diff --git a/.gitignore b/.gitignore
index 27d0bc390b..d1586f6fc8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,9 @@
 build*
 !ci/windows/build.cmd
 
+# Don't ignore things in the docs directory
+!doc/**
+
 tmp
 *.gcov
 
diff --git a/doc/.gitignore b/doc/.gitignore
new file mode 100644
index 0000000000..6f97ca1afc
--- /dev/null
+++ b/doc/.gitignore
@@ -0,0 +1,2 @@
+build
+*.pyc
diff --git a/doc/.readthedocs.yml b/doc/.readthedocs.yml
new file mode 100644
index 0000000000..e80d705bc6
--- /dev/null
+++ b/doc/.readthedocs.yml
@@ -0,0 +1,16 @@
+version: 2
+
+formats:
+  - htmlzip
+
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.11"
+
+python:
+  install:
+    - requirements: requirements.txt
+
+sphinx:
+  configuration: conf.py
diff --git a/doc/.typos.toml b/doc/.typos.toml
new file mode 100644
index 0000000000..0f3aee7a94
--- /dev/null
+++ b/doc/.typos.toml
@@ -0,0 +1,65 @@
+[default]
+extend-ignore-re = [
+    # seh too close to she
+    "registered SEH to support IDL",
+    # ALLO is a valid FTP command
+    "\"ALLO\".*[0-9]{3}",
+    "des-ede3-cbc-Env-OID",
+    # On purpose
+    "\"THE NETBIOS NAM\"",
+    # NFS stuff.
+    "commited :zeek:type:`NFS3::stable_how_t`",
+    "\\/fo\\(o",
+    "  nd\\.<br",
+    "\"BaR\"",
+    "Not-ECT",
+    "Ninteenth: Ninteenth",
+
+    # Connecton and file UIDs
+    "[CF][a-zA-Z0-9]{17}",
+
+    # Smoot
+    "Smoot",
+
+    "SIEM",
+]
+
+extend-ignore-identifiers-re = [
+    "TLS_.*_EDE.*_.*",
+    "SSL.*_EDE.*_.*",
+    "_3DES_EDE_CBC_SHA",
+    "GOST_R_.*",
+    "icmp6_nd_.*",
+    "pn", # Use for `PoolNode` variables
+    "complte_flag", # Existing use in exported record in base.
+    "VidP(n|N)", # In SMB.
+    "iin", # In DNP3.
+    "(ScValidatePnPService|ScSendPnPMessage)", # In DCE-RPC.
+    "snet", # Used as shorthand for subnet in base scripts.
+    "typ",
+    "tpe",
+]
+
+[default.extend-identifiers]
+MCA_OCCURED = "MCA_OCCURED"
+MNT3ERR_ACCES = "MNT3ERR_ACCES"
+ND_QUEUE_OVERFLOW = "ND_QUEUE_OVERFLOW"
+ND_REDIRECT = "ND_REDIRECT"
+NFS3ERR_ACCES = "NFS3ERR_ACCES"
+NO_SEH = "NO_SEH"
+RPC_NT_CALL_FAILED_DNE = "RPC_NT_CALL_FAILED_DNE"
+RpcAddPrintProvidor = "RpcAddPrintProvidor"
+RpcDeletePrintProvidor = "RpcDeletePrintProvidor"
+THA = "THA"
+tha = "tha"
+uses_seh = "uses_seh"
+exat = "exat"
+EXAT = "EXAT"
+
+[default.extend-words]
+caf = "caf"
+helo = "helo"
+# Seems we use this in the management framework
+requestor = "requestor"
+# `inout` is used as a keyword in Spicy, but looks like a typo of `input`.
+inout = "inout"
diff --git a/doc/LICENSE b/doc/LICENSE
new file mode 100644
index 0000000000..8bf6198f38
--- /dev/null
+++ b/doc/LICENSE
@@ -0,0 +1,5 @@
+This work is licensed under the Creative Commons
+Attribution 4.0 International License. To view a copy of this
+license, visit https://creativecommons.org/licenses/by/4.0/ or send
+a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain
+View, California, 94041, USA.
diff --git a/doc/Makefile b/doc/Makefile
new file mode 100644
index 0000000000..33f8f415dc
--- /dev/null
+++ b/doc/Makefile
@@ -0,0 +1,37 @@
+SPHINXOPTS =
+
+NUMJOBS ?= auto
+
+all: html
+
+doc: html
+
+builddir:
+	mkdir -p build/html
+
+clean:
+	rm -rf build/html
+
+html: builddir
+	sphinx-build -j $(NUMJOBS) -b html $(SPHINXOPTS) . ./build/html
+
+livehtml: builddir
+	sphinx-autobuild --ignore "*.git/*" --ignore "*.lock" --ignore "*.pyc" --ignore "*.swp" --ignore "*.swpx" --ignore "*.swx" -b html $(SPHINXOPTS) . ./build/html
+
+commit:
+	git add * && git commit -m 'Update generated docs'
+
+spicy-%:
+	git clone https://github.com/zeek/$@
+
+check-spicy-docs: spicy-tftp
+	@echo Refreshing checkouts
+	@for REPO in $^; do (cd $$REPO && git pull && git reset HEAD --hard)>/dev/null; done
+	@
+	@echo Checking whether docs for Spicy integration are up-to-date
+	@./devel/spicy/autogen-spicy-docs spicy-tftp
+	@
+	@git diff --quiet devel/spicy/autogen/ \
+		|| (echo "Spicy docs are not up-to-date, rerun './devel/spicy/autogen-spicy-docs'." && exit 1)
+
+.PHONY : all doc builddir clean html livehtml
diff --git a/doc/README b/doc/README
new file mode 100644
index 0000000000..8204c11a4e
--- /dev/null
+++ b/doc/README
@@ -0,0 +1,132 @@
+.. _zeek-docs: https://github.com/zeek/zeek-docs
+.. _Read the Docs: https://docs.readthedocs.io/en/stable/index.html
+.. _Zeek repo: https://github.com/zeek/zeek
+.. _Sphinx: https://www.sphinx-doc.org/en/master
+.. _pip: https://pypi.org/project/pip
+
+Zeek Documentation
+==================
+
+The documentation repo at zeek-docs_
+contains version-specific Zeek documentation source files that are ultimately
+used as the basis for content hosted at https://docs.zeek.org.
+
+Markup Format, Style, and Conventions
+-------------------------------------
+
+For general guidance on the basics of how the documentation is written,
+consult this Zeek wiki:
+
+https://github.com/zeek/zeek/wiki/Documentation-Style-and-Conventions
+
+Source-Tree Organization
+------------------------
+
+The zeek-docs_ repo containing this README file is the root of a Sphinx_ source
+tree and can be modified to add more documentation, style sheets, JavaScript,
+etc.  The Sphinx config file is ``conf.py``.  The typical way new documents get
+integrated is from them being referenced directly in ``index.rst`` or
+indirectly from something in the ``toctree`` (Table of Contents Tree) specified
+in that main index.
+
+There is also a custom Sphinx domain implemented in ``ext/zeek.py`` which adds
+some reStructureText (reST) directives and roles that aid in generating useful
+index entries and cross-references. This primarily supports integration with
+the script-reference sections, some of which are auto-generated by Zeek's
+Doxygen-like feature, named "Zeekygen".  The bulk of auto-generated content
+lives under the ``scripts/`` directory or has a file name starting with
+"autogenerated", so if you find yourself wanting to change those, you should
+actually look at at doing those changes within the `Zeek repo`_ itself rather
+than here, so see the next section for how Zeekygen docs can be (re)generated.
+
+Generating Zeekygen Reference Docs
+----------------------------------
+
+All Zeekygen-generated docs get committed into Git, so if you don't have to
+perform any changes on it and just want to preview what's already existing,
+you can skip down to the next :ref:`Local Previewing <local-doc-preview>` section.
+
+The Zeekygen documentation-generation feature is a part of Zeek itself, so
+you'll want to obtain the `Zeek repo`_ from Git, read the :doc:`INSTALL
+</install>` file directions to install required dependencies, and build Zeek::
+
+  git clone --recursive https://github.com/zeek/zeek
+  cd zeek
+  # Read INSTALL file and get dependencies here
+  ./configure && make -j $(nproc)
+  # Make desired edits to scripts/, src/, etc.
+  ./ci/update-zeekygen-docs.sh
+
+The last command runs a script to generate documentation, which will end up in
+the ``doc/`` subdirectory.  Note that ``doc/`` is just a Git submodule of this
+this zeek-docs_ repository, so you can run ``git status`` there to find exactly
+what changed.
+
+Also note that the documentation-generation script is run automatically
+on a daily basis to incorporate up any documentation changes that people make
+in Zeek itself without them having to necessarily be aware of the full
+documentation process.  The GitHub Action that does that daily task is
+located in the Zeek repo's ``.github/workflows/generate-docs.yml`` file.
+
+.. _local-doc-preview:
+
+Local Previewing (How To Build)
+-------------------------------
+
+First make sure you have the required dependencies used for building docs:
+
+* Python interpreter >= 3.9
+* Sphinx: https://www.sphinx-doc.org/en/master/
+* Read the Docs Sphinx Theme: https://github.com/rtfd/sphinx_rtd_theme
+* GitPython: https://github.com/gitpython-developers/GitPython
+
+If you have pip_, you may just use the command ``pip3 install -r
+requirements.txt`` to install all the dependencies using the
+``requirements.txt`` from zeek-docs_.
+
+Now run ``make`` within the zeek-docs_ repository's top-level to locally render
+its reST files into HTML. After the build completes, HTML documentation is
+symlinked in ``build/html`` and you can open the ``index.html`` found there in
+your web browser.
+
+There's also a ``make livehtml`` (requires ``pip3 install sphinx-autobuild``)
+target in the top-level Makefile that is useful for editing the reST files and
+seeing changes rendered out live to a separate browser.
+
+Hosting
+-------
+
+Documentation is hosted by `Read the Docs`_ (RTD), so you can generally read
+about how it works there.  The web-interface is accessible via
+https://readthedocs.org/projects/zeek-docs.
+
+How zeek-docs_ is configured to use RTD is a combination of some custom
+settings in its ``.readthedocs.yml`` file and others only accessible through
+RTD's web-interface (e.g. domain and subproject settings).  Most config
+settings are likely understandable just by browsing the web-interface and
+RTD's guides, but a few particular points to mention:
+
+* There is an associated, always-failing project at
+  https://readthedocs.org/projects/zeek.  It's always-failing because
+  RTD redirects only activate when pages 404 and this project exists so that
+  all attempts to use https://zeek.rtfd.io or https://zeek.readthedocs.io
+  get redirected to https://docs.zeek.org.  Those would have been the project
+  URLs if ownership of the RTD 'zeek' project was had from the start, but
+  it was only obtained later, after documentation already started development
+  in the 'zeek-docs' RTD project slug.
+
+* Over time, page redirects have accrued into ``redirects.yml`` as a way to
+  help document what they are and why they happened and also as a potential
+  way to automate addition/reinstantiation of a large number of redirects,
+  but typically redirects can be manually added via the RTD web interface
+  first and then noted in ``redirects.yml``
+
+* There are RTD subprojects for things like Broker, Package Manager,
+  and Spicy.  The use of subprojects simply allows access to their RTD
+  docs via the custom domain of https://docs.zeek.org
+
+* RTD will auto-build any newly-pushed commits to zeek-docs_ (i.e. a webhook is
+  configured), but if a tag is changed to point somewhere different, you'll
+  typically have to go into the RTD web interface, "Edit" the associated
+  version under "Versions", "wipe" the existing docs, and then manually trigger
+  a rebuild of that version tag under "Builds".
diff --git a/doc/README.rst b/doc/README.rst
new file mode 100644
index 0000000000..8204c11a4e
--- /dev/null
+++ b/doc/README.rst
@@ -0,0 +1,132 @@
+.. _zeek-docs: https://github.com/zeek/zeek-docs
+.. _Read the Docs: https://docs.readthedocs.io/en/stable/index.html
+.. _Zeek repo: https://github.com/zeek/zeek
+.. _Sphinx: https://www.sphinx-doc.org/en/master
+.. _pip: https://pypi.org/project/pip
+
+Zeek Documentation
+==================
+
+The documentation repo at zeek-docs_
+contains version-specific Zeek documentation source files that are ultimately
+used as the basis for content hosted at https://docs.zeek.org.
+
+Markup Format, Style, and Conventions
+-------------------------------------
+
+For general guidance on the basics of how the documentation is written,
+consult this Zeek wiki:
+
+https://github.com/zeek/zeek/wiki/Documentation-Style-and-Conventions
+
+Source-Tree Organization
+------------------------
+
+The zeek-docs_ repo containing this README file is the root of a Sphinx_ source
+tree and can be modified to add more documentation, style sheets, JavaScript,
+etc.  The Sphinx config file is ``conf.py``.  The typical way new documents get
+integrated is from them being referenced directly in ``index.rst`` or
+indirectly from something in the ``toctree`` (Table of Contents Tree) specified
+in that main index.
+
+There is also a custom Sphinx domain implemented in ``ext/zeek.py`` which adds
+some reStructureText (reST) directives and roles that aid in generating useful
+index entries and cross-references. This primarily supports integration with
+the script-reference sections, some of which are auto-generated by Zeek's
+Doxygen-like feature, named "Zeekygen".  The bulk of auto-generated content
+lives under the ``scripts/`` directory or has a file name starting with
+"autogenerated", so if you find yourself wanting to change those, you should
+actually look at at doing those changes within the `Zeek repo`_ itself rather
+than here, so see the next section for how Zeekygen docs can be (re)generated.
+
+Generating Zeekygen Reference Docs
+----------------------------------
+
+All Zeekygen-generated docs get committed into Git, so if you don't have to
+perform any changes on it and just want to preview what's already existing,
+you can skip down to the next :ref:`Local Previewing <local-doc-preview>` section.
+
+The Zeekygen documentation-generation feature is a part of Zeek itself, so
+you'll want to obtain the `Zeek repo`_ from Git, read the :doc:`INSTALL
+</install>` file directions to install required dependencies, and build Zeek::
+
+  git clone --recursive https://github.com/zeek/zeek
+  cd zeek
+  # Read INSTALL file and get dependencies here
+  ./configure && make -j $(nproc)
+  # Make desired edits to scripts/, src/, etc.
+  ./ci/update-zeekygen-docs.sh
+
+The last command runs a script to generate documentation, which will end up in
+the ``doc/`` subdirectory.  Note that ``doc/`` is just a Git submodule of this
+this zeek-docs_ repository, so you can run ``git status`` there to find exactly
+what changed.
+
+Also note that the documentation-generation script is run automatically
+on a daily basis to incorporate up any documentation changes that people make
+in Zeek itself without them having to necessarily be aware of the full
+documentation process.  The GitHub Action that does that daily task is
+located in the Zeek repo's ``.github/workflows/generate-docs.yml`` file.
+
+.. _local-doc-preview:
+
+Local Previewing (How To Build)
+-------------------------------
+
+First make sure you have the required dependencies used for building docs:
+
+* Python interpreter >= 3.9
+* Sphinx: https://www.sphinx-doc.org/en/master/
+* Read the Docs Sphinx Theme: https://github.com/rtfd/sphinx_rtd_theme
+* GitPython: https://github.com/gitpython-developers/GitPython
+
+If you have pip_, you may just use the command ``pip3 install -r
+requirements.txt`` to install all the dependencies using the
+``requirements.txt`` from zeek-docs_.
+
+Now run ``make`` within the zeek-docs_ repository's top-level to locally render
+its reST files into HTML. After the build completes, HTML documentation is
+symlinked in ``build/html`` and you can open the ``index.html`` found there in
+your web browser.
+
+There's also a ``make livehtml`` (requires ``pip3 install sphinx-autobuild``)
+target in the top-level Makefile that is useful for editing the reST files and
+seeing changes rendered out live to a separate browser.
+
+Hosting
+-------
+
+Documentation is hosted by `Read the Docs`_ (RTD), so you can generally read
+about how it works there.  The web-interface is accessible via
+https://readthedocs.org/projects/zeek-docs.
+
+How zeek-docs_ is configured to use RTD is a combination of some custom
+settings in its ``.readthedocs.yml`` file and others only accessible through
+RTD's web-interface (e.g. domain and subproject settings).  Most config
+settings are likely understandable just by browsing the web-interface and
+RTD's guides, but a few particular points to mention:
+
+* There is an associated, always-failing project at
+  https://readthedocs.org/projects/zeek.  It's always-failing because
+  RTD redirects only activate when pages 404 and this project exists so that
+  all attempts to use https://zeek.rtfd.io or https://zeek.readthedocs.io
+  get redirected to https://docs.zeek.org.  Those would have been the project
+  URLs if ownership of the RTD 'zeek' project was had from the start, but
+  it was only obtained later, after documentation already started development
+  in the 'zeek-docs' RTD project slug.
+
+* Over time, page redirects have accrued into ``redirects.yml`` as a way to
+  help document what they are and why they happened and also as a potential
+  way to automate addition/reinstantiation of a large number of redirects,
+  but typically redirects can be manually added via the RTD web interface
+  first and then noted in ``redirects.yml``
+
+* There are RTD subprojects for things like Broker, Package Manager,
+  and Spicy.  The use of subprojects simply allows access to their RTD
+  docs via the custom domain of https://docs.zeek.org
+
+* RTD will auto-build any newly-pushed commits to zeek-docs_ (i.e. a webhook is
+  configured), but if a tag is changed to point somewhere different, you'll
+  typically have to go into the RTD web interface, "Edit" the associated
+  version under "Versions", "wipe" the existing docs, and then manually trigger
+  a rebuild of that version tag under "Builds".
diff --git a/doc/_static/theme_overrides.css b/doc/_static/theme_overrides.css
new file mode 100644
index 0000000000..cf1fa824f8
--- /dev/null
+++ b/doc/_static/theme_overrides.css
@@ -0,0 +1,32 @@
+/* override table width restrictions */
+@media screen and (min-width: 767px) {
+
+   .wy-table-responsive table td {
+      /* !important prevents the common CSS stylesheets from overriding
+         this as on RTD they are loaded after this stylesheet */
+      white-space: normal !important;
+   }
+
+   .wy-table-responsive {
+      overflow: visible !important;
+   }
+}
+
+h1, h2, h3, h4, h5, h6 {
+  color: #294488;
+  font-family: 'Open Sans',Helvetica,Arial,Lucida,sans-serif!important;
+}
+
+a {
+  color: #2ea3f2;
+}
+
+body {
+  font-family: "Open Sans",Arial,sans-serif;
+  color: #666;
+}
+
+div.highlight pre strong {
+  font-weight: 800;
+  background-color: #ffffcc;
+}
diff --git a/doc/_templates/breadcrumbs.html b/doc/_templates/breadcrumbs.html
new file mode 100644
index 0000000000..8a4aa54ae4
--- /dev/null
+++ b/doc/_templates/breadcrumbs.html
@@ -0,0 +1,15 @@
+{% extends "!breadcrumbs.html" %}
+
+{% block breadcrumbs_aside %}
+<li class="wy-breadcrumbs-aside">
+{% if pagename != "search" %}
+  {% if display_github %}
+    {% if github_version == "master" %}
+      <a href="https://{{ github_host|default("github.com") }}/{{ github_user }}/{{ github_repo }}/edit/{{ github_version }}{{ conf_py_path }}{{ pagename }}{{ page_source_suffix }}" class="fa fa-github"> {{ _('Edit on GitHub') }}</a>
+    {% endif %}
+  {% elif show_source and has_source and sourcename %}
+    <a href="{{ pathto('_sources/' + sourcename, true)|e }}" rel="nofollow"> {{ _('View page source') }}</a>
+  {% endif %}
+{% endif %}
+</li>
+{% endblock %}
diff --git a/doc/_templates/layout.html b/doc/_templates/layout.html
new file mode 100644
index 0000000000..3a5449e99a
--- /dev/null
+++ b/doc/_templates/layout.html
@@ -0,0 +1,14 @@
+{% extends "!layout.html" %}
+
+{% if READTHEDOCS and current_version %}
+  {% if current_version == "latest" or current_version == "stable"
+     or current_version == "master" or current_version == "current"
+     or current_version == "lts" or current_version == "LTS" %}
+    {% set current_version = current_version ~ " (" ~ version ~ ")" %}
+  {% endif %}
+{% endif %}
+
+{% block menu %}
+  {{ super() }}
+  <a href="{{pathto('genindex.html', 1)}}">Index</a>
+{% endblock %}
diff --git a/doc/about.rst b/doc/about.rst
new file mode 100644
index 0000000000..85b3ddd5a8
--- /dev/null
+++ b/doc/about.rst
@@ -0,0 +1,256 @@
+==========
+About Zeek
+==========
+
+What Is Zeek?
+=============
+
+Zeek is a passive, open-source network traffic analyzer. Many operators use
+Zeek as a network security monitor (NSM) to support investigations of
+suspicious or malicious activity. Zeek also supports a wide range of traffic
+analysis tasks beyond the security domain, including performance measurement
+and troubleshooting.
+
+The first benefit a new user derives from Zeek is the extensive set of logs
+describing network activity. These logs include not only a comprehensive record
+of every connection seen on the wire, but also application-layer transcripts.
+These include all HTTP sessions with their requested URIs, key headers, MIME
+types, and server responses; DNS requests with replies; SSL certificates; key
+content of SMTP sessions; and much more. By default, Zeek writes all this
+information into well-structured tab-separated or JSON log files suitable for
+post-processing with external software. Users can also choose to have external
+databases or SIEM products consume, store, process, and present the data for
+querying.
+
+In addition to the logs, Zeek comes with built-in functionality for a range of
+analysis and detection tasks, including extracting files from HTTP sessions,
+detecting malware by interfacing to external registries, reporting vulnerable
+versions of software seen on the network, identifying popular web applications,
+detecting SSH brute-forcing, validating SSL certificate chains, and much more.
+
+In addition to shipping such powerful functionality “out of the box,” Zeek is a
+fully customizable and extensible platform for traffic analysis. Zeek provides
+users a domain-specific, Turing-complete scripting language for expressing
+arbitrary analysis tasks. Think of the Zeek language as a “domain-specific
+Python” (or Perl): just like Python, the system comes with a large set of
+pre-built functionality (the “standard library”), yet users can also put Zeek
+to use in novel ways by writing custom code. Indeed, all of Zeek’s default
+analyses, including logging, are done via scripts; no specific analysis is
+hard-coded into the core of the system.
+
+Zeek runs on commodity hardware and hence provides a low-cost alternative to
+expensive proprietary solutions. In many ways Zeek exceeds the capabilities of
+other network monitoring tools, which typically remain limited to a small set
+of hard-coded analysis tasks. Zeek is not a classic signature-based intrusion
+detection system (IDS); while it supports such standard functionality as well,
+Zeek’s scripting language facilitates a much broader spectrum of very different
+approaches to finding malicious activity. These include semantic misuse
+detection, anomaly detection, and behavioral analysis.
+
+A large variety of sites deploy Zeek to protect their infrastructure, including
+many universities, research labs, supercomputing centers, open-science
+communities, major corporations, and government agencies. Zeek specifically
+targets high-speed, high-volume network monitoring, and an increasing number of
+sites are now using the system to monitor their 10GE networks, with some
+already moving on to 100GE links.
+
+Zeek accommodates high-performance settings by supporting scalable
+load-balancing. Large sites typically run “Zeek Clusters” in which a high-speed
+front end load balancer distributes the traffic across an appropriate number of
+back end PCs, all running dedicated Zeek instances on their individual traffic
+slices. A central manager system coordinates the process, synchronizing state
+across the back ends and providing the operators with a central management
+interface for configuration and access to aggregated logs. Zeek’s integrated
+management framework, ZeekControl, supports such cluster setups out-of-the-box.
+
+Zeek’s cluster features support single-system and multi-system setups. That's
+part of Zeek’s scalability advantages. For example, administrators can scale
+Zeek within one system for as long as possible, and then transparently add more
+systems when necessary.
+
+In brief, Zeek is optimized for interpreting network traffic and generating
+logs based on that traffic. It is not optimized for byte matching, and users
+seeking signature detection approaches would be better served by trying
+intrusion detection systems such as Suricata. Zeek is also not a protocol
+analyzer in the sense of Wireshark, seeking to depict every element of network
+traffic at the frame level, or a system for storing traffic in packet capture
+(PCAP) form. Rather, Zeek sits at the “happy medium” representing compact yet
+high fidelity network logs, generating better understanding of network traffic
+and usage.
+
+Why Zeek?
+=========
+
+Zeek offers many advantages for security and network teams who want to better
+understand how their infrastructure is being used.
+
+Security teams generally depend upon four sorts of data sources when trying to
+detect and respond to suspicious and malicious activity. These include *third
+party* sources such as law enforcement, peers, and commercial or nonprofit
+threat intelligence organizations; *network data*; *infrastructure and
+application data*, including logs from cloud environments; and *endpoint data*.
+Zeek is primarily a platform for collecting and analyzing the second form of
+data -- network data. All four are important elements of any security team’s
+program, however.
+
+When looking at data derived from the network, there are four types of data
+available to analysts. As defined by the `network security monitoring paradigm
+<https://corelight.blog/2019/04/30/do-you-know-your-nsm-data-types/>`_, these
+four data types are *full content*, *transaction data*, *extracted content*,
+and *alert data*. Using these data types, one can record traffic, summarize
+traffic, extract traffic (or perhaps more accurately, extract content
+in the form of files), and judge traffic, respectively.
+
+It’s critical to collect and analyze the four types of network security
+monitoring data. The question becomes one of determining the best way to
+accomplish this goal. Thankfully, Zeek as a NSM platform enables collection of
+at least two, and in some ways three, of these data forms, namely transaction
+data, extracted content, and alert data.
+
+Zeek is best known for its transaction data. By default, when run and told to
+watch a network interface, Zeek will generate a collection of compact,
+high-fidelity, richly-annotated set of transaction logs. These logs describe
+the protocols and activity seen on the wire, in a judgement-free,
+policy-neutral manner. This documentation will spend a considerable amount of
+time describing the most common Zeek log files such that readers will become
+comfortable with the format and learn to apply them to their environment.
+
+Zeek can also easily carve files from network traffic, thanks to its file
+extraction capabilities. Analysts can then send those files to execution
+sandboxes or other file examination tools for additional investigation. Zeek
+has some capability to perform classical byte-centric intrusion detection, but
+that job is best suited for packages like the open source Snort or Suricata
+engines. Zeek has other capabilities however that are capable of providing
+judgements in the form of alerts, through its notice mechanism.
+
+Zeek is not optimized for writing traffic to disk in the spirit of a full
+content data collection, and that task is best handled by software written to
+fulfill that requirement.
+
+Beyond the forms of network data that Zeek can natively collect and generate,
+Zeek has advantages that appeared in the `What Is Zeek?`_ section. These
+include its built-in functionality for a range of analysis and detection
+tasks, and its status as a fully customizable and extensible platform for
+traffic analysis.  Zeek is also attractive because of its ability to run on
+commodity hardware, giving users of all types the ability to at least try Zeek
+in a low-cost manner.
+
+History
+=======
+
+Zeek has a rich history stretching back to the 1990s. `Vern Paxson
+<http://www.icir.org/vern/>`_ designed and implemented the initial version in
+1995 as a researcher at the `Lawrence Berkeley National Laboratory (LBNL)
+<http://www.lbl.gov/>`_. The original software was called “Bro,” as an
+“Orwellian reminder that monitoring comes hand in hand with the potential
+for privacy violations”.
+
+LBNL first deployed Zeek in 1996, and the USENIX Security Symposium published
+Vern’s original paper on Zeek in 1998, and awarded it the Best Paper Award that
+year He published a refined version of the paper in 1999 as `Bro: A System for
+Detecting Network Intruders in Real-Time
+<http://www.icir.org/vern/papers/bro-CN99.pdf>`_.
+
+In 2003, the `National Science Foundation (NSF) <http://www.nsf.gov/>`_ began
+supporting research and advanced development on Bro at the `International
+Computer Science Institute (ICSI) <http://www.icsi.berkeley.edu/>`_. (Vern
+still leads the ICSI `Networking and Security group <http://www.icir.org/>`_.)
+
+Over the years, a growing team of ICSI researchers and students kept adding
+novel functions to Zeek, while LBNL continued its support with funding from the
+`Department of Energy (DOE) <http://www.doe.gov/>`_. Much of Zeek’s
+capabilities originate in academic research projects, with results often
+published at top-tier conferences. A key to Zeek’s success was the project’s
+ability to bridge the gap between academia and operations. This relationship
+helped ground research on Zeek in real-world challenges.
+
+With a growing operational user community, the research-centric development
+model eventually became a bottleneck to the system’s evolution.  Research
+grants did not support the more mundane parts of software development and
+maintenance. However, those elements were crucial for the end-user experience.
+As a result, deploying Zeek required overcoming a steep learning curve.
+
+In 2010, NSF sought to address this challenge by awarding ICSI a grant from its
+Software Development for Cyberinfrastructure fund. The `National Center for
+Supercomputing Applications (NCSA) <http://www.ncsa.illinois.edu/>`_ joined the
+team as a core partner, and the Zeek project began to overhaul many of the
+user-visible parts of the system for the 2.0 release in 2012.
+
+After Zeek 2.0, the project enjoyed tremendous growth in new deployments across
+a diverse range of settings, and the ongoing collaboration between ICSI (co-PI
+Robin Sommer) and NCSA (co-PI Adam Slagell) brought a number of important
+features.  In 2012, Zeek added native IPv6 support, long before many enterprise
+networking monitoring tools. In 2013, NSF renewed its support with a second
+grant that established the Bro Center of Expertise at ICSI and NCSA, promoting
+Zeek as a comprehensive, low-cost security capability for research and
+education communities. To facilitate both debugging and education,
+`try.zeek.org <https://try.zeek.org>`_ (formerly try.bro.org) was launched in
+2014.  This provided an interactive way for users to test a script with their
+own packet captures against a variety of Zeek versions and easily share
+sample code with others.  For Zeek clusters and external communication,
+the Broker communication framework was added.  Last, but not least, the
+Zeek package manager was created in 2016, funded by an additional grant
+from the Mozilla Foundation.
+
+In the fall of 2018, the project leadership team decided to change the name of
+the software from Bro to Zeek. The leadership team desired a name that better
+reflected the values of the community while avoiding the negative connotations
+of so-called “bro culture” outside the computing world. The project released
+version 3.0 in the fall of 2019, the first release bearing the name Zeek. The
+year 2020 saw a renewed focus on community and growing the Zeek community, with
+increased interaction via social media, webinars, Slack channels, and related
+outreach efforts.
+
+For a history of the project from 1995 to 2015, see Vern Paxson’s talk from
+BroCon 2015, `Reflecting on Twenty Years of Bro
+<https://www.youtube.com/watch?v=pb9HlmV0s2A>`_.
+
+For background on the decision to rename Bro to Zeek, see Vern Paxson’s talk
+from BroCon 2018, `Renaming Bro
+<https://www.youtube.com/watch?v=L88ZYfjPzyk>`_.
+
+Architecture
+============
+
+.. image:: /images/architecture.png
+   :align: center
+   :scale: 75%
+
+At a very high level, Zeek is architecturally layered into two major
+components. Its *event engine* (or *core*) reduces the incoming packet stream
+into a series of higher-level *events*. These events reflect network activity
+in policy-neutral terms, i.e., they describe *what* has been seen, but not
+*why*, or whether it is significant.
+
+For example, every HTTP request on the wire turns into a corresponding
+:zeek:see:`http_request` event that carries with it the involved IP addresses
+and ports, the URI being requested, and the HTTP version in use. The event
+however does not convey any further *interpretation*, such as whether that URI
+corresponds to a known malware site.
+
+The event engine component comprises a number of subcomponents, including in
+particular the packet processing pipeline consisting of: input sources,
+packet analysis, session analysis, and file analysis. Input sources ingest
+incoming network traffic from network interfaces. Packet analysis processes
+lower-level protocols, starting all the way down at the link layer. Session
+analysis handles application-layer protocols, such as HTTP, FTP, etc. File
+analysis dissects the content of files transferred over sessions. The event
+engine provides a plugin architecture for adding any of these from outside
+of the core Zeek code base, allowing to expand Zeek’s capabilities as
+needed.
+
+Semantics related to the events are derived by Zeek’s second main component,
+the *script interpreter*, which executes a set of *event handlers* written in
+Zeek’s custom scripting language. These scripts can express a site’s
+security policy, such as what actions to take when the monitor detects
+different types of activity.
+
+More generally scripts can derive any desired properties and statistics from
+the input traffic. In fact, all of Zeek’s default output comes from scripts
+included in the distribution. Zeek’s language comes with extensive
+domain-specific types and support functionality. Crucially, Zeek’s language
+allows scripts to maintain state over time, enabling them to track and
+correlate the evolution of what they observe across connection and host
+boundaries. Zeek scripts can generate real-time alerts and also execute
+arbitrary external programs on demand. One might use this functionality to
+trigger an active response to an attack.
diff --git a/doc/acknowledgements.rst b/doc/acknowledgements.rst
new file mode 100644
index 0000000000..7a0747e638
--- /dev/null
+++ b/doc/acknowledgements.rst
@@ -0,0 +1,22 @@
+================
+Acknowledgements
+================
+
+Thanks to everyone who contributed in making Zeek's documentation
+(alphabetically):
+
+* Johanna Amann
+* Richard Bejtlich
+* Michael Dopheide
+* Amber Graner
+* Jan Grashöfer
+* Christian Kreibich
+* Terry Leach
+* Aashish Sharma
+* Jon Siwek
+* Stephen Smoot
+* Robin Sommer
+* Aaron Soto
+* Nick Turley
+* Fatema Bannat Wala
+* Tim Wojtulewicz
diff --git a/doc/building-from-source.rst b/doc/building-from-source.rst
new file mode 100644
index 0000000000..21f940406f
--- /dev/null
+++ b/doc/building-from-source.rst
@@ -0,0 +1,392 @@
+
+.. _CMake: https://www.cmake.org
+.. _SWIG: https://www.swig.org
+.. _Xcode: https://developer.apple.com/xcode/
+.. _MacPorts: https://www.macports.org
+.. _Fink: https://www.finkproject.org
+.. _Homebrew: https://brew.sh
+.. _downloads page: https://zeek.org/get-zeek
+.. _devtoolset: https://developers.redhat.com/products/developertoolset/hello-world
+.. _zkg package manager: https://docs.zeek.org/projects/package-manager/en/stable/
+.. _crosstool-NG: https://crosstool-ng.github.io/
+.. _CMake toolchain: https://cmake.org/cmake/help/latest/manual/cmake-toolchains.7.html
+.. _contribute: https://github.com/zeek/zeek/wiki/Contribution-Guide
+.. _Chocolatey: https://chocolatey.org
+.. _Npcap: https://npcap.com/
+
+.. _building-from-source:
+
+====================
+Building from Source
+====================
+
+Building Zeek from source provides the most control over your build and is the
+preferred approach for advanced users. We support a wide range of operating
+systems and distributions. Our `support policy
+<https://github.com/zeek/zeek/wiki/Platform-Support-Policy>`_ is informed by
+what we can run in our CI pipelines with reasonable effort, with the current
+status captured in our `support matrix
+<https://github.com/zeek/zeek/wiki/Zeek-Operating-System-Support-Matrix>`_.
+
+Required Dependencies
+---------------------
+
+Building Zeek from source requires the following dependencies, including
+development headers for libraries:
+
+    * Bash (for ZeekControl and BTest)
+    * BIND8 library or greater (if not covered by system's libresolv)
+    * Bison 3.3 or greater (https://www.gnu.org/software/bison/)
+    * C/C++ compiler with C++17 support (GCC 8+ or Clang 9+)
+    * CMake 3.15 or greater (https://www.cmake.org)
+    * Flex (lexical analyzer generator) 2.6 or greater (https://github.com/westes/flex)
+    * Libpcap (https://www.tcpdump.org)
+    * Make
+    * OpenSSL (https://www.openssl.org)
+    * Python 3.9 or greater (https://www.python.org/)
+    * SWIG (https://www.swig.org)
+    * ZeroMQ (https://zeromq.org)
+    * Zlib (https://zlib.net/)
+
+To install these, you can use:
+
+* RPM/RedHat-based Linux:
+
+  .. code-block:: console
+
+     sudo dnf install bison cmake cppzmq-devel gcc gcc-c++ flex libpcap-devel make openssl-devel python3 python3-devel swig zlib-devel
+
+  On pre-``dnf`` systems, use ``yum`` instead.  Additionally, on RHEL/CentOS 7,
+  you can install and activate a devtoolset_ to get access to recent GCC
+  versions. You will also have to install and activate CMake 3.  For example:
+
+  .. code-block:: console
+
+     sudo yum install cmake3 devtoolset-7
+     scl enable devtoolset-7 bash
+
+* DEB/Debian-based Linux:
+
+  .. code-block:: console
+
+     sudo apt-get install bison cmake cppzmq-dev gcc g++ flex libfl-dev libpcap-dev libssl-dev make python3 python3-dev swig zlib1g-dev
+
+  If your platform doesn't offer ``cppzmq-dev``, try ``libzmq3-dev``
+  instead. Zeek's build will fall back to an in-tree version of C++
+  bindings to ZeroMQ in that case.
+
+* FreeBSD:
+
+  Most required dependencies should come with a minimal FreeBSD install
+  except for the following.
+
+  .. code-block:: console
+
+      sudo pkg install -y base64 bash bison cmake cppzmq git python3 swig
+      pyver=`python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")'`
+      sudo pkg install -y $pyver-sqlite3
+
+* macOS:
+
+  Compiling source code on Macs requires first installing either Xcode_
+  or the "Command Line Tools" (which is a much smaller download).  To check
+  if either is installed, run the ``xcode-select -p`` command.  If you see
+  an error message, then neither is installed and you can then run
+  ``xcode-select --install`` which will prompt you to either get Xcode (by
+  clicking "Get Xcode") or to install the command line tools (by
+  clicking "Install").
+
+  macOS comes with all required dependencies except for CMake_, SWIG_,
+  Bison, Flex, and OpenSSL (OpenSSL headers were removed in macOS 10.11,
+  therefore OpenSSL must be installed manually for macOS versions 10.11
+  or newer).
+
+  Distributions of these dependencies can likely be obtained from your
+  preferred macOS package management system (e.g. Homebrew_,
+  MacPorts_, or Fink_). Specifically for Homebrew, the ``bison``, ``cmake``,
+  ``cppzmq``, ``flex``, ``swig``, and ``openssl`` packages
+  provide the required dependencies.  For MacPorts, use the ``bison``, ``cmake``,
+  ``cppzmq``, ``flex``, ``swig``, ``swig-python``, and ``openssl`` packages.
+
+* Windows
+
+  Windows support is experimental. These instructions are meant as a starting
+  point for development on that platform, and might have issues or be missing
+  steps. Notify the Zeek team if any such problems arise.
+
+  Compiling on Windows requires the installation of a development environment.
+  Zeek currently builds on Visual Studio 2019, and you can either install the
+  full version including the UI tools or you can install the command-line tools
+  and build from a shell. The instructions below describe how to install the
+  command-line tools, but are not necessary if you install the full VS2019
+  package. You will need to install Chocolatey_ in order to install the
+  dependencies as instructed below. It's possible to install them from other
+  sources (msys2, cygwin, etc), which we leave to the reader.
+
+  Cloning the repository will also require Developer Mode to be enabled in
+  Windows. This is due to the existence of a number of symbolic links in the
+  repository. Without Developer Mode, ``git`` on Windows will ignore these
+  links and builds will fail. There are a couple of different ways to enable
+  it, and the settings may differ depending on the version of Windows.
+
+  .. code-block:: console
+
+     choco install -y --no-progress visualstudio2019buildtools --version=16.11.11.0
+     choco install -y --no-progress visualstudio2019-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
+     choco install -y --no-progress sed
+     choco install -y --no-progress winflexbison3
+     choco install -y --no-progress msysgit
+     choco install -y --no-progress python
+     choco install -y --no-progress openssl --version=3.1.1
+
+  Once the dependencies are installed, you will need to add the Git installation
+  to your PATH (``C:\Program Files\Git\bin`` by default). This is needed for the
+  ``sh`` command to be available during the build. Once all of the dependencies
+  are in place, you will need to open a shell (PowerShell or cmd) and add the
+  development environment to it. The following command is for running on an
+  x86_64 host.
+
+  .. code-block:: console
+
+     C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat x86_amd64
+
+  Now you can build via cmake:
+
+  .. code-block:: console
+
+     mkdir build
+     cd build
+     cmake.exe .. -DCMAKE_BUILD_TYPE=release -DENABLE_ZEEK_UNIT_TESTS=yes -DENABLE_CLUSTER_BACKEND_ZEROMQ=no -DVCPKG_TARGET_TRIPLET="x64-windows-static" -G Ninja
+     cmake.exe --build .
+
+  All of this is duplicated in the CI configuration for Windows which lives in
+  the ``ci/windows`` directory, and can be used as a reference for running the
+  commands by hand.
+
+  Note: By default, Windows links against the standard libpcap library from
+  vcpkg. This version of libpcap does not support packet capture on Windows,
+  unlike other platforms. In order to capture packets from live interfaces on
+  Windows, you will need to link against the Npcap_ library. This library is free
+  for personal use, but requires a paid license for commercial use or
+  redistribution. To link against Npcap, download the SDK from their website,
+  unzip it, and then pass ``-DPCAP_ROOT_DIR="<path to npcap sdk>"`` to the
+  initial CMake invocation for Zeek.
+
+  Note also that the ZeroMQ cluster backend is not yet supported on Windows.
+
+Optional Dependencies
+---------------------
+
+Zeek can make use of some optional libraries and tools if they are found at
+build time:
+
+    * libmaxminddb (for geolocating IP addresses)
+    * sendmail (enables Zeek and ZeekControl to send mail)
+    * curl (used by a Zeek script that implements active HTTP)
+    * gperftools (tcmalloc is used to improve memory and CPU usage)
+    * jemalloc (https://github.com/jemalloc/jemalloc)
+    * PF_RING (Linux only, see :ref:`pf-ring-config`)
+    * krb5 libraries and headers
+    * ipsumdump (for trace-summary; https://github.com/kohler/ipsumdump)
+    * hiredis (for the Redis storage backend)
+
+Geolocation is probably the most interesting and can be installed on most
+platforms by following the instructions for :ref:`address geolocation and AS
+lookups <geolocation>`.
+
+The `zkg package manager`_, included in the Zeek installation, requires
+two external Python modules:
+
+    * GitPython: https://pypi.org/project/GitPython/
+    * semantic-version: https://pypi.org/project/semantic-version/
+
+These install easily via pip (``pip3 install GitPython
+semantic-version``) and also ship with some distributions:
+
+* RPM/RedHat-based Linux:
+
+  .. code-block:: console
+
+     sudo yum install python3-GitPython python3-semantic_version
+
+* DEB/Debian-based Linux:
+
+  .. code-block:: console
+
+     sudo apt-get install python3-git python3-semantic-version
+
+``zkg`` also requires a ``git`` installation, which the above system packages
+pull in as a dependency. If you install via pip, remember that you also need
+``git`` itself.
+
+Retrieving the Sources
+----------------------
+
+Zeek releases are bundled into source packages for convenience and are
+available on the `downloads page`_. The source code can be manually downloaded
+from the link in the ``.tar.gz`` format to the target system for installation.
+
+If you plan to `contribute`_ to Zeek or just want to try out the latest
+features under development, you should obtain Zeek's source code through its
+Git repositories hosted at https://github.com/zeek:
+
+.. code-block:: console
+
+    git clone --recurse-submodules https://github.com/zeek/zeek
+
+.. note:: If you choose to clone the ``zeek`` repository
+   non-recursively for a "minimal Zeek experience", be aware that
+   compiling it depends on several of the other submodules as well, so
+   you'll likely have to build/install those independently first.
+
+Configuring and Building
+------------------------
+
+The typical way to build and install from source is as follows:
+
+.. code-block:: console
+
+    ./configure
+    make
+    make install
+
+If the ``configure`` script fails, then it is most likely because it either
+couldn't find a required dependency or it couldn't find a sufficiently new
+version of a dependency.  Assuming that you already installed all required
+dependencies, then you may need to use one of the ``--with-*`` options
+that can be given to the ``configure`` script to help it locate a dependency.
+To find out what all different options ``./configure`` supports, run
+``./configure --help``.
+
+The default installation path is ``/usr/local/zeek``, which would typically
+require root privileges when doing the ``make install``.  A different
+installation path can be chosen by specifying the ``configure`` script
+``--prefix`` option.  Note that ``/usr``, ``/opt/bro/``, and ``/opt/zeek`` are
+the standard prefixes for binary Zeek packages to be installed, so those are
+typically not good choices unless you are creating such a package.
+
+OpenBSD users, please see our `FAQ <https://zeek.org/faq/>`_ if you are having
+problems installing Zeek.
+
+Depending on the Zeek package you downloaded, there may be auxiliary
+tools and libraries available in the ``auxil/`` directory. Some of them
+will be automatically built and installed along with Zeek. There are
+``--disable-*`` options that can be given to the configure script to
+turn off unwanted auxiliary projects that would otherwise be installed
+automatically.  Finally, use ``make install-aux`` to install some of
+the other programs that are in the ``auxil/zeek-aux`` directory.
+
+Finally, if you want to build the Zeek documentation (not required, because
+all of the documentation for the latest Zeek release is available at
+https://docs.zeek.org), there are instructions in ``doc/README`` in the source
+distribution.
+
+Cross Compiling
+---------------
+
+Prerequisites
+~~~~~~~~~~~~~
+
+You need three things on the host system:
+
+1. The Zeek source tree.
+2. A cross-compilation toolchain, such as one built via crosstool-NG_.
+3. Pre-built Zeek dependencies from the target system.  This usually
+   includes libpcap, zlib, OpenSSL, and Python development headers
+   and libraries.
+
+Configuration and Compiling
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You first need to compile a few build tools native to the host system
+for use during the later cross-compile build.  In the root of your
+Zeek source tree:
+
+.. code-block:: console
+
+   ./configure --builddir=../zeek-buildtools
+   ( cd ../zeek-buildtools && make binpac bifcl )
+
+Next configure Zeek to use your cross-compilation toolchain (this example
+uses a Raspberry Pi as the target system):
+
+.. code-block:: console
+
+   ./configure --toolchain=/home/jon/x-tools/RaspberryPi-toolchain.cmake --with-binpac=$(pwd)/../zeek-buildtools/auxil/binpac/src/binpac --with-bifcl=$(pwd)/../zeek-buildtools/src/bifcl
+
+Here, the :file:`RaspberryPi-toolchain.cmake` file specifies a `CMake
+toolchain`_.  In the toolchain file, you need to point the toolchain and
+compiler at the cross-compilation toolchain.  It might look something the
+following:
+
+.. code-block:: cmake
+
+  # Operating System on which CMake is targeting.
+  set(CMAKE_SYSTEM_NAME Linux)
+
+  # The CMAKE_STAGING_PREFIX option may not work.
+  # Given that Zeek is configured:
+  #
+  #   ``./configure --prefix=<dir>``
+  #
+  # The options are:
+  #
+  #   (1) ``make install`` and then copy over the --prefix dir from host to
+  #       target system.
+  #
+  #   (2) ``DESTDIR=<staging_dir> make install`` and then copy over the
+  #       contents of that staging directory.
+
+  set(toolchain /home/jon/x-tools/arm-rpi-linux-gnueabihf)
+  set(CMAKE_C_COMPILER   ${toolchain}/bin/arm-rpi-linux-gnueabihf-gcc)
+  set(CMAKE_CXX_COMPILER ${toolchain}/bin/arm-rpi-linux-gnueabihf-g++)
+
+  # The cross-compiler/linker will use these paths to locate dependencies.
+  set(CMAKE_FIND_ROOT_PATH
+      /home/jon/x-tools/zeek-rpi-deps
+      ${toolchain}/arm-rpi-linux-gnueabihf/sysroot
+  )
+
+  set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+  set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+  set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+
+If that configuration succeeds you are ready to build:
+
+.. code-block:: console
+
+   make
+
+And if that works, install on your host system:
+
+.. code-block:: console
+
+   make install
+
+Once installed, you can copy/move the files from the installation prefix on the
+host system to the target system and start running Zeek as usual.
+
+Configuring the Run-Time Environment
+====================================
+
+You may want to adjust your :envvar:`PATH` environment variable
+according to the platform/shell/package you're using since
+neither :file:`/usr/local/zeek/bin/` nor :file:`/opt/zeek/bin/`
+will reside in the default :envvar:`PATH`. For example:
+
+Bourne-Shell Syntax:
+
+.. code-block:: console
+
+   export PATH=/usr/local/zeek/bin:$PATH
+
+C-Shell Syntax:
+
+.. code-block:: console
+
+   setenv PATH /usr/local/zeek/bin:$PATH
+
+Or substitute ``/opt/zeek/bin`` instead if you installed from a binary package.
+
+Zeek supports several environment variables to adjust its behavior. Take a look
+at the ``zeek --help`` output for details.
diff --git a/doc/cluster-setup.rst b/doc/cluster-setup.rst
new file mode 100644
index 0000000000..0bb5cc0790
--- /dev/null
+++ b/doc/cluster-setup.rst
@@ -0,0 +1,507 @@
+
+.. _ZeekControl documentation: https://github.com/zeek/zeekctl
+
+==================
+Zeek Cluster Setup
+==================
+
+.. TODO: integrate BoZ revisions
+
+A *Zeek Cluster* is a set of systems jointly analyzing the traffic of
+a network link in a coordinated fashion.  You can operate such a setup from
+a central manager system easily using ZeekControl because it
+hides much of the complexity of the multi-machine installation.
+
+Cluster Architecture
+====================
+
+Zeek is not multithreaded, so once the limitations of a single processor core
+are reached the only option currently is to spread the workload across many
+cores, or even many physical computers. The cluster deployment scenario for
+Zeek is the current solution to build these larger systems. The tools and
+scripts that accompany Zeek provide the structure to easily manage many Zeek
+processes examining packets and doing correlation activities but acting as
+a singular, cohesive entity.  This section describes the Zeek cluster
+architecture.  For information on how to configure a Zeek cluster,
+see the documentation for `ZeekControl <https://github.com/zeek/zeekctl>`_.
+
+Architecture
+------------
+
+The figure below illustrates the main components of a Zeek cluster.
+
+.. image:: /images/deployment.png
+
+For more specific information on the way Zeek processes are connected,
+how they function, and how they communicate with each other, see the
+:ref:`Broker Framework Documentation <broker-framework>`.
+
+Tap
+***
+The tap is a mechanism that splits the packet stream in order to make a copy
+available for inspection. Examples include the monitoring port on a switch
+and an optical splitter on fiber networks.
+
+Frontend
+********
+The frontend is a discrete hardware device or on-host technique that splits
+traffic into many streams or flows. The Zeek binary does not do this job.
+There are numerous ways to accomplish this task, some of which are described
+below in `Frontend Options`_.
+
+Manager
+*******
+The manager is a Zeek process that has two primary jobs.  It receives log
+messages and notices from the rest of the nodes in the cluster using the Zeek
+communications protocol (note that if you use a separate logger node, then the
+logger receives all logs instead of the manager).  The result
+is a single log instead of many discrete logs that you have to
+combine in some manner with post-processing.
+The manager also supports other functionality and analysis which
+requires a centralized, global view of events or data.
+
+Logger
+******
+A logger is an optional Zeek process that receives log messages from the
+rest of the nodes in the cluster using the Zeek communications protocol.
+The purpose of having a logger receive logs instead of the manager is
+to reduce the load on the manager.  If no logger is needed, then the
+manager will receive logs instead.
+
+Proxy
+*****
+A proxy is a Zeek process that may be used to offload data storage or
+any arbitrary workload.  A cluster may contain multiple proxy nodes.
+The default scripts that come with Zeek make minimal use of proxies, so
+a single one may be sufficient, but customized use of them to partition
+data or workloads provides greater cluster scalability potential than
+just doing similar tasks on a single, centralized Manager node.
+
+Zeek processes acting as proxies don't tend to be extremely hard on CPU
+or memory and users frequently run proxy processes on the same physical
+host as the manager.
+
+Worker
+******
+The worker is the Zeek process that sniffs network traffic and does protocol
+analysis on the reassembled traffic streams.  Most of the work of an active
+cluster takes place on the workers and as such, the workers typically
+represent the bulk of the Zeek processes that are running in a cluster.
+The fastest memory and CPU core speed you can afford is recommended
+since all of the protocol parsing and most analysis will take place here.
+There are no particular requirements for the disks in workers since almost all
+logging is done remotely to the manager, and normally very little is written
+to disk.
+
+Frontend Options
+----------------
+
+There are many options for setting up a frontend flow distributor.  In many
+cases it is beneficial to do multiple stages of flow distribution
+on the network and on the host.
+
+Discrete hardware flow balancers
+********************************
+
+cPacket
+^^^^^^^
+
+If you are monitoring one or more 10G physical interfaces, the recommended
+solution is to use either a cFlow or cVu device from cPacket because they
+are used successfully at a number of sites.  These devices will perform
+layer-2 load balancing by rewriting the destination Ethernet MAC address
+to cause each packet associated with a particular flow to have the same
+destination MAC.  The packets can then be passed directly to a monitoring
+host where each worker has a BPF filter to limit its visibility to only that
+stream of flows, or onward to a commodity switch to split the traffic out to
+multiple 1G interfaces for the workers.  This greatly reduces
+costs since workers can use relatively inexpensive 1G interfaces.
+
+On host flow balancing
+**********************
+
+PF_RING
+^^^^^^^
+
+The PF_RING software for Linux has a "clustering" feature which will do
+flow-based load balancing across a number of processes that are sniffing the
+same interface.  This allows you to easily take advantage of multiple
+cores in a single physical host because Zeek's main event loop is single
+threaded and can't natively utilize all of the cores.  If you want to use
+PF_RING, see the documentation on :ref:`how to configure Zeek with PF_RING
+<pf-ring-config>`.
+
+
+AF_PACKET
+^^^^^^^^^
+
+On Linux, Zeek supports `AF_PACKET sockets <https://docs.kernel.org/networking/packet_mmap.html>`_ natively.
+Currently, this is provided by including the `external Zeek::AF_Packet plugin <https://github.com/zeek/zeek-af_packet-plugin>`_
+in default builds of Zeek for Linux. Additional information can be found in
+the project's README file.
+
+To check the availability of the ``af_packet`` packet source, print its information using ``zeek -N``::
+
+    zeek -N Zeek::AF_Packet
+    Zeek::AF_Packet - Packet acquisition via AF_Packet (dynamic, version 3.2.0)
+
+On FreeBSD, MacOSX, or if Zeek was built with ``--disable-af-packet``, the
+plugin won't be available.
+
+Single worker mode
+""""""""""""""""""
+
+For the most basic usage, prefix the interface with ``af_packet::`` when invoking Zeek::
+
+    zeek -i af_packet::eth0
+
+Generally, running Zeek this way requires a privileged user with CAP_NET_RAW
+and CAP_NET_ADMIN capabilities. Linux supports file-based capabilities: A
+process executing an executable with capabilities will receive these.
+Using this mechanism allows to run Zeek as an unprivileged user once the file
+capabilities have been added::
+
+    sudo setcap cap_net_raw,cap_net_admin=+eip /path/to/zeek
+
+Offloading and ethtool tuning
+"""""""""""""""""""""""""""""
+
+While not specific to AF_PACKET, it is recommended to disable any offloading
+features provided by the network card or Linux networking stack when running
+Zeek. This allows to see network packets as they arrive on the wire.
+See this `blog post <https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html>`_
+for more background
+
+Toggling these features can be done with the ``ethtool -K`` command, for example::
+
+    IFACE=eth0
+    for offload in rx tx sg tso ufo gso gro lro; do
+      ethtool -K $IFACE $offload off
+    done
+
+Detailed statistics about the interface can be gathered via ``ethtool -S``.
+
+For more details around the involved offloads consult the
+`ethtool manpage <https://man7.org/linux/man-pages/man8/ethtool.8.html>`_.
+
+Load balancing
+""""""""""""""
+
+The more interesting use-case is to use AF_PACKET to run multiple Zeek workers
+and have their packet sockets join what is called a fanout group.
+In such a setup, the network traffic is load-balanced across Zeek workers.
+By default load balancing is based on symmetric flow hashes [#]_.
+
+For example, running two Zeek workers listening on the same network interface,
+each worker analyzing approximately half of the network traffic, can be done
+as follows::
+
+    zeek -i af_packet::eth0 &
+    zeek -i af_packet::eth0 &
+
+The fanout group is identified by an id and configurable using the
+``AF_Packet::fanout_id`` constant which defaults to 23. In the example
+above, both Zeek workers join the same fanout group.
+
+
+.. note::
+
+  As a caveat, within the same Linux network namespace, two Zeek processes can
+  not use the same fanout group id for listening on different network interfaces.
+  If this is a setup you're planning on running, configure the fanout group
+  ids explicitly.
+  For illustration purposes, the following starts two Zeek workers each using
+  a different network interface and fanout group id::
+
+    zeek -i af_packet::eth0 AF_Packet::fanout_id=23 &
+    zeek -i af_packet::eth1 AF_Packet::fanout_id=24 &
+
+.. warning::
+
+  Zeek workers crashing or restarting due to running out of memory can,
+  for a short period of time, disturb load balancing due to their packet
+  sockets being removed and later rejoining the fanout group.
+  This may be visible in Zeek logs as gaps and/or duplicated connection
+  entries produced by different Zeek workers.
+
+See :ref:`cluster-configuration` for instructions how to configure AF_PACKET
+with ZeekControl.
+
+
+Netmap
+^^^^^^
+
+`Netmap <https://github.com/luigirizzo/netmap>`_ is a framework for fast
+packet I/O that is natively supported on FreeBSD since version 10.
+On Linux it can be installed as an out-of-tree kernel module.
+
+FreeBSD
+"""""""
+FreeBSD's libpcap library supports netmap natively. This allows to prefix
+interface names with ``netmap:`` to instruct libpcap to open the interface
+in netmap mode. For example, a single Zeek worker can leverage netmap
+transparently using Zeek's default packet source as follows::
+
+    zeek -i netmap:em0
+
+.. warning::
+
+  Above command will put the em0 interface into kernel-bypass mode. Network
+  packets will pass directly to Zeek without being interpreted by the kernel.
+  If em0 is your primary network interface, this effectively disables
+  networking, including SSH connectivity.
+
+If your network card supports multiple rings, individual Zeek workers can be
+attached to these as well (this assumes the NIC does proper flow hashing in hardware)::
+
+    zeek -i netmap:em0-0
+    zeek -i netmap:em0-1
+
+For software load balancing support, the FreeBSD source tree includes the
+``lb`` tool to distribute packets into netmap pipes doing flow hashing
+in user-space.
+
+To compile and install ``lb``, ensure ``/usr/src`` is available on your
+FreeBSD system, then run the following commands::
+
+    cd /usr/src/tools/tools/netmap/
+    make
+    # Installs lb into /usr/local/bin
+    cp /usr/obj/usr/src/`uname -m`.`uname -m`/tools/tools/netmap/lb /usr/local/bin/
+
+
+To load-balance packets arriving on em0 into 4 different netmap pipes named
+``zeek}0`` through ``zeek}3``, run ``lb`` as follows::
+
+    lb -i em0 -p zeek:4
+    410.154166 main [634] interface is em0
+    411.377220 main [741] successfully opened netmap:em0
+    411.377243 main [812] opening pipe named netmap:zeek{0/xT@1
+    411.379200 main [829] successfully opened pipe #1 netmap:zeek{0/xT@1 (tx slots: 1024)
+    411.379242 main [838] zerocopy enabled
+    ...
+
+Now, Zeek workers can attach to these four netmap pipes. When starting Zeek
+workers manually, the respective invocations would be as follows. The ``/x``
+suffix specifies exclusive mode to prevent two Zeek processes consuming packets
+from the same netmap pipe::
+
+    zeek -i netmap:zeek}0/x
+    zeek -i netmap:zeek}1/x
+    zeek -i netmap:zeek}2/x
+    zeek -i netmap:zeek}3/x
+
+For packet-level debugging, you can attach ``tcpdump`` to any of the netmap
+pipes in read monitor mode even while Zeek workers are consuming from them::
+
+    tcpdump -i netmap:zeek}1/r
+
+In case libpcap's netmap support is insufficient, the external
+`Zeek netmap plugin <https://github.com/zeek/zeek-netmap>`_ can be installed.
+
+.. warning::
+
+  When using the zeek-netmap plugin on FreeBSD, the interface specification given to Zeek
+  needs to change from ``netmap:zeek}0/x`` to ``netmap::zeek}0/x`` - a single colon more.
+  In the first case, Zeek uses the default libpcap packet source and passes ``netmap:zeek}0``
+  as interface name. In the second case, ``netmap::`` is interpreted by Zeek and
+  the netmap packet source is instantiated. The ``zeek}0/x`` part is used as
+  interface name.
+
+Linux
+"""""
+
+While netmap isn't included in the Linux kernel, it can be installed as
+an out-of-tree kernel module.
+See the project's `GitHub repository <https://github.com/luigirizzo/netmap>`_
+for detailed instructions. This includes the ``lb`` tool for load balancing.
+
+On Linux, the external `zeek-netmap <https://github.com/zeek/zeek-netmap>`_
+packet source plugin is required, or the system's libpcap library as used by
+Zeek needs to be recompiled with native netmap support. With the netmap kernel
+module loaded and the Zeek plugin installed, running a Zeek worker as follows
+will leverage netmap on Linux::
+
+    zeek -i netmap::eth1
+
+For using ``lb`` or libpcap with netmap support, refer to the commands shown
+in the FreeBSD section - these are essentially the same.
+
+
+.. _cluster-configuration:
+
+Cluster Configuration
+=====================
+
+A *Zeek Cluster* is a set of systems jointly analyzing the traffic of
+a network link in a coordinated fashion.  You can operate such a setup from
+a central manager system easily using ZeekControl because it
+hides much of the complexity of the multi-machine installation.
+
+This section gives examples of how to setup common cluster configurations
+using ZeekControl.  For a full reference on ZeekControl, see the
+`ZeekControl documentation`_.
+
+Preparing to Setup a Cluster
+----------------------------
+
+We refer to the user account used to set up the cluster
+as the "Zeek user".  When setting up a cluster the Zeek user must be set up
+on all hosts, and this user must have ssh access from the manager to all
+machines in the cluster, and it must work without being prompted for a
+password/passphrase (for example, using ssh public key authentication).
+Also, on the worker nodes this user must have access to the target
+network interface in promiscuous mode.
+
+Additional storage must be available on all hosts under the same path,
+which we will call the cluster's prefix path.  We refer to this directory
+as ``<prefix>``.  If you build Zeek from source, then ``<prefix>`` is
+the directory specified with the ``--prefix`` configure option,
+or ``/usr/local/zeek`` by default.  The Zeek user must be able to either
+create this directory or, where it already exists, must have write
+permission inside this directory on all hosts.
+
+When trying to decide how to configure the Zeek nodes, keep in mind that
+there can be multiple Zeek instances running on the same host.  For example,
+it's possible to run a proxy and the manager on the same host.  However, it is
+recommended to run workers on a different machine than the manager because
+workers can consume a lot of CPU resources.  The maximum recommended
+number of workers to run on a machine should be one or two less than
+the number of CPU cores available on that machine.  Using a load-balancing
+method (such as PF_RING) along with CPU pinning can decrease the load on
+the worker machines.  Also, in order to reduce the load on the manager
+process, it is recommended to have a logger in your configuration.  If a
+logger is defined in your cluster configuration, then it will receive logs
+instead of the manager process.
+
+Basic Cluster Configuration
+---------------------------
+
+With all prerequisites in place, perform the following steps to setup
+a Zeek cluster (do this as the Zeek user on the manager host only):
+
+- Edit the ZeekControl configuration file, ``<prefix>/etc/zeekctl.cfg``,
+  and change the value of any options to be more suitable for
+  your environment.  You will most likely want to change the value of
+  the ``MailTo`` and ``LogRotationInterval`` options.  A complete
+  reference of all ZeekControl options can be found in the
+  `ZeekControl documentation`_.
+
+- Edit the ZeekControl node configuration file, ``<prefix>/etc/node.cfg``
+  to define where logger, manager, proxies, and workers are to run.  For a
+  cluster configuration, you must comment-out (or remove) the standalone node
+  in that file, and either uncomment or add node entries for each node
+  in your cluster (logger, manager, proxy, and workers).  For example, if you
+  wanted to run five Zeek nodes (two workers, one proxy, a logger, and a
+  manager) on a cluster consisting of three machines, your cluster
+  configuration would look like this::
+
+    [logger]
+    type=logger
+    host=10.0.0.10
+
+    [manager]
+    type=manager
+    host=10.0.0.10
+
+    [proxy-1]
+    type=proxy
+    host=10.0.0.10
+
+    [worker-1]
+    type=worker
+    host=10.0.0.11
+    interface=eth0
+
+    [worker-2]
+    type=worker
+    host=10.0.0.12
+    interface=eth0
+
+  For a complete reference of all options that are allowed in the ``node.cfg``
+  file, see the `ZeekControl documentation`_.
+
+- Edit the network configuration file ``<prefix>/etc/networks.cfg``.  This
+  file lists all of the networks which the cluster should consider as local
+  to the monitored environment.
+
+- Install Zeek on all machines in the cluster using ZeekControl::
+
+    > zeekctl install
+
+- See the `ZeekControl documentation`_
+  for information on setting up a cron job on the manager host that can
+  monitor the cluster.
+
+AF_PACKET Cluster Configuration
+-------------------------------
+
+Since version 5.2, Zeek includes AF_PACKET as a native packet source. This
+provides an easy and efficient capture mechanism for Linux users.
+
+Adapt the worker section in ZeekControl's ``node.cfg`` file with the
+following entries, assuming running four worker processes listening on ``eth0`` ::
+
+    [worker-1]
+    type=worker
+    host=10.0.0.11
+    interface=eth0
+    lb_method=af_packet
+    lb_procs=4
+
+The specific options are ``lb_method=af_packet`` and ``lb_procs=4``.
+If listening on two or more interfaces on the same host is a requirement,
+remember to set a unique ``fanout_id`` using the node option ``af_packet_fanout_id``::
+
+    [worker-1-eth0]
+    type=worker
+    host=10.0.0.11
+    interface=eth0
+    lb_method=af_packet
+    lb_procs=4
+    af_packet_fanout_id=20
+
+    [worker-1-eth1]
+    type=worker
+    host=10.0.0.11
+    interface=eth1
+    lb_method=af_packet
+    lb_procs=4
+    af_packet_fanout_id=21
+
+Pinning the worker processes to individual CPU cores can improve performance.
+Use the node's option ``pin_cpus=4,5,6,7``, listing as many CPU numbers as
+processes at appropriate offsets.
+
+.. _pf-ring-config:
+
+PF_RING Cluster Configuration
+-----------------------------
+
+`PF_RING <http://www.ntop.org/products/pf_ring/>`_ allows speeding up the
+packet capture process by installing a new type of socket in Linux systems.
+It supports 10Gbit hardware packet filtering using standard network adapters,
+and user-space DNA (Direct NIC Access) for fast packet capture/transmission.
+
+.. note::
+
+   Unless you have evaluated to specifically require PF_RING, consider using
+   AF_PACKET first and test if it fulfills your requirements. AF_PACKET has
+   been integrated into Zeek since version 5.2. It's a bit easier to get
+   started with as it does not require an out of tree Linux kernel module.
+
+Head over to :ref:`cluster-pf-ring` for more details.
+
+.. toctree::
+   :hidden:
+
+   cluster/pf_ring
+
+
+.. [#] Some Linux kernel versions between 3.10 and 4.7 might exhibit
+       a bug that prevents the required symmetric hashing. The script available
+       in the GitHub project `can-i-use-afpacket-fanout <https://github.com/JustinAzoff/can-i-use-afpacket-fanout>`_
+       can be used to verify whether ``PACKET_FANOUT`` works as expected.
+
+       This issue has been fixed in all stable kernels for at least 5 years.
+       You're unlikely to be affected.
diff --git a/doc/cluster/pf_ring.rst b/doc/cluster/pf_ring.rst
new file mode 100644
index 0000000000..aa124491c2
--- /dev/null
+++ b/doc/cluster/pf_ring.rst
@@ -0,0 +1,141 @@
+.. _cluster-pf-ring:
+
+===================
+PF_RING Setup Guide
+===================
+
+Installing PF_RING
+******************
+
+1. Download and install PF_RING for your system following the instructions
+   `here <http://www.ntop.org/get-started/download/#PF_RING>`_.  The following
+   commands will install the PF_RING libraries and kernel module (replace
+   the version number 5.6.2 in this example with the version that you
+   downloaded)::
+
+     cd /usr/src
+     tar xvzf PF_RING-5.6.2.tar.gz
+     cd PF_RING-5.6.2/userland/lib
+     ./configure --prefix=/opt/pfring
+     make install
+
+     cd ../libpcap
+     ./configure --prefix=/opt/pfring
+     make install
+
+     cd ../tcpdump-4.1.1
+     ./configure --prefix=/opt/pfring
+     make install
+
+     cd ../../kernel
+     make
+     make install
+
+     modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
+
+   Refer to the documentation for your Linux distribution on how to load the
+   pf_ring module at boot time.  You will need to install the PF_RING
+   library files and kernel module on all of the workers in your cluster.
+
+2. Download the Zeek source code.
+
+3. Configure and install Zeek using the following commands::
+
+     ./configure --with-pcap=/opt/pfring
+     make
+     make install
+
+4. Make sure Zeek is correctly linked to the PF_RING libpcap libraries::
+
+     ldd /usr/local/zeek/bin/zeek | grep pcap
+           libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fa6d7d24000)
+
+5. Configure ZeekControl to use PF_RING (explained below).
+
+6. Run "zeekctl install" on the manager.  This command will install Zeek and
+   required scripts to all machines in your cluster.
+
+Using PF_RING
+*************
+
+In order to use PF_RING, you need to specify the correct configuration
+options for your worker nodes in ZeekControl's node configuration file.
+Edit the ``node.cfg`` file and specify ``lb_method=pf_ring`` for each of
+your worker nodes.  Next, use the ``lb_procs`` node option to specify how
+many Zeek processes you'd like that worker node to run, and optionally pin
+those processes to certain CPU cores with the ``pin_cpus`` option (CPU
+numbering starts at zero).  The correct ``pin_cpus`` setting to use is
+dependent on your CPU architecture (Intel and AMD systems enumerate
+processors in different ways).  Using the wrong ``pin_cpus`` setting
+can cause poor performance.  Here is what a worker node entry should
+look like when using PF_RING and CPU pinning::
+
+   [worker-1]
+   type=worker
+   host=10.0.0.50
+   interface=eth0
+   lb_method=pf_ring
+   lb_procs=10
+   pin_cpus=2,3,4,5,6,7,8,9,10,11
+
+
+Using PF_RING+DNA with symmetric RSS
+************************************
+
+You must have a PF_RING+DNA license in order to do this.  You can sniff
+each packet only once.
+
+1. Load the DNA NIC driver (i.e. ixgbe) on each worker host.
+
+2. Run "ethtool -L dna0 combined 10" (this will establish 10 RSS queues
+   on your NIC) on each worker host.  You must make sure that you set the
+   number of RSS queues to the same as the number you specify for the
+   lb_procs option in the node.cfg file.
+
+3. On the manager, configure your worker(s) in node.cfg::
+
+       [worker-1]
+       type=worker
+       host=10.0.0.50
+       interface=dna0
+       lb_method=pf_ring
+       lb_procs=10
+
+
+Using PF_RING+DNA with pfdnacluster_master
+******************************************
+
+You must have a PF_RING+DNA license and a libzero license in order to do
+this.  You can load balance between multiple applications and sniff the
+same packets multiple times with different tools.
+
+1. Load the DNA NIC driver (i.e. ixgbe) on each worker host.
+
+2. Run "ethtool -L dna0 1" (this will establish 1 RSS queues on your NIC)
+   on each worker host.
+
+3. Run the pfdnacluster_master command on each worker host.  For example::
+
+       pfdnacluster_master -c 21 -i dna0 -n 10
+
+   Make sure that your cluster ID (21 in this example) matches the interface
+   name you specify in the node.cfg file.  Also make sure that the number
+   of processes you're balancing across (10 in this example) matches
+   the lb_procs option in the node.cfg file.
+
+4. If you are load balancing to other processes, you can use the
+   pfringfirstappinstance variable in zeekctl.cfg to set the first
+   application instance that Zeek should use.  For example, if you are running
+   pfdnacluster_master with "-n 10,4" you would set
+   pfringfirstappinstance=4.  Unfortunately that's still a global setting
+   in zeekctl.cfg at the moment but we may change that to something you can
+   set in node.cfg eventually.
+
+5. On the manager, configure your worker(s) in node.cfg::
+
+       [worker-1]
+       type=worker
+       host=10.0.0.50
+       interface=dnacluster:21
+       lb_method=pf_ring
+       lb_procs=10
diff --git a/doc/components/index.rst b/doc/components/index.rst
new file mode 100644
index 0000000000..45092f3baa
--- /dev/null
+++ b/doc/components/index.rst
@@ -0,0 +1,33 @@
+
+=============
+Subcomponents
+=============
+
+To find documentation for the various subcomponents of Zeek, see their
+respective GitHub repositories or documentation:
+
+* `Spicy <https://docs.zeek.org/projects/spicy>`__
+  - C++ parser generator for dissecting protocols & files.
+* `BinPAC <https://github.com/zeek/binpac>`__
+  - A protocol parser generator
+* `ZeekControl <https://github.com/zeek/zeekctl>`__
+  - Interactive Zeek management shell
+* `Zeek-Aux <https://github.com/zeek/zeek-aux>`__
+  - Small auxiliary tools for Zeek
+* `BTest <https://github.com/zeek/btest>`__
+  - A system testing framework
+* `Capstats <https://github.com/zeek/capstats>`__
+  - Command-line packet statistic tool
+* `PySubnetTree <https://github.com/zeek/pysubnettree>`__
+  - Python module for CIDR lookups
+* `trace-summary <https://github.com/zeek/trace-summary>`__
+  - Script for generating break-downs of network traffic
+* `Broker <https://github.com/zeek/broker>`__
+  - Zeek's Messaging Library
+  - `(Docs) <https://docs.zeek.org/projects/broker>`__
+* `Package Manager <https://github.com/zeek/package-manager>`__
+  - A package manager for Zeek
+  - `(Docs) <https://docs.zeek.org/projects/package-manager>`__
+* `Paraglob <https://github.com/zeek/paraglob>`__
+  - A pattern matching data structure for Zeek.
+  - `(Docs) <https://github.com/zeek/paraglob/blob/master/README.md>`__
diff --git a/doc/conf.py b/doc/conf.py
new file mode 100644
index 0000000000..69de553ac5
--- /dev/null
+++ b/doc/conf.py
@@ -0,0 +1,305 @@
+#
+# Zeek documentation build configuration file, created by sphinx-quickstart
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import os
+import sys
+
+extensions = []
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+sys.path.insert(0, os.path.abspath("ext"))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions += [
+    "zeek",
+    "sphinx.ext.todo",
+    "zeek_pygments",
+    "spicy-pygments",
+    "literal-emph",
+    "sphinx.ext.extlinks",
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ["_templates"]
+
+# The suffix of source filenames.
+source_suffix = ".rst"
+
+# The encoding of source files.
+# source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = "index"
+
+# General information about the project.
+project = "Zeek"
+copyright = "by the Zeek Project"
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+#
+
+version = "source"
+
+try:
+    # Use the actual Zeek version if available
+    with open("../VERSION") as f:
+        version = f.readline().strip()
+except:
+    try:
+        import re
+
+        import git
+
+        repo = git.Repo(os.path.abspath("."))
+        version = "git/master"
+
+        version_tag_re = r"v\d+\.\d+(\.\d+)?"
+        version_tags = [
+            t
+            for t in repo.tags
+            if t.commit == repo.head.commit and re.match(version_tag_re, str(t))
+        ]
+        # Note: sorting by tag date doesn't necessarily give correct
+        # order in terms of version numbers, but doubtful that will ever be
+        # a problem (if we ever do re-tag an old version number on a given
+        # commit such that it is incorrectly found as the most recent version,
+        # we can just re-tag all the other version numbers on that same commit)
+        version_tags = sorted(version_tags, key=lambda t: t.tag.tagged_date)
+
+        if version_tags:
+            version = str(version_tags[-1])
+
+    except:
+        pass
+
+# The full version, including alpha/beta/rc tags.
+release = version
+
+# In terms of the actual hyperlink URL, a more ideal/stable way to reference
+# source code on GitHub would be by commit hash, but that can be tricky to
+# update in a way that produces stable Sphinx/reST configuration: don't want
+# to update the commit-hash for every Zeek commit unless it actually produces
+# new content, and also don't want to accidentally make it easy for people to
+# insert unreachable commits when manually running
+# `zeek/ci/update-zeekygen-docs.sh`.
+#
+# We only have a few versions of docs that actually matter: `master` and
+# `release/.*`, and the tip of those branches will always be in sync with
+# auto-generated content by simply having `zeek/ci/update-zeekygen-docs.sh`
+# change this to `release/.*` when needed.
+zeek_code_version = "master"
+zeek_code_url = f"https://github.com/zeek/zeek/blob/{zeek_code_version}"
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+# language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+# today = ''
+# Else, today_fmt is used as the format for a strftime call.
+today_fmt = "%B %d, %Y"
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = [".#*", "script-reference/autogenerated-*"]
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+# default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+# add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+# add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+show_authors = True
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = "sphinx"
+
+highlight_language = "none"
+
+# A list of ignored prefixes for module index sorting.
+# modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+html_theme = "sphinx_rtd_theme"
+
+# Set canonical URL from the Read the Docs Domain
+html_baseurl = os.environ.get("READTHEDOCS_CANONICAL_URL", "")
+
+# Tell Jinja2 templates the build is running on Read the Docs
+if os.environ.get("READTHEDOCS", "") == "True":
+    if "html_context" not in globals():
+        html_context = {}
+    html_context["READTHEDOCS"] = True
+
+html_last_updated_fmt = "%B %d, %Y"
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+html_theme_options = {
+    "analytics_id": "UA-144186885-1",
+    "collapse_navigation": False,
+    "style_external_links": True,
+}
+
+# Add any paths that contain custom themes here, relative to this directory.
+# html_theme_path = []
+
+# The name for this set of Sphinx documents.  If None, it defaults to
+# "<project> v<release> Documentation".
+html_title = f"Book of Zeek ({release})"
+
+# A shorter title for the navigation bar.  Default is the same as html_title.
+# html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+html_logo = "images/zeek-logo-sidebar.png"
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+html_favicon = "images/zeek-favicon.ico"
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ["_static"]
+
+
+def setup(app):
+    app.add_css_file("theme_overrides.css")
+    from sphinx.highlighting import lexers
+    from zeek_pygments import ZeekLexer
+
+    lexers["zeek"] = ZeekLexer()
+    app.add_config_value("zeek-code-url", zeek_code_url, "env")
+
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+# html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+# html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+# html_sidebars = {
+#'**': ['localtoc.html', 'sourcelink.html', 'searchbox.html'],
+# }
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+# html_additional_pages = {}
+
+# If false, no module index is generated.
+# html_domain_indices = True
+
+# If false, no index is generated.
+# html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+# html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+# html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+# html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+# html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it.  The value of this option must be the
+# base URL from which the finished HTML is served.
+# html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+# html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = "zeek-docs"
+
+# -- Options for LaTeX output --------------------------------------------------
+
+# The paper size ('letter' or 'a4').
+# latex_paper_size = 'letter'
+
+# The font size ('10pt', '11pt' or '12pt').
+# latex_font_size = '10pt'
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+    ("index", "Zeek.tex", "Zeek Documentation", "The Zeek Project", "manual"),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+# latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+# latex_use_parts = False
+
+# If true, show page references after internal links.
+# latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+# latex_show_urls = False
+
+# Additional stuff for the LaTeX preamble.
+# latex_preamble = ''
+
+# Documents to append as an appendix to all manuals.
+# latex_appendices = []
+
+# If false, no module index is generated.
+# latex_domain_indices = True
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [("index", "zeek", "Zeek Documentation", ["The Zeek Project"], 1)]
+
+# -- Options for todo plugin --------------------------------------------
+todo_include_todos = True
+
+extlinks = {
+    "slacklink": ("https://zeek.org/slack%s", None),
+    "discourselink": ("https://community.zeek.org/%s", None),
+    "spicylink": ("https://docs.zeek.org/projects/spicy/en/latest/%s", None),
+}
+extlinks_detect_hardcoded_links = True
diff --git a/doc/customizations.rst b/doc/customizations.rst
new file mode 100644
index 0000000000..fc6b15e826
--- /dev/null
+++ b/doc/customizations.rst
@@ -0,0 +1,318 @@
+.. _popular-customizations:
+
+======================
+Popular Customizations
+======================
+
+This page outlines customizations and additions that are popular
+among Zeek users.
+
+.. note::
+
+  This page lists externally-maintained Zeek packages. The Zeek team does not
+  provide support or maintenance for these packages. If you find bugs or have
+  feature requests, please reach out to the respective package maintainers directly.
+
+  You may also post in the :slacklink:`Zeek Slack <>` #packages
+  channel or :discourselink:`forum <>` to get help from the broader
+  Zeek community.
+
+
+Log Enrichment
+==============
+
+Community ID
+------------
+
+.. versionadded:: 6.0
+
+Zeek includes native `Community ID Flow Hashing`_ support. This functionality
+has previously been provided through the `zeek-community-id`_ package.
+
+.. note::
+
+  At this point, the external `zeek-community-id`_ package is still
+  available to support Zeek deployments running older versions. However,
+  the scripts provided by the package cause conflicts with those provided in
+  Zeek 6.0 - do not load both.
+
+Loading the
+:doc:`/scripts/policy/protocols/conn/community-id-logging.zeek`
+and
+:doc:`/scripts/policy/frameworks/notice/community-id.zeek`
+scripts adds an additional ``community_id`` field to the
+:zeek:see:`Conn::Info` and :zeek:see:`Notice::Info` record.
+
+.. code-block:: console
+
+   $ zeek -r ./traces/get.trace protocols/conn/community-id-logging LogAscii::use_json=T
+   $ jq < conn.log
+   {
+     "ts": 1362692526.869344,
+     "uid": "CoqLmg1Ds5TE61szq1",
+     "id.orig_h": "141.142.228.5",
+     "id.orig_p": 59856,
+     "id.resp_h": "192.150.187.43",
+     "id.resp_p": 80,
+     "proto": "tcp",
+     ...
+     "community_id": "1:yvyB8h+3dnggTZW0UEITWCst97w="
+   }
+
+
+The Community ID Flow Hash of a :zeek:see:`conn_id` instance can be computed
+with the :zeek:see:`community_id_v1` builtin function directly on the command-line
+or used in custom scripts.
+
+.. code-block:: console
+
+    $ zeek -e 'print community_id_v1([$orig_h=141.142.228.5, $orig_p=59856/tcp, $resp_h=192.150.187.43, $resp_p=80/tcp])'
+    1:yvyB8h+3dnggTZW0UEITWCst97w=
+
+.. _Community ID Flow Hashing: https://github.com/corelight/community-id-spec
+.. _zeek-community-id: https://github.com/corelight/zeek-community-id/>`_
+
+.. _geolocation:
+
+Address geolocation and AS lookups
+----------------------------------
+
+.. _libmaxminddb: https://github.com/maxmind/libmaxminddb
+
+Zeek supports IP address geolocation as well as AS (autonomous system)
+lookups. This requires two things:
+
+    * Compilation of Zeek with the `libmaxminddb`_ library and development
+      headers. If you're using our :ref:`Docker images <docker-images>` or
+      :ref:`binary packages <binary-packages>`, there's nothing to do: they ship
+      with GeoIP support.
+    * Installation of corresponding MaxMind database files on your
+      system.
+
+To check whether your Zeek supports geolocation, run ``zeek-config --have-geoip``
+(available since Zeek 6.2) or simply try an address lookup. The following
+indicates that your Zeek lacks support:
+
+.. code-block:: console
+
+    $ zeek -e 'lookup_location(1.2.3.4)'
+    error in <command line>, line 1: Zeek was not configured for GeoIP support (lookup_location(1.2.3.4))
+
+Read on for more details about building Zeek with GeoIP support, and how to
+configure access to the database files.
+
+Building Zeek with libmaxminddb
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If you build Zeek yourself, you need to install libmaxminddb prior to
+configuring your build.
+
+* RPM/RedHat-based Linux:
+
+  .. code-block:: console
+
+      sudo yum install libmaxminddb-devel
+
+* DEB/Debian-based Linux:
+
+  .. code-block:: console
+
+      sudo apt-get install libmaxminddb-dev
+
+* FreeBSD:
+
+  .. code-block:: console
+
+      sudo pkg install libmaxminddb
+
+* Mac OS X:
+
+  You need to install from your preferred package management system
+  (e.g. Homebrew, MacPorts, or Fink).  For Homebrew, the name of the package
+  that you need is libmaxminddb.
+
+The ``configure`` script's output indicates whether it successfully located
+libmaxminddb. If your system's MaxMind library resides in a non-standard path,
+you may need to specify it via ``./configure --with-geoip=<path>``.
+
+Installing and configuring GeoIP databases
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+MaxMind's databases ship as individual files that you can `download
+<https://www.maxmind.com/en/accounts/current/geoip/downloads>`_ from their
+website after `signing up <https://www.maxmind.com/en/geolite2/signup>`_ for an
+account. Some Linux distributions also offer free databases in their package
+managers.
+
+There are three types of databases: city-level geolocation, country-level
+geolocation, and mapping of IP addresses to autonomous systems (AS number and
+organization). Download these and decide on a place to put them on your
+file system. If you use automated tooling or system packages for the
+installation, that path may be chosen for you, such as ``/usr/share/GeoIP``.
+
+Zeek provides three ways to configure access to the databases:
+
+* Specifying the path and filenames via script variables. Use the
+  :zeek:see:`mmdb_dir` variable, unset by default, to point to the directory
+  containing the database(s). By default Zeek looks for databases called
+  ``GeoLite2-City.mmdb``, ``GeoLite2-Country.mmdb``, and
+  ``GeoLite2-ASN.mmdb``. Starting with Zeek 6.2 you can adjust these names by
+  redefining the :zeek:see:`mmdb_city_db`, :zeek:see:`mmdb_country_db`, and
+  :zeek:see:`mmdb_asn_db` variables.
+* Relying on Zeek's pre-configured search paths and filenames. The
+  :zeek:see:`mmdb_dir_fallbacks` variable contains default
+  search paths that Zeek will try in turn when :zeek:see:`mmdb_dir` is not
+  set. Prior to Zeek 6.2 these paths were hardcoded; they're now redefinable.
+  For geolocation, Zeek first attempts the city-level databases due to their
+  greater precision, and falls back to the city-level one.  You can adjust the
+  database filenames via :zeek:see:`mmdb_city_db` and related variables, as
+  covered above.
+* Opening databases explicitly via scripting. The
+  :zeek:see:`mmdb_open_location_db` and :zeek:see:`mmdb_open_asn_db`
+  functions take full paths to database files. Zeek only ever uses one
+  geolocation and one ASN database, and these loads override any databases
+  previously loaded. These loads can occur at any point.
+
+Querying the databases
+^^^^^^^^^^^^^^^^^^^^^^
+
+Two built-in functions provide GeoIP functionality:
+
+.. code-block:: zeek
+
+    function lookup_location(a:addr): geo_location
+    function lookup_autonomous_system(a:addr): geo_autonomous_system
+
+:zeek:see:`lookup_location` returns a :zeek:see:`geo_location` record with
+country/region/etc fields, while :zeek:see:`lookup_autonomous_system` returns a
+:zeek:see:`geo_autonomous_system` record indicating the AS number and
+organization. Depending on the queried IP address some fields may be
+uninitialized, so you should guard access with an ``a?$b`` :ref:`existence test
+<record-field-operators>`.
+
+Zeek tests the database files for staleness. If it detects that a database has
+been updated, it will automatically reload it. Zeek does not automatically add
+GeoIP intelligence to its logs, but several add-on scripts and packages provide
+such functionality. These include:
+
+* The :ref:`notice framework <notice-framework>` lets you configure notice types
+  that you'd like to augment with location information. See
+  :zeek:see:`Notice::lookup_location_types` and
+  :zeek:see:`Notice::ACTION_ADD_GEODATA` for details.
+* The :doc:`/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek` and
+  :doc:`/scripts/policy/protocols/ssh/geo-data.zeek` policy scripts.
+* Several `Zeek packages <https://packages.zeek.org>`_.
+
+Testing
+^^^^^^^
+
+Before using the GeoIP functionality it is a good idea to verify that
+everything is setup correctly. You can quickly check if the GeoIP
+functionality works by running commands like these:
+
+.. code-block:: console
+
+    zeek -e "print lookup_location(8.8.8.8);"
+
+If you see an error message similar to "Failed to open GeoIP location database",
+then your database configuration is broken. You may need to rename or move your
+GeoIP database files.
+
+Example
+^^^^^^^
+
+The following shows every FTP connection from hosts in Ohio, US:
+
+.. code-block:: zeek
+
+    event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
+    {
+      local client = c$id$orig_h;
+      local loc = lookup_location(client);
+
+      if (loc?$region && loc$region == "OH" && loc?$country_code && loc$country_code == "US")
+      {
+        local city = loc?$city ? loc$city : "<unknown>";
+
+        print fmt("FTP Connection from:%s (%s,%s,%s)", client, city,
+          loc$region, loc$country_code);
+      }
+    }
+
+
+Log Writers
+===========
+
+Kafka
+-----
+
+For exporting logs to `Apache Kafka`_ in a streaming fashion, the externally-maintained
+`zeek-kafka`_ package is a popular choice and easy to configure. It relies on `librdkafka`_.
+
+.. code-block:: zeek
+
+   redef Log::default_writer = Log::WRITER_KAFKAWRITER;
+
+   redef Kafka::kafka_conf += {
+       ["metadata.broker.list"] = "192.168.0.1:9092"
+   };
+
+.. _Apache Kafka: https://kafka.apache.org/
+.. _zeek-kafka: https://github.com/SeisoLLC/zeek-kafka/
+.. _librdkafka: https://github.com/confluentinc/librdkafka
+
+
+Logging
+=======
+
+JSON Streaming Logs
+-------------------
+
+The externally-maintained `json-streaming-logs`_ package tailors Zeek
+for use with log shippers like `Filebeat`_ or `fluentd`_. It configures
+additional log files prefixed with ``json_streaming_``, adds ``_path``
+and ``_write_ts`` fields to log records and configures log rotation
+appropriately.
+
+If you do not use a logging archive and want to stream all logs away
+from the system where Zeek is running without leveraging Kafka, this
+package helps you with that.
+
+.. _json-streaming-logs: https://github.com/corelight/json-streaming-logs
+.. _Filebeat: https://www.elastic.co/beats/filebeat
+.. _fluentd: https://www.fluentd.org/
+
+
+Long Connections
+----------------
+
+Zeek logs connection entries into the :file:`conn.log` only upon termination
+or due to expiration of inactivity timeouts. Depending on the protocol and
+chosen timeout values this can significantly delay the appearance of a log
+entry for a given connection. The delay may be up to an hour for lingering
+SSH connections or connections where the final FIN or RST packets were missed.
+
+The `zeek-long-connections`_ package alleviates this by creating a :file:`conn_long.log`
+log with the same format as :file:`conn.log`, but containing entries for connections
+that have been existing for configurable intervals.
+By default, the first entry for a connection is logged after 10mins. Depending on
+the environment, this can be lowered as even a 10 minute delay may be significant
+for detection purposes in streaming setup.
+
+.. _zeek-long-connections: https://github.com/corelight/zeek-long-connections
+
+
+Profiling and Debugging
+=======================
+
+jemalloc profiling
+------------------
+
+For investigation of memory leaks or state-growth issues within Zeek,
+jemalloc's profiling is invaluable. A package providing a bit support
+for configuring jemalloc's profiling facilities is `zeek-jemalloc-profiling`_.
+
+Some general information about memory profiling exists in the :ref:`Troubleshooting <troubleshooting>`
+section.
+
+.. _zeek-jemalloc-profiling: https://github.com/JustinAzoff/zeek-jemalloc-profiling
diff --git a/doc/devel/cluster-backend-zeromq.rst b/doc/devel/cluster-backend-zeromq.rst
new file mode 100644
index 0000000000..c07c523786
--- /dev/null
+++ b/doc/devel/cluster-backend-zeromq.rst
@@ -0,0 +1,120 @@
+.. _cluster_backend_zeromq:
+
+======================
+ZeroMQ Cluster Backend
+======================
+
+.. versionadded:: 7.1
+
+*Experimental*
+
+Quickstart
+==========
+
+To switch a Zeek cluster with a static cluster layout over to use ZeroMQ
+as cluster backend, add the following snippet to ``local.zeek``:
+
+.. code-block:: zeek
+
+   @load frameworks/cluster/backend/zeromq/connect
+
+
+Note that the function :zeek:see:`Broker::publish` will be non-functional
+and a warning emitted when used - use :zeek:see:`Cluster::publish` instead.
+
+By default, a configuration based on hard-coded endpoints and cluster layout
+information is created. For more customization, refer to the module documentation
+at :doc:`cluster/backend/zeromq/main.zeek </scripts/policy/frameworks/cluster/backend/zeromq/main.zeek>`.
+
+
+Architecture
+============
+
+Publish-Subscribe of Zeek Events
+--------------------------------
+
+The `ZeroMQ <https://zeromq.org/>`_ based cluster backend uses a central
+XPUB/XSUB broker for publish-subscribe functionality. Zeek events published
+via :zeek:see:`Cluster::publish` are distributed by this central broker to
+interested nodes.
+
+.. figure:: /images/cluster/zeromq-pubsub.png
+
+
+As depicted in the figure above, each cluster node connects to the central
+broker twice, once via its XPUB socket and once via its XSUB socket. This
+results in two TCP connections from every cluster node to the central broker.
+This setup allows every node in the cluster to see messages from all other
+nodes, avoiding the need for cluster topology awareness.
+
+.. note::
+
+   Scalability of the central broker in production setups, but for small
+   clusters on a single node, may be fast enough.
+
+On a cluster node, the XPUB socket provides notifications about subscriptions
+created by other nodes: For every subscription created by any node in
+the cluster, the :zeek:see:`Cluster::Backend::ZeroMQ::subscription` event is
+raised locally on every other node (unless another node had created the same
+subscription previously).
+
+This mechanism is used to discover the existence of other cluster nodes by
+matching the topics with the prefix for node specific subscriptions as produced
+by :zeek:see:`Cluster::nodeid_topic`.
+
+As of now, the implementation of the central broker calls ZeroMQ's
+``zmq::proxy()`` function to forward messages between the XPUB and
+XSUB socket.
+
+While the diagram above indicates the central broker being deployed separately
+from Zeek cluster nodes, by default the manager node will start and run this
+broker using a separate thread. There's nothing that would prevent from running
+a long running central broker independently from the Zeek cluster nodes, however.
+
+The serialization of Zeek events is done by the selected
+:zeek:see:`Cluster::event_serializer` and is independent of ZeroMQ.
+The central broker needs no knowledge about the chosen format, it is
+only shuffling messages between nodes.
+
+
+Logging
+-------
+
+While remote events always pass through the central broker, nodes connect and
+send log writes directly to logger nodes in a cluster. The ZeroMQ cluster backend
+leverages ZeroMQ's pipeline pattern for this functionality. That is, logger nodes
+(including the manager if configured using :zeek:see:`Cluster::manager_is_logger`)
+open a ZeroMQ PULL socket to receive log writes. All other nodes connect their
+PUSH socket to all available PULL sockets. These connections are separate from
+the publish-subscribe setup outlined above.
+
+When sending log-writes over a PUSH socket, load balancing is done by ZeroMQ.
+Individual cluster nodes do not have control over the decision which logger
+node receives log writes at any given time.
+
+.. figure:: /images/cluster/zeromq-logging.png
+
+While the previous paragraph used "log writes", a single message to a logger
+node actually contains a batch of log writes. The options :zeek:see:`Log::flush_interval`
+and :zeek:see:`Log::write_buffer_size` control the frequency and maximum size
+of these batches.
+
+The serialization format used to encode such batches is controlled by the
+selected :zeek:see:`Cluster::log_serializer` and is independent of ZeroMQ.
+
+With the default serializer (:zeek:see:`Cluster::LOG_SERIALIZER_ZEEK_BIN_V1`),
+every log batch on the wire has a header prepended that describes it. This allows
+interpretation of log writes even by non-Zeek processes. This opens the possibility
+to implement non-Zeek logger processes as long as the chosen serializer format
+is understood by the receiving process. In the future, a JSON lines serialization
+may be provided, allowing easier interpretation than a proprietary binary format.
+
+
+Summary
+-------
+
+Combining the diagrams above, the connections between the different socket
+types in a Zeek cluster looks something like the following.
+
+.. figure:: /images/cluster/zeromq-cluster.png
+
diff --git a/doc/devel/contributors.rst b/doc/devel/contributors.rst
new file mode 100644
index 0000000000..f1ec537a16
--- /dev/null
+++ b/doc/devel/contributors.rst
@@ -0,0 +1,111 @@
+
+===================
+Contributor's Guide
+===================
+
+See below for selection of some of the more common contribution guidelines
+maintained directly in `Zeek wiki
+<https://github.com/zeek/zeek/wiki#contributors>`_.
+
+General Contribution Process
+============================
+
+See https://github.com/zeek/zeek/wiki/Contribution-Guide
+
+Coding Style and Conventions
+============================
+
+See https://github.com/zeek/zeek/wiki/Coding-Style-and-Conventions
+
+General Documentation Structure/Process
+=======================================
+
+See the :doc:`README </README>` file of https://github.com/zeek/zeek-docs
+
+Documentation Style and Conventions
+===================================
+
+See https://github.com/zeek/zeek/wiki/Documentation-Style-and-Conventions
+
+Checking for Memory Errors and Leaks
+====================================
+
+See https://github.com/zeek/zeek/wiki/Checking-for-Memory-Errors-and-Leaks
+
+Maintaining long-lived forks of Zeek
+====================================
+
+Consistent formatting of the Zeek codebase is enforced automatically by
+configurations tracked in the repository. Upstream updates to these
+configurations can lead to formatting changes which could cause merge conflicts
+for long-lived forks.
+
+Currently the following configuration files in the root directory are used:
+
+- ``.pre-commit-config.yaml``: Configuration for `pre-commit <https://pre-commit.com/>`_.
+  We use pre-commit to manage and orchestrate formatters and linters.
+- ``.clang-format``: Configuration for `clang-format
+  <https://clang.llvm.org/docs/ClangFormat.html>`_ for formatting C++ files.
+- ``.style.yapf``: Configuration for `YAPF <https://github.com/google/yapf>`_
+  for formatting Python files.
+- ``.cmake-format.json``: Configuration for `cmake-format
+  <https://github.com/cheshirekow/cmake_format>`_ for formatting CMake files.
+
+With these configuration files present ``pre-commit run --all-files`` will
+install all needed formatters and reformat all files in the repository
+according to the current configuration.
+
+.. rubric:: Workflow: Zeek ``master`` branch regularly merged into fork
+
+If Zeek's master branch is regularly merged into the fork, merge conflicts can
+be resolved once and their resolution is tracked in the repository. Similarly,
+we can explicitly reformat the fork once and then merge the upstream branch.
+
+.. code-block:: sh
+
+   ## Get and stage latest versions of configuration files from master.
+   git checkout master -- .pre-commit-config.yaml .clang-format .style.yapf .cmake-format.json
+
+   ## Reformat fork according to new configuration.
+   pre-commit run -a
+
+   ## Record reformatted state of fork.
+   git add -u && git commit -m 'Reformat'
+
+   # Merge in master, resolve merge conflicts as usual.
+   git merge master
+
+.. rubric:: Workflow: Fork regularly rebased onto Zeek ``master`` branch
+
+If the target for a rebase has been reformatted individual diff hunks might not
+apply cleanly anymore. There are different approaches to work around that. The
+approach with the least conflicts is likely to first reformat the fork
+according to upstream style without pulling in changes, and only after that
+rebase on upstream and resolve potential semantic conflicts.
+
+.. code-block:: sh
+
+   # Create a commit updating the configuration files.
+   git checkout master -- .pre-commit-config.yaml .clang-format .style.yapf .cmake-format.json
+   git commit -m 'Bump formatter configurations'
+
+   # With a fork branched from upstream at commit FORK_COMMIT, rebase the
+   # config update commit 'Bump formatter configurations' to the start of the
+   # fork, but do not yet rebase on master (interactively move the last patch
+   # to the start of the list of patches).
+   git rebase -i FORK_COMMIT
+
+   # Reformat all commits according to configs at the base. We use the '--exec'
+   # flag of 'git rebase' to execute pre-commit after applying each patch. If
+   # 'git rebase' detects uncommitted changes it stops automatic progress so
+   # one can inspect and apply the changes.
+   git rebase -i FORK_COMMIT --exec 'pre-commit run --all-files'
+   # When this stops, inspect changes and stage them.
+   git add -u
+   # Continue rebasing. This prompts for a commit message and amends the last
+   # patch.
+   git rebase --continue
+
+   # The fork is now formatted according to upstream style. Rebase on master,
+   # and drop the 'Bump formatter configurations' patch from the list of patches.
+   git rebase -i master
diff --git a/doc/devel/index.rst b/doc/devel/index.rst
new file mode 100644
index 0000000000..7ffe4baf86
--- /dev/null
+++ b/doc/devel/index.rst
@@ -0,0 +1,21 @@
+
+================
+Developer Guides
+================
+
+In addition to documentation found or mentioned below, some developer-oriented
+content is maintained directly in the `Zeek wiki
+<https://github.com/zeek/zeek/wiki#development-guides>`_ due to the nature of
+the content (e.g. the author finds it to be more dynamic, informal, meta,
+transient, etc. compared to other documentation).
+
+.. toctree::
+   :maxdepth: 2
+
+   plugins
+   spicy/index
+   websocket-api
+   Documentation Guide </README.rst>
+   contributors
+   maintainers
+   cluster-backend-zeromq
diff --git a/doc/devel/maintainers.rst b/doc/devel/maintainers.rst
new file mode 100644
index 0000000000..0bc179bcc9
--- /dev/null
+++ b/doc/devel/maintainers.rst
@@ -0,0 +1,13 @@
+
+==================
+Maintainer's Guide
+==================
+
+Some notable guidelines for maintainers are linked below for convenience, but
+they are generally maintained directly in the `Zeek wiki
+<https://github.com/zeek/zeek/wiki#maintainers>`_.
+
+Release Process
+===============
+
+See https://github.com/zeek/zeek/wiki/Release-Process
diff --git a/doc/devel/plugins.rst b/doc/devel/plugins.rst
new file mode 100644
index 0000000000..5381c1ef24
--- /dev/null
+++ b/doc/devel/plugins.rst
@@ -0,0 +1,505 @@
+.. _zkg package manager: https://docs.zeek.org/projects/package-manager/en/stable/
+
+.. _writing-plugins:
+
+===============
+Writing Plugins
+===============
+
+Zeek provides a plugin API that enables extending
+the system dynamically, without modifying the core code base. That way,
+custom code remains self-contained and can be maintained, compiled,
+and installed independently. Currently, plugins can add the following
+functionality to Zeek:
+
+    - Zeek scripts.
+
+    - Builtin functions/events/types for the scripting language.
+
+    - Protocol analyzers.
+
+    - File analyzers.
+
+    - Packet sources and packet dumpers.
+
+    - Logging framework backends.
+
+    - Input framework readers.
+
+A plugin's functionality is available to the user just as if Zeek had
+the corresponding code built-in. Indeed, internally many of Zeek's
+pieces are structured as plugins as well, they are just statically
+compiled into the binary rather than loaded dynamically at runtime.
+
+.. note::
+
+  Plugins and Zeek packages are related but separate concepts. Both extend
+  Zeek's functionality without modifying Zeek's source code. A plugin achieves
+  this via compiled, native code that Zeek links into its core at runtime. A Zeek
+  package, on the other hand, is a modular addition to Zeek, managed via the
+  `zkg package manager`_, that may or may not include a plugin. More commonly,
+  packages consist of script-layer additions to Zeek's functionality.  Packages
+  also feature more elaborate metadata, enabling dependencies on other packages,
+  Zeek versions, etc.
+
+Quick Start
+===========
+
+Writing a basic plugin is quite straight-forward as long as one
+follows a few conventions. In the following, we create a simple example
+plugin that adds a new Built-In Function (BIF) to Zeek: we'll add
+``rot13(s: string) : string``, a function that rotates every letter
+in a string by 13 places.
+
+Generally, a plugin comes in the form of a directory following a
+certain structure. To get started, Zeek's distribution provides a
+helper script ``auxil/zeek-aux/plugin-support/init-plugin`` that creates
+a skeleton plugin that can then be customized. Let's use that::
+
+    # init-plugin ./rot13-plugin Demo Rot13
+
+As you can see, the script takes three arguments. The first is a
+directory inside which the plugin skeleton will be created.  The second
+is the namespace the plugin will live in, and the third is a descriptive
+name for the plugin itself relative to the namespace. Zeek uses the
+combination of namespace and name to identify a plugin. The namespace
+serves to avoid naming conflicts between plugins written by independent
+developers; pick, e.g., the name of your organisation. The namespaces
+``Bro`` (legacy) and ``Zeek`` are reserved for functionality distributed
+by the Zeek Project. In
+our example, the plugin will be called ``Demo::Rot13``.
+
+The ``init-plugin`` script puts a number of files in place. The full
+layout is described later. For now, all we need is
+``src/rot13.bif``. It's initially empty, but we'll add our new BIF
+there as follows::
+
+    # cat src/rot13.bif
+    %%{
+    #include <cstring>
+    #include <cctype>
+    #include "zeek/util.h"
+    #include "zeek/ZeekString.h"
+    #include "zeek/Val.h"
+    %%}
+
+    module Demo;
+
+    function rot13%(s: string%) : string
+        %{
+        char* rot13 = util::copy_string(s->CheckString());
+
+        for ( char* p = rot13; *p; p++ )
+            {
+            char b = islower(*p) ? 'a' : 'A';
+            char d = *p - b + 13;
+
+            if ( d >= 13 && d <= 38 )
+                *p  = d % 26 + b;
+            }
+
+        zeek::String* zs = new zeek::String(1, reinterpret_cast<byte_vec>(rot13),
+                                            strlen(rot13));
+        return make_intrusive<StringVal>(zs);
+        %}
+
+The syntax of this file is just like any other ``*.bif`` file; we
+won't go into it here.
+
+Now we are ready to compile our plugin.  The configure script will just
+need to be able to find the location of either a Zeek installation-tree or
+a Zeek source-tree.
+
+When building a plugin against a Zeek installation-tree, simply have the
+installation's associated ``zeek-config`` in your :envvar:`PATH` and the
+configure script will detect it and use it to obtain all the information
+it needs::
+
+    # which zeek-config
+    /usr/local/zeek/bin/zeek-config
+    # cd rot13-plugin
+    # ./configure && make
+    [... cmake output ...]
+
+When building a plugin against a Zeek source-tree (which itself needs
+to have first been built), the configure script has to explicitly be
+told its location::
+
+    # cd rot13-plugin
+    # ./configure --zeek-dist=/path/to/zeek/dist && make
+    [... cmake output ...]
+
+This builds the plugin in a subdirectory ``build/``. In fact, that
+subdirectory *becomes* the plugin: when ``make`` finishes, ``build/``
+has everything it needs for Zeek to recognize it as a dynamic plugin.
+
+Let's try that. Once we point Zeek to the ``build/`` directory, it will
+pull in our new plugin automatically, as we can check with the ``-N``
+option::
+
+    # export ZEEK_PLUGIN_PATH=/path/to/rot13-plugin/build
+    # zeek -N
+    [...]
+    Demo::Rot13 - <Insert description> (dynamic, version 0.1.0)
+    [...]
+
+That looks quite good, except for the dummy description that we should
+replace with something nicer so that users will know what our plugin
+is about.  We do this by editing the ``config.description`` line in
+``src/Plugin.cc``, like this::
+
+    [...]
+    plugin::Configuration Plugin::Configure()
+        {
+        plugin::Configuration config;
+        config.name = "Demo::Rot13";
+        config.description = "Caesar cipher rotating a string's letters by 13 places.";
+        config.version.major = 0;
+        config.version.minor = 1;
+        config.version.patch = 0;
+        return config;
+        }
+    [...]
+
+Now rebuild and verify that the description is visible::
+
+    # make
+    [...]
+    # zeek -N | grep Rot13
+    Demo::Rot13 - Caesar cipher rotating a string's letters by 13 places. (dynamic, version 0.1.0)
+
+Zeek can also show us what exactly the plugin provides with the
+more verbose option ``-NN``::
+
+    # zeek -NN
+    [...]
+    Demo::Rot13 - Caesar cipher rotating a string's letters by 13 places. (dynamic, version 0.1.0)
+        [Function] Demo::rot13
+    [...]
+
+There's our function. Now let's use it::
+
+    # zeek -e 'print Demo::rot13("Hello")'
+    Uryyb
+
+It works. We next install the plugin along with Zeek itself, so that it
+will find it directly without needing the ``ZEEK_PLUGIN_PATH``
+environment variable. If we first unset the variable, the function
+will no longer be available::
+
+    # unset ZEEK_PLUGIN_PATH
+    # zeek -e 'print Demo::rot13("Hello")'
+    error in <command line>, line 1: unknown identifier Demo::rot13, at or near "Demo::rot13"
+
+Once we install it, it works again::
+
+    # make install
+    # zeek -e 'print Demo::rot13("Hello")'
+    Uryyb
+
+The installed version went into
+``<zeek-install-prefix>/lib/zeek/plugins/Demo_Rot13``.
+
+One can distribute the plugin independently of Zeek for others to use.
+To distribute in source form, just remove the ``build/`` directory
+(``make distclean`` does that) and then tar up the whole ``rot13-plugin/``
+directory. Others then follow the same process as above after
+unpacking.
+
+To distribute the plugin in binary form, the build process
+conveniently creates a corresponding tarball in ``build/dist/``. In
+this case, it's called ``Demo_Rot13-0.1.0.tar.gz``, with the version
+number coming out of the ``VERSION`` file that ``init-plugin`` put
+into place. The binary tarball has everything needed to run the
+plugin, but no further source files. Optionally, one can include
+further files by specifying them in the plugin's ``CMakeLists.txt``
+through the ``zeek_plugin_dist_files`` macro; the skeleton does that
+for ``README``, ``VERSION``, ``CHANGES``, and ``COPYING``. To use the
+plugin through the binary tarball, just unpack it into
+``<zeek-install-prefix>/lib/zeek/plugins/``.  Alternatively, if you unpack
+it in another location, then you need to point ``ZEEK_PLUGIN_PATH`` there.
+
+Before distributing your plugin, you should edit some of the meta
+files that ``init-plugin`` puts in place. Edit ``README`` and
+``VERSION``, and update ``CHANGES`` when you make changes. Also put a
+license file in place as ``COPYING``; if BSD is fine, you will find a
+template in ``COPYING.edit-me``.
+
+Plugin Directory Layout
+=======================
+
+A plugin's directory needs to follow a set of conventions so that Zeek
+(1) recognizes it as a plugin, and (2) knows what to load.  While
+``init-plugin`` takes care of most of this, the following is the full
+story. We'll use ``<base>`` to represent a plugin's top-level
+directory. With the skeleton, ``<base>`` corresponds to ``build/``.
+
+``<base>/__zeek_plugin__``
+    A file that marks a directory as containing a Zeek plugin. The file
+    must exist, and its content must consist of a single line with the
+    qualified name of the plugin (e.g., "Demo::Rot13").
+
+``<base>/lib/<plugin-name>.<os>-<arch>.so``
+    The shared library containing the plugin's compiled code. Zeek will
+    load this in dynamically at run-time if OS and architecture match
+    the current platform.
+
+``scripts/``
+    A directory with the plugin's custom Zeek scripts. When the plugin
+    gets activated, this directory will be automatically added to
+    ``ZEEKPATH``, so that any scripts/modules inside can be
+    "@load"ed.
+
+``scripts``/__load__.zeek
+    A Zeek script that will be loaded when the plugin gets activated.
+    When this script executes, any BIF elements that the plugin
+    defines will already be available. See below for more information
+    on activating plugins.
+
+``scripts``/__preload__.zeek
+    A Zeek script that will be loaded when the plugin gets activated,
+    but before any BIF elements become available. See below for more
+    information on activating plugins.
+
+``lib/bif/``
+    Directory with auto-generated Zeek scripts that declare the plugin's
+    BIF elements. The files here are produced by ``bifcl``.
+
+Any other files in ``<base>`` are ignored by Zeek.
+
+By convention, a plugin should put its custom scripts into sub folders
+of ``scripts/``, i.e., ``scripts/<plugin-namespace>/<plugin-name>/<script>.zeek``
+to avoid conflicts. As usual, you can then put a ``__load__.zeek`` in
+there as well so that, e.g., ``@load Demo/Rot13`` could load a whole
+module in the form of multiple individual scripts.
+
+Note that in addition to the paths above, the ``init-plugin`` helper
+puts some more files and directories in place that help with
+development and installation (e.g., ``CMakeLists.txt``, ``Makefile``,
+and source code in ``src/``). However, all these do not have a special
+meaning for Zeek at runtime and aren't necessary for a plugin to
+function.
+
+``init-plugin``
+===============
+
+``init-plugin`` puts a basic plugin structure in place that follows
+the above layout and augments it with a CMake build and installation
+system. Plugins with this structure can be used both directly out of
+their source directory (after ``make`` and setting Zeek's
+``ZEEK_PLUGIN_PATH``), and when installed alongside Zeek (after ``make
+install``).
+
+Upon completion, ``init-plugin`` initializes a git repository and stages its
+produced files for committing, but does not yet commit the files. This allows
+you to tweak the new plugin as needed prior to the initial commit.
+
+``make install`` copies over the ``lib`` and ``scripts`` directories,
+as well as the ``__zeek_plugin__`` magic file and any further
+distribution files specified in ``CMakeLists.txt`` (e.g., README,
+VERSION). You can find a full list of files installed in
+``build/MANIFEST``. Behind the scenes, ``make install`` really just
+unpacks the binary tarball from ``build/dist`` into the destination
+directory.
+
+``init-plugin`` will never overwrite existing files. If its target
+directory already exists, it will by default decline to do anything.
+You can run it with ``-u`` instead to update an existing plugin,
+however it will never overwrite any existing files; it will only put
+in place files it doesn't find yet. To revert a file back to what
+``init-plugin`` created originally, delete it first and then rerun
+with ``-u``.
+
+``init-plugin`` puts a ``configure`` script in place that wraps
+``cmake`` with a more familiar configure-style configuration. By
+default, the script provides two options for specifying paths to the
+Zeek source (``--zeek-dist``) and to the plugin's installation directory
+(``--install-root``). To extend ``configure`` with plugin-specific
+options (such as search paths for its dependencies) don't edit the
+script directly but instead extend ``configure.plugin``, which
+``configure`` includes. That way you will be able to more easily
+update ``configure`` in the future when the distribution version
+changes. In ``configure.plugin`` you can use the predefined shell
+function ``append_cache_entry`` to seed values into the CMake cache;
+see the installed skeleton version and existing plugins for examples.
+
+.. note::
+
+  In the past ``init-plugin`` also generated a ``zkg.meta`` file, automatically
+  creating a Zeek package containing a plugin. ``init-plugin`` now focuses
+  purely on plugins, as its name suggests. To bootstrap new Zeek packages
+  (possibly containing plugins), use the more featureful templating
+  functionality provided by the ``zkg create`` command, explained `here
+  <https://docs.zeek.org/projects/package-manager/en/stable/package.html>`_.
+
+Activating a Plugin
+===================
+
+A plugin needs to be *activated* to make it available to the user.
+Activating a plugin will:
+
+    1. Load the dynamic module
+    2. Make any BIF items available
+    3. Add the ``scripts/`` directory to ``ZEEKPATH``
+    4. Load ``scripts/__preload__.zeek``
+    5. Make BIF elements available to scripts.
+    6. Load ``scripts/__load__.zeek``
+
+By default, Zeek will automatically activate all dynamic plugins found
+in its search path ``ZEEK_PLUGIN_PATH``. However, in bare mode (``zeek
+-b``), no dynamic plugins will be activated by default; instead the
+user can selectively enable individual plugins in scriptland using the
+``@load-plugin <qualified-plugin-name>`` directive (e.g.,
+``@load-plugin Demo::Rot13``). Alternatively, one can activate a
+plugin from the command-line by specifying its full name
+(``Demo::Rot13``), or set the environment variable
+``ZEEK_PLUGIN_ACTIVATE`` to a list of comma-separated names of
+plugins to unconditionally activate, even in bare mode.
+
+``zeek -N`` shows activated plugins separately from found but not yet
+activated plugins. Note that plugins compiled statically into Zeek are
+always activated, and hence show up as such even in bare mode.
+
+Plugin Components
+=================
+
+It's easy for a plugin to provide custom scripts: just put them into
+``scripts/``, as described above.  The CMake infrastructure will automatically
+install them, as well include them into the source and binary plugin
+distributions.
+
+Any number or combination of other components can be provided by a single
+plugin.  For example a plugin can provide multiple different protocol
+analyzers, or both a log writer and input reader.
+
+The best place to look for examples or templates for a specific type of plugin
+component are the source code of Zeek itself since every one of its components
+uses the same API as any external plugin.
+
+Each component type also has a simple integration test, found
+in the Zeek source-tree's ``testing/btest/plugins/`` directory,
+that can serve useful for creating basic plugin skeletons.
+
+Testing Plugins
+===============
+
+A plugin should come with a test suite to exercise its functionality.
+The ``init-plugin`` script puts in place a basic
+`BTest <https://github.com/zeek/btest>`_ setup
+to start with. Initially, it comes with a single test that just checks
+that Zeek loads the plugin correctly::
+
+    # cd tests
+    # btest -A
+    [  0%] rot13.show-plugin ... ok
+    all 1 tests successful
+
+You can also run this via the Makefile::
+
+    # cd ..
+    # make test
+    make -C tests
+    make[1]: Entering directory `tests'
+    all 1 tests successful
+    make[1]: Leaving directory `tests'
+
+Now let's add a custom test that ensures that our BIF works correctly::
+
+    # cd tests
+    # cat >rot13/bif-rot13.zeek
+
+    # @TEST-EXEC: zeek %INPUT >output
+    # @TEST-EXEC: btest-diff output
+
+    event zeek_init()
+        {
+        print Demo::rot13("Hello");
+        }
+
+Check the output::
+
+    # btest -d rot13/bif-rot13.zeek
+    [  0%] rot13.bif-rot13 ... failed
+    % 'btest-diff output' failed unexpectedly (exit code 100)
+    % cat .diag
+    == File ===============================
+    Uryyb
+    == Error ===============================
+    test-diff: no baseline found.
+    =======================================
+
+    % cat .stderr
+
+    1 of 1 test failed
+
+Install the baseline::
+
+    # btest -U rot13/bif-rot13.zeek
+    all 1 tests successful
+
+Run the test-suite::
+
+    # btest
+    all 2 tests successful
+
+Debugging Plugins
+=================
+
+If your plugin isn't loading as expected, Zeek's debugging facilities
+can help illuminate what's going on. To enable, recompile Zeek
+with debugging support (``./configure --enable-debug``), and
+afterwards rebuild your plugin as well. If you then run Zeek with ``-B
+plugins``, it will produce a file :file:`debug.log` that records details
+about the process for searching, loading, and activating plugins.
+
+To generate your own debugging output from inside your plugin, you can
+add a custom debug stream by using the ``PLUGIN_DBG_LOG(<plugin>,
+<args>)`` macro (defined in ``DebugLogger.h``), where ``<plugin>`` is
+the ``Plugin`` instance and ``<args>`` are printf-style arguments,
+just as with Zeek's standard debugging macros (grep for ``DBG_LOG`` in
+Zeek's ``src/`` to see examples). At runtime, you can then activate
+your plugin's debugging output with ``-B plugin-<name>``, where
+``<name>`` is the name of the plugin as returned by its
+``Configure()`` method, yet with the namespace-separator ``::``
+replaced with a simple dash. Example: If the plugin is called
+``Demo::Rot13``, use ``-B plugin-Demo-Rot13``. As usual, the debugging
+output will be recorded to :file:`debug.log` if Zeek's compiled in debug
+mode.
+
+.. _building-plugins-statically:
+
+Building Plugins Statically into Zeek
+=====================================
+
+Plugins can be built statically into a Zeek binary using the
+``--include-plugins`` option passed to Zeek's ``configure``. This argument
+takes a semicolon-separated list of absolute paths to plugin sources. Each
+path needs to contain a ``CMakeLists.txt`` file, as is commonly the case at the
+toplevel of plugin source trees, and usually also in Zeek packages. Building
+plugins in this manner includes them directly into the Zeek binary
+and installation. They are loaded automatically by Zeek at startup
+without needing to install them separately.
+
+Building plugins into Zeek is a handy way to build them consistently with
+sanitizers, as you can use Zeek's existing ``./configure --sanitizers=...``
+infrastructure to apply transparently to built-in plugins.
+
+The configure run lists built-in plugins at the end, so you can verify
+successful inclusion of your plugin there. Your plugin should also
+show up in the resulting build's ``zeek -NN`` output.
+
+Headers for built-in plugins are installed into a subdirectory of
+``<zeek-install-prefix>/include/zeek/builtin-plugins`` specific to
+each plugin. Scripts are installed into a subdirectory of
+``<zeek-install-prefix>/share/zeek/builtin-plugins`` specific to
+each plugin. The scripts directory is also automatically added to
+the default ``ZEEKPATH``.
+
+Plugin Tutorials
+================
+
+.. toctree::
+   :maxdepth: 1
+
+   plugins/connkey-plugin
+   plugins/event-metadata-plugin
diff --git a/doc/devel/plugins/connkey-plugin.rst b/doc/devel/plugins/connkey-plugin.rst
new file mode 100644
index 0000000000..4e2068e5d0
--- /dev/null
+++ b/doc/devel/plugins/connkey-plugin.rst
@@ -0,0 +1,205 @@
+.. _connkey-plugin:
+
+===============================
+Writing a Connection Key Plugin
+===============================
+
+.. versionadded:: 8.0
+
+By default, Zeek looks up internal connection state using the classic five-tuple
+of originator and responder IP addresses, ports, and the numeric protocol
+identifier (for TCP, UDP, etc). Zeek's data structure driving this is called a
+connection key, or ``ConnKey``.
+
+In certain environments the classic five-tuple does not sufficiently distinguish
+connections. Consider traffic mirrored from multiple VLANs with overlapping IP
+address ranges. Concretely, a connection between 10.0.0.1 and 10.0.0.2 in one
+VLAN is distinct from a connection between the same IPs in another VLAN.  Here,
+Zeek should include the VLAN identifier into the connection key, and you can
+instruct Zeek to do so by loading the
+:doc:`/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek` policy script.
+
+Zeek's plugin API allows adding support for additional custom connection keys.
+This section provides a tutorial on how to do so, using the example of VXLAN-enabled
+flow tuples. If you're not familiar with plugin development, head over to the
+:ref:`Writing Plugins <writing-plugins>` section.
+
+Our goal is to implement a custom connection key to scope connections
+transported within a `VXLAN <https://datatracker.ietf.org/doc/html/rfc7348/index.html>`_
+tunnel by the VXLAN Network Identifier (VNI).
+
+As a test case, we have encapsulated the `HTTP GET trace <https://github.com/zeek/zeek/raw/refs/heads/master/testing/btest/Traces/http/get.trace>`_
+from the Zeek repository twice with VXLAN using VNIs 4711 and 4242, respectively,
+and merged the resulting two PCAP files with the original PCAP.
+The :download:`resulting PCAP <connkey-vxlan-fivetuple-plugin-src/Traces/vxlan-overlapping-http-get.pcap>`
+contains three HTTP connections, two of which are VXLAN-encapsulated.
+
+By default, Zeek will create the same connection key for the original and
+encapsulated HTTP connections, since they have identical inner five-tuples.
+Therefore, Zeek creates only a single ``http.log`` entry, and two entries
+in ``conn.log``.
+
+.. code-block:: shell
+
+    $ zeek -C -r Traces/vxlan-overlapping-http-get.pcap
+    $ zeek-cut -m uid method host uri < http.log
+    uid     method  host    uri
+    CpWF5etn1l2rpaLu3       GET     bro.org /download/CHANGES.bro-aux.txt
+
+    $ zeek-cut -m uid service history orig_pkts resp_pkts < conn.log
+    uid     service history orig_pkts       resp_pkts
+    Cq2CY245oGGbibJ8k9      http    ShADTadtFf      21      21
+    CMleDu4xANIMzePYd7      vxlan   D       28      0
+
+Note that just two of the HTTP connections are encapsulated.
+That is why the VXLAN connection shows only 28 packets.
+Each HTTP connection has 14 packets total, 7 in each direction. Zeek aggregates
+all packets into the single HTTP connection, but only 28 of them were
+transported within the VXLAN tunnel connection. Note also the ``t`` and ``T``
+flags in the :zeek:field:`Conn::Info$history` field. These stand for retransmissions,
+caused by Zeek not discriminating between the different HTTP connections.
+
+The plugin we'll develop below adds the VXLAN VNI to the connection key.
+As a result, Zeek will correctly report three HTTP connections, tracked
+and logged separately. We'll add the VNI as
+:zeek:field:`vxlan_vni` to the :zeek:see:`conn_id_ctx` record, making it available
+in ``http.log`` and ``conn.log`` via the ``id.ctx.vxlan_vni`` column.
+
+After activating the plugin Zeek tracks each HTTP connection individually and
+the logs will look as follows:
+
+.. code-block:: shell
+
+    $ zeek-cut -m uid method host uri id.ctx.vxlan_vni < http.log
+    uid     method  host    uri     id.ctx.vxlan_vni
+    CBifsS2vqGEg8Fa5ac      GET     bro.org /download/CHANGES.bro-aux.txt   4711
+    CEllEz13txeSrbGqBe      GET     bro.org /download/CHANGES.bro-aux.txt   4242
+    CRfbJw1kBBvHDQQBta      GET     bro.org /download/CHANGES.bro-aux.txt   -
+
+    $ zeek-cut -m uid service history orig_pkts resp_pkts id.ctx.vxlan_vni < conn.log
+    uid     service history orig_pkts       resp_pkts       id.ctx.vxlan_vni
+    CRfbJw1kBBvHDQQBta      http    ShADadFf        7       7       -
+    CEllEz13txeSrbGqBe      http    ShADadFf        7       7       4242
+    CBifsS2vqGEg8Fa5ac      http    ShADadFf        7       7       4711
+    CC6Ald2LejCS1qcDy4      vxlan   D       28      0       -
+
+
+Implementation
+==============
+
+Adding alternative connection keys involves implementing two classes.
+First, a factory class producing ``zeek::ConnKey`` instances. This
+is the class created through the added ``zeek::conn_key::Component``.
+Second, a custom connection key class derived from ``zeek::ConnKey``.
+Instances of this class are created by the factory. This is a typical
+abstract factory pattern.
+
+Our plugin's ``Configure()`` method follows the standard pattern of setting up
+basic information about the plugin and registering our own ``ConnKey`` component.
+
+.. literalinclude:: connkey-vxlan-fivetuple-plugin-src/src/Plugin.cc
+   :caption: Plugin.cc
+   :language: cpp
+   :lines: 16-
+   :linenos:
+   :tab-width: 4
+
+
+Next, in the ``Factory.cc`` file, we're implementing a custom ``zeek::ConnKey`` class.
+This class is named ``VxlanVniConnKey`` and inherits from ``zeek::IPBasedConnKey``.
+While ``zeek::ConnKey`` is technically the base class, in this tutorial we'll
+derive from ``zeek::IPBasedConnKey``.
+Currently, Zeek only supports IP-based connection tracking via the
+``IPBasedAnalyzer`` analyzer. This analyzer requires ``zeek::IPBasedConnKey``
+instances.
+
+.. literalinclude:: connkey-vxlan-fivetuple-plugin-src/src/Factory.cc
+   :caption: VxlanVniConnKey class in Factory.cc
+   :language: cpp
+   :linenos:
+   :lines: 18-78
+   :tab-width: 4
+
+The current pattern for custom connection keys is to embed the bytes used for
+the ``zeek::session::detail::Key`` as a packed struct within a ``ConnKey`` instance.
+We override ``DoPopulateConnIdVal()`` to set the :zeek:field:`vxlan_vni` field
+of the :zeek:see:`conn_id_ctx` record value to the extracted VXLAN VNI. A small trick
+employed is that we default the most significant byte of ``key.vxlan_vni`` to 0xFF.
+As a VNI has only 24 bits, this allows us to determine if a VNI was actually
+extracted, or whether it remained unset.
+
+The ``DoInit()`` implementation is the actual place for connection key customization.
+This is where we extract the VXLAN VNI from packet data. To do so, we're using the relatively
+new ``GetAnalyzerData()`` API of the packet analysis manager.
+This API allows generic access to the raw data layers analyzed by a give packet analyzer.
+For our use-case, we take the most outer VXLAN layer, if any, and extract the VNI
+into ``key.vxlan_vni``.
+
+There's no requirement to use the ``GetAnalyzerData()`` API. If the ``zeek::Packet``
+instance passed to ``DoInit()`` contains the needed information, e.g. VLAN identifiers
+or information from the packet's raw bytes, you can use them directly.
+Specifically, ``GetAnalyzerData()`` may introduce additional overhead into the
+packet path that you can avoid if the information is readily available
+elsewhere.
+Using other Zeek APIs to determine connection key information is of course
+also possible.
+
+The next part shown concerns the ``Factory`` class itself. The
+``DoConnKeyFromVal()`` method contains logic to produce a ``VxlanVniConnKey``
+instance from an existing :zeek:see:`conn_id` record.
+This is needed in order for the :zeek:see:`lookup_connection` builtin function to work properly.
+The implementation re-uses the ``DoConnKeyFromVal()`` implementation of the
+default ``fivetuple::Factory`` that our factory inherits from to extract the
+classic five-tuple information.
+
+.. literalinclude:: connkey-vxlan-fivetuple-plugin-src/src/Factory.cc
+   :caption: Factory class in Factory.cc
+   :language: cpp
+   :linenos:
+   :lines: 80-103
+   :tab-width: 4
+
+Calling the ``fivetuple::Factory::DoConnKeyFromVal()`` in turn calls our
+own factory's ``DoNewConnKey()`` method through virtual dispatch.  Since our
+factory overrides this method to always return a ``VxlanVniConnKey`` instance,
+the static cast later is safe.
+
+Last, the plugin's ``__load__.zeek`` file is shown. It includes the extension
+of the :zeek:see:`conn_id_ctx` identifier by the :zeek:field:`vxlan_vni` field.
+
+.. literalinclude:: connkey-vxlan-fivetuple-plugin-src/scripts/__load__.zeek
+   :caption: The conn_id redefinition in __load__.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+
+Using the custom Connection Key
+===============================
+
+After installing the plugin, the new connection key implementation can be
+selected by redefining the script-level :zeek:see:`ConnKey::factory` variable.
+This can either be done in a separate script, but we do it directly on the
+command-line for simplicity. The ``ConnKey::CONNKEY_VXLAN_VNI_FIVETUPLE`` is
+registered in Zeek during the plugin's ``AddComponent()`` call during
+``Configure()``, where the component has the name ``VXLAN_VNI_FIVETUPLE``.
+
+.. code-block:: shell
+
+    $ zeek -C -r Traces/vxlan-overlapping-http-get.pcap  ConnKey::factory=ConnKey::CONNKEY_VXLAN_VNI_FIVETUPLE
+
+
+Viewing the ``conn.log`` now shows three separate HTTP connections,
+two of which have a ``vxlan_vni`` value set in their logs.
+
+
+.. code-block:: shell
+
+    $ zeek-cut -m uid service history orig_pkts resp_pkts id.ctx.vxlan_vni < conn.log
+    uid     service history orig_pkts       resp_pkts       id.ctx.vxlan_vni
+    CRfbJw1kBBvHDQQBta      http    ShADadFf        7       7       -
+    CEllEz13txeSrbGqBe      http    ShADadFf        7       7       4242
+    CBifsS2vqGEg8Fa5ac      http    ShADadFf        7       7       4711
+    CC6Ald2LejCS1qcDy4      vxlan   D       28      0       -
+
+Pretty cool, isn't it?
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/CMakeLists.txt b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/CMakeLists.txt
new file mode 100644
index 0000000000..541256ad8e
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/CMakeLists.txt
@@ -0,0 +1,14 @@
+cmake_minimum_required(VERSION 3.15 FATAL_ERROR)
+
+project(ZeekPluginConnKeyVxlanVniFivetuple)
+
+include(ZeekPlugin)
+
+zeek_add_plugin(
+    Zeek
+    ConnKey_Vxlan_Vni_Fivetuple
+    SOURCES
+    src/Factory.cc
+    src/Plugin.cc
+    SCRIPT_FILES scripts/__load__.zeek
+)
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/COPYING b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/COPYING
new file mode 100644
index 0000000000..5444d58080
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/COPYING
@@ -0,0 +1,26 @@
+Copyright (c) 2025 by the Zeek Project. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/Makefile b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/Makefile
new file mode 100644
index 0000000000..3da2167a84
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/Makefile
@@ -0,0 +1,23 @@
+#
+# Convenience Makefile providing a few common top-level targets.
+#
+
+cmake_build_dir=build
+arch=`uname -s | tr A-Z a-z`-`uname -m`
+
+all: build-it
+
+build-it:
+	( cd $(cmake_build_dir) && make )
+
+install:
+	( cd $(cmake_build_dir) && make install )
+
+clean:
+	( cd $(cmake_build_dir) && make clean )
+
+distclean:
+	rm -rf $(cmake_build_dir)
+
+test:
+	make -C tests
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/README b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/README
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/Traces/vxlan-overlapping-http-get.pcap b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/Traces/vxlan-overlapping-http-get.pcap
new file mode 100644
index 0000000000..9597c5ab43
Binary files /dev/null and b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/Traces/vxlan-overlapping-http-get.pcap differ
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/VERSION b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/VERSION
new file mode 100644
index 0000000000..6e8bf73aa5
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/VERSION
@@ -0,0 +1 @@
+0.1.0
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/configure b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/configure
new file mode 100755
index 0000000000..5c7bad670d
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/configure
@@ -0,0 +1,193 @@
+#!/bin/sh
+#
+# Wrapper for viewing/setting options that the plugin's CMake
+# scripts will recognize.
+#
+# Don't edit this. Edit configure.plugin to add plugin-specific options.
+#
+
+set -e
+command="$0 $*"
+
+if [ -e $(dirname $0)/configure.plugin ]; then
+    # Include custom additions.
+    . $(dirname $0)/configure.plugin
+fi
+
+usage() {
+
+    cat 1>&2 <<EOF
+Usage: $0 [OPTIONS]
+
+  Plugin Options:
+    --cmake=PATH               Path to CMake binary
+    --zeek-dist=DIR            Path to Zeek source tree
+    --install-root=DIR         Path where to install plugin into
+    --with-binpac=DIR          Path to BinPAC installation root
+    --with-broker=DIR          Path to Broker installation root
+    --with-bifcl=PATH          Path to bifcl executable
+    --enable-debug             Compile in debugging mode
+    --disable-cpp-tests        Don't build C++ unit tests
+EOF
+
+    if type plugin_usage >/dev/null 2>&1; then
+        plugin_usage 1>&2
+    fi
+
+    echo
+
+    exit 1
+}
+
+# Function to append a CMake cache entry definition to the
+# CMakeCacheEntries variable
+#   $1 is the cache entry variable name
+#   $2 is the cache entry variable type
+#   $3 is the cache entry variable value
+append_cache_entry() {
+    CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3"
+}
+
+# set defaults
+builddir=build
+zeekdist=""
+installroot="default"
+zeek_plugin_begin_opts=""
+CMakeCacheEntries=""
+
+while [ $# -ne 0 ]; do
+    case "$1" in
+        -*=*) optarg=$(echo "$1" | sed 's/[-_a-zA-Z0-9]*=//') ;;
+        *) optarg= ;;
+    esac
+
+    case "$1" in
+        --help | -h)
+            usage
+            ;;
+
+        --cmake=*)
+            CMakeCommand=$optarg
+            ;;
+
+        --zeek-dist=*)
+            zeekdist=$(cd $optarg && pwd)
+            ;;
+
+        --install-root=*)
+            installroot=$optarg
+            ;;
+
+        --with-binpac=*)
+            append_cache_entry BinPAC_ROOT_DIR PATH $optarg
+            binpac_root=$optarg
+            ;;
+
+        --with-broker=*)
+            append_cache_entry BROKER_ROOT_DIR PATH $optarg
+            broker_root=$optarg
+            ;;
+
+        --with-bifcl=*)
+            append_cache_entry BifCl_EXE PATH $optarg
+            ;;
+
+        --enable-debug)
+            append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
+            ;;
+
+        --disable-cpp-tests)
+            zeek_plugin_begin_opts="DISABLE_CPP_TESTS;$zeek_plugin_begin_opts"
+            ;;
+
+        *)
+            if type plugin_option >/dev/null 2>&1; then
+                plugin_option $1 && shift && continue
+            fi
+
+            echo "Invalid option '$1'.  Try $0 --help to see available options."
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+if [ -z "$CMakeCommand" ]; then
+    # prefer cmake3 over "regular" cmake (cmake == cmake2 on RHEL)
+    if command -v cmake3 >/dev/null 2>&1; then
+        CMakeCommand="cmake3"
+    elif command -v cmake >/dev/null 2>&1; then
+        CMakeCommand="cmake"
+    else
+        echo "This plugin requires CMake, please install it first."
+        echo "Then you may use this script to configure the CMake build."
+        echo "Note: pass --cmake=PATH to use cmake in non-standard locations."
+        exit 1
+    fi
+fi
+
+if [ -z "$zeekdist" ]; then
+    if type zeek-config >/dev/null 2>&1; then
+        zeek_config="zeek-config"
+    else
+        echo "Either 'zeek-config' must be in PATH or '--zeek-dist=<path>' used"
+        exit 1
+    fi
+
+    append_cache_entry BRO_CONFIG_PREFIX PATH $(${zeek_config} --prefix)
+    append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH $(${zeek_config} --include_dir)
+    append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH $(${zeek_config} --plugin_dir)
+    append_cache_entry BRO_CONFIG_LIB_DIR PATH $(${zeek_config} --lib_dir)
+    append_cache_entry BRO_CONFIG_CMAKE_DIR PATH $(${zeek_config} --cmake_dir)
+    append_cache_entry CMAKE_MODULE_PATH PATH $(${zeek_config} --cmake_dir)
+
+    build_type=$(${zeek_config} --build_type)
+
+    if [ "$build_type" = "debug" ]; then
+        append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
+    fi
+
+    if [ -z "$binpac_root" ]; then
+        append_cache_entry BinPAC_ROOT_DIR PATH $(${zeek_config} --binpac_root)
+    fi
+
+    if [ -z "$broker_root" ]; then
+        append_cache_entry BROKER_ROOT_DIR PATH $(${zeek_config} --broker_root)
+    fi
+else
+    if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then
+        echo "$zeekdist does not appear to be a valid Zeek source tree."
+        exit 1
+    fi
+
+    # BRO_DIST is the canonical/historical name used by plugin CMake scripts
+    # ZEEK_DIST doesn't serve a function at the moment, but set/provided anyway
+    append_cache_entry BRO_DIST PATH $zeekdist
+    append_cache_entry ZEEK_DIST PATH $zeekdist
+    append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake
+fi
+
+if [ "$installroot" != "default" ]; then
+    mkdir -p $installroot
+    append_cache_entry BRO_PLUGIN_INSTALL_ROOT PATH $installroot
+fi
+
+if [ -n "$zeek_plugin_begin_opts" ]; then
+    append_cache_entry ZEEK_PLUGIN_BEGIN_OPTS STRING "$zeek_plugin_begin_opts"
+fi
+
+if type plugin_addl >/dev/null 2>&1; then
+    plugin_addl
+fi
+
+echo "Build Directory        : $builddir"
+echo "Zeek Source Directory   : $zeekdist"
+
+mkdir -p $builddir
+cd $builddir
+
+"$CMakeCommand" $CMakeCacheEntries ..
+
+echo "# This is the command used to configure this build" >config.status
+echo $command >>config.status
+chmod u+x config.status
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/scripts/__load__.zeek b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/scripts/__load__.zeek
new file mode 100644
index 0000000000..d41f5f01a9
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/scripts/__load__.zeek
@@ -0,0 +1,3 @@
+redef record conn_id_ctx += {
+	vxlan_vni: count &log &optional;
+};
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/scripts/__preload__.zeek b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/scripts/__preload__.zeek
new file mode 100644
index 0000000000..b7db25411d
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/scripts/__preload__.zeek
@@ -0,0 +1 @@
+# Empty
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Factory.cc b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Factory.cc
new file mode 100644
index 0000000000..a4bfbd3b6e
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Factory.cc
@@ -0,0 +1,105 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Factory.h"
+
+#include <memory>
+
+#include "zeek/ID.h"
+#include "zeek/Val.h"
+#include "zeek/iosource/Packet.h"
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Manager.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.h"
+#include "zeek/util-types.h"
+
+namespace zeek::conn_key::vxlan_vni_fivetuple {
+
+class VxlanVniConnKey : public zeek::IPBasedConnKey {
+public:
+    VxlanVniConnKey() {
+        // Ensure padding holes in the key struct are filled with zeroes.
+        memset(static_cast<void*>(&key), 0, sizeof(key));
+    }
+
+    detail::PackedConnTuple& PackedTuple() override { return key.tuple; }
+
+    const detail::PackedConnTuple& PackedTuple() const override { return key.tuple; }
+
+protected:
+    zeek::session::detail::Key DoSessionKey() const override {
+        return {reinterpret_cast<const void*>(&key), sizeof(key), session::detail::Key::CONNECTION_KEY_TYPE};
+    }
+
+    void DoPopulateConnIdVal(zeek::RecordVal& conn_id, zeek::RecordVal& ctx) override {
+        // Base class populates conn_id fields (orig_h, orig_p, resp_h, resp_p)
+        zeek::IPBasedConnKey::DoPopulateConnIdVal(conn_id, ctx);
+
+        if ( conn_id.GetType() != id::conn_id )
+            return;
+
+        if ( (key.vxlan_vni & 0xFF000000) == 0 ) // High-bits unset: Have VNI
+            ctx.Assign(GetVxlanVniOffset(), static_cast<zeek_uint_t>(key.vxlan_vni));
+        else
+            ctx.Remove(GetVxlanVniOffset());
+    }
+
+    // Extract VNI from most outer VXLAN layer.
+    void DoInit(const Packet& pkt) override {
+        static const auto& analyzer = zeek::packet_mgr->GetAnalyzer("VXLAN");
+
+        // Set the high-bits: This is needed because keys can get reused.
+        key.vxlan_vni = 0xFF000000;
+
+        if ( ! analyzer || ! analyzer->IsEnabled() )
+            return;
+
+        auto spans = zeek::packet_mgr->GetAnalyzerData(analyzer);
+
+        if ( spans.empty() || spans[0].size() < 8 )
+            return;
+
+        key.vxlan_vni = spans[0][4] << 16 | spans[0][5] << 8 | spans[0][6];
+    }
+
+    static int GetVxlanVniOffset() {
+        static const auto& conn_id_ctx = zeek::id::find_type<zeek::RecordType>("conn_id_ctx");
+        static int vxlan_vni_offset = conn_id_ctx->FieldOffset("vxlan_vni");
+        return vxlan_vni_offset;
+    }
+
+private:
+    friend class Factory;
+
+    struct {
+        struct detail::PackedConnTuple tuple;
+        uint32_t vxlan_vni;
+    } __attribute__((packed, aligned)) key; // packed and aligned due to usage for hashing
+};
+
+zeek::ConnKeyPtr Factory::DoNewConnKey() const { return std::make_unique<VxlanVniConnKey>(); }
+
+zeek::expected<zeek::ConnKeyPtr, std::string> Factory::DoConnKeyFromVal(const zeek::Val& v) const {
+    if ( v.GetType() != id::conn_id )
+        return zeek::unexpected<std::string>{"unexpected value type"};
+
+    auto ck = zeek::conn_key::fivetuple::Factory::DoConnKeyFromVal(v);
+    if ( ! ck.has_value() )
+        return ck;
+
+    int vxlan_vni_offset = VxlanVniConnKey::GetVxlanVniOffset();
+    static int ctx_offset = id::conn_id->FieldOffset("ctx");
+
+    auto* k = static_cast<VxlanVniConnKey*>(ck.value().get());
+    auto* ctx = v.AsRecordVal()->GetFieldAs<zeek::RecordVal>(ctx_offset);
+
+    if ( vxlan_vni_offset < 0 )
+        return zeek::unexpected<std::string>{"missing vlxan_vni field"};
+
+    if ( ctx->HasField(vxlan_vni_offset) )
+        k->key.vxlan_vni = ctx->GetFieldAs<zeek::CountVal>(vxlan_vni_offset);
+
+    return ck;
+}
+
+} // namespace zeek::conn_key::vxlan_vni_fivetuple
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Factory.h b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Factory.h
new file mode 100644
index 0000000000..421aedc265
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Factory.h
@@ -0,0 +1,18 @@
+#pragma once
+
+#include "zeek/ConnKey.h"
+#include "zeek/packet_analysis/protocol/ip/conn_key/fivetuple/Factory.h"
+
+namespace zeek::conn_key::vxlan_vni_fivetuple {
+
+class Factory : public zeek::conn_key::fivetuple::Factory {
+public:
+    static zeek::conn_key::FactoryPtr Instantiate() { return std::make_unique<Factory>(); }
+
+private:
+    // Returns a VxlanVniConnKey instance.
+    zeek::ConnKeyPtr DoNewConnKey() const override;
+    zeek::expected<zeek::ConnKeyPtr, std::string> DoConnKeyFromVal(const zeek::Val& v) const override;
+};
+
+} // namespace zeek::conn_key::vxlan_vni_fivetuple
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Plugin.cc b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Plugin.cc
new file mode 100644
index 0000000000..03bdd8d34a
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Plugin.cc
@@ -0,0 +1,26 @@
+
+#include "Plugin.h"
+
+#include <zeek/conn_key/Component.h>
+
+#include "Factory.h"
+
+namespace plugin {
+namespace Zeek_ConnKey_Vxlan_Vni_Fivetuple {
+Plugin plugin;
+}
+} // namespace plugin
+
+using namespace plugin::Zeek_ConnKey_Vxlan_Vni_Fivetuple;
+
+zeek::plugin::Configuration Plugin::Configure() {
+    zeek::plugin::Configuration config;
+    config.name = "Zeek::ConnKey_Vxlan_Vni_Fivetuple";
+    config.description = "ConnKey implementation using the most outer VXLAN VNI";
+    config.version = {0, 1, 0};
+
+    AddComponent(new zeek::conn_key::Component("VXLAN_VNI_FIVETUPLE",
+                                               zeek::conn_key::vxlan_vni_fivetuple::Factory::Instantiate));
+
+    return config;
+}
diff --git a/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Plugin.h b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Plugin.h
new file mode 100644
index 0000000000..057bc82d9e
--- /dev/null
+++ b/doc/devel/plugins/connkey-vxlan-fivetuple-plugin-src/src/Plugin.h
@@ -0,0 +1,17 @@
+
+#pragma once
+
+#include <zeek/plugin/Plugin.h>
+
+namespace plugin {
+namespace Zeek_ConnKey_Vxlan_Vni_Fivetuple {
+
+class Plugin : public zeek::plugin::Plugin {
+protected:
+    zeek::plugin::Configuration Configure() override;
+};
+
+extern Plugin plugin;
+
+} // namespace Zeek_ConnKey_Vxlan_Vni_Fivetuple
+} // namespace plugin
diff --git a/doc/devel/plugins/event-metadata-plugin-src/.gitignore b/doc/devel/plugins/event-metadata-plugin-src/.gitignore
new file mode 100644
index 0000000000..ee35264121
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/.gitignore
@@ -0,0 +1,3 @@
+build
+*.log
+.state
diff --git a/doc/devel/plugins/event-metadata-plugin-src/CMakeLists.txt b/doc/devel/plugins/event-metadata-plugin-src/CMakeLists.txt
new file mode 100644
index 0000000000..e27c17e0b7
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/CMakeLists.txt
@@ -0,0 +1,13 @@
+cmake_minimum_required(VERSION 3.15 FATAL_ERROR)
+
+project(ZeekPluginEventLatency)
+
+include(ZeekPlugin)
+
+zeek_add_plugin(
+    Zeek
+    EventLatency
+    SOURCES
+    src/Plugin.cc
+    SCRIPT_FILES scripts/__load__.zeek
+)
diff --git a/doc/devel/plugins/event-metadata-plugin-src/COPYING b/doc/devel/plugins/event-metadata-plugin-src/COPYING
new file mode 100644
index 0000000000..5444d58080
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/COPYING
@@ -0,0 +1,26 @@
+Copyright (c) 2025 by the Zeek Project. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/doc/devel/plugins/event-metadata-plugin-src/Makefile b/doc/devel/plugins/event-metadata-plugin-src/Makefile
new file mode 100644
index 0000000000..3da2167a84
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/Makefile
@@ -0,0 +1,23 @@
+#
+# Convenience Makefile providing a few common top-level targets.
+#
+
+cmake_build_dir=build
+arch=`uname -s | tr A-Z a-z`-`uname -m`
+
+all: build-it
+
+build-it:
+	( cd $(cmake_build_dir) && make )
+
+install:
+	( cd $(cmake_build_dir) && make install )
+
+clean:
+	( cd $(cmake_build_dir) && make clean )
+
+distclean:
+	rm -rf $(cmake_build_dir)
+
+test:
+	make -C tests
diff --git a/doc/devel/plugins/event-metadata-plugin-src/README b/doc/devel/plugins/event-metadata-plugin-src/README
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/doc/devel/plugins/event-metadata-plugin-src/VERSION b/doc/devel/plugins/event-metadata-plugin-src/VERSION
new file mode 100644
index 0000000000..6e8bf73aa5
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/VERSION
@@ -0,0 +1 @@
+0.1.0
diff --git a/doc/devel/plugins/event-metadata-plugin-src/configure b/doc/devel/plugins/event-metadata-plugin-src/configure
new file mode 100755
index 0000000000..5c7bad670d
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/configure
@@ -0,0 +1,193 @@
+#!/bin/sh
+#
+# Wrapper for viewing/setting options that the plugin's CMake
+# scripts will recognize.
+#
+# Don't edit this. Edit configure.plugin to add plugin-specific options.
+#
+
+set -e
+command="$0 $*"
+
+if [ -e $(dirname $0)/configure.plugin ]; then
+    # Include custom additions.
+    . $(dirname $0)/configure.plugin
+fi
+
+usage() {
+
+    cat 1>&2 <<EOF
+Usage: $0 [OPTIONS]
+
+  Plugin Options:
+    --cmake=PATH               Path to CMake binary
+    --zeek-dist=DIR            Path to Zeek source tree
+    --install-root=DIR         Path where to install plugin into
+    --with-binpac=DIR          Path to BinPAC installation root
+    --with-broker=DIR          Path to Broker installation root
+    --with-bifcl=PATH          Path to bifcl executable
+    --enable-debug             Compile in debugging mode
+    --disable-cpp-tests        Don't build C++ unit tests
+EOF
+
+    if type plugin_usage >/dev/null 2>&1; then
+        plugin_usage 1>&2
+    fi
+
+    echo
+
+    exit 1
+}
+
+# Function to append a CMake cache entry definition to the
+# CMakeCacheEntries variable
+#   $1 is the cache entry variable name
+#   $2 is the cache entry variable type
+#   $3 is the cache entry variable value
+append_cache_entry() {
+    CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3"
+}
+
+# set defaults
+builddir=build
+zeekdist=""
+installroot="default"
+zeek_plugin_begin_opts=""
+CMakeCacheEntries=""
+
+while [ $# -ne 0 ]; do
+    case "$1" in
+        -*=*) optarg=$(echo "$1" | sed 's/[-_a-zA-Z0-9]*=//') ;;
+        *) optarg= ;;
+    esac
+
+    case "$1" in
+        --help | -h)
+            usage
+            ;;
+
+        --cmake=*)
+            CMakeCommand=$optarg
+            ;;
+
+        --zeek-dist=*)
+            zeekdist=$(cd $optarg && pwd)
+            ;;
+
+        --install-root=*)
+            installroot=$optarg
+            ;;
+
+        --with-binpac=*)
+            append_cache_entry BinPAC_ROOT_DIR PATH $optarg
+            binpac_root=$optarg
+            ;;
+
+        --with-broker=*)
+            append_cache_entry BROKER_ROOT_DIR PATH $optarg
+            broker_root=$optarg
+            ;;
+
+        --with-bifcl=*)
+            append_cache_entry BifCl_EXE PATH $optarg
+            ;;
+
+        --enable-debug)
+            append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
+            ;;
+
+        --disable-cpp-tests)
+            zeek_plugin_begin_opts="DISABLE_CPP_TESTS;$zeek_plugin_begin_opts"
+            ;;
+
+        *)
+            if type plugin_option >/dev/null 2>&1; then
+                plugin_option $1 && shift && continue
+            fi
+
+            echo "Invalid option '$1'.  Try $0 --help to see available options."
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+if [ -z "$CMakeCommand" ]; then
+    # prefer cmake3 over "regular" cmake (cmake == cmake2 on RHEL)
+    if command -v cmake3 >/dev/null 2>&1; then
+        CMakeCommand="cmake3"
+    elif command -v cmake >/dev/null 2>&1; then
+        CMakeCommand="cmake"
+    else
+        echo "This plugin requires CMake, please install it first."
+        echo "Then you may use this script to configure the CMake build."
+        echo "Note: pass --cmake=PATH to use cmake in non-standard locations."
+        exit 1
+    fi
+fi
+
+if [ -z "$zeekdist" ]; then
+    if type zeek-config >/dev/null 2>&1; then
+        zeek_config="zeek-config"
+    else
+        echo "Either 'zeek-config' must be in PATH or '--zeek-dist=<path>' used"
+        exit 1
+    fi
+
+    append_cache_entry BRO_CONFIG_PREFIX PATH $(${zeek_config} --prefix)
+    append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH $(${zeek_config} --include_dir)
+    append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH $(${zeek_config} --plugin_dir)
+    append_cache_entry BRO_CONFIG_LIB_DIR PATH $(${zeek_config} --lib_dir)
+    append_cache_entry BRO_CONFIG_CMAKE_DIR PATH $(${zeek_config} --cmake_dir)
+    append_cache_entry CMAKE_MODULE_PATH PATH $(${zeek_config} --cmake_dir)
+
+    build_type=$(${zeek_config} --build_type)
+
+    if [ "$build_type" = "debug" ]; then
+        append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
+    fi
+
+    if [ -z "$binpac_root" ]; then
+        append_cache_entry BinPAC_ROOT_DIR PATH $(${zeek_config} --binpac_root)
+    fi
+
+    if [ -z "$broker_root" ]; then
+        append_cache_entry BROKER_ROOT_DIR PATH $(${zeek_config} --broker_root)
+    fi
+else
+    if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then
+        echo "$zeekdist does not appear to be a valid Zeek source tree."
+        exit 1
+    fi
+
+    # BRO_DIST is the canonical/historical name used by plugin CMake scripts
+    # ZEEK_DIST doesn't serve a function at the moment, but set/provided anyway
+    append_cache_entry BRO_DIST PATH $zeekdist
+    append_cache_entry ZEEK_DIST PATH $zeekdist
+    append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake
+fi
+
+if [ "$installroot" != "default" ]; then
+    mkdir -p $installroot
+    append_cache_entry BRO_PLUGIN_INSTALL_ROOT PATH $installroot
+fi
+
+if [ -n "$zeek_plugin_begin_opts" ]; then
+    append_cache_entry ZEEK_PLUGIN_BEGIN_OPTS STRING "$zeek_plugin_begin_opts"
+fi
+
+if type plugin_addl >/dev/null 2>&1; then
+    plugin_addl
+fi
+
+echo "Build Directory        : $builddir"
+echo "Zeek Source Directory   : $zeekdist"
+
+mkdir -p $builddir
+cd $builddir
+
+"$CMakeCommand" $CMakeCacheEntries ..
+
+echo "# This is the command used to configure this build" >config.status
+echo $command >>config.status
+chmod u+x config.status
diff --git a/doc/devel/plugins/event-metadata-plugin-src/scripts/__load__.zeek b/doc/devel/plugins/event-metadata-plugin-src/scripts/__load__.zeek
new file mode 100644
index 0000000000..50fe35fc89
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/scripts/__load__.zeek
@@ -0,0 +1,11 @@
+module EventLatency;
+
+redef enum EventMetadata::ID += {
+	## Identifier for the absolute time at which Zeek published this event.
+	WALLCLOCK_TIMESTAMP = 10001000,
+};
+
+event zeek_init()
+	{
+	assert EventMetadata::register(WALLCLOCK_TIMESTAMP, time);
+	}
diff --git a/doc/devel/plugins/event-metadata-plugin-src/scripts/__preload__.zeek b/doc/devel/plugins/event-metadata-plugin-src/scripts/__preload__.zeek
new file mode 100644
index 0000000000..b7db25411d
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/scripts/__preload__.zeek
@@ -0,0 +1 @@
+# Empty
diff --git a/doc/devel/plugins/event-metadata-plugin-src/src/Plugin.cc b/doc/devel/plugins/event-metadata-plugin-src/src/Plugin.cc
new file mode 100644
index 0000000000..98db08c33b
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/src/Plugin.cc
@@ -0,0 +1,65 @@
+
+#include "Plugin.h"
+
+#include <zeek/Event.h>
+#include <zeek/Val.h>
+#include <zeek/cluster/Backend.h>
+#include <zeek/plugin/Plugin.h>
+#include <zeek/telemetry/Manager.h>
+
+namespace plugin {
+namespace Zeek_EventLatency {
+Plugin plugin;
+}
+} // namespace plugin
+
+using namespace plugin::Zeek_EventLatency;
+
+zeek::plugin::Configuration Plugin::Configure() {
+    zeek::plugin::Configuration config;
+    config.name = "Zeek::EventLatency";
+    config.description = "Track remote event latencies";
+    config.version = {0, 1, 0};
+    EnableHook(zeek::plugin::HOOK_PUBLISH_EVENT);
+    EnableHook(zeek::plugin::HOOK_QUEUE_EVENT);
+    return config;
+}
+
+void Plugin::InitPostScript() {
+    double bounds[] = {0.0002, 0.0004, 0.0006, 0.0008, 0.0010, 0.0012, 0.0014, 0.0016, 0.0018, 0.0020};
+    histogram =
+        zeek::telemetry_mgr->HistogramInstance("zeek", "cluster_event_latency_seconds", {}, bounds, "event latency");
+}
+
+bool Plugin::HookPublishEvent(zeek::cluster::Backend& backend, const std::string& topic,
+                              zeek::cluster::detail::Event& event) {
+    static const auto& wallclock_id = zeek::id::find_val<zeek::EnumVal>("EventLatency::WALLCLOCK_TIMESTAMP");
+
+    auto now_val = zeek::make_intrusive<zeek::TimeVal>(zeek::util::current_time(/*real=*/true));
+
+    if ( ! event.AddMetadata(wallclock_id, now_val) )
+        zeek::reporter->FatalError("failed to add wallclock timestamp metadata");
+
+    return true;
+}
+
+bool Plugin::HookQueueEvent(zeek::Event* event) {
+    static const auto& wallclock_id = zeek::id::find_val<zeek::EnumVal>("EventLatency::WALLCLOCK_TIMESTAMP");
+
+    if ( event->Source() == zeek::util::detail::SOURCE_LOCAL )
+        return false;
+
+    auto timestamps = event->MetadataValues(wallclock_id);
+
+    if ( timestamps->Size() > 0 ) {
+        double remote_ts = timestamps->ValAt(0)->AsTime();
+        auto now = zeek::util::current_time(/*real=*/true);
+        auto latency = std::max(0.0, now - remote_ts);
+
+        histogram->Observe(latency);
+    }
+    else
+        zeek::reporter->Warning("missing wallclock timestamp metadata");
+
+    return false;
+}
diff --git a/doc/devel/plugins/event-metadata-plugin-src/src/Plugin.h b/doc/devel/plugins/event-metadata-plugin-src/src/Plugin.h
new file mode 100644
index 0000000000..bc6acf1948
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin-src/src/Plugin.h
@@ -0,0 +1,29 @@
+
+#pragma once
+
+#include <zeek/plugin/Plugin.h>
+#include <zeek/telemetry/Histogram.h>
+
+namespace plugin {
+namespace Zeek_EventLatency {
+
+class Plugin : public zeek::plugin::Plugin {
+protected:
+    // Overridden from zeek::plugin::Plugin.
+    zeek::plugin::Configuration Configure() override;
+
+    void InitPostScript() override;
+
+    bool HookPublishEvent(zeek::cluster::Backend& backend, const std::string& topic,
+                          zeek::cluster::detail::Event& event) override;
+
+    bool HookQueueEvent(zeek::Event* event) override;
+
+private:
+    zeek::telemetry::HistogramPtr histogram;
+};
+
+extern Plugin plugin;
+
+} // namespace Zeek_EventLatency
+} // namespace plugin
diff --git a/doc/devel/plugins/event-metadata-plugin.rst b/doc/devel/plugins/event-metadata-plugin.rst
new file mode 100644
index 0000000000..52780d8f90
--- /dev/null
+++ b/doc/devel/plugins/event-metadata-plugin.rst
@@ -0,0 +1,103 @@
+.. _event-metadata-plugin:
+
+=====================
+Event Metadata Plugin
+=====================
+
+.. versionadded:: 8.0
+
+
+Zeek's plugin API allows adding metadata to Zeek events. In the Zeek-script
+layer, the :zeek:see:`EventMetadata::current` and :zeek:see:`EventMetadata::current_all`
+functions can be used to introspect metadata attached to events. In a Zeek cluster,
+metadata is transported via remote events for consumption by other Zeek nodes.
+This section describes the functionality in form of a tutorial. We'll
+be using custom event metadata to track the latency of Zeek events in a
+cluster and expose them as a Prometheus histogram.
+
+If you're unfamiliar with plugin development, head over to the
+:ref:`Writing Plugins <writing-plugins>` section. For more information
+about telemetry and Prometheus, see also the :ref:`Telemetry framework's <framework-telemetry>`
+documentation.
+
+
+Registering Metadata
+====================
+
+Initially, we make Zeek's core aware of the metadata to attach to events. This
+requires two steps.
+First, redefining the :zeek:see:`EventMetadata::ID` enumeration with our
+custom enumeration value ``WALLCLOCK_TIMESTAMP``. This is our metadata identifier.
+Its value represents the Unix timestamps when an event was published.
+Second, registering the metadata identifier with Zeek's :zeek:see:`time` type
+by calling :zeek:see:`EventMetadata::register` in a :zeek:see:`zeek_init` handler.
+This instructs Zeek to convert metadata items in received remote events with
+identifier ``10001000`` to a :zeek:see:`time` value.
+
+For simplicity, the second step is done in the plugin's ``scripts/__init__.zeek`` file
+that's loaded automatically when Zeek loads the plugin.
+
+.. literalinclude:: event-metadata-plugin-src/scripts/__load__.zeek
+   :caption: main.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+The ``10001000`` represents the metadata identifier for serialization purposes. It
+needs to be unique and have a defined meaning and consistent type for a given Zeek
+deployment. Metadata identifiers below ``200`` are reserved for Zeek's internal use.
+Users are free to choose any other value. Zeek will fail to start or fail to
+register the type in the case of conflicting identifiers in third-party packages.
+
+
+Implementing the Plugin
+=======================
+
+Next, we implement the ``InitPostScript()``, ``HookPublishEvent()`` and
+``HookQueueEvent()`` methods in our plugin.
+In the ``InitPostScript()`` method, a histogram instance is initialized using
+Zeek's telemetry manager with hard-coded bounds. These define buckets for latency
+monitoring.
+The ``HookPublishEvent()`` method adds ``WALLCLOCK_TIMESTAMP`` metadata with
+the current time to the event, while the ``HookQueueEvent()`` method extracts
+the sender's timestamp and computes the latency based on its own local time.
+Finally, the latency is recorded with the histogram by calling ``Observe()``.
+
+
+.. literalinclude:: event-metadata-plugin-src/src/Plugin.cc
+   :caption: main.zeek
+   :language: zeek
+   :linenos:
+   :lines: 28-
+   :tab-width: 4
+
+
+Resulting Prometheus Metrics
+============================
+
+Deploying the plugin outlined above in a cluster and querying the manager's
+metrics endpoint presents the following result::
+
+    $ curl -s localhost:10001/metrics | grep '^zeek_cluster_event_latency'
+    zeek_cluster_event_latency_seconds_count{endpoint="manager"} 11281
+    zeek_cluster_event_latency_seconds_sum{endpoint="manager"} 7.960928916931152
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.0002"} 37
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.0004"} 583
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.0005999999999999999"} 3858
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.0008"} 7960
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.001"} 10185
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.0012"} 10957
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.0014"} 11239
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.0016"} 11269
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.0018"} 11279
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="0.002"} 11281
+    zeek_cluster_event_latency_seconds_bucket{endpoint="manager",le="+Inf"} 11281
+
+
+This example indicates that there were a total of 11281 latencies observed,
+the summed up latency was around 8 seconds, 37 events had a latency less or equal
+to 0.2 milliseconds, 583 with less or equal than 0.4 milliseconds and none
+that took more than 2 milliseconds.
+
+This sort of data is usually scraped and ingested by a `Prometheus server <https://prometheus.io/>`_  and
+then visualized using `Grafana <https://grafana.com/>`_.
diff --git a/doc/devel/spicy/autogen-spicy-docs b/doc/devel/spicy/autogen-spicy-docs
new file mode 100755
index 0000000000..e09044fffe
--- /dev/null
+++ b/doc/devel/spicy/autogen-spicy-docs
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Copyright (c) 2020-2023 by the Zeek Project. See LICENSE for details.
+#
+# Tool to update autogenerated docs that require external files. Must be
+# run manually and requires access to the Spicy TFTP analyzer.
+
+set -e
+
+if [ $# != 1 ]; then
+    echo "usage: $(basename "$0") <spicy-tftp-repo>"
+    exit 1
+fi
+
+TFTP=$1
+
+if [ ! -d "${TFTP}"/analyzer ]; then
+    echo "${TFTP} does not seem to point to a spicy-tftp repository."
+    exit 1
+fi
+
+set -o errexit
+set -o nounset
+
+ZEEK="$(cd "$( dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/../../.."
+DOC="${ZEEK}/doc"
+SPICY="${ZEEK}/auxil/spicy"
+SPICYDOC="${ZEEK}/build/auxil/spicy/bin/spicy-doc"
+AUTOGEN_FINAL="${ZEEK}/doc/devel/spicy/autogen"
+
+if [ ! -x "${SPICYDOC}" ]; then
+    >&2 echo "Warning: Could not find spicy-doc in build directory, aborting"
+    exit 0
+fi
+
+"${SPICY}/doc/scripts/autogen-spicy-lib" functions zeek  < "${ZEEK}/scripts/spicy/zeek.spicy" > "${AUTOGEN_FINAL}/zeek-functions.spicy" || exit 1
+
+# Copy some static files over.
+cp "${TFTP}"/scripts/main.zeek "${AUTOGEN_FINAL}"/tftp.zeek || exit 1
+cp "${TFTP}"/analyzer/tftp.spicy "${AUTOGEN_FINAL}"/tftp.spicy || exit 1
+cp "${TFTP}"/analyzer/tftp.evt "${AUTOGEN_FINAL}"/tftp.evt || exit 1
+cat "${TFTP}"/analyzer/tftp.spicy | grep -v spicy::accept_input > "${AUTOGEN_FINAL}"/tftp-no-accept.spicy || exit 1
+
+# Copy some files from the Zeek source tree so that zeek-docs remains standaline for CI.
+cp "${ZEEK}/scripts/base/frameworks/spicy/init-bare.zeek" "${AUTOGEN_FINAL}/"
+cp "${ZEEK}/scripts/base/frameworks/spicy/init-framework.zeek" "${AUTOGEN_FINAL}/"
+cp "${ZEEK}/auxil/spicy/doc/scripts/spicy-pygments.py" "${DOC}/ext"
+
diff --git a/doc/devel/spicy/autogen/init-bare.zeek b/doc/devel/spicy/autogen/init-bare.zeek
new file mode 100644
index 0000000000..e01f4adafd
--- /dev/null
+++ b/doc/devel/spicy/autogen/init-bare.zeek
@@ -0,0 +1,38 @@
+
+module Spicy;
+
+export {
+# doc-options-start
+    ## Constant for testing if Spicy is available.
+    const available = T;
+
+    ## Show output of Spicy print statements.
+    const enable_print = F &redef;
+
+    # Record and display profiling information, if compiled into analyzer.
+    const enable_profiling = F &redef;
+
+    ## abort() instead of throwing HILTI exceptions.
+    const abort_on_exceptions = F &redef;
+
+    ## Include backtraces when reporting unhandled exceptions.
+    const show_backtraces = F &redef;
+
+    ## Maximum depth of recursive file analysis (Spicy analyzers only)
+    const max_file_depth: count = 5 &redef;
+# doc-options-end
+
+# doc-types-start
+    ## Result type for :zeek:see:`Spicy::resource_usage`. The values reflect resource
+    ## usage as reported by the Spicy runtime system.
+    type ResourceUsage: record {
+        user_time : interval;           ##< user CPU time of the Zeek process
+        system_time :interval;          ##< system CPU time of the Zeek process
+        memory_heap : count;            ##< memory allocated on the heap by the Zeek process
+        num_fibers : count;             ##< number of fibers currently in use
+        max_fibers: count;              ##< maximum number of fibers ever in use
+        max_fiber_stack_size: count;    ##< maximum fiber stack size ever in use
+        cached_fibers: count;           ##< number of fibers currently cached
+    };
+# doc-types-end
+}
diff --git a/doc/devel/spicy/autogen/init-framework.zeek b/doc/devel/spicy/autogen/init-framework.zeek
new file mode 100644
index 0000000000..de6b528ee4
--- /dev/null
+++ b/doc/devel/spicy/autogen/init-framework.zeek
@@ -0,0 +1,85 @@
+# doc-common-start
+module Spicy;
+
+export {
+# doc-functions-start
+    ## Enable a specific Spicy protocol analyzer if not already active. If this
+    ## analyzer replaces an standard analyzer, that one will automatically be
+    ## disabled.
+    ##
+    ## tag: analyzer to toggle
+    ##
+    ## Returns: true if the operation succeeded
+    global enable_protocol_analyzer: function(tag: Analyzer::Tag) : bool;
+
+    ## Disable a specific Spicy protocol analyzer if not already inactive. If
+    ## this analyzer replaces an standard analyzer, that one will automatically
+    ## be re-enabled.
+    ##
+    ## tag: analyzer to toggle
+    ##
+    ## Returns: true if the operation succeeded
+    global disable_protocol_analyzer: function(tag: Analyzer::Tag) : bool;
+
+
+    ## Enable a specific Spicy file analyzer if not already active. If this
+    ## analyzer replaces an standard analyzer, that one will automatically be
+    ## disabled.
+    ##
+    ## tag: analyzer to toggle
+    ##
+    ## Returns: true if the operation succeeded
+    global enable_file_analyzer: function(tag: Files::Tag) : bool;
+
+    ## Disable a specific Spicy file analyzer if not already inactive. If
+    ## this analyzer replaces an standard analyzer, that one will automatically
+    ## be re-enabled.
+    ##
+    ## tag: analyzer to toggle
+    ##
+    ## Returns: true if the operation succeeded
+    global disable_file_analyzer: function(tag: Files::Tag) : bool;
+
+    ## Returns current resource usage as reported by the Spicy runtime system.
+    global resource_usage: function() : ResourceUsage;
+# doc-functions-end
+}
+
+# Marked with &is_used to suppress complaints when there aren't any
+# Spicy file analyzers loaded, and hence this event can't be generated.
+event spicy_analyzer_for_mime_type(a: Files::Tag, mt: string) &is_used
+    {
+    Files::register_for_mime_type(a, mt);
+    }
+
+# Marked with &is_used to suppress complaints when there aren't any
+# Spicy protocol analyzers loaded, and hence this event can't be generated.
+event spicy_analyzer_for_port(a: Analyzer::Tag, p: port) &is_used
+    {
+    Analyzer::register_for_port(a, p);
+    }
+
+function enable_protocol_analyzer(tag: Analyzer::Tag) : bool
+    {
+    return Spicy::__toggle_analyzer(tag, T);
+    }
+
+function disable_protocol_analyzer(tag: Analyzer::Tag) : bool
+    {
+    return Spicy::__toggle_analyzer(tag, F);
+    }
+
+function enable_file_analyzer(tag: Files::Tag) : bool
+    {
+    return Spicy::__toggle_analyzer(tag, T);
+    }
+
+function disable_file_analyzer(tag: Files::Tag) : bool
+    {
+    return Spicy::__toggle_analyzer(tag, F);
+    }
+
+function resource_usage() : ResourceUsage
+    {
+    return Spicy::__resource_usage();
+    }
diff --git a/doc/devel/spicy/autogen/tftp-no-accept.spicy b/doc/devel/spicy/autogen/tftp-no-accept.spicy
new file mode 100644
index 0000000000..07b7c39e3f
--- /dev/null
+++ b/doc/devel/spicy/autogen/tftp-no-accept.spicy
@@ -0,0 +1,91 @@
+# Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
+#
+# Trivial File Transfer Protocol
+#
+# Specs from https://tools.ietf.org/html/rfc1350
+
+module TFTP;
+
+import spicy;
+
+# Common header for all messages:
+#
+#      2 bytes
+# ---------------
+# |  TFTP Opcode  |
+#  ---------------
+
+public type Packet = unit {    # public top-level entry point for parsing
+    op: uint16 &convert=Opcode($$);
+    switch ( self.op ) {
+        Opcode::RRQ   -> rrq:   Request(True);
+        Opcode::WRQ   -> wrq:   Request(False);
+        Opcode::DATA  -> data:  Data;
+        Opcode::ACK   -> ack:   Acknowledgement;
+        Opcode::ERROR -> error: Error;
+        };
+};
+
+# TFTP supports five types of packets [...]:
+#
+# opcode  operation
+#   1     Read request (RRQ)
+#   2     Write request (WRQ)
+#   3     Data (DATA)
+#   4     Acknowledgment (ACK)
+#   5     Error (ERROR)
+type Opcode = enum {
+    RRQ = 0x01,
+    WRQ = 0x02,
+    DATA = 0x03,
+    ACK = 0x04,
+    ERROR = 0x05
+};
+
+# Figure 5-1: RRQ/WRQ packet
+#
+#  2 bytes     string    1 byte     string   1 byte
+#  ------------------------------------------------
+# | Opcode |  Filename  |   0  |    Mode    |   0  |
+#  ------------------------------------------------
+
+type Request = unit(is_read: bool) {
+    filename: bytes &until=b"\x00";
+    mode:     bytes &until=b"\x00";
+
+};
+
+# Figure 5-2: DATA packet
+#
+#  2 bytes     2 bytes      n bytes
+#   ----------------------------------
+#  | Opcode |   Block #  |   Data     |
+#   ----------------------------------
+
+type Data = unit {
+    num:  uint16;
+    data: bytes &eod;
+};
+
+# Figure 5-3: ACK packet
+#
+#  2 bytes     2 bytes
+#  ---------------------
+# | Opcode |   Block #  |
+#  ---------------------
+
+type Acknowledgement = unit {
+    num: uint16;
+};
+
+#  Figure 5-4: ERROR packet
+#
+#  2 bytes     2 bytes      string    1 byte
+#  -----------------------------------------
+# | Opcode |  ErrorCode |   ErrMsg   |   0  |
+#  -----------------------------------------
+
+type Error = unit {
+    code: uint16;
+    msg:  bytes &until=b"\x00";
+};
diff --git a/doc/devel/spicy/autogen/tftp.evt b/doc/devel/spicy/autogen/tftp.evt
new file mode 100644
index 0000000000..85575e076d
--- /dev/null
+++ b/doc/devel/spicy/autogen/tftp.evt
@@ -0,0 +1,16 @@
+# Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
+#
+# Note: When line numbers change in this file, update the documentation that pulls it in.
+
+protocol analyzer spicy::TFTP over UDP:
+    parse with TFTP::Packet,
+    port 69/udp;
+
+import TFTP;
+
+on TFTP::Request if ( is_read )   -> event tftp::read_request($conn, $is_orig, self.filename, self.mode);
+on TFTP::Request if ( ! is_read ) -> event tftp::write_request($conn, $is_orig, self.filename, self.mode);
+
+on TFTP::Data            -> event tftp::data($conn, $is_orig, self.num, self.data);
+on TFTP::Acknowledgement -> event tftp::ack($conn, $is_orig, self.num);
+on TFTP::Error           -> event tftp::error($conn, $is_orig, self.code, self.msg);
diff --git a/doc/devel/spicy/autogen/tftp.spicy b/doc/devel/spicy/autogen/tftp.spicy
new file mode 100644
index 0000000000..7927c6e90c
--- /dev/null
+++ b/doc/devel/spicy/autogen/tftp.spicy
@@ -0,0 +1,92 @@
+# Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
+#
+# Trivial File Transfer Protocol
+#
+# Specs from https://tools.ietf.org/html/rfc1350
+
+module TFTP;
+
+import spicy;
+
+# Common header for all messages:
+#
+#      2 bytes
+# ---------------
+# |  TFTP Opcode  |
+#  ---------------
+
+public type Packet = unit {    # public top-level entry point for parsing
+    op: uint16 &convert=Opcode($$);
+    switch ( self.op ) {
+        Opcode::RRQ   -> rrq:   Request(True);
+        Opcode::WRQ   -> wrq:   Request(False);
+        Opcode::DATA  -> data:  Data;
+        Opcode::ACK   -> ack:   Acknowledgement;
+        Opcode::ERROR -> error: Error;
+        };
+};
+
+# TFTP supports five types of packets [...]:
+#
+# opcode  operation
+#   1     Read request (RRQ)
+#   2     Write request (WRQ)
+#   3     Data (DATA)
+#   4     Acknowledgment (ACK)
+#   5     Error (ERROR)
+type Opcode = enum {
+    RRQ = 0x01,
+    WRQ = 0x02,
+    DATA = 0x03,
+    ACK = 0x04,
+    ERROR = 0x05
+};
+
+# Figure 5-1: RRQ/WRQ packet
+#
+#  2 bytes     string    1 byte     string   1 byte
+#  ------------------------------------------------
+# | Opcode |  Filename  |   0  |    Mode    |   0  |
+#  ------------------------------------------------
+
+type Request = unit(is_read: bool) {
+    filename: bytes &until=b"\x00";
+    mode:     bytes &until=b"\x00";
+
+    on %done { spicy::accept_input(); }
+};
+
+# Figure 5-2: DATA packet
+#
+#  2 bytes     2 bytes      n bytes
+#   ----------------------------------
+#  | Opcode |   Block #  |   Data     |
+#   ----------------------------------
+
+type Data = unit {
+    num:  uint16;
+    data: bytes &eod;
+};
+
+# Figure 5-3: ACK packet
+#
+#  2 bytes     2 bytes
+#  ---------------------
+# | Opcode |   Block #  |
+#  ---------------------
+
+type Acknowledgement = unit {
+    num: uint16;
+};
+
+#  Figure 5-4: ERROR packet
+#
+#  2 bytes     2 bytes      string    1 byte
+#  -----------------------------------------
+# | Opcode |  ErrorCode |   ErrMsg   |   0  |
+#  -----------------------------------------
+
+type Error = unit {
+    code: uint16;
+    msg:  bytes &until=b"\x00";
+};
diff --git a/doc/devel/spicy/autogen/tftp.zeek b/doc/devel/spicy/autogen/tftp.zeek
new file mode 100644
index 0000000000..bc4ed3a2e2
--- /dev/null
+++ b/doc/devel/spicy/autogen/tftp.zeek
@@ -0,0 +1,162 @@
+# Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
+
+module TFTP;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the request happened.
+		ts:		time &log;
+		## Unique ID for the connection.
+		uid:		string &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:		conn_id &log;
+		## True  for write requests, False for read request.
+		wrq:		bool &log;
+		## File name of request.
+		fname:		string &log;
+		## Mode of request.
+		mode:		string &log;
+		## UID of data connection
+		uid_data:	string &optional &log;
+		## Number of bytes sent.
+		size:		count &default=0 &log;
+		## Highest block number sent.
+		block_sent:	count &default=0 &log;
+		## Highest block number ackknowledged.
+		block_acked:	count &default=0 &log;
+		## Any error code encountered.
+		error_code:	count &optional &log;
+		## Any error message encountered.
+		error_msg:	string &optional &log;
+
+		# Set to block number of final piece of data once received.
+		final_block: count &optional;
+
+		# Set to true once logged.
+		done: bool &default=F;
+	};
+
+	## Event that can be handled to access the TFTP logging record.
+	global log_tftp: event(rec: Info);
+}
+
+# Maps a partial data connection ID to the request's Info record.
+global expected_data_conns: table[addr, port, addr] of Info;
+
+redef record connection += {
+	tftp: Info &optional;
+};
+
+event zeek_init() &priority=5
+	{
+	Log::create_stream(TFTP::LOG, [$columns = Info, $ev = log_tftp, $path="tftp"]);
+	}
+
+function log_pending(c: connection)
+	{
+	if ( ! c?$tftp || c$tftp$done )
+		return;
+
+	Log::write(TFTP::LOG, c$tftp);
+	c$tftp$done = T;
+	}
+
+function init_request(c: connection, is_orig: bool, fname: string, mode: string, is_read: bool)
+	{
+	log_pending(c);
+
+	local info: Info;
+	info$ts  = network_time();
+	info$uid = c$uid;
+	info$id  = c$id;
+	info$fname = fname;
+	info$mode = mode;
+	info$wrq = (! is_read);
+	c$tftp = info;
+
+	# The data will come in from a different source port.
+	Analyzer::schedule_analyzer(c$id$resp_h, c$id$orig_h, c$id$orig_p, Analyzer::ANALYZER_SPICY_TFTP, 1min);
+	expected_data_conns[c$id$resp_h, c$id$orig_p, c$id$orig_h] = info;
+	}
+
+event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10
+	{
+	local id = c$id;
+	if ( [c$id$orig_h, c$id$resp_p, c$id$resp_h] in expected_data_conns )
+		{
+		c$tftp = expected_data_conns[c$id$orig_h, c$id$resp_p, c$id$resp_h];
+		c$tftp$uid_data = c$uid;
+		add c$service["spicy_tftp_data"];
+		}
+	}
+
+event tftp::read_request(c: connection, is_orig: bool, fname: string, mode: string)
+	{
+	init_request(c, is_orig, fname, mode, T);
+	}
+
+event tftp::write_request(c: connection, is_orig: bool, fname: string, mode: string)
+	{
+	init_request(c, is_orig, fname, mode, F);
+	}
+
+event tftp::data(c: connection, is_orig: bool, block_num: count, data: string)
+	{
+	if ( ! c?$tftp || c$tftp$done )
+		return;
+
+	local info = c$tftp;
+
+	if ( block_num <= info$block_sent )
+		# Duplicate (or previous gap; we don't track that)
+		return;
+
+	info$size += |data|;
+	info$block_sent = block_num;
+
+	if ( |data| < 512 )
+		# Last block, per spec.
+		info$final_block = block_num;
+	}
+
+event tftp::ack(c: connection, is_orig: bool, block_num: count)
+	{
+	if ( ! c?$tftp || c$tftp$done )
+		return;
+
+	local info = c$tftp;
+
+	info$block_acked = block_num;
+
+	if ( block_num <= info$block_acked )
+		# Duplicate (or previous gap, we don't track that)
+		return;
+
+	info$block_acked = block_num;
+
+	# If it's an ack for the last block, we're done.
+	if ( info?$final_block && info$final_block == block_num )
+		log_pending(c);
+	}
+
+event tftp::error(c: connection, is_orig: bool, code: count, msg: string)
+	{
+	if ( ! c?$tftp || c$tftp$done )
+		return;
+
+	local info = c$tftp;
+
+	info$error_code = code;
+	info$error_msg = msg;
+	log_pending(c);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( ! c?$tftp || c$tftp$done )
+		return;
+
+	log_pending(c);
+	}
diff --git a/doc/devel/spicy/autogen/zeek-functions.spicy b/doc/devel/spicy/autogen/zeek-functions.spicy
new file mode 100644
index 0000000000..53126ad50f
--- /dev/null
+++ b/doc/devel/spicy/autogen/zeek-functions.spicy
@@ -0,0 +1,736 @@
+.. _spicy_confirm_protocol:
+
+.. rubric:: ``function zeek::confirm_protocol()``
+
+[Deprecated] Triggers a DPD protocol confirmation for the current connection.
+
+This function has been deprecated and will be removed. Use ``spicy::accept_input``
+instead, which will have the same effect with Zeek.
+
+.. _spicy_reject_protocol:
+
+.. rubric:: ``function zeek::reject_protocol(reason: string)``
+
+[Deprecated] Triggers a DPD protocol violation for the current connection.
+
+This function has been deprecated and will be removed. Use ``spicy::decline_input``
+instead, which will have the same effect with Zeek.
+
+.. _spicy_weird:
+
+.. rubric:: ``function zeek::weird(id: string, addl: string = "") : &cxxname="zeek::spicy::rt::weird";``
+
+Reports a "weird" to Zeek. This should be used with similar semantics as in
+Zeek: something quite unexpected happening at the protocol level, which however
+does not prevent us from continuing to process the connection.
+
+id: the name of the weird, which (just like in Zeek) should be a *static*
+string identifying the situation reported (e.g., ``unexpected_command``).
+
+addl: additional information to record along with the weird
+
+.. _spicy_is_orig:
+
+.. rubric:: ``function zeek::is_orig() : bool``
+
+Returns true if we're currently parsing the originator side of a connection.
+
+.. _spicy_uid:
+
+.. rubric:: ``function zeek::uid() : string``
+
+Returns the current connection's UID.
+
+.. _spicy_conn_id:
+
+.. rubric:: ``function zeek::conn_id() : tuple<orig_h: addr, orig_p: port, resp_h: addr, resp_p: port>``
+
+Returns the current connection's 4-tuple ID to make IP address and port information available.
+
+.. _spicy_flip_roles:
+
+.. rubric:: ``function zeek::flip_roles()``
+
+Instructs Zeek to flip the directionality of the current connection.
+
+.. _spicy_number_packets:
+
+.. rubric:: ``function zeek::number_packets() : uint64``
+
+Returns the number of packets seen so far on the current side of the current connection.
+
+.. _spicy_has_analyzer:
+
+.. rubric:: ``function zeek::has_analyzer(analyzer: string, if_enabled: bool = True) : bool``
+
+Checks if there is a Zeek analyzer of a given name.
+
+analyzer: the Zeek-side name of the analyzer to check for
+if_enabled: if true, only checks for analyzers that are enabled
+
+Returns the type of the analyzer if it exists, or ``Undef`` if it does not.
+
+.. _spicy_analyzer_type:
+
+.. rubric:: ``function zeek::analyzer_type(analyzer: string, if_enabled: bool = True) : AnalyzerType``
+
+Returns the type of a Zeek analyzer of a given name.
+
+analyzer: the Zeek-side name of the analyzer to check
+if_enabled: if true, only checks for analyzers that are enabled
+
+Returns the type of the analyzer if it exists, or ``Undef`` if it does not.
+
+.. _spicy_protocol_begin:
+
+.. rubric:: ``function zeek::protocol_begin(analyzer: optional<string>, protocol: spicy::Protocol = spicy::Protocol::TCP)``
+
+Adds a Zeek-side child protocol analyzer to the current connection.
+
+If the same analyzer was added previously with `protocol_handle_get_or_create` or
+`protocol_begin` with same argument, and not closed with `protocol_handle_close`
+or `protocol_end`, no new analyzer will be added.
+
+See `protocol_handle_get_or_create` for lifetime and error semantics.
+
+analyzer: type of analyzer to instantiate, specified through its Zeek-side
+name (similar to what Zeek's signature action `enable` takes)
+
+protocol: the transport-layer protocol that the analyzer uses; only TCP is
+currently supported here
+
+Note: For backwards compatibility, the analyzer argument can be left unset to add
+a DPD analyzer. This use is deprecated, though; use the single-argument version of
+`protocol_begin` for that instead.
+
+.. _spicy_protocol_begin_2:
+
+.. rubric:: ``function zeek::protocol_begin(protocol: spicy::Protocol = spicy::Protocol::TCP)``
+
+Adds a Zeek-side DPD child protocol analyzer performing dynamic protocol detection
+on subsequently provided data.
+
+If the same DPD analyzer was added previously with `protocol_handle_get_or_create` or
+`protocol_begin` with same argument, and not closed with `protocol_handle_close`
+or `protocol_end`, no new analyzer will be added.
+
+See `protocol_handle_get_or_create` for lifetime and error semantics.
+
+protocol: the transport-layer protocol on which to perform protocol detection;
+only TCP is currently supported here
+
+.. _spicy_protocol_handle_get_or_create:
+
+.. rubric:: ``function zeek::protocol_handle_get_or_create(analyzer: string, protocol: spicy::Protocol = spicy::Protocol::TCP) : ProtocolHandle``
+
+Gets a handle to a Zeek-side child protocol analyzer for the current connection.
+
+If no such child exists yet it will be added; otherwise a handle to the
+existing child protocol analyzer will be returned.
+
+This function will return an error if:
+
+- not called from a protocol analyzer, or
+- the requested child protocol analyzer is of unknown type or not support by the requested transport protocol, or
+- creation of a child analyzer of the requested type was prevented by a
+  previous call of `disable_analyzer` with `prevent=T`
+
+By default, any newly created child protocol analyzer will remain alive
+until Zeek expires the current connection's state. Alternatively, one
+can call `protocol_handle_close` or `protocol_end` to delete the analyzer
+earlier.
+
+analyzer: type of analyzer to get or instantiate, specified through its Zeek-side
+name (similar to what Zeek's signature action `enable` takes).
+
+protocol: the transport-layer protocol that the analyser uses; only TCP is
+currently supported here
+
+
+.. _spicy_protocol_data_in:
+
+.. rubric:: ``function zeek::protocol_data_in(is_orig: bool, data: bytes, protocol: spicy::Protocol = spicy::Protocol::TCP)``
+
+Forwards protocol data to all previously instantiated Zeek-side child protocol analyzers of a given transport-layer.
+
+is_orig: true to feed the data to the child's originator side, false for the responder
+
+data: chunk of data to forward to child analyzer
+
+protocol: the transport-layer protocol of the children to forward to; only TCP is currently supported here
+
+.. _spicy_protocol_data_in_2:
+
+.. rubric:: ``function zeek::protocol_data_in(is_orig: bool, data: bytes, h: ProtocolHandle)``
+
+Forwards protocol data to a specific previously instantiated Zeek-side child analyzer.
+
+is_orig: true to feed the data to the child's originator side, false for the responder
+
+data: chunk of data to forward to child analyzer
+
+h: handle to the child analyzer to forward data into
+
+.. _spicy_protocol_gap:
+
+.. rubric:: ``function zeek::protocol_gap(is_orig: bool, offset: uint64, len: uint64, h: optional<ProtocolHandle> = Null)``
+
+Signals a gap in input data to all previously instantiated Zeek-side child protocol analyzers.
+
+is_orig: true to signal gap to the child's originator side, false for the responder
+
+offset: start offset of gap in input stream
+
+len: size of gap
+
+h: optional handle to the child analyzer signal a gap to, else signal to all child analyzers
+
+.. _spicy_protocol_end:
+
+.. rubric:: ``function zeek::protocol_end()``
+
+Signals end-of-data to all previously instantiated Zeek-side child protocol
+analyzers and removes them.
+
+.. _spicy_protocol_handle_close:
+
+.. rubric:: ``function zeek::protocol_handle_close(handle: ProtocolHandle)``
+
+Signals end-of-data to the given child analyzer and removes it.
+
+The given handle must be live, i.e., it must not have been used in a
+previous protocol_handle_close call, and must not have been live when
+protocol_end was called. If the handle is not live a runtime error will
+be triggered.
+
+handle: handle to the child analyzer to remove
+
+.. _spicy_file_begin:
+
+.. rubric:: ``function zeek::file_begin(mime_type: optional<string> = Null, fuid: optional<string> = Null) : string``
+
+Signals the beginning of a file to Zeek's file analysis, associating it with the current connection.
+Optionally, a mime type can be provided. It will be passed on to Zeek's file analysis framework.
+Optionally, a file ID can be provided. It will be passed on to Zeek's file analysis framework.
+Returns the Zeek-side file ID of the new file.
+
+This function creates a new Zeek file analyzer that will remain alive until
+either `file_end` gets called, or Zeek eventually expires the analyzer
+through a timeout. (As Zeek does not tie a file analyzer's lifetime to any
+connection, it may survive the termination of the current connection.)
+
+.. _spicy_fuid:
+
+.. rubric:: ``function zeek::fuid() : string``
+
+Returns the current file's FUID.
+
+.. _spicy_terminate_session:
+
+.. rubric:: ``function zeek::terminate_session()``
+
+Terminates the currently active Zeek-side session, flushing all state. Any
+subsequent activity will start a new session from scratch. This can only be
+called from inside a protocol analyzer.
+
+.. _spicy_skip_input:
+
+.. rubric:: ``function zeek::skip_input()``
+
+Tells Zeek to skip sending any further input data to the current analyzer.
+This is supported for protocol and file analyzers.
+
+.. _spicy_file_set_size:
+
+.. rubric:: ``function zeek::file_set_size(size: uint64, fid: optional<string> = Null)``
+
+Signals the expected size of a file to Zeek's file analysis.
+
+size: expected size of file
+fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+
+.. _spicy_file_data_in:
+
+.. rubric:: ``function zeek::file_data_in(data: bytes, fid: optional<string> = Null)``
+
+Passes file content on to Zeek's file analysis.
+
+data: chunk of raw data to pass into analysis
+fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+
+.. _spicy_file_data_in_at_offset:
+
+.. rubric:: ``function zeek::file_data_in_at_offset(data: bytes, offset: uint64, fid: optional<string> = Null)``
+
+Passes file content at a specific offset on to Zeek's file analysis.
+
+data: chunk of raw data to pass into analysis
+offset: position in file where data starts
+fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+
+.. _spicy_file_gap:
+
+.. rubric:: ``function zeek::file_gap(offset: uint64, len: uint64, fid: optional<string> = Null)``
+
+Signals a gap in a file to Zeek's file analysis.
+
+offset: position in file where gap starts
+len: size of gap
+fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+
+.. _spicy_file_end:
+
+.. rubric:: ``function zeek::file_end(fid: optional<string> = Null)``
+
+Signals the end of a file to Zeek's file analysis.
+
+fid: Zeek-side ID of the file to operate on; if not given, the file started by the most recent file_begin() will be used
+
+.. _spicy_forward_packet:
+
+.. rubric:: ``function zeek::forward_packet(identifier: uint32)``
+
+Inside a packet analyzer, forwards what data remains after parsing the top-level unit
+on to another analyzer. The index specifies the target, per the current dispatcher table.
+
+.. _spicy_network_time:
+
+.. rubric:: ``function zeek::network_time() : time``
+
+Gets the network time from Zeek.
+
+.. _spicy_get_address:
+
+.. rubric:: ``function zeek::get_address(id: string) : addr``
+
+Returns the value of a global Zeek script variable of Zeek type ``addr``.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_bool:
+
+.. rubric:: ``function zeek::get_bool(id: string) : bool``
+
+Returns the value of a global Zeek script variable of Zeek type ``bool``.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_count:
+
+.. rubric:: ``function zeek::get_count(id: string) : uint64``
+
+Returns the value of a global Zeek script variable of Zeek type ``count``.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_double:
+
+.. rubric:: ``function zeek::get_double(id: string) : real``
+
+Returns the value of a global Zeek script variable of Zeek type ``double``.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_enum:
+
+.. rubric:: ``function zeek::get_enum(id: string) : string``
+
+Returns the value of a global Zeek script variable of Zeek type ``enum``.
+The value is returned as a string containing the enum's label name, without
+any scope. Throws an exception if there's no such Zeek of that name, or if
+it's not of the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_int:
+
+.. rubric:: ``function zeek::get_int(id: string) : int64``
+
+Returns the value of a global Zeek script variable of Zeek type ``int``.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_interval:
+
+.. rubric:: ``function zeek::get_interval(id: string) : interval``
+
+Returns the value of a global Zeek script variable of Zeek type
+``interval``. Throws an exception if there's no such Zeek of that name, or
+if it's not of the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_port:
+
+.. rubric:: ``function zeek::get_port(id: string) : port``
+
+Returns the value of a global Zeek script variable of Zeek type ``port``.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_record:
+
+.. rubric:: ``function zeek::get_record(id: string) : ZeekRecord``
+
+Returns the value of a global Zeek script variable of Zeek type ``record``.
+The value is returned as an opaque handle to the record, which can be used
+with the ``zeek::record_*()`` functions to access the record's fields.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_set:
+
+.. rubric:: ``function zeek::get_set(id: string) : ZeekSet``
+
+Returns the value of a global Zeek script variable of Zeek type ``set``. The
+value is returned as an opaque handle to the set, which can be used with the
+``zeek::set_*()`` functions to access the set's content. Throws an exception
+if there's no such Zeek of that name, or if it's not of the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_string:
+
+.. rubric:: ``function zeek::get_string(id: string) : bytes``
+
+Returns the value of a global Zeek script variable of Zeek type ``string``.
+The string's value is returned as a Spicy ``bytes`` value. Throws an
+exception if there's no such Zeek of that name, or if it's not of the
+expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_subnet:
+
+.. rubric:: ``function zeek::get_subnet(id: string) : network``
+
+Returns the value of a global Zeek script variable of Zeek type ``subnet``.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_table:
+
+.. rubric:: ``function zeek::get_table(id: string) : ZeekTable``
+
+Returns the value of a global Zeek script variable of Zeek type ``table``.
+The value is returned as an opaque handle to the set, which can be used with
+the ``zeek::set_*()`` functions to access the set's content. Throws an
+exception if there's no such Zeek of that name, or if it's not of the
+expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_time:
+
+.. rubric:: ``function zeek::get_time(id: string) : time``
+
+Returns the value of a global Zeek script variable of Zeek type ``time``.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_vector:
+
+.. rubric:: ``function zeek::get_vector(id: string) : ZeekVector``
+
+Returns the value of a global Zeek script variable of Zeek type ``vector``.
+The value is returned as an opaque handle to the vector, which can be used
+with the ``zeek::vector_*()`` functions to access the vector's content.
+Throws an exception if there's no such Zeek of that name, or if it's not of
+the expected type.
+
+id: fully-qualified name of the global Zeek variable to retrieve
+
+.. _spicy_get_value:
+
+.. rubric:: ``function zeek::get_value(id: string) : ZeekVal``
+
+Returns an opaque handle to a global Zeek script variable. The handle can be
+used with the ``zeek::as_*()`` functions to access the variable's value.
+Throws an exception if there's no Zeek variable of that name.
+
+.. _spicy_as_address:
+
+.. rubric:: ``function zeek::as_address(v: ZeekVal) : addr``
+
+Returns a Zeek ``addr`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_bool:
+
+.. rubric:: ``function zeek::as_bool(v: ZeekVal) : bool``
+
+Returns a Zeek ``bool`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_count:
+
+.. rubric:: ``function zeek::as_count(v: ZeekVal) : uint64``
+
+Returns a Zeek ``count`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_double:
+
+.. rubric:: ``function zeek::as_double(v: ZeekVal) : real``
+
+Returns a Zeek ``double`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_enum:
+
+.. rubric:: ``function zeek::as_enum(v: ZeekVal) : string``
+
+Returns a Zeek ``enum`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_int:
+
+.. rubric:: ``function zeek::as_int(v: ZeekVal) : int64``
+
+Returns a Zeek ``int`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_interval:
+
+.. rubric:: ``function zeek::as_interval(v: ZeekVal) : interval``
+
+Returns a Zeek ``interval`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_port:
+
+.. rubric:: ``function zeek::as_port(v: ZeekVal) : port``
+
+Returns a Zeek ``port`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_record:
+
+.. rubric:: ``function zeek::as_record(v: ZeekVal) : ZeekRecord``
+
+Returns a Zeek ``record`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_set:
+
+.. rubric:: ``function zeek::as_set(v: ZeekVal) : ZeekSet``
+
+Returns a Zeek ``set`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_string:
+
+.. rubric:: ``function zeek::as_string(v: ZeekVal) : bytes``
+
+Returns a Zeek ``string`` value refereced by an opaque handle. The string's
+value is returned as a Spicy ``bytes`` value. Throws an exception if the
+referenced value is not of the expected type.
+
+.. _spicy_as_subnet:
+
+.. rubric:: ``function zeek::as_subnet(v: ZeekVal) : network``
+
+Returns a Zeek ``subnet`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_table:
+
+.. rubric:: ``function zeek::as_table(v: ZeekVal) : ZeekTable``
+
+Returns a Zeek ``table`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_time:
+
+.. rubric:: ``function zeek::as_time(v: ZeekVal) : time``
+
+Returns a Zeek ``time`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_as_vector:
+
+.. rubric:: ``function zeek::as_vector(v: ZeekVal) : ZeekVector``
+
+Returns a Zeek ``vector`` value refereced by an opaque handle. Throws an
+exception if the referenced value is not of the expected type.
+
+.. _spicy_set_contains:
+
+.. rubric:: ``function zeek::set_contains(id: string, v: any) : bool``
+
+Returns true if a Zeek set contains a given value. Throws an exception if
+the given ID does not exist, or does not have the expected type.
+
+id: fully-qualified name of the global Zeek set to check
+v: value to check for, which must be of the Spicy-side equivalent of the set's key type
+
+.. _spicy_set_contains_2:
+
+.. rubric:: ``function zeek::set_contains(s: ZeekSet, v: any) : bool``
+
+Returns true if a Zeek set contains a given value. Throws an exception if
+the set does not have the expected type.
+
+s: opaque handle to the Zeek set, as returned by other functions
+v: value to check for, which must be of the Spicy-side equivalent of the set's key type
+
+.. _spicy_table_contains:
+
+.. rubric:: ``function zeek::table_contains(id: string, v: any) : bool``
+
+Returns true if a Zeek table contains a given value. Throws an exception if
+the given ID does not exist, or does not have the expected type.
+
+id: fully-qualified name of the global Zeek table to check
+v: value to check for, which must be of the Spicy-side equivalent of the table's key type
+
+.. _spicy_table_contains_2:
+
+.. rubric:: ``function zeek::table_contains(t: ZeekTable, v: any) : bool``
+
+Returns true if a Zeek table contains a given value. Throws an exception if
+the given ID does not exist, or does not have the expected type.
+
+t: opaque handle to the Zeek table, as returned by other functions
+v: value to check for, which must be of the Spicy-side equivalent of the table's key type
+
+.. _spicy_table_lookup:
+
+.. rubric:: ``function zeek::table_lookup(id: string, v: any) : optional<ZeekVal>``
+
+Returns the value associated with a key in a Zeek table. Returns an error
+result if the key does not exist in the table. Throws an exception if the
+given table ID does not exist, or does not have the expected type.
+
+id: fully-qualified name of the global Zeek table to check
+v: value to lookup, which must be of the Spicy-side equivalent of the table's key type
+
+.. _spicy_table_lookup_2:
+
+.. rubric:: ``function zeek::table_lookup(t: ZeekTable, v: any) : optional<ZeekVal>``
+
+Returns the value associated with a key in a Zeek table. Returns an error
+result if the key does not exist in the table. Throws an exception if the
+given table ID does not exist, or does not have the expected type.
+
+t: opaque handle to the Zeek table, as returned by other functions
+v: value to lookup, which must be of the Spicy-side equivalent of the table's key type
+
+.. _spicy_record_has_value:
+
+.. rubric:: ``function zeek::record_has_value(id: string, field: string) : bool``
+
+Returns true if a Zeek record provides a value for a given field. This
+includes fields with `&default` values. Throws an exception if the given ID
+does not exist, or does not have the expected type.
+
+id: fully-qualified name of the global Zeek record to check field: name of
+the field to check
+
+.. _spicy_record_has_value_2:
+
+.. rubric:: ``function zeek::record_has_value(r: ZeekRecord, field: string) : bool``
+
+Returns true if a Zeek record provides a value for a given field.
+This includes fields with `&default` values.
+
+r: opaque handle to the Zeek record, as returned by other functions
+field: name of the field to check
+
+.. _spicy_record_has_field:
+
+.. rubric:: ``function zeek::record_has_field(id: string, field: string) : bool``
+
+Returns true if the type of a Zeek record has a field of a given name.
+Throws an exception if the given ID does not exist, or does not have the
+expected type.
+
+id: fully-qualified name of the global Zeek record to check
+field: name of the field to check
+
+.. _spicy_record_has_field_2:
+
+.. rubric:: ``function zeek::record_has_field(r: ZeekRecord, field: string) : bool``
+
+Returns true if the type of a Zeek record has a field of a given name.
+
+r: opaque handle to the Zeek record, as returned by other functions
+field: name of the field to check
+
+.. _spicy_record_field:
+
+.. rubric:: ``function zeek::record_field(id: string, field: string) : ZeekVal``
+
+Returns a field's value from a Zeek record. Throws an exception if the given
+ID does not exist, or does not have the expected type; or if there's no such
+field in the record type, or if the field does not have a value.
+
+id: fully-qualified name of the global Zeek record to check
+field: name of the field to retrieve
+
+.. _spicy_record_field_2:
+
+.. rubric:: ``function zeek::record_field(r: ZeekRecord, field: string) : ZeekVal``
+
+Returns a field's value from a Zeek record. Throws an exception if the given
+record does not have such a field, or if the field does not have a value.
+
+r: opaque handle to the Zeek record, as returned by other functions
+field: name of the field to retrieve
+
+.. _spicy_vector_index:
+
+.. rubric:: ``function zeek::vector_index(id: string, index: uint64) : ZeekVal``
+
+Returns the value of an index in a Zeek vector. Throws an exception if the
+given ID does not exist, or does not have the expected type; or if the index
+is out of bounds.
+
+id: fully-qualified name of the global Zeek vector to check
+index: index of the element to retrieve
+
+.. _spicy_vector_index_2:
+
+.. rubric:: ``function zeek::vector_index(v: ZeekVector, index: uint64) : ZeekVal``
+
+Returns the value of an index in a Zeek vector. Throws an exception if the
+index is out of bounds.
+
+v: opaque handle to the Zeek vector, as returned by other functions
+index: index of the element to retrieve
+
+.. _spicy_vector_size:
+
+.. rubric:: ``function zeek::vector_size(id: string) : uint64``
+
+Returns the size of a Zeek vector. Throws an exception if the given ID does
+not exist, or does not have the expected type.
+
+id: fully-qualified name of the global Zeek vector to check
+
+.. _spicy_vector_size_2:
+
+.. rubric:: ``function zeek::vector_size(v: ZeekVector) : uint64``
+
+Returns the size of a Zeek vector.
+
+v: opaque handle to the Zeek vector, as returned by other functions
+
diff --git a/doc/devel/spicy/examples/my-http.evt b/doc/devel/spicy/examples/my-http.evt
new file mode 100644
index 0000000000..a326e42002
--- /dev/null
+++ b/doc/devel/spicy/examples/my-http.evt
@@ -0,0 +1,5 @@
+protocol analyzer spicy::MyHTTP over TCP:
+    parse originator with MyHTTP::RequestLine,
+    port 12345/tcp;
+
+on MyHTTP::RequestLine -> event MyHTTP::request_line($conn, self.method, self.uri, self.version.number);
diff --git a/doc/devel/spicy/examples/my-http.spicy b/doc/devel/spicy/examples/my-http.spicy
new file mode 100644
index 0000000000..a11b30402e
--- /dev/null
+++ b/doc/devel/spicy/examples/my-http.spicy
@@ -0,0 +1,26 @@
+# @TEST-EXEC: echo "GET /index.html HTTP/1.0" | spicy-driver %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+module MyHTTP;
+
+const Token      = /[^ \t\r\n]+/;
+const WhiteSpace = /[ \t]+/;
+const NewLine    = /\r?\n/;
+
+type Version = unit {
+    :       /HTTP\//;
+    number: /[0-9]+\.[0-9]+/;
+};
+
+public type RequestLine = unit {
+    method:  Token;
+    :        WhiteSpace;
+    uri:     Token;
+    :        WhiteSpace;
+    version: Version;
+    :        NewLine;
+
+    on %done {
+        print self.method, self.uri, self.version.number;
+        }
+};
diff --git a/doc/devel/spicy/examples/my-http.zeek b/doc/devel/spicy/examples/my-http.zeek
new file mode 100644
index 0000000000..d140400abf
--- /dev/null
+++ b/doc/devel/spicy/examples/my-http.zeek
@@ -0,0 +1,4 @@
+event MyHTTP::request_line(c: connection, method: string, uri: string, version: string)
+	{
+	print fmt("Zeek saw from %s: %s %s %s", c$id$orig_h, method, uri, version);
+	}
diff --git a/doc/devel/spicy/examples/request-line.pcap b/doc/devel/spicy/examples/request-line.pcap
new file mode 100644
index 0000000000..75a2943587
Binary files /dev/null and b/doc/devel/spicy/examples/request-line.pcap differ
diff --git a/doc/devel/spicy/examples/tftp-schedule-analyzer.zeek b/doc/devel/spicy/examples/tftp-schedule-analyzer.zeek
new file mode 100644
index 0000000000..b143bdd700
--- /dev/null
+++ b/doc/devel/spicy/examples/tftp-schedule-analyzer.zeek
@@ -0,0 +1,37 @@
+
+function schedule_tftp_analyzer(id: conn_id)
+    {
+    # Schedule the TFTP analyzer for the expected next packet coming in on different
+    # ports. We know that it will be exchanged between same IPs and reuse the
+    # originator's port. "Spicy_TFTP" is the Zeek-side name of the TFTP analyzer
+    # (generated from "Spicy::TFTP" in tftp.evt).
+    Analyzer::schedule_analyzer(id$resp_h, id$orig_h, id$orig_p, Analyzer::ANALYZER_SPICY_TFTP, 1min);
+    }
+
+event tftp::read_request(c: connection, is_orig: bool, filename: string, mode: string)
+    {
+    print "TFTP read request", c$id, filename, mode;
+    schedule_tftp_analyzer(c$id);
+    }
+
+event tftp::write_request(c: connection, is_orig: bool, filename: string, mode: string)
+    {
+    print "TFTP write request", c$id, filename, mode;
+    schedule_tftp_analyzer(c$id);
+    }
+
+# Add handlers for other packet types so that we see their events being generated.
+event tftp::data(c: connection, is_orig: bool, block_num: count, data: string)
+    {
+    print "TFTP data", block_num, data;
+    }
+
+event tftp::ack(c: connection, is_orig: bool, block_num: count)
+    {
+    print "TFTP ack", block_num;
+    }
+
+event tftp::error(c: connection, is_orig: bool, code: count, msg: string)
+    {
+    print "TFTP error", code, msg;
+    }
diff --git a/doc/devel/spicy/examples/tftp-single-request-more-args.evt b/doc/devel/spicy/examples/tftp-single-request-more-args.evt
new file mode 100644
index 0000000000..1badc342d8
--- /dev/null
+++ b/doc/devel/spicy/examples/tftp-single-request-more-args.evt
@@ -0,0 +1,7 @@
+protocol analyzer spicy::TFTP over UDP:
+    parse with TFTP::Packet,
+    port 69/udp;
+
+import TFTP;
+
+on TFTP::Request -> event tftp::request($conn, $is_orig, self.filename, self.mode);
diff --git a/doc/devel/spicy/examples/tftp-single-request-more-args.zeek b/doc/devel/spicy/examples/tftp-single-request-more-args.zeek
new file mode 100644
index 0000000000..cf29b86668
--- /dev/null
+++ b/doc/devel/spicy/examples/tftp-single-request-more-args.zeek
@@ -0,0 +1,4 @@
+event tftp::request(c: connection, is_orig: bool, filename: string, mode: string)
+	{
+	print "TFTP request", c$id, is_orig, filename, mode;
+	}
diff --git a/doc/devel/spicy/examples/tftp-single-request.evt b/doc/devel/spicy/examples/tftp-single-request.evt
new file mode 100644
index 0000000000..fe7228ac46
--- /dev/null
+++ b/doc/devel/spicy/examples/tftp-single-request.evt
@@ -0,0 +1,7 @@
+protocol analyzer spicy::TFTP over UDP:
+    parse with TFTP::Packet,
+    port 69/udp;
+
+import TFTP;
+
+on TFTP::Request -> event tftp::request($conn);
diff --git a/doc/devel/spicy/examples/tftp-single-request.zeek b/doc/devel/spicy/examples/tftp-single-request.zeek
new file mode 100644
index 0000000000..53c072aa38
--- /dev/null
+++ b/doc/devel/spicy/examples/tftp-single-request.zeek
@@ -0,0 +1,4 @@
+event tftp::request(c: connection)
+	{
+	print "TFTP request", c$id;
+	}
diff --git a/doc/devel/spicy/examples/tftp-two-requests.zeek b/doc/devel/spicy/examples/tftp-two-requests.zeek
new file mode 100644
index 0000000000..45a24a4645
--- /dev/null
+++ b/doc/devel/spicy/examples/tftp-two-requests.zeek
@@ -0,0 +1,9 @@
+event tftp::read_request(c: connection, is_orig: bool, filename: string, mode: string)
+	{
+	print "TFTP read request", c$id, is_orig, filename, mode;
+	}
+
+event tftp::write_request(c: connection, is_orig: bool, filename: string, mode: string)
+	{
+	print "TFTP write request", c$id, is_orig, filename, mode;
+	}
diff --git a/doc/devel/spicy/faq.rst b/doc/devel/spicy/faq.rst
new file mode 100644
index 0000000000..d82b7ad07b
--- /dev/null
+++ b/doc/devel/spicy/faq.rst
@@ -0,0 +1,88 @@
+
+===
+FAQ
+===
+
+.. _faq_zeek_install_spicy_and_plugin_to_use_parsers:
+
+.. rubric:: Do I need to install Spicy and/or a Zeek plugin to use Spicy parsers in Zeek?
+
+If you're using Zeek >= 5.0 with a default build configuration,
+there's nothing else you need to install. After installing Zeek, the
+same folder containing the ``zeek`` binary will also have the relevant
+Spicy tools, such as  ``spicyc`` (provided by Spicy) and ``spicyz``
+(provided by Zeek). To double check that the Spicy support is indeed
+available, look for ``Zeek::Spicy`` in the output of ``zeek -N``::
+
+    # zeek -N
+    <...>
+    Zeek::Spicy - Support for Spicy parsers (``*.spicy``, ``*.evt``, ``*.hlto``) (built-in)
+
+Note that it remains possible to build Zeek against an external Spicy
+installation, or even without any Spicy support at all. Look at Zeek's
+``configure`` for corresponding options.
+
+.. note::
+
+    For some historic background: Zeek 5.0 started bundling Spicy, as well
+    as the former Zeek plugin for Spicy, so that now nothing else needs to
+    be installed separately anymore to use Spicy parsers. Since Zeek 6.0,
+    the code for that former plugin has further moved into Zeek itself,
+    and is now maintained directly by the Zeek developers.
+
+
+.. _faq_zeek_spicy_dpd_support:
+
+.. rubric:: Does Spicy support *Dynamic Protocol Detection (DPD)*?
+
+Yes, see the :ref:`corresponding section <spicy_dpd>` on how to add it
+to your analyzers.
+
+.. _faq_zeek_layer2_analyzer:
+
+.. rubric:: Can I write a Layer 2 protocol analyzer with Spicy?
+
+Yes, you can. In Zeek terminology a layer 2 protocol analyzer is a packet
+analyzer, see the :ref:`corresponding section <spicy_packet_analyzer>` on how
+to declare such an analyzer.
+
+.. _faq_zeek_print_statements_no_effect:
+
+.. rubric:: I have ``print`` statements in my Spicy grammar, why do I not see any output when running Zeek?
+
+Zeek by default disables the output of Spicy-side ``print``
+statements. To enable them, add ``Spicy::enable_print=T`` to the Zeek
+command line (or ``redef Spicy::enable_print=T;`` to a Zeek script
+that you are loading).
+
+.. _faq_zeek_tcp_analyzer_not_all_messages_recognized:
+
+.. rubric:: My analyzer recognizes only one or two TCP packets even though there are more in the input.
+
+In Zeek, a Spicy analyzer parses the sending and receiving sides of a TCP
+connection each according to the given Spicy grammar. This means that
+if more than one message can be sent per side the grammar needs to
+allow for that. For example, if the grammar parses messages of the
+protocol as ``Message``, the top-level parsing unit given in the EVT
+file needs to be able to parse a list of messages ``Message[]``.
+
+One way to express this is to introduce a parser which wraps messages
+of the protocol in an :spicylink:`anonymous field
+<programming/parsing.html#anonymous-fields>`.
+
+.. warning:: Since in general the number of messages exchanged over a TCP
+  connection is unbounded, an anonymous field should be used. If a named field
+  was used instead the parser would need to store all messages over the
+  connection which would lead to unbounded memory growth.
+
+.. code-block:: spicy
+
+   type Message = unit {
+     # Fields for messages of the protocol.
+   };
+
+   # Parser used e.g., in EVT file.
+   public type Messages = unit {
+     : Message[];
+   };
+
diff --git a/doc/devel/spicy/getting-started.rst b/doc/devel/spicy/getting-started.rst
new file mode 100644
index 0000000000..dcc4b9a51b
--- /dev/null
+++ b/doc/devel/spicy/getting-started.rst
@@ -0,0 +1,118 @@
+
+===============
+Getting Started
+===============
+
+Spicy's own :spicylink:`Getting Started <getting-started.html>` guide
+uses the following Spicy code to parse a simple HTTP request line:
+
+.. literalinclude:: examples/my-http.spicy
+   :lines: 4-
+   :caption: my-http.spicy
+   :language: spicy
+
+While the Spicy documentation goes on to show :spicylink:`how to use
+this to parse corresponding data from the command line
+<getting-started.html#a-simple-parser>`, here we will instead leverage
+the ``RequestLine`` parser to build a proof-of-concept protocol
+analyzer for Zeek. While this all remains simplified here, the
+following, more in-depth :ref:`spicy_tutorial` demonstrates how
+to build a complete analyzer for a real protocol.
+
+.. rubric:: Preparations
+
+Because Zeek works from network packets, we first need a packet trace
+with the payload we want to parse. We can't just use a normal HTTP
+session as our simple parser wouldn't go further than just the first
+line of the protocol exchange and then bail out with an error. So
+instead, for our example we create a custom packet trace with a TCP
+connection that carries just a single HTTP request line as its
+payload::
+
+    # tcpdump -i lo0 -w request-line.pcap port 12345 &
+    # nc -l 12345 &
+    # echo "GET /index.html HTTP/1.0" | nc localhost 12345
+    # killall tcpdump nc
+
+This gets us :download:`this trace file <examples/request-line.pcap>`.
+
+.. _example_spicy_my_http_adding_analyzer:
+
+.. rubric:: Adding a Protocol Analyzer
+
+Now we can go ahead and add a new protocol analyzer to Zeek. We
+already got the Spicy grammar to parse our connection's payload, it's
+in ``my-http.spicy``. In order to use this with Zeek, we have two
+additional things to do: (1) We need to let Zeek know about our new
+protocol analyzer, including when to use it; and (2) we need to define
+at least one Zeek event that we want our parser to generate, so that
+we can then write a Zeek script working with the information that it
+extracts.
+
+We do both of these by creating an additional control file for Zeek:
+
+.. literalinclude:: examples/my-http.evt
+    :caption: my-http.evt
+    :linenos:
+    :language: spicy-evt
+
+The first block (lines 1-3) tells Zeek that we have a new protocol
+analyzer to provide. The analyzer's Zeek-side name is
+``spicy::MyHTTP``, and it's meant to run on top of TCP connections
+(line 1). Lines 2-3 then provide Zeek with more specifics: The entry
+point for originator-side payload is the ``MyHTTP::RequestLine`` unit
+type that our Spicy grammar defines (line 2); and we want Zeek to
+activate our analyzer for all connections with a responder port of
+12345 (which, of course, matches the packet trace we created).
+
+The second block (line 5) tells Zeek that we want to
+define one event. On the left-hand side of that line we give the unit
+that is to trigger the event. The right-hand side defines its name and
+arguments. What we are saying here is that every time a ``RequestLine``
+line has been fully parsed, we'd like a ``MyHTTP::request_line`` event
+to go to Zeek. Each event instance will come with four parameters:
+Three of them are the values of corresponding unit fields, accessed
+just through normal Spicy expressions (inside an event argument
+expression, ``self`` refers to the unit instance that has led to the
+generation of the current event). The first parameter, ``$conn``, is a
+"magic" keyword that passes the Zeek-side
+connection ID (``conn_id``) to the event.
+
+Now we got everything in place that we need for our new protocol
+analyzer---except for a Zeek script actually doing something with the
+information we are parsing. Let's use this:
+
+.. literalinclude:: examples/my-http.zeek
+    :caption: my-http.zeek
+    :language: zeek
+
+You see an Zeek event handler for the event that we just defined,
+having the expected signature of four parameters matching the types of
+the parameter expressions that the ``*.evt`` file specifies. The
+handler's body then just prints out what it gets.
+
+.. _example_spicy_my_http:
+
+Finally we can put together our pieces by compiling the Spicy grammar and the
+EVT file into an HLTO file with ``spicyz``, and by pointing Zeek at the produced
+file and the analyzer-specific Zeek scripts::
+
+    # spicyz my-http.spicy my-http.evt -o my-http.hlto
+    # zeek -Cr request-line.pcap my-http.hlto my-http.zeek
+    Zeek saw from 127.0.0.1: GET /index.html 1.0
+
+When Zeek starts up here the Spicy integration registers a protocol analyzer to
+the entry point of our Spicy grammar as specified in the EVT file. It then
+begins processing the packet trace as usual, now activating our new analyzer
+whenever it sees a TCP connection on port 12345. Accordingly, the
+``MyHTTP::request_line`` event gets generated once the parser gets to process
+the session's payload. The Zeek event handler then executes and prints the
+output we would expect.
+
+.. note::
+
+    By default, Zeek suppresses any output from Spicy-side
+    ``print`` statements. You can add ``Spicy::enable_print=T`` to the
+    command line to see it. In the example above, you would then get
+    an additional line of output: ``GET, /index.html, 1.0``.
+
diff --git a/doc/devel/spicy/index.rst b/doc/devel/spicy/index.rst
new file mode 100644
index 0000000000..7ca3a8fb95
--- /dev/null
+++ b/doc/devel/spicy/index.rst
@@ -0,0 +1,73 @@
+============================
+Writing Analyzers with Spicy
+============================
+
+:spicylink:`Spicy <index.html>` is a parser generator that makes it
+easy to create robust C++ parsers for network protocols, file formats,
+and more. Zeek supports integrating Spicy analyzers so that one can
+create Zeek protocol, packet and file analyzers. This section digs
+into how that integration works. We begin with a short "Getting
+Started" guide showing you the basics of using Spicy with Zeek,
+followed by an in-depth tutorial on adding a complete protocol
+analyzer to Zeek. The final part consists of a reference section
+documenting everything the Spicy integration supports.
+
+While this documentation walks through all the bits and pieces that an
+analyzer consists of, there's an easy way to get started when writing
+a new analyzer from scratch: the `Zeek package manager
+<https://docs.zeek.org/projects/package-manager>`_ can create analyzer
+scaffolding for you that includes an initial Spicy grammar
+(``*.spicy``), Zeek integration glue code (``*.evt``; see below) and a
+corresponding CMake build setup. To create that scaffolding, use the
+package managers ``create`` command and pass one of
+``--features=spicy-protocol-analyzer``,
+``--features=spicy-packet-analyzer``, or
+``--features=spicy-file-analyzer`` to create a Zeek protocol, packet,
+or file analyzer, respectively. See :ref:`the tutorial
+<zkg_create_package>` for more on this.
+
+Note that Zeek itself installs the grammars of its builtin Spicy
+analyzers for potential reuse. For example, the `Finger grammar
+<https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/finger/finger.spicy>`_
+gets installed to ``<PREFIX>/share/spicy/finger/finger.spicy``. It can
+be used in custom code by importing it with ``import Finger from
+finger;``.
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Table of Contents
+
+   installation
+   getting-started
+   tutorial
+   reference
+   faq
+
+.. note::
+
+   This documentation focuses on writing *external* Spicy analyzers
+   that you can load into Zeek at startup. Zeek also comes with the
+   infrastructure to build Spicy analyzers directly into the
+   executable itself, just like traditional built-in analyzers. We
+   will document this more as we're converting more of Zeek's built-in
+   analyzers over to Spicy. For now, we recommend locking at one of
+   the existing built-in Spicy analyzers (Syslog, Finger) as examples.
+
+.. _spicy_terminology:
+
+Terminology
+===========
+
+A word on terminology: In Zeek, the term "analyzer" generally refers
+to a component that processes a particular protocol ("protocol
+analyzer"), file format ("file analyzer"), or low-level packet
+structure ("packet analyzer"). "Processing" here means more than just
+parsing content: An analyzer controls when it wants to be used (e.g.,
+with connections on specific ports, or with files of a specific MIME
+type); what events to generate for Zeek's scripting layer; and how to
+handle any errors occurring during parsing. While Spicy itself focuses
+just on the parsing part, Spicy makes it possible to provide the
+remaining pieces to Zeek, turning a Spicy parser into a full Zeek
+analyzer. That's what we refer to as a "Spicy (protocol/file/packet)
+analyzer" for Zeek.
+
diff --git a/doc/devel/spicy/installation.rst b/doc/devel/spicy/installation.rst
new file mode 100644
index 0000000000..5125bb91a7
--- /dev/null
+++ b/doc/devel/spicy/installation.rst
@@ -0,0 +1,18 @@
+
+.. _spicy_installation:
+
+Installation
+============
+
+Since Zeek version 5.0, support for Spicy is built right into Zeek by
+default. To confirm that Spicy is indeed available, you can inspect
+the output of ``zeek -N``::
+
+    # zeek -N Zeek::Spicy
+    Zeek::Spicy - Support for Spicy parsers (*.hlto) (built-in)
+
+It remains possible to build Zeek against an external Spicy
+installation through Zeek's ``configure`` option
+``--with-spicy=PATH``, where ``PATH`` points to the Spicy installation
+directory. In that case, you also need to ensure that the Spicy tools
+(e.g., ``spicyc``, ``spicy-config``) are available in ``PATH``.
diff --git a/doc/devel/spicy/reference.rst b/doc/devel/spicy/reference.rst
new file mode 100644
index 0000000000..e7a1eeb7c2
--- /dev/null
+++ b/doc/devel/spicy/reference.rst
@@ -0,0 +1,1189 @@
+
+.. _spicy_reference:
+
+=========
+Reference
+=========
+
+Interface Definitions ("evt files")
+===================================
+
+An analyzer for Zeek does more than just parsing data. Accordingly, we
+need to tell Zeek a couple of additional pieces about Spicy parsers
+we want it to provide to Zeek:
+
+Analyzer setup
+    Zeek needs to know what type of analyzers we are creating,
+    when we want Zeek to activate them, and what Spicy unit types to
+    use as their parsing entry point.
+
+Event definitions
+   We need to tell Zeek which events to provide and
+   when to trigger them.
+
+We define all of these through custom interface definition files that
+Spicy's compiler for Zeek reads in. These files use an ``*.evt``
+extension, and the following subsections discuss their content in more
+detail.
+
+Generally, empty lines and comments starting with ``#`` are ignored in
+an ``*.evt``.
+
+.. note::
+
+    The syntax for ``*.evt`` files comes with some legacy pieces that
+    aren't particularly pretty. We may clean that up at some point.
+
+.. _spicy_evt_analyzer_setup:
+
+Analyzer Setup
+--------------
+
+You can define protocol analyzers, packet analyzers and file analyzers in an
+``*.evt`` file, per the following.
+
+.. rubric:: Protocol Analyzer
+
+To define a protocol analyzer, add a new section to an ``*.evt``
+file that looks like this::
+
+    protocol analyzer ANALYZER_NAME over TRANSPORT_PROTOCOL:
+        PROPERTY_1,
+        PROPERTY_2,
+        ...
+        PROPERTY_N;
+
+Here, ``ANALYZER_NAME`` is a name to identify your analyzer inside
+Zeek. You can choose names arbitrarily as long as they are unique.
+
+On the Zeek-side, through some normalization, these names
+automatically turn into tags added to Zeek's ``Analyzer::Tag`` enum.
+For example, ``spicy::BitTorrent`` turns into
+``Analyzer::ANALYZER_SPICY_BITTORRENT``.
+
+The analyzer's name is also what goes into Zeek signatures to activate
+an analyzer DPD-style. If the name is ``spicy::BitTorrent``, you'd
+write ``enable "spicy::BitTorrent"`` into the signature.
+
+.. note::
+
+    Once you have made your analyzers available to Zeek (which we will
+    discuss below), running ``zeek -NN Zeek::Spicy`` will show you a
+    summary of what's now available, including their Zeek-side names
+    and tags.
+
+``TRANSPORT_PROTOCOL`` can be either ``tcp`` or ``udp``, depending on
+the transport-layer protocol that your new analyzer wants to sit on
+top of.
+
+Following that initial ``protocol analyzer ...`` line, a set of
+properties defines further specifics of your analyzer. The following
+properties are supported:
+
+    ``parse [originator|responder] with SPICY_UNIT``
+        Specifies the top-level Spicy unit(s) the analyzer uses for
+        parsing payload, with ``SPICY_UNIT`` being a fully-qualified
+        Spicy-side type name (e.g. ``HTTP::Request``). The unit type must
+        have been declared as ``public`` in Spicy.
+
+        If ``originator`` is given, the unit is used only for parsing the
+        connection's originator-side payload; and if ``responder`` is
+        given, only for responder-side payload. If neither is given, it's
+        used for both sides. In other words, you can use different units
+        per side by specifying two properties ``parse originator with
+        ...`` and ``parse responder with ...``.
+
+    ``port PORT`` or ``ports { PORT_1, ..., PORT_M }``
+        Specifies one or more well-known ports for which you want Zeek to
+        automatically activate your analyzer with corresponding
+        connections. Each port must be specified in Spicy's :spicylink:`syntax
+        for port constants <programming/language/types.html#type-port>` (e.g., ``80/tcp``), or as a port range
+        ``PORT_START-PORT_END`` where start and end port are port constants
+        forming a closed interval. The ports' transport protocol must match
+        that of the analyzer.
+
+        .. note::
+
+            Zeek will also honor any ``%port`` :spicylink:`meta data
+            property <programming/parsing.html#unit-meta-data>` that the responder-side
+            ``SPICY_UNIT`` may define (as long as the attribute's
+            direction is not ``originator``).
+
+        .. note::
+
+            .. _zeek_init_instead_of_port:
+
+            While using ``port`` (or ``%port``) can be convenient, for
+            production analyzers we recommended to instead register
+            their well-known ports from inside a Zeek script, using a
+            snippet like this:
+
+            .. code-block:: zeek
+
+                module MyAnalyzer;
+
+                export {
+                    const ports = { 12345/tcp } &redef;
+                }
+
+                redef likely_server_ports += { ports };
+
+                event zeek_init() &priority=5
+                    {
+                    Analyzer::register_for_ports(Analyzer::ANALYZER_MY_ANALYZER, ports);
+                    }
+
+            This follows the idiomatic Zeek pattern for defining
+            well-known ports that allows users to customize them
+            through their own site-specific scripts (e.g., ``redef
+            MyAnalyzer::port += { 12346/tcp };``). The :ref:`package
+            template <zkg_create_package>` includes such code instead
+            of defining ports inside the EVT file.
+
+
+    ``replaces ANALYZER_NAME``
+        Replaces a built-in analyzer that Zeek already provides with a
+        new Spicy version by internally disabling the existing
+        analyzer and redirecting any usage to the new Spicy analyzer
+        instead. ``ANALYZER_NAME`` is the Zeek-side name of the
+        analyzer. To find that name, inspect the output of ``zeek
+        -NN`` for available analyzers::
+
+            # zeek -NN | grep '\[Analyzer\]'
+            ...
+            [Analyzer] SMTP (ANALYZER_SMTP, enabled)
+            ...
+
+        Here, ``SMTP`` is the name you would write into ``replaces`` to
+        disable the built-in SMTP analyzer.
+
+        The replacement takes effect in most places where normally the
+        existing Zeek analyzer would be used, or gets referenced,
+        including in Zeek scripts (e.g., when registering
+        well-known ports).
+
+        .. note::
+
+            ``replaces`` is not limited to substituting built-in
+            analyzers; you could also replace one Spicy analyzer with
+            another. However, there is no support for more complex
+            scenarios like chains of analyzers replacing each other;
+            results are undefined in that case. It's best to stick to
+            replacing classic, built-in analyzers, and control
+            everything else simply through not loading any undesired
+            Spicy analyzers in the first place.
+
+As a full example, here's what a new HTTP analyzer could look like:
+
+.. code-block:: spicy-evt
+
+    protocol analyzer spicy::HTTP over TCP:
+        parse originator with HTTP::Requests,
+        parse responder with HTTP::Replies,
+        port 80/tcp,
+        replaces HTTP;
+
+
+.. _spicy_packet_analyzer:
+.. rubric:: Packet Analyzer
+
+Defining packet analyzers works quite similar to protocol analyzers through
+``*.evt`` sections like this::
+
+    packet analyzer ANALYZER_NAME:
+        PROPERTY_1,
+        PROPERTY_2,
+        ...
+        PROPERTY_N;
+
+Here, ``ANALYZER_NAME`` is again a name to identify your analyzer
+inside Zeek.  On the Zeek-side, the name will be added to Zeek's
+``PacketAnalyzer::Tag`` enum.
+
+Packet analyzers support the following properties:
+
+    ``parse with SPICY_UNIT``
+        Specifies the top-level Spicy unit the analyzer uses for
+        parsing each packet, with ``SPICY_UNIT`` being a fully-qualified
+        Spicy-side type name. The unit type must have been declared as
+        ``public`` in Spicy.
+
+    ``replaces ANALYZER_NAME``
+        Disables an existing packet analyzer that Zeek already
+        provides internally, allowing you to replace a built-in
+        analyzer with a new Spicy version. ``ANALYZER_NAME`` is the
+        Zeek-side name of the existing analyzer. To find that name,
+        inspect the output of ``zeek -NN`` for available analyzers::
+
+            # zeek -NN | grep '\[Packet Analyzer\]'
+            ...
+            [Packet Analyzer] Ethernet (ANALYZER_ETHERNET)
+            ...
+
+        Here, ``Ethernet`` is the name you would give to ``replaces``
+        to disable the built-in Ethernet analyzer.
+
+        When replacing an existing packet analyzer, you still need to
+        configure your new analyzer on the Zeek side through a
+        `spicy_init()` event handler. See below for more.
+
+        .. note::
+
+            This feature requires Zeek >= 5.2.
+
+As a full example, here's what a new packet analyzer could look like::
+
+    packet analyzer spicy::RawLayer:
+        parse with RawLayer::Packet;
+
+In addition to the Spicy-side configuration, packet analyzers also
+need to be registered with Zeek inside a ``spicy_init`` event handler;
+see the `Zeek documentation
+<https://docs.zeek.org/en/master/frameworks/packet-analysis.html>`_
+for more. The ``-NN`` output shows your new analyzer's ``ANALYZER_*``
+tag to use.
+
+.. note::
+
+    Depending on relative loading order between your analyzer and
+    Zeek's scripts, in some situations you may not have access to the
+    ``ANALYZER_*`` tag referring to your new analyzer. If you run into
+    this, use `PacketAnalyzer::try_register_packet_analyzer_by_name
+    <https://docs.zeek.org/en/master/scripts/base/bif/packet_analysis.bif.zeek.html#id-PacketAnalyzer::try_register_packet_analyzer_by_name>`_
+    to register your Spicy analyzer by name (as shown by ``-NN``).
+    Example:
+
+    .. code-block:: zeek
+
+        event spicy_init()
+            {
+            if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x88b5, "spicy::RawLayer") )
+                    Reporter::error("unknown analyzer name used");
+            }
+
+
+.. rubric:: File Analyzer
+
+Defining file analyzers works quite similar to protocol analyzers,
+through ``*.evt`` sections like this::
+
+    file analyzer ANALYZER_NAME:
+        PROPERTY_1,
+        PROPERTY_2,
+        ...
+        PROPERTY_N;
+
+Here, ``ANALYZER_NAME`` is again a name to identify your analyzer
+inside Zeek.  On the Zeek-side, the name will be added to Zeek's
+``Files::Tag`` enum.
+
+File analyzers support the following properties:
+
+    ``parse with SPICY_UNIT``
+        Specifies the top-level Spicy unit the analyzer uses for
+        parsing file content, with ``SPICY_UNIT`` being a
+        fully-qualified Spicy-side type name. The unit type must have
+        been declared as ``public`` in Spicy.
+
+    ``mime-type MIME-TYPE``
+        Specifies a MIME type for which you want Zeek to automatically
+        activate your analyzer when it sees a corresponding file on
+        the network. The type is specified in standard
+        ``type/subtype`` notion, without quotes (e.g., ``image/gif``).
+
+        .. note::
+
+            Zeek will also honor any ``%mime-type`` :spicylink:`meta
+            data property <programming/parsing.html#unit-meta-data>` that the ``SPICY_UNIT``
+            may define.
+
+        .. note::
+
+            Keep in mind that Zeek identifies MIME types through
+            "content sniffing" (i.e., similar to libmagic), and
+            usually not by protocol-level headers (e.g., *not* through
+            HTTP's ``Content-Type`` header). If in doubt, examine
+            :file:`files.log` for what it records as a file's type.
+
+    ``replaces ANALYZER_NAME``
+        Disables an existing file analyzer that Zeek already provides
+        internally, allowing you to replace a built-in analyzer with a new
+        Spicy version. ``ANALYZER_NAME`` is the Zeek-side name of the
+        analyzer. To find that name, inspect the output of ``zeek -NN``
+        for available analyzers::
+
+            # zeek -NN | grep '\[File Analyzer\]'
+            ...
+            [File Analyzer] PE (ANALYZER_PE, enabled)
+            ...
+
+        Here, ``PE`` is the name you would write into ``replaces`` to
+        disable the built-in PE analyzer.
+
+        .. note::
+
+            This feature requires Zeek >= 4.1.
+
+As a full example, here's what a new GIF analyzer could look like:
+
+.. code-block:: spicy-evt
+
+    file analyzer spicy::GIF:
+        parse with GIF::Image,
+        mime-type image/gif;
+
+.. _spicy_events:
+
+Event Definitions
+-----------------
+
+You can define a Zeek event that you want the Spicy analyzer to
+trigger::
+
+    on HOOK_ID -> event EVENT_NAME(ARG_1, ARG_2, ARG_3);
+
+With an optional condition::
+
+    on HOOK_ID if ( True ) -> event EVENT_NAME(ARG_1, ARG_2, ARG_3);
+
+Or with an optional priority::
+
+    on HOOK_ID -> event EVENT_NAME(ARG_1, ARG_2, ARG_3) &priority=0;
+
+The generic syntax is::
+
+    on HOOK_ID [if ( COND )] -> event EVENT_NAME(ARG_1, ..., ARG_N) [&priority=N];
+
+where elements in square brackets ``[...]`` are optional.
+
+Zeek automatically derives from this everything it needs to
+register new events with Zeek, including a mapping of the arguments'
+Spicy types to corresponding Zeek types. More specifically, these are
+the pieces going into such an event definition:
+
+``on HOOK_ID``
+    A Spicy-side ID that defines when you want to trigger the event.
+    This works just like an ``on ...`` :spicylink:`unit hook
+    <programming/parsing.html#unit-hooks>`,
+    and you can indeed use anything here that Spicy supports for those
+    as well (except :spicylink:`container hooks
+    <programming/parsing.html#foreach>`). So, e.g., ``on
+    HTTP::Request::%done`` triggers an event whenever a
+    ``HTTP::Request`` unit has been fully parsed, and ``on
+    HTTP::Request::uri`` leads to an event each time the ``uri`` field
+    has been parsed. (In the former example you may skip the
+    ``%done``, actually: ``on HTTP::Request`` implicitly adds it.)
+
+``if ( COND )``
+    If given, events are only generated if the expression ``COND``
+    evaluates to true. Just like event arguments, the expression is
+    evaluated in the context of the current unit instance and has
+    access to ``self``.
+
+``EVENT_NAME``
+    The Zeek-side name of the event you want to generate, preferably
+    including a namespace (e.g., ``http::request``).
+
+``ARG_1, ..., ARG_N``
+    Arguments to pass to the event, given as arbitrary Spicy
+    expressions. Each expression will be evaluated within the context of
+    the unit that the ``on ...`` triggers on, similar to code running
+    inside the body of a corresponding :spicylink:`unit hook
+    <programming/parsing.html#unit-hooks>`.
+    That means the expression has access to ``self`` for accessing
+    the unit instance that's currently being parsed.
+
+    The Spicy type of the expression determines the Zeek-side type of
+    the corresponding event argument. Most Spicy types translate
+    over pretty naturally, the following summarizes the translation:
+
+    .. _zeek-event-arg-types:
+
+    .. csv-table:: Type conversion from Spicy to Zeek
+        :header: "Spicy Type", "Zeek Type", "Notes"
+
+        ``addr``, ``addr``,
+        ``bool``, ``bool``,
+        ``bytes``, ``string``,
+        ``enum { ... }``, ``enum { ... }``, [1]
+        ``int(8|16|32|64)``, ``int``,
+        ``interval``, ``interval``,
+        ``list<T>``, ``vector of T``,
+        "``map<V,K>``", "``table[V] of K``",
+        ``optional<T>``, ``T``,  [2]
+        ``port``, ``port``,
+        ``real``, ``double``,
+        ``set<T>``, ``set[T]``,
+        ``string``, ``string``,
+        ``time``, ``time``,
+        "``tuple<T_1, ... ,T_N>``", "``record { T1, ..., T_N }``", [3]
+        ``uint(8|16|32|64)``, ``count``,
+        ``vector<T>``, ``vector of T``,
+
+    .. note::
+
+        [1]
+            A corresponding Zeek-side ``enum`` type is automatically
+            created. See :ref:`below <spicy_enum>` for more.
+
+            One special-case: For convenience, the Spicy-side
+            `Protocol` enum is automatically mapped to the Zeek-side
+            `transport_proto` enum.
+
+        [2]
+            The optional value must have a value, otherwise a runtime
+            exception will be thrown.
+
+        [3]
+            Must be mapped to a Zeek-side record type with matching
+            fields.
+
+            If a tuple element is mapped to a record field with a
+            ``&default`` or ``&optional`` attribute, a couple special
+            cases are supported:
+
+                - If the expression evaluates to ``Null``, the record
+                  field is left unset.
+
+                - If the element's expression uses the
+                  :spicylink:`.? <programming/language/types.html#operator-unit::TryMember>` operator and that
+                  fails to produce a value, the record field is
+                  likewise left unset.
+
+    In addition to full Spicy expressions, there are four reserved
+    IDs with specific meanings when used as arguments:
+
+        ``$conn``
+            Refers to the connection that's currently being processed
+            by Zeek. On the Zeek-side this will turn into a parameter
+            of Zeek type ``connection``. This ID can be used only with
+            protocol analyzers.
+
+        ``$file``
+            Refers to the file that's currently being processed by
+            Zeek. On the Zeek-side this will turn into a parameter of
+            Zeek type ``fa_file``. This ID can be used with file or protocol
+            analyzers. For protocol analyzers it refers to the most recently
+            opened, but not yet closed file, see :ref:`zeek::file_begin
+            <spicy_file_begin>` and
+            :ref:`zeek::file_end <spicy_file_end>`.
+
+        ``$packet``
+            Refers to the packet that's currently being processed by
+            Zeek. On the Zeek-side this will turn into a parameter of
+            Zeek type ``raw_pkt_hdr``, with any fields filled in that
+            have already been parsed by Zeek's built-in analyzers.
+            This ID can be used only with packet analyzers. (Note that
+            instantiation of ``raw_pkt_hdr`` values can be relatively
+            expensive on the Zeek side, so best to limit usage of this
+            ID to a small part of the overall traffic.)
+
+        ``$is_orig``
+            A boolean indicating if the data currently being processed
+            is coming from the originator (``True``) or responder
+            (``False``) of the underlying connection. This turns into
+            a corresponding boolean value on the Zeek side. This ID
+            can be used only with protocol analyzers.
+
+    .. note::
+
+        Some tips:
+
+        - If you want to force a specific type on the Zeek-side, you
+          have a couple of options:
+
+            1. Spicy may provide a ``cast`` operator from the actual
+               type into the desired type (e.g., ``cast<uint64>(..)``).
+
+            2. Argument expressions have access to global functions
+               defined in the Spicy source files, so you can write a
+               conversion function taking an argument with its
+               original type and returning it with the desired type.
+
+        - List comprehension can be convenient to fill Zeek vectors:
+          ``[some_func(i) for i in self.my_list]``.
+
+``&priority=N``
+    An optional priority, where events with higher priority are raised
+    before lower priority ones. The default priority is ``-1000``.
+
+.. _spicy_export_types:
+
+Exporting Types
+---------------
+
+As we :ref:`discuss above <spicy_events>`, the type of each event
+argument maps over to a corresponding Zeek type. On the Zeek side,
+that corresponding type needs to be known by Zeek. That is always the
+case for built-in atomic types (per :ref:`the conversion table
+<zeek-event-arg-types>`), but it can turn out more challenging
+to achieve for custom types, such as ``enum`` and ``record``, for
+which you would normally need to create matching type declarations in
+your Zeek scripts. While that's not necessarily hard, but it can
+become quite cumbersome.
+
+Fortunately, there's help: for most types, Zeek can
+instantiate corresponding types automatically as it loads the
+corresponding analyzer. While you will never actually see the
+Zeek-side type declarations, they will be available inside your Zeek
+scripts as if you had typed them out yourself--similar to other types
+that are built into Zeek itself.
+
+To have the Zeek create a type for your analyzer automatically,
+you need to ``export`` the Spicy type in your EVT file. The syntax for
+that is::
+
+    export SPICY_ID;
+
+Optionally, you may add a ``ZEEK_ID``::
+
+    export SPICY_ID as ZEEK_ID;
+
+Here, ``SPICY_ID`` is the fully-scoped type ID on the Spicy side, and
+``ZEEK_ID`` is the fully-scoped type ID you want in Zeek. If you leave
+out the ``as ...`` part, the Zeek name will be the same as the Spicy
+name, including its namespace. For example, say you have a Spicy unit
+``TFTP::Request``. Adding ``export TFTP::Request;`` to your EVT file
+will make a ``record`` type of the same name, and with the same
+fields, available in Zeek. If you instead use ``export TFTP::Request
+as TheOtherTFTP::Request``, it will be placed into a different
+namespace instead.
+
+Exporting types generally works for most Spicy types as long as
+there's an ID associated with them in your Spicy code. However,
+exporting is most helpful with user-defined types, such as ``enum``
+and ``unit``, because it can save you quite a bit of typing there. We
+discuss the more common type conversions in more detail below.
+
+To confirm the types made available to Zeek, you can see all exports
+in the output of ``zeek -NN``. With our 2nd ``TFTP::Request``
+example, that looks like this::
+
+    [...]
+    # zeek -NN Zeek::Spicy
+    Zeek::Spicy - Support for Spicy parsers (*.hlto)
+        [Type] TheOtherTFTP::Request
+    [...]
+
+.. note::
+
+   Most, but not all, types can be exported automatically.  For
+   example, self-recursive types are currently not supported.
+   Generally, if you run into trouble exporting a type, you can always
+   fall back to declaring a corresponding Zeek version yourself in
+   your Zeek script. Consider the ``export`` mechanism as a
+   convenience feature that helps avoid writing a lot of boiler plate
+   code in common cases.
+
+.. _spicy_enum:
+
+Enum Types
+^^^^^^^^^^
+
+When you export a Spicy ``enum`` type, Zeek creates a
+corresponding Zeek ``enum`` type. For example, assume the following
+Spicy declaration:
+
+.. code-block:: spicy
+
+    module Test;
+
+    type MyEnum = enum {
+        A = 83,
+        B = 84,
+        C = 85
+    };
+
+Using ``export Test::MyEnum;``, Zeek will create the equivalent
+of the following Zeek type for use in your scripts:
+
+.. code-block:: zeek
+
+    module Test;
+
+    export {
+
+      type MyEnum: enum {
+          MyEnum_A = 83,
+          MyEnum_B = 84,
+          MyEnum_A = 85,
+          MyEnum_Undef = -1
+      };
+
+    }
+
+(The odd naming is due to ID limitations on the Zeek side.)
+
+.. note::
+
+    For backward compatibility, the ``enum`` type comes with an
+    additional property: all *public* enum types are automatically
+    exported, even without adding any ``export`` to your EVT file.
+    This feature may go away at some point, and we suggest to not rely
+    on it on new code; always use ``export`` for `enum` types as well.
+
+.. _spicy_unit:
+
+Unit Types
+^^^^^^^^^^
+
+When you export a Spicy ``unit`` type, Zeek creates a
+corresponding Zeek ``record`` type. For example, assume the following
+Spicy declaration:
+
+.. code-block:: spicy
+
+    module Test;
+
+    type MyRecord = unit {
+        a: bytes &size=4;
+        b: uint16;
+
+        var c: bool;
+    };
+
+Using ``export Test::MyRecord;``, Zeek will then create the
+equivalent of the following Zeek type for use in your scripts:
+
+.. code-block:: zeek
+
+    module Test;
+
+    export {
+
+      type MyRecord: record {
+        a: string &optional;
+        b: count &optional;
+        c: bool;
+      };
+
+    }
+
+The individual fields map over just like event arguments do, following
+the :ref:`the table <zeek-event-arg-types>` above. For aggregate
+types, this works recursively: if, e.g., a field is itself of unit
+type *and that type has been exported as well*, Zeek will map it
+over accordingly to the corresponding ``record`` type. Note that such
+dependent types must be exported *first* in the EVT file for this to
+work. As a result, you cannot export self-recursive unit types.
+
+As you can see in the example, unit fields are always declared as
+:zeek:see:`&optional` on the Zeek-side, as they may not have been set during
+parsing. Unit variables are non-optional by default, unless declared
+as ``&optional`` in Spicy.
+
+.. _spicy_unit_export:
+
+Controlling created Zeek types
+""""""""""""""""""""""""""""""
+
+If needed the automatic unit type exporting described above can be customized.
+The general syntax for this is:
+
+.. code-block:: spicy-evt
+
+    export SPICY_ID [with { [SIPCY_FIELD_NAME [&log], ]... }];
+    export SPICY_ID [as ZEEK_ID [ with { [SIPCY_FIELD_NAME [&log], ]...]  }];
+    export SPICY_ID [without { [SIPCY_FIELD_NAME, ]... }];
+    export SPICY_ID [as ZEEK_ID [ without { [SIPCY_FIELD_NAME, ]...]  }];
+    export SPICY_ID &log;
+    export SPICY_ID as ZEEK_ID &log;
+
+This allows
+
+1. including fields to export by naming them in ``with``, e.g.,
+   ``export foo::A with { x, y }`` creates a Zeek record with the Spicy unit
+   fields ``x`` and ``y`` added to the Zeek record type.
+
+2. excluding fields from export by naming them in ``without``, e.g.,
+   ``export foo::A without { x }`` creates a Zeek record with all fields but
+   ``x`` of the Spicy unit exported.
+
+3. renaming the Spicy type on export, e.g., ``export foo::A as bar::X`` exports
+   the Spicy unit type ``A`` in Spicy module ``foo`` to a Zeek record type ``X``
+   in Zeek module ``bar``.
+
+4. controlling :zeek:see:`&log` attribute on generated Zeek record types. We can either
+   the mark all Zeek record fields ``&log`` by marking the whole type ``&log``
+   with e.g., ``export foo::A &log`` or ``export foo::A as bar::X &log``, or
+   mark individual fields ``&log`` in the ``with`` field list.
+
+.. rubric:: Example: Controlling exported fields
+
+Assume we are given a Spicy unit type ``foo::X``:
+
+.. code-block:: spicy
+
+    module foo;
+
+    public type X = unit {
+        x: uint8;
+        y: uint8;
+        z: uint8;
+    };
+
+To create a Zeek type without the field ``x`` we can use the following ``export``
+statement:
+
+.. code-block:: spicy-evt
+
+    export foo::X without { x };
+
+.. rubric:: Example: Adding Zeek ``&log`` attributes to created Zeek record types
+
+In Zeek records, data intended to be written to Zeek log streams needs to be
+marked :zeek:see:`&log`. We can trigger creation of this attribute from Spicy
+either per-field or for the whole ``record``.
+
+The export statement
+
+.. code-block:: spicy-evt
+
+    export foo::X &log;
+
+creates a Zeek record type
+
+.. code-block:: zeek
+
+    module foo;
+
+    export {
+
+      type X: record {
+        x: count &optional &log;
+        y: count &optional &log;
+        z: count &optional &log;
+      };
+
+    }
+
+To mark individual fields :zeek:see:`&log` we can use the attribute on the
+respective fields, e.g.,
+
+.. code-block:: spicy-evt
+
+    export foo::X with { x &log, y, z };
+
+creates a Zeek record type
+
+.. code-block:: zeek
+
+    module foo;
+
+    export {
+
+      type X: record {
+        x: count &optional &log;
+        y: count &optional;
+        z: count &optional;
+      };
+
+    }
+
+.. _spicy_struct:
+
+Struct Types
+^^^^^^^^^^^^
+
+A Spicy ``struct`` type maps over to Zeek in the same way as ``unit``
+types do, treating each field like a unit variable. See :ref:`there
+<spicy_unit>` for more information.
+
+Tuple Types
+^^^^^^^^^^^
+
+A Spicy ``tuple`` type maps over to a Zeek ``record`` similar to how
+``unit`` types do, treating each tuple element like a unit variable.
+See :ref:`there <spicy_unit>` for more information.
+
+Exporting works only for ``tuple`` types that declare names for all
+their elements.
+
+Importing Spicy Modules
+-----------------------
+
+Code in an ``*.evt`` file may need access to additional Spicy modules,
+such as when expressions for event parameters call Spicy
+functions defined elsewhere. To make a Spicy module available, you can
+insert ``import`` statements into the ``*.evt`` file that work
+:spicylink:`just like in Spicy code <programming/language/modules.html#modules-import>`:
+
+    ``import NAME``
+        Imports Spicy module ``NAME``.
+
+    ``import NAME from X.Y.Z;``
+        Searches for the module ``NAME`` (i.e., for the filename
+        ``NAME.spicy``) inside a sub-directory ``X/Y/Z`` along the
+        search path, and then imports it.
+
+.. _spicy_conditional_compilation:
+
+Conditional Compilation
+-----------------------
+
+``*.evt`` files offer the same basic form of :spicylink:`conditional
+compilation <programming/language/conditional.html>` through
+``@if``/``@else``/``@endif`` blocks as Spicy scripts. Zeek
+makes two additional identifiers available for testing to both
+``*.evt`` and ``*.spicy`` code:
+
+    ``HAVE_ZEEK``
+        Always set to 1 by Zeek. This can be used for feature
+        testing from Spicy code to check if it's being compiled for
+        Zeek.
+
+    ``ZEEK_VERSION``
+        The numerical Zeek version that's being compiled for (see
+        ``zeek -e 'print Version::number'``).
+
+This is an example bracketing code by Zeek version in an EVT file:
+
+.. code-block:: spicy-evt
+
+    @if ZEEK_VERSION < 30200
+        <EVT code for Zeek versions older than 3.2>
+    @else
+        <EVT code for Zeek version 3.2 or newer>
+    @endif
+
+.. _spicy_compiling:
+.. _spicyz:
+
+Compiling Analyzers
+====================
+
+Once you have the ``*.spicy`` and ``*.evt`` source files for your new
+analyzer, you need to precompile them into an ``*.hlto`` object file
+containing their final executable code, which Zeek will then use. To
+do that, pass the relevant ``*.spicy`` and ``*.evt`` files to
+``spicyz``, then have Zeek load the output. To repeat the
+:ref:`example <example_spicy_my_http>` from the *Getting Started*
+guide::
+
+    # spicyz -o my-http-analyzer.hlto my-http.spicy my-http.evt
+    # zeek -Cr request-line.pcap my-http-analyzer.hlto my-http.zeek
+    Zeek saw from 127.0.0.1: GET /index.html 1.0
+
+Instead of providing the precompiled analyzer on the Zeek command
+line, you can also copy them into
+``${prefix}/lib/zeek/spicy``. Zeek will
+automatically load any ``*.hlto`` object files it finds there. In
+addition, Zeek also scans its plugin directory for ``*.hlto``
+files. Alternatively, you can override both of those locations by
+setting the environment variable ``ZEEK_SPICY_MODULE_PATH`` to a set of
+colon-separated directories to search instead. Zeek will then
+*only* look there. In all cases, Zeek searches any directories
+recursively, so it will find ``*.hlto`` also if they are nested in
+subfolders.
+
+Run ``spicyz -h`` to see some additional options it provides, which
+are similar to :spicylink:`toolchain.html#spicy-driver`.
+
+.. _spicy_functions:
+
+Controlling Zeek from Spicy
+===========================
+
+Spicy grammars can import a provided library module ``zeek`` to gain
+access to Zeek-specific functions that call back into Zeek's
+processing:
+
+.. include:: autogen/zeek-functions.spicy
+
+... zeek_variables:
+
+Accessing Zeek Variables from Spicy
+===================================
+
+You can access Zeek-side global variables from inside Spicy, which is
+particularly handy for configuring Spicy analyzers from Zeek script
+code. The :ref:`zeek <spicy_functions>` module facilitates this
+through a set of functions converting the current value of Zeek
+variables into corresponding Spicy values. For example, let's say you
+would like to provide a Zeek script option with a ``count`` value that
+your Spicy analyzer can leverage. On the Zeek side, you'd define the
+option like this:
+
+.. code-block:: zeek
+
+    module MyModule;
+
+    export {
+        option my_value: count &default=42;
+    }
+
+Then, in your Spicy code, you can access the value of that option
+like this:
+
+.. code-block:: spicy
+
+    import zeek;
+
+    ...
+    local my_value = zeek::get_count("MyModule::my_value");
+    ...
+
+
+This looks up the option by its global, fully-scoped ID and returns the
+Zeek-side ``count`` as a Spicy ``uint64``. If there are any errors,
+such as the global not existing or having the wrong type, the
+``get_count()`` would abort with an exception.
+
+There are corresponding conversion functions for most of Zeek's
+built-in types, see :ref:`spicy_functions` for the full list of
+``get_<TYPE>()`` functions.
+
+For Zeek container types (``map``, ``record``, ``set``, ``vector``),
+the ``get_<TYPE>()`` functions return an opaque value that can be used
+to then inspect the container further. For example, you can check
+membership in a ``set`` like this:
+
+.. code-block:: zeek
+
+   # Zeek module MyModule
+   option my_set: set[count] = { 1, 2, 3 };
+
+.. code-block:: spicy
+
+   # Spicy
+   local my_set = zeek::get_set("MyModule::my_set");
+
+   if ( zeek::set_contains(my_set, 2) )
+      print "Found 2 in the set";
+
+For retrieving values from containers, there are further ``as_<TYPE>``
+functions for conversion. Example accessing a record's field:
+
+.. code-block:: zeek
+
+   # Zeek module MyModule
+   option my_record: record {
+       a: count &default = 42;
+       b: string &default = "foo";
+   };
+
+.. code-block:: spicy
+
+   # Spicy
+   local my_record = zeek::get_record("MyModule::my_record");
+   local a = zeek::as_count(zeek::record_field(my_record, "a"));
+   local b = zeek::as_string(zeek::record_field(my_record, "b")); # returns "bytes" (not string)
+
+See :ref:`spicy_functions` again for the full list of ``as_<TYPE>()``
+and container accessor functions.
+
+The API provides only read access to Zeek variables, there's no way to
+change them from inside Spicy. This is both to simplify the API, and
+also conceptually to avoid offering a back channel into Zeek state
+that could end up producing a very tight coupling of Spicy and Zeek
+code. Use events to communicate from Spicy to Zeek instead.
+
+Access to a Zeek global can be relatively slow as it performs the ID
+lookup and data conversion. Accordingly, the mechanism is primarily
+meant for configuration-style data, not for transferring heaps of
+dynamic state. However, as a way to speed up repeated access slightly,
+you can use :ref:`zeek::get_value <spicy_get_value>` to cache the
+result of the ID lookup, then use ``as_<TYPE>()`` on the cached value
+to retrieve the actual value.
+
+.. note::
+
+    When accessing global Zeek variables from Spicy, take into account
+    whether their Zeek values might change over time. If you're
+    accessing a Zeek ``const``, you can be sure it won't change, so
+    you could just store its value inside a corresponding Spicy
+    ``global`` at initialization time, and hence avoid repeated
+    lookups during runtime. However, if you're accessing a Zeek
+    ``option``, those are designed to support runtime updates, so you
+    should *not* cache their values on the Spicy side. Likewise, any
+    Zeek ``global`` can of course change anytime. (In both cases, you
+    can still use ``get_value()`` to cache the ID lookup.)
+
+.. _spicy_dpd:
+
+Dynamic Protocol Detection (DPD)
+================================
+
+Spicy protocol analyzers support Zeek's *Dynamic Protocol Detection*
+(DPD), i.e., analysis independent of any well-known ports. To use that
+with your analyzer, add two pieces:
+
+1. A `Zeek signature
+   <https://docs.zeek.org/en/current/frameworks/signatures.html>`_ to
+   activate your analyzer based on payload patterns. Just like with
+   any of Zeek's standard analyzers, a signature can activate a Spicy
+   analyzer through the ``enable "<name>"`` keyword. The name of the
+   analyzer comes out of the EVT file: it is the ``ANALYZER_NAME``
+   with the double colons replaced with an underscore (e.g.,
+   ``spicy::HTTP`` turns into ``enable "spicy_HTTP"``.
+
+2. You should call :spicylink:`spicy::accept_input() <programming/library.html#spicy-accept-input>`
+   from a hook inside your grammar at a point when the parser can be
+   reasonably certain that it is processing the expected protocol.
+   Optionally, you may also call :spicylink:`spicy::decline_input()
+   <programming/library.html#spicy-decline-input>` when you're sure the parser is *not* parsing
+   the right protocol. However, Zeek will also trigger this
+   automatically whenever your parser aborts with an error.
+
+.. _spicy_configuration:
+
+Configuration
+=============
+
+Options
+-------
+
+Zeek provides a set of script-level options to tune Spicy
+behavior. These all live in the ``Spicy::`` namespace:
+
+.. literalinclude:: autogen/init-bare.zeek
+    :language: zeek
+    :start-after: doc-options-start
+    :end-before:  doc-options-end
+
+Functions
+---------
+
+Zeek also adds the following new built-in functions for Spicy, which
+likewise live in the ``Spicy::`` namespace:
+
+.. literalinclude:: autogen/init-framework.zeek
+    :language: zeek
+    :start-after: doc-functions-start
+    :end-before:  doc-functions-end
+
+.. _spicy_debugging:
+
+Debugging
+=========
+
+If Zeek doesn't seem to be doing the right thing with your Spicy
+analyzer, there are several ways to debug what's going on. To
+facilitate that, compile your analyzer with ``spicyz -d`` and, if
+possible, use a debug version of Zeek (i.e., build Zeek with
+``./configure --enable-debug``).
+
+If your analyzer doesn't seem to be active at all, first make sure
+Zeek actually knows about it: It should show up in the output of
+``zeek -NN Zeek::Spicy``. If it doesn't, you might not have been using
+the right ``*.spicy`` or ``*.evt`` files when precompiling, or Zeek is
+not loading the ``*.hlto`` file. Also check your ``*.evt`` if it
+defines your analyzer correctly.
+
+If Zeek knows about your analyzer and just doesn't seem to activate
+it, double-check that ports or MIME types are correct in the ``*.evt``
+file. If you're using a signature instead, try a port/MIME type first,
+just to make sure it's not a matter of signature mismatches.
+
+If there's nothing obviously wrong with your source files, you can
+trace what the Zeek's Spicy support is compiling by running ``spicyz``
+with ``-D zeek``. For example, reusing the :ref:`HTTP example
+<example_spicy_my_http>` from the *Getting Started* guide::
+
+    # spicyz -D zeek my-http.spicy my-http.evt -o my-http.hlt
+    [debug/zeek] Loading Spicy file "/Users/robin/work/spicy/main/tests/spicy/doc/my-http.spicy"
+    [debug/zeek] Loading EVT file "/Users/robin/work/spicy/main/doc/examples/my-http.evt"
+    [debug/zeek] Loading events from /Users/robin/work/spicy/main/doc/examples/my-http.evt
+    [debug/zeek]   Got protocol analyzer definition for spicy_MyHTTP
+    [debug/zeek]   Got event definition for MyHTTP::request_line
+    [debug/zeek] Running Spicy driver
+    [debug/zeek]   Got unit type 'MyHTTP::Version'
+    [debug/zeek]   Got unit type 'MyHTTP::RequestLine'
+    [debug/zeek] Adding protocol analyzer 'spicy_MyHTTP'
+    [debug/zeek] Adding Spicy hook 'MyHTTP::RequestLine::0x25_done' for event MyHTTP::request_line
+    [debug/zeek] Done with Spicy driver
+
+You can see the main pieces in there: The files being loaded, unit
+types provided by them, analyzers and events being created.
+
+If that all looks as expected, it's time to turn to the Zeek side and
+see what it's doing at runtime. You'll need a debug version of Zeek
+for that, as well as a small trace with traffic that you expect your
+analyzer to process. Run Zeek with ``-B dpd`` (or ``-B file_analysis``
+if you're debugging a file analyzer) on your trace to record the
+analyzer activity into :file:`debug.log`. For example, with the same HTTP
+example, we get:
+
+.. code-block:: text
+    :linenos:
+
+    # zeek -B dpd -Cr request-line.pcap my-http.hlto
+    # cat debug.log
+    [dpd] Registering analyzer SPICY_MYHTTP for port 12345/1
+    [...[
+    [dpd] Available analyzers after spicy_init():
+    [...]
+    [dpd]     spicy_MyHTTP (enabled)
+    [...]
+    [dpd] Analyzers by port:
+    [dpd]     12345/tcp: SPICY_MYHTTP
+    [...]
+    [dpd] TCP[5] added child SPICY_MYHTTP[7]
+    [dpd] 127.0.0.1:59619 > 127.0.0.1:12345 activated SPICY_MYHTTP analyzer due to port 12345
+    [...]
+    [dpd] SPICY_MYHTTP[7] DeliverStream(25, T) [GET /index.html HTTP/1.0\x0a]
+    [dpd] SPICY_MYHTTP[7] EndOfData(T)
+    [dpd] SPICY_MYHTTP[7] EndOfData(F)
+
+The first few lines show that Zeek's analyzer system registers the
+analyzer as expected. The subsequent lines show that the analyzer gets
+activated for processing the connection in the trace, and that it then
+receives the data that we know indeed constitutes its payload, before
+it eventually gets shutdown.
+
+To see this from the Zeek side, set the ``zeek`` debug stream
+through the ``HILTI_DEBUG`` environment variable::
+
+    # HILTI_DEBUG=zeek zeek -Cr request-line.pcap my-http.hlto
+    [zeek] Have Spicy protocol analyzer spicy_MyHTTP
+    [zeek] Registering Protocol::TCP protocol analyzer spicy_MyHTTP with Zeek
+    [zeek]   Scheduling analyzer for port 12345/tcp
+    [zeek] Done with post-script initialization
+    [zeek] [SPICY_MYHTTP/7/orig] initial chunk: |GET /index.html HTTP/1.0\\x0a| (eod=false)
+    [zeek] [SPICY_MYHTTP/7/orig] -> event MyHTTP::request_line($conn, GET, /index.html, 1.0)
+    [zeek] [SPICY_MYHTTP/7/orig] done with parsing
+    [zeek] [SPICY_MYHTTP/7/orig] parsing finished, skipping further originator payload
+    [zeek] [SPICY_MYHTTP/7/resp] no unit specified for parsing
+    [zeek] [SPICY_MYHTTP/7/orig] skipping end-of-data delivery
+    [zeek] [SPICY_MYHTTP/7/resp] no unit specified for parsing
+    [zeek] [SPICY_MYHTTP/7/orig] skipping end-of-data delivery
+    [zeek] [SPICY_MYHTTP/7/resp] no unit specified for parsing
+
+After the initial initialization, you see the data arriving and the
+event being generated for Zeek. Zeek also reports that we didn't
+define a unit for the responder side---which we know in this case, but
+if that appears unexpectedly you probably found a problem.
+
+So we know now that our analyzer is receiving the anticipated data to
+parse. At this point, we can switch to debugging the Spicy side
+:spicylink:`through the usual mechanisms <programming/debugging.html>`. In particular,
+setting ``HILTI_DEBUG=spicy`` tends to be helpful::
+
+    # HILTI_DEBUG=spicy zeek -Cr request-line.pcap my-http.hlto
+    [spicy] MyHTTP::RequestLine
+    [spicy]   method = GET
+    [spicy]   anon_2 =
+    [spicy]   uri = /index.html
+    [spicy]   anon_3 =
+    [spicy]   MyHTTP::Version
+    [spicy]     anon = HTTP/
+    [spicy]     number = 1.0
+    [spicy]   version = [$number=b"1.0"]
+    [spicy]   anon_4 = \n
+
+If everything looks right with the parsing, and the right events are
+generated too, then the final part is to check out the events that
+arrive on the Zeek side. To get Zeek to see an event that Zeek
+raises, you need to have at least one handler implemented for it in
+one of your Zeek scripts. You can then load Zeek's
+``misc/dump-events`` to see them as they are being received, including
+their full Zeek-side values::
+
+    # zeek -Cr request-line.pcap my-http.hlto misc/dump-events
+    [...]
+    1580991211.780489 MyHTTP::request_line
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=59619/tcp, ...] ...]
+                  [1] method: string     = GET
+                  [2] uri: string        = /index.html
+                  [3] version: string    = 1.0
+    [...]
diff --git a/doc/devel/spicy/tutorial.rst b/doc/devel/spicy/tutorial.rst
new file mode 100644
index 0000000000..a1905c452f
--- /dev/null
+++ b/doc/devel/spicy/tutorial.rst
@@ -0,0 +1,441 @@
+
+.. _spicy_tutorial:
+
+Tutorial
+========
+
+This tutorial walks through the integration of a simple TFTP analyzer
+into Zeek. This discussion continues  the example from
+:spicylink:`Spicy's own tutorial <tutorial/index.html>` that develops
+the TFTP grammar, now focusing on how to use it with Zeek. Please go
+through that Spicy tutorial first before continuing here.
+
+To turn a Spicy-side grammar into a Zeek analyzer, we need to provide
+Zeek with a description of how to employ it. There are two parts to
+that: Telling Zeek when to activate the analyzer, and defining events
+to generate. In addition, we will need a Zeek-side script to do
+something with our new TFTP events. We will walk through this in the
+following, starting with the mechanics of compiling the Spicy analyzer
+for Zeek. While we will build up the files involved individually
+first, see the :ref:`final section <zkg_create_package>` for how the
+Zeek package manager, *zkg*, can be used to bootstrap a new Zeek
+package with a skeleton of everything needed for an analyzer.
+
+Before proceeding, make sure that your Zeek comes with Spicy support
+built-in---which is the default since Zeek version 5.0::
+
+    # zeek -N Zeek::Spicy
+    Zeek::Spicy - Support for Spicy parsers (*.hlto) (built-in)
+
+You should also have ``spicyz`` in your ``PATH``::
+
+    # which spicyz
+    /usr/local/zeek/bin/spicyz
+
+.. note::
+
+    There are a number of pieces involved in creating a full Zeek
+    analyzer, in particular if you want to distribute it as a Zeek
+    package. To help you get started with that, Zeek's package manager
+    can create a skeleton Spicy package by running::
+
+        # zkg create --features=spicy-protocol-analyzer --packagedir <packagedir>
+
+    The generated files mark places that will need manual editing with
+    ``TODO``. See the :ref:`tutorial <zkg_create_package>` for more on
+    this.
+
+Compiling the Analyzer
+----------------------
+
+Zeek comes with a tool :ref:`spicyz <spicyz>` that compiles Spicy
+analyzers into binary code that Zeek can load through a Spicy plugin.
+The following command line produces a binary object file ``tftp.hlto``
+containing the executable analyzer code:
+
+.. code::
+
+    # spicyz -o tftp.hlto tftp.spicy
+
+Below, we will prepare an additional interface definition file
+``tftp.evt`` that describes the analyzer's integration into Zeek. We
+will need to give that to ``spicyz`` as well, and our full
+compilation command hence becomes:
+
+.. code::
+
+    # spicyz -o tftp.hlto tftp.spicy tftp.evt
+
+When starting Zeek, we add ``tftp.hlto`` to its command line:
+
+.. code::
+
+    # zeek -r tftp_rrq.pcap tftp.hlto
+
+
+Activating the Analyzer
+-----------------------
+
+In *Getting Started*, :ref:`we already saw
+<example_spicy_my_http_adding_analyzer>` how to inform Zeek about a new
+protocol analyzer. We follow the same scheme here and put the
+following into ``tftp.evt``, the analyzer definition file:
+
+.. literalinclude:: autogen/tftp.evt
+    :lines: 5-7
+    :language: spicy-evt
+
+The first line provides our analyzer with a Zeek-side name
+(``spicy::TFTP``) and also tells Zeek that we are adding an
+application analyzer on top of UDP (``over UDP``). ``TFTP::Packet``
+provides the top-level entry point for parsing both sides of a TFTP
+connection. Furthermore, we want Zeek to automatically activate our
+analyzer for all sessions on UDP port 69 (i.e., TFTP's well known
+port). See :ref:`spicy_evt_analyzer_setup` for more details on defining
+such a ``protocol analyzer`` section.
+
+.. note::
+
+    We use the ``port`` attribute in the ``protocol analyzer`` section
+    mainly for convenience; it's not the only way to define the
+    well-known ports. For a production analyzer, it's more idiomatic
+    to use the a Zeek script instead; see :ref:`this note
+    <zeek_init_instead_of_port>` for more information.
+
+With this in place, we can already employ the analyzer inside Zeek. It
+will not generate any events yet, but we can at least see the output of
+the ``on %done { print self; }`` hook that still remains part of the
+grammar from earlier:
+
+.. code::
+
+    # zeek -r tftp_rrq.pcap tftp.hlto Spicy::enable_print=T
+    [$opcode=Opcode::RRQ, $rrq=[$filename=b"rfc1350.txt", $mode=b"octet"], $wrq=(not set), $data=(not set), $ack=(not set), $error=(not set)]
+
+As by default, the Zeek plugin does not show the output of Spicy-side
+``print`` statements, we added ``Spicy::enable_print=T`` to the
+command line to turn that on. We see that Zeek took care of the
+lower network layers, extracted the UDP payload from the Read Request,
+and passed that into our Spicy parser. (If you want to view more about
+the internals of what is happening here, there are a couple kinds of
+:ref:`debug output available <spicy_debugging>`.)
+
+You might be wondering why there is only one line of output, even
+though there are multiple TFTP packets in our pcap trace. Shouldn't
+the ``print`` execute multiple times? Yes, it should, but it does not
+currently: Due to some intricacies of the TFTP protocol, our analyzer
+gets to see only the first packet for now. We will fix this later. For
+now, we focus on the Read Request packet that the output above shows.
+
+Defining Events
+---------------
+
+The core task of any Zeek analyzer is to generate events for Zeek
+scripts to process. For binary protocols, events will often correspond
+pretty directly to data units specified by their specifications---and
+TFTP is no exception. We start with an event for Read/Write Requests
+by adding this definition to ``tftp.evt``:
+
+.. literalinclude:: examples/tftp-single-request.evt
+    :lines: 5-7
+    :language: spicy-evt
+
+The first line makes our Spicy TFTP grammar available to the rest of
+the file. The line ``on ...`` defines one event: Every time a
+``Request`` unit will be parsed, we want to receive an event
+``tftp::request`` with one parameter: the connection it belongs to.
+Here, ``$conn`` is a reserved identifier that will turn into the
+standard `connection record
+<https://docs.zeek.org/en/current/scripts/base/init-bare.zeek.html#type-connection>`_
+record on the Zeek side.
+
+Now we need a Zeek event handler for our new event. Let's put this
+into ``tftp.zeek``:
+
+.. literalinclude:: examples/tftp-single-request.zeek
+    :language: zeek
+
+Running Zeek then gives us:
+
+.. code::
+
+    # spicyz -o tftp.hlto tftp.spicy tftp.evt
+    # zeek -r tftp_rrq.pcap tftp.hlto tftp.zeek
+    TFTP request, [orig_h=192.168.0.253, orig_p=50618/udp, resp_h=192.168.0.10, resp_p=69/udp]
+
+Let's extend the event signature a bit by passing further arguments:
+
+.. literalinclude:: examples/tftp-single-request-more-args.evt
+    :lines: 5-7
+    :language: spicy-evt
+
+This shows how each parameter gets specified as a Spicy expression:
+``self`` refers to the instance currently being parsed (``self``), and
+``self.filename`` retrieves the value of its ``filename`` field.
+``$is_orig`` is another reserved ID that turns into a boolean that
+will be true if the event has been triggered by originator-side
+traffic. On the Zeek side, our event now has the following signature:
+
+.. literalinclude:: examples/tftp-single-request-more-args.zeek
+    :language: zeek
+
+.. code::
+
+    # spicyz -o tftp.hlto tftp.spicy tftp.evt
+    # zeek -r tftp_rrq.pcap tftp.hlto tftp.zeek
+    TFTP request, [orig_h=192.168.0.253, orig_p=50618/udp, resp_h=192.168.0.10, resp_p=69/udp], T, rfc1350.txt, octet
+
+Going back to our earlier discussion of Read vs Write Requests, we do
+not yet make that distinction with the ``request`` event that we are
+sending to Zeek-land. However, since we had introduced the ``is_read``
+unit parameter, we can easily separate the two by gating event
+generation through an additional ``if`` condition:
+
+.. literalinclude:: autogen/tftp.evt
+    :lines: 11-12
+    :language: spicy-evt
+
+This now defines two separate events, each being generated only for
+the corresponding value of ``is_read``. Let's try it with a new
+``tftp.zeek``:
+
+.. literalinclude:: examples/tftp-two-requests.zeek
+    :language: zeek
+
+.. code::
+
+    # spicyz -o tftp.hlto tftp.spicy tftp.evt
+    # zeek -r tftp_rrq.pcap tftp.hlto tftp.zeek
+    TFTP read request, [orig_h=192.168.0.253, orig_p=50618/udp, resp_h=192.168.0.10, resp_p=69/udp], T, rfc1350.txt, octet
+
+If we look at the :file:`conn.log` that Zeek produces during this run, we
+will see that the ``service`` field is not filled in yet. That's
+because our analyzer does not yet confirm to Zeek that it has been
+successful in parsing the content. To do that, we can call a library
+function that Spicy makes available once we have successfully parsed a
+request: :spicylink:`spicy::accept_input
+<programming/library.html#spicy-accept-input>`. That function signals
+the host application---i.e., Zeek in our case—--that the parser is
+processing the expected protocol.
+
+First, we need to make sure the Spicy standard library is imported
+in ``tftp.spicy``, so that we will have its functions available:
+
+.. code::
+
+   import spicy;
+
+With that, our request looks like this now:
+
+.. code-block::
+
+    type Request = unit(is_read: bool) {
+        filename: bytes &until=b"\x00";
+        mode:     bytes &until=b"\x00";
+
+        on %done { spicy::accept_input(); }
+    };
+
+
+Let's try it again:
+
+.. code::
+
+    # spicyz -o tftp.hlto tftp.spicy tftp.evt
+    # zeek -r tftp_rrq.pcap tftp.hlto tftp.zeek
+    TFTP read request, [orig_h=192.168.0.253, orig_p=50618/udp, resp_h=192.168.0.10, resp_p=69/udp], T, rfc1350.txt, octet
+    # cat conn.log
+    [...]
+    1367411051.972852  C1f7uj4uuv6zu2aKti  192.168.0.253  50618  192.168.0.10  69  udp  spicy_tftp  -  -  -  S0  -  -0  D  1  48  0  0  -
+    [...]
+
+Now the service field says TFTP! (There will be a 2nd connection in
+the log that we are not showing here; see the next section on that).
+
+Turning to the other TFTP packet types, it is straight-forward to add
+events for them as well. The following is our complete ``tftp.evt``
+file:
+
+.. literalinclude:: autogen/tftp.evt
+    :lines: 5-
+    :language: spicy-evt
+
+
+
+Detour: Zeek vs. TFTP
+---------------------
+
+We noticed above that Zeek seems to be seeing only a single TFTP
+packet from our input trace, even though ``tcpdump`` shows that the
+pcap file contains multiple different types of packets. The reason
+becomes clear once we look more closely at the UDP ports that are in
+use:
+
+.. code::
+
+    # tcpdump -ttnr tftp_rrq.pcap
+    1367411051.972852 IP 192.168.0.253.50618 > 192.168.0.10.69:  20 RRQ "rfc1350.txtoctet" [tftp]
+    1367411052.077243 IP 192.168.0.10.3445 > 192.168.0.253.50618: UDP, length 516
+    1367411052.081790 IP 192.168.0.253.50618 > 192.168.0.10.3445: UDP, length 4
+    1367411052.086300 IP 192.168.0.10.3445 > 192.168.0.253.50618: UDP, length 516
+    1367411052.088961 IP 192.168.0.253.50618 > 192.168.0.10.3445: UDP, length 4
+    1367411052.088995 IP 192.168.0.10.3445 > 192.168.0.253.50618: UDP, length 516
+    [...]
+
+Turns out that only the first packet is using the well-known TFTP port
+69/udp, whereas all the subsequent packets use ephemeral ports. Due to
+the port difference, Zeek believes it is seeing two independent
+network connections, and it does not associate TFTP with the second
+one at all due to its lack of the well-known port (neither does
+``tcpdump``!). Zeek's connection log confirms this by showing two
+separate entries:
+
+.. code::
+
+    # cat conn.log
+    1367411051.972852  CH3xFz3U1nYI1Dp1Dk  192.168.0.253  50618  192.168.0.10  69  udp  spicy_tftp  -  -  -  S0  -  -  0  D  1  48  0  0  -
+    1367411052.077243  CfwsLw2TaTIeo3gE9g  192.168.0.10  3445  192.168.0.253  50618  udp  -  0.181558  24795  196  SF  -  -  0  Dd  49  26167  49  1568  -
+
+Switching the ports for subsequent packets is a quirk in TFTP that
+resembles similar behaviour in standard FTP, where data connections
+get set up separately as well. Fortunately, Zeek provides a built-in
+function to designate a specific analyzer for an anticipated future
+connection. We can call that function when we see the initial request:
+
+.. literalinclude:: examples/tftp-schedule-analyzer.zeek
+    :language: zeek
+
+.. code::
+
+    # spicyz -o tftp.hlto tftp.spicy tftp.evt
+    # zeek -r tftp_rrq.pcap tftp.hlto tftp.zeek
+    TFTP read request, [orig_h=192.168.0.253, orig_p=50618/udp, resp_h=192.168.0.10, resp_p=69/udp], rfc1350.txt, octet
+    TFTP data, 1, \x0a\x0a\x0a\x0a\x0a\x0aNetwork Working Group [...]
+    TFTP ack, 1
+    TFTP data, 2, B Official Protocol\x0a   Standards" for the  [...]
+    TFTP ack, 2
+    TFTP data, 3, protocol was originally designed by Noel Chia [...]
+    TFTP ack, 3
+    TFTP data, 4, r mechanism was suggested by\x0a   PARC's EFT [...]
+    TFTP ack, 4
+    [...]
+
+Now we are seeing all the packets as we would expect.
+
+
+Zeek Script
+-----------
+
+Analyzers normally come along with a Zeek-side script that implements
+a set of standard base functionality, such as recording activity into
+a protocol specific log file. These scripts provide handlers for the
+analyzers' events, and collect and correlate their activity as
+desired. We have created such :download:`a script for TFTP
+<autogen/tftp.zeek>`, based on the events that our Spicy analyzer
+generates. Once we add that to the Zeek command line, we will see a
+new :file:`tftp.log`:
+
+.. code::
+
+    # spicyz -o tftp.hlto tftp.spicy tftp.evt
+    # zeek -r tftp_rrq.pcap tftp.hlto tftp.zeek
+    # cat tftp.log
+    #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	wrq	fname	mode	uid_data	size	block_sent	block_acked	error_code	error_msg
+    1367411051.972852	CKWH8L3AIekSHYzBU	192.168.0.253	50618	192.168.0.10	69	F	rfc1350.txt	octet	ClAr3P158Ei77Fql8h	24599	49	49	-	-
+
+The TFTP script also labels the second session as TFTP data by
+adding a corresponding entry to the ``service`` field inside the
+Zeek-side connection record. With that, we are now seeing this in
+:file:`conn.log`:
+
+.. code::
+
+    1367411051.972852  ChbSfq3QWKuNirt9Uh  192.168.0.253  50618  192.168.0.10  69  udp  spicy_tftp  -  -  -  S0  -  -0  D  1  48  0  0  -
+    1367411052.077243  CowFQj20FHHduhHSYk  192.168.0.10  3445  192.168.0.253  50618  udp  spicy_tftp_data  0.181558  24795  196  SF  --  0  Dd  49  26167  49  1568  -
+
+The TFTP script ends up being a bit more complex than one would expect
+for such a simple protocol. That's because it tracks the two related
+connections (initial request and follow-up traffic on a different
+port), and combines them into a single TFTP transaction for logging.
+Since there is nothing Spicy-specific in that Zeek script, we skip
+discussing it here in more detail.
+
+
+.. _zkg_create_package:
+
+Creating a Zeek Package
+-----------------------
+
+We have now assembled all the parts needed for providing a new
+analyzer to Zeek. By adding a few further pieces, we can wrap that
+analyzer into a full *Zeek package* for others to install easily
+through *zkg*. To help create that wrapping, *zkg* provides a template
+for instantiating a skeleton analyzer package as a starting point. The
+skeleton comes in three different flavors, depending on which kind of
+analyzer you want to create: protocol, file, or packet analyzer.
+In each case, it creates all the necessary files along with the
+appropriate directory layout, and even includes a couple of
+standard test cases.
+
+To create the scaffolding for our TFTP analyzer, execute the following
+command and provide the requested information::
+
+    # zkg create --features spicy-protocol-analyzer --packagedir spicy-tftp
+    "package-template" requires a "name" value (the name of the package, e.g. "FooBar" or "spicy-http"):
+    name: spicy-tftp
+    "package-template" requires a "analyzer" value (name of the Spicy analyzer, which typically corresponds to the protocol/format being parsed (e.g. "HTTP", "PNG")):
+    analyzer: TFTP
+    "package-template" requires a "protocol" value (transport protocol for the analyzer to use: TCP or UDP):
+    protocol: UDP
+    "package-template" requires a "unit_orig" value (name of the top-level Spicy parsing unit for the originator side of the connection (e.g. "Request")):
+    unit_orig: Packet
+    "package-template" requires a "unit_resp" value (name of the top-level Spicy parsing unit for the responder side of the connection (e.g. "Reply"); may be the same as originator side):
+    unit_resp: Packet
+
+
+The above creates the following files (skipping anything related to
+``.git``)::
+
+    spicy-tftp/CMakeLists.txt
+    spicy-tftp/COPYING
+    spicy-tftp/README
+    spicy-tftp/analyzer/CMakeLists.txt
+    spicy-tftp/analyzer/tftp.evt
+    spicy-tftp/analyzer/tftp.spicy
+    spicy-tftp/cmake/FindSpicyPlugin.cmake
+    spicy-tftp/scripts/__load__.zeek
+    spicy-tftp/scripts/dpd.sig
+    spicy-tftp/scripts/main.zeek
+    spicy-tftp/testing/Baseline/tests.run-pcap/conn.log
+    spicy-tftp/testing/Baseline/tests.run-pcap/output
+    spicy-tftp/testing/Baseline/tests.standalone/
+    spicy-tftp/testing/Baseline/tests.standalone/output
+    spicy-tftp/testing/Baseline/tests.trace/output
+    spicy-tftp/testing/Baseline/tests.trace/tftp.log
+    spicy-tftp/testing/Files/random.seed
+    spicy-tftp/testing/Makefile
+    spicy-tftp/testing/Scripts/README
+    spicy-tftp/testing/Scripts/diff-remove-timestamps
+    spicy-tftp/testing/Scripts/get-zeek-env
+    spicy-tftp/testing/Traces/tcp-port-12345.pcap
+    spicy-tftp/testing/Traces/udp-port-12345.pcap
+    spicy-tftp/testing/btest.cfg
+    spicy-tftp/testing/tests/availability.zeek
+    spicy-tftp/testing/tests/standalone.spicy
+    spicy-tftp/testing/tests/trace.zeek
+    spicy-tftp/zkg.meta
+
+
+Note the ``*.evt``, ``*.spicy``, ``*.zeek`` files: they correspond to
+the files we created for TFTP in the preceding sections; we can just
+move our versions in there. Furthermore, the generated scaffolding
+marks places with ``TODO`` that need manual editing: use ``git grep
+TODO`` inside the ``spicy-tftp`` directory to find them. We won't go
+through all the specific customizations for TFTP here, but for
+reference you can find the full TFTP package as created from the *zkg*
+template on `GitHub <https://github.com/zeek/spicy-tftp>`_.
+
+If instead of a protocol analyzer, you'd like to create a file or
+packet analyzer, run zkg with ``--features spicy-file-analyzer`` or
+``--features spicy-packet-analyzer``, respectively. The generated
+skeleton will be suitably adjusted then.
diff --git a/doc/devel/websocket-api.rst b/doc/devel/websocket-api.rst
new file mode 100644
index 0000000000..968148c891
--- /dev/null
+++ b/doc/devel/websocket-api.rst
@@ -0,0 +1,317 @@
+.. _websocket-api:
+
+.. _websocat: https://github.com/vi/websocat
+
+
+======================================
+Interacting with Zeek using WebSockets
+======================================
+
+Introduction
+============
+
+Usually, Zeek produces protocol logs consumed by external applications. These
+external applications might be SIEMs, real-time streaming analysis platforms
+or basic archival processes compressing logs for long term storage.
+
+Certain use-cases require interacting and influencing Zeek's runtime behavior
+outside of static configuration via ``local.zeek``.
+
+The classic :ref:`framework-input` and :ref:`framework-configuration` can be
+leveraged for runtime configuration of Zeek as well as triggering arbitrary
+events or script execution via option handlers. These frameworks are mostly
+file- or process-based and may feel a bit unusual in environments where creation
+of files is uncommon or even impossible due to separation of concerns. In many
+of today's environments, interacting using HTTP-based APIs or other remote
+interfaces is more common.
+
+.. note::
+
+    As an aside, if you need more flexibility than the WebSocket API offers today,
+    an alternative could be to use :ref:`javascript` within Zeek. This opens the
+    possibility to run a separate HTTP or a totally different Node.js based server
+    within a Zeek process for quick experimentation and evaluation of other
+    approaches.
+
+Background and Setup
+====================
+
+Since Zeek 5.0, Zeek allows connections from external clients over WebSocket.
+This allows these clients to interact with Zeek's publish-subscribe layer and
+exchange Zeek events with other Zeek nodes.
+Initially, this implementation resided in the Broker subsystem.
+With Zeek 8.0, most of the implementation has been moved into core Zeek
+itself with the v1 serialization format remaining in Broker.
+
+WebSocket clients may subscribe to a fixed set of topics and will receive
+Zeek events matching these topics that Zeek cluster nodes, but also other
+WebSocket clients, publish.
+
+With Zeek 8.0, Zeekctl has received support to interact with Zeek cluster nodes
+using the WebSocket protocol. If you're running a Zeekctl based cluster and
+want to experiment with WebSocket functionality, add ``UseWebSocket = 1`` to
+your ``zeekctl.cfg``:
+
+.. code-block:: ini
+
+    # zeekctl.cfg
+    ...
+    UseWebSocket = 1
+
+This will essentially add the following snippet, enabling a WebSocket server
+on the Zeek manager:
+
+.. code-block:: zeek
+   :caption: websocket.zeek
+
+   event zeek_init()
+        {
+        if ( Cluster::local_node_type() == Cluster::MANAGER )
+            {
+            Cluster::listen_websocket([
+                $listen_addr=127.0.0.1,
+                $listen_port=27759/tcp,
+            ]);
+            }
+        }
+
+
+To verify that the WebSocket API is functional in your deployment use, for example,
+`websocat`_ as a quick check.
+
+.. code-block:: shell
+
+   $ echo '[]' | websocat ws://127.0.0.1:27759/v1/messages/json
+   {"type":"ack","endpoint":"3eece35d-9f94-568d-861c-6a16c433e090-websocket-2","version":"8.0.0-dev.684"}
+
+Zeek's ``cluster.log`` file will also have an entry for the WebSocket client connection.
+The empty array in the command specifies the client's subscriptions, in this case none.
+
+Version 1
+=========
+
+The currently implemented protocol is accessible at ``/v1/messages/json``.
+The `data representation <https://docs.zeek.org/projects/broker/en/current/web-socket.html#data-representation>`_
+is documented in detail within the Broker project. Note that this format is a
+direct translation of Broker's binary format into JSON, resulting in a fairly
+tight coupling between WebSocket clients and the corresponding Zeek scripts.
+Most prominently is the representation of record values as vectors instead
+of objects, making the protocol sensitive against reordering or introduction
+of optional fields to records.
+
+.. note::
+
+   We're looking into an iteration of the format. If you have feedback or
+   would like to contribute, please reach out on the usual community channels.
+
+
+Handshake and Acknowledgement
+-----------------------------
+
+The first message after a WebSocket connection has been established originates
+from the client. This message is a JSON array of strings that represent the
+topics the WebSocket client wishes to subscribe to.
+
+Zeek replies with an acknowledgement message that's a JSON object or an error.
+
+Events
+------
+
+After the acknowledgement, WebSocket clients receive all events arriving on
+topics they have subscribed to.
+
+.. code-block:: shell
+
+   $ websocat ws://127.0.0.1:27759/v1/messages/json
+   ["zeek.test"]
+   {"type":"ack","endpoint":"d955d990-ad8a-5ed4-8bc5-bee252d4a2e6-websocket-0","version":"8.0.0-dev.684"}
+   {"type":"data-message","topic":"zeek.test","@data-type":"vector","data":[{"@data-type":"count","data":1},{"@data-type":"count","data":1},{"@data-type":"vector","data":[{"@data-type":"string","data":"hello"},{"@data-type":"vector","data":[{"@data-type":"count","data":3}]},{"@data-type":"vector","data":[]}]}]}
+
+The received messages, again, are encoded in Broker's JSON format. Above ``data-message``
+represents an event received on topic ``zeek.test``. The event's name is ``hello``.
+This event has a single argument of type :zeek:type:`count`. In the example above
+its value is ``3``.
+
+To send events, WebSocket clients similarly encode their event representation
+to Broker's JSON format and send them as `text data frames <https://datatracker.ietf.org/doc/html/rfc6455#section-5.6>`_.
+
+
+X-Application-Name Header
+-------------------------
+
+When a WebSocket client includes an ``X-Application-Name`` HTTP header in
+the initial WebSocket Handshake's GET request, that header's value is available
+in the :zeek:see:`Cluster::websocket_client_added` event's ``endpoint`` argument (see :zeek:see:`Cluster::EndpointInfo`).
+
+The header's value will also be included in ``cluster.log`` messages.
+
+Additionally, if the cluster telemetry for WebSocket clients is set to
+:zeek:see:`Cluster::Telemetry::VERBOSE` or :zeek:see:`Cluster::Telemetry::DEBUG`
+via :zeek:see:`Cluster::Telemetry::websocket_metrics`, the header's value is
+included as ``app`` label in metrics exposed by the :ref:`framework-telemetry`.
+
+As of Zeek 8.0, a WebSocket client will be rejected if the header is set, but
+its value doesn't match ``[-/_.=:*@a-zA-Z0-9]+``.
+
+
+Language Bindings
+-----------------
+
+Note that it's possible to use any language that offers WebSocket bindings.
+The ones listed below mostly add a bit of convenience features around the
+initial Handshake message, error handling and serializing Zeek events and
+values into the Broker-specific serialization format.
+
+For example, using the Node.js `builtin WebSocket functionality <https://nodejs.org/en/learn/getting-started/websocket>`_,
+the ``websocat`` example from above can be reproduced as follows:
+
+.. code-block:: javascript
+   :caption: client.js
+
+   // client.js
+   const socket = new WebSocket('ws://192.168.122.107:27759/v1/messages/json');
+
+   socket.addEventListener('open', event => {
+     socket.send('["zeek.test"]');
+   });
+
+   socket.addEventListener('message', event => {
+     console.log('Message from server: ', event.data);
+   });
+
+.. code-block:: shell
+
+   $ node ./client.js
+   Message from server:  {"type":"ack","endpoint":"2e951b0c-3ca4-504c-ae8a-5d3750fec588-websocket-10","version":"8.0.0-dev.684"}
+   Message from server:  {"type":"data-message","topic":"zeek.test","@data-type":"vector","data":[{"@data-type":"count","data":1},{"@data-type":"count","data":1},{"@data-type":"vector","data":[{"@data-type":"string","data":"hello"},{"@data-type":"vector","data":[{"@data-type":"count","data":374}]},{"@data-type":"vector","data":[]}]}]}
+
+
+Golang
+^^^^^^
+
+* `Zeek Broker websocket interface library for Golang <https://github.com/corelight/go-zeek-broker-ws>`_ (not an official Zeek project)
+
+
+Rust
+^^^^
+
+* `Rust types for interacting with Zeek over WebSocket <https://github.com/bbannier/zeek-websocket-rs>`_ (not an official Zeek project)
+
+Python
+^^^^^^
+
+There are no ready to use Python libraries available, but the third-party
+`websockets <https://github.com/python-websockets/websockets>`_ package
+allows to get started quickly.
+You may take inspiration from `zeek-client's implementation <https://github.com/zeek/zeek-client>`_
+or the `small helper library <https://raw.githubusercontent.com/zeek/zeek/refs/heads/master/testing/btest/Files/ws/wstest.py>`_ used by various of Zeek's own tests for the
+WebSocket API.
+Zeekctl similarly ships a `light implementation <https://github.com/zeek/zeekctl/blob/93459b37c3deab4bec9e886211672024fa3e4759/ZeekControl/events.py#L159>`_
+using the ``websockets`` library to implement its ``netstats`` and ``print`` commands.
+
+
+Outgoing Connections
+====================
+
+For some deployment scenarios, Zeek only offering a WebSocket server can be cumbersome.
+Concretely, when multiple independent Zeek clusters interact with
+a single instance of a remote API. For instance, this could be needed for
+configuring a central firewall.
+In such scenarios, it is more natural for Zeek to connect out to the
+remote API, rather than the remote API connecting to the Zeek cluster.
+
+For these use-cases, the current suggestion is to run a WebSocket bridge between
+a Zeek cluster and the remote API. One concrete tool that can be used
+for this purpose is `websocat`_.
+
+.. note::
+
+   This topic has previously been discussed elsewhere. The following
+   `GitHub issue <https://github.com/zeek/zeek/issues/3597>`_ and
+   `discussion <https://github.com/zeek/zeek/discussions/4768>`_
+   provide more background and details.
+
+
+Example Architecture
+--------------------
+
+.. figure:: ../images/websocket-api/one-api-many-zeek.svg
+   :width: 300
+
+   Multiple Zeek instances and a single remote API
+
+The following proposal decouples the components using a WebSocket
+bridge for every Zeek cluster. This ensures that the depicted remote API
+does not need knowledge about an arbitrary number of Zeek clusters.
+
+
+.. figure:: ../images/websocket-api/one-api-many-zeek-ws-bridge.svg
+   :width: 300
+
+   Multiple Zeek instances and a single remote API with WebSocket bridges.
+
+Example Implementation
+----------------------
+
+Assuming the depicted remote API provides a WebSocket server as well,
+it is possible to use ``websocat`` as the bridge directly.
+The crux for the remote API is that upon a new WebSocket client connection,
+the first message is the topic array that the remote API wishes to subscribe
+to on a Zeek cluster.
+
+
+Putting these pieces together, the following JavaScript script presents the
+remote API, implemented using the `ws library <https://github.com/websockets/ws?tab=readme-ov-file>`_.
+It accepts WebSocket clients on port 8080 and sends the topic array as the first message
+containing just ``zeek.bridge.test``. Thereafter, it simply echos all incoming
+WebSocket messages.
+
+.. literalinclude:: websocket-api/server.js
+   :caption: server.js
+   :language: javascript
+
+The Zeek side starts a WebSocket server on port 8000 and regularly publishes
+a ``hello`` event to the ``zeek.bridge.test`` topic.
+
+.. literalinclude:: websocket-api/server.zeek
+   :caption: server.zeek
+   :language: zeek
+
+These two servers can now be connected by running ``websocat`` as follows:
+
+.. code-block:: shell
+
+    # In terminal 1 (use node if your Zeek has no JavaScript support)
+    $ zeek server.js
+
+    # In terminal 2
+    $ zeek server.zeek
+
+    # In terminal 3
+    $ while true; do websocat --text -H='X-Application-Name: client1' ws://localhost:8000/v1/messages/json ws://localhost:8080 || sleep 0.1 ; done
+
+
+The first few lines of output in terminal 1 should then look as follows:
+
+.. code-block:: shell
+
+   # zeek server.js
+   client1: connected, sending topics array ["zeek.bridge.test"]
+   client1: received: {"type":"ack","endpoint":"9089e06b-8d33-5585-ad79-4f7f6348754e-websocket-135","version":"8.1.0-dev.91"}
+   client1: received: {"type":"data-message","topic":"zeek.bridge.test","@data-type":"vector","data":[{"@data-type":"count","data":1},{"@data-type":"count","data":1},{"@data-type":"vector","data":[{"@data-type":"string","data":"hello"},{"@data-type":"vector","data":[{"@data-type":"count","data":1792}]},{"@data-type":"vector","data":[]}]}]}
+   ...
+
+If you require synchronization between the Zeek instance and the remote API, this
+is best achieved with events once the connection between the remote API and the
+Zeek cluster is established.
+
+Alternative Approaches
+----------------------
+
+Since v21, Node.js contains a built-in `WebSocket client <https://nodejs.org/en/learn/getting-started/websocket>`_,
+making it possible to use vanilla :ref:`javascript` within
+Zeek to establish outgoing WebSocket connections, too.
+
+The ``websocat`` tool provides more flexibility, potentially allowing
+to forward WebSocket messages to external commands which in turn could
+use HTTP POST requests to an external API.
diff --git a/doc/devel/websocket-api/server.js b/doc/devel/websocket-api/server.js
new file mode 100644
index 0000000000..89de7ec512
--- /dev/null
+++ b/doc/devel/websocket-api/server.js
@@ -0,0 +1,23 @@
+// server.js
+import WebSocket, { WebSocketServer } from 'ws';
+
+const wss = new WebSocketServer({ port: 8080 });
+
+wss.on('connection', (ws, req) => {
+  ws.on('error', console.error);
+  ws.on('close', () => { console.log('%s: gone', ws.zeek.app); });
+
+  ws.on('message', function message(data) {
+      console.log('%s: received: %s', ws.zeek.app, data);
+  });
+
+  let topics = ['zeek.bridge.test'];
+  let app = req.headers['x-application-name'] || '<unknown application>'
+  ws.zeek = {
+    app: app,
+    topics: topics,
+  };
+
+  console.log(`${app}: connected, sending topics array ${JSON.stringify(topics)}`);
+  ws.send(JSON.stringify(topics));
+});
diff --git a/doc/devel/websocket-api/server.zeek b/doc/devel/websocket-api/server.zeek
new file mode 100644
index 0000000000..2d6c645381
--- /dev/null
+++ b/doc/devel/websocket-api/server.zeek
@@ -0,0 +1,15 @@
+global hello: event(c : count);
+
+global c = 0;
+
+event tick()
+	{
+	Cluster::publish("zeek.bridge.test", hello, ++c);
+	schedule 1.0sec { tick() };
+	}
+
+event zeek_init()
+	{
+	Cluster::listen_websocket([$listen_addr=127.0.0.1, $listen_port=8000/tcp]);
+	event tick();
+	}
diff --git a/doc/ext/literal-emph.py b/doc/ext/literal-emph.py
new file mode 100644
index 0000000000..0d87681749
--- /dev/null
+++ b/doc/ext/literal-emph.py
@@ -0,0 +1,41 @@
+import re
+
+import sphinx
+from docutils import nodes
+
+# This extension adds a 'literal-emph' directive that operates the same
+# as the 'code-block' directive except that it additionally understands
+# the **strong emphasis** markup, allowing custom rendering of it to be
+# substituted in the final literal block (e.g. HTML adds <strong> elements).
+# Adding " (no-emph)" to the end of a line within the 'literal-emph' content
+# disables substitutions for that line.
+
+
+class LiteralEmphNode(nodes.General, nodes.Element):
+    pass
+
+
+class LiteralEmph(sphinx.directives.code.CodeBlock):
+    def run(self):
+        node = LiteralEmphNode()
+        node += super().run()
+        return [node]
+
+
+def visit_litemph_node(self, node):
+    pass
+
+
+def depart_litemph_node(self, node):
+    text = self.body[-1]
+    text = re.sub(r"\*\*(.*?)\*\*(?!.* \(no-emph\)\n)", r"<strong>\1</strong>", text)
+    text = re.sub(r"(.*) \(no-emph\)\n", r"\1\n", text)
+    self.body[-1] = text
+
+
+def setup(app):
+    app.add_directive("literal-emph", LiteralEmph)
+    app.add_node(LiteralEmphNode, html=(visit_litemph_node, depart_litemph_node))
+    return {
+        "parallel_read_safe": True,
+    }
diff --git a/doc/ext/spicy-pygments.py b/doc/ext/spicy-pygments.py
new file mode 100644
index 0000000000..adb101483f
--- /dev/null
+++ b/doc/ext/spicy-pygments.py
@@ -0,0 +1,391 @@
+# Copyright (c) 2020-now by the Zeek Project. See LICENSE for details.
+
+from pygments.lexer import RegexLexer, bygroups, include, words
+from pygments.token import (
+    Comment,
+    Keyword,
+    Name,
+    Number,
+    Operator,
+    Punctuation,
+    String,
+    Text,
+)
+from sphinx.highlighting import lexers
+
+
+def setup(app):
+    lexers["spicy"] = SpicyLexer()
+    lexers["spicy-evt"] = SpicyEvtLexer()
+    return {
+        "parallel_read_safe": True,
+        "parallel_write_safe": True,
+    }
+
+
+class SpicyLexer(RegexLexer):
+    """
+    For `Spicy <https://github.com/zeek/spicy>`_ grammars.
+    """
+
+    name = "Spicy"
+    aliases = ["spicy"]
+    filenames = ["*.spicy"]
+
+    _hex = r"[0-9a-fA-F]"
+    _float = r"((\d*\.?\d+)|(\d+\.?\d*))([eE][-+]?\d+)?"
+    _h = r"[A-Za-z0-9][-A-Za-z0-9]*"
+    _id = r"[a-zA-Z_][a-zA-Z_0-9]*"
+
+    tokens = {
+        "root": [
+            include("whitespace"),
+            include("comments"),
+            include("directives"),
+            include("attributes"),
+            include("hooks"),
+            include("properties"),
+            include("types"),
+            include("modules"),
+            include("keywords"),
+            include("literals"),
+            include("operators"),
+            include("punctuation"),
+            include("function-call"),
+            include("identifiers"),
+        ],
+        "whitespace": [
+            (r"\n", Text),
+            (r"\s+", Text),
+            (r"\\\n", Text),
+        ],
+        "comments": [
+            (r"#.*$", Comment),
+        ],
+        "directives": [(r"(@(if|else|endif))\b", Comment.Preproc)],
+        "attributes": [
+            (
+                words(
+                    (
+                        "bit-order",
+                        "byte-order",
+                        "chunked",
+                        "convert",
+                        "count",
+                        "cxxname",
+                        "default",
+                        "eod",
+                        "internal",
+                        "ipv4",
+                        "ipv6",
+                        "length",
+                        "max-size",
+                        "no-emit",
+                        "nosub",
+                        "on-heap",
+                        "optional",
+                        "originator",
+                        "parse-at",
+                        "parse-from",
+                        "priority",
+                        "requires",
+                        "responder",
+                        "size",
+                        "static",
+                        "synchronize",
+                        "transient",
+                        "try",
+                        "type",
+                        "until",
+                        "until-including",
+                        "while",
+                        "have_prototype",
+                    ),
+                    prefix=r"&",
+                    suffix=r"\b",
+                ),
+                Keyword.Pseudo,
+            ),
+        ],
+        "hooks": [
+            (
+                rf"(on)(\s+)(({_id}::)+%?{_id}(\.{_id})*)",
+                bygroups(Keyword, Text, Name.Function),
+            ),
+            (rf"(on)(\s+)(%?{_id}(\.{_id})*)", bygroups(Keyword, Text, Name.Function)),
+        ],
+        "properties": [
+            # Like an ID, but allow hyphenation ('-')
+            (r"%[a-zA-Z_][a-zA-Z_0-9-]*", Name.Attribute),
+        ],
+        "types": [
+            (
+                words(
+                    (
+                        "any",
+                        "addr",
+                        "bitfield",
+                        "bool",
+                        "bytes",
+                        "__library_type",
+                        "iterator",
+                        "const_iterator",
+                        "int8",
+                        "int16",
+                        "int32",
+                        "int64",
+                        "uint8",
+                        "uint16",
+                        "uint32",
+                        "uint64",
+                        "enum",
+                        "interval",
+                        "interval_ns",
+                        "list",
+                        "map",
+                        "optional",
+                        "port",
+                        "real",
+                        "regexp",
+                        "set",
+                        "sink",
+                        "stream",
+                        "view",
+                        "string",
+                        "time",
+                        "time_ns",
+                        "tuple",
+                        "unit",
+                        "vector",
+                        "void",
+                        "function",
+                        "struct",
+                    ),
+                    prefix=r"\b",
+                    suffix=r"\b",
+                ),
+                Keyword.Type,
+            ),
+            (
+                rf"\b(type)(\s+)((?:{_id})(?:::(?:{_id}))*)\b",
+                bygroups(Keyword, Text, Name.Class),
+            ),
+        ],
+        "modules": [
+            (
+                rf"\b(import)(\s+)({_id})(\s+)(from)(\s+)(\S+)\b",
+                bygroups(
+                    Keyword.Namespace,
+                    Text,
+                    Name.Namespace,
+                    Text,
+                    Keyword.Namespace,
+                    Text,
+                    Name.Namespace,
+                ),
+            ),
+            (
+                rf"\b(module|import)(\s+)({_id})\b",
+                bygroups(Keyword.Namespace, Text, Name.Namespace),
+            ),
+        ],
+        "keywords": [
+            (
+                words(
+                    ("global", "const", "local", "var", "public", "private", "inout"),
+                    prefix=r"\b",
+                    suffix=r"\b",
+                ),
+                Keyword.Declaration,
+            ),
+            (
+                words(
+                    (
+                        "print",
+                        "add",
+                        "delete",
+                        "stop",
+                        "unset",
+                        "assert",
+                        "assert-exception",
+                        "new",
+                        "cast",
+                        "begin",
+                        "end",
+                        "type",
+                        "attribute",
+                        "on",
+                        "priority",
+                        "if",
+                        "else",
+                        "switch",
+                        "case",
+                        "default",
+                        "try",
+                        "catch",
+                        "break",
+                        "return",
+                        "continue",
+                        "while",
+                        "for",
+                        "foreach",
+                        "module",
+                        "import",
+                        "export",
+                        "from",
+                    ),
+                    prefix=r"\b",
+                    suffix=r"\b",
+                ),
+                Keyword,
+            ),
+        ],
+        "literals": [
+            (r'b?"', String, "string"),
+            # Not the greatest match for patterns, but generally helps
+            # disambiguate between start of a pattern and just a division
+            # operator.
+            (r"/(?=.*/)", String.Regex, "regex"),
+            (r"\b(True|False|None|Null)\b", Keyword.Constant),
+            # Port
+            (r"\b\d{1,5}/(udp|tcp)\b", Number),
+            # IPv4 Address
+            (
+                r"\b(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\b",
+                Number,
+            ),
+            # IPv6 Address (not 100% correct: that takes more effort)
+            (
+                r"\[([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})?((25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2}))?\]",
+                Number,
+            ),
+            # Numeric
+            (rf"\b0[xX]{_hex}+\b", Number.Hex),
+            (rf"\b{_float}\b", Number.Float),
+            (r"\b(\d+)\b", Number.Integer),
+        ],
+        "operators": [
+            (r"[$][$]", Name.Builtin.Pseudo),  # just-parsed-element
+            (r"[$]\d+", Name.Builtin.Pseudo),  # capture-group
+            (r"\b(in)\b", Operator.Word),
+            (r"[-+*=&|<>.]{2}", Operator),
+            (r"[-+*/=!><]=", Operator),
+            (r"[?][.]", Operator),
+            (r"[.][?]", Operator),
+            (r"[-][>]", Operator),
+            (r"[!][<>]", Operator),
+            (r"[!%*/+<=>~|&^-]", Operator),
+            # Technically, colons are often used for punctuation/sepration.
+            # E.g. field name/type separation.
+            (r"[?:]", Operator),
+        ],
+        "punctuation": [
+            (r"[{}()\[\],;:.]", Punctuation),
+        ],
+        "function-call": [
+            (rf"\b((?:{_id})(?:::(?:{_id}))*)(?=\s*\()", Name.Function),
+        ],
+        "identifiers": [
+            (r"\b(self)\b", Name.Builtin.Pseudo),
+            (r"([a-zA-Z_]\w*)(::)", bygroups(Name, Punctuation)),
+            (r"[a-zA-Z_]\w*", Name),
+        ],
+        "string": [
+            (r"\\.", String.Escape),
+            (r"%-?[0-9]*(\.[0-9]+)?[DTdxsefg]", String.Escape),
+            (r'"', String, "#pop"),
+            (r".", String),
+        ],
+        "regex": [
+            (r"\\.", String.Escape),
+            (r"/", String.Regex, "#pop"),
+            (r".", String.Regex),
+        ],
+    }
+
+
+class SpicyEvtLexer(RegexLexer):
+    """
+    For `Spicy <https://github.com/zeek/spicy>`_ Zeek interface definitions.
+    """
+
+    name = "SpicyEvt"
+    aliases = ["spicy-evt"]
+    filenames = ["*.evt"]
+
+    _id = r"[a-zA-Z_][a-zA-Z_0-9]*"
+
+    tokens = {
+        "root": [
+            include("whitespace"),
+            include("comments"),
+            include("directives"),
+            include("hooks"),
+            include("modules"),
+            include("keywords"),
+            include("literals"),
+            include("operators"),
+            include("punctuation"),
+            include("function-call"),
+            include("identifiers"),
+        ],
+        "whitespace": SpicyLexer.tokens["whitespace"],
+        "comments": SpicyLexer.tokens["comments"],
+        "directives": SpicyLexer.tokens["directives"],
+        "hooks": SpicyLexer.tokens["hooks"],
+        "modules": SpicyLexer.tokens["modules"],
+        "keywords": [
+            (
+                rf"\b(analyzer|with|replaces)(\s+)({_id}(::{_id})*)",
+                bygroups(Keyword, Text, Name.Class),
+            ),
+            (
+                words(("protocol", "packet", "file"), prefix=r"\b", suffix=r"\b"),
+                Keyword.Type,
+            ),
+            (
+                words(
+                    ("port", "event", "parse", "over", "mime-type"),
+                    prefix=r"\b",
+                    suffix=r"\b",
+                ),
+                Keyword,
+            ),
+            (words(("cast"), prefix=r"\b", suffix=r"\b"), Keyword),
+            (
+                words(
+                    (
+                        "if",
+                        "else",
+                        "switch",
+                        "case",
+                        "default",
+                        "try",
+                        "catch",
+                        "break",
+                        "return",
+                        "continue",
+                        "while",
+                        "for",
+                        "foreach",
+                    ),
+                    prefix=r"\b",
+                    suffix=r"\b",
+                ),
+                Keyword,
+            ),
+        ],
+        "literals": SpicyLexer.tokens["literals"],
+        "operators": SpicyLexer.tokens["operators"],
+        "punctuation": SpicyLexer.tokens["punctuation"],
+        "function-call": SpicyLexer.tokens["function-call"],
+        "identifiers": [
+            (r"\b(ZEEK_VERSION)\b", Name.Builtin),
+            (r"\b(self)\b", Name.Builtin.Pseudo),
+            (r"[$](conn|file|is_orig)", Name.Builtin.Pseudo),
+            (r"([a-zA-Z_]\w*)(::)", bygroups(Name, Punctuation)),
+            (r"[a-zA-Z_]\w*", Name),
+        ],
+        "string": SpicyLexer.tokens["string"],
+        "regex": SpicyLexer.tokens["regex"],
+    }
diff --git a/doc/ext/zeek.py b/doc/ext/zeek.py
new file mode 100644
index 0000000000..00117d112a
--- /dev/null
+++ b/doc/ext/zeek.py
@@ -0,0 +1,597 @@
+"""
+The Zeek domain for Sphinx.
+"""
+
+import collections
+
+
+def setup(Sphinx):
+    Sphinx.add_domain(ZeekDomain)
+    Sphinx.add_node(see)
+    Sphinx.add_directive_to_domain("zeek", "see", SeeDirective)
+    Sphinx.connect("object-description-transform", object_description_transform)
+    Sphinx.connect("doctree-resolved", process_see_nodes)
+    return {
+        "parallel_read_safe": True,
+    }
+
+
+from sphinx import addnodes, version_info
+from sphinx.directives import ObjectDescription
+from sphinx.domains import Domain, Index, ObjType
+from sphinx.locale import _
+from sphinx.roles import XRefRole
+from sphinx.util import docfields, logging
+from sphinx.util.nodes import make_refnode
+
+logger = logging.getLogger(__name__)
+
+from docutils import nodes
+from docutils.parsers.rst import Directive, directives
+
+
+class see(nodes.General, nodes.Element):
+    refs = []
+
+
+class SeeDirective(Directive):
+    has_content = True
+
+    def run(self):
+        n = see("")
+        n.refs = " ".join(self.content).split()
+        return [n]
+
+
+# Wrapper for creating a tuple for index nodes, staying backwards
+# compatible to Sphinx < 1.4:
+def make_index_tuple(indextype, indexentry, targetname, targetname2):
+    if version_info >= (1, 4, 0, "", 0):
+        return (indextype, indexentry, targetname, targetname2, None)
+    else:
+        return (indextype, indexentry, targetname, targetname2)
+
+
+def object_description_transform(app, domain, objtype, contentnode):
+    """
+    Add all collected record fields as a "Field" field to a ZeekType.
+    """
+    if domain != "zeek" or objtype != "type":
+        return
+
+    type_name = app.env.ref_context["zeek:type"]
+    record_fields = app.env.domaindata["zeek"].get("fields", {}).get(type_name)
+
+    if not record_fields:
+        return
+
+    field_list = contentnode[0]
+
+    name = nodes.field_name("", _("Fields"))
+    body = nodes.field_body("")
+
+    for field_name, record_field in record_fields.items():
+        body += record_field["idx"]
+        body += record_field["signode"]
+
+    field_list.append(nodes.field("", name, body))
+
+
+def process_see_nodes(app, doctree, fromdocname):
+    for node in doctree.traverse(see):
+        content = []
+        para = nodes.paragraph()
+        para += nodes.Text("See also:", "See also:")
+        for name in node.refs:
+            join_str = " "
+            if name != node.refs[0]:
+                join_str = ", "
+            link_txt = join_str + name
+            if name not in app.env.domaindata["zeek"]["idtypes"]:
+                # Just create the text and issue warning
+                logger.warning(
+                    '%s: unknown target for ".. zeek:see:: %s"',
+                    fromdocname,
+                    name,
+                    location=node,
+                )
+                para += nodes.Text(link_txt, link_txt)
+            else:
+                # Create a reference
+                typ = app.env.domaindata["zeek"]["idtypes"][name]
+                todocname = app.env.domaindata["zeek"]["objects"][(typ, name)]
+
+                newnode = nodes.reference("", "")
+                innernode = nodes.literal(_(name), _(name), classes=["xref"])
+                newnode["refdocname"] = todocname
+                newnode["refuri"] = app.builder.get_relative_uri(fromdocname, todocname)
+                newnode["refuri"] += "#" + typ + "-" + name
+                newnode.append(innernode)
+                para += nodes.Text(join_str, join_str)
+                para += newnode
+
+        content.append(para)
+        node.replace_self(content)
+
+
+class ZeekGeneric(ObjectDescription):
+    option_spec = {"source-code": directives.unchanged}
+
+    def __init__(self, *args, **kwargs):
+        super(ObjectDescription, self).__init__(*args, **kwargs)
+        options = args[2]
+        self.code_url = None
+
+        if "source-code" in options and "zeek-code-url" in self.env.config:
+            base_url = self.env.config["zeek-code-url"]
+            path, start, end = options["source-code"].split()
+            path_parts = path.split("/")
+            file_name = path_parts[-1]
+
+            # Don't have anything to link to for BIFs
+            if not file_name.endswith(".bif.zeek"):
+                self.code_url = f"{base_url}/scripts/{path}#L{start}-L{end}"
+
+    def get_obj_name(self):
+        return self.objtype
+
+    def update_type_map(self, idname):
+        if "idtypes" not in self.env.domaindata["zeek"]:
+            self.env.domaindata["zeek"]["idtypes"] = {}
+        self.env.domaindata["zeek"]["idtypes"][idname] = self.get_obj_name()
+
+    def process_signode(self, name, sig, signode, targetname):
+        signode["names"].append(targetname)
+        signode["ids"].append(targetname)
+        signode["first"] = not self.names
+        self.state.document.note_explicit_target(signode)
+
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.get_obj_name() + "-" + name
+
+        if targetname not in self.state.document.ids:
+            self.process_signode(name, sig, signode, targetname)
+
+            objects = self.env.domaindata["zeek"]["objects"]
+            key = (self.get_obj_name(), name)
+
+            if (
+                key in objects
+                and self.get_obj_name() != "id"
+                and self.get_obj_name() != "type"
+                and self.get_obj_name() != "field"
+            ):
+                logger.warning(
+                    "%s: duplicate description of %s %s, other instance in %s %s",
+                    self.env.docname,
+                    self.get_obj_name(),
+                    name,
+                    self.env.doc2path(objects[key]),
+                    self.lineno,
+                )
+
+            objects[key] = self.env.docname
+            self.update_type_map(name)
+
+        indextext = self.get_index_text(name)
+
+        if indextext:
+            self.indexnode["entries"].append(
+                make_index_tuple("single", indextext, targetname, targetname)
+            )
+
+    def get_index_text(self, name):
+        return _("%s (%s)") % (name, self.get_obj_name())
+
+    def handle_signature(self, sig, signode):
+        if self.code_url:
+            signode += nodes.reference(
+                sig, sig, refuri=self.code_url, reftitle="View Source Code"
+            )
+
+            # Could embed snippets directly, but would probably want to clean
+            # up how it's done: don't use an external script, figure out why
+            # tab/indentation is broken, toggle snippet visibility on mouse
+            # hover or other explicit button/link, fix the colors/theming...
+            # But for now, leaving this commented out as an example and quick
+            # way of checking that the code ranges that Zeekygen outputs are
+            # sensible.
+
+            # import urllib
+            # snippet_target = urllib.parse.quote(self.code_url, '')
+            # snippet_url = 'https://emgithub.com/embed.js'
+            # snippet_url += f'?target={snippet_target}'
+            # snippet_url += '&style=github'
+            # snippet_url += '&showLineNumbers=on'
+            # snippet_url += '&showBorder=on'
+            # snippet_url += '&ts=4'
+            # rawnode = nodes.raw('', f'<script src="{snippet_url}"></script>',
+            #                     format='html')
+            # signode += rawnode
+
+        else:
+            signode += addnodes.desc_name("", sig)
+
+        return sig
+
+
+class ZeekNamespace(ZeekGeneric):
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.get_obj_name() + "-" + name
+
+        if targetname not in self.state.document.ids:
+            signode["names"].append(targetname)
+            signode["ids"].append(targetname)
+            signode["first"] = not self.names
+            self.state.document.note_explicit_target(signode)
+
+            objects = self.env.domaindata["zeek"]["objects"]
+            key = (self.get_obj_name(), name)
+            objects[key] = self.env.docname
+            self.update_type_map(name)
+
+        indextext = self.get_index_text(name)
+        self.indexnode["entries"].append(
+            make_index_tuple("single", indextext, targetname, targetname)
+        )
+        self.indexnode["entries"].append(
+            make_index_tuple("single", f"namespaces; {sig}", targetname, targetname)
+        )
+
+    def get_index_text(self, name):
+        return _("%s (namespace); %s") % (name, self.env.docname)
+
+    def handle_signature(self, sig, signode):
+        signode += addnodes.desc_name("", sig)
+        return sig
+
+
+class ZeekEnum(ZeekGeneric):
+    def add_target_and_index(self, name, sig, signode):
+        targetname = self.get_obj_name() + "-" + name
+
+        if targetname not in self.state.document.ids:
+            self.process_signode(name, sig, signode, targetname)
+
+            objects = self.env.domaindata["zeek"]["objects"]
+            key = (self.get_obj_name(), name)
+            objects[key] = self.env.docname
+            self.update_type_map(name)
+
+        # indextext = self.get_index_text(name)
+        # self.indexnode['entries'].append(make_index_tuple('single', indextext,
+        #                                  targetname, targetname))
+        m = sig.split()
+
+        if len(m) < 2:
+            logger.warning(
+                "%s: zeek:enum directive missing argument(s)", self.env.docname
+            )
+            return
+
+        if m[1] == "Notice::Type":
+            if "notices" not in self.env.domaindata["zeek"]:
+                self.env.domaindata["zeek"]["notices"] = []
+            self.env.domaindata["zeek"]["notices"].append(
+                (m[0], self.env.docname, targetname)
+            )
+
+        self.indexnode["entries"].append(
+            make_index_tuple(
+                "single", f"{m[1]} (enum values); {m[0]}", targetname, targetname
+            )
+        )
+
+    def handle_signature(self, sig, signode):
+        m = sig.split()
+        name = m[0]
+        signode += addnodes.desc_name("", name)
+        return name
+
+
+class ZeekParamField(docfields.GroupedField):
+    has_arg = True
+    is_typed = True
+
+
+class ZeekIdentifier(ZeekGeneric):
+    zeek_param_field = ZeekParamField("param", label="Parameters", can_collapse=True)
+    field_type_map = {"param": (zeek_param_field, False)}
+
+    def get_index_text(self, name):
+        return name
+
+    def get_field_type_map(self):
+        return self.field_type_map
+
+
+class ZeekNative(ZeekGeneric):
+    def handle_signature(self, sig, signode):
+        # The run() method is overridden to drop signode anyway in favor of
+        # simply adding the index and a target nodes and leaving up
+        # to the .rst document to explicitly add things that need to
+        # be presented in the final rendering (e.g. a section header)
+        self.native_name = sig
+        return sig
+
+    def process_signode(self, name, sig, signode, targetname):
+        pass
+
+    def run(self):
+        ns = super().run()
+        index_node = ns[0]
+
+        target_id = self.get_obj_name() + "-" + self.native_name
+        target_node = nodes.target("", "", ids=[target_id])
+        self.state.document.note_explicit_target(target_node)
+
+        # Replace the description node from Sphinx with a simple target node
+        return [index_node, target_node]
+
+
+class ZeekKeyword(ZeekNative):
+    def get_index_text(self, name):
+        if name and name[0] == "@":
+            return _("%s (directive)") % (name)
+        else:
+            return _("%s (keyword)") % (name)
+
+
+class ZeekAttribute(ZeekNative):
+    def get_index_text(self, name):
+        return _("%s (attribute)") % (name)
+
+
+class ZeekType(ZeekGeneric):
+    """
+    Put the type that's currently documented into env.ref_context
+    for usage with the ZeekField directive.
+    """
+
+    def before_content(self):
+        self.env.ref_context["zeek:type"] = self.arguments[0]
+
+    def after_content(self):
+        self.env.ref_context.pop("zeek:type", None)
+
+
+class ZeekField(ZeekGeneric):
+    def handle_signature(self, sig, signode):
+        """
+        The signature for .. zeek:field: currently looks like the following:
+
+          .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+        """
+        parts = sig.split(" ", 2)
+        name, type_str = parts[0:2]
+        record_type = self.env.ref_context["zeek:type"]
+        fullname = "$".join([record_type, name])
+        attrs_str = ""
+        if len(parts) == 3:
+            attrs_str = parts[2]
+
+        type_nodes, _ = self.state.inline_text(type_str, -1)
+
+        signode += addnodes.desc_name(name, name)
+        signode += addnodes.desc_sig_punctuation("", ":")
+        signode += addnodes.desc_sig_space()
+        signode += type_nodes
+
+        if attrs_str:
+            attr_nodes, _ = self.state.inline_text(attrs_str, -1)
+            signode += addnodes.desc_sig_space()
+            signode += attr_nodes
+
+        signode["class"] = record_type
+        signode["fullname"] = fullname
+
+        return fullname
+
+    def run(self):
+        idx, signode = super().run()
+
+        record_type = self.env.ref_context["zeek:type"]
+
+        fields = self.env.domaindata["zeek"].setdefault("fields", {})
+        rfields = fields.setdefault(record_type, collections.OrderedDict())
+        rfields[signode[0]["fullname"]] = {
+            "idx": idx,
+            "signode": signode,
+        }
+
+        return []
+
+
+class ZeekNativeType(ZeekNative):
+    def get_obj_name(self):
+        # As opposed to using 'native-type', just imitate 'type'.
+        return "type"
+
+
+class ZeekFieldXRefRole(XRefRole):
+    def process_link(self, env, refnode, has_explicit_title, title, target):
+        title, target = super().process_link(
+            env, refnode, has_explicit_title, title, target
+        )
+
+        parts = title.split("$")
+        if len(parts) == 2 and parts[0] and parts[1]:
+            # If a field is in Type$field, form, strip Type.
+            title = parts[1]
+
+        return title, target
+
+
+class ZeekNotices(Index):
+    """
+    Index subclass to provide the Zeek notices index.
+    """
+
+    name = "noticeindex"
+    localname = _("Zeek Notice Index")
+    shortname = _("notices")
+
+    def generate(self, docnames=None):
+        content = {}
+
+        if "notices" not in self.domain.env.domaindata["zeek"]:
+            return content, False
+
+        for n in self.domain.env.domaindata["zeek"]["notices"]:
+            modname = n[0].split("::")[0]
+            entries = content.setdefault(modname, [])
+            entries.append([n[0], 0, n[1], n[2], "", "", ""])
+
+        content = sorted(content.items())
+
+        return content, False
+
+
+class ZeekDomain(Domain):
+    """Zeek domain."""
+
+    name = "zeek"
+    label = "Zeek"
+
+    object_types = {
+        "type": ObjType(_("type"), "type"),
+        "native-type": ObjType(_("type"), "type"),
+        "namespace": ObjType(_("namespace"), "namespace"),
+        "id": ObjType(_("id"), "id"),
+        "keyword": ObjType(_("keyword"), "keyword"),
+        "enum": ObjType(_("enum"), "enum"),
+        "attr": ObjType(_("attr"), "attr"),
+        "field": ObjType(_("field"), "field"),
+    }
+
+    directives = {
+        "type": ZeekType,
+        "native-type": ZeekNativeType,
+        "namespace": ZeekNamespace,
+        "id": ZeekIdentifier,
+        "keyword": ZeekKeyword,
+        "enum": ZeekEnum,
+        "attr": ZeekAttribute,
+        "field": ZeekField,
+    }
+
+    roles = {
+        "type": XRefRole(),
+        "namespace": XRefRole(),
+        "id": XRefRole(),
+        "keyword": XRefRole(),
+        "enum": XRefRole(),
+        "attr": XRefRole(),
+        "see": XRefRole(),
+        "field": ZeekFieldXRefRole(),
+    }
+
+    indices = [
+        ZeekNotices,
+    ]
+
+    initial_data = {
+        "objects": {},  # fullname -> docname, objtype
+    }
+
+    def clear_doc(self, docname):
+        to_delete = []
+
+        for (typ, name), doc in self.data["objects"].items():
+            if doc == docname:
+                to_delete.append((typ, name))
+
+        for typ, name in to_delete:
+            del self.data["objects"][typ, name]
+
+    def resolve_xref(self, env, fromdocname, builder, typ, target, node, contnode):
+        objects = self.data["objects"]
+
+        if typ == "see":
+            if target not in self.data["idtypes"]:
+                logger.warning(
+                    '%s: unknown target for ":zeek:see:`%s`"', fromdocname, target
+                )
+                return []
+
+            objtype = self.data["idtypes"][target]
+            return make_refnode(
+                builder,
+                fromdocname,
+                objects[objtype, target],
+                objtype + "-" + target,
+                contnode,
+                target + " " + objtype,
+            )
+        elif typ == "field" and "$" not in target:
+            # :zeek:field:`x` without a record type ends up just x, no ref.
+            return []
+        else:
+            objtypes = self.objtypes_for_role(typ)
+
+            for objtype in objtypes:
+                if (objtype, target) in objects:
+                    return make_refnode(
+                        builder,
+                        fromdocname,
+                        objects[objtype, target],
+                        objtype + "-" + target,
+                        contnode,
+                        target + " " + objtype,
+                    )
+                else:
+                    logger.warning(
+                        '%s: unknown target for ":zeek:%s:`%s`"',
+                        fromdocname,
+                        typ,
+                        target,
+                    )
+
+    def get_objects(self):
+        for (typ, name), docname in self.data["objects"].items():
+            yield name, name, typ, docname, typ + "-" + name, 1
+
+    def merge_domaindata(self, docnames, otherdata):
+        """
+        Merge domaindata in multiprocess mode.
+
+        I'm quite unclear how the objects dict works out okay in single
+        process mode. For example, the file_entropy() event is defined
+        in scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek.rst
+        *and* in script-reference/autogenerated-file-analyzer-index.rst.
+        The current documentation refers to the first one for :zeek:see:.
+        It seems in single process mode the reading sorts filenames and
+        just uses the last highest sorting one. That ends-up being the one
+        in scripts/base.
+
+            In [4]: "script-reference/autogenerated" < "scripts/base"
+            Out[4]: True
+
+        """
+        for target, data in otherdata.items():
+            if target == "version":
+                continue
+            elif hasattr(data, "items"):
+                target_data = self.env.domaindata["zeek"].setdefault(target, {})
+
+                # Iterate manually over the elements for debugging
+                for k, v in data.items():
+                    if k not in target_data:
+                        target_data[k] = v
+                    else:
+                        # The > comparison below updates the objects domaindata
+                        # to filenames that sort higher. See comment above.
+                        if isinstance(v, str):
+                            if v > target_data[k]:
+                                target_data[k] = v
+                        else:
+                            # Otherwise assume it's a dict and we can merge
+                            # using update()
+                            target_data[k].update(v)
+
+            elif hasattr(data, "extend"):
+                # notices are a list
+                target_data = self.env.domaindata["zeek"].setdefault(target, [])
+                target_data.extend(data)
+            else:
+                raise NotImplementedError(target, type(data))
diff --git a/doc/ext/zeek_pygments.py b/doc/ext/zeek_pygments.py
new file mode 100644
index 0000000000..aaa9f449fe
--- /dev/null
+++ b/doc/ext/zeek_pygments.py
@@ -0,0 +1,247 @@
+from pygments.lexer import RegexLexer, bygroups, include, words
+from pygments.token import (
+    Comment,
+    Keyword,
+    Literal,
+    Name,
+    Number,
+    Operator,
+    Punctuation,
+    String,
+    Text,
+)
+
+
+def setup(Sphinx):
+    return {
+        "parallel_read_safe": True,
+    }
+
+
+class ZeekLexer(RegexLexer):
+    """
+    For `Zeek <https://www.zeek.org/>`_ scripts.
+
+    .. versionadded:: 2.5
+    """
+
+    name = "Zeek"
+    aliases = ["zeek"]
+    filenames = ["*.zeek"]
+
+    _hex = r"[0-9a-fA-F]"
+    _float = r"((\d*\.?\d+)|(\d+\.?\d*))([eE][-+]?\d+)?"
+    _h = r"[A-Za-z0-9][-A-Za-z0-9]*"
+
+    tokens = {
+        "root": [
+            include("whitespace"),
+            include("comments"),
+            include("directives"),
+            include("attributes"),
+            include("types"),
+            include("keywords"),
+            include("literals"),
+            include("operators"),
+            include("punctuation"),
+            (
+                r"\b((?:[A-Za-z_][A-Za-z_0-9]*)(?:::(?:[A-Za-z_][A-Za-z_0-9]*))*)(?=\s*\()",
+                Name.Function,
+            ),
+            include("identifiers"),
+        ],
+        "whitespace": [
+            (r"\n", Text),
+            (r"\s+", Text),
+            (r"\\\n", Text),
+        ],
+        "comments": [
+            (r"#.*$", Comment),
+        ],
+        "directives": [
+            (r"(@(load-plugin|load-sigs|load|unload))\b.*$", Comment.Preproc),
+            (
+                r"(@(DEBUG|DIR|FILENAME|deprecated|if|ifdef|ifndef|else|endif))\b",
+                Comment.Preproc,
+            ),
+            (r"(@prefixes)\s*(\+?=).*$", Comment.Preproc),
+        ],
+        "attributes": [
+            (
+                words(
+                    (
+                        "redef",
+                        "priority",
+                        "log",
+                        "optional",
+                        "default",
+                        "add_func",
+                        "delete_func",
+                        "expire_func",
+                        "read_expire",
+                        "write_expire",
+                        "create_expire",
+                        "synchronized",
+                        "persistent",
+                        "rotate_interval",
+                        "rotate_size",
+                        "encrypt",
+                        "raw_output",
+                        "mergeable",
+                        "error_handler",
+                        "broker_allow_complex_type",
+                        "is_assigned",
+                        "is_used",
+                        "type_column",
+                        "deprecated",
+                        "on_change",
+                        "backend",
+                        "broker_store",
+                    ),
+                    prefix=r"&",
+                    suffix=r"\b",
+                ),
+                Keyword.Pseudo,
+            ),
+        ],
+        "types": [
+            (
+                words(
+                    (
+                        "any",
+                        "enum",
+                        "record",
+                        "set",
+                        "table",
+                        "vector",
+                        "function",
+                        "hook",
+                        "event",
+                        "addr",
+                        "bool",
+                        "count",
+                        "double",
+                        "file",
+                        "int",
+                        "interval",
+                        "pattern",
+                        "port",
+                        "string",
+                        "subnet",
+                        "time",
+                    ),
+                    prefix=r"\b",
+                    suffix=r"\b",
+                ),
+                Keyword.Type,
+            ),
+            (
+                r"\b(opaque)(\s+)(of)(\s+)((?:[A-Za-z_][A-Za-z_0-9]*)(?:::(?:[A-Za-z_][A-Za-z_0-9]*))*)\b",
+                bygroups(Keyword.Type, Text, Operator.Word, Text, Keyword.Type),
+            ),
+            (
+                r"\b(type)(\s+)((?:[A-Za-z_][A-Za-z_0-9]*)(?:::(?:[A-Za-z_][A-Za-z_0-9]*))*)(\s*)(:)(\s*)\b(record|enum)\b",
+                bygroups(Keyword, Text, Name.Class, Text, Operator, Text, Keyword.Type),
+            ),
+            (
+                r"\b(type)(\s+)((?:[A-Za-z_][A-Za-z_0-9]*)(?:::(?:[A-Za-z_][A-Za-z_0-9]*))*)(\s*)(:)",
+                bygroups(Keyword, Text, Name, Text, Operator),
+            ),
+            (
+                r"\b(redef)(\s+)(record|enum)(\s+)((?:[A-Za-z_][A-Za-z_0-9]*)(?:::(?:[A-Za-z_][A-Za-z_0-9]*))*)\b",
+                bygroups(Keyword, Text, Keyword.Type, Text, Name.Class),
+            ),
+        ],
+        "keywords": [
+            (
+                words(
+                    (
+                        "redef",
+                        "export",
+                        "if",
+                        "else",
+                        "for",
+                        "while",
+                        "return",
+                        "break",
+                        "next",
+                        "continue",
+                        "fallthrough",
+                        "switch",
+                        "default",
+                        "case",
+                        "add",
+                        "delete",
+                        "copy",
+                        "when",
+                        "timeout",
+                        "schedule",
+                    ),
+                    prefix=r"\b",
+                    suffix=r"\b",
+                ),
+                Keyword,
+            ),
+            (r"\b(print)\b", Keyword),
+            (r"\b(global|local|const|option)\b", Keyword.Declaration),
+            (
+                r"\b(module)(\s+)(([A-Za-z_][A-Za-z_0-9]*)(?:::([A-Za-z_][A-Za-z_0-9]*))*)\b",
+                bygroups(Keyword.Namespace, Text, Name.Namespace),
+            ),
+        ],
+        "literals": [
+            (r'"', String, "string"),
+            # Not the greatest match for patterns, but generally helps
+            # disambiguate between start of a pattern and just a division
+            # operator.
+            (r"/(?=.*/)", String.Regex, "regex"),
+            (r"\b(T|F)\b", Keyword.Constant),
+            # Port
+            (r"\b\d{1,5}/(udp|tcp|icmp|unknown)\b", Number),
+            # IPv4 Address
+            (
+                r"\b(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\b",
+                Number,
+            ),
+            # IPv6 Address (not 100% correct: that takes more effort)
+            (
+                r"\[([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})?((25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2})\.(25[0-5]|2[0-4][0-9]|[0-1][0-9]{2}|[0-9]{1,2}))?\]",
+                Number,
+            ),
+            # Numeric
+            (r"\b0[xX]" + _hex + r"+\b", Number.Hex),
+            (r"\b" + _float + r"\s*(day|hr|min|sec|msec|usec)s?\b", Literal.Date),
+            (r"\b" + _float + r"\b", Number.Float),
+            (r"\b(\d+)\b", Number.Integer),
+            # Hostnames
+            (_h + r"(\." + _h + r")+", String),
+        ],
+        "operators": [
+            (r"[!%*/+<=>~|&^-]", Operator),
+            (r"([-+=&|]{2}|[+=!><-]=)", Operator),
+            (r"\b(in|as|is|of)\b", Operator.Word),
+            (r"\??\$", Operator),
+            # Technically, colons are often used for punctuation/separation.
+            # E.g. field name/type separation.
+            (r"[?:]", Operator),
+        ],
+        "punctuation": [
+            (r"\?\$", Punctuation),
+            (r"[{}()\[\],;:.]", Punctuation),
+        ],
+        "identifiers": [
+            (r"([a-zA-Z_]\w*)(::)", bygroups(Name, Punctuation)),
+            (r"[a-zA-Z_]\w*", Name),
+        ],
+        "string": [
+            (r"\\.", String.Escape),
+            (r"%-?[0-9]*(\.[0-9]+)?[DTdxsefg]", String.Escape),
+            (r'"', String, "#pop"),
+            (r".", String),
+        ],
+        "regex": [
+            (r"\\.", String.Escape),
+            (r"/", String.Regex, "#pop"),
+            (r".", String.Regex),
+        ],
+    }
diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst
new file mode 100644
index 0000000000..a70b042e5a
--- /dev/null
+++ b/doc/frameworks/broker.rst
@@ -0,0 +1,644 @@
+.. _CAF: https://github.com/actor-framework/actor-framework
+
+.. _broker-framework:
+
+==============================
+Broker Communication Framework
+==============================
+
+.. rst-class:: opening
+
+    Zeek uses the `Broker Library
+    <https://docs.zeek.org/projects/broker>`_ to exchange information with
+    other Zeek processes.  Broker itself uses CAF_ (C++ Actor Framework)
+    internally for connecting nodes and exchanging arbitrary data over
+    networks.  Broker then introduces, on top of CAF, a topic-based
+    publish/subscribe communication pattern using a data model that is
+    compatible to Zeek's.  Broker itself can be utilized outside the
+    context of Zeek, with Zeek itself making use of only a few predefined
+    Broker message formats that represent Zeek events, log entries, etc.
+
+    In summary, the Zeek's Broker framework provides basic facilities for
+    connecting broker-enabled peers (e.g. Zeek instances) to each other
+    and exchanging messages (e.g. events and logs).
+
+Cluster Layout / API
+====================
+
+Layout / Topology
+-----------------
+
+In a Zeek cluster setup, every Zeek process is assigned a cluster role.
+Such a process is then called a Zeek node, a cluster node, or just named
+after the role of the process (the manager, the loggers, ...). A basic Zeek
+cluster uses four different node types, enumerated in the script-level
+variable :zeek:see:`Cluster::NodeType`.
+
+- Manager
+- Logger
+- Worker
+- Proxy
+
+In small Zeek deployments, all nodes may run on a single host. In large
+Zeek deployments, nodes may be distributed across multiple physical
+systems for scaling.
+
+Currently, a single Manager node in a Zeek cluster exists. Further, connectivity
+between nodes is determined statically based on their type:
+
+- Every node connects to all loggers and the manager.
+
+- Each worker connects to all proxies.
+
+
+.. figure:: broker/cluster-layout.png
+
+Some general suggestions as to the purpose/utilization of each node type:
+
+- Workers: are a good first choice for doing the brunt of any work you need
+  done.  They should be spending a lot of time performing the actual job
+  of parsing/analyzing incoming data from packets, so you might choose
+  to look at them as doing a "first pass" analysis and then deciding how
+  the results should be shared with other nodes in the cluster.
+
+- Proxies: serve as intermediaries for data storage and work/calculation
+  offloading.  Good for helping offload work or data in a scalable and
+  distributed way.  Since any given worker is connected to all
+  proxies and can agree on an "arbitrary key -> proxy node" mapping
+  (more on that later), you can partition work or data amongst them in a
+  uniform manner.  e.g. you might choose to use proxies as a method of
+  sharing non-persistent state or as a "second pass" analysis for any
+  work that you don't want interfering with the workers' capacity to
+  keep up with capturing and parsing packets.  Note that the default scripts
+  that come with Zeek make minimal use of proxies, so if you are coming
+  from a previous ZeekControl deployment, you may want to try reducing down
+  to a single proxy node.  If you come to have custom/community scripts
+  that utilize proxies, that would be the time to start considering scaling
+  up the number of proxies to meet demands.
+
+- Manager: this node will be good at performing decisions that require a
+  global view of things since it is in a centralized location, connected
+  to everything.  However, that also makes it easy to overload, so try
+  to use it sparingly and only for tasks that must be done in a
+  centralized or authoritative location. Optionally, for some
+  deployments, the Manager can also serve as the sole Logger.
+
+- Loggers: these nodes should simply be spending their time writing out
+  logs to disk and not used for much else.  In the default cluster
+  configuration, logs get distributed among available loggers in a
+  round-robin fashion, providing failover capability should any given
+  logger temporarily go offline.
+
+Data Management/Sharing Strategies
+==================================
+
+There's maybe no single, best approach or pattern to use when you need a
+Zeek script to store or share long-term state and data.  The two
+approaches that were previously used were either using the ``&synchronized``
+attribute on tables/sets or by explicitly sending events to specific
+nodes on which you wanted data to be stored.  The former is no longer
+possible, though there are several new possibilities that the new
+Broker/Cluster framework offer, namely distributed data store and data
+partitioning APIs.
+
+Data Stores
+-----------
+
+Broker provides a distributed key-value store interface with optional
+choice of using a persistent backend. For more detail, see
+:ref:`this example <data_store_example>`.
+
+Some ideas/considerations/scenarios when deciding whether to use
+a data store for your use-case:
+
+* If you need the full data set locally in order to achieve low-latency
+  queries using data store "clones" can provide that.
+
+* If you need data that persists across restarts of Zeek processes, then
+  data stores can also provide that.
+
+* If the data you want to store is complex (tables, sets, records) or
+  you expect to read, modify, and store back, then data stores may not
+  be able to provide simple, race-free methods of performing the pattern
+  of logic that you want.
+
+* If the data set you want to store is excessively large, that's still
+  problematic even for stores that use a persistent backend as they are
+  implemented in a way that requires a full snapshot of the store's
+  contents to fit in memory (this limitation may change in the future).
+
+Data Partitioning
+-----------------
+
+New data partitioning strategies are available using the API in
+:doc:`/scripts/base/frameworks/cluster/pools.zeek`.  Using that API, developers
+of custom Zeek scripts can define a custom pool of nodes that best fits the
+needs of their script.
+
+One example strategy is to use Highest Random Weight (HRW) hashing to
+partition data tables amongst the pool of all proxy nodes.  e.g. using
+:zeek:see:`Cluster::publish_hrw`.  This could allow clusters to
+be scaled more easily than the approach of "the entire data set gets
+synchronized to all nodes" as the solution to memory limitations becomes
+"just add another proxy node".  It may also take away some of the
+messaging load that used to be required to synchronize data sets across
+all nodes.
+
+The tradeoff of this approach, is that nodes that leave the pool (due to
+crashing, etc.) cause a temporary gap in the total data set until
+workers start hashing keys to a new proxy node that is still alive,
+causing data to now be located and updated there.
+
+If the developer of a script expects its workload to be particularly
+intensive, wants to ensure that their operations get exclusive
+access to nodes, or otherwise set constraints on the number of nodes within
+a pool utilized by their script, then the :zeek:see:`Cluster::PoolSpec`
+structure will allow them to do that while still allowing users of that script
+to override the default suggestions made by the original developer.
+
+Broker Framework Examples
+=========================
+
+The broker framework provides basic facilities for connecting Zeek instances
+to each other and exchanging messages, like events or logs.
+
+See :doc:`/scripts/base/frameworks/broker/main.zeek` for an overview
+of the main Broker API.
+
+.. _broker_topic_naming:
+
+Topic Naming Conventions
+------------------------
+
+All Broker-based messaging involves two components: the information you
+want to send (e.g. an event w/ its arguments) along with an associated
+topic name string.  The topic strings are used as a filtering mechanism:
+Broker uses a publish/subscribe communication pattern where peers
+advertise interest in topic **prefixes** and only receive messages which
+match one of their prefix subscriptions.
+
+Broker itself supports arbitrary topic strings, however Zeek generally
+follows certain conventions in choosing these topics to help avoid
+conflicts and generally make them easier to remember.
+
+As a reminder of how topic subscriptions work, subscribers advertise
+interest in a topic **prefix** and then receive any messages published by a
+peer to a topic name that starts with that prefix.  E.g. Alice
+subscribes to the "alice/dogs" prefix, then would receive the following
+message topics published by Bob:
+
+- topic "alice/dogs/corgi"
+- topic "alice/dogs"
+- topic "alice/dogsarecool/oratleastilikethem"
+
+Alice would **not** receive the following message topics published by Bob:
+
+- topic "alice/cats/siamese"
+- topic "alice/cats"
+- topic "alice/dog"
+- topic "alice"
+
+Note that the topics aren't required to form a slash-delimited hierarchy,
+the subscription matching is purely a byte-per-byte prefix comparison.
+
+However, Zeek scripts generally will follow a topic naming hierarchy and
+any given script will make the topic names it uses apparent via some
+redef'able constant in its export section.  Generally topics that Zeek
+scripts use will be along the lines of :samp:`zeek/{<namespace>}/{<specifics>}`
+with :samp:`{<namespace>}` being the script's module name (in all-undercase).
+For example, you might expect an imaginary ``Pretend`` framework to
+publish/subscribe using topic names like ``zeek/pretend/my_cool_event``.
+For scripts that use Broker as a means of cluster-aware analysis,
+it's usually sufficient for them to make use of the topics declared
+by the cluster framework.  For scripts that are meant to establish
+communication flows unrelated to Zeek cluster, new topics are declared
+(examples being the NetControl and Control frameworks).
+
+For cluster operation, see :doc:`/scripts/base/frameworks/cluster/main.zeek`
+for a list of topics that are useful for steering published events to
+the various node classes.  E.g. you have the ability to broadcast
+to all nodes of a given class (e.g. just workers) or just send to a
+specific node within a class.
+
+The topic names that logs get published under are a bit nuanced.  In the
+default cluster configuration, they are round-robin published to
+explicit topic names that identify a single logger.  In standalone Zeek
+processes, logs get published to the topic indicated by
+:zeek:see:`Broker::default_log_topic_prefix`.
+
+For those writing their own scripts which need new topic names, a
+suggestion would be to avoid prefixing any new topics/prefixes with
+``zeek/`` as any changes in scripts shipping with Zeek will use that prefix
+and it's better to not risk unintended conflicts.  Again, it's
+often less confusing to just re-use existing topic names instead
+of introducing new topic names.  The typical use case is writing
+a cluster-enabled script, which usually just needs to route events
+based upon node classes, and that already has usable topics in the
+cluster framework.
+
+Connecting to Peers
+-------------------
+
+Zeek can accept incoming connections by calling :zeek:see:`Broker::listen`.
+
+.. literalinclude:: broker/connecting-listener.zeek
+   :caption: connecting-listener.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Zeek can initiate outgoing connections by calling :zeek:see:`Broker::peer`.
+
+.. literalinclude:: broker/connecting-connector.zeek
+   :caption: connecting-connector.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+In either case, connection status updates are monitored via the
+:zeek:see:`Broker::peer_added` and :zeek:see:`Broker::peer_lost` events.
+
+Remote Events
+-------------
+
+To receive remote events, you need to first subscribe to a "topic" to which
+the events are being sent.  A topic is just a string chosen by the sender,
+and named in a way that helps organize events into various categories.
+See the :ref:`topic naming conventions section <broker_topic_naming>` for
+more on how topics work and are chosen.
+
+Use the :zeek:see:`Broker::subscribe` function to subscribe to topics and
+define any event handlers for events that peers will send.
+
+.. literalinclude:: broker/events-listener.zeek
+   :caption: events-listener.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+To send an event, call the :zeek:see:`Broker::publish` function which you can
+supply directly with the event and its arguments or give it the return value of
+:zeek:see:`Broker::make_event` in case you need to send the same event/args
+multiple times.  When publishing events like this, local event handlers for
+the event are not called, even if a matching subscription exists.
+
+.. literalinclude:: broker/events-connector.zeek
+   :caption: events-connector.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Note that the subscription model is prefix-based, meaning that if you subscribe
+to the ``zeek/events`` topic prefix you would receive events that are published
+to topic names ``zeek/events/foo`` and ``zeek/events/bar`` but not
+``zeek/misc``.
+
+.. note::
+
+   In prior Zeek versions, ``Broker::auto_publish`` was available to automatically
+   send events to peers whenever the events were called locally via the normal
+   event invocation syntax. When auto-publishing events, local event handlers for
+   the event were called in addition to sending the event to any subscribed peers.
+
+   ``Broker::auto_publish`` was removed due to its
+   `implicit nature <https://github.com/zeek/zeek/discussions/3637>`_.
+
+
+Remote Logging
+--------------
+
+.. literalinclude:: broker/testlog.zeek
+   :caption: testlog.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+To toggle remote logs, redef :zeek:see:`Log::enable_remote_logging`.
+Use the :zeek:see:`Broker::subscribe` function to advertise interest
+in logs written by peers.  The topic names that Zeek uses are determined by
+:zeek:see:`Broker::log_topic`.
+
+.. literalinclude:: broker/logs-listener.zeek
+   :caption: logs-listener.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. literalinclude:: broker/logs-connector.zeek
+   :caption: logs-connector.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Note that logging events are only raised locally on the node that performs
+the :zeek:see:`Log::write` and not automatically published to peers.
+
+.. _data_store_example:
+
+Distributed Data Stores
+-----------------------
+
+See :doc:`/scripts/base/frameworks/broker/store.zeek` for an overview
+of the Broker data store API.
+
+There are two flavors of key-value data store interfaces: master and clone.
+
+A master data store can be cloned from remote peers which may then
+perform lightweight, local queries against the clone, which
+automatically stays synchronized with the master store.  Clones cannot
+modify their content directly, instead they send modifications to the
+centralized master store which applies them and then broadcasts them to
+all clones.
+
+Master stores get to choose what type of storage backend to
+use.  E.g. In-memory versus SQLite for persistence.
+
+Data stores also support expiration on a per-key basis using an amount of
+time relative to the entry's last modification time.
+
+.. literalinclude:: broker/stores-listener.zeek
+   :caption: stores-listener.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. literalinclude:: broker/stores-connector.zeek
+   :caption: stores-connector.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Note that all data store queries must be made within Zeek's asynchronous
+``when`` statements and must specify a timeout block.
+
+
+SQLite Data Store Tuning
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+When leveraging the SQLite backend for persistence, SQLite's default journaling
+and consistency settings are used. Concretely, ``journal_mode`` is set to
+``DELETE`` and ``synchronous`` to ``FULL``. This in turn is not optimal for
+`high INSERT or UPDATE rates <https://www.sqlite.org/faq.html#q19>`_
+due to SQLite waiting for the required IO to complete until data is safely
+on disk. This can also have a non-negligible system effect when the
+SQLite database is located on the same device as other IO critical processes.
+
+Starting with Zeek 5.2, it is possible to tune and relax these settings by
+providing an appropriate :zeek:see:`Broker::BackendOptions` and
+:zeek:see:`Broker::SQLiteOptions` instance to
+:zeek:see:`Broker::create_master`. The following example changes the
+data store to use `Write-Ahead Logging <https://www.sqlite.org/wal.html>`_
+which should perform significantly faster than the default.
+
+
+.. literalinclude:: broker/store-sqlite-tuning.zeek
+   :caption: store-sqlite-tuning.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+If your use-case turns out to require more and lower-level tuning around
+SQLite options, please get in contact or open a feature request on GitHub.
+
+
+Cluster Framework Examples
+==========================
+
+This section contains a few brief examples of how various communication
+patterns one might use when developing Zeek scripts that are to operate in
+the context of a cluster.
+
+.. _event-namespacing-pitfall:
+
+A Reminder About Events and Module Namespaces
+---------------------------------------------
+
+For simplicity, the following examples do not use any modules/namespaces.
+If you choose to use them within your own code, it's important to
+remember that the ``event`` and ``schedule`` dispatching statements
+should always use the fully-qualified event name.
+
+For example, this will likely not work as expected:
+
+.. code-block:: zeek
+
+    module MyModule;
+
+    export {
+        global my_event: event();
+    }
+
+    event my_event()
+        {
+        print "got my event";
+        }
+
+    event zeek_init()
+        {
+        event my_event();
+        schedule 10sec { my_event() };
+        }
+
+This code runs without errors, however, the local ``my_event`` handler
+will never be called and also not any remote handlers either. Instead, at
+minimum you would need change the ``zeek_init()`` handler:
+
+.. code-block:: zeek
+
+    event zeek_init()
+        {
+        event MyModule::my_event();
+        schedule 10sec { MyModule::my_event() };
+        }
+
+Though, an easy rule of thumb to remember would be to always use the
+explicit module namespace scoping and you can't go wrong:
+
+.. code-block:: zeek
+
+    module MyModule;
+
+    export {
+        global MyModule::my_event: event();
+    }
+
+    event MyModule::my_event()
+        {
+        print "got my event";
+        }
+
+    event zeek_init()
+        {
+        event MyModule::my_event();
+        schedule 10sec { MyModule::my_event() };
+        }
+
+Event types that reside in the default namespace (such as :zeek:id:`zeek_init` or
+:zeek:id:`connection_established`) require no qualification, even when scheduled from
+inside a module. Don't force qualification of such events by prefixing with
+``GLOBAL::``.
+
+Note that other identifiers in Zeek do not have this inconsistency
+related to module namespacing, it's just events that require
+explicitness.
+
+Manager Sending Events To Workers
+---------------------------------
+
+This is fairly straightforward, we just need a topic name which we know
+all workers are subscribed combined with the event we want to send them.
+
+.. code-block:: zeek
+
+    event manager_to_workers(s: string)
+        {
+        print "got event from manager", s;
+        }
+
+    event some_event_handled_on_manager()
+        {
+        Broker::publish(Cluster::worker_topic, manager_to_workers,
+                        "hello v0");
+
+        # If you know this event is only handled on the manager, you don't
+        # need any of the following conditions, they're just here as an
+        # example of how you can further discriminate based on node identity.
+
+        # Can check based on the name of the node.
+        if ( Cluster::node == "manager" )
+            Broker::publish(Cluster::worker_topic, manager_to_workers,
+                            "hello v1");
+
+        # Can check based on the type of the node.
+        if ( Cluster::local_node_type() == Cluster::MANAGER )
+            Broker::publish(Cluster::worker_topic, manager_to_workers,
+                            "hello v2");
+
+        # The run-time overhead of the above conditions can even be
+        # eliminated by using the following conditional directives.
+        # It's evaluated once per node at parse-time and, if false,
+        # any code within is just ignored / treated as not existing at all.
+    @if ( Cluster::local_node_type() == Cluster::MANAGER )
+            Broker::publish(Cluster::worker_topic, manager_to_workers,
+                            "hello v3");
+    @endif
+        }
+
+Worker Sending Events To Manager
+--------------------------------
+
+This should look almost identical to the previous case of sending an event
+from the manager to workers, except it simply changes the topic name to
+one which the manager is subscribed.
+
+.. code-block:: zeek
+
+    event worker_to_manager(worker_name: string)
+        {
+        print "got event from worker", worker_name;
+        }
+
+    event some_event_handled_on_worker()
+        {
+        Broker::publish(Cluster::manager_topic, worker_to_manager,
+                        Cluster::node);
+        }
+
+Worker Sending Events To All Workers
+------------------------------------
+
+Since workers are not directly connected to each other in the cluster
+topology, this type of communication is a bit different than what we
+did before since we have to manually relay the event via some node that *is*
+connected to all workers.  The manager or a proxy satisfies that requirement:
+
+.. code-block:: zeek
+
+    event worker_to_workers(worker_name: string)
+        {
+    @if ( Cluster::local_node_type() == Cluster::MANAGER ||
+          Cluster::local_node_type() == Cluster::PROXY )
+            Broker::publish(Cluster::worker_topic, worker_to_workers,
+                            worker_name);
+    @else
+            print "got event from worker", worker_name;
+    @endif
+        }
+
+    event some_event_handled_on_worker()
+        {
+        # We know the manager is connected to all workers, so we could
+        # choose to relay the event across it.
+        Broker::publish(Cluster::manager_topic,  worker_to_workers,
+                        Cluster::node + " (via manager)");
+
+        # We also know that any given proxy is connected to all workers,
+        # though now we have a choice of which proxy to use.  If we
+        # want to distribute the work associated with relaying uniformly,
+        # we can use a round-robin strategy.  The key used here is simply
+        # used by the cluster framework internally to keep track of
+        # which node is up next in the round-robin.
+        local pt = Cluster::rr_topic(Cluster::proxy_pool, "example_key");
+        Broker::publish(pt, worker_to_workers,
+                        Cluster::node + " (via a proxy)");
+        }
+
+Worker Distributing Events Uniformly Across Proxies
+---------------------------------------------------
+
+If you want to offload some data/work from a worker to your proxies,
+we can make use of a `Highest Random Weight (HRW) hashing
+<https://en.wikipedia.org/wiki/Rendezvous_hashing>`_ distribution strategy
+to uniformly map an arbitrary key space across all available proxies.
+
+.. code-block:: zeek
+
+    event worker_to_proxies(worker_name: string)
+        {
+        print "got event from worker", worker_name;
+        }
+
+    global my_counter = 0;
+
+    event some_event_handled_on_worker()
+        {
+        # The key here is used to choose which proxy shall receive
+        # the event.  Different keys may map to different nodes, but
+        # any given key always maps to the same node provided the
+        # pool of nodes remains consistent.  If a proxy goes offline,
+        # that key maps to a different node until the original comes
+        # back up.
+        Cluster::publish_hrw(Cluster::proxy_pool,
+                             cat("example_key", ++my_counter),
+                             worker_to_proxies, Cluster::node);
+        }
+
+Broker-backed Zeek Tables for Data Synchronization and Persistence
+==================================================================
+
+Starting with Zeek 3.2, it is possible to "bind" a Zeek table to a backing
+Broker store. Changes to the Zeek table are sent to the Broker store. Similarly,
+changes of the Broker store are applied to the Zeek table.
+
+This feature allows easy distribution of table contents across a cluster.
+It also offers persistence for tables (when using a persistent Broker store
+backend like SQLite).
+
+To give a short example, to distribute a table over a cluster you can use
+the :zeek:attr:`&backend` attribute.
+
+.. code-block:: zeek
+
+    global t: table[string] of count &backend=Broker::MEMORY;
+
+The :zeek:attr:`&backend` attribute creates a master data store on the
+manager and a clone data store on all other node on the cluster. This
+in essence means that the table exists twice in each Zeek process. One
+copy of the table is contained in a Broker data store (either a master
+or a clone depending on the node), which data store distributes the
+data across the cluster---and, depending on the backend, might also
+make the data persistent. Since Broker data stores are only accessible
+via asynchronous operations, and accessing them might not always be
+immediate, a second copy of the table, which is immediately
+accessible, is held inside the Zeek core. This is the copy that you
+see and interact with on the Zeek side.
diff --git a/doc/frameworks/broker/cluster-layout.png b/doc/frameworks/broker/cluster-layout.png
new file mode 100644
index 0000000000..3813bfbfda
Binary files /dev/null and b/doc/frameworks/broker/cluster-layout.png differ
diff --git a/doc/frameworks/broker/cluster-layout.xml b/doc/frameworks/broker/cluster-layout.xml
new file mode 100644
index 0000000000..4269c6723f
--- /dev/null
+++ b/doc/frameworks/broker/cluster-layout.xml
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<mxfile userAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36" version="9.0.3-1" editor="www.draw.io" type="device"><diagram name="Page-1" id="42789a77-a242-8287-6e28-9cd8cfd52e62">7VxLc6M4EP41Po4LSUjAcZJJZg+7VVOVrd3ZowwKZgYjFyaxvb9+hZEwEhA/eITs2JdYrZYE0ve1ultyZuh+tfua0vXyDx6weAatYDdDX2ZQfDxL/Mkl+0Li2G4hCNMoKETgKHiK/mVSKNuFL1HANppixnmcRWtd6PMkYX6myWia8q2u9sxjfdQ1DVlN8OTTuC79OwqypZQCyzpW/MaicCmHdrGsWFD/Z5jyl0SON4Po+fApqldU9SX1N0sa8G1FhB5m6D7lPCu+rXb3LM7nVk1b0e6xpbZ87pQl2VkNGEXAcTwrgD71XPQJoKKLVxq/MPUOhyfN9mp2WCAmSxYTnog/d4dXZnmnQJSW2SqWX2O6YPFdOSv3PObpsdkmo2n2OV8wQ/YYxXkPlipLiGBRZkmgWvgx3Wwi/89llBQVshkoSpVGP1iW7WWZvmRciHiaLXnIExr/zvlattpkKf/J1FOK1fOIgz6TskahIdd95kn2SFdRnIP8L5YGNKFSLEcCUJYrHVqHj5An/KEyj4dH3kXZ9/yt51iW/pFzcHxWqVpfZ7n0G/6S+qxtcSWVaBqyrEXHK3TyNa50LNHzlfEVy9K9UEhZTLPoVScMlbwLSz3ZVKwY3VcU1jxKsk2l52+5QCgoE6KYJg0IcqCOY1MfQTFp1Ra2bVdbiC/FM6hS5WWOogM7zmWKfWPKL80UNAmmAHIZUwB0RmdKjSgrAYCQpTNIYjG7d4v8W5iVq1VlUByLTT9H+3YZZexpTQ9rthV+h06fI68OVFD7al7l81Xky4pTLGsANW0BtWBQRZOBADOnO9hpHIVJzliBVzFDbwD4laUZ270JPVWL9BVHyrpuj86NctmWFbdGQasJrBW4XIYG2GA2Cxhs1jRRQFinfLf/BJsQUkjEuFX9qQEncLyFZZ0DnOdnRnx/msCBUAcOwHXgOLgOHDwEcJo80zpwYh4Ky5LbnI+BE7Ig+CwDI4IIOFWcePoeZJN3hIlXg4mERIN7dlv7HjYXD7/b4t+CVQ1QXxzvrm3T6Qac0uGuuNvFg4sV+14tKEe87rT35JrDM1xzMIhrXvOlbYLmnmMjDCxgI9dBjsYED84RJB7GmCAHQ7334h1lh29Fth6YE9GLhRwxAlbOerkj2/Y8790Rr01sYBFjmGKaasO0Rxka9S5z/JsC4jbPDtw8u3e12kbUOKZjh29Ge1yjrTImNaNtDWW07enYaAKN/Agi1xlirLwN1RExOhrT1JIbh0biUMmVObIcjS9zizRSpjk52UimQ2ffWBqJpc8t+2Eqe2PYMKn8GjGQbTAM4OsYZqO+GdaSArWMiAVoh2SdE6DOjZwjRyU1plVoS1yDtfC8je56bl4VsgxzmlAnK3J1jlnOdWRFjt4RgEZHPZEV4mHJqixphZx63FBhYnu0ezU57lxs42ZyNMXcBdL7ctO8Oi7tcWBonu/a5lFDCwwvNvVQD5e9nsFDLrPsJp5OOeij4GxANE30dgFCRvRrGbdkTuirMHgo/d5tnNsNpsfNFI9q+Grb+phQhSNZQqLvo90tYYewEoFuQGmwZxXM1C3avJNjORGbNo17IMjM6J2yaeRCG9VR37BpdR4YUSS2+7WB9WPBpuT0lqc/i6PCD5qdXrRzwsxOuz6bana6TBKPcYAMG5BxC9ff4xDRmtumfzFooH5OEu0WlzeP4wwblt/uoU/nlGhOiJn5nmYObaSEN1Fucpnwdq/jKnb1jgA09rO+cmjuwDk0XOPmFTHCIKHk4EedgJwBzJFiSdfMqoGB8KTOUAfKqjmXmfoWhNXzpu8UabaA8PBI/WFsJOMHjPN0bOYrumLsVPx6Kv48s/5UPFp7z57jURWQdgX5W0dfo2TrhjSkw5xGDJM6s/pZT2M1p2WyejVYI0VW4NRRU0+b4qVnChem0zqp9x6dNd0/as2mfdy7nv+PbNqYv8ZoSrP+wmH7G1Z4oGTamCcfI13hhMZ9rauvcNrmTTUT8n1dMDN+EmPsBd19x/ovam8sGzU5dpELNUc5UrT8WemZX5ccO8e9Gomc5W1P5Wp4BqfOJWf5EwTl4pgd9UVO0is5RfH471oK9eP/xEEP/wE=</diagram></mxfile>
\ No newline at end of file
diff --git a/doc/frameworks/broker/connecting-connector.zeek b/doc/frameworks/broker/connecting-connector.zeek
new file mode 100644
index 0000000000..f1f8cbf872
--- /dev/null
+++ b/doc/frameworks/broker/connecting-connector.zeek
@@ -0,0 +1,12 @@
+redef exit_only_after_terminate = T;
+
+event zeek_init()
+	{
+	Broker::peer("127.0.0.1");
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print "peer added", endpoint;
+	terminate();
+	}
diff --git a/doc/frameworks/broker/connecting-listener.zeek b/doc/frameworks/broker/connecting-listener.zeek
new file mode 100644
index 0000000000..7802229996
--- /dev/null
+++ b/doc/frameworks/broker/connecting-listener.zeek
@@ -0,0 +1,17 @@
+redef exit_only_after_terminate = T;
+
+event zeek_init()
+	{
+	Broker::listen("127.0.0.1");
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print "peer added", endpoint;
+	}
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print "peer lost", endpoint;
+	terminate();
+	}
diff --git a/doc/frameworks/broker/events-connector.zeek b/doc/frameworks/broker/events-connector.zeek
new file mode 100644
index 0000000000..fb4bec92ef
--- /dev/null
+++ b/doc/frameworks/broker/events-connector.zeek
@@ -0,0 +1,26 @@
+redef exit_only_after_terminate = T;
+global my_event: event(msg: string, c: count);
+
+event zeek_init()
+	{
+	Broker::peer("127.0.0.1");
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print "peer added", endpoint;
+	Broker::publish("zeek/event/my_event", my_event, "hi", 0);
+	Broker::publish("zeek/event/my_event", my_event, "...", 1);
+	local e = Broker::make_event(my_event, "bye", 2);
+	Broker::publish("zeek/event/my_event", e);
+	}
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	terminate();
+	}
+
+event my_event(msg: string, c: count)
+	{
+	print "got my_event", msg, c;
+	}
diff --git a/doc/frameworks/broker/events-listener.zeek b/doc/frameworks/broker/events-listener.zeek
new file mode 100644
index 0000000000..374dc5db11
--- /dev/null
+++ b/doc/frameworks/broker/events-listener.zeek
@@ -0,0 +1,24 @@
+redef exit_only_after_terminate = T;
+global msg_count = 0;
+global my_event: event(msg: string, c: count);
+global my_auto_event: event(msg: string, c: count);
+
+event zeek_init()
+	{
+	Broker::subscribe("zeek/event/");
+	Broker::listen("127.0.0.1");
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print "peer added", endpoint;
+	}
+
+event my_event(msg: string, c: count)
+	{
+	++msg_count;
+	print "got my_event", msg, c;
+
+	if ( msg_count == 5 )
+		terminate();
+	}
diff --git a/doc/frameworks/broker/logs-connector.zeek b/doc/frameworks/broker/logs-connector.zeek
new file mode 100644
index 0000000000..47d912e294
--- /dev/null
+++ b/doc/frameworks/broker/logs-connector.zeek
@@ -0,0 +1,36 @@
+@load ./testlog
+
+redef exit_only_after_terminate = T;
+global n = 0;
+
+event zeek_init()
+	{
+	Broker::peer("127.0.0.1");
+	}
+
+event do_write()
+	{
+	if ( n == 6 )
+		return;
+
+	Log::write(Test::LOG, [$msg = "ping", $num = n]);
+	++n;
+	event do_write();
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print "peer added", endpoint;
+	event do_write();
+	}
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	terminate();
+	}
+
+event Test::log_test(rec: Test::Info)
+	{
+	print "wrote log", rec;
+	Broker::publish("zeek/logs/forward/test", Test::log_test, rec);
+	}
diff --git a/doc/frameworks/broker/logs-listener.zeek b/doc/frameworks/broker/logs-listener.zeek
new file mode 100644
index 0000000000..654551b940
--- /dev/null
+++ b/doc/frameworks/broker/logs-listener.zeek
@@ -0,0 +1,22 @@
+@load ./testlog
+
+redef exit_only_after_terminate = T;
+
+event zeek_init()
+	{
+	Broker::subscribe("zeek/logs");
+	Broker::listen("127.0.0.1");
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print "peer added", endpoint;
+	}
+
+event Test::log_test(rec: Test::Info)
+	{
+	print "got log event", rec;
+
+	if ( rec$num == 5 )
+		terminate();
+	}
diff --git a/doc/frameworks/broker/store-sqlite-tuning.zeek b/doc/frameworks/broker/store-sqlite-tuning.zeek
new file mode 100644
index 0000000000..4c59456013
--- /dev/null
+++ b/doc/frameworks/broker/store-sqlite-tuning.zeek
@@ -0,0 +1,19 @@
+global h: opaque of Broker::Store;
+
+event zeek_init()
+	{
+	# Use WAL mode.
+	local sqlite_options=Broker::SQLiteOptions(
+		$synchronous=Broker::SQLITE_SYNCHRONOUS_NORMAL,
+		$journal_mode=Broker::SQLITE_JOURNAL_MODE_WAL,
+	);
+	local options = Broker::BackendOptions($sqlite=sqlite_options);
+	h = Broker::create_master("persistent-store", Broker::SQLITE, options);
+
+	local c = 1000;
+	while (c > 0)
+		{
+		Broker::put(h, cat(c), rand(10000));
+		--c;
+		}
+	}
diff --git a/doc/frameworks/broker/stores-connector.zeek b/doc/frameworks/broker/stores-connector.zeek
new file mode 100644
index 0000000000..4c09d9b950
--- /dev/null
+++ b/doc/frameworks/broker/stores-connector.zeek
@@ -0,0 +1,29 @@
+redef exit_only_after_terminate = T;
+
+global h: opaque of Broker::Store;
+
+global ready: event();
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	terminate();
+	}
+
+event zeek_init()
+	{
+	h = Broker::create_master("mystore");
+
+	local myset: set[string] = {"a", "b", "c"};
+	local myvec: vector of string = {"alpha", "beta", "gamma"};
+	Broker::put(h, "one", 110);
+	Broker::put(h, "two", 223);
+	Broker::put(h, "myset", myset);
+	Broker::put(h, "myvec", myvec);
+	Broker::increment(h, "one");
+	Broker::decrement(h, "two");
+	Broker::insert_into_set(h, "myset", "d");
+	Broker::remove_from(h, "myset", "b");
+	Broker::push(h, "myvec", "delta");
+
+	Broker::peer("127.0.0.1");
+	}
diff --git a/doc/frameworks/broker/stores-listener.zeek b/doc/frameworks/broker/stores-listener.zeek
new file mode 100644
index 0000000000..059444226f
--- /dev/null
+++ b/doc/frameworks/broker/stores-listener.zeek
@@ -0,0 +1,79 @@
+redef exit_only_after_terminate = T;
+
+global h: opaque of Broker::Store;
+global expected_key_count = 4;
+global key_count = 0;
+
+# Lookup a value in the store based on an arbitrary key string.
+function do_lookup(key: string)
+	{
+	when ( local res = Broker::get(h, key) )
+		{
+		++key_count;
+		print "lookup", key, res;
+
+		# End after we iterated over looking up each key in the store twice.
+		if ( key_count == expected_key_count * 2 )
+			terminate();
+		}
+	# All data store queries must specify a timeout
+	timeout 3sec
+		{ print "timeout", key; }
+	}
+
+event check_keys()
+	{
+	# Here we just query for the list of keys in the store, and show how to
+	# look up each one's value.
+	when ( local res = Broker::keys(h) )
+		{
+		print "clone keys", res;
+
+		if ( res?$result )
+			{
+			# Since we know that the keys we are storing are all strings,
+			# we can conveniently cast the result of Broker::keys to
+			# a native Bro type, namely 'set[string]'.
+			for ( k in res$result as string_set )
+				do_lookup(k);
+
+			# Alternatively, we can use a generic iterator to iterate
+			# over the results (which we know is of the 'set' type because
+			# that's what Broker::keys() always returns).  If the keys
+			# we stored were not all of the same type, then you would
+			# likely want to use this method of inspecting the store's keys.
+			local i = Broker::set_iterator(res$result);
+
+			while ( ! Broker::set_iterator_last(i) )
+				{
+				do_lookup(Broker::set_iterator_value(i) as string);
+				Broker::set_iterator_next(i);
+				}
+			}
+		}
+	# All data store queries must specify a timeout.
+	# You also might see timeouts on connecting/initializing a clone since
+	# it hasn't had time to get fully set up yet.
+	timeout 1sec
+		{
+		print "timeout";
+		schedule 1sec { check_keys() };
+		}
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	print "peer added";
+	# We could create a clone early, like in zeek_init and it will periodically
+	# try to synchronize with its master once it connects, however, we just
+	# create it now since we know the peer w/ the master store has just
+	# connected.
+	h = Broker::create_clone("mystore");
+
+	event check_keys();
+	}
+
+event zeek_init()
+	{
+	Broker::listen("127.0.0.1");
+	}
diff --git a/doc/frameworks/broker/testlog.zeek b/doc/frameworks/broker/testlog.zeek
new file mode 100644
index 0000000000..f52f177cf1
--- /dev/null
+++ b/doc/frameworks/broker/testlog.zeek
@@ -0,0 +1,17 @@
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		msg: string &log;
+		num: count &log;
+	};
+
+	global log_test: event(rec: Test::Info);
+}
+
+event zeek_init() &priority=5
+	{
+	Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]);
+	}
diff --git a/doc/frameworks/cluster.rst b/doc/frameworks/cluster.rst
new file mode 100644
index 0000000000..ed9766f45c
--- /dev/null
+++ b/doc/frameworks/cluster.rst
@@ -0,0 +1,630 @@
+
+.. _cluster-framework:
+
+=================
+Cluster Framework
+=================
+
+The basic premise of Zeek clusterization is to break down network traffic into
+smaller pieces, while preserving the affinity of individual network sessions to
+a single analysis process.  Cluster architecture thus allows Zeek to distribute
+that analysis across many dozens or hundreds of worker processes, allowing the
+monitoring system to scale up to line speeds of 100G or more.
+
+.. figure:: /images/cluster-diagram.png
+
+  Figure 1: Block diagram of cluster setup showing multiple network feeds to a
+  traffic aggregator. This device sends traffic to workers after symmetric
+  hashing/load-balancing. Traffic is then fed to the Zeek cluster using
+  load-balancing network cards.
+
+Zeek's Cluster Components
+=========================
+
+By distributing network traffic across hosts and processes, overall traffic
+finally reaches a volume that can be effectively analyzed by a single worker
+process. Zeek then acts as a distributed network security monitor to perform
+analysis across many dozens or hundreds of workers, all acting on a small
+fraction of the overall traffic volume. The analysis of the worker process is
+further facilitated by nodes such as manager and proxies, ultimately logging
+the alerts and or relevant network logs. A Zeek cluster therefore consists of
+four main components: a manager, workers, proxies, and a logger.
+
+Manager
+-------
+
+The manager is a Zeek process that has two primary jobs. It normally receives
+log messages and notices from the rest of the nodes in the cluster using the
+Zeek communications protocol.  It combines the individual logs that each worker
+produces, so that the result is a set of joint logs instead of many discrete
+logs that you would have to combine in some manner with post-processing. (Note
+that if you use a separate logger node, then the logger receives all logs
+instead of the manager.) The manager also supports other functionality and
+analysis which requires a centralized, global view of events or data.
+
+Worker
+------
+
+The worker is the Zeek process that sniffs network traffic and does protocol
+analysis on the reassembled traffic streams. Most of the work of an active
+cluster takes place on the workers. Workers typically represent the bulk of the
+Zeek processes that are running in a cluster. The fastest memory and CPU core
+speed you can afford is recommended since all of the protocol parsing and most
+analysis will take place here. There are no particular requirements for the
+disks in workers since almost all logging is done remotely to the manager (or
+dedicated logger). Normally, very little is written to disk.
+
+Proxy
+-----
+
+A proxy is a Zeek process that may be used to offload data storage or any
+arbitrary workload. A cluster may contain multiple proxy nodes.
+Zeek's default scripts make only minimal use of proxies.
+Custom scripts or third-party packages may exercise proxies more heavily
+to partition data or workloads, providing greater cluster scalability potential.
+The number of required proxy nodes in a cluster depends on the deployed scripts,
+cluster size and traffic characteristics. For small clusters with four or less workers,
+a single proxy node is usually sufficient. For larger clusters, you may want to
+closely monitor :ref:`CPU and memory usage <framework-telemetry>` of proxy
+nodes and increase their number as needed.
+
+Zeek processes acting as proxies don’t tend to be extremely hard on CPU or
+memory, and users frequently run proxy processes on the same physical host as
+the manager.
+
+Logger
+------
+
+A logger is an optional Zeek process that receives log messages from the rest
+of the nodes in the cluster using the Zeek communications protocol. The purpose
+of having a logger to receive logs instead of the manager is to reduce the load
+on the manager. If no logger is needed, then the manager will receive logs
+instead.
+
+Running a Zeek Cluster
+======================
+
+Zeek Cluster Setup
+------------------
+
+This :ref:`link <cluster-configuration>` describes the cluster setup in great
+detail.
+
+General Usage and Deployment
+----------------------------
+
+The biggest advantage to using a Zeek cluster is that most of its inner
+workings are transparent to the user. Clusterization is a clever trick to
+divide-and-conquer ever increasing network traffic volume.
+
+As a practitioner one must know how to set up a cluster by defining components
+such as the manager, proxies, loggers and workers in the
+:samp:`{<prefix>}/etc/node.cfg` file on the manager.
+
+Edit the ZeekControl node configuration file, :samp:`{<prefix>}/etc/node.cfg`,
+to define where the logger, manager, proxies, and workers will run. For a
+cluster configuration, comment-out (or remove) the standalone node in that
+file, and either uncomment or add node entries for each node in your cluster
+(logger, manager, proxy, and workers).
+
+For example, to run five Zeek nodes (two workers, one proxy, a logger, and a
+manager) on a cluster consisting of three machines, the cluster configuration
+would look like this::
+
+  [logger]
+  type=logger
+  host=10.0.0.10
+
+  [manager]
+  type=manager
+  host=10.0.0.10
+
+  [proxy-1]
+  type=proxy
+  host=10.0.0.10
+
+  [worker-1]
+  type=worker
+  host=10.0.0.11
+  interface=eth0
+
+  [worker-2]
+  type=worker
+  host=10.0.0.12
+  interface=eth0
+
+
+To set up a cluster we need a network-aggregator/load balancing device which
+can aggregate inputs from network sources, such as taps or span ports. This
+device also performs the critical function of ensuring each TCP session is
+distributed to a single link. This function is provided through symmetric
+hashing.
+
+Once the tap aggregator is set, output from each port is sent to a “Zeek node”
+which is typically built on commodity hardware. Zeek clusters have evolved from
+running the manager, workers and proxies on individual servers, to most often
+now running a “cluster-in-a-box” setup, where a powerful multi-core box with
+dedicated cores hosts the workers, proxies logger and manager. We’ve seen
+instances of 90 workers running on a single physical server.
+
+At present the preferred way to run a cluster is to use a load-balancing
+network card such as Myricom NICs or Intel cards with PF_RING or AF_PACKET
+support.  The NIC (and associated software) further divides the traffic to
+multiple Zeek worker processes running on the ‘Zeek- node’.
+
+While the Zeek cluster allows us to monitor traffic at scale, an optional
+add-on technology called “shunting” is helpful to reduce the volume that needs
+be processed.. Shunting can detect specific large data flows based on
+predetermined characteristics and communicate with the network tap via an API
+to stop sending those flows to Zeek for analysis.  This allows Zeek to maintain
+awareness and logs of these shunted large flows while dramatically reducing the
+analysis load necessary to process traffic.
+
+The following links gives more specific information on how to set up
+clusterization using one of the above approaches: :ref:`cluster-configuration`.
+
+Developing Scripts/Heuristics
+=============================
+
+This section is for developers who are interested in writing
+packages/scripts/heuristics and want to take advantage of clusterization.
+
+In order to make your scripts/packages “clusterized,” one must understand the
+purpose of each of the cluster components (manager, workers, proxies and
+logger) and how/where the data is generated and how to move data/information
+across the different nodes in the cluster.
+
+* **Workers**: Workers are a good first choice for doing the brunt of any work.
+  They should be spending a lot of time parsing or analyzing incoming data from
+  packets. You might choose them to do a “first pass” analysis and then decide
+  how the results should be shared with other nodes in the cluster.
+
+* **Proxies**: Proxies serve as intermediaries for data storage and computation
+  offloading. Proxies help offload work or data in a scalable and distributed
+  way. Since any given worker is connected to all proxies and can agree on an
+  “arbitrary key -> proxy node” mapping (discussed later), you can partition
+  work or data amongst them in a uniform manner. You might choose to use
+  proxies as a method to share non-persistent state or as a “second pass”
+  analysis for any work that you don’t want interfering with the workers’
+  capacity to keep up with capturing and parsing packets. The default scripts
+  that come with Zeek make minimal use of proxies. If you are migrating from a
+  previous ZeekControl deployment, you may want to implement a single proxy
+  node. If you have custom or community scripts that utilize proxies,
+  considering scaling up the number of proxies to meet demand.
+
+* **Manager**: A manager will make decisions that require a global view, as it
+  is in a centralized location and connected to everything. However, that
+  connectivity also makes it easy to overload it. Try to use a manager
+  sparingly and only for tasks that must be done in a centralized or
+  authoritative location. Optionally, for some deployments, the manager can
+  also serve as the sole logger.
+
+* **Loggers**: Loggers should simply write logs to disk. In the default cluster
+  configuration, log content gets distributed among available loggers in a
+  round-robin fashion, providing failover capability should any given logger
+  temporarily go offline.
+
+The Need to Move Data and Events Across Different Nodes
+-------------------------------------------------------
+
+Imagine you have a list of IP addresses that you want to distribute across all
+workers to keep in a watch list, such as the Intel framework. You may also want
+to aggregate results across workers to see if that count crosses a threshold,
+such as using scan detection. Finally, you might want to extract URLs from
+emails and then redistribute the extracted URLs to all workers to be able to
+find which of these extracted URLs got clicked on. All these examples tend to
+introduce challenges in a Zeek cluster setup due to data centrality issues. In
+other words, the very advantageous divide-and-conquer approach of
+clusterization also introduces complexity in Zeek scripts. However, with the
+introduction of the Broker communication framework and additional helper
+functions, data centrality complexities can be addressed efficiently. One must
+rely on clusterization techniques provided by Zeek scripting, the Broker API,
+and clusterization components.
+
+When clustering your scripts, the fundamental work to move data or events in
+the context of a cluster falls primarily on few high level abstractions of
+communication patterns:
+
+  1. Manager-to-worker
+  2. Worker-to-manager
+  3. Worker-to-proxy
+  4. Worker-to-manager-to-worker
+  5. Manager-to-worker-to-manager
+
+All the communication between workers, proxies and manager is established by
+Zeek via the Broker framework. The Broker framework provides basic facilities
+for connecting Zeek instances to each other and exchanging messages, events or
+data.
+
+Cluster Topics
+--------------
+
+All Broker-based messaging involves two components: the information you want to
+send, such as an event with its arguments, along with an associated topic name
+string. The topic strings are used as a filtering mechanism: Broker uses a
+publish-subscribe communication pattern where peers advertise interest in topic
+prefixes and only receive messages which match one of their prefix
+subscriptions. Broker itself supports arbitrary topic strings. However, Zeek
+generally follows certain conventions in choosing these topics to help avoid
+conflicts and generally make them easier to remember.
+
+To communicate between workers, proxies and manager one needs to know the topic
+name to which all workers, proxies and manager are subscribed to. These are:
+
+  1. :zeek:see:`Cluster::worker_topic`  - to which all workers are subscribed
+  2. :zeek:see:`Cluster::proxy_topic` - to which all proxies are subscribed
+  3. :zeek:see:`Cluster::manager_topic` - to which manager is subscribed
+
+
+The following table illustrates all the topics and communication events for
+clusterization, along with potential use cases:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Event
+    - Topic
+    - Use cases
+
+  * - Manager to worker
+    - :zeek:see:`Cluster::worker_topic`
+    - * Read input file on manager
+      * Distribute data and events from manager to workers
+
+  * - Worker to manager
+    - :zeek:see:`Cluster::manager_topic`
+    - * Find characteristics of a “scan” eg. SYN-only pkts
+      * Send data to manager for aggregation
+
+  * - Worker or manager to proxy
+    - :zeek:see:`Cluster::proxy_topic`
+    - * Run operation on all proxies
+      * Disseminate notice suppression
+
+  * - Worker to manager to worker
+    - :zeek:see:`Cluster::manager_topic` + :zeek:see:`Cluster::worker_topic`
+    - * Find URLs in emails
+      * Send to manager
+      * Distribute to workers to check against HTTP GET requests
+
+  * - Manager to worker to manager
+    - :zeek:see:`Cluster::worker_topic` + :zeek:see:`Cluster::manager_topic`
+    - * Read input file on manager
+      * Distribute data to workers
+      * Workers to report counts of connections to manager
+      * Aggregate the counts on manager
+
+Cluster Pools
+-------------
+
+In addition to topics, Zeek nodes can join a :zeek:see:`Cluster::Pool`.
+Using :zeek:see:`Cluster::publish_hrw` and :zeek:see:`Cluster::publish_rr`,
+pools allow to publish events to individual proxies without prior knowledge
+of a cluster's shape and size.
+
+A popular pool is the :zeek:see:`Cluster::proxy_pool`. It comprises all
+the proxies of a cluster. Examples of its use are listed in the following table.
+
+
+.. list-table::
+  :header-rows: 1
+
+  * - Event
+    - Pool
+    - Use cases
+
+  * - Workers to individual proxy processes
+    - :zeek:see:`Cluster::proxy_pool`
+    - * Aggregation based on Highest Random Weight (eg. DNS query types, see the :ref:`section below <cluster-framework-proxies-uniform>` for details.)
+      * Aggregation of Software versions for a given host
+      * Offloading tasks in round-robin fashion across proxies
+
+
+Publishing Events Across the Cluster
+------------------------------------
+
+Broker, as well as Zeek’s higher-level cluster framework, provide a set of
+function to publish events, including:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Function
+    - Description
+    - Use
+
+  * - :zeek:see:`Cluster::publish`
+    - Publishes an event at a given topic
+    - Standard function to send an event to all nodes subscribed to a given
+      topic.
+
+  * - :zeek:see:`Cluster::publish_hrw`
+    - Publishes an event to a node within a pool according to
+      Highest Random Weight (HRW) hashing strategy; see details below
+    - Use this in cases of any aggregation needs - eg. scan detection or
+      anything that needs a counter going.
+
+  * - :zeek:see:`Cluster::publish_rr`
+    - Publishes an event to a node within a pool according to Round-Robin
+      distribution strategy.
+    - Generally used inside Zeek for multiple logger nodes.
+
+  * - :zeek:see:`Broker::publish`
+    - Publishes an event at a given topic
+    - Standard function to send an event to all nodes subscribed to a given
+      topic.
+
+      Starting with Zeek 7.1, this function should only be used in
+      Broker-specific scripts. Use :zeek:see:`Cluster::publish` otherwise.
+
+
+.. note::
+
+   The ``Cluster::publish`` function was added in Zeek 7.1. In contrast to
+   ``Broker:publish``, it publishes events even when a non-Broker cluster
+   backend is in use. Going forward, ``Cluster:publish`` should be preferred
+   over ``Broker::publish``, unless the script is specific to the Broker backend,
+   e.g. when interacting with an external application using native Python
+   bindings for Broker.
+
+
+An example sending an event from worker to manager:
+
+.. code-block:: zeek
+
+  event worker_to_manager(worker_name: string)
+      {
+      print "got event from worker", worker_name;
+      }
+
+  event some_event_handled_on_worker()
+      {
+      Broker::publish(Cluster::manager_topic, worker_to_manager,
+                      Cluster::node);
+      }
+
+More details and code snippets and documentation on Broker communication
+frameworks are available at :ref:`broker-framework`.
+
+
+.. _cluster-framework-proxies-uniform:
+
+Distributing Events Uniformly Across Proxies
+--------------------------------------------
+
+If you want to offload some data/work from a worker to your proxies, we can
+make use of a `Highest Random Weight (HRW) hashing
+<https://en.wikipedia.org/wiki/Rendezvous_hashing>`_ distribution strategy to
+uniformly map an arbitrary key space across all available proxies through
+:zeek:see:`Cluster::publish_hrw`. This function publishes an event to one node
+within a pool according to a Highest Random Weight hashing strategy. By
+assigning :zeek:see:`Cluster::proxy_pool` to this event, one can utilize
+proxies to handle it. Note that :zeek:see:`Cluster::publish_hrw` requires a
+unique key as an input to the hashing function to uniformly distribute keys
+among available nodes. Often this key is a source or destination IP address. If
+you are using :zeek:see:`Cluster::publish_hrw` for an aggregate function, such
+as counts unique across the workers, make sure to appropriately select the
+hashing key.
+
+The following example illustrates this issue. Assume that we are counting the
+number of scanner IPs from each ``/24`` subnet. If the key were the source IP,
+then depending on the hashing, different IP addresses from the same ``/24``
+might end up on different proxies for the aggregation function. In this case
+one might instead want to use a more inclusive hashing key, such as the subnet
+(``/24``) itself.  To illustrate the issue, in the notice log below, you see
+that 3 scanners each from ``52.100.165.0/24`` went to ``proxy-1`` and
+``proxy-2``.  Ideally we want a single count of 6 scanners instead.
+
+::
+
+  1600212249.061779             Scan::Subnet  52.100.165.0/24 has 3 spf IPs originating from it 52.100.165.249  52.100.165.237  52.100.165.246  -       52.100.165.246  -       -             proxy-2 Notice::ACTION_LOG      3600.000000          F
+
+  1600212293.581745       Scan::Subnet        52.100.165.0/24 has 3 spf IPs originating from it 52.100.165.247  52.100.165.244  52.100.165.205        -       52.100.165.205  -       -       proxy-1 Notice::ACTION_LOG      3600.000000
+
+Instead, we can ensure the hash key is ``52.100.165.0/24`` instead of the
+original IP, as the hash for ``52.100.165.0/24`` will be the same for all
+addresses belonging to this subnet. Then the data will reach only one proxy.
+To that end, we can use the ``mask_address`` function to extract subnet
+information for a given IP address to use as a key in the hash function:
+
+.. code-block:: zeek
+
+  local spf = mask_address(orig);
+
+  @if ( Cluster::is_enabled())
+      Cluster::publish_hrw(Cluster::proxy_pool, spf, smtpsink::aggregate_stats, c) ;
+  @else
+      event smtpsink::aggregate_stats(c);
+  @endif
+
+Carefully select the key for :zeek:see:`Cluster::publish_hrw`. If done right,
+this feature will bring tremendous benefits in code scalability, especially
+when working with aggregate and threshold functions.
+
+.. note::
+
+  In scripting for clusterization, using the correct module names and
+  namespaces is crucial as both events and data are transmitted to different
+  systems. In order to make sure the contexts are correct, all functions,
+  events and datasets should be scoped within their respective namespaces and
+  modules. An easy rule of thumb is to always use the explicit module namespace
+  scoping.  See :ref:`event-namespacing-pitfall` for further explanation and
+  examples.
+
+Clusterization of Zeek scripts can be an intimidating task for beginners.
+However, with reliance on the new Broker framework, clusterization has become
+simpler and straightforward.  Consider the following:
+
+1. Communication overhead: Be sure not to generate unnecessary communication
+   overhead. For example, scan detection is one of the worst cases for
+   distributed analysis. One needs to count connections from a given IP address
+   across all workers and then aggregate them on a proxy or manager. All the
+   connections have to reach an aggregate function before Zeek can determine if
+   a given source is a scanner or not. This happens because each worker only
+   has a limited picture of the activity generated by a given remote IP.
+
+2. Communication optimizations: Once a given remote IP is identified as
+   desired, make sure a manager reports that to the worker, and workers stop
+   sending any further data for that IP to the manager. This is especially
+   useful in scan detection where it takes only a few connections to identify
+   scans, while a given scanner might send millions of probes eventually. If
+   done right, workers will only send the first N connections, and stop after
+   that, thus saving a lot of communication overheads. However, it makes sense
+   to stop workers from sending any further connection information
+
+3. Clusterization also requires timely state synchronization across the
+   workers, to make sure that all workers have a common view of a particular
+   heuristic.
+
+4. When writing scripts for clusterization make sure your detection runs in
+   both cluster and standalone setup.
+
+A Cluster Script Walkthrough
+----------------------------
+
+Let's say we want to count how many connections a remote IP is making to a host
+in our network on port 3389 UDP. Due to the distributed nature of Zeek
+clusters, connections are distributed across the workers based on a 5-tuple
+hash (source IP, source port, destination IP, destination port, and protocol).
+To get a central view of a connection between a given IP pair, one must deploy
+a clusterized scripting approach. The following example highlights how to go
+about doing so.
+
+In this use case, we intend to create an aggregation function.
+:zeek:see:`Cluster::publish_hrw` appears to be the appropriate function, since
+it allows offloading a lot of work to proxies, thus leaving workers and manager
+to process traffic.
+
+In order to make sure all the connections between two hosts go to a single
+specific proxy, we need to make sure the key for the hashing function
+accommodates this constraint. We will use ``orig_h+resp_h`` as the key. We
+create a new data-type called ``pair``  as seen in code below. This allows us
+to use the ``orig+resp`` as a unique key across the code, including in the
+candidate table.  Further, we create a new data type called ``stats`` to keep
+track of additional data associated with a connection pair.
+
+.. code-block:: zeek
+
+  module DoS;
+
+  export {
+
+      redef enum Notice::Type += {
+          Threshold,
+          Victim_3389UDP,
+      };
+
+      type pair: record {
+            orig: addr;
+            resp: addr;
+      };
+
+      type stats: record {
+          orig: addr;
+          resp: addr ;
+          orig_bytes: count &default=0;
+          resp_bytes: count &default=0;
+          conns: count &default=0;
+      };
+
+      global dos_candidates: table [pair] of stats  &create_expire=1 day;
+
+      global DoS::aggregate_stats:event(s: stats);
+  }
+
+We choose the :zeek:see:`connection_state_remove` event as the primary event to
+tap into.  :zeek:see:`connection_state_remove` is generated when a connection’s
+internal state is about to be removed from memory. It's appropriate for this
+case, as all the information about the connection is now included in the
+:zeek:see:`connection` record ``c``.  One disadvantage of using
+:zeek:see:`connection_state_remove` is that the event is fired at the very end
+of the connection, after the expiration timeouts are over. Thus, there are
+delays, and any operation which happens on the data is “after-the-fact” that
+connection is over. While this could be a problem in approaches such as
+proactive blocking and early detection heuristics, in this case of aggregation
+it is not an issue.
+
+The thing to pay attention to in the code snippet below is the
+:zeek:see:`@if`-:zeek:see:`@else`-:zeek:see:`@endif` directives which
+differentiate between clusterized and standalone operation of the script.  With
+the :zeek:see:`@if` construct, the specified expression must evaluate to type
+bool. If the value is true, then the following script lines (up to the next
+:zeek:see:`@else` or :zeek:see:`@endif`) are available to be executed.  In this
+case we check if :zeek:see:`Cluster::is_enabled`. If so, we call
+:zeek:see:`Cluster::publish_hrw` along with the key (``hash_pair``) and the
+aggregate function followed by parameters, which is the stats record in this
+case. If the cluster isn’t running that aggregate function, it is directly
+called.
+
+.. code-block:: zeek
+
+  event connection_state_remove(c: connection)
+      {
+      local service = c$id$resp_p;
+      local resp = c$id$resp_h;
+
+      if ( service != 3389/udp )
+          return;
+
+      if ( resp !in Site::local_nets )
+          return;
+
+      local s: stats;
+      s$orig = c$id$orig_h;
+      s$resp = c$id$resp_h;
+      s$orig_bytes = c$conn$orig_ip_bytes;
+      s$resp_bytes = c$conn$resp_ip_bytes;
+
+      local hash_pair: pair;
+      hash_pair$orig = c$id$orig_h;
+      hash_pair$resp = resp;
+
+      @if ( Cluster::is_enabled() )
+          Cluster::publish_hrw(Cluster::proxy_pool, hash_pair, DoS::aggregate_stats, s);
+      @else
+          event DoS::aggregate_stats(s);
+      @endif
+      }
+
+Since ``hash_pair`` makes the key unique, irrespective of what worker this
+specific connection has gone to, it will end up on a one specific proxy only.
+
+.. code-block:: zeek
+
+  event DoS::aggregate_stats(s: stats)
+      {
+      local p: pair ;
+      p$orig = s$orig;
+      p$resp = s$resp ;
+
+      if ( p !in dos_candidates )
+          {
+          local tmp_s: stats;
+          tmp_s$orig = s$orig;
+          tmp_s$resp = s$resp;
+          tmp_s$orig_bytes = 0;
+          tmp_s$resp_bytes= 0;
+          tmp_s$conns = 0;
+
+          dos_candidates[p] = tmp_s;
+          }
+
+      dos_candidates[p]$conns += 1;
+      dos_candidates[p]$orig_bytes += s$orig_bytes;
+      dos_candidates[p]$resp_bytes += s$resp_bytes;
+
+      local n = dos_candidates[p]$conns;
+
+      local thresh = check_ip_threshold(dos_threshold, ip_pair_threshold_idx, p, n);
+
+      if ( thresh )
+          {
+          local msg = fmt("%s pair has reached %s threshold %s",
+                          p, n, dos_candidates[p]);
+          NOTICE([$note=DoS::Threshold, $src=p$orig, $msg=msg]);
+
+          if ( dos_candidates[p]$resp_bytes > 0 )
+              NOTICE([$note=DoS::Victim, $src=p$orig, $msg=msg,
+                     $identifier=cat(p$resp), $suppress_for=1 hrs]);
+          }
+      }
diff --git a/doc/frameworks/configuration.rst b/doc/frameworks/configuration.rst
new file mode 100644
index 0000000000..91492b231b
--- /dev/null
+++ b/doc/frameworks/configuration.rst
@@ -0,0 +1,356 @@
+
+.. _framework-configuration:
+
+=======================
+Configuration Framework
+=======================
+
+Zeek includes a configuration framework that allows updating script options at
+runtime. This functionality consists of an :zeek:see:`option` declaration in
+the Zeek language, configuration files that enable changing the value of
+options at runtime, option-change callbacks to process updates in your Zeek
+scripts, a couple of script-level functions to manage config settings directly,
+and a log file (:file:`config.log`) that contains information about every
+option value change according to :zeek:see:`Config::Info`.
+
+Introduction
+============
+
+The configuration framework provides an alternative to using Zeek script
+constants to store various Zeek settings.
+
+While traditional constants work well when a value is not expected to change at
+runtime, they cannot be used for values that need to be modified occasionally.
+While a :zeek:see:`redef` allows a re-definition of an already defined constant
+in Zeek, these redefinitions can only be performed when Zeek first starts.
+Afterwards, constants can no longer be modified.
+
+However, it is clearly desirable to be able to change at runtime many of the
+configuration options that Zeek offers. Restarting Zeek can be time-consuming
+and causes it to lose all connection state and knowledge that it accumulated.
+Zeek’s configuration framework solves this problem.
+
+Declaring Options
+=================
+
+The :zeek:see:`option` keyword allows variables to be declared as configuration
+options:
+
+.. code-block:: zeek
+
+  module Test;
+
+  export {
+      option my_networks: set[subnet] = {};
+      option enable_feature = F;
+      option hostname = "testsystem";
+      option timeout_after = 1min;
+      option my_ports: vector of port = {};
+  }
+
+Options combine aspects of global variables and constants. Like global
+variables, options cannot be declared inside a function, hook, or event
+handler. Like constants, options must be initialized when declared (the type
+can often be inferred from the initializer but may need to be specified when
+ambiguous). The value of an option can change at runtime, but options cannot be
+assigned a new value using normal assignments.
+
+The initial value of an option can be redefined with a :zeek:see:`redef`
+declaration just like for global variables and constants. However, there is no
+need to specify the :zeek:see:`&redef` attribute in the declaration of an
+option. For example, given the above option declarations, here are possible
+redefs that work anyway:
+
+.. code-block:: zeek
+
+  redef Test::enable_feature = T;
+  redef Test::my_networks += { 10.1.0.0/16, 10.2.0.0/16 };
+
+Changing Options
+================
+
+The configuration framework facilitates reading in new option values from
+external files at runtime. Configuration files contain a mapping between option
+names and their values. Each line contains one option assignment, formatted as
+follows::
+
+  [option name][tab/spaces][new value]
+
+Lines starting with ``#`` are comments and ignored.
+
+You register configuration files by adding them to
+:zeek:see:`Config::config_files`, a set of filenames. Simply say something like
+the following in :file:`local.zeek`:
+
+.. code-block:: zeek
+
+  redef Config::config_files += { "/path/to/config.dat" };
+
+Zeek will then monitor the specified file continuously for changes. For
+example, editing a line containing::
+
+  Test::enable_feature T
+
+to the config file while Zeek is running will cause it to automatically update
+the option’s value in the scripting layer. The next time your code accesses the
+option, it will see the new value.
+
+.. note::
+
+  The config framework is clusterized. In a cluster configuration, only the
+  manager node watches the specified configuration files, and relays option
+  updates across the cluster.
+
+Config File Formatting
+----------------------
+
+The formatting of config option values in the config file is not the same as in
+Zeek’s scripting language. Keep an eye on the :file:`reporter.log` for warnings
+from the config reader in case of incorrectly formatted values, which it’ll
+generally ignore when encountered. The following table summarizes supported
+types and their value representations:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Data Type
+    - Sample Config File Entry
+    - Comments
+
+  * - :zeek:see:`addr`
+    - ``1.2.3.4``
+    - Plain IPv4 or IPv6 address, as in Zeek. No ``/32`` or similar netmasks.
+
+  * - :zeek:see:`bool`
+    - ``T``
+    - ``T`` or ``1`` for true, ``F`` or ``0`` for false
+
+  * - :zeek:see:`count`
+    - ``42``
+    - Plain, nonnegative integer.
+
+  * - :zeek:see:`double`
+    - ``-42.5``
+    - Plain double number.
+
+  * - :zeek:see:`enum`
+    - ``Enum::FOO_A``
+    - Plain enum string.
+
+  * - :zeek:see:`int`
+    - ``-1``
+    - Plain integer.
+
+  * - :zeek:see:`interval`
+    - ``3600.0``
+    - Always in epoch seconds, with optional fraction of seconds. Never
+      includes a time unit.
+
+  * - :zeek:see:`pattern`
+    - ``/(foo|bar)/``
+    - The regex pattern, within forward-slash characters.
+
+  * - :zeek:see:`port`
+    - ``42/tcp``
+    - Port number with protocol, as in Zeek. When the protocol part is missing,
+      Zeek interprets it as ``/unknown``.
+
+  * - :zeek:see:`set`
+    - ``80/tcp,53/udp``
+    - The set members, formatted as per their own type, separated by commas.
+      For an empty set, use an empty string: just follow the option name with
+      whitespace.
+
+      Sets with multiple index types (e.g. ``set[addr,string]``) are currently
+      not supported in config files.
+
+  * - :zeek:see:`string`
+    - ``Don’t bite, Zeek``
+    - Plain string, no quotation marks. Given quotation marks become part of
+      the string. Everything after the whitespace separator delineating the
+      option name becomes the string. Saces and special characters are fine.
+      Backslash characters (e.g. ``\n``) have no special meaning.
+
+  * - :zeek:see:`subnet`
+    - ``1.2.3.4/16``
+    - Plain subnet, as in Zeek.
+
+  * - :zeek:see:`time`
+    - ``1608164505.5``
+    - Always in epoch seconds, with optional fraction of seconds. Never
+      includes a time unit.
+
+  * - :zeek:see:`vector`
+    - ``1,2,3,4``
+    - The set members, formatted as per their own type, separated by commas.
+      For an empty vector, use an empty string: just follow the option name
+      with whitespace.
+
+This leaves a few data types unsupported, notably tables and records. If you
+require these, build up an instance of the corresponding type manually (perhaps
+from a separate input framework file) and then call
+:zeek:see:`Config::set_value` to update the option:
+
+.. code-block:: zeek
+
+  module Test;
+
+  export {
+      option host_port: table[addr] of port = {};
+  }
+
+  event zeek_init() {
+      local t: table[addr] of port = { [10.0.0.2] = 123/tcp };
+      Config::set_value("Test::host_port", t);
+  }
+
+
+Regardless of whether an option change is triggered by a config file or via
+explicit :zeek:see:`Config::set_value` calls, Zeek always logs the change to
+:file:`config.log`. A sample entry::
+
+  #fields ts      id      old_value       new_value       location
+  #types  time    string  string  string  string
+  1608167352.498872      Test::a_count     42      3      config.txt
+
+Mentioning options repeatedly in the config files leads to multiple update
+events; the last entry “wins”. Mentioning options that do not correspond to
+existing options in the script layer is safe, but triggers warnings in
+:file:`reporter.log`::
+
+  warning: config.txt/Input::READER_CONFIG: Option 'an_unknown' does not exist. Ignoring line.
+
+Internally, the framework uses the Zeek input framework to learn about config
+changes. If you inspect the configuration framework scripts, you will notice
+that the scripts simply catch input framework events and call
+:zeek:see:`Config::set_value` to set the relevant option to the new value. If
+you want to change an option in your scripts at runtime, you can likewise call
+:zeek:see:`Config::set_value` directly from a script (in a cluster
+configuration, this only needs to happen on the manager, as the change will be
+automatically sent to all other nodes in the cluster).
+
+.. note::
+
+  The input framework is usually very strict about the syntax of input files, but
+  that is not the case for configuration files. These require no header lines,
+  and both tabs and spaces are accepted as separators. A custom input reader,
+  specifically for reading config files, facilitates this.
+
+.. tip::
+
+  The gory details of option-parsing reside in ``Ascii::ParseValue()`` in
+  :file:`src/threading/formatters/Ascii.cc` and ``Value::ValueToVal`` in
+  :file:`src/threading/SerialTypes.cc` in the Zeek core.
+
+Change Handlers
+===============
+
+A change handler is a user-defined function that Zeek calls each time an option
+value changes. This allows you to react programmatically to option changes. The
+following example shows how to register a change handler for an option that has
+a data type of :zeek:see:`addr` (for other data types, the return type and
+second parameter data type must be adjusted accordingly):
+
+.. code-block:: zeek
+
+  module Test;
+
+  export {
+      option testaddr = 127.0.0.1;
+  }
+
+  # Note: the data type of 2nd parameter and return type must match
+  function change_addr(id: string, new_value: addr): addr
+      {
+      print fmt("Value of %s changed from %s to %s", id, testaddr, new_value);
+      return new_value;
+      }
+
+  event zeek_init()
+      {
+      Option::set_change_handler("Test::testaddr", change_addr);
+      }
+
+Immediately before Zeek changes the specified option value, it invokes any
+registered change handlers. The value returned by the change handler is the
+value Zeek assigns to the option.  This allows, for example, checking of values
+to reject invalid input (the original value can be returned to override the
+change).
+
+.. note::
+
+  :zeek:see:`Option::set_change_handler` expects the name of the option to
+  invoke the change handler for, not the option itself. Also, that name
+  includes the module name, even when registering from within the module.
+
+It is possible to define multiple change handlers for a single option. In this
+case, the change handlers are chained together: the value returned by the first
+change handler is the “new value” seen by the next change handler, and so on.
+The built-in function :zeek:see:`Option::set_change_handler` takes an optional
+third argument that can specify a priority for the handlers.
+
+A change handler function can optionally have a third argument of type string.
+When a config file triggers a change, then the third argument is the pathname
+of the config file. When the :zeek:see:`Config::set_value` function triggers a
+change, then the third argument of the change handler is the value passed to
+the optional third argument of the :zeek:see:`Config::set_value` function.
+
+.. tip::
+
+  Change handlers are also used internally by the configuration framework. If
+  you look at the script-level source code of the config framework, you can see
+  that change handlers log the option changes to :file:`config.log`.
+
+When Change Handlers Trigger
+----------------------------
+
+Change handlers often implement logic that manages additional internal state.
+For example, depending on a performance toggle option, you might initialize or
+clean up a caching structure. In such scenarios you need to know exactly when
+and whether a handler gets invoked. The following hold:
+
+* When no config files get registered in :zeek:see:`Config::config_files`,
+  change handlers do not run.
+* When none of any registered config files exist on disk, change handlers do
+  not run.
+
+That is, change handlers are tied to config files, and don’t automatically run
+with the option’s default values.
+
+* When a config file exists on disk at Zeek startup, change handlers run with
+  the file’s config values.
+* When the config file contains the same value the option already defaults to,
+  its change handlers are invoked anyway.
+* :zeek:see:`zeek_init` handlers run before any change handlers — i.e., they
+  run with the options’ default values.
+* Since the config framework relies on the input framework, the input
+  framework’s inherent asynchrony applies: you can’t assume when exactly an
+  option change manifests in the code.
+
+If your change handler needs to run consistently at startup and when options
+change, you can call the handler manually from :zeek:see:`zeek_init` when you
+register it. That way, initialization code always runs for the option’s default
+value, and also for any new values.
+
+.. code-block:: zeek
+
+  module Test;
+
+  export {
+      option use_cache = T;
+  }
+
+  function use_cache_hdlr(id: string, new_value: bool): bool
+      {
+      if ( new_value ) {
+          # Ensure caching structures are set up properly
+      }
+
+      return new_value;
+      }
+
+  event zeek_init()
+      {
+      use_cache_hdlr("Test::use_cache", use_cache);
+      Option::set_change_handler("Test::use_cache", use_cache_hdlr);
+      }
diff --git a/doc/frameworks/denylist.jsonl b/doc/frameworks/denylist.jsonl
new file mode 100644
index 0000000000..1ea6a1851e
--- /dev/null
+++ b/doc/frameworks/denylist.jsonl
@@ -0,0 +1,3 @@
+{"ip": "192.168.17.1", "timestamp": 1333252748, "reason": "Malware host"}
+{"ip": "192.168.27.2", "timestamp": 1330235733, "reason": "Botnet server"}
+{"ip": "192.168.250.3", "timestamp": 1333145108, "reason": "Virus detected"}
diff --git a/doc/frameworks/file-analysis.rst b/doc/frameworks/file-analysis.rst
new file mode 100644
index 0000000000..03f152af49
--- /dev/null
+++ b/doc/frameworks/file-analysis.rst
@@ -0,0 +1,283 @@
+
+.. _file-analysis-framework:
+
+=======================
+File Analysis Framework
+=======================
+
+.. TODO: integrate BoZ revisions
+
+.. rst-class:: opening
+
+    In the past, writing Zeek scripts with the intent of analyzing file
+    content could be cumbersome because of the fact that the content
+    would be presented in different ways, via events, at the
+    script-layer depending on which network protocol was involved in the
+    file transfer.  Scripts written to analyze files over one protocol
+    would have to be copied and modified to fit other protocols.  The
+    file analysis framework (FAF) instead provides a generalized
+    presentation of file-related information.  The information regarding
+    the protocol involved in transporting a file over the network is
+    still available, but it no longer has to dictate how one organizes
+    their scripting logic to handle it.  A goal of the FAF is to
+    provide analysis specifically for files that is analogous to the
+    analysis Zeek provides for network connections.
+
+Supported Protocols
+===================
+
+Zeek ships with file analysis for the following protocols:
+:ref:`FTP <plugin-zeek-ftp>`,
+:ref:`HTTP <plugin-zeek-http>`,
+:ref:`IRC <plugin-zeek-irc>`,
+:ref:`Kerberos <plugin-zeek-krb>`,
+:ref:`MIME <plugin-zeek-mime>`,
+:ref:`RDP <plugin-zeek-rdp>`,
+:ref:`SMTP <plugin-zeek-smtp>`, and
+:ref:`SSL/TLS/DTLS <plugin-zeek-ssl>`.
+Protocol analyzers are regular :ref:`Zeek plugins <writing-plugins>`, so users
+are welcome to provide additional ones in separate Zeek packages.
+
+File Lifecycle Events
+=====================
+
+The key events that may occur during the lifetime of a file are:
+:zeek:see:`file_new`, :zeek:see:`file_over_new_connection`,
+:zeek:see:`file_sniff`, :zeek:see:`file_timeout`, :zeek:see:`file_gap`, and
+:zeek:see:`file_state_remove`.  Handling any of these events provides
+some information about the file such as which network
+:zeek:see:`connection` and protocol are transporting the file, how many
+bytes have been transferred so far, and its MIME type.
+
+Here's a simple example:
+
+.. literalinclude:: file_analysis_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -r http/get.trace file_analysis_01.zeek
+   file_state_remove
+   FakNcS1Jfe01uljb3
+   CHhAvVGS1DHFjwGM9
+   [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+   HTTP
+   connection_state_remove
+   CHhAvVGS1DHFjwGM9
+   [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+   HTTP
+
+This doesn't perform any interesting analysis yet, but does highlight
+the similarity between analysis of connections and files.  Connections
+are identified by the usual 5-tuple or a convenient UID string while
+files are identified just by a string of the same format as the
+connection UID.  So there's unique ways to identify both files and
+connections and files hold references to a connection (or connections)
+that transported it.
+
+File Type Identification
+========================
+
+Zeek ships with its own library of content signatures to determine the type of a
+file, conveyed as MIME types in the :zeek:see:`file_sniff` event. You can find
+those signatures in the Zeek distribution's ``scripts/base/frameworks/files/magic/``
+directory. (Despite the name, Zeek does *not* rely on libmagic for content analysis.)
+
+Adding Analysis
+===============
+
+Zeek supports customized file analysis via *file analyzers* that users can
+attach to observed files. You can attach analyzers selectively to individual
+files, or register them for auto-attachment under certain conditions. Once
+attached, file analyzers start receiving the contents of files as Zeek parses
+them from ongoing network connections.
+
+Zeek comes with the following built-in analyzers:
+
+    * :ref:`plugin-zeek-filedataevent` to access file content via
+      events (as data streams or content chunks),
+    * :ref:`plugin-zeek-fileentropy` to compute various entropy for a file,
+    * :ref:`plugin-zeek-fileextract` to extract files to disk,
+    * :ref:`plugin-zeek-filehash` to produce common hash values for files,
+    * :ref:`plugin-zeek-pe` to parse executables in PE format, and
+    * :ref:`plugin-zeek-x509` to extract information about x509 certificates.
+
+Like protocol parsers, file analyzers are regular :ref:`Zeek plugins
+<writing-plugins>`. Users are free to contribute additional ones via Zeek
+packages.
+
+Per-file analyzer registration
+------------------------------
+
+To attach an analyzer to a specific file, call :zeek:see:`Files::add_analyzer`
+with the analyzer's component tag (such as :zeek:see:`Files::ANALYZER_MD5`;
+consult the above analyzers for details). Some file analyzers support parameters
+that you can provide to this function via a :zeek:see:`Files::AnalyzerArgs`
+record, while others introduce additional event types and tunable script-layer
+settings.
+
+You can add multiple analyzers to a file, and add the same analyzer type
+multiple times, assuming you use varying :zeek:see:`Files::AnalyzerArgs`
+parameterization. You may remove these selectively from files via calls to
+:zeek:see:`Files::remove_analyzer`. You may also enable and disable file
+analyzers globally by calling :zeek:see:`Files::enable_analyzer` and
+:zeek:see:`Files::disable_analyzer`, respectively.
+
+Generic analyzer registration
+-----------------------------
+
+The framework provides mechanisms for automatically attaching analyzers to
+files. For example, the :zeek:see:`Files::register_for_mime_types` function
+ensures that Zeek automatically attaches a given analyzer to all files of a
+given MIME type. For fully customized auto-attachment logic take a look at
+:zeek:see:`Files::register_analyzer_add_callback`, and refer to
+:doc:`base/frameworks/files/main.zeek </scripts/base/frameworks/files/main.zeek>`
+for additional APIs and data structures.
+
+Regardless of which file analyzers end up acting on a file, general
+information about the file (e.g. size, time of last data transferred,
+MIME type, etc.) is logged in :file:`files.log`.
+
+Protocol-specific state
+-----------------------
+
+Some protocol analyzers redefine the ``fa_file`` record to add additional
+state. For example, ``base/protocols/http/entities.zeek``, which Zeek loads by
+default as part of the HTTP analyzer, makes the transaction's
+:zeek:see:`HTTP::Info` record available via ``f$http`` to provide HTTP
+context. As always, make sure to test the presence of optional fields via the
+``a?$b`` :ref:`record field operator <record-field-operators>` before accessing
+them.
+
+Examples
+--------
+
+File hashing
+^^^^^^^^^^^^
+
+The following script uses the MD5 file analyzer to calculate the hashes of plain
+text files:
+
+.. literalinclude:: file_analysis_02.zeek
+   :caption:
+   :language: zeek
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -r http/get.trace file_analysis_02.zeek
+   new file, FakNcS1Jfe01uljb3
+   file_hash, FakNcS1Jfe01uljb3, md5, 397168fd09991a0e712254df7bc639ac
+
+File extraction
+^^^^^^^^^^^^^^^
+
+The following example sets up extraction of observed files to disk:
+
+.. code-block:: zeek
+
+    global idx: count = 0;
+
+    event file_new(f: fa_file)
+        {
+        Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
+                            [$extract_filename=fmt("file-%04d", ++idx)]);
+        }
+
+The file extraction analyzer now writes the content of each observed file to a
+separate file on disk. The output file name results from concatenating the
+:zeek:see:`FileExtract::prefix` (normally ``./extract_files/``) and the
+enumerated ``file-NNNN`` strings.
+
+In a production setting you'll likely want to include additional information in
+the output, for example from state attached to the provided file record. The
+Zeek distribution ships with a starting point for such approaches: the
+``policy/frameworks/files/extract-all-files.zeek`` script. For additional
+configurability, take a look at the `file-extraction
+<https://github.com/hosom/file-extraction>`_ Zeek package.
+
+Script-level content analysis
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The ``FileDataEvent`` analyzer provides script-layer access to file content for
+customized analysis. Since observed files can be very large, Zeek cannot buffer
+these files and provide their entire content to the script layer once
+complete. Instead, the ``FileDataEvent`` analyzer reflects the incremental
+nature of file content as Zeek observes it, and supports two types of events to
+allow you to process it: user-provided *stream events* receive new file content
+as supplied by connection-oriented protocols, while *chunk events* receive
+observed data as provided by protocols that do not feature stream semantics.
+
+The following example manually computes the SHA256 hash of each observed file by
+building up hash state and feeding streamed file content into the hash
+computation. When Zeek removes a file's state (because it has fully observed it,
+or perhaps because its state is timing out), it prints the resulting hash to the
+console:
+
+.. code-block:: zeek
+
+    global hashstate: table[string] of opaque of sha256;
+
+    event file_stream(f: fa_file, data: string)
+        {
+        if ( f$id !in hashstate )
+            hashstate[f$id] = sha256_hash_init();
+
+        sha256_hash_update(hashstate[f$id], data);
+        }
+
+    event file_new(f: fa_file)
+        {
+        Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=file_stream]);
+        }
+
+    event file_state_remove(f: fa_file)
+        {
+        if ( f$id in hashstate )
+            {
+            print(sha256_hash_finish(hashstate[f$id]));
+            delete hashstate[f$id];
+            }
+        }
+
+Be careful with this approach, as it can quickly prove expensive to route all
+file content through the script layer. Make sure to add the analyzer only for
+relevant files, and consider removing it via :zeek:see:`Files::remove_analyzer`
+when you no longer require content analysis. For performance-critical
+applications a new file analyzer plugin could be a better approach.
+
+Input Framework Integration
+===========================
+
+The FAF comes with a simple way to integrate with the :doc:`Input
+Framework <input>`, so that Zeek can analyze files from external sources
+in the same way it analyzes files that it sees coming over traffic from
+a network interface it's monitoring.  It only requires a call to
+:zeek:see:`Input::add_analysis`:
+
+.. literalinclude:: file_analysis_03.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Note that the "source" field of :zeek:see:`fa_file` corresponds to the
+"name" field of :zeek:see:`Input::AnalysisDescription` since that is what
+the input framework uses to uniquely identify an input stream.
+
+Example output of the above script may be:
+
+.. code-block:: console
+
+   $ echo "Hello world" > myfile
+   $ zeek file_analysis_03.zeek
+   new file, FZedLu4Ajcvge02jA8
+   file_hash, FZedLu4Ajcvge02jA8, md5, f0ef7081e1539ac00ef5b761b4fb01b3
+   file_state_remove
+
+Nothing that special, but it at least verifies the MD5 file analyzer
+saw all the bytes of the input file and calculated the checksum
+correctly!
diff --git a/doc/frameworks/file_analysis_01.zeek b/doc/frameworks/file_analysis_01.zeek
new file mode 100644
index 0000000000..a48f8184ad
--- /dev/null
+++ b/doc/frameworks/file_analysis_01.zeek
@@ -0,0 +1,20 @@
+event connection_state_remove(c: connection)
+    {
+    print "connection_state_remove";
+    print c$uid;
+    print c$id;
+    for ( s in c$service )
+        print s;
+    }
+
+event file_state_remove(f: fa_file)
+    {
+    print "file_state_remove";
+    print f$id;
+    for ( cid in f$conns )
+        {
+        print f$conns[cid]$uid;
+        print cid;
+        }
+    print f$source;
+    }
diff --git a/doc/frameworks/file_analysis_02.zeek b/doc/frameworks/file_analysis_02.zeek
new file mode 100644
index 0000000000..fd4f0e775e
--- /dev/null
+++ b/doc/frameworks/file_analysis_02.zeek
@@ -0,0 +1,12 @@
+event file_sniff(f: fa_file, meta: fa_metadata)
+    {
+	if ( ! meta?$mime_type ) return;
+    print "new file", f$id;
+    if ( meta$mime_type == "text/plain" )
+        Files::add_analyzer(f, Files::ANALYZER_MD5);
+    }
+
+event file_hash(f: fa_file, kind: string, hash: string)
+    {
+    print "file_hash", f$id, kind, hash;
+    }
diff --git a/doc/frameworks/file_analysis_03.zeek b/doc/frameworks/file_analysis_03.zeek
new file mode 100644
index 0000000000..3f8aa35d31
--- /dev/null
+++ b/doc/frameworks/file_analysis_03.zeek
@@ -0,0 +1,25 @@
+redef exit_only_after_terminate = T;
+
+event file_new(f: fa_file)
+    {
+    print "new file", f$id;
+    Files::add_analyzer(f, Files::ANALYZER_MD5);
+    }
+
+event file_state_remove(f: fa_file)
+    {
+    print "file_state_remove";
+    Input::remove(f$source);
+    terminate();
+    }
+
+event file_hash(f: fa_file, kind: string, hash: string)
+    {
+    print "file_hash", f$id, kind, hash;
+    }
+
+event zeek_init()
+    {
+    local source: string = "./myfile";
+    Input::add_analysis([$source=source, $name=source]);
+    }
diff --git a/doc/frameworks/index.rst b/doc/frameworks/index.rst
new file mode 100644
index 0000000000..a9ef76f884
--- /dev/null
+++ b/doc/frameworks/index.rst
@@ -0,0 +1,38 @@
+
+==========
+Frameworks
+==========
+
+Zeek includes several software frameworks that provide commonly used
+functionality to the scripting layer. Among other things, these frameworks
+enhance Zeek’s ability to ingest data, structure and filter its outputs, adapt
+settings at runtime, and interact with other components in your network. Most
+frameworks include functionality implemented in Zeek’s core, with
+corresponding data structures and APIs exposed to the script layer.
+
+Some frameworks target relatively specific use cases, while others run in
+nearly every Zeek installation. The logging framework, for example, provides
+the machinery behind all of the Zeek logs covered earlier. Frameworks also
+build on each other, so it’s well worth knowing their capabilities. The next
+sections cover them in detail.
+
+.. toctree::
+   :maxdepth: 1
+
+   broker
+   cluster
+   configuration
+   file-analysis
+   input
+   intel
+   logging
+   management
+   netcontrol
+   notice
+   packet-analysis
+   signatures
+   storage
+   sumstats
+   supervisor
+   telemetry
+   tls-decryption
diff --git a/doc/frameworks/input.rst b/doc/frameworks/input.rst
new file mode 100644
index 0000000000..994eec01eb
--- /dev/null
+++ b/doc/frameworks/input.rst
@@ -0,0 +1,640 @@
+
+.. _framework-input:
+
+===============
+Input Framework
+===============
+
+Zeek features a flexible input framework that allows users to import arbitrary
+data into Zeek. Data is either read into Zeek tables or directly converted to
+events for scripts to handle as they see fit. A modular reader architecture
+allows reading from files, databases, or other data sources.
+
+This chapter gives an overview of how to use the input framework, with
+examples. For more complex scenarios take a look at the test cases in
+:file:`testing/btest/scripts/base/frameworks/input/` in the Zeek distribution.
+
+.. note::
+
+  The input framework has no awareness of Zeek’s cluster architecture. Zeek
+  supports all of the mechanisms covered below on any cluster node. The config
+  and intelligence frameworks both leverage the input framework, adding logic
+  that applies the input framework on the manager node, distributing ingested
+  information across the cluster via events.
+
+Reading Data into Tables
+========================
+
+Probably the most interesting use-case of the input framework is to read data
+into a Zeek table. By default, the input framework reads the data in the same
+format as it is written by Zeek’s logging framework: a tab-separated ASCII
+file.
+
+We will show the ways to read files into Zeek with a simple example. For this
+example we assume that we want to import data from a denylist that contains
+server IP addresses as well as the timestamp and the reason for the block.
+
+An example input file could look like this (note that all fields must be
+tab-separated)::
+
+  #fields ip timestamp reason
+  192.168.17.1 1333252748 Malware host
+  192.168.27.2 1330235733 Botnet server
+  192.168.250.3 1333145108 Virus detected
+
+To read a file into a Zeek table, two record types have to be defined. One
+contains the types and names of the columns that should constitute the table
+keys, and the second contains the types and names of the columns that should
+constitute the table values.
+
+In our case, we want to be able to look up IPs. Hence, our key record only
+contains the server IP. All other elements should be stored as the table
+content.
+
+.. code-block:: zeek
+
+  type Idx: record {
+      ip: addr;
+  };
+
+  type Val: record {
+      timestamp: time;
+      reason: string;
+  };
+
+Note that the names of the fields in the record definitions must correspond to
+the column names listed in the ``#fields`` line of the input file, in this case
+``ip``, ``timestamp``, and ``reason``. Also note that the ordering of the
+columns does not matter, because each column is identified by name.
+
+The input file is read into the table with a call of the
+:zeek:see:`Input::add_table` function:
+
+.. code-block:: zeek
+
+  global denylist: table[addr] of Val = table();
+
+  event zeek_init() {
+      Input::add_table([$source="denylist.file", $name="denylist",
+                        $idx=Idx, $val=Val, $destination=denylist]);
+      Input::remove("denylist");
+  }
+
+With these three lines we first create an empty table that should receive the
+denylist data and then instruct the input framework to open an input stream
+named “denylist” to read the data into the table. The third line removes the
+input stream again, because we do not need it any more after the data has been
+read.
+
+Note that while the key and content records may use :zeek:attr:`&optional`
+fields, omitting columns (usually via the "-" character) requires care. Since
+the key record's columns expand into a list of values for indexing into the
+receiving table (note how in the above example ``denylist`` is indexed via a
+plain ``addr``) and all of those values must be present for indexing, you cannot
+in practice omit these values. For content records, omitting is meaningful, but
+only permitted for columns with the :zeek:attr:`&optional` attribute. The
+framework skips offending input lines with a warning.
+
+.. note::
+
+  Prior to version 4.1 Zeek accepted such inputs, unsafely. When transitioning
+  from such versions to Zeek 4.1 or newer, users with omitted fields in their
+  input data may observe discrepancies in the loaded data sets.
+
+Asynchronous processing
+-----------------------
+
+Since some data files might be rather large, the input framework works
+asynchronously. A new thread is created for each new input stream. This thread
+opens the input data file, converts the data into an internal format and sends
+it back to the main Zeek thread. Because of this, the data is not immediately
+accessible. Depending on the size of the data source it might take from a few
+milliseconds up to a few seconds until all data is present in the table. Please
+note that this means that when Zeek is running without an input source or on
+very short captured files, it might terminate before the data is present in the
+table (because Zeek already handled all packets before the import thread
+finished).
+
+Subsequent calls to an input source are queued until the previous action has
+been completed. Because of this it is, for example, possible to call
+:zeek:see:`Input::add_table` and :zeek:see:`Input::remove` in two subsequent
+lines: the remove action will remain queued until the first read has been
+completed.
+
+Once the input framework finishes reading from a data source, it fires the
+:zeek:see:`Input::end_of_data` event. Once this event has been received all
+data from the input file is available in the table.
+
+.. code-block:: zeek
+
+  event Input::end_of_data(name: string, source: string) {
+      # now all data is in the table
+      print denylist;
+  }
+
+The table can be used while the data is still being read — it just might not
+contain all lines from the input file before the event has fired. After the
+table has been populated it can be used like any other Zeek table and denylist
+entries can easily be tested:
+
+.. code-block:: zeek
+
+  if ( 192.168.18.12 in denylist )
+      # take action
+
+
+Sets instead of tables
+----------------------
+
+For some use cases the key/value notion that drives tabular data does not
+apply, for example when the main purpose of the data is to test for membership
+in a set. The input framework supports this approach by using sets as the
+destination data type, and omitting ``$val`` in :zeek:see:`Input::add_table`:
+
+.. code-block:: zeek
+
+  type Idx: record {
+      ip: addr;
+  };
+
+  global denylist: set[addr] = set();
+
+  event zeek_init() {
+      Input::add_table([$source="denylist.file", $name="denylist",
+                       $idx=Idx, $destination=denylist]);
+      Input::remove("denylist");
+  }
+
+Re-reading and streaming data
+-----------------------------
+
+For some data sources (such as many denylists), the input data changes
+continually. The input framework supports additional techniques to manage such
+ever-changing input.
+
+The first, very basic method is an explicit refresh of an input stream. When an
+input stream is open (meaning it has not yet been removed by a call to
+:zeek:see:`Input::remove`), the function :zeek:see:`Input::force_update` can be
+called. This will trigger a complete refresh of the table: any changed elements
+from the file will be updated, new ones added, and any elements no longer in
+the input data get removed. After the update is finished the
+:zeek:see:`Input::end_of_data` event will be raised.
+
+In our example the call would look as follows:
+
+.. code-block:: zeek
+
+  Input::force_update("denylist");
+
+Alternatively, the input framework can automatically refresh the table contents
+when it detects a change to the input file. To use this feature you need to
+specify a non-default read mode by setting the mode option of the
+:zeek:see:`Input::add_table` call. Valid values are :zeek:see:`Input::MANUAL`
+(the default), :zeek:see:`Input::REREAD`, and :zeek:see:`Input::STREAM`. For
+example, setting the value of the mode option in the previous example would
+look like this:
+
+.. code-block:: zeek
+
+  Input::add_table([$source="denylist.file", $name="denylist",
+                    $idx=Idx, $val=Val, $destination=denylist,
+                    $mode=Input::REREAD]);
+
+When using the reread mode (i.e., ``$mode=Input::REREAD``), Zeek continually
+checks if the input file has been changed. If the file has been changed, it is
+re-read and the data in the Zeek table is updated to reflect the current state.
+Each time a change has been detected and all the new data has been read into
+the table, the :zeek:see:`Input::end_of_data` event is raised.
+
+When using the streaming mode (i.e., ``$mode=Input::STREAM``), Zeek
+assumes that the input is an append-only file to which new data is
+continually appended. Zeek also checks to see if the file being
+followed has been renamed or rotated. The file is closed and reopened
+when tail detects that the filename being read from has a new inode
+number. Zeek continually checks for new data at the end of the file
+and will add the new data to the table. If newer lines in the file
+have the same table index as previous lines, they will overwrite
+the values in the output table. Because of the nature of streaming
+reads (data is continually added to the table), the
+:zeek:see:`Input::end_of_data` event is never raised when using
+streaming reads.
+
+.. tip::
+
+  Change detection happens via periodic “heartbeat” events, defaulting to a
+  frequency of once per second as defined by the global
+  :zeek:see:`Threading::heartbeat_interval` constant. The reader considers the
+  input file changed when the file’s inode or modification time has changed
+  since the last check.
+
+Receiving change events
+-----------------------
+
+When re-reading files, it might be interesting to know exactly which lines in
+the source files have changed. For this reason, the input framework can raise
+an event each time when a data item is added to, removed from, or changed in a
+table.
+
+The event definition looks like this (note that you can change the name of this
+event in your own Zeek script):
+
+.. code-block:: zeek
+
+  event entry(description: Input::TableDescription, tpe: Input::Event,
+              left: Idx, right: Val) {
+      # do something here...
+      print fmt("%s = %s", left, right);
+  }
+
+The event must be specified in ``$ev`` in the :zeek:see:`Input::add_table`
+call:
+
+.. code-block:: zeek
+
+  Input::add_table([$source="denylist.file", $name="denylist",
+                    $idx=Idx, $val=Val, $destination=denylist,
+                    $mode=Input::REREAD, $ev=entry]);
+
+The description argument of the event contains the arguments that were
+originally supplied to the :zeek:see:`Input::add_table` call. Hence, the name
+of the stream can, for example, be accessed with ``description$name``. The
+``tpe`` argument of the event is an enum containing the type of the change that
+occurred.
+
+If a line that was not previously present in the table has been added, then the
+value of ``tpe`` will be :zeek:see:`Input::EVENT_NEW`. In this case left
+contains the index of the added table entry and right contains the values of
+the added entry.
+
+If a table entry that already was present is altered during the re-reading or
+streaming read of a file, then the value of ``tpe`` will be
+:zeek:see:`Input::EVENT_CHANGED`.  In this case ``left`` contains the index of
+the changed table entry and ``right`` contains the values of the entry before
+the change. The reason for this is that the table already has been updated when
+the event is raised. The current value in the table can be ascertained by
+looking up the current table value. Hence it is possible to compare the new and
+the old values of the table.
+
+If a table element is removed because it was no longer present during a
+re-read, then the value of ``tpe`` will be :zeek:see:`Input::EVENT_REMOVED`. In
+this case ``left`` contains the index and ``right`` the values of the removed
+element.
+
+Filtering data during import
+----------------------------
+
+The input framework also allows a user to filter the data during the import. To
+this end, predicate functions are used. A predicate function is called before a
+new element is added/changed/removed from a table. The predicate can either
+accept or veto the change by returning true for an accepted change and false
+for a rejected change. Furthermore, it can alter the data before it is written
+to the table.
+
+The following example filter will reject adding entries to the table when they
+were generated over a month ago. It will accept all changes and all removals of
+values that are already present in the table.
+
+.. code-block:: zeek
+
+  Input::add_table([$source="denylist.file", $name="denylist",
+                    $idx=Idx, $val=Val, $destination=denylist,
+                    $mode=Input::REREAD,
+                    $pred(tpe: Input::Event, left: Idx, right: Val) = {
+                      if ( tpe != Input::EVENT_NEW ) {
+                          return T;
+                      }
+                      return (current_time() - right$timestamp) < 30day;
+                    }]);
+
+To change elements while they are being imported, the predicate function can
+manipulate ``left`` and ``right``. Note that predicate functions are called
+before the change is committed to the table. Hence, when a table element is
+changed (``tpe`` is :zeek:see:`Input::EVENT_CHANGED`), ``left`` and ``right``
+contain the new values, but the destination (``denylist`` in our example) still
+contains the old values. This allows predicate functions to examine the changes
+between the old and the new version before deciding if they should be allowed.
+
+Broken input data
+-----------------
+
+The input framework notifies you of problems during data ingestion in two ways.
+First, reporter messages, ending up in :file:`reporter.log`, indicate the type of
+problem and the file in which the problem occurred::
+
+  #fields ts      level   message location
+  0.000000        Reporter::WARNING       denylist.file/Input::READER_ASCII: Did not find requested field ip in input data file denylist.file.   (empty)
+
+Second, the :zeek:see:`Input::TableDescription` and
+:zeek:see:`Input::EventDescription` records feature an ``$error_ev`` member to
+trigger events indicating the same message and severity levels as shown above.
+The use of these events mirrors that of change events.
+
+For both approaches, the framework suppresses repeated messages regarding the
+same file, so mistakes in large data files do not trigger a message flood.
+
+Finally, the ASCII reader allows coarse control over the robustness in case of
+problems during data ingestion. Concretely, the
+:zeek:see:`InputAscii::fail_on_invalid_lines` and
+:zeek:see:`InputAscii::fail_on_file_problem` flags indicate whether problems
+should merely trigger warnings or lead to processing failure. Both default to
+warnings.
+
+Reading Data to Events
+======================
+
+The second data ingestion mode of the input framework directly generates Zeek
+events from ingested data instead of inserting them to a table. Event streams
+work very similarly to the table streams discussed above, and most of the
+features discussed (such as predicates for filtering) also work for event
+streams. To read the denylist of the previous example into an event stream, we
+use the :zeek:see:`Input::add_event` function:
+
+.. code-block:: zeek
+
+  type Val: record {
+      ip: addr;
+      timestamp: time;
+      reason: string;
+  };
+
+  event denylistentry(description: Input::EventDescription,
+                       tpe: Input::Event, data: Val) {
+      # do something here...
+      print "data:", data;
+  }
+
+  event zeek_init() {
+      Input::add_event([$source="denylist.file", $name="denylist",
+                       $fields=Val, $ev=denylistentry]);
+  }
+
+Event streams differ from table streams in two ways:
+
+* An event stream needs no separate index and value declarations — instead, all
+  source data types are provided in a single record definition.
+* Since the framework perceives a continuous stream of events, it has no
+  concept of a data baseline (e.g. a table) to compare the incoming data to.
+  Therefore the change event type (an :zeek:see:`Input::Event` instance,
+  ``tpe`` in the above) is currently always :zeek:see:`Input::EVENT_NEW`.
+
+These aside, event streams work exactly the same as table streams and support
+most of the options that are also supported for table streams.
+
+Data Readers
+============
+
+The input framework supports different kinds of readers for different kinds of
+source data files. At the moment, the framework defaults to ingesting ASCII
+files formatted in the Zeek log file format (tab-separated values with a
+``#fields`` header line). Several other readers are included in Zeek, and Zeek
+packages/plugins can provide additional ones.
+
+Reader selection proceeds as follows. The :zeek:see:`Input::default_reader`
+variable defines the default reader: :zeek:see:`Input::READER_ASCII`. When you
+call :zeek:see:`Input::add_table` or :zeek:see:`Input::add_event` this reader
+gets used automatically.  You can override the default by assigning the
+``$reader`` member in the description record passed into these calls. See test
+cases in :file:`testing/btest/scripts/base/frameworks/input/` for examples.
+
+The ASCII Reader
+----------------
+
+The ASCII reader, enabled by default or by selecting
+:zeek:see:`Input::READER_ASCII`, understands Zeek’s TSV log format. It actually
+understands the full set of directives in the preamble of those log files, e.g.
+to define the column separator. This is rarely used, and most commonly input
+files merely start with a tab-separated row that names the ``#fields`` in the
+input file, as shown earlier.
+
+.. warning::
+
+  The ASCII reader has no notion of file locking, including UNIX’s advisory
+  locking. For large files, this means the framework might process a file
+  that’s still written to. The reader handles resulting errors robustly (e.g.
+  via the reporter log, as described earlier), but nevertheless will encounter
+  errors. In order to avoid these problems it’s best to produce a new input
+  file on the side, and then atomically rename it to the filename monitored by
+  the framework.
+
+There’s currently no JSON ingestion mode for this reader, but see the section
+about using the :ref:`raw reader <input-raw-reader>` together with the
+builtin :zeek:see:`from_json` function.
+
+The Benchmark Reader
+--------------------
+
+The benchmark reader, selected via :zeek:see:`Input::READER_BENCHMARK`, helps
+the Zeek developers optimize the speed of the input framework. It can generate
+arbitrary amounts of semi-random data in all Zeek data types supported by the
+input framework.
+
+The Binary Reader
+-----------------
+
+This reader, selected via :zeek:see:`Input::READER_BINARY`, is intended for
+use with file analysis input streams to ingest file content (and is the default
+type of reader for those streams).
+
+.. _input-raw-reader:
+
+The Raw Reader
+--------------
+
+The raw reader, selected via :zeek:see:`Input::READER_RAW`, reads a file that
+is split by a specified record separator (newline by default). The contents are
+returned line-by-line as strings; it can, for example, be used to read
+configuration files and the like and is probably only useful in the event mode
+and not for reading data to tables.
+
+Reading JSON Lines
+~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 6.0
+
+
+While the ASCII reader does not currently support JSON natively, it is
+possible to use the raw reader together with the builtin :zeek:see:`from_json`
+function to read files in JSON lines format and instantiate Zeek record
+values based on the input.
+
+The following example shows how this can be done, holding two state tables
+in order to allow for removal updates of the read data.
+
+.. literalinclude:: denylist.jsonl
+   :caption:
+   :language: json
+   :linenos:
+   :tab-width: 4
+
+.. literalinclude:: input_json_1.zeek
+   :caption: Loading denylist.jsonl, converting to Zeek types, populating a table.
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+If your input data is already in, or can be easily converted into, JSON Lines format
+the above approach can be used to load it into Zeek.
+
+.. _input-sqlite-reader:
+
+The SQLite Reader
+-----------------
+
+The SQLite input reader, selected via :zeek:see:`Input::READER_SQLITE`,
+provides a way to access SQLite databases from Zeek. SQLite is a simple,
+file-based, widely used SQL database system. Due to the transactional nature of
+SQLite, databases can be used by several applications simultaneously. Hence
+they can, for example, be used to make constantly evolving datasets available
+to Zeek on a continuous basis.
+
+Reading Data from SQLite Databases
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Like with Zeek’s logging support, reading data from SQLite databases is built
+into Zeek without any extra configuration needed. Just like text-based input
+readers, the SQLite reader can read data — in this case the result of SQL
+queries — into tables or events.
+
+Reading Data into Tables
+************************
+
+To read data from a SQLite database, we first have to provide Zeek with the
+information how the resulting data will be structured. For this example, we
+expect that we have a SQLite database, which contains host IP addresses and the
+user accounts that are allowed to log into a specific machine.
+
+The SQLite commands to create the schema are as follows::
+
+  create table machines_to_users (
+  host text unique not null,
+  users text not null);
+
+  insert into machines_to_users values (
+      '192.168.17.1', 'johanna,matthias,seth');
+  insert into machines_to_users values (
+      '192.168.17.2', 'johanna');
+  insert into machines_to_users values (
+      '192.168.17.3', 'seth,matthias');
+
+After creating a file called hosts.sqlite with this content, we can read the
+resulting table into Zeek:
+
+.. code-block:: zeek
+
+  type Idx: record {
+     host: addr;
+  };
+
+  type Val: record {
+     users: set[string];
+  };
+
+  global hostslist: table[addr] of Val = table();
+
+  event zeek_init()
+     {
+     Input::add_table([$source="/var/db/hosts",
+         $name="hosts",
+         $idx=Idx,
+         $val=Val,
+         $destination=hostslist,
+         $reader=Input::READER_SQLITE,
+         $config=table(["query"] = "select * from machines_to_users;")
+         ]);
+
+     Input::remove("hosts");
+     }
+
+  event Input::end_of_data(name: string, source: string)
+     {
+     if ( name != "hosts" )
+         return;
+
+     # now all data is in the table
+     print "Hosts list has been successfully imported";
+
+     # List the users of one host.
+     print hostslist[192.168.17.1]$users;
+     }
+
+The ``hostslist`` table can now be used to check host logins against an
+available user list.
+
+Turning Data into Events
+************************
+
+The second mode is to use the SQLite reader to output the input data as events.
+Typically there are two reasons to do this. First, the structure of the input
+data is too complicated for a direct table import. In this case, the data can
+be read into an event which can then create the necessary data structures in
+Zeek in scriptland. Second, the dataset is too big to hold in memory. In this
+case, event-driven ingestion can perform checks on-demand.
+
+As an example, let’s consider a large database with malware hashes. Live
+database queries allow us to cross-check sporadically occurring downloads
+against this evolving database. The SQLite commands to create the schema are as
+follows::
+
+  create table malware_hashes (
+      hash text unique not null,
+      description text not null);
+
+  insert into malware_hashes values ('86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', 'malware a');
+  insert into malware_hashes values ('e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98', 'malware b');
+  insert into malware_hashes values ('84a516841ba77a5b4648de2cd0dfcb30ea46dbb4', 'malware c');
+  insert into malware_hashes values ('3c363836cf4e16666669a25da280a1865c2d2874', 'malware d');
+  insert into malware_hashes values ('58e6b3a414a1e090dfc6029add0f3555ccba127f', 'malware e');
+  insert into malware_hashes values ('4a0a19218e082a343a1b17e5333409af9d98f0f5', 'malware f');
+  insert into malware_hashes values ('54fd1711209fb1c0781092374132c66e79e2241b', 'malware g');
+  insert into malware_hashes values ('27d5482eebd075de44389774fce28c69f45c8a75', 'malware h');
+  insert into malware_hashes values ('73f45106968ff8dc51fba105fa91306af1ff6666', 'ftp-trace');
+
+The following code uses the file-analysis framework to get the sha1 hashes of
+files that are transmitted over the network. For each hash, a SQL-query runs
+against SQLite. If the query returns a result, we output the matching hash.
+
+.. code-block:: zeek
+
+  @load frameworks/files/hash-all-files
+
+  type Val: record {
+     hash: string;
+     description: string;
+  };
+
+  event line(description: Input::EventDescription, tpe: Input::Event, r: Val)
+     {
+     print fmt("malware-hit with hash %s, description %s", r$hash, r$description);
+     }
+
+  global malware_source = "/var/db/malware";
+
+  event file_hash(f: fa_file, kind: string, hash: string)
+     {
+
+     # check all sha1 hashes
+     if ( kind=="sha1" )
+         {
+         Input::add_event(
+             [
+             $source=malware_source,
+             $name=hash,
+             $fields=Val,
+             $ev=line,
+             $want_record=T,
+             $config=table(
+                 ["query"] = fmt("select * from malware_hashes where hash='%s';", hash)
+                 ),
+             $reader=Input::READER_SQLITE
+             ]);
+         }
+     }
+
+  event Input::end_of_data(name: string, source:string)
+     {
+     if ( source == malware_source )
+         Input::remove(name);
+     }
+
+If you run this script against the trace in
+:file:`testing/btest/Traces/ftp/ipv4.trace`, you will get one hit.
diff --git a/doc/frameworks/input_json_1.zeek b/doc/frameworks/input_json_1.zeek
new file mode 100644
index 0000000000..8a829e4375
--- /dev/null
+++ b/doc/frameworks/input_json_1.zeek
@@ -0,0 +1,56 @@
+## Read a denylist.jsonl file in JSON Lines format
+module Denylist;
+
+type JsonLine: record {
+   s: string;
+};
+
+type Entry: record {
+	ip: addr;
+	timestamp: time;
+	reason: string;
+};
+
+global staged_denies: table[addr] of Entry;
+global active_denies: table[addr] of Entry;
+
+event Input::end_of_data(name: string, source: string)
+	{
+	if ( name != "denylist" )
+		return;
+
+	# Switch active and staging tables when input file has been read.
+	active_denies = staged_denies;
+	staged_denies = table();
+
+	print network_time(), "end_of_data() active:", table_keys(active_denies);
+	}
+
+
+event Denylist::json_line(description: Input::EventDescription, tpe: Input::Event, l: string)
+	{
+	local parse_result = from_json(l, Entry);
+
+	# Parsing of JSON may fail, so ignore anything invalid.
+	if ( ! parse_result$valid )
+		return;
+
+	# Cast parsed value as Entry...
+	local entry = parse_result$v as Entry;
+
+	# ...and populate staging table.
+	staged_denies[entry$ip] = entry;
+	}
+
+event zeek_init()
+	{
+	Input::add_event([
+		$source="denylist.jsonl",
+		$name="denylist",
+		$reader=Input::READER_RAW,
+		$mode=Input::REREAD,
+		$fields=JsonLine,
+		$ev=Denylist::json_line,
+		$want_record=F,
+	]);
+	}
diff --git a/doc/frameworks/intel.rst b/doc/frameworks/intel.rst
new file mode 100644
index 0000000000..dd7500f4c7
--- /dev/null
+++ b/doc/frameworks/intel.rst
@@ -0,0 +1,270 @@
+
+======================
+Intelligence Framework
+======================
+
+Introduction
+============
+
+The goals of Zeek’s Intelligence Framework are to consume intelligence data,
+make it available for matching, and provide infrastructure to improve
+performance and memory utilization.
+
+Data in the Intelligence Framework is an atomic piece of intelligence such as
+an IP address or an e-mail address. This atomic data will be packed with
+metadata such as a freeform source field, a freeform descriptive field, and a
+URL which might lead to more information about the specific item. The metadata
+in the default scripts has been deliberately kept to a minimum.
+
+Quick Start
+===========
+
+First we need to define the intelligence data to match. Let's look for the
+domain ``www.reddit.com``. For the details of the file format see the
+:ref:`Loading Intelligence <loading-intelligence>` section below.
+
+::
+
+  #fields	indicator	indicator_type	meta.source
+  www.reddit.com	Intel::DOMAIN	my_special_source
+
+Now we need to tell Zeek about the data. Add this line to your local.zeek to
+load an intelligence file:
+
+.. code-block:: zeek
+
+  redef Intel::read_files += { "/somewhere/yourdata.txt" };
+
+In a cluster, the text files only need to reside on the manager.
+
+Add the following line to :file:`local.zeek` to load the scripts that send
+“seen” data into the Intelligence Framework to be checked against the loaded
+intelligence data:
+
+.. code-block:: zeek
+
+  @load frameworks/intel/seen
+
+Intelligence data matches will be logged to the :file:`intel.log` file. A match
+on ``www.reddit.com`` might look like this::
+
+  {
+  "ts":1320279566.452687,
+  "uid":"C4llPsinsviGyNY45",
+  "id.orig_h":"192.168.2.76",
+  "id.orig_p":52026,
+  "id.resp_h":"132.235.215.119",
+  "id.resp_p":80,
+  "seen.indicator":"www.reddit.com",
+  "seen.indicator_type":"Intel::DOMAIN",
+  "seen.where":"HTTP::IN_HOST_HEADER",
+  "seen.node":"zeek",
+  "matched":[
+	  "Intel::DOMAIN"
+  ],
+  "sources":[
+	  "my_special_source"
+  ]}
+
+You can explore this example on `try.zeek.org
+<https://try.zeek.org/#/?example=intel-intel-1>`_.
+
+Architecture
+============
+
+The Intelligence Framework can be thought of as containing three separate
+portions. The first part involves loading intelligence data. The second is a
+mechanism for indicating to the intelligence framework that a piece of data
+which needs to be checked has been seen. The third handles when a positive
+match has been discovered.
+
+.. image:: /images/intel-architecture.png
+  :align: center
+
+The figure above depicts how these portions work together: loading intelligence
+*inserts* the data into an in-memory data store that is managed by the
+intelligence framework. During traffic analysis, scripts report the *seen* data
+to the framework to check against the loaded items.
+
+.. _loading-intelligence:
+
+Loading Intelligence
+--------------------
+
+By default, intelligence data is loaded through plain text files using the
+Input Framework. In clusters the manager is the only node that needs the
+intelligence data. The intelligence framework has distribution mechanisms which
+will push data out to all of the nodes that need it.
+
+Here is an example of the intelligence data format. All fields must be
+separated by a single tab character and fields containing only a hyphen are
+considered to be null values. Note that there may be additional fields
+depending on the loaded extensions. One example is the
+:doc:`/scripts/policy/frameworks/intel/do_notice.zeek` script as described
+below.
+
+::
+
+  #fields indicator       indicator_type  meta.source     meta.desc       meta.url
+  1.2.3.4 Intel::ADDR     source1 Sending phishing email  http://source1.com/badhosts/1.2.3.4
+  a.b.com Intel::DOMAIN   source2 Name used for data exfiltration -
+
+For a list of all built-in ``indicator_type`` values, please refer to the
+documentation of :zeek:see:`Intel::Type`.
+
+To load the data once the files are created, add the following to your
+``local.zeek`` to specify which intel files to load (with your own file names
+of course):
+
+.. code-block:: zeek
+
+  redef Intel::read_files += {
+          "/somewhere/feed1.txt",
+          "/somewhere/feed2.txt",
+  };
+
+Remember, the files only need to be present on the file system of the manager
+node on cluster deployments.
+
+The intel framework is very flexible so that intelligence matching can be
+extended in numerous ways. For example, the
+:doc:`/scripts/policy/frameworks/intel/do_notice.zeek`
+script implements a
+simple mechanism to raise a Zeek notice (of type :zeek:see:`Intel::Notice`) for
+user-specified intelligence matches. To use this feature, add the following
+line to ``local.zeek``:
+
+.. code-block:: zeek
+
+  @load frameworks/intel/do_notice
+
+The script adds additional metadata fields. In particular, if the ``do_notice``
+field of type bool is set to ``T`` for an intelligence item, Zeek will create a
+notice when the item is matched.
+
+Seen Data
+---------
+
+When some bit of data is extracted from network traffic (such as an email
+address in the “From” header in a SMTP message), the Intelligence Framework
+needs to be informed that this data was discovered so that its presence will be
+checked within the loaded intelligence data. This is accomplished through the
+:zeek:see:`Intel::seen` function.
+
+Zeek includes a default set of scripts that will send data to the intelligence
+framework. To load all of the scripts included with Zeek for sending “seen”
+data to the intelligence framework, just add this line to ``local.zeek``:
+
+.. code-block:: zeek
+
+  @load frameworks/intel/seen
+
+Alternatively, specific scripts in that directory can be loaded. Keep in mind
+that as more data is sent to the intelligence framework, the CPU load consumed
+by Zeek will increase depending on how many times the :zeek:see:`Intel::seen`
+function is being called. The effect of this condition depends on the nature
+and volume of the traffic Zeek monitors.
+
+Zeek's intelligence framework can only match loaded items if corresponding
+occurrences are reported as *seen*. For example, the scripts included with Zeek
+will only report IP addresses from established TCP connections to the
+intelligence framework. Thus, neither UDP traffic nor one-sided traffic will
+trigger intelligence hits by default. However, it is easy to report additional
+observations to the framework. The following will report the IPs of all
+connections (including ICMP, UDP and one-sided traffic) to the intelligence
+framework:
+
+.. code-block:: zeek
+
+  event new_connection(c: connection)
+	  {
+	  Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
+	  Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
+	  }
+
+Note that using the :zeek:see:`new_connection` event could have a significant
+impact on the overall performance as much more data might be processed by the
+intelligence framework.
+
+Intelligence Matches
+--------------------
+
+The Intelligence Framework provides an event that is generated whenever a match
+is discovered. This event is named :zeek:see:`Intel::match` and receives two
+arguments.  First, a record of type :zeek:see:`Intel::Seen` that describes the
+observation as reported to the framework. It contains information about what
+was seen (e.g., the domain ``www.slideshare.net``), where it was seen (e.g. in
+an X509 certificate) and further context (e.g., a connection or a file record)
+if available. The second argument is a set of intelligence items that matched
+the observation. A set is used because multiple items may match a given
+observation. For example, assume you have ingested the IP ``1.2.3.4`` from
+source A and from source B as well as the subnet ``1.2.3.0/24`` from source B.
+If the IP ``1.2.3.4`` is seen in your traffic, the match event will receive all
+three intelligence items.
+
+In a cluster setup, the match event is raised on the manager. This is important
+to keep in mind when writing a script that handles the event. While the context
+information about the match is available through the event parameters, the
+handler itself is executed on the manager. Thus, one cannot access any state
+that is local to the worker node that reported the observation in the first
+place. Other interaction is also limited. For example, one cannot reliably
+trigger file extraction based on an intelligence hit: Once the manager
+processes the match event and comes to the conclusion that file extraction
+would be desired, the worker that triggered the hit is most likely done
+processing the corresponding data. Instead, one would need to start by
+extracting all files that are potentially relevant, keep the ones that refer to
+an intelligence hit and regularly discard the others.
+
+Intelligence matches are logged to the :file:`intel.log` file. For further
+description of each field in that file, see the documentation for the
+:zeek:see:`Intel::Info` record.
+
+The following are two matches from a sample :file:`intel.log`::
+
+  {
+    "ts": "2019-03-12T18:22:19.252191Z",
+    "uid": "Cpue7J1KNReqCodXHc",
+    "id.orig_h": "192.168.4.6",
+    "id.orig_p": 64738,
+    "id.resp_h": "13.107.18.13",
+    "id.resp_p": 443,
+    "seen.indicator": "www.slideshare.net",
+    "seen.indicator_type": "Intel::DOMAIN",
+    "seen.where": "X509::IN_CERT",
+    "seen.node": "so16-enp0s8-1",
+    "matched": [
+      "Intel::DOMAIN"
+    ],
+    "sources": [
+      "from http://hosts-file.net/fsa.txt via intel.criticalstack.com"
+    ],
+    "fuid": "FnRp0j1YMig5KhcMDg",
+    "file_mime_type": "application/x-x509-user-cert",
+    "file_desc": "13.107.18.13:443/tcp"
+  }
+  {
+    "ts": "2019-03-12T18:32:19.821962Z",
+    "uid": "CvusFJ2HdbTnCLxEUa",
+    "id.orig_h": "192.168.4.6",
+    "id.orig_p": 64826,
+    "id.resp_h": "13.107.42.14",
+    "id.resp_p": 443,
+    "seen.indicator": "www.slideshare.net",
+    "seen.indicator_type": "Intel::DOMAIN",
+    "seen.where": "X509::IN_CERT",
+    "seen.node": "so16-enp0s8-1",
+    "matched": [
+      "Intel::DOMAIN"
+    ],
+    "sources": [
+      "from http://hosts-file.net/fsa.txt via intel.criticalstack.com"
+    ],
+    "fuid": "FUrrLa45T7a8hjdRy",
+    "file_mime_type": "application/x-x509-user-cert",
+    "file_desc": "13.107.42.14:443/tcp"
+  }
+
+These examples show there were matches in a domain observed in a X509
+certificate. That domain was ``www.slideshare.net``. This is unusual as that
+domain is used for legitimate purposes. This example demonstrates that analysts
+must vet intelligence feeds for their local use and applicability.
diff --git a/doc/frameworks/logging-input-sqlite.rst b/doc/frameworks/logging-input-sqlite.rst
new file mode 100644
index 0000000000..a785e99b58
--- /dev/null
+++ b/doc/frameworks/logging-input-sqlite.rst
@@ -0,0 +1,8 @@
+:orphan:
+
+====================
+SQLite Input/Logging
+====================
+
+* :ref:`SQLite Input Reader <input-sqlite-reader>`
+* :ref:`SQLite Log Writer <logging-sqlite-writer>`
diff --git a/doc/frameworks/logging.rst b/doc/frameworks/logging.rst
new file mode 100644
index 0000000000..b764a730cc
--- /dev/null
+++ b/doc/frameworks/logging.rst
@@ -0,0 +1,1087 @@
+
+.. _framework-logging:
+
+=================
+Logging Framework
+=================
+
+Zeek comes with a flexible logging interface that allows fine-grained control of
+what gets logged and how it is logged. This section explains how you can use
+this framework to customize and extended your logs.
+
+Terminology
+===========
+
+Zeek’s logging interface is built around three main abstractions:
+
+  Streams
+    A log stream corresponds to a single log. It defines the set of fields that
+    a log consists of with their names and types. Examples are the conn stream
+    for recording connection summaries, and the http stream for recording HTTP
+    activity.
+
+  Filters
+    Each stream has a set of filters attached to it that determine what
+    information gets written out, and how. By default, each stream has one
+    default filter that just logs everything directly to disk. However,
+    additional filters can be added to record only a subset of the log records,
+    write to different outputs, or set a custom rotation interval. If all
+    filters are removed from a stream, then output is disabled for that stream.
+
+  Writers
+    Each filter has a writer. A writer defines the actual output format for the
+    information being logged. The default writer is the ASCII writer, which
+    produces tab-separated ASCII files. Other writers are available, like for
+    binary output or direct logging into a database.
+
+There are several different ways to customize Zeek’s logging: you can create a
+new log stream, you can extend an existing log with new fields, you can apply
+filters to an existing log stream, or you can customize the output format by
+setting log writer options. All of these approaches are described below.
+
+Streams
+=======
+
+In order to log data to a new log stream, all of the following needs to be done:
+
+* A :zeek:see:`record` type must be defined which consists of all the fields
+  that will be logged (by convention, the name of this record type is usually
+  “Info”).
+* A log stream ID (an :zeek:see:`enum` with type name :zeek:see:`Log::ID`) must
+  be defined that uniquely identifies the new log stream.
+* A log stream must be created using the :zeek:see:`Log::create_stream`
+  function.
+* When the data to be logged becomes available, the :zeek:see:`Log::write`
+  function must be called.
+
+In the following example, we create a new module, ``Foo``, which creates a new
+log stream.
+
+.. code-block:: zeek
+
+  module Foo;
+
+  export {
+      # Create an ID for our new stream. By convention, this is
+      # called "LOG".
+      redef enum Log::ID += { LOG };
+
+      # Define the record type that will contain the data to log.
+      type Info: record {
+          ts: time        &log;
+          id: conn_id     &log;
+          service: string &log &optional;
+          missed_bytes: count &log &default=0;
+      };
+  }
+
+  # Optionally, we can add a new field to the connection record so that
+  # the data we are logging (our "Info" record) will be easily
+  # accessible in a variety of event handlers.
+  redef record connection += {
+      # By convention, the name of this new field is the lowercase name
+      # of the module.
+      foo: Info &optional;
+  };
+
+  # This event is handled at a priority higher than zero so that if
+  # users modify this stream in another script, they can do so at the
+  # default priority of zero.
+  event zeek_init() &priority=5
+      {
+      # Create the stream. This adds a default filter automatically.
+      Log::create_stream(Foo::LOG, [$columns=Info, $path="foo"]);
+      }
+
+In the definition of the ``Info`` record above, notice that each field has the
+:zeek:see:`&log` attribute. Without this attribute, a field will not appear in
+the log output. Also notice one field has the :zeek:see:`&optional` attribute.
+This indicates that the field might not be assigned any value before the log
+record is written.  Finally, a field with the :zeek:see:`&default` attribute
+has a default value assigned to it automatically.
+
+At this point, the only thing missing is a call to the :zeek:see:`Log::write`
+function to send data to the logging framework. The actual event handler where
+this should take place will depend on where your data becomes available. In
+this example, the :zeek:see:`connection_established` event provides our data,
+and we also store a copy of the data being logged into the
+:zeek:see:`connection` record:
+
+.. code-block:: zeek
+
+  event connection_established(c: connection)
+      {
+      local rec: Foo::Info = [$ts=network_time(), $id=c$id];
+
+      # Store a copy of the data in the connection record so other
+      # event handlers can access it.
+      c$foo = rec;
+
+      Log::write(Foo::LOG, rec);
+      }
+
+If you run Zeek with this script, a new log file :file:`foo.log` will be
+created.  Although we only specified four fields in the ``Info`` record above,
+the log output will actually contain seven fields because one of the fields
+(the one named ``id``) is itself a record type. Since a :zeek:see:`conn_id`
+record has four fields, then each of these fields is a separate column in the
+log output. Note that the way that such fields are named in the log output
+differs slightly from the way we would refer to the same field in a Zeek script
+(each dollar sign is replaced with a period). For example, to access the first
+field of a :zeek:see:`conn_id` in a Zeek script we would use the notation
+``id$orig_h``, but that field is named ``id.orig_h`` in the log output.
+
+When you are developing scripts that add data to the :zeek:see:`connection`
+record, care must be given to when and how long data is stored. Normally data
+saved to the connection record will remain there for the duration of the
+connection and from a practical perspective it’s not uncommon to need to delete
+that data before the end of the connection.
+
+Add Fields to a Log
+-------------------
+
+You can add additional fields to a log by extending the record type that
+defines its content, and setting a value for the new fields before each log
+record is written.
+
+Let’s say we want to add a boolean field ``is_private`` to
+:zeek:see:`Conn::Info` that indicates whether the originator IP address is part
+of the :rfc:`1918` space:
+
+.. code-block:: zeek
+
+  # Add a field to the connection log record.
+  redef record Conn::Info += {
+      ## Indicate if the originator of the connection is part of the
+      ## "private" address space defined in RFC1918.
+      is_private: bool &default=F &log;
+  };
+
+As this example shows, when extending a log stream’s ``Info`` record, each new
+field must always be declared either with a &default value or as
+:zeek:see:`&optional`.  Furthermore, you need to add the :zeek:see:`&log`
+attribute or otherwise the field won’t appear in the log file.
+
+Now we need to set the field. Although the details vary depending on which log
+is being extended, in general it is important to choose a suitable event in
+which to set the additional fields because we need to make sure that the fields
+are set before the log record is written. Sometimes the right choice is the
+same event which writes the log record, but at a higher priority (in order to
+ensure that the event handler that sets the additional fields is executed
+before the event handler that writes the log record).
+
+In this example, since a connection’s summary is generated at the time its
+state is removed from memory, we can add another handler at that time that sets
+our field correctly:
+
+.. code-block:: zeek
+
+  event connection_state_remove(c: connection)
+      {
+      if ( c$id$orig_h in Site::private_address_space )
+          c$conn$is_private = T;
+      }
+
+Now :file:`conn.log` will show a new field ``is_private`` of type
+:zeek:see:`bool`. If you look at the Zeek script which defines the connection
+log stream :doc:`/scripts/base/protocols/conn/main.zeek`, you will see that
+:zeek:see:`Log::write` gets called in an event handler for the same event as
+used in this example to set the additional fields, but at a lower priority than
+the one used in this example (i.e., the log record gets written after we assign
+the ``is_private`` field).
+
+For extending logs this way, one needs a bit of knowledge about how the script
+that creates the log stream is organizing its state keeping. Most of the
+standard Zeek scripts attach their log state to the :zeek:see:`connection`
+record where it can then be accessed, just like ``c$conn`` above. For example,
+the HTTP analysis adds a field http of type :zeek:see:`HTTP::Info` to the
+:zeek:see:`connection` record.
+
+Define a Logging Event
+----------------------
+
+Sometimes it is helpful to do additional analysis of the information being
+logged. For these cases, a stream can specify an event that will be generated
+every time a log record is written to it. To do this, we need to modify the
+example module shown above to look something like this:
+
+.. code-block:: zeek
+
+  module Foo;
+
+  export {
+      redef enum Log::ID += { LOG };
+
+      type Info: record {
+          ts: time     &log;
+          id: conn_id  &log;
+          service: string &log &optional;
+          missed_bytes: count &log &default=0;
+      };
+
+      # Define a logging event. By convention, this is called
+      # "log_<stream>".
+      global log_foo: event(rec: Info);
+  }
+
+  event zeek_init() &priority=5
+      {
+      # Specify the "log_foo" event here in order for Zeek to raise it.
+      Log::create_stream(Foo::LOG, [$columns=Info, $ev=log_foo,
+                         $path="foo"]);
+      }
+
+All of Zeek’s default log streams define such an event. For example, the
+connection log stream raises the event :zeek:see:`Conn::log_conn`. You could
+use that for example for flagging when a connection to a specific destination
+exceeds a certain duration:
+
+.. code-block:: zeek
+
+  redef enum Notice::Type += {
+      ## Indicates that a connection remained established longer
+      ## than 5 minutes.
+      Long_Conn_Found
+  };
+
+  event Conn::log_conn(rec: Conn::Info)
+      {
+      if ( rec?$duration && rec$duration > 5mins )
+          NOTICE([$note=Long_Conn_Found,
+                  $msg=fmt("unusually long conn to %s", rec$id$resp_h),
+                  $id=rec$id]);
+      }
+
+Often, these events can be an alternative to post-processing Zeek logs
+externally with Perl scripts. Much of what such an external script would do
+later offline, one may instead do directly inside of Zeek in real-time.
+
+Disable a Stream
+----------------
+
+One way to “turn off” a log is to completely disable the stream. For example,
+the following example will prevent the :file:`conn.log` from being written:
+
+.. code-block:: zeek
+
+  event zeek_init()
+      {
+      Log::disable_stream(Conn::LOG);
+      }
+
+Note that this must run after the stream is created, so the priority of this
+event handler must be lower than the priority of the event handler where the
+stream was created.
+
+
+Delaying Log Writes
+-------------------
+
+.. versionadded:: 6.2
+
+The logging framework allows delaying log writes using the
+:zeek:see:`Log::delay` function.
+
+This functionality enables querying or waiting for additional data to attach to
+an in-flight log record for which a :zeek:see:`Log::write` has happened.
+Common examples are the execution of DNS reverse lookups for the addresses
+of a connection, or - more generally - asynchronous queries to external systems.
+Similarly, waiting a small duration for more data from an external process
+pertaining to specific connections or events is another. For example, endpoint
+agents may provide detailed process information for specific connections
+logged by Zeek.
+
+Conceptually, the delay of a log record is placed after the execution of the
+global :zeek:see:`Log::log_stream_policy` hook and before the execution of
+:ref:`policy hooks attached to filters <logging-filtering-log-records>`.
+At this point, calling :zeek:see:`Log::delay` is only valid for the currently
+*active write* during the execution of the global :zeek:see:`Log::log_stream_policy`
+hook. Calling :zeek:see:`Log::delay` in any other context or with the wrong
+arguments results in runtime errors.
+
+.. note::
+
+   While this may appear very restrictive, it does make it explicit that it is
+   the action of a :zeek:see:`Log::write` for a given stream and log record
+   that is being delayed as well as providing a defined point where a delay starts.
+
+   Prior ideas entertained the idea of an implicit and very lax interface, but
+   in the end was deemed too loose and provided too much flexibility that would
+   be hard to later restrict again or keep stable. The current interface might
+   be made more lax in the future if it turns out to be too rigid.
+
+
+By default, log records are not delayed. That is, during the execution of
+the :zeek:see:`Log::write` function, a serialized version of the given log
+record is handed off to a remote logger or a local logging thread.
+Modifications of the same log record after :zeek:see:`Log::write` has returned
+have no effect.
+
+In contrast, when a log write is delayed using the :zeek:see:`Log::delay`
+function, the record is enqueued into a per-stream record queue and the
+:zeek:see:`Log::write` returns. Processing of the delayed write resumes once
+it is released by using the :zeek:see:`Log::delay_finish` function or until
+a maximum, per-stream configurable, delay duration expires.
+
+When processing of a log write is resumed, first, all post delay callbacks
+given to :zeek:see:`Log::delay` are executed. Thereafter, as for non-delayed
+writes, filter policy hooks are executed and the log record is serialized.
+
+Policy hooks attached to filters and the serialization step observe any
+mutations done during the delay. Filter policy hooks may even use these
+modifications for deciding on the verdict of the given log record.
+
+.. note::
+
+   Policy hooks attached to filters are often used to skip logging of
+   uninteresting log records. When combined with log write delaying, users
+   should consider lifting such filter logic up into the
+   :zeek:see:`Log::log_stream_policy` hook to avoid unnecessarily delaying
+   records when it is known that these will be discarded later on.
+
+
+The :zeek:see:`Log::delay` and :zeek:see:`Log::delay_finish` functions increment
+and decrement an internal reference count for a given write. To continue a
+delayed write, :zeek:see:`Log::delay_finish` must be called as often as
+:zeek:see:`Log::delay`.
+
+
+Zeek delays a log record by a configurable interval defined for each log stream.
+It defaults to the global :zeek:see:`Log::default_max_delay_interval`, and can be
+adapted by calling :zeek:see:`Log::set_max_delay_interval` on the stream.
+It is possible to explicitly extend the delay duration by providing a post
+delay callback to :zeek:see:`Log::delay`. Calling :zeek:see:`Log::delay` from
+within such a post delay callback re-delays the record, essentially putting
+it at the end of the per-stream queue again.
+
+.. note::
+
+   While this puts additional burden on the script writer to realize per-record
+   specific longer delay intervals, it allows for a simpler internal implementation.
+   Additionally, the explicit re-delaying is also meant to make users aware of the
+   consequences when using such long delays either on purpose or by accident.
+
+   For multiple second or even longer delays, it is suggested to consider resumable,
+   robust and non-ephemeral external post processing steps based on Zeek logs instead.
+   In the face of worker crashes or uncontrolled restarts of a Zeek cluster, all
+   delayed log records are inevitably lost.
+
+
+The following example shows how to use the :ref:`when <when-statement>` to asynchronously
+lookup the DNS names of the originator and responder addresses to enrich an
+in-flight :zeek:see:`Conn::Info` record. By default, a stream's maximum delay
+interval is 200 milliseconds - the ``timeout 150msec`` part ensures a delayed
+write resumes after 150 milliseconds already by explicitly calling
+:zeek:see:`Log::delay_finish`.
+
+
+.. literalinclude:: logging/delay1.zeek
+   :caption: Enriching conn.log with originator and responder names.
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+
+Filters
+=======
+
+A stream has one or more filters attached to it. A stream without any filters
+will not produce any log output. Filters govern two aspects of log production:
+they control which of the stream’s log entries get written out, and they define
+how to actually implement the log writes. They do the latter by specifying a
+log writer that implements the write operation, such as the ASCII writer (see
+below) for text file output. When a stream is created, it automatically gets a
+default filter attached to it. This default filter can be removed or replaced,
+or other filters can be added to the stream. This is accomplished by using
+either the :zeek:see:`Log::add_filter` or :zeek:see:`Log::remove_filter`
+function. This section shows how to use filters to do such tasks as rename a
+log file, split the output into multiple files, control which records are
+written, and set a custom rotation interval.
+
+Each filter has a unique name, scoped to the stream it belongs to. That is, all
+filters attached to a given stream have different names. Calling
+:zeek:see:`Log::add_filter` to add a filter with a name that already exists for
+the stream replaces the existing filter.
+
+Rename a Log File
+-----------------
+
+Normally, the log filename for a given log stream is determined when the stream
+is created, unless you explicitly specify a different one by adding a filter.
+
+The easiest way to change a log filename is to simply replace the default log
+filter with a new filter that specifies a value for the ``path`` field. In this
+example, :file:`conn.log` will be changed to :file:`myconn.log`:
+
+.. code-block:: zeek
+
+  event zeek_init()
+      {
+      # Replace default filter for the Conn::LOG stream in order to
+      # change the log filename.
+
+      local f = Log::get_filter(Conn::LOG, "default");
+      f$path = "myconn";
+      Log::add_filter(Conn::LOG, f);
+      }
+
+Keep in mind that the ``path`` field of a log filter never contains the
+filename extension. The extension will be determined later by the log writer.
+
+Change the Logging Directory
+----------------------------
+
+By default, Zeek log files are created in the current working directory.
+To write logs into a different directory, set :zeek:see:`Log::default_logdir`:
+
+.. code-block:: zeek
+
+  redef Log::default_logdir = /path/to/output_log_directory
+
+The :zeek:see:`Log::default_logdir` option is honored by all file based
+writes included with Zeek (ASCII and SQLite).
+
+Add an Additional Output File
+-----------------------------
+
+Normally, a log stream writes to only one log file. However, you can add
+filters so that the stream writes to multiple files. This is useful if you want
+to restrict the set of fields being logged to the new file.
+
+In this example, a new filter is added to the :zeek:see:`Conn::LOG` stream that
+writes two fields to a new log file:
+
+.. code-block:: zeek
+
+  event zeek_init()
+      {
+      # Add a new filter to the Conn::LOG stream that logs only
+      # timestamp and originator address.
+
+      local filter: Log::Filter = [$name="orig-only", $path="origs",
+                                   $include=set("ts", "id.orig_h")];
+      Log::add_filter(Conn::LOG, filter);
+      }
+
+.. note::
+
+  When multiple filters added to a stream use the same path value, Zeek will
+  disambiguate the output file names by adding numeric suffixes to the name. If
+  we say ``$path="conn"`` in the above example, Zeek warns us about the fact that
+  it’ll write this filter’s log entries to a different file::
+
+    1071580905.346457 warning: Write using filter 'orig-only' on path 'conn' changed to use new path 'conn-2' to avoid conflict with filter 'default'
+
+  The same also happens when omitting a path value, in which case the filter
+  inherits the value of the stream’s path member.
+
+Notice how the ``include`` filter attribute specifies a set that limits the
+fields to the ones given. The names correspond to those in the
+:zeek:see:`Conn::Info` record (however, because the ``id`` field is itself a
+record, we can specify an individual field of ``id`` by the dot notation shown
+in the example).
+
+Using the code above, in addition to the regular :file:`conn.log`, you will now
+also get a new log file :file:`origs.log` that looks like the regular
+:file:`conn.log`, but will have only the fields specified in the ``include``
+filter attribute.
+
+If you want to skip only some fields but keep the rest, there is a
+corresponding exclude filter attribute that you can use instead of include to
+list only the ones you are not interested in.
+
+If you want to make this the only log file for the stream, you can remove the
+default filter:
+
+.. code-block:: zeek
+
+  event zeek_init()
+      {
+      # Remove the filter called "default".
+      Log::remove_filter(Conn::LOG, "default");
+      }
+
+Determine Log Path Dynamically
+------------------------------
+
+Instead of using the ``path`` filter attribute, a filter can determine output
+paths *dynamically* based on the record being logged. That allows, e.g., to
+record local and remote connections into separate files. To do this, you define
+a function that returns the desired path, and use the ``path_func`` filter
+attribute:
+
+.. code-block:: zeek
+
+  function myfunc(id: Log::ID, path: string, rec: Conn::Info) : string
+      {
+      # Return "conn-local" if originator is a local IP, otherwise
+      # return "conn-remote".
+      local r = Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
+      return fmt("%s-%s", path, r);
+      }
+
+  event zeek_init()
+      {
+      local filter: Log::Filter = [$name="conn-split",
+               $path_func=myfunc, $include=set("ts", "id.orig_h")];
+      Log::add_filter(Conn::LOG, filter);
+      }
+
+Running this will now produce two new files, :file:`conn-local.log` and
+:file:`conn-remote.log`, with the corresponding entries. For this example
+to work, :zeek:see:`Site::local_nets` must specify your local network.
+It defaults to IANA's standard private address space. One
+could extend this further for example to log information by subnets or even by
+IP address. Be careful, however, as it is easy to create many files very
+quickly.
+
+The ``myfunc`` function has one drawback: it can be used only with the :zeek:see:`Conn::LOG`
+stream as the record type is hardcoded into its argument list. However, Zeek
+allows to do a more generic variant:
+
+.. code-block:: zeek
+
+  function myfunc(id: Log::ID, path: string,
+                  rec: record { id: conn_id; } ) : string
+      {
+      local r = Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
+      return fmt("%s-%s", path, r);
+      }
+
+This function can be used with all log streams that have records containing an
+``id: conn_id`` field.
+
+.. _logging-filtering-log-records:
+
+Filtering Log Records
+---------------------
+
+We just saw ways how to customize the logged columns. The logging framework also
+lets you control which records Zeek writes out. It relies on Zeek’s :zeek:see:`hook`
+mechanism to do this, as follows. The framework provides two levels of "policy"
+hooks, a global one and a set of filter-level ones. The hook handlers can
+implement additional processing of a log record, including vetoing the writing
+of the record.  Any handler that uses a :zeek:see:`break` statement to leave the
+hook declares that a record shall not be written out. Anyone can attach handlers
+to these hooks, which look as follows:
+
+.. code-block:: zeek
+
+  type Log::StreamPolicyHook: hook(rec: any, id: ID);
+  type Log::PolicyHook: hook(rec: any, id: ID, filter: Filter);
+
+For both hook types, the ``rec`` argument contains the entry to be logged and is
+an instance of the record type associated with the stream’s columns, and ``id``
+identifies the log stream.
+
+The logging framework defines one global hook policy hook: :zeek:see:`Log::log_stream_policy`.
+For every log write, this hook gets invoked first. Any of its handlers may
+decide to veto the log entry. The framework then iterates over the log stream's
+filters. Each filter has a ``filter$policy`` hook of type :zeek:see:`Log::PolicyHook`.
+Its handlers receive the log record, the ID of the log stream, and the filter
+record itself. Each handler can veto the write. After the filter's hook has run,
+any veto (by :zeek:see:`Log::log_stream_policy` or the filter's hook) aborts the
+write via that filter. If no veto has occurred, the filter now steers the log
+record to its output.
+
+You can pass arbitrary state through these hook handlers. For example, you can
+extending streams or filters via a :zeek:see:`redef`, or pass key-value pairs
+via the ``filter$config`` table..
+
+Since you'll often want to use uniform handling for all writes on a given
+stream, log streams offer a default hook, provided when constructing the stream,
+that the stream's filters will use if they don't provide their own. To support
+hooks on your log streams, you should always define a default hook when creating
+new streams, as follows:
+
+.. code-block:: zeek
+
+  module Foo;
+
+  export {
+      ## The logging stream identifier.
+      redef enum Log::ID += { LOG };
+
+      ## A default logging policy hook for the stream.
+      global log_policy: Log::PolicyHook;
+
+      # Define the record type that will contain the data to log.
+      type Info: record {
+          ts: time        &log;
+          id: conn_id     &log;
+          service: string &log &optional;
+          missed_bytes: count &log &default=0;
+      };
+  }
+
+  event zeek_init() &priority=5
+      {
+      # Create the stream, adding the default policy hook:
+      Log::create_stream(Foo::LOG, [$columns=Info, $path="foo", $policy=log_policy]);
+      }
+
+With this hook in place, it’s now easy to add a filtering predicate for the ``Foo``
+log from anywhere:
+
+.. code-block:: zeek
+
+  hook Foo::log_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
+      {
+      # Let's only log complete information:
+      if ( rec$missed_bytes > 0 )
+          break;
+      }
+
+The Zeek distribution features default hooks for all of its streams. Here’s a
+more realistic example, using HTTP:
+
+.. code-block:: zeek
+
+  hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
+      {
+      # Record only connections with successfully analyzed HTTP traffic
+      if ( ! rec?$service || rec$service != "http" )
+          break;
+      }
+
+To override a hook selectively in a new filter, set the hook when adding the
+filter to a stream:
+
+.. code-block:: zeek
+
+  hook my_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
+      {
+      # Let's only log incomplete flows:
+      if ( rec$missed_bytes == 0 )
+          break;
+      }
+
+  event zeek_init()
+      {
+      local filter: Log::Filter = [$name="incomplete-only",
+                                   $path="foo-incomplete",
+                                   $policy=my_policy];
+      Log::add_filter(Foo::LOG, filter);
+      }
+
+Note that this approach has subtle implications: the new filter does not use the
+``Foo::log_policy`` hook, and that hook does not get invoked for writes to this
+filter. Any vetoes or additional processing implemented in ``Foo::log_policy``
+handlers no longer happens for the new filter. Such hook replacement should
+rarely be necessary; you may find it preferable to narrow the stream's default
+handler to the filter in question:
+
+.. code-block:: zeek
+
+  hook Foo::log_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
+      {
+      if ( filter$name != "incomplete-only" )
+          return;
+
+      # Let's only log incomplete flows:
+      if ( rec$missed_bytes == 0 )
+          break;
+      }
+
+For tasks that need to run once per-write, not once per-write-and-filter,
+use the :zeek:see:`Log::log_stream_policy` instead:
+
+.. code-block:: zeek
+
+  hook Log::log_stream_policy(rec: Foo::Info, id: Log::ID)
+      {
+      # Called once per write
+      }
+
+  hook Foo::log_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
+      {
+      # Called once for each of Foo's filters.
+      }
+
+To change an existing filter first retrieve it, then update it, and
+re-establish it:
+
+.. code-block:: zeek
+
+  hook my_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
+      {
+      # Let's only log incomplete flows:
+      if ( rec$missed_bytes == 0 )
+          break;
+      }
+
+  event zeek_init()
+      {
+      local f = Log::get_filter(Foo::LOG, "default");
+      f$policy = my_policy;
+      Log::add_filter(Foo::LOG, f);
+      }
+
+.. note::
+
+    Policy hooks can also modify the log records, but with subtle implications.
+    The logging framework applies all of a stream’s log filters sequentially to
+    the same log record, so modifications made in a hook handler will persist
+    not only into subsequent handlers in the same hook, but also into any in
+    filters processed subsequently. In contrast to hook priorities, filters
+    provide no control over their processing order.
+
+Log Rotation and Post-Processing
+--------------------------------
+
+The logging framework provides fine-grained control over when and how to rotate
+log files. Log rotation means that Zeek periodically renames an active log
+file, such as :file:`conn.log`, in a manner configurable by the user (e.g.,
+renaming to :file:`conn_21-01-03_14-05-00.log` to timestamp it), and starts
+over on a fresh :file:`conn.log` file. Post-processing means that Zeek can also
+apply optional additional processing to the rotated file, such as compression
+or file transfers. These mechanisms apply naturally to file-based log writers,
+but are available to other writers as well for more generalized forms of
+periodic additional processing of their outputs.
+
+Rotation Timing
+~~~~~~~~~~~~~~~
+
+The log rotation interval is globally controllable for all filters by
+redefining the :zeek:see:`Log::default_rotation_interval` constant, or
+specifically for certain :zeek:see:`Log::Filter` instances by setting their
+``interv`` field. The default value, ``0secs``, disables rotation.
+
+.. note::
+
+  When using ZeekControl, this option is set automatically via the ZeekControl
+  configuration.
+
+Here’s an example of changing just the :zeek:see:`Conn::LOG` stream’s default
+filter rotation:
+
+.. code-block:: zeek
+
+  event zeek_init()
+      {
+      local f = Log::get_filter(Conn::LOG, "default");
+      f$interv = 1 min;
+      Log::add_filter(Conn::LOG, f);
+      }
+
+Controlling File Naming
+~~~~~~~~~~~~~~~~~~~~~~~
+
+The redef’able :zeek:see:`Log::rotation_format_func` determines the naming of
+the rotated-to file. The logging framework invokes the function with sufficient
+context (a :zeek:see:`Log::RotationFmtInfo` record), from which it determines
+the output name in two parts: the output directory, and the output file’s base
+name, meaning its name without a suffix. It returns these two components via a
+:zeek:see:`Log::RotationPath` record. The output directory defaults to
+:zeek:see:`Log::default_rotation_dir` (a config option) and incorporates a
+timestamp in the base name, as specified by
+:zeek:see:`Log::default_rotation_date_format`.
+
+When :zeek:see:`Log::default_logdir` is in use and :zeek:see:`Log::rotation_format_func`
+does not set an output directory (e.g. when :zeek:see:`Log::default_rotation_dir` is not set),
+:zeek:see:`Log::default_logdir` is used as the default output directory.
+
+For examples of customized log rotation, take a look at the
+`relevant <https://github.com/zeek/zeek/blob/master/testing/btest/scripts/base/frameworks/logging/rotate-custom-fmt-func.zeek>`_
+`test <https://github.com/zeek/zeek/blob/master/testing/btest/scripts/base/frameworks/logging/rotate-custom.zeek>`_
+`cases <https://github.com/zeek/zeek/blob/master/testing/btest/scripts/base/frameworks/logging/rotate.zeek>`_.
+
+Post-Processing of Rotated Logs
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Post-processing can proceed via defaults configured across all log filters, or
+with per-filter customizations. Zeek provides helpful default infrastructure to
+simplify running shell commands on rotated logs, but you’re free to define your
+own post-processing infrastructure from scratch.
+
+By default, the :zeek:see:`Log::default_rotation_postprocessor_cmd`, if
+defined, runs on every rotated log. The wrapper function making the actual
+command invocation is :zeek:see:`Log::run_rotation_postprocessor_cmd`. It
+passes six additional arguments to the configured shell command:
+
+* The rotated-to file name (e.g. ``conn_21-01-03_14-05-00.log``)
+* The original base name (e.g. ``conn``)
+* The timestamp at which the original log file got created (e.g. ``21-01-03_14.04.00``)
+* The timestamp at which the original log file got rotated (e.g. ``21-01-03_15.05.00``)
+* ``1`` if Zeek is terminating, ``0`` otherwise
+* The name of the writer (e.g. ``ascii`` for the ASCII writer)
+
+.. warning::
+
+   Zeek ignores failures (non-zero exit codes) of this shell command: the
+   default rotation postprocessor command returns ``T`` regardless. Be careful
+   if you implement your own postprocessor function: returning ``F`` from it
+   will cause the corresponding log writer instance to shut down, therefore do
+   so only when the writer really won’t be able to continue.
+
+Zeek ships with ready-to-use postprocessors for file transfer via :doc:`SCP
+</scripts/base/frameworks/logging/postprocessors/scp.zeek>` and
+:doc:`SFTP </scripts/base/frameworks/logging/postprocessors/sftp.zeek>`.  The
+Zeek project also provides an external tool, `zeek-archiver
+<https://github.com/zeek/zeek-archiver>`_, that performs log compression
+outside of the Zeek process for robustness.
+
+Other Features
+--------------
+
+Log Extension Fields
+~~~~~~~~~~~~~~~~~~~~
+
+The logging framework provides rudimentary support for adding additional
+columns to an already defined log format, globally for all logs or for
+individual log filters only. Records returned by the
+:zeek:see:`Log::default_ext_func` function get added to every log, and the
+``ext_func`` member of :zeek:see:`Log::Filter` in filter records allows local
+overrides.
+
+You can configure a prefix string separately for either of these options — this
+string ensures that the resulting fields don’t collide with already existing
+log fields. The prefix defaults to an underscore, via
+:zeek:see:`Log::default_ext_prefix`.  The ``ext_prefix`` field in filter
+records overrides as needed.
+
+The following example, taken straight from a Zeek testcase, adds three extra
+columns to all logs:
+
+.. code-block:: zeek
+
+  type Extension: record {
+      write_ts: time &log;
+      stream: string &log;
+      system_name: string &log;
+  };
+
+  function add_extension(path: string): Extension
+    {
+    return Extension($write_ts    = network_time(),
+                     $stream      = path,
+                     $system_name = peer_description);
+    }
+
+  redef Log::default_ext_func = add_extension;
+
+A resulting :file:`conn.log`::
+
+  #fields  _write_ts  _stream  _system_name  ts  uid …
+  #types  time  string  string  time  string  …
+  1071580905.346457  conn  zeek  1071580904.891921  Cod6Wj3YeJFHgkaO8j …
+
+.. note::
+
+   Extension fields remain separate from the original log record. They remain
+   invisible to filters, policy hooks, and log events. *After* filter processing
+   determines that an entry is to be logged, the framework simply tucks the
+   extension's members onto the list of fields to write out.
+
+Field Name Mapping
+~~~~~~~~~~~~~~~~~~
+
+On occasion it can be handy to rewrite column names as they appear in a Zeek
+log. A typical use case for this would be to ensure that column naming complies
+with the requirements of your log ingestion system. To achieve this, you can
+provide name translation maps, and here too you can do this either globally or
+per-filter. The maps are simple string tables with the keys being Zeek’s field
+names and the values being the ones to actually write out. Field names not
+present in the maps remain unchanged. The global variant is the (normally
+empty) :zeek:see:`Log::default_field_name_map`, and the corresponding
+filter-local equivalent is the filter’s ``field_name_map`` member.
+
+For example, the following name map gets rid of the dots in the usual naming of
+connection IDs:
+
+.. code-block:: zeek
+
+  redef Log::default_field_name_map = {
+       ["id.orig_h"] = "id_orig_h",
+       ["id.orig_p"] = "id_orig_p",
+       ["id.resp_h"] = "id_resp_h",
+       ["id.resp_p"] = "id_resp_p"
+  };
+
+With it, all logs rendering a connection identifier tuple now use ...
+
+::
+
+  #fields  ts  uid  id_orig_h  id_orig_p  id_resp_h  id_resp_p ...
+
+… instead of the default names:
+
+::
+
+  #fields  ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p ...
+
+If you’d prefer this change only for a given log filter, make the change to the
+filter record directly. The following changes the naming only for
+:file:`conn.log`:
+
+.. code-block:: zeek
+
+  event zeek_init()
+     {
+     local f = Log::get_filter(Conn::LOG, "default");
+     f$field_name_map = table(
+         ["id.orig_h"] = "id_orig_h",
+         ["id.orig_p"] = "id_orig_p",
+         ["id.resp_h"] = "id_resp_h",
+         ["id.resp_p"] = "id_resp_p");
+     Log::add_filter(Conn::LOG, f);
+     }
+
+Printing to Log Messages
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Zeek’s :zeek:see:`print` statement normally writes to ``stdout`` or a specific
+output file. By adjusting the :zeek:see:`Log::print_to_log` enum value you can
+redirect such statements to instead go directly into a Zeek log. Possible
+values include:
+
+* :zeek:see:`Log::REDIRECT_NONE`: the default, which doesn’t involve Zeek logs
+* :zeek:see:`Log::REDIRECT_STDOUT`: prints that would normally go to stdout go
+  to a log
+* :zeek:see:`Log::REDIRECT_ALL`: any prints end up in a log instead of stdout
+  or other files
+
+The :zeek:see:`Log::print_log_path` defines the name of the log file,
+:zeek:see:`Log::PrintLogInfo` its columns, and :zeek:see:`Log::log_print`
+events allow you to process logged messages via event handlers.
+
+Local vs Remote Logging
+~~~~~~~~~~~~~~~~~~~~~~~
+
+In its log processing, Zeek considers whether log writes should happen locally
+to a Zeek node or remotely on another node, after forwarding log entries to it.
+Single-node Zeek setups default to local logging, whereas cluster setups enable
+local logging only on logger nodes, and log remotely on all but the logger
+nodes. You normally don’t need to go near these settings, but you can do so by
+``redef``’ing the :zeek:see:`Log::enable_local_logging` and
+:zeek:see:`Log::enable_remote_logging` booleans, respectively.
+
+Writers
+=======
+
+Each filter has a writer. If you do not specify a writer when adding a filter
+to a stream, then the ASCII writer is the default.
+
+There are two ways to specify a non-default writer. To change the default
+writer for all log filters, just redefine the :zeek:see:`Log::default_writer`
+option.  Alternatively, you can specify the writer to use on a per-filter basis
+by setting a value for the filter’s ``writer`` field. Consult the documentation
+of the writer to use to see if there are other options that are needed.
+
+ASCII Writer
+------------
+
+By default, the ASCII writer outputs log files that begin with several lines of
+metadata, followed by the actual log output. The metadata describes the format
+of the log file, the ``path`` of the log (i.e., the log filename without file
+extension), and also specifies the time that the log was created and the time
+when Zeek finished writing to it. The ASCII writer has a number of options for
+customizing the format of its output, see
+:doc:`/scripts/base/frameworks/logging/writers/ascii.zeek`. If you change the
+output format options, then be careful to check whether your post-processing
+scripts can still recognize your log files.
+
+Some writer options are global (i.e., they affect all log filters using that
+log writer). For example, to change the output format of all ASCII logs to JSON
+format:
+
+.. code-block:: zeek
+
+  redef LogAscii::use_json = T;
+
+
+Some writer options are filter-specific (i.e., they affect only the filters
+that explicitly specify the option). For example, to change the output format
+of the :file:`conn.log` only:
+
+.. code-block:: zeek
+
+  event zeek_init()
+      {
+      local f = Log::get_filter(Conn::LOG, "default");
+      # Use tab-separated-value mode
+      f$config = table(["tsv"] = "T");
+      Log::add_filter(Conn::LOG, f);
+      }
+
+.. _logging-sqlite-writer:
+
+SQLite Writer
+-------------
+
+SQLite is a simple, file-based, widely used SQL database system. Using SQLite
+allows Zeek to write and access data in a format that is easy to use in
+interchange with other applications. Due to the transactional nature of SQLite,
+databases can be used by several applications simultaneously. Zeek’s input
+framework supports a :ref:`SQLite reader <input-sqlite-reader>`.
+
+Logging support for SQLite is available in all Zeek installations. There is no
+need to load any additional scripts or for any compile-time configurations.
+Sending data from existing logging streams to SQLite is rather straightforward.
+Most likely you’ll want SQLite output only for select log filters, so you have
+to configure one to use the SQLite writer. The following example code adds
+SQLite as a filter for the connection log:
+
+.. code-block:: zeek
+
+  event zeek_init()
+      {
+      local filter: Log::Filter =
+          [
+          $name="sqlite",
+          $path="/var/db/conn",
+          $config=table(["tablename"] = "conn"),
+          $writer=Log::WRITER_SQLITE
+          ];
+
+       Log::add_filter(Conn::LOG, filter);
+      }
+
+Zeek will create the database file :file:`/var/db/conn.sqlite` if it does not
+already exist. It will also create a table with the name ``conn`` (if it does
+not exist) and start appending connection information to the table.
+
+Zeek does not currently support rotating SQLite databases as it does for ASCII
+logs. You have to take care to create them in adequate locations.
+
+If you examine the resulting SQLite database, the schema will contain the same
+fields that are present in the ASCII log files:
+
+.. code-block:: console
+
+  sqlite3 /var/db/conn.sqlite
+
+::
+
+  SQLite version 3.8.0.2 2013-09-03 17:11:13
+  Enter ".help" for instructions
+  Enter SQL statements terminated with a ";"
+  sqlite> .schema
+  CREATE TABLE conn (
+  'ts' double precision,
+  'uid' text,
+  'id.orig_h' text,
+  'id.orig_p' integer,
+  ...
+
+Note that with the above code the ASCII :file:`conn.log` will still be created,
+because it adds an additional log filter alongside the default, ASCII-logging
+one. To prevent this you can remove the default filter:
+
+.. code-block:: zeek
+
+  Log::remove_filter(Conn::LOG, "default");
+
+To create a custom SQLite log file, you have to create a new log stream that
+contains just the information you want to commit to the database. See the above
+documentation on how to create custom log streams.
+
+None Writer
+-----------
+
+The ``None`` writer, selected via :zeek:see:`Log::WRITER_NONE`, is largely a
+troubleshooting and development aide. It discards all log entries it receives,
+but behaves like a proper writer to the rest of the logging framework,
+including, for example, pretended log rotation. If you enable its debugging
+mode by setting :zeek:see:`LogNone::debug` to ``T``, Zeek reports operational
+details about the writer’s activity to ``stdout``.
diff --git a/doc/frameworks/logging/delay1.zeek b/doc/frameworks/logging/delay1.zeek
new file mode 100644
index 0000000000..ae75bd76ca
--- /dev/null
+++ b/doc/frameworks/logging/delay1.zeek
@@ -0,0 +1,37 @@
+@load base/protocols/conn
+
+redef record Conn::Info += {
+	orig_name: string &log &optional;
+	resp_name: string &log &optional;
+};
+
+hook Log::log_stream_policy(rec: Conn::Info, id: Log::ID)
+	{
+	if ( id != Conn::LOG )
+		return;
+
+	local token1 = Log::delay(id, rec);
+	local token2 = Log::delay(id, rec);
+
+	when [id, rec, token1] ( local orig_name = lookup_addr(rec$id$orig_h) )
+		{
+		rec$orig_name = orig_name;
+		Log::delay_finish(id, rec, token1);
+		}
+	timeout 150msec
+		{
+		Reporter::warning(fmt("lookup_addr timeout for %s", rec$id$orig_h));
+		Log::delay_finish(id, rec, token1);
+		}
+
+	when [id, rec, token2] ( local resp_name = lookup_addr(rec$id$resp_h) )
+		{
+		rec$resp_name = resp_name;
+		Log::delay_finish(id, rec, token2);
+		}
+	timeout 150msec
+		{
+		Reporter::warning(fmt("lookup_addr timeout for %s", rec$id$resp_h));
+		Log::delay_finish(id, rec, token2);
+		}
+	}
diff --git a/doc/frameworks/management.rst b/doc/frameworks/management.rst
new file mode 100644
index 0000000000..f8d7499339
--- /dev/null
+++ b/doc/frameworks/management.rst
@@ -0,0 +1,867 @@
+.. _framework-management:
+
+====================
+Management Framework
+====================
+
+.. rst-class:: opening
+
+   The management framework provides a Zeek-based, service-oriented architecture
+   and event-driven APIs to manage a Zeek cluster that monitors live traffic. It
+   provides a central, stateful *controller* that relays and orchestrates
+   cluster management tasks across connected *agents*. Each agent manages Zeek
+   processes in its local *instance*, the Zeek process tree controlled by the
+   local Zeek :ref:`Supervisor <framework-supervisor>`. A management *client*
+   lets the user interact with the controller to initiate cluster management
+   tasks, such as deployment of cluster configurations, monitoring of
+   operational aspects, or to restart cluster nodes. The default client is
+   ``zeek-client``, included in the Zeek distribution.
+
+.. _framework-management-quickstart:
+
+Quickstart
+==========
+
+Run the following (as root) to launch an all-in-one management instance on your
+system:
+
+.. code-block:: console
+
+   # zeek -C -j policy/frameworks/management/controller policy/frameworks/management/agent
+
+The above will stay in the foreground. In a new shell, save the following
+content to a file ``cluster.cfg`` and adapt the workers' sniffing interfaces to
+your system:
+
+.. literalinclude:: management/mini-config.ini
+   :language: ini
+
+Run the following command (as any user) to deploy the configuration:
+
+.. literalinclude:: management/mini-deployment.console
+   :language: console
+
+You are now running a Zeek cluster on your system. Try ``zeek-client get-nodes``
+to see more details about the cluster's current status. (In the above, "testbox"
+is the system's hostname.)
+
+Architecture and Terminology
+============================
+
+Controller
+----------
+
+The controller forms the central hub of cluster management. It exists once in
+every installation and runs as a Zeek process solely dedicated to management
+tasks. It awaits instructions from a management client and communicates with one
+or more agents to manage their cluster nodes.
+
+All controller communication happens via :ref:`Broker <broker-framework>`-based
+Zeek event exchange, usually in the form of request-response event pairs tagged
+with a request ID to provide context. The controller is stateful and persists
+cluster configurations to disk. In a multi-system setup, the controller runs
+inside a separate, dedicated Zeek instance. In a single-system setup, the
+controller can run as an additional process in the local instance.
+
+The controller's API resides in the :zeek:see:`Management::Controller::API` module.
+Additional code documentation is :doc:`here </scripts/policy/frameworks/management/controller/index>`.
+
+Instance
+--------
+
+A Zeek instance comprises the set of processes managed by a Zeek
+:ref:`Supervisor <framework-supervisor>`. The management framework builds
+heavily on the Supervisor framework and cannot run without it. Typically, a
+single instance includes all Zeek processes on the local system (a physical
+machine, a container, etc), but running multiple instances on a system is
+possible.
+
+Agent
+-----
+
+Management agents implement instance-level cluster management tasks. Every
+instance participating in cluster management runs an agent. Agents peer with the
+controller to receive instructions (a node restart, say), carry them out, and
+respond with the outcome. The direction of connection establishment for the
+peering depends on configuration and can go either way (more on this below); by
+default, agents connect to the controller.
+
+The agent's API resides in the :zeek:see:`Management::Agent::API` module.
+Additional code documentation is :doc:`here </scripts/policy/frameworks/management/agent/index>`.
+
+Agents add script-layer code to both the Supervisor (details :doc:`here
+</scripts/policy/frameworks/management/supervisor/index>`) and Zeek cluster
+nodes (details :doc:`here </scripts/policy/frameworks/management/node/index>`)
+to enable management tasks (e.g. to tap into node stdout/stderr output) and to
+receive confirmation of successful node startup.
+
+Cluster nodes
+-------------
+
+The Zeek processes involved in traffic analysis and log output make up the Zeek
+*cluster*, via the :ref:`cluster framework <cluster-framework>`. The management
+framework does not change the cluster framework, and all of its concepts (the
+manager, logger(s), workers, etc) apply as before. Cluster *nodes* refer to
+individual Zeek processes in the cluster, as managed by the Supervisor.
+
+Client
+------
+
+The management client provides the user's interface to cluster management. It
+allows configuration and deployment of the Zeek cluster, insight into the
+running cluster, the ability to restart nodes, etc. The client uses the
+controller's event API to communicate and is the only component in the framework
+not (necessarily) implemented in Zeek's script layer. The Zeek distribution
+ships with ``zeek-client``, a command-line client implemented in Python, to
+provide management functionality. Users are welcome to implement other clients.
+
+.. _framework-management-visual-example:
+
+A Visual Example
+================
+
+Consider the following setup, consisting of a single instance, controller, and a
+connected ``zeek-client``, all running on different machines:
+
+.. image:: /images/management.png
+   :align: center
+
+The cluster system runs a single management instance, with an agent listening on
+TCP port 2151, the default. Since the agent needs to communicate with the
+Supervisor for node management tasks and the two run in separate processes, the
+Supervisor listens for Broker peerings, on TCP port 9999 (again, the default),
+and the two communicate events over topic ``zeek/supervisor``. As shown, the
+agent has launched a 4-node Zeek cluster consisting of two workers, a logger,
+and a manager, communicating internally as usual.
+
+The controller system is more straightforward, consisting merely of a
+Supervisor-governed management controller. This controller has connected to and
+peered with the agent on the cluster system, to relay commands received by the
+client via the agent's API and receive responses over Broker topic
+``zeek/management/agent``. Since the controller doesn't need to interact with
+the Supervisor, the latter doesn't listen on any ports. Standalone controllers,
+as running here, still require a Supervisor, to simplify co-located deployment
+of agent and controller in a single instance.
+
+Finally, the admin system doesn't run Zeek, but has it installed to provide
+``zeek-client``, the CLI for issuing cluster management requests. This client
+connects to and peers with the controller, exchanging controller API events over
+topic ``zeek/management/controller``. For more details on ``zeek-client``, see
+:ref:`below <framework-management-zeek-client>`.
+
+In practice you can simplify the deployment by running ``zeek-client`` directly
+on the controller machine, or by running agent and controller jointly on a
+single system. We cover this in :ref:`more detail
+<framework-management-running>`.
+
+Goals and Relationship to ZeekControl
+=====================================
+
+The management framework first shipped in usable form in Zeek 5.0. It will
+replace the aging :ref:`ZeekControl <cluster-configuration>` over the course of
+the coming releases. The framework is not compatible with ZeekControl's approach
+to cluster management: use one or the other, not both.
+
+The framework currently targets single-instance deployments, i.e., setups in
+which traffic monitoring happens on a single system. While the management
+framework technically supports clusters spanning multiple monitoring systems,
+much of the infrastructure users know from ``zeekctl`` (such as the ability to
+deploy Zeek scripts and additional configuration) is not yet available in the
+management framework.
+
+ZeekControl remains included in the Zeek distribution, and remains the
+recommended solution for multi-system clusters and those needing rich management
+capabilities.
+
+.. _framework-management-running:
+
+Running Controller and Agent
+============================
+
+.. _joint-launch:
+
+Joint launch
+------------
+
+The easiest approach is to run a single Zeek instance in which the Supervisor
+launches both an agent and the controller. The framework comes pre-configured for
+this use-case. Its invocation looks as follows:
+
+.. code-block:: console
+
+   # zeek -j policy/frameworks/management/controller policy/frameworks/management/agent
+
+The ``-j`` flag enables the Supervisor and is required for successful launch of
+the framework. (Without it, the above command will simply return.)
+
+.. note::
+
+   If you're planning to monitor the machine's own traffic, add the ``-C`` flag
+   to avoid checksum errors, which commonly happen in local monitoring due to
+   offload of the checksum computation to the NIC.
+
+The following illustrates this setup:
+
+.. image:: /images/management-all-in-one.png
+   :align: center
+   :scale: 75%
+
+Separate controller and agent instances
+---------------------------------------
+
+You can also separate the agent and controller instances. For this, you'd say
+
+.. code-block:: console
+
+   # zeek -j policy/frameworks/management/agent
+
+for the agent, and
+
+.. code-block:: console
+
+   # zeek -j policy/frameworks/management/controller
+
+for the controller. You can run the latter as a regular user, assuming the user
+has write access to the installation's spool and log directories (more on this
+below). While technically not required to operate a stand-alone controller, the
+Supervisor is currently also required in this scenario, so don't omit the
+``-j``.
+
+This looks as follows:
+
+.. image:: /images/management-all-in-one-two-zeeks.png
+   :align: center
+
+
+Controller and agent instances on separate systems
+--------------------------------------------------
+
+You can also separate the two across different systems, though that approach
+will only really start to make sense when the framework fully supports running
+multiple traffic-sniffing instances. To do this, you either need to configure
+the agent to find the controller, or tell the controller where to find the
+agent. For the former, redefine the corresponding config setting, for example by
+saying
+
+.. code-block:: zeek
+
+   redef Management::Agent::controller = [$address="1.2.3.4", $bound_port=21500/tcp];
+
+in ``local.zeek`` and then launching
+
+.. code-block:: console
+
+   # zeek -j policy/frameworks/management/agent local
+
+The result looks as already covered :ref:`earlier <framework-management-visual-example>`:
+
+.. image:: /images/management.png
+   :align: center
+
+To make the controller connect to remote agents, deploy configurations that
+include the location of such agents in the configuration. More on this below.
+
+Multiple instances
+------------------
+
+You can run multiple instances on a single system, but it requires some
+care. Doing so requires specifying a different listening port for each agent,
+and additionally providing a different listening port for each instance's
+Supervisor. Since agents communicate with their Supervisor to facilitate node
+management, the Supervisor needs to listen (though only locally).  Furthermore,
+you need to ensure this agent runs with a unique name (see the next section for
+more on naming).
+
+Assuming you already have an instance running, a launch of an additional agent
+might look as follows:
+
+.. code-block:: console
+
+   # zeek -j policy/frameworks/management/agent \
+     Management::Agent::default_port=2152/tcp \
+     Management::Agent::name=agent-standby \
+     Broker::default_port=10001/tcp
+
+Finally, as already mentioned, you can spread multiple instances across multiple
+systems to explore distributed cluster management. This simplifies the
+individual launch invocations, but for practical distributed cluster use you may
+find the framework's current cluster management features lacking when compared
+to ZeekControl.
+
+Controller and agent naming
+---------------------------
+
+The management framework identifies all nodes in the system by name, and all
+nodes (agent(s), controller, and Zeek cluster nodes) must have unique names. By
+default, the framework chooses ``agent-<hostname>`` and
+``controller-<hostname>`` for agent and controller, respectively. To reconfigure
+naming, set the ``ZEEK_AGENT_NAME`` / ``ZEEK_CONTROLLER_NAME`` environment
+variables, or redefine the following:
+
+.. code-block:: zeek
+
+   redef Management::Controller::name = "controller1";
+   redef Management::Agent::name = "agent1";
+
+Firewalling and encryption
+--------------------------
+
+By default, the controller listens for clients and agents on ports ``2149/tcp`` and
+``2150/tcp``. The former port supports Broker's WebSocket data format, the latter its
+traditional one.
+Unless you run all components, including the client, on a single system, you'll
+want to open up these ports on the controller's system. The agent's default port
+is ``2151/tcp``. It always listens; this allows cluster nodes to connect to it
+to send status reports. If the agents connect to the controller, your firewall
+may block the agent's port since host-local connectivity from cluster nodes to
+the agent process suffices.
+
+To switch agent and/or controller to different ports, set environment variables
+``ZEEK_CONTROLLER_PORT`` / ``ZEEK_CONTROLLER_WEBSOCKET_PORT`` / ``ZEEK_AGENT_PORT``,
+or use the following:
+
+.. code-block:: zeek
+
+   redef Management::Controller::default_port_websocket = 21490/tcp;
+   redef Management::Controller::default_port = 21500/tcp;
+   redef Management::Agent::default_port = 21510/tcp;
+
+By default, agent and controller listen globally. To make them listen on a
+specific interface, set environment variables ``ZEEK_CONTROLLER_ADDR`` /
+``ZEEK_CONTROLLER_WEBSOCKET_ADDR`` / ``ZEEK_AGENT_ADDR``,
+or redefine the framework's fallback default address:
+
+.. code-block:: zeek
+
+   redef Management::default_address = "127.0.0.1";
+
+The framework inherits Broker's TLS capabilities and defaults. For details,
+please refer to the :doc:`Broker config settings
+</scripts/base/frameworks/broker/main.zeek>`.
+
+.. note::
+
+   ``zeek-client`` currently doesn't support client-side certificates.
+
+Additional framework configuration
+----------------------------------
+
+The framework features a number of additional settings that we cover as needed
+in the remainder of this chapter. Refer to the following to browse them all:
+
+* :doc:`General settings </scripts/policy/frameworks/management/config.zeek>`
+* :doc:`Controller </scripts/policy/frameworks/management/controller/config.zeek>`
+* :doc:`Agents </scripts/policy/frameworks/management/agent/config.zeek>`
+* :doc:`Cluster nodes </scripts/policy/frameworks/management/node/config.zeek>`
+* :doc:`Supervisor </scripts/policy/frameworks/management/supervisor/config.zeek>`
+
+Node Operation and Outputs
+==========================
+
+The framework places every Supervisor-created node into its own working
+directory, located in ``$(zeek-config --prefix)/var/lib/nodes/<name>``. You can
+reconfigure this by setting the ``ZEEK_MANAGEMENT_STATE_DIR`` or redefining
+:zeek:see:`Management::state_dir`. Doing either will change the toplevel
+directory (i.e., replacing the path up to and including ``var/lib`` in the
+above); the framework will still create the ``nodes/<name>`` directory structure
+within it.
+
+Outputs in the resulting directory include:
+
+* Two separate ad-hoc logs (not structured by Zeek's logging framework)
+  capturing the node's stdout and stderr streams. Their naming is configurable,
+  defaulting simply to ``stdout`` and ``stderr``.
+
+* Zeek log files prior to log rotation.
+
+* Persisted Zeek state, such as Broker-backed tables.
+
+
+Log Management
+==============
+
+The framework configures log rotation and archival via Zeek's included
+`zeek-archiver tool <https://github.com/zeek/zeek-archiver>`_, as follows:
+
+* The :zeek:see:`Log::default_rotation_interval` is one hour, with both local
+  and remote logging enabled. You are free to adjust it as needed.
+
+* The log rotation directory defaults to ``$(zeek-config --prefix)/spool/log-queue``.
+  To adjust this, redefine :zeek:see:`Log::default_rotation_dir` as usual.
+  You can also relocate the spool by setting the ``ZEEK_MANAGEMENT_SPOOL_DIR``
+  environment variable or redefining :zeek:see:`Management::spool_dir`. The
+  framework will place ``log-queue`` into that new destination.
+
+* The log rotation callback rotates node-local logs into the log queue, with
+  naming suitable for ``zeek-archiver``. An example:
+
+  .. code-block:: console
+
+     conn__2022-06-20-10-00-00__2022-06-20-11-00-00__.log
+
+  For details, take a look at the implementation in
+  ``scripts/policy/frameworks/management/persistence.zeek``.
+
+* Once per log rotation interval, the agent launches log archival to archive
+  rotated logs into the installation's log directory (``$(zeek-config
+  --root)/logs``). By default this invokes ``zeek-archiver``, which establishes
+  a datestamp directory in the ``logs`` directory and places the compressed logs
+  into it:
+
+  .. code-block:: console
+
+     # cd $(zeek-config --root)/logs
+     # ls -l
+     total 4
+     drwx------. 2 root root 4096 Jun 20 21:17 2022-06-20
+     # cd 2022-06-20
+     # ls -l
+     total 712
+     -rw-r--r--. 1 root root   280 Jun 20 20:17 broker.19:00:00-20:00:00.log.gz
+     -rw-r--r--. 1 root root 24803 Jun 20 20:17 conn.19:00:00-20:00:00.log.gz
+     -rw-r--r--. 1 root root 26036 Jun 20 21:17 conn.20:00:00-21:00:00.log.gz
+     -rw-r--r--. 1 root root   350 Jun 20 20:17 dhcp.19:00:00-20:00:00.log.gz
+     -rw-r--r--. 1 root root   400 Jun 20 21:17 dhcp.20:00:00-21:00:00.log.gz
+     ...
+
+You can adapt the log archival configuration via the following settings:
+
+* Redefine :zeek:see:`Management::Agent::archive_logs` to ``F`` to disable
+  archival entirely.
+
+* Redefine :zeek:see:`Management::Agent::archive_interval` for an interval other
+  than the log rotation one.
+
+* Redefine :zeek:see:`Management::Agent::archive_dir` to change the
+  destination directory.
+
+* Redefine :zeek:see:`Management::Agent::archive_cmd` to invoke an executable
+  other than the included ``zeek-archiver``. The replacement should accept the
+  same argument structure: ``<executable> -1 <input dir> <output dir>``. The
+  ``-1`` here refers to ``zeek-archiver``'s one-shot processing mode.
+
+.. _framework-management-zeek-client:
+
+The zeek-client CLI
+===================
+
+Zeek ships with a command-line client for the Management framework:
+``zeek-client``, installed alongside the other executables in the
+distribution. It looks as follows:
+
+.. literalinclude:: management/zeek-client-help.console
+   :language: console
+
+Run commands with ``--help`` for additional details.
+
+The majority of ``zeek-client``'s commands send off a request to the controller,
+wait for it to act on it, retrieve the response, and render it to the
+console. The output is typically in JSON format, though a few commands also
+support ``.ini`` output.
+
+Looking at the :zeek:see:`Management::Controller::API` module, you'll notice
+that the structure of response event arguments is fairly rigid, consisting of
+one or more :zeek:see:`Management::Result` records. ``zeek-client`` does not
+render these directly to JSON. Instead, it translates the responses to a more
+convenient JSON format reflecting specific types of requests. Several commands
+share a common output format.
+
+.. _zeek-client-installation:
+
+Standalone installation
+-----------------------
+
+As mentioned above, Zeek ships with ``zeek-client`` by default. Since users will
+often want to use the client from machines not otherwise running Zeek, the
+client is also available as a standalone Python package via ``pip``:
+
+.. code-block:: console
+
+   $ pip install zeek-client
+
+Users with custom Zeek builds who don't require a Zeek-bundled ``zeek-client``
+can skip its installation by configuring their build with
+``--disable-zeek-client``.
+
+.. _zeek-client-compatibility:
+
+Compatibility
+-------------
+
+Zeek 5.2 switched client/controller communication from Broker's native wire
+format to the newer `WebSocket data transport
+<https://docs.zeek.org/projects/broker/en/current/web-socket.html>`_, with
+``zeek-client`` 1.2.0 being the first version to exclusively use WebSockets.
+This has a few implications:
+
+* Since Broker dedicates separate ports to the respective wire formats, the
+  controller listens on TCP port 2149 for WebSocket connections, while
+  TCP port 2150 remains available for connections by native-Broker clients, as well
+  as by management agents connecting to the controller.
+
+* ``zeek-client`` 1.2.0 and newer default to connecting to port 2149.
+
+* Controllers running Zeek older than 5.2 need tweaking to listen on a WebSocket
+  port, for example by saying:
+
+  .. code-block:: console
+
+     event zeek_init()
+         {
+         Broker::listen_websocket("0.0.0.0", 2149/tcp);
+         }
+
+* Older clients continue to work with Zeek 5.2 and newer.
+
+.. _zeek-client-configuration:
+
+Configuration
+-------------
+
+The client features a handful of configuration settings, reported when running
+``zeek-client show-settings``:
+
+.. literalinclude:: management/zeek-client-show-settings.console
+   :language: console
+
+You can override these via a configuration file, the environment variable
+``ZEEK_CLIENT_CONFIG_SETTINGS``, and the ``--set`` command-line argument, in
+order of increasing precedence. To identify a setting, use
+``<section>.<setting>``, as shown by your client. For example, in order to
+specify a controller's location on the network, you could:
+
+* Put the following in a config file, either at its default location shown in
+  the help output (usually ``$(zeek-config --prefix)/etc/zeek-client.cfg``)
+  or one that you provide via ``-c``/``--configfile``:
+
+  .. code-block:: ini
+
+     [controller]
+     host = mycontroller
+     port = 21490
+
+* Set the environment:
+
+  .. code-block:: console
+
+     ZEEK_CLIENT_CONFIG_SETTINGS="controller.host=mycontroller controller.port=21490"
+
+* Use the ``--set`` option, possibly repeatedly:
+
+  .. code-block:: console
+
+     $ zeek-client --set controller.host=mycontroller --set controller.port=21490 ...
+
+Other than the controller coordinates, the settings should rarely require
+changing. If you're curious about their meaning, please consult the `source code
+<https://github.com/zeek/zeek-client/blob/master/zeekclient/config.py>`_.
+
+Auto-complete
+-------------
+
+On systems with an installed `argcomplete <https://pypi.org/project/argcomplete/>`_
+package, ``zeek-client`` features command-line auto-completion. For example:
+
+.. code-block:: console
+
+   $ zeek-client --set controller.<TAB>
+   controller.host=127.0.0.1  controller.port=2149
+
+Common cluster management tasks
+===============================
+
+With a running controller and agent, it's time start using ``zeek-client`` for
+actual cluster management tasks. By default, the client will connect to a
+controller running on the local system. If that doesn't match your setting,
+instruct the client to contact the controller via one of the approaches shown
+:ref:`earlier <zeek-client-configuration>`.
+
+Checking connected agents
+-------------------------
+
+Use ``zeek-client get-instances`` to get a summary of agents currently peered
+with the controller:
+
+.. code-block:: console
+
+   $ zeek-client get-instances
+   {
+     "agent-testbox": {
+       "host": "127.0.0.1"
+     }
+   }
+
+For agents connecting to the controller you'll see the above output; for agents
+the controller connected to you'll also see those agent's listening ports.
+
+Defining a cluster configuration
+--------------------------------
+
+For ``zeek-client``, cluster configurations are simple ``.ini`` files with two
+types of sections: the special ``instances`` section defines the instances
+involved in the cluster, represented by their agents. All other sections in the
+file name individual cluster nodes and describe their roles and properties.
+
+Here's a full-featured configuration describing the available options, assuming
+a single agent running on a machine "testbox" with default settings:
+
+.. literalinclude:: management/full-config.ini
+   :language: ini
+
+.. _simplification-instance-local:
+
+Simplification for instance-local deployment
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In practice you can omit many of the settings. We already saw in the
+:ref:`Quickstart <framework-management-quickstart>` section that a configuration
+deployed locally in a :ref:`joint agent-controller setup <joint-launch>` need
+not specify any instances at all. In that case, use of the local instance
+``agent-<hostname>`` is implied. If you use other agent naming or more complex
+setups, every node needs to specify its instance.
+
+Simplification for agent-to-controller connectivity
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In setups where agents connect to the controller, you may omit the ``instances``
+section if it would merely repeat the list of instances claimed by the nodes.
+
+Simplification for port selection
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+All but the worker nodes in a Zeek cluster require a listening port, and you can
+specify one for each node as shown in the above configuration. If you'd rather
+not pick ports, the controller can auto-enumerate ports for you, as follows:
+
+* The :zeek:see:`Management::Controller::auto_assign_broker_ports` Boolean, which defaults to
+  ``T``, controls whether port auto-enumeration is active. Redefining to ``F``
+  disables the feature.
+
+* :zeek:see:`Management::Controller::auto_assign_broker_start_port` defines the starting point
+  for port enumeration. This defaults to ``2200/tcp``.
+
+* Any nodes with explicitly configured ports will keep them.
+
+* For other nodes, the controller will assign ports first to the manager, then
+  logger(s), then proxies. Within each of those groups, it first groups nodes
+  in the same instance (to obtain locally sequential ports), and orders these
+  alphabetically by name before enumerating. It also avoids conflicts with
+  configured agent and controller ports.
+
+* The controller does not verify that selected ports are in fact unclaimed.
+  It's up to you to ensure an available pool of unclaimed listening ports from
+  the start port onward.
+
+By retrieving the deployed configuration from the controller (see the next two
+sections) you can examine which ports the controller selected.
+
+Configuration of the Telemetry framework
+----------------------------------------
+
+By default, the framework will enable Prometheus metrics exposition ports,
+including a service discovery endpoint on the manager (refer to the
+:ref:`Telemetry Framework <framework-telemetry>` for details), and
+auto-assign them for you. Specifically, the controller will enumerate ports
+starting from
+:zeek:see:`Management::Controller::auto_assign_metrics_start_port`, which
+defaults to ``9000/tcp``. Any ports you define manually will be preserved.  To
+disable metrics port auto-assignment, redefine
+:zeek:see:`Management::Controller::auto_assign_metrics_ports` to ``F``.
+
+Staging and deploying configurations
+------------------------------------
+
+The framework structures deployment of a cluster configuration into two
+phases:
+
+#. First, the cluster configuration is *staged*: the client uploads it to the
+   controller, which validates its content, and --- upon successful validation
+   --- persists this configuration to disk. Restarting the controller at this
+   point will preserve this configuration in its staged state. Validation checks
+   the configuration for consistency and structural errors, such as doubly
+   defined nodes, port collisions, or inconsistent instance use. The controller
+   only ever stores a single staged configuration.
+
+#. Then, *deployment* applies needed finalization to the configuration (e.g. to
+   auto-enumerate ports) and, assuming all needed instances have peered,
+   distributes the configuration to their agents. Deployment replaces any
+   preexisting Zeek cluster, shutting down the existing node processes. The
+   controller also persists the deployed configuration to disk, alongside the
+   staged one. Deployment does *not* need to be successful to preserve a
+   deployed configuration: it's the attempt to deploy that matters.
+
+Internally, configurations bear an identifier string to allow tracking. The
+client selects this identifier, which comes with no further assurances --- for
+example, identical configurations need not bear the same identifier.
+
+To stage a configuration, use the following:
+
+.. code-block:: console
+
+   $ zeek-client stage-config cluster.cfg
+   {
+     "errors": [],
+     "results": {
+       "id": "5e90197a-f850-11ec-a77f-7c10c94416bb"
+     }
+   }
+
+The ``errors`` array contains textual description of any validation problems
+encountered, causing the client to exit with error. The reported ``id`` is the
+configuration's identifier, as set by the client.
+
+Then, trigger deployment of the staged configuration:
+
+.. code-block:: console
+
+   $ zeek-client deploy
+   {
+     "errors": [],
+     "results": {
+       "id": "5e90197a-f850-11ec-a77f-7c10c94416bb"
+       "nodes": {
+         "logger": {
+           "instance": "agent-testbox4",
+           "success": true
+         },
+         "manager": {
+           "instance": "agent-testbox4",
+           "success": true
+         },
+         "worker-01": {
+           "instance": "agent-testbox4",
+           "success": true
+         },
+         "worker-02": {
+           "instance": "agent-testbox4",
+           "success": true
+         }
+       }
+     }
+   }
+
+Success! Note the matching identifiers. The errors array covers any internal
+problems, and per-node summaries report the deployment outcome. In case of
+launch errors in individual nodes, stdout/stderr is captured and hopefully
+provides clues. Revisiting the quickstart example, let's introduce an error in
+``cluster.cfg``:
+
+.. literalinclude:: management/mini-config-with-error.ini
+   :language: ini
+
+Since staging and deployment will frequently go hand-in-hand, the client
+provides the ``deploy-config`` command to combine them into one. Let's use it:
+
+.. literalinclude:: management/mini-deployment-error.console
+   :language: console
+
+The client exits with error, the timeout error refers to the fact that one of
+the launch commands timed out, and ``worker-02``'s stderr shows the problem. The
+Supervisor will continue to try to launch the node with ever-increasing
+reattempt delays, and keep failing.
+
+Retrieving configurations
+-------------------------
+
+The client's ``get-config`` command lets you retrieve staged and deployed
+configurations from the controller, in JSON or :file:`.ini` form. This is helpful for
+examining the differences between the two. Following the successful deployment
+shown above, we have:
+
+.. literalinclude:: management/mini-deployment-get-config-staged.console
+   :language: console
+
+You can see here how the client's :ref:`instance-local simplification
+<simplification-instance-local>` filled in instances under the hood.
+
+The ``.ini`` output is reusable as deployable configuration. The same
+configuration is available in JSON, showing more detail:
+
+.. literalinclude:: management/mini-deployment-get-config-staged-json.console
+   :language: console
+
+Finally, you can also retrieve the deployed configuration (in either format):
+
+.. literalinclude:: management/mini-deployment-get-config-deployed.console
+   :language: console
+
+Note the manager's and logger's auto-enumerated ports in this one.
+
+Showing the current instance nodes
+----------------------------------
+
+To see the current node status as visible to the Supervisors in each agent's
+instance, use the ``get-nodes`` command:
+
+.. literalinclude:: management/mini-deployment-get-nodes.console
+   :language: console
+
+This groups nodes by instances, while also showing agents and controllers, so
+``agent-testbox`` shows up twice in the above. Nodes can be in two states,
+``PENDING`` upon launch and before the new node has checked in with the agent,
+and ``RUNNING`` once that has happened. Nodes also have a role either in cluster
+management (as ``AGENT`` or ``CONTROLLER``), or in the Zeek cluster. The
+information shown per node essentially reflects the framework's
+:zeek:see:`Management::NodeStatus` record.
+
+Showing current global identifier values
+----------------------------------------
+
+For troubleshooting scripts in production it can be very handy to verify the
+contents of global variables in specific nodes. The client supports this via the
+``get-id-value`` command. To use it, specify the name of a global identifier, as
+well as any node names from which you'd like to retrieve it. The framework
+renders the value to JSON directly in the queried cluster node, side-stepping
+potential serialization issues for complex types, and integrates the result in
+the response:
+
+.. literalinclude:: management/get-id-value-simple.console
+   :language: console
+
+.. literalinclude:: management/get-id-value-complex.console
+   :language: console
+
+Restarting cluster nodes
+------------------------
+
+The ``restart`` command allows you to restart specific cluster nodes, or the
+entire cluster. Note that this refers only to the operational cluster (manager,
+workers, etc) --- this will not restart any agents or a co-located controller.
+
+Here's the current manager:
+
+.. code-block:: console
+
+   $ zeek-client get-nodes | jq '.results."agent-testbox".manager'
+   {
+     "cluster_role": "MANAGER",
+     "mgmt_role": null,
+     "pid": 54073,
+     "port": 2200,
+     "state": "RUNNING"
+   }
+
+Let's restart it:
+
+.. code-block:: console
+
+   $ zeek-client restart manager
+   {
+     "errors": [],
+     "results": {
+       "manager": true
+     }
+   }
+
+It's back up and running (note the PID change):
+
+.. code-block:: console
+
+   $ zeek-client get-nodes | jq '.results."agent-testbox".manager'
+   {
+     "cluster_role": "MANAGER",
+     "mgmt_role": null,
+     "pid": 68752,
+     "port": 2200,
+     "state": "RUNNING"
+   }
diff --git a/doc/frameworks/management/full-config.ini b/doc/frameworks/management/full-config.ini
new file mode 100644
index 0000000000..c4c3912d5e
--- /dev/null
+++ b/doc/frameworks/management/full-config.ini
@@ -0,0 +1,88 @@
+# The instances section describes where you run Management agents
+# and whether these agents connect to the controller, or the controller
+# connects to them. Each instance (or, equivalently, the agent running
+# on it) is identified by a unique name. The names in this configuration
+# must match the names the agents use in the Zeek configuration. Without
+# customization, that name is "agent-<hostname>".
+[instances]
+# A value-less entry means this agent connects to the controller:
+agent-testbox
+
+# An entry with a value of the form "<host>:<port>" means the controller will
+# connect to them.
+#
+# agent-testbox = 12.34.56.78:1234
+
+# All other sections identify Zeek cluster nodes. The section name sets
+# the name of the node:
+[manager]
+
+# Nodes typically state which instance they run on:
+instance = agent-testbox
+
+# Every node needs to define its role. Possible values are "manager",
+# "logger", "proxy", and "worker".
+role = manager
+
+# For nodes that require a listening port (all roles but workers),
+# you can choose to define a port. If you omit it, the framework will
+# define ports for you. Only give a number; TCP is implied.
+#
+# port = 1234
+
+# You can optionally specify explicit metrics exposition ports for each
+# node. If you omit these, the framework (specifically, the controller)
+# will define ports for you. Only give a number; TCP is implied.
+#
+# metrics_port = 9090
+
+# You can provide additional scripts that a node should run. These scripts
+# must be available on the instance. Space-separate multiple scripts.
+#
+# scripts = policy/tuning/json-logs policy/misc/loaded-scripts
+
+# You can define environment variables for the node. List them as <key>=<value>,
+# space-separated if you provide multiple. If the value has whitespace, say
+# <key>="<the value>'
+#
+# env = FOO=BAR
+
+# For workers, specify a sniffing interface as follows:
+#
+# interface = <name>
+
+# To express CPU affinity, use the following:
+#
+# cpu_affinity = <num>
+
+[logger]
+instance = agent-testbox
+role = logger
+
+[proxy1]
+instance = agent-testbox
+role = proxy
+
+[proxy2]
+instance = agent-testbox
+role = proxy
+
+[worker1]
+instance = agent-testbox
+role = worker
+interface = eth0
+
+[worker2]
+instance = agent-testbox
+role = worker
+interface = eth1
+
+[worker3]
+instance = agent-testbox
+role = worker
+interface = eth2
+
+[worker4]
+instance = agent-testbox
+role = worker
+interface = eth3
diff --git a/doc/frameworks/management/get-id-value-complex.console b/doc/frameworks/management/get-id-value-complex.console
new file mode 100644
index 0000000000..34657be5dc
--- /dev/null
+++ b/doc/frameworks/management/get-id-value-complex.console
@@ -0,0 +1,31 @@
+$ zeek-client get-id-value Log::all_streams worker-01
+{
+  "errors": [],
+  "results": {
+    "worker-01": {
+      "Broker::LOG": {
+        "columns": null,
+        "path": "broker",
+        "policy": "Broker::log_policy"
+      },
+      "Cluster::LOG": {
+        "columns": null,
+        "path": "cluster",
+        "policy": "Cluster::log_policy"
+      },
+      ...
+      "X509::LOG": {
+        "columns": null,
+        "ev": "X509::log_x509",
+        "path": "x509",
+        "policy": "X509::log_policy"
+      },
+      "mysql::LOG": {
+        "columns": null,
+        "ev": "MySQL::log_mysql",
+        "path": "mysql",
+        "policy": "MySQL::log_policy"
+      }
+    }
+  }
+}
diff --git a/doc/frameworks/management/get-id-value-simple.console b/doc/frameworks/management/get-id-value-simple.console
new file mode 100644
index 0000000000..e8ce2a69f1
--- /dev/null
+++ b/doc/frameworks/management/get-id-value-simple.console
@@ -0,0 +1,10 @@
+$ zeek-client get-id-value LogAscii::use_json
+{
+  "errors": [],
+  "results": {
+    "logger": false,
+    "manager": false,
+    "worker-01": false,
+    "worker-02": false
+  }
+}
diff --git a/doc/frameworks/management/mini-config-with-error.ini b/doc/frameworks/management/mini-config-with-error.ini
new file mode 100644
index 0000000000..9f5f27c109
--- /dev/null
+++ b/doc/frameworks/management/mini-config-with-error.ini
@@ -0,0 +1,13 @@
+[manager]
+role = manager
+
+[logger]
+role = logger
+
+[worker-01]
+role = worker
+interface = lo
+
+[worker-02]
+role = worker
+interface = not-a-valid-interface
diff --git a/doc/frameworks/management/mini-config.ini b/doc/frameworks/management/mini-config.ini
new file mode 100644
index 0000000000..51bd5ad8d7
--- /dev/null
+++ b/doc/frameworks/management/mini-config.ini
@@ -0,0 +1,13 @@
+[manager]
+role = manager
+
+[logger]
+role = logger
+
+[worker-01]
+role = worker
+interface = lo
+
+[worker-02]
+role = worker
+interface = eth0
diff --git a/doc/frameworks/management/mini-deployment-error.console b/doc/frameworks/management/mini-deployment-error.console
new file mode 100644
index 0000000000..6ced5e61ea
--- /dev/null
+++ b/doc/frameworks/management/mini-deployment-error.console
@@ -0,0 +1,29 @@
+$ zeek-client deploy-config cluster.cfg
+{
+  "errors": [
+    "request timed out"
+  ],
+  "results": {
+    "id": "eed87b02-f851-11ec-80e7-7c10c94416bb",
+    "nodes": {
+      "logger": {
+        "instance": "agent-testbox",
+        "success": true
+      },
+      "manager": {
+        "instance": "agent-testbox",
+        "success": true
+      },
+      "worker-01": {
+        "instance": "agent-testbox",
+        "success": true
+      },
+      "worker-02": {
+        "instance": "agent-testbox",
+        "stderr": "fatal error: problem with interface not-a-valid-interface (pcap_error: No such device exists (pcap_activate))",
+        "stdout": "",
+        "success": false
+      }
+    }
+  }
+}
diff --git a/doc/frameworks/management/mini-deployment-get-config-deployed.console b/doc/frameworks/management/mini-deployment-get-config-deployed.console
new file mode 100644
index 0000000000..4850b73dba
--- /dev/null
+++ b/doc/frameworks/management/mini-deployment-get-config-deployed.console
@@ -0,0 +1,23 @@
+$ zeek-client get-config --deployed
+[instances]
+agent-testbox
+
+[logger]
+instance = agent-testbox
+role = LOGGER
+port = 2201
+
+[manager]
+instance = agent-testbox
+role = MANAGER
+port = 2200
+
+[worker-01]
+instance = agent-testbox
+role = WORKER
+interface = lo
+
+[worker-02]
+instance = agent-testbox
+role = WORKER
+interface = eth0
diff --git a/doc/frameworks/management/mini-deployment-get-config-staged-json.console b/doc/frameworks/management/mini-deployment-get-config-staged-json.console
new file mode 100644
index 0000000000..8ce19a1853
--- /dev/null
+++ b/doc/frameworks/management/mini-deployment-get-config-staged-json.console
@@ -0,0 +1,55 @@
+$ zeek-client get-config --as-json
+{
+  "id": "5e90197a-f850-11ec-a77f-7c10c94416bb",
+  "instances": [
+    {
+      "name": "agent-testbox"
+    }
+  ],
+  "nodes": [
+    {
+      "cpu_affinity": null,
+      "env": {},
+      "instance": "agent-testbox",
+      "interface": null,
+      "name": "logger",
+      "options": null,
+      "port": null,
+      "role": "LOGGER",
+      "scripts": null
+    },
+    {
+      "cpu_affinity": null,
+      "env": {},
+      "instance": "agent-testbox",
+      "interface": null,
+      "name": "manager",
+      "options": null,
+      "port": null,
+      "role": "MANAGER",
+      "scripts": null
+    },
+    {
+      "cpu_affinity": null,
+      "env": {},
+      "instance": "agent-testbox",
+      "interface": "lo",
+      "name": "worker-01",
+      "options": null,
+      "port": null,
+      "role": "WORKER",
+      "scripts": null
+    },
+    {
+      "cpu_affinity": null,
+      "env": {},
+      "instance": "agent-testbox",
+      "interface": "eth0",
+      "name": "worker-02",
+      "options": null,
+      "port": null,
+      "role": "WORKER",
+      "scripts": null
+    }
+  ]
+}
diff --git a/doc/frameworks/management/mini-deployment-get-config-staged.console b/doc/frameworks/management/mini-deployment-get-config-staged.console
new file mode 100644
index 0000000000..f1f2595961
--- /dev/null
+++ b/doc/frameworks/management/mini-deployment-get-config-staged.console
@@ -0,0 +1,21 @@
+$ zeek-client get-config
+[instances]
+agent-testbox
+
+[logger]
+instance = agent-testbox
+role = LOGGER
+
+[manager]
+instance = agent-testbox
+role = MANAGER
+
+[worker-01]
+instance = agent-testbox
+role = WORKER
+interface = lo
+
+[worker-02]
+instance = agent-testbox
+role = WORKER
+interface = eth0
diff --git a/doc/frameworks/management/mini-deployment-get-nodes.console b/doc/frameworks/management/mini-deployment-get-nodes.console
new file mode 100644
index 0000000000..cdd1776529
--- /dev/null
+++ b/doc/frameworks/management/mini-deployment-get-nodes.console
@@ -0,0 +1,47 @@
+$ zeek-client get-nodes
+{
+  "errors": [],
+  "results": {
+    "agent-testbox": {
+      "agent-testbox": {
+        "cluster_role": null,
+        "mgmt_role": "AGENT",
+        "pid": 52076,
+        "state": "RUNNING"
+      },
+      "controller-testbox": {
+        "cluster_role": null,
+        "mgmt_role": "CONTROLLER",
+        "pid": 52075,
+        "port": 2151,
+        "state": "RUNNING"
+      },
+      "logger": {
+        "cluster_role": "LOGGER",
+        "mgmt_role": null,
+        "pid": 54075,
+        "port": 2201,
+        "state": "RUNNING"
+      },
+      "manager": {
+        "cluster_role": "MANAGER",
+        "mgmt_role": null,
+        "pid": 54073,
+        "port": 2200,
+        "state": "RUNNING"
+      },
+      "worker-01": {
+        "cluster_role": "WORKER",
+        "mgmt_role": null,
+        "pid": 54074,
+        "state": "RUNNING"
+      },
+      "worker-02": {
+        "cluster_role": "WORKER",
+        "mgmt_role": null,
+        "pid": 54072,
+        "state": "RUNNING"
+      }
+    }
+  }
+}
diff --git a/doc/frameworks/management/mini-deployment.console b/doc/frameworks/management/mini-deployment.console
new file mode 100644
index 0000000000..90ea8f2490
--- /dev/null
+++ b/doc/frameworks/management/mini-deployment.console
@@ -0,0 +1,25 @@
+$ zeek-client deploy-config cluster.cfg
+{
+  "errors": [],
+  "results": {
+    "id": "9befc56c-f7e8-11ec-8626-7c10c94416bb",
+    "nodes": {
+      "logger": {
+        "instance": "agent-testbox",
+        "success": true
+      },
+      "manager": {
+        "instance": "agent-testbox",
+        "success": true
+      },
+      "worker-01": {
+        "instance": "agent-testbox",
+        "success": true
+      },
+      "worker-02": {
+        "instance": "agent-testbox",
+        "success": true
+      }
+    }
+  }
+}
diff --git a/doc/frameworks/management/zeek-client-help.console b/doc/frameworks/management/zeek-client-help.console
new file mode 100644
index 0000000000..cd3d56fd60
--- /dev/null
+++ b/doc/frameworks/management/zeek-client-help.console
@@ -0,0 +1,45 @@
+$ zeek-client --help
+usage: zeek-client [-h] [-c FILE] [--controller HOST:PORT]
+                   [--set SECTION.KEY=VAL] [--quiet | --verbose] [--version]
+                   {deploy,deploy-config,get-config,get-id-value,get-instances,get-nodes,monitor,restart,stage-config,show-settings,test-timeout}
+                   ...
+
+A Zeek management client
+
+options:
+  -h, --help            show this help message and exit
+  -c FILE, --configfile FILE
+                        Path to zeek-client config file. (Default:
+                        /usr/local/zeek/etc/zeek-client.cfg)
+  --controller HOST:PORT
+                        Address and port of the controller, either of which
+                        may be omitted (default: 127.0.0.1:2149)
+  --set SECTION.KEY=VAL
+                        Adjust a configuration setting. Can use repeatedly.
+                        See show-settings.
+  --quiet, -q           Suppress informational output to stderr.
+  --verbose, -v         Increase informational output to stderr. Repeat for
+                        more output (e.g. -vvv).
+  --version             Show version number and exit.
+
+commands:
+  {deploy,deploy-config,get-config,get-id-value,get-instances,get-nodes,monitor,restart,stage-config,show-settings,test-timeout}
+                        See `zeek-client <command> -h` for per-command usage
+                        info.
+    deploy              Deploy a staged cluster configuration.
+    deploy-config       Upload a cluster configuration and deploy it.
+    get-config          Retrieve staged or deployed cluster configuration.
+    get-id-value        Show the value of a given identifier in Zeek cluster
+                        nodes.
+    get-instances       Show instances connected to the controller.
+    get-nodes           Show active Zeek nodes at each instance.
+    monitor             For troubleshooting: do nothing, just report events.
+    restart             Restart cluster nodes.
+    stage-config        Upload a cluster configuration for later deployment.
+    show-settings       Show zeek-client's own configuration.
+    test-timeout        Send timeout test event.
+
+environment variables:
+
+    ZEEK_CLIENT_CONFIG_FILE:      Same as `--configfile` argument, but lower precedence.
+    ZEEK_CLIENT_CONFIG_SETTINGS:  Same as a space-separated series of `--set` arguments, but lower precedence.
diff --git a/doc/frameworks/management/zeek-client-show-settings.console b/doc/frameworks/management/zeek-client-show-settings.console
new file mode 100644
index 0000000000..e87a42ada3
--- /dev/null
+++ b/doc/frameworks/management/zeek-client-show-settings.console
@@ -0,0 +1,14 @@
+$ zeek-client show-settings
+[client]
+request_timeout_secs = 20
+peer_retry_secs = 1
+peering_status_attempts = 10
+peering_status_retry_delay_secs = 0.5
+rich_logging_format = False
+pretty_json = True
+verbosity = 0
+
+[controller]
+host = 127.0.0.1
+port = 2150
+
diff --git a/doc/frameworks/netcontrol-1-drop-with-debug.zeek b/doc/frameworks/netcontrol-1-drop-with-debug.zeek
new file mode 100644
index 0000000000..d4bbcde042
--- /dev/null
+++ b/doc/frameworks/netcontrol-1-drop-with-debug.zeek
@@ -0,0 +1,10 @@
+event NetControl::init()
+	{
+	local debug_plugin = NetControl::create_debug(T);
+	NetControl::activate(debug_plugin, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	NetControl::drop_connection(c$id, 20 secs);
+	}
diff --git a/doc/frameworks/netcontrol-10-use-skeleton.zeek b/doc/frameworks/netcontrol-10-use-skeleton.zeek
new file mode 100644
index 0000000000..4f683dfd83
--- /dev/null
+++ b/doc/frameworks/netcontrol-10-use-skeleton.zeek
@@ -0,0 +1,10 @@
+event NetControl::init()
+	{
+	local skeleton_plugin = NetControl::create_skeleton("");
+	NetControl::activate(skeleton_plugin, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	NetControl::drop_connection(c$id, 20 secs);
+	}
diff --git a/doc/frameworks/netcontrol-2-ssh-guesser.zeek b/doc/frameworks/netcontrol-2-ssh-guesser.zeek
new file mode 100644
index 0000000000..2b8757cdea
--- /dev/null
+++ b/doc/frameworks/netcontrol-2-ssh-guesser.zeek
@@ -0,0 +1,16 @@
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+event NetControl::init()
+	{
+	local debug_plugin = NetControl::create_debug(T);
+	NetControl::activate(debug_plugin, 0);
+	}
+
+hook Notice::policy(n: Notice::Info)
+	{
+	if ( n$note == SSH::Password_Guessing )
+		NetControl::drop_address(n$src, 60min);
+	}
diff --git a/doc/frameworks/netcontrol-3-ssh-guesser.zeek b/doc/frameworks/netcontrol-3-ssh-guesser.zeek
new file mode 100644
index 0000000000..6f6065350c
--- /dev/null
+++ b/doc/frameworks/netcontrol-3-ssh-guesser.zeek
@@ -0,0 +1,16 @@
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+event NetControl::init()
+	{
+	local debug_plugin = NetControl::create_debug(T);
+	NetControl::activate(debug_plugin, 0);
+	}
+
+hook Notice::policy(n: Notice::Info)
+	{
+	if ( n$note == SSH::Password_Guessing )
+		add n$actions[Notice::ACTION_DROP];
+	}
diff --git a/doc/frameworks/netcontrol-4-drop.zeek b/doc/frameworks/netcontrol-4-drop.zeek
new file mode 100644
index 0000000000..b95822736d
--- /dev/null
+++ b/doc/frameworks/netcontrol-4-drop.zeek
@@ -0,0 +1,26 @@
+function our_drop_connection(c: conn_id, t: interval)
+	{
+	# As a first step, create the NetControl::Entity that we want to block
+	local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);
+	# Then, use the entity to create the rule to drop the entity in the forward path
+	local r = NetControl::Rule($ty=NetControl::DROP,
+		$target=NetControl::FORWARD, $entity=e, $expire=t);
+
+	# Add the rule
+	local id = NetControl::add_rule(r);
+
+	if ( id == "" )
+		print "Error while dropping";
+	}
+
+event NetControl::init()
+	{
+	local debug_plugin = NetControl::create_debug(T);
+	NetControl::activate(debug_plugin, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	our_drop_connection(c$id, 20 secs);
+	}
+
diff --git a/doc/frameworks/netcontrol-5-hook.zeek b/doc/frameworks/netcontrol-5-hook.zeek
new file mode 100644
index 0000000000..dee8d5547a
--- /dev/null
+++ b/doc/frameworks/netcontrol-5-hook.zeek
@@ -0,0 +1,22 @@
+hook NetControl::rule_policy(r: NetControl::Rule)
+	{
+	if ( r$ty == NetControl::DROP &&
+	     r$entity$ty == NetControl::CONNECTION &&
+			 r$entity$conn$orig_h in 192.168.0.0/16 )
+			 {
+			 print "Ignored connection from", r$entity$conn$orig_h;
+			 break;
+			 }
+	}
+
+event NetControl::init()
+	{
+	local debug_plugin = NetControl::create_debug(T);
+	NetControl::activate(debug_plugin, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	NetControl::drop_connection(c$id, 20 secs);
+	}
+
diff --git a/doc/frameworks/netcontrol-6-find.zeek b/doc/frameworks/netcontrol-6-find.zeek
new file mode 100644
index 0000000000..9e7677dfac
--- /dev/null
+++ b/doc/frameworks/netcontrol-6-find.zeek
@@ -0,0 +1,17 @@
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 )
+		{
+		print "Rule already exists";
+		return;
+		}
+
+	NetControl::drop_connection(c$id, 20 secs);
+	print "Rule added";
+	}
diff --git a/doc/frameworks/netcontrol-7-catch-release.zeek b/doc/frameworks/netcontrol-7-catch-release.zeek
new file mode 100644
index 0000000000..189a89e68d
--- /dev/null
+++ b/doc/frameworks/netcontrol-7-catch-release.zeek
@@ -0,0 +1,10 @@
+event NetControl::init()
+	{
+	local debug_plugin = NetControl::create_debug(T);
+	NetControl::activate(debug_plugin, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	NetControl::drop_address_catch_release(c$id$orig_h);
+	}
diff --git a/doc/frameworks/netcontrol-8-multiple.zeek b/doc/frameworks/netcontrol-8-multiple.zeek
new file mode 100644
index 0000000000..4d134a577c
--- /dev/null
+++ b/doc/frameworks/netcontrol-8-multiple.zeek
@@ -0,0 +1,29 @@
+function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool
+	{
+	if ( r$ty == NetControl::DROP &&
+		r$entity$ty == NetControl::ADDRESS &&
+		subnet_width(r$entity$ip) == 32 &&
+		subnet_to_addr(r$entity$ip) in 192.168.17.0/24 )
+		return F;
+
+	return T;
+	}
+
+event NetControl::init()
+	{
+	# Add debug plugin with low priority
+	local debug_plugin = NetControl::create_debug(T);
+	NetControl::activate(debug_plugin, 0);
+
+	# Instantiate OpenFlow debug plugin with higher priority
+	local of_controller = OpenFlow::log_new(42);
+	local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]);
+	NetControl::activate(netcontrol_of, 10);
+	}
+
+event NetControl::init_done()
+	{
+	NetControl::drop_address(10.0.0.1, 1min);
+	NetControl::drop_address(192.168.17.2, 1min);
+	NetControl::drop_address(192.168.18.2, 1min);
+	}
diff --git a/doc/frameworks/netcontrol-9-skeleton.zeek b/doc/frameworks/netcontrol-9-skeleton.zeek
new file mode 100644
index 0000000000..f768ba8b0e
--- /dev/null
+++ b/doc/frameworks/netcontrol-9-skeleton.zeek
@@ -0,0 +1,39 @@
+module NetControl;
+
+export {
+	## Instantiates the plugin.
+	global create_skeleton: function(argument: string) : PluginState;
+}
+
+function skeleton_name(p: PluginState) : string
+	{
+	return "NetControl skeleton plugin";
+	}
+
+function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
+	{
+	print "add", r;
+	event NetControl::rule_added(r, p);
+	return T;
+	}
+
+function skeleton_remove_rule_fun(p: PluginState, r: Rule, reason: string &default="") : bool
+	{
+	print "remove", r;
+	event NetControl::rule_removed(r, p);
+	return T;
+	}
+
+global skeleton_plugin = Plugin(
+	$name = skeleton_name,
+	$can_expire = F,
+	$add_rule = skeleton_add_rule_fun,
+	$remove_rule = skeleton_remove_rule_fun
+	);
+
+function create_skeleton(argument: string) : PluginState
+	{
+	local p = PluginState($plugin=skeleton_plugin);
+
+	return p;
+	}
diff --git a/doc/frameworks/netcontrol-architecture.graffle b/doc/frameworks/netcontrol-architecture.graffle
new file mode 100644
index 0000000000..136cbdb2b0
Binary files /dev/null and b/doc/frameworks/netcontrol-architecture.graffle differ
diff --git a/doc/frameworks/netcontrol-architecture.png b/doc/frameworks/netcontrol-architecture.png
new file mode 100644
index 0000000000..4f7b585c66
Binary files /dev/null and b/doc/frameworks/netcontrol-architecture.png differ
diff --git a/doc/frameworks/netcontrol-openflow.graffle b/doc/frameworks/netcontrol-openflow.graffle
new file mode 100644
index 0000000000..09a418f716
Binary files /dev/null and b/doc/frameworks/netcontrol-openflow.graffle differ
diff --git a/doc/frameworks/netcontrol-openflow.png b/doc/frameworks/netcontrol-openflow.png
new file mode 100644
index 0000000000..e760c9b074
Binary files /dev/null and b/doc/frameworks/netcontrol-openflow.png differ
diff --git a/doc/frameworks/netcontrol-rules.png b/doc/frameworks/netcontrol-rules.png
new file mode 100644
index 0000000000..5141c81ceb
Binary files /dev/null and b/doc/frameworks/netcontrol-rules.png differ
diff --git a/doc/frameworks/netcontrol.rst b/doc/frameworks/netcontrol.rst
new file mode 100644
index 0000000000..70e08174c5
--- /dev/null
+++ b/doc/frameworks/netcontrol.rst
@@ -0,0 +1,812 @@
+
+.. _framework-netcontrol:
+
+====================
+NetControl Framework
+====================
+
+.. TODO: integrate BoZ revisions
+
+.. rst-class:: opening
+
+  Zeek can connect with network devices like, for example, switches
+  or soft- and hardware firewalls using the NetControl framework. The
+  NetControl framework provides a flexible, unified interface for active
+  response and hides the complexity of heterogeneous network equipment
+  behind a simple task-oriented API, which is easily usable via Zeek
+  scripts. This section gives an overview of how to use the NetControl
+  framework in different scenarios; to get a better understanding of how
+  it can be used in practice, it might be worthwhile to take a look at
+  the integration tests.
+
+NetControl Architecture
+=======================
+
+.. figure:: netcontrol-architecture.png
+    :width: 600
+    :align: center
+    :alt: NetControl framework architecture
+    :target: ../_images/netcontrol-architecture.png
+
+    NetControl architecture (click to enlarge).
+
+The basic architecture of the NetControl framework is shown in the figure above.
+Conceptually, the NetControl framework sits between the user provided scripts
+(which use the Zeek event engine) and the network device (which can either be a
+hardware or software device), that is used to implement the commands.
+
+The NetControl framework supports a number of high-level calls, like the
+:zeek:see:`NetControl::drop_address` function, or a lower level rule
+syntax. After a rule has been added to the NetControl framework, NetControl
+sends the rule to one or several of its *backends*. Each backend is responsible
+to communicate with a single hard- or software device. The NetControl framework
+tracks rules throughout their entire lifecycle and reports the status (like
+success, failure and timeouts) back to the user scripts.
+
+The backends are implemented as Zeek scripts using a plugin based API; an example
+for this is :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek`. We'll
+show how to write plugins in :ref:`framework-netcontrol-plugins`.
+
+NetControl API
+==============
+
+High-level NetControl API
+-------------------------
+
+In this section, we will introduce the high level NetControl API. As mentioned
+above, NetControl uses *backends* to communicate with the external devices that
+will implement the rules. You will need at least one active backend before you
+can use NetControl. For our examples, we will just use the debug plugin to
+create a backend. This plugin outputs all actions that are taken to the standard
+output.
+
+Backends should be initialized in the :zeek:see:`NetControl::init` event, calling
+the :zeek:see:`NetControl::activate` function after the plugin instance has been
+initialized. The debug plugin can be initialized as follows:
+
+.. code-block:: zeek
+
+  event NetControl::init()
+    {
+    local debug_plugin = NetControl::create_debug(T);
+    NetControl::activate(debug_plugin, 0);
+    }
+
+After at least one backend has been added to the NetControl framework, the
+framework can be used and will send added rules to the added backend.
+
+The NetControl framework contains several high level functions that allow users
+to drop connections of certain addresses and networks, shunt network traffic,
+etc. The following table shows and describes all of the currently available
+high-level functions.
+
+.. list-table::
+    :widths: 32 40
+    :header-rows: 1
+
+    * - Function
+      - Description
+
+    * - :zeek:see:`NetControl::drop_address`
+      - Calling this function causes NetControl to block all packets involving
+        an IP address from being forwarded.
+
+    * - :zeek:see:`NetControl::drop_connection`
+      - Calling this function stops all packets of a specific connection
+        (identified by its 5-tuple) from being forwarded.
+
+    * - :zeek:see:`NetControl::drop_address_catch_release`
+      - Calling this function causes all packets of a specific source IP to be
+        blocked. This function uses catch-and-release functionality and the IP
+        address is only dropped for a short amount of time to conserve rule
+        space in the network hardware. It is immediately re-dropped when it is
+        seen again in traffic. See :ref:`framework-netcontrol-catchrelease` for
+        more information.
+
+    * - :zeek:see:`NetControl::shunt_flow`
+      - Calling this function causes NetControl to stop forwarding a
+        uni-directional flow of packets to Zeek. This allows Zeek to conserve
+        resources by shunting flows that have been identified as being benign.
+
+    * - :zeek:see:`NetControl::redirect_flow`
+      - Calling this function causes NetControl to redirect a uni-directional
+        flow to another port of the networking hardware.
+
+    * - :zeek:see:`NetControl::quarantine_host`
+      - Calling this function allows Zeek to quarantine a host by sending DNS
+        traffic to a host with a special DNS server, which resolves all queries
+        as pointing to itself. The quarantined host is only allowed between the
+        special server, which will serve a warning message detailing the next
+        steps for the user.
+
+    * - :zeek:see:`NetControl::whitelist_address`
+      - Calling this function causes NetControl to push a whitelist entry for an
+        IP address to the networking hardware.
+
+    * - :zeek:see:`NetControl::whitelist_subnet`
+      - Calling this function causes NetControl to push a whitelist entry for a
+        subnet to the networking hardware.
+
+After adding a backend, all of these functions can immediately be used and will
+start sending the rules to the added backend(s). To give a very simple example,
+the following script will simply block the traffic of all connections that it
+sees being established:
+
+.. literalinclude:: netcontrol-1-drop-with-debug.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Running this script on a file containing one connection will cause the debug
+plugin to print one line to the standard output, which contains information
+about the rule that was added. It will also cause creation of :file:`netcontrol.log`,
+which contains information about all actions that are taken by NetControl:
+
+.. code-block:: console
+
+   $ zeek -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.zeek
+   netcontrol debug (Debug-All): init
+   netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+   $ cat netcontrol.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     netcontrol
+   #open     2018-12-14-18-50-53
+   #fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
+   #types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
+   1398529018.678276 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::CONNECTION  192.168.18.50/56981<->74.125.239.97/443 -       -       0       20.000000       -       Debug-All
+   1398529018.678276 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::CONNECTION  192.168.18.50/56981<->74.125.239.97/443 -       -       0       20.000000       -       Debug-All
+   #close    2018-12-14-18-50-53
+
+In our case, :file:`netcontrol.log` contains several :zeek:see:`NetControl::MESSAGE`
+entries, which show that the debug plugin has been initialized and added.
+Afterwards, there are two :zeek:see:`NetControl::RULE` entries; the first shows
+that the addition of a rule has been requested (state is
+:zeek:see:`NetControl::REQUESTED`). The following line shows that the rule was
+successfully added (the state is :zeek:see:`NetControl::SUCCEEDED`). The
+remainder of the log line gives more information about the added rule, which in
+our case applies to a specific 5-tuple.
+
+In addition to the :file:`netcontrol.log`, the drop commands also create a second,
+additional log called :file:`netcontrol_drop.log`. This log file is much more succinct and
+only contains information that is specific to drops that are enacted by
+NetControl:
+
+.. code-block:: console
+
+   $ cat netcontrol_drop.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     netcontrol_drop
+   #open     2018-12-14-18-50-53
+   #fields   ts      rule_id orig_h  orig_p  resp_h  resp_p  expire  location
+   #types    time    string  addr    port    addr    port    interval        string
+   1398529018.678276 2       192.168.18.50   56981   74.125.239.97   443     20.000000       -
+   #close    2018-12-14-18-50-53
+
+While this example of blocking all connections is usually not very useful, the
+high-level API gives an easy way to take action, for example when a host is
+identified doing some harmful activity. To give a more realistic example, the
+following code automatically blocks a recognized SSH guesser:
+
+.. literalinclude:: netcontrol-2-ssh-guesser.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.zeek
+   netcontrol debug (Debug-All): init
+   netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.56.1/32, mac=<uninitialized>], expire=1.0 hr, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+   $ cat netcontrol.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     netcontrol
+   #open     2018-12-14-18-50-54
+   #fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
+   #types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
+   1427726759.303199 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.56.1/32 -       -       0       3600.000000     -       Debug-All
+   1427726759.303199 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.56.1/32 -       -       0       3600.000000     -       Debug-All
+   #close    2018-12-14-18-50-54
+
+Note that in this case, instead of calling NetControl directly, we also can use
+the :zeek:see:`Notice::ACTION_DROP` action of the notice framework:
+
+.. literalinclude:: netcontrol-3-ssh-guesser.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.zeek
+   netcontrol debug (Debug-All): init
+   netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.56.1/32, mac=<uninitialized>], expire=10.0 mins, priority=0, location=ACTION_DROP: T, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+   $ cat netcontrol.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     netcontrol
+   #open     2018-12-14-18-50-55
+   #fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
+   #types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
+   1427726759.303199 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.56.1/32 -       -       0       600.000000      ACTION_DROP: T  Debug-All
+   1427726759.303199 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.56.1/32 -       -       0       600.000000      ACTION_DROP: T  Debug-All
+   #close    2018-12-14-18-50-55
+
+Using the :zeek:see:`Notice::ACTION_DROP` action of the notice framework also
+will cause the ``dropped`` column in :file:`notice.log` to be set to true each time that
+the NetControl framework enacts a block:
+
+.. code-block:: console
+
+   $ cat notice.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     notice
+   #open     2018-12-14-18-50-55
+   #fields   ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
+   #types    time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       interval        bool    string  string  string  double  double
+   1427726759.303199 -       -       -       -       -       -       -       -       -       SSH::Password_Guessing  192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections).     Sampled servers:  192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103        192.168.56.1    -       -       -       -       Notice::ACTION_DROP,Notice::ACTION_LOG  3600.000000     F       -       -       -       -       -
+   #close    2018-12-14-18-50-55
+
+Rule API
+--------
+
+As already mentioned in the last section, in addition to the high-level API, the
+NetControl framework also supports a Rule based API which allows greater
+flexibility while adding rules. Actually, all the high-level functions are
+implemented using this lower-level rule API; the high-level functions simply
+convert their arguments into the lower-level rules and then add the rules
+directly to the NetControl framework (by calling :zeek:see:`NetControl::add_rule`).
+
+The following figure shows the main components of NetControl rules:
+
+.. figure:: netcontrol-rules.png
+    :width: 600
+    :align: center
+    :alt: NetControl rule overview
+    :target: ../_images/netcontrol-rules.png
+
+    NetControl Rule overview (click to enlarge).
+
+The types that are used to make up a rule are defined in
+:doc:`/scripts/base/frameworks/netcontrol/types.zeek`.
+
+Rules are defined as a :zeek:see:`NetControl::Rule` record. Rules have a *type*,
+which specifies what kind of action is taken. The possible actions are to
+**drop** packets, to **modify** them, to **redirect** or to **whitelist** them.
+The *target* of a rule specifies if the rule is applied in the *forward path*,
+and affects packets as they are forwarded through the network, or if it affects
+the *monitor path* and only affects the packets that are sent to Zeek, but not
+the packets that traverse the network. The *entity* specifies the address,
+connection, etc. that the rule applies to. In addition, each rule has a
+*timeout* (which can be left empty), a *priority* (with higher priority rules
+overriding lower priority rules). Furthermore, a *location* string with more
+text information about each rule can be provided.
+
+There are a couple more fields that are only needed for some rule types. For
+example, when you insert a redirect rule, you have to specify the port that
+packets should be redirected to. All these fields are shown in the
+:zeek:see:`NetControl::Rule` documentation.
+
+To give an example on how to construct your own rule, we are going to write
+our own version of the :zeek:see:`NetControl::drop_connection` function. The only
+difference between our function and the one provided by NetControl is the fact
+that the NetControl function has additional functionality, e.g. for logging.
+
+Once again, we are going to test our function with a simple example that simply
+drops all connections on the network:
+
+.. literalinclude:: netcontrol-4-drop.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -C -r tls/ecdhe.pcap netcontrol-4-drop.zeek
+   netcontrol debug (Debug-All): init
+   netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+   $ cat netcontrol.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     netcontrol
+   #open     2018-12-14-18-50-55
+   #fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
+   #types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
+   0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
+   1398529018.678276 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::CONNECTION  192.168.18.50/56981<->74.125.239.97/443 -       -       0       20.000000       -       Debug-All
+   1398529018.678276 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::CONNECTION  192.168.18.50/56981<->74.125.239.97/443 -       -       0       20.000000       -       Debug-All
+   #close    2018-12-14-18-50-55
+
+The last example shows that :zeek:see:`NetControl::add_rule` returns a string
+identifier that is unique for each rule (uniqueness is not preserved across
+restarts of Zeek). This rule id can be used to later remove rules manually using
+:zeek:see:`NetControl::remove_rule`.
+
+Similar to :zeek:see:`NetControl::add_rule`, all the high-level functions also
+return their rule IDs, which can be removed in the same way.
+
+Interacting with Rules
+----------------------
+
+The NetControl framework offers a number of different ways to interact with
+rules. Before a rule is applied by the framework, a number of different hooks
+allow you to either modify or discard rules before they are added. Furthermore,
+a number of events can be used to track the lifecycle of a rule while it is
+being managed by the NetControl framework. It is also possible to query and
+access the current set of active rules.
+
+Rule Policy
+***********
+
+The hook :zeek:see:`NetControl::rule_policy` provides the mechanism for modifying
+or discarding a rule before it is sent onwards to the backends. Hooks can be
+thought of as multi-bodied functions and using them looks very similar to
+handling events. In contrast to events, they are processed immediately. Like
+events, hooks can have priorities to sort the order in which they are applied.
+Hooks can use the ``break`` keyword to show that processing should be aborted;
+if any :zeek:see:`NetControl::rule_policy` hook uses ``break``, the rule will be
+discarded before further processing.
+
+Here is a simple example which tells Zeek to discard all rules for connections
+originating from the 192.168.* network:
+
+.. literalinclude:: netcontrol-5-hook.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -C -r tls/ecdhe.pcap netcontrol-5-hook.zeek
+   netcontrol debug (Debug-All): init
+   Ignored connection from, 192.168.18.50
+
+NetControl Events
+*****************
+
+In addition to the hooks, the NetControl framework offers a variety of events
+that are raised by the framework to allow users to track rules, as well as the
+state of the framework.
+
+We already encountered and used one event of the NetControl framework,
+:zeek:see:`NetControl::init`, which is used to initialize the framework. After
+the framework has finished initialization and will start accepting rules, the
+:zeek:see:`NetControl::init_done` event will be raised.
+
+When rules are added to the framework, the following events will be called in
+this order:
+
+.. list-table::
+    :widths: 20 80
+    :header-rows: 1
+
+    * - Event
+      - Description
+
+    * - :zeek:see:`NetControl::rule_new`
+      - Signals that a new rule is created by the NetControl framework due to
+        :zeek:see:`NetControl::add_rule`. At this point, the rule has not
+        yet been added to any backend.
+
+    * - :zeek:see:`NetControl::rule_added`
+      - Signals that a new rule has successfully been added by a backend.
+
+    * - :zeek:see:`NetControl::rule_exists`
+      - This event is raised instead of :zeek:see:`NetControl::rule_added` when a
+        backend reports that a rule was already existing.
+
+    * - :zeek:see:`NetControl::rule_timeout`
+      - Signals that a rule timeout was reached. If the hardware does not support
+        automatic timeouts, the NetControl framework will automatically call
+        :zeek:see:`NetControl::remove_rule`.
+
+    * - :zeek:see:`NetControl::rule_removed`
+      - Signals that a new rule has successfully been removed a backend.
+
+    * - :zeek:see:`NetControl::rule_destroyed`
+      - This event is the pendant to :zeek:see:`NetControl::rule_added`, and
+        reports that a rule is no longer being tracked by the NetControl framework.
+        This happens, for example, when a rule was removed from all backends.
+
+    * - :zeek:see:`NetControl::rule_error`
+      - This event is raised whenever an error occurs during any rule operation.
+
+Finding active rules
+********************
+
+The NetControl framework provides two functions for finding currently active
+rules: :zeek:see:`NetControl::find_rules_addr` finds all rules that affect a
+certain IP address and :zeek:see:`NetControl::find_rules_subnet` finds all rules
+that affect a specified subnet.
+
+Consider, for example, the case where a Zeek instance monitors the traffic at the
+border, before any firewall or switch rules were applied. In this case, Zeek will
+still be able to see connection attempts of already blocked IP addresses. In this
+case, :zeek:see:`NetControl::find_rules_addr` could be used to check if an
+address already was blocked in the past.
+
+Here is a simple example, which uses a trace that contains two connections from
+the same IP address. After the first connection, the script recognizes that the
+address is already blocked in the second connection.
+
+.. literalinclude:: netcontrol-6-find.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -C -r tls/google-duplicate.trace netcontrol-6-find.zeek
+   netcontrol debug (Debug-All): init
+   netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.4.149, orig_p=60623/tcp, resp_h=74.125.239.129, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+   Rule added
+   Rule already exists
+
+Notice that the functions return vectors because it is possible that several
+rules exist simultaneously that affect one IP; either there could be
+rules with different priorities, or rules for the subnet that an IP address is
+part of.
+
+
+
+.. _framework-netcontrol-catchrelease:
+
+Catch and Release
+-----------------
+
+We already mentioned earlier that in addition to the
+:zeek:see:`NetControl::drop_connection` and :zeek:see:`NetControl::drop_address`
+functions, which drop a connection or address for a specified amount of time,
+NetControl also comes with a blocking function that uses an approach called
+*catch and release*.
+
+Catch and release is a blocking scheme that conserves valuable rule space in
+your hardware. Instead of using long-lasting blocks, catch and release first
+only installs blocks for a short amount of time (typically a few minutes). After
+these minutes pass, the block is lifted, but the IP address is added to a
+watchlist and the IP address will immediately be re-blocked again (for a longer
+amount of time), if it is seen reappearing in any traffic, no matter if the new
+traffic triggers any alert or not.
+
+This makes catch and release blocks similar to normal, longer duration blocks,
+while only requiring a small amount of space for the currently active rules. IP
+addresses that only are seen once for a short time are only blocked for a few
+minutes, monitored for a while and then forgotten. IP addresses that keep
+appearing will get re-blocked for longer amounts of time.
+
+In contrast to the other high-level functions that we have documented so far, the
+catch and release functionality is much more complex and adds a number of
+different specialized functions to NetControl. The documentation for catch and
+release is contained in the file
+:doc:`/scripts/policy/frameworks/netcontrol/catch-and-release.zeek`.
+
+Using catch and release in your scripts is easy; just use
+:zeek:see:`NetControl::drop_address_catch_release` like in this example:
+
+.. literalinclude:: netcontrol-7-catch-release.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -C -r tls/ecdhe.pcap netcontrol-7-catch-release.zeek
+   netcontrol debug (Debug-All): init
+   netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=10.0 mins, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+Note that you do not have to provide the block time for catch and release;
+instead, catch and release uses the time intervals specified in
+:zeek:see:`NetControl::catch_release_intervals` (by default 10 minutes, 1 hour,
+24 hours, 7 days). That means when an address is first blocked, it is blocked
+for 10 minutes and monitored for 1 hour. If the address reappears after the
+first 10 minutes, it is blocked for 1 hour and then monitored for 24 hours, etc.
+
+Catch and release adds its own new logfile in addition to the already existing
+ones (:file:`netcontrol_catch_release.log`):
+
+.. code-block:: console
+
+   $ cat netcontrol_catch_release.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     netcontrol_catch_release
+   #open     2018-12-14-18-50-58
+   #fields   ts      rule_id ip      action  block_interval  watch_interval  blocked_until   watched_until   num_blocked     location        message
+   #types    time    string  addr    enum    interval        interval        time    time    count   string  string
+   1398529018.678276 2       192.168.18.50   NetControl::DROP        600.000000      3600.000000     1398529618.678276       1398532618.678276       1       -       -
+   1398529018.678276 2       192.168.18.50   NetControl::DROPPED     600.000000      3600.000000     1398529618.678276       1398532618.678276       1       -       -
+   #close    2018-12-14-18-50-58
+
+In addition to the blocking function, catch and release comes with the
+:zeek:see:`NetControl::get_catch_release_info` function to
+check if an address is already blocked by catch and release (and get information
+about the block). The :zeek:see:`NetControl::unblock_address_catch_release`
+function can be used to unblock addresses from catch and release.
+
+.. note::
+
+    Since catch and release does its own connection tracking in addition to the
+    tracking used by the NetControl framework, it is not sufficient to remove
+    rules that were added by catch and release using :zeek:see:`NetControl::remove_rule`.
+    You have to use :zeek:see:`NetControl::unblock_address_catch_release` in this
+    case.
+
+.. _framework-netcontrol-plugins:
+
+NetControl Plugins
+==================
+
+Using the existing plugins
+--------------------------
+
+In the API part of the documentation, we exclusively used the debug plugin,
+which simply outputs its actions to the screen. In addition to this debugging
+plugin, Zeek ships with a small number of plugins that can be used to interface
+the NetControl framework with your networking hard- and software.
+
+The plugins that currently ship with NetControl are:
+
+.. list-table::
+    :widths: 15 55
+    :header-rows: 1
+
+    * - Plugin name
+      - Description
+
+    * - OpenFlow plugin
+      - This is the most fully featured plugin which allows the NetControl
+        framework to be interfaced with OpenFlow switches. The source of this
+        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek`.
+
+    * - Broker plugin
+      - This plugin provides a generic way to send NetControl commands using the
+        new Zeek communication library (Broker). External programs can receive
+        the rules and take action; we provide an example script that calls
+        command-line programs triggered by NetControl. The source of this
+        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek`.
+
+    * - acld plugin
+      - This plugin adds support for the acld daemon, which can interface with
+        several switches and routers. The current version of acld is available
+        from the `LBL ftp server <ftp://ftp.ee.lbl.gov/acld.tar.gz>`_. The source of this
+        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek`.
+
+    * - PacketFilter plugin
+      - This plugin uses the Zeek process-level packet filter (see
+        :zeek:see:`install_src_net_filter` and
+        :zeek:see:`install_dst_net_filter`). Since the functionality of the
+        PacketFilter is limited, this plugin is mostly for demonstration purposes. The source of this
+        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek`.
+
+    * - Debug plugin
+      - The debug plugin simply outputs its action to the standard output. The source of this
+        plugin is contained in :doc:`/scripts/base/frameworks/netcontrol/plugins/debug.zeek`.
+
+Activating plugins
+******************
+
+In the API reference we already used the debug plugin.
+We first had to instantiate it by calling
+:zeek:see:`NetControl::create_debug` and then add it to NetControl by
+calling :zeek:see:`NetControl::activate`.
+
+As we already hinted before, NetControl supports having several plugins that are
+active at the same time. The second argument to the :zeek:see:`NetControl::activate`
+function is the priority of the backend that was just added. Each rule is sent
+to all plugins in order, from highest priority to lowest priority. The backend
+can then choose if it accepts the rule and pushes it out to the hardware that it
+manages. Or, it can opt to reject the rule. In this case, the NetControl
+framework will try to apply the rule to the backend with the next lower
+priority. If no backend accepts a rule, the rule insertion is marked as failed.
+
+The choice if a rule is accepted or rejected stays completely with each plugin.
+The debug plugin we used so far just accepts all rules. However, for other
+plugins you can specify what rules they will accept. Consider, for example, a
+network with two OpenFlow switches. The first switch forwards packets from the
+network to the external world, the second switch sits in front of your Zeek
+cluster to provide packet shunting. In this case, you can add two OpenFlow
+backends to NetControl. When you create the instances using
+:zeek:see:`NetControl::create_openflow`, you set the ``monitor`` and ``forward``
+attributes of the configuration in :zeek:see:`NetControl::OfConfig`
+appropriately. Afterwards, one of the backends will only accept rules for the
+monitor path; the other backend will only accept rules for the forward path.
+
+Commonly, plugins also support predicate functions, that allow the user to
+specify restrictions on the rules that they will accept. This can for example be
+used if you have a network where certain switches are responsible for specified
+subnets. The predicate can examine the subnet of the rule and only accept the
+rule if the rule matches the subnet that the specific switch is responsible for.
+
+To give an example, the following script adds two backends to NetControl. One
+backend is the NetControl debug backend, which just outputs the rules to the
+console. The second backend is an OpenFlow backend, which uses the OpenFlow
+debug mode that outputs the openflow rules to :file:`openflow.log`. The OpenFlow
+backend uses a predicate function to only accept rules with a source address in
+the 192.168.17.0/24 network; all other rules will be passed on to the debug
+plugin. We manually block a few addresses in the
+:zeek:see:`NetControl::init_done` event to verify the correct functionality.
+
+.. literalinclude:: netcontrol-8-multiple.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek netcontrol-8-multiple.zeek
+   netcontrol debug (Debug-All): init
+   netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.17.2/32, mac=<uninitialized>], expire=1.0 min, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
+
+As you can see, only the single block affecting the 192.168.17.0/24 network is
+output to the command line. The other two lines are handled by the OpenFlow
+plugin. We can verify this by looking at :file:`netcontrol.log`. The plugin column shows
+which plugin handled a rule and reveals that two rules were handled by OpenFlow:
+
+.. code-block:: console
+
+   $ cat netcontrol.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     netcontrol
+   #open     2018-12-14-18-50-58
+   #fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
+   #types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
+   1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
+   1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
+   1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 10      -       -       -       Openflow-Log-42
+   1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Openflow-Log-42
+   1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
+   1544813458.913148 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     10.0.0.1/32     -       -       0       60.000000       -       Openflow-Log-42
+   1544813458.913148 3       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.17.2/32 -       -       0       60.000000       -       Debug-All
+   1544813458.913148 4       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.18.2/32 -       -       0       60.000000       -       Openflow-Log-42
+   1544813458.913148 3       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.17.2/32 -       -       0       60.000000       -       Debug-All
+   1544813458.913148 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     10.0.0.1/32     -       -       0       60.000000       -       Openflow-Log-42
+   1544813458.913148 4       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.18.2/32 -       -       0       60.000000       -       Openflow-Log-42
+   #close    2018-12-14-18-50-58
+
+Furthermore, :file:`openflow.log` also shows the two added rules, converted to OpenFlow
+flow mods:
+
+.. code-block:: console
+
+   $ cat openflow.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     openflow
+   #open     2018-12-14-18-50-58
+   #fields   ts      dpid    match.in_port   match.dl_src    match.dl_dst    match.dl_vlan   match.dl_vlan_pcp       match.dl_type   match.nw_tos    match.nw_proto  match.nw_src    match.nw_dst    match.tp_src    match.tp_dst    flow_mod.cookie flow_mod.table_id       flow_mod.command        flow_mod.idle_timeout   flow_mod.hard_timeout   flow_mod.priority       flow_mod.out_port       flow_mod.out_group      flow_mod.flags  flow_mod.actions.out_ports      flow_mod.actions.vlan_vid       flow_mod.actions.vlan_pcp       flow_mod.actions.vlan_strip     flow_mod.actions.dl_src flow_mod.actions.dl_dst flow_mod.actions.nw_tos flow_mod.actions.nw_src flow_mod.actions.nw_dst flow_mod.actions.tp_src flow_mod.actions.tp_dst
+   #types    time    count   count   string  string  count   count   count   count   count   subnet  subnet  count   count   count   count   enum    count   count   count   count   count   count   vector[count]   count   count   bool    string  string  count   addr    addr    count   count
+   1544813458.913148 42      -       -       -       -       -       2048    -       -       10.0.0.1/32     -       -       -       4398046511108   -       OpenFlow::OFPFC_ADD     0       60      0       -       -       1       (empty) -       -       F       -       -       -       -       -       -       -
+   1544813458.913148 42      -       -       -       -       -       2048    -       -       -       10.0.0.1/32     -       -       4398046511109   -       OpenFlow::OFPFC_ADD     0       60      0       -       -       1       (empty) -       -       F       -       -       -       -       -       -       -
+   1544813458.913148 42      -       -       -       -       -       2048    -       -       192.168.18.2/32 -       -       -       4398046511112   -       OpenFlow::OFPFC_ADD     0       60      0       -       -       1       (empty) -       -       F       -       -       -       -       -       -       -
+   1544813458.913148 42      -       -       -       -       -       2048    -       -       -       192.168.18.2/32 -       -       4398046511113   -       OpenFlow::OFPFC_ADD     0       60      0       -       -       1       (empty) -       -       F       -       -       -       -       -       -       -
+   #close    2018-12-14-18-50-58
+
+.. note::
+
+    You might have asked yourself what happens when you add two or more with the
+    same priority. In this case, the rule is sent to all the backends
+    simultaneously. This can be useful, for example when you have redundant
+    switches that should keep the same rule state.
+
+Interfacing with external hardware
+**********************************
+
+Now that we know which plugins exist, and how they can be added to NetControl,
+it is time to discuss how we can interface Zeek with actual hardware. The typical
+way to accomplish this is to use the Zeek communication library (Broker), which
+can be used to exchange Zeek events with external programs and scripts. The
+NetControl plugins can use Broker to send events to external programs, which can
+then take action depending on these events.
+
+The following figure shows this architecture with the example of the OpenFlow
+plugin. The OpenFlow plugin uses Broker to send events to an external Python
+script, which uses the `Ryu SDN controller <https://ryu-sdn.org/>`_ to
+communicate with the Switch.
+
+.. figure:: netcontrol-openflow.png
+    :width: 600
+    :align: center
+    :alt: NetControl and OpenFlow architecture.
+    :target: ../_images/netcontrol-openflow.png
+
+    NetControl and OpenFlow architecture (click to enlarge).
+
+The Python scripts that are used to interface with the available NetControl
+plugins are contained in the ``zeek-netcontrol`` repository (`github link <https://github.com/zeek/zeek-netcontrol>`_).
+The repository contains scripts for the OpenFlow as well as the acld plugin.
+Furthermore, it contains a script for the broker plugin which can be used to
+call configurable command-line programs when used with the broker plugin.
+
+The repository also contains documentation on how to install these connectors.
+The ``netcontrol`` directory contains an API that allows you to write your own
+connectors to the broker plugin.
+
+Writing plugins
+---------------
+
+In addition to using the plugins that are part of NetControl, you can write your
+own plugins to interface with hard- or software that we currently do not support
+out of the box.
+
+Creating your own plugin is easy; besides a bit of boilerplate, you only need to
+create two functions: one that is called when a rule is added, and one that is
+called when a rule is removed. The following script creates a minimal plugin
+that just outputs a rule when it is added or removed. Note that you have to
+raise the :zeek:see:`NetControl::rule_added` and
+:zeek:see:`NetControl::rule_removed` events in your plugin to let NetControl know
+when a rule was added and removed successfully.
+
+.. literalinclude:: netcontrol-9-skeleton.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+This example is already fully functional and we can use it with a script similar
+to our very first example:
+
+.. literalinclude:: netcontrol-10-use-skeleton.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.zeek
+   add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={
+
+   }, _active_plugin_ids={
+
+   }, _no_expire_plugins={
+
+   }, _added=F]
+
+If you want to write your own plugins, it will be worthwhile to look at the
+plugins that ship with the NetControl framework to see how they define the
+predicates and interact with Broker.
diff --git a/doc/frameworks/notice.rst b/doc/frameworks/notice.rst
new file mode 100644
index 0000000000..cd8bc6e73f
--- /dev/null
+++ b/doc/frameworks/notice.rst
@@ -0,0 +1,434 @@
+
+.. _notice-framework:
+
+================
+Notice Framework
+================
+
+One of the easiest ways to customize Zeek is writing a local notice policy.
+Zeek can detect a large number of potentially interesting situations, and the
+notice policy hook identifies which of them the user wants to be acted upon in
+some manner. In particular, the notice policy can specify actions to be taken,
+such as sending an email or compiling regular alarm emails. This page gives an
+introduction into writing such a notice policy.
+
+Overview
+========
+
+Let’s start with a little bit of background on Zeek’s philosophy on reporting
+things. Zeek ships with a large number of policy scripts which perform a wide
+variety of analyses. Most of these scripts monitor for activity which might be
+of interest for the user. However, none of these scripts determines the
+importance of what it finds itself. Instead, the scripts only flag situations
+as *potentially* interesting, leaving it to the local configuration to define
+which of them are in fact actionable. This decoupling of detection and
+reporting allows Zeek to address the different needs that different sites have.
+Definitions of what constitutes an attack or even a compromise differ quite a
+bit between environments, and activity deemed malicious at one site might be
+fully acceptable at another.
+
+Whenever one of Zeek’s analysis scripts sees something potentially interesting
+it flags the situation by calling the :zeek:see:`NOTICE` function and giving it
+a single :zeek:see:`Notice::Info` record. A Notice has a
+:zeek:see:`Notice::Type`, which reflects the kind of activity that has been
+seen, and it is usually also augmented with further context about the
+situation.
+
+More information about raising notices can be found in the :ref:`Raising
+Notices <raising-notices>` section.
+
+Once a notice is raised, it can have any number of actions applied to it by
+writing :zeek:see:`Notice::policy` hooks which are described in the
+:ref:`Notice Policy <notice-policy>` section below. Such actions can for
+example send email to configured address(es), or simply ignore the
+notice. Currently, the following actions are defined:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Action
+    - Description
+
+  * - :zeek:see:`Notice::ACTION_LOG`
+    - Write the notice to the :zeek:see:`Notice::LOG` logging stream.
+
+  * - :zeek:see:`Notice::ACTION_ALARM`
+    - Log into the :zeek:see:`Notice::ALARM_LOG` stream which will rotate
+      hourly and email the contents to the email address or addresses in the
+      :zeek:field:`Notice::Info$email_dest` field of that notice's :zeek:see:`Notice::Info` record.
+
+  * - :zeek:see:`Notice::ACTION_EMAIL`
+    - Send the notice in an email to the email address or addresses in the
+      :zeek:field:`Notice::Info$email_dest` field of that notice's :zeek:see:`Notice::Info` record.
+
+  * - :zeek:see:`Notice::ACTION_PAGE`
+    - Send an email to the email address or addresses in the
+      :zeek:field:`Notice::Info$email_dest` field of that notice's :zeek:see:`Notice::Info` record.
+
+How these notice actions are applied to notices is discussed in the
+:ref:`Notice Policy <notice-policy>` and :ref:`Notice Policy Shortcuts
+<notice-policy-shortcuts>` sections.
+
+Processing Notices
+==================
+
+.. _notice-policy:
+
+Notice Policy
+-------------
+
+The hook :zeek:see:`Notice::policy` provides the mechanism for applying actions
+and generally modifying the notice before it’s sent onward to the action
+plugins.  Hooks can be thought of as multi-bodied functions and using them
+looks very similar to handling events. The difference is that they don’t go
+through the event queue like events. Users can alter notice processing by
+directly modifying fields in the :zeek:see:`Notice::Info` record given as the
+argument to the hook.
+
+Here’s a simple example which tells Zeek to send an email for all notices of
+type :zeek:see:`SSH::Password_Guessing` if the guesser attempted to log in to
+the server at ``192.168.56.103``:
+
+.. code-block:: zeek
+  :caption: notice_ssh_guesser.zeek
+
+  @load protocols/ssh/detect-bruteforcing
+
+  redef SSH::password_guesses_limit=10;
+
+  hook Notice::policy(n: Notice::Info)
+      {
+      if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
+          {
+          add n$actions[Notice::ACTION_EMAIL];
+          n$email_dest = "ssh_alerts@example.net";
+          }
+      }
+
+.. code-block:: console
+
+  $ zeek -C -r ssh/sshguess.pcap notice_ssh_guesser.zeek
+  $ cat notice.log
+
+::
+
+  #separator \x09
+  #set_separator    ,
+  #empty_field      (empty)
+  #unset_field      -
+  #path     notice
+  #open     2018-12-13-22-56-35
+  #fields   ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions email-dest   suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
+  #types    time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       set[string]   interval        bool    string  string  string  double  double
+  1427726759.303199 -       -       -       -       -       -       -       -       -       SSH::Password_Guessing  192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections).     Sampled servers:  192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103        192.168.56.1    -       -       -       -       Notice::ACTION_EMAIL,Notice::ACTION_LOG  ssh_alerts@example.net    3600.000000     F       -       -       -       -       -
+  #close    2018-12-13-22-56-35
+
+.. note::
+
+  Keep in mind that the semantics of the :zeek:see:`SSH::Password_Guessing`
+  notice are such that it is only raised when Zeek heuristically detects a
+  failed login.
+
+Hooks can also have priorities applied to order their execution like events
+with a default priority of 0. Greater values are executed first. Setting a hook
+body to run before default hook bodies might look like this:
+
+.. code-block:: zeek
+
+  hook Notice::policy(n: Notice::Info) &priority=5
+      {
+      # Insert your code here.
+      }
+
+Hooks can also abort later hook bodies with the :zeek:see:`break` keyword. This
+is primarily useful if one wants to completely preempt processing by lower
+priority :zeek:see:`Notice::policy` hooks.
+
+.. _notice-policy-shortcuts:
+
+Notice Policy Shortcuts
+-----------------------
+
+Although the notice framework provides a great deal of flexibility and
+configurability there are many times that the full expressiveness isn’t needed
+and actually becomes a hindrance to achieving results. The framework provides a
+default :zeek:see:`Notice::policy` hook body as a way of giving users the
+shortcuts to easily apply many common actions to notices.
+
+These are implemented as sets and tables indexed with a
+:zeek:see:`Notice::Type` enum value. The following table shows and describes
+all of the variables available for shortcut configuration of the notice
+framework.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Variable name
+    - Description
+
+  * - :zeek:see:`Notice::ignored_types`
+    - Adding a :zeek:see:`Notice::Type` to this set results in the notice being
+      ignored. It won’t have any other action applied to it, not even
+      :zeek:see:`Notice::ACTION_LOG`.
+
+  * - :zeek:see:`Notice::emailed_types`
+    - Adding a :zeek:see:`Notice::Type` to this set results in
+      :zeek:see:`Notice::ACTION_EMAIL` being applied to the notices of that
+      type.
+
+  * - :zeek:see:`Notice::alarmed_types`
+    - Adding a :zeek:see:`Notice::Type` to this set results in
+      :zeek:see:`Notice::ACTION_ALARM` being applied to the notices of that
+      type.
+
+  * - :zeek:see:`Notice::not_suppressed_types`
+    - Adding a :zeek:see:`Notice::Type` to this set results in that notice no
+      longer undergoing the normal notice suppression that would take place. Be
+      careful when using this in production it could result in a dramatic
+      increase in the number of notices being processed.
+
+  * - :zeek:see:`Notice::type_suppression_intervals`
+    - This is a table indexed on :zeek:see:`Notice::Type` and yielding an
+      interval. It can be used as an easy way to extend the default suppression
+      interval for an entire :zeek:see:`Notice::Type` without having to create
+      a whole :zeek:see:`Notice::policy` entry and setting the
+      ``$suppress_for`` field.
+
+.. _raising-notices:
+
+Raising Notices
+===============
+
+A script should raise a notice for any occurrence that a user may want to be
+notified about or take action on. For example, whenever the base SSH analysis
+script sees enough failed logins to a given host, it raises a notice of the
+type :zeek:see:`SSH::Password_Guessing`. The code in the base SSH analysis
+script which raises the notice looks like this:
+
+.. code-block:: zeek
+
+  NOTICE([$note=Password_Guessing,
+          $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
+          $src=key$host,
+          $identifier=cat(key$host)]);
+
+:zeek:see:`NOTICE` is a normal function in the global namespace which wraps a
+function within the Notice namespace. It takes a single argument of the
+:zeek:see:`Notice::Info` record type. The most common fields used when raising
+notices are described in the following table:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Field name
+    - Description
+
+  * - :zeek:field:`note`
+    - This field is required and is an enum value which represents the notice
+      type.
+
+  * - :zeek:field:`msg`
+    - This is a human readable message which is meant to provide more
+      information about this particular instance of the notice type.
+
+  * - :zeek:field:`sub`
+    - This is a sub-message meant for human readability but will frequently
+      also be used to contain data meant to be matched with the
+      :zeek:see:`Notice::policy`.
+
+  * - :zeek:field:`conn`
+    - If a connection record is available when the notice is being raised and
+      the notice represents some attribute of the connection, then the
+      connection record can be given here. Other fields such as :zeek:field:`id` and :zeek:field:`src`
+      will automatically be populated from this value.
+
+  * - :zeek:field:`id`
+    - If a :zeek:see:`conn_id` record is available when the notice is being
+      raised and the notice represents some attribute of the connection, then
+      the connection can be given here. Other fields such as :zeek:field:`src` will
+      automatically be populated from this value.
+
+  * - :zeek:field:`src`
+    - If the notice represents an attribute of a single host then it’s possible
+      that only this field should be filled out to represent the host that is
+      being “noticed”.
+
+  * - :zeek:field:`n`
+    - This normally represents a number if the notice has to do with some
+      number. It’s most frequently used for numeric tests in the
+      :zeek:see:`Notice::policy` for making policy decisions.
+
+  * - :zeek:field:`identifier`
+    - This represents a unique identifier for this notice. This field is
+      described in more detail in the :ref:`Automated Suppression
+      <automated-notice-suppression>` section.
+
+  * - :zeek:field:`suppress_for`
+    - This field can be set if there is a natural suppression interval for the
+      notice that may be different than the default value. The value set to
+      this field can also be modified by a user’s :zeek:see:`Notice::policy` so
+      the value is not set permanently and unchangeably.
+
+When writing Zeek scripts that raise notices, some thought should be given to
+what the notice represents and what data should be provided to give a consumer
+of the notice the best information about the notice. If the notice is
+representative of many connections and is an attribute of a host (e.g., a
+scanning host) it probably makes most sense to fill out the :zeek:field:`src` field and
+not give a connection or :zeek:see:`conn_id`. If a notice is representative of
+a connection attribute (e.g. an apparent SSH login) then it makes sense to fill
+out either :zeek:field:`Notice::Info$conn` or :zeek:field:`Notice::Info$id`
+based on the data that is available when the notice is raised.
+
+Using care when inserting data into a notice will make later analysis easier
+when only the data to fully represent the occurrence that raised the notice is
+available. If complete connection information is included when an SSL server
+certificate is expiring, for example, the logs will be very confusing because
+the connection that the certificate was detected on is a side topic to the fact
+that an expired certificate was detected. It’s possible in many cases that two
+or more separate notices may need to be generated. As an example, one could be
+for the detection of the expired SSL certificate and another could be for if
+the client decided to go ahead with the connection neglecting the expired
+certificate.
+
+.. _automated-notice-suppression:
+
+Automated Suppression
+=====================
+
+The notice framework supports suppression for notices if the author of the
+script that is generating the notice has indicated to the notice framework how
+to identify notices that are intrinsically the same. Identification of these
+“intrinsically duplicate” notices is implemented with an optional field in
+:zeek:see:`Notice::Info` records named :zeek:field:`Notice::Info$identifier`
+which is a simple string. If the :zeek:field:`Notice::Info$identifier` and
+:zeek:field:`Notice::Info$note` fields are the same for two notices, the notice
+framework actually considers them to be the same thing and
+can use that information to suppress duplicates for a configurable period of
+time.
+
+.. note::
+
+   If the :zeek:field:`identifier` is left out of a notice, no notice suppression takes
+   place due to the framework’s inability to identify duplicates. This could be
+   completely legitimate usage if no notices could ever be considered to be
+   duplicates.
+
+The :zeek:field:`Notice::Info$identifier` field typically comprises several pieces of data related to
+the notice that when combined represent a unique instance of that notice. Here
+is an example of the script
+:doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` raising a notice for
+session negotiations where the certificate or certificate chain did not
+validate successfully against the available certificate authority certificates.
+
+.. code-block:: zeek
+
+  NOTICE([$note=SSL::Invalid_Server_Cert,
+          $msg=fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status),
+          $sub=c$ssl$subject,
+          $conn=c,
+          $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status,c$ssl$cert_hash)]);
+
+In the above example you can see that the :zeek:field:`identifier` field contains a
+string that is built from the responder IP address and port, the validation
+status message, and the MD5 sum of the server certificate. Those fields in
+particular are chosen because different SSL certificates could be seen on any
+port of a host, certificates could fail validation for different reasons, and
+multiple server certificates could be used on that combination of IP address
+and port with the server_name SSL extension (explaining the addition of the MD5
+sum of the certificate). The result is that if a certificate fails validation
+and all four pieces of data match (IP address, port, validation status, and
+certificate hash) that particular notice won’t be raised again for the default
+suppression period.
+
+Setting the :zeek:field:`Notice::Info$identifier` field is left to those raising notices because it’s
+assumed that the script author who is raising the notice understands the full
+problem set and edge cases of the notice which may not be readily apparent to
+users. If users don’t want the suppression to take place or simply want a
+different interval, they can set a notice’s suppression interval to ``0secs``
+or delete the value from the :zeek:field:`identifier` field in a
+:zeek:see:`Notice::policy` hook.
+
+Extending Notice Framework
+==========================
+
+There are a couple of mechanisms for extending the notice framework and adding
+new capabilities.
+
+Configuring Notice Emails
+-------------------------
+
+If :zeek:see:`Notice::mail_dest` is set, notices with an associated
+e-mail action will be sent to that address. For additional
+customization, users can use the :zeek:see:`Notice::policy` hook to
+modify the :zeek:field:`Notice::Info$email_dest` field. The following example would result in three
+separate e-mails:
+
+.. code-block:: zeek
+
+  hook Notice::policy(n: Notice::Info)
+    {
+    n$email_dest = set(
+        "snow.white@example.net",
+        "doc@example.net",
+        "happy@example.net,sleepy@example.net,bashful@example.net"
+    );
+    }
+
+You can also use :zeek:see:`Notice::policy` hooks to add extra information to
+emails. The :zeek:see:`Notice::Info` record contains a vector of strings named
+:zeek:field:`Notice::Info$email_body_sections` which Zeek will include verbatim when sending email.
+An example of including some information from an HTTP request is included below.
+
+.. code-block:: zeek
+
+  hook Notice::policy(n: Notice::Info)
+    {
+    if ( n?$conn && n$conn?$http && n$conn$http?$host )
+      n$email_body_sections[|n$email_body_sections|] = fmt("HTTP host header: %s", n$conn$http$host);
+    }
+
+Cluster Considerations
+======================
+
+When running Zeek in a cluster, most of the information above stays the same.
+Notices are generated, the :zeek:see:`Notice::policy` hook is evaluated, and
+any actions are run on the node which generated the notice (most often a worker
+node). Of note to users/developers of Zeek is that any files or access needed
+to run the notice actions must be available to the respective node(s).
+
+The role of the manager is to receive and distribute notice suppression
+information, so that duplicate notices do not get generated. Bear in mind that
+some amount of latency is intrinsic in this synchronization, so it’s
+possible that rapidly-generating notices will be duplicates. In this case, any
+actions will also execute multiple times, once by each notice-generating
+node.
+
+The Weird Log
+=============
+
+A wide range of “weird” activity detected by Zeek can trigger corresponding
+events that inform the script layer of this activity. These events exist at
+various granularities, including :zeek:see:`conn_weird`,
+:zeek:see:`flow_weird`, :zeek:see:`net_weird`, :zeek:see:`file_weird`, and
+others. Built atop the notice framework, the :doc:`Weird
+</scripts/base/frameworks/notice/weird.zeek>` module implements event handlers
+that funnel the various “weirds” into the usual notice framework handlers. To
+get an idea of the available weird-types, take a look at the
+:zeek:see:`Weird::actions` table, which defines default actions for the various
+types of activity. Weirds generally do not indicate security-relevant activity
+— they’re just, well, weird things that you generally wouldn’t expect to
+happen, such as odd TCP state machine violations, unexpected HTTP header
+constellations, or DNS message properties that fall outside of the relevant RFC
+specifications. That is, don’t consider them actionable detections in an IDS
+sense, though they might well provide meaningful additional clues for a
+security incident.
+
+The notice type for weirds is :zeek:see:`Weird::Activity`. You have a wide range of actions at
+your disposal for how to handle weirds: you can ignore them, log them, or have
+them trigger notice, all at various reduction/filtering granularities (see the
+:zeek:see:`Weird::Action` enum values for details). For dynamic filtering, the
+:zeek:see:`Weird::ignore_hosts` and :zeek:see:`Weird::weird_ignore` sets allow
+exclusion of activity from reporting.
+
+The framework provides a few additional tuning knobs. See
+:doc:`/scripts/base/frameworks/notice/weird.zeek` for details.
diff --git a/doc/frameworks/notice_ssh_guesser.zeek b/doc/frameworks/notice_ssh_guesser.zeek
new file mode 100644
index 0000000000..34ffe2e95e
--- /dev/null
+++ b/doc/frameworks/notice_ssh_guesser.zeek
@@ -0,0 +1,10 @@
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+hook Notice::policy(n: Notice::Info)
+	{
+	if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
+		add n$actions[Notice::ACTION_EMAIL];
+	}
diff --git a/doc/frameworks/packet-analysis-1-ethernet.zeek b/doc/frameworks/packet-analysis-1-ethernet.zeek
new file mode 100644
index 0000000000..bea6014bcd
--- /dev/null
+++ b/doc/frameworks/packet-analysis-1-ethernet.zeek
@@ -0,0 +1,26 @@
+module PacketAnalyzer::ETHERNET;
+
+export {
+	## Default analyzer
+	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
+
+	## IEEE 802.2 SNAP analyzer
+	global snap_analyzer: PacketAnalyzer::Tag &redef;
+	## Novell raw IEEE 802.3 analyzer
+	global novell_raw_analyzer: PacketAnalyzer::Tag &redef;
+	## IEEE 802.2 LLC analyzer
+	global llc_analyzer: PacketAnalyzer::Tag &redef;
+}
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x86DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0806, PacketAnalyzer::ANALYZER_ARP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8035, PacketAnalyzer::ANALYZER_ARP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88A8, PacketAnalyzer::ANALYZER_VLAN);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
+	}
diff --git a/doc/frameworks/packet-analysis-2-llc.cc b/doc/frameworks/packet-analysis-2-llc.cc
new file mode 100644
index 0000000000..4d72b7cf9e
--- /dev/null
+++ b/doc/frameworks/packet-analysis-2-llc.cc
@@ -0,0 +1,23 @@
+bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// Rudimentary parsing of 802.2 LLC
+	if ( 17 >= len )
+		{
+		packet->Weird("truncated_llc_header");
+		return false;
+		}
+
+	if ( ! llc_demo_message )
+		return true;
+
+	auto dsap = data[14];
+	auto ssap = data[15];
+	auto control = data[16];
+
+	event_mgr.Enqueue(llc_demo_message,
+		val_mgr->Count(dsap),
+		val_mgr->Count(ssap),
+		val_mgr->Count(control));
+
+	return true;
+	}
diff --git a/doc/frameworks/packet-analysis-pdu.svg b/doc/frameworks/packet-analysis-pdu.svg
new file mode 100644
index 0000000000..65c5ed7c74
--- /dev/null
+++ b/doc/frameworks/packet-analysis-pdu.svg
@@ -0,0 +1 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="850" height="160"><style xmlns="http://www.w3.org/1999/xhtml"></style><defs/><g transform="translate(0,0)"><g><rect fill="#FFFFFF" stroke="none" x="0" y="0" width="850" height="160"/></g><g transform="matrix(1,0,0,1,175,45)"><g transform="translate(0,0)"><g transform="translate(-249.71428571428572,-72.28571428571428) translate(74.71428571428572,27.285714285714278) matrix(1,0,0,1,0,0)"><g><g><path fill="none" stroke="#7d7d7d" stroke-dasharray="8,8" d="M 190 60 L 190 100" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,175,45)"><g transform="translate(0,0)"><g transform="translate(-249.71428571428572,-72.28571428571428) translate(74.71428571428572,27.285714285714278) matrix(1,0,0,1,0,0)"><g><g><path fill="none" stroke="#7d7d7d" stroke-dasharray="8,8" d="M 190 60 L 190 100" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,645,45)"><g transform="translate(0,0)"><g transform="translate(-723.4285714285714,-72.85714285714286) translate(78.42857142857144,27.85714285714286) matrix(1,0,0,1,0,0)"><g><g><path fill="none" stroke="#7d7d7d" stroke-dasharray="8,8" d="M 660 60 L 840 100" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,645,45)"><g transform="translate(0,0)"><g transform="translate(-723.4285714285714,-72.85714285714286) translate(78.42857142857144,27.85714285714286) matrix(1,0,0,1,0,0)"><g><g><path fill="none" stroke="#7d7d7d" stroke-dasharray="8,8" d="M 660 60 L 840 100" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(-1,1.2246467991473532e-16,-1.2246467991473532e-16,-1,660,60)"><g><g transform="translate(0,0) scale(4.7,0.3)"><g><g transform="scale(0.2127659574468085,3.3333333333333335)"><path fill="#b6d7a8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 30 L 0 30 L 0 0 Z"/><path fill="none" stroke="#b6d7a8" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 30 L 0 30 L 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,10,10)"><g><g transform="translate(0,0) scale(6.5,0.2)"><g><path fill="#b6d7a8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(0.15384615384615385,5)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 650 0 Q 650 0 650 0 L 650 20 Q 650 20 650 20 L 0 20 Q 0 20 0 20 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 650 0 Q 650 0 650 0 L 650 20 Q 650 20 650 20 L 0 20 Q 0 20 0 20 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,31,11)"><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="608" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="608" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="256.8500061035156" y="0.75" width="94" height="17" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="256.8500061035156" y="0.75" width="94" height="17" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="256.8500061035156" y="0.75" width="94" height="17" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="700" text-decoration="" line-height="18.5px" x="256.8500061035156" y="14.75">Layer</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="700" text-decoration="" line-height="18.5px" x="304" y="14.75">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="700" text-decoration="" line-height="18.5px" x="317.3500061035156" y="14.75">PDU</text></g><g><g/></g></g><g transform="translate(0,0) matrix(1,0,0,1,10,30)"><g><g transform="translate(0,0) scale(0.2,0.3)"><g><path fill="#b6d7a8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(5,3.3333333333333335)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 20 0 Q 20 0 20 0 L 20 30 Q 20 30 20 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 20 0 Q 20 0 20 0 L 20 30 Q 20 30 20 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,190,100)"><g><g transform="translate(0,0) scale(6.5,0.2)"><g><path fill="#c9daf8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(0.15384615384615385,5)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 650 0 Q 650 0 650 0 L 650 20 Q 650 20 650 20 L 0 20 Q 0 20 0 20 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 650 0 Q 650 0 650 0 L 650 20 Q 650 20 650 20 L 0 20 Q 0 20 0 20 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,211,101)"><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="608" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="608" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="256.8500061035156" y="0.75" width="94" height="17" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="256.8500061035156" y="0.75" width="94" height="17" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="700" text-decoration="" line-height="18.5px" x="256.8500061035156" y="14.75">Layer</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="700" text-decoration="" line-height="18.5px" x="304" y="14.75">2</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="700" text-decoration="" line-height="18.5px" x="317.3500061035156" y="14.75">PDU</text></g><g><g/></g></g><g transform="translate(0,0) matrix(1,0,0,1,190,120)"><g><g transform="translate(0,0) scale(1.1,0.3)"><g><path fill="#c9daf8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(0.9090909090909091,3.3333333333333335)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 110.00000000000001 0 Q 110.00000000000001 0 110.00000000000001 0 L 110.00000000000001 30 Q 110.00000000000001 30 110.00000000000001 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 110.00000000000001 0 Q 110.00000000000001 0 110.00000000000001 0 L 110.00000000000001 30 Q 110.00000000000001 30 110.00000000000001 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,190,30)"><g><g transform="translate(0,0) scale(4.7,0.3)"><g><g transform="scale(0.2127659574468085,3.3333333333333335)"><path fill="#c9daf8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 30 L 0 30 L 0 0 Z"/><path fill="none" stroke="#c9daf8" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 30 L 0 30 L 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,200,36)"><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="450" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="450" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="167.1666717529297" y="0.75" width="116" height="17" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="167.1666717529297" y="0.75" width="116" height="17" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="normal" text-decoration="" line-height="18.5px" x="167.1666717529297" y="14.75">Layer</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="normal" text-decoration="" line-height="18.5px" x="211.64999389648438" y="14.75">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="normal" text-decoration="" line-height="18.5px" x="225" y="14.75">Payload</text></g><g><g/></g></g><g transform="translate(0,0) matrix(1,0,0,1,190,30)"><g><g transform="translate(0,0) scale(4.7,0.3)"><g><path fill="rgb(255,255,255)" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z" fill-opacity="0.008"/><g transform="scale(0.2127659574468085,3.3333333333333335)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 0 Q 470 0 470 0 L 470 30 Q 470 30 470 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 0 Q 470 0 470 0 L 470 30 Q 470 30 470 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(-1,1.2246467991473532e-16,-1.2246467991473532e-16,-1,840,150)"><g><g transform="translate(0,0) scale(4.7,0.3)"><g><g transform="scale(0.2127659574468085,3.3333333333333335)"><path fill="#c9daf8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 30 L 0 30 L 0 0 Z"/><path fill="none" stroke="#c9daf8" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 30 L 0 30 L 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,370,120)"><g><g transform="translate(0,0) scale(4.7,0.3)"><g><g transform="scale(0.2127659574468085,3.3333333333333335)"><path fill="#fff2cc" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 30 L 0 30 L 0 0 Z"/><path fill="none" stroke="#fff2cc" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 30 L 0 30 L 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,380,126)"><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="450" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="450" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="167.1666717529297" y="0.75" width="116" height="17" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="167.1666717529297" y="0.75" width="116" height="17" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="normal" text-decoration="" line-height="18.5px" x="167.1666717529297" y="14.75">Layer</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="normal" text-decoration="" line-height="18.5px" x="211.64999389648438" y="14.75">2</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="normal" text-decoration="" line-height="18.5px" x="225" y="14.75">Payload</text></g><g><g/></g></g><g transform="translate(0,0) matrix(1,0,0,1,370,120)"><g><g transform="translate(0,0) scale(4.7,0.3)"><g><path fill="rgb(255,255,255)" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z" fill-opacity="0.008"/><g transform="scale(0.2127659574468085,3.3333333333333335)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 0 Q 470 0 470 0 L 470 30 Q 470 30 470 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 470 0 Q 470 0 470 0 L 470 30 Q 470 30 470 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,30,30)"><g><g transform="translate(0,0) scale(0.35,0.3)"><g><path fill="#c9daf8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.857142857142857,3.3333333333333335)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 35 0 Q 35 0 35 0 L 35 30 Q 35 30 35 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 35 0 Q 35 0 35 0 L 35 30 Q 35 30 35 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,39,36)"><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="18" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="18" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0.7833404541015625" y="0.75" width="16" height="17" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0.7833404541015625" y="0.75" width="16" height="17" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0.7833404541015625" y="0.75" width="16" height="17" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="normal" text-decoration="" line-height="18.5px" x="0.7833404541015625" y="14.75">ID</text></g><g><g/></g></g><g transform="translate(0,0) matrix(1,0,0,1,65,30)"><g><g transform="translate(0,0) scale(1.2500000000000002,0.3)"><g><path fill="#b6d7a8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(0.7999999999999998,3.3333333333333335)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 125.00000000000003 0 Q 125.00000000000003 0 125.00000000000003 0 L 125.00000000000003 30 Q 125.00000000000003 30 125.00000000000003 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 125.00000000000003 0 Q 125.00000000000003 0 125.00000000000003 0 L 125.00000000000003 30 Q 125.00000000000003 30 125.00000000000003 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,330,120)"><g><g transform="translate(0,0) scale(0.4,0.3)"><g><path fill="#c9daf8" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.5,3.3333333333333335)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 40 0 Q 40 0 40 0 L 40 30 Q 40 30 40 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 40 0 Q 40 0 40 0 L 40 30 Q 40 30 40 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,295,120)"><g><g transform="translate(0,0) scale(0.35,0.3)"><g><path fill="#fff2cc" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.857142857142857,3.3333333333333335)"><path fill="none" stroke="none" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 35 0 Q 35 0 35 0 L 35 30 Q 35 30 35 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#333333" stroke-dasharray="1.7976931348623157e+308" d="M 0 0 L 35 0 Q 35 0 35 0 L 35 30 Q 35 30 35 30 L 0 30 Q 0 30 0 30 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,304,126)"><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="18" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="18" height="19" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0.7833404541015625" y="0.75" width="16" height="17" fill-opacity="0"/></g></g><g><g><rect fill="rgb(0,0,0)" stroke="none" x="0.7833404541015625" y="0.75" width="16" height="17" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="&quot;Arial&quot;" font-size="16px" font-style="normal" font-weight="normal" text-decoration="" line-height="18.5px" x="0.7833404541015625" y="14.75">ID</text></g><g><g/></g></g></g></svg>
\ No newline at end of file
diff --git a/doc/frameworks/packet-analysis.rst b/doc/frameworks/packet-analysis.rst
new file mode 100644
index 0000000000..b77ef607a4
--- /dev/null
+++ b/doc/frameworks/packet-analysis.rst
@@ -0,0 +1,170 @@
+
+.. _packet-analysis:
+
+===============
+Packet Analysis
+===============
+
+.. TODO: integrate BoZ revisions
+
+.. rst-class:: opening
+
+  The Packet Analysis plugin architecture handles parsing of packet headers at
+  layers below Zeek's existing Session analysis. In particular, this allows to
+  add new link and network layer protocols to Zeek.
+  This section provides an overview of the underlying architecture as well as
+  an example-based walk-through. For further details, consider to take a look
+  at the built-in packet analyzers as well as the packet analyzer tests.
+
+The Flow of Packets
+===================
+
+The basic packet flow through Zeek is as follows.  First, an ``IOSource`` deals with
+getting the packets into Zeek. While an ``IOSource`` can be used to interface all
+sorts of capturing mechanisms, the default source makes use of libpcap to either
+read PCAP files or sniff an interface. Once acquired, a packet is handed into
+the packet analysis and processed layer by layer.
+
+.. figure:: packet-analysis-pdu.svg
+    :width: 600
+    :align: center
+    :alt: Nesting of Protocol Data Units (PDUs)
+    :target: ../_images/netcontrol-openflow.png
+
+    Nesting of Protocol Data Units (PDUs).
+
+At the lower layers, Protocol Data Units (PDUs) typically consist of a header
+and a payload, where the payload is the next layer's PDU and the header carries
+a numeric identifier that determines the encapsulated protocol (see figure
+above, where "ID" denotes the location of such a numeric protocol identifier
+within the header).
+
+Each packet analyzer parses the packet's header according to the implemented
+protocol, determines a suitable analyzer for the encapsulated protocol and hands its
+payload to that next analyzer. Once the IP layer is reached, packet analysis is
+finished and Zeek continues by constructing a session for the observed
+connection. After session analysis, which includes processing of TCP and UDP,
+the packet continues its journey into the land of application layer analyzers.
+There, Dynamic Protocol Detection is used to determine the application layer
+protocol and continue the analysis.
+
+Packet Analyzer Configuration
+=============================
+
+The following script shows an example configuration of the Ethernet packet
+analyzer:
+
+.. literalinclude:: packet-analysis-1-ethernet.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Within :zeek:see:`zeek_init`, various EtherType-to-PacketAnalyzer mappings are
+registered by using :zeek:see:`PacketAnalyzer::register_packet_analyzer`.  For
+example, for EtherType ``0x8864``, the packet's payload is passed to the PPPoE
+analyzer.
+
+The ``default_analyzer`` analyzer specifies which packet analyzer to use if
+none of the mappings matched. In case of Ethernet, we try to fall back to IP.
+
+Furthermore, Ethernet needs to handle different types of frames, with three of
+them identified using the first payload bytes (see `Wikipedia
+<https://en.wikipedia.org/wiki/Ethernet_frame#Types>`_).
+As the EtherType needs to be interpreted with respect to the frame type in these
+cases, the Ethernet analyzer provides three additional configuration parameters,
+``snap_analyzer``, ``novell_raw_analyzer``, and ``llc_analyzer``.
+to configure analyzers that handle the different frame types.
+
+.. note::
+
+  There are a few conventions involved here:
+
+  * The name of the module is expected to be ``PacketAnalyzer::<analyzer's canonical name>``.
+  * The default analyzer is expected to be named ``default_analyzer``.
+
+Packet analysis starts at a root analyzer that dispatches based on the link
+types obtained from the ``IOSource``. Accordingly
+:doc:`/scripts/base/packet-protocols/root/main.zeek` contains the following
+call to integrate the Ethernet analyzer:
+
+.. code-block:: zeek
+
+  PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_EN10MB, PacketAnalyzer::ANALYZER_ETHERNET);
+
+Packet Analyzer API
+===================
+
+Just like for other parts of Zeek, a plugin may provide a packet analyzer by
+adding a packet analysis component that instantiates an analyzer. The packet
+analyzer itself is implemented by inheriting from
+``zeek::packet_analysis::Analyzer`` and overriding the ``AnalyzePacket()``
+method. The following is an excerpt from a test case that shows the exemplary
+analysis of LLC:
+
+.. literalinclude:: packet-analysis-2-llc.cc
+   :caption:
+   :language: C++
+   :linenos:
+   :tab-width: 4
+
+First, we verify that the size of the packet matches what we expect. If that is
+not the case, we create a weird using the ``Packet`` object that is passed along
+the chain of analyzers. To signal that the analysis failed, the method returns
+``false``. For valid packets, we just read some protocol-specific values. As of
+now, there is no mechanism to pass extracted meta data on to other analyzers.
+While it is possible to trigger events that receive these values as parameters,
+keep in mind that handling events for every packet can be *extremely
+expensive*. However, for our test case we defined an event as follows in a
+separate ``.bif`` file:
+
+.. code-block:: zeek
+
+  event llc_demo_message%(dsap: count, ssap: count, control: count%);
+
+Before we can expect the event to be generated, we need to integrate the
+analyzer. The configuration might be included in the scripts that are shipped
+with the packet analyzer. For example, one could add a new EtherType by
+adding a call to :zeek:see:`PacketAnalyzer::register_packet_analyzer` from
+within a :zeek:see:`zeek_init` event handler.
+For the LLC example we redefine one of the additional constants:
+
+.. code-block:: zeek
+
+  redef PacketAnalyzer::ETHERNET::llc_analyzer = PacketAnalyzer::ANALYZER_LLC_DEMO;
+
+In this example, packet analysis as well as all further analysis ends with the
+LLC analyzer. The ``ForwardPacket()`` method can be used to pass data to another
+packet analyzer. The method takes a pointer to the beginning of the data to
+process (usually the start of the payload in the current context), the length of
+the data to process, a pointer to the ``Packet`` object and an identifier. The
+identifier would be used to lookup the next analyzer based on which other
+analyzers were previously associated with LLC as a parent analyzer in a call to
+:zeek:see:`PacketAnalyzer::register_packet_analyzer`.  If there is no
+previously-registered analyzer that matches the identifier, it will fall back
+to the ``default_analyzer`` if available.
+
+In case a packet analyzer requires initialization, e.g., reading additional
+configuration values from script-land, this can be implemented by overriding
+the ``Initialize()`` method. When overriding this method, always make sure to
+call the base-class version to ensure proper initialization.
+
+With the addition of the transport-layer analyzer to the packet analysis framework,
+it's now possible to register for ports as the identifier. This is natural, given
+that a port number is just another numeric identifier for moving from one
+protocol to another. Packet analyzers should call
+``PacketAnalyzer::register_for_port`` or ``PacketAnalyzer::register_for_ports``
+to ensure that the ports are also stored in the global ``Analyzer::ports`` table for
+use with BPF filters.
+
+The packet analysis framework also provides a ``register_protocol_detection``
+method that is used to register a packet analyzer to use protocol detection
+instead of using a numeric identifier. Analyzers can use this method and then
+override ``Analyzer::DetectProtocol`` to search the packet data for byte strings
+or other markers to detect whether a protocol exists in the data. This is similar
+to how DPD works for non-packet analyzers, but is not limited to pattern matching.
+
+.. note::
+
+  When writing your own packet analyzer, take a look into the existing code to
+  identify idiomatic ways to handle tasks like looking up configuration values.
diff --git a/doc/frameworks/signatures.rst b/doc/frameworks/signatures.rst
new file mode 100644
index 0000000000..c1dc8dbd18
--- /dev/null
+++ b/doc/frameworks/signatures.rst
@@ -0,0 +1,486 @@
+
+===================
+Signature Framework
+===================
+
+.. rst-class:: opening
+
+    Zeek relies primarily on its extensive scripting language for
+    defining and analyzing detection policies, but it also
+    provides an independent *signature language* for doing
+    low-level, Snort-style pattern matching. While signatures are
+    *not* Zeek's preferred detection tool, they sometimes come in handy
+    and are closer to what many people are familiar with from using
+    other NIDS. This page gives a brief overview on Zeek's signatures
+    and covers some of their technical subtleties.
+
+Basics
+======
+
+Let's look at an example signature first::
+
+    signature my-first-sig {
+        ip-proto == tcp
+        dst-port == 80
+        payload /.*root/
+        event "Found root!"
+    }
+
+This signature asks Zeek to match the regular expression ``.*root`` on
+all TCP connections going to port 80. When the signature triggers, Zeek
+will raise an event :zeek:id:`signature_match` of the form:
+
+.. code-block:: zeek
+
+    event signature_match(state: signature_state, msg: string, data: string)
+
+Here, ``state`` contains more information on the connection that
+triggered the match, ``msg`` is the string specified by the
+signature's event statement (``Found root!``), and data is the last
+piece of payload which triggered the pattern match.
+
+.. versionadded:: 7.1
+
+An alternative form of :zeek:id:`signature_match` has an additional ``end_of_match`` parameter.
+
+.. code-block:: zeek
+
+    event signature_match(state: signature_state, msg: string, data: string, end_of_match: count)
+
+The ``end_of_match`` parameter represents the offset into ``data`` where
+the match ended, or said differently, the length of the matching data within ``data``.
+If a signature matches across packet boundaries, ``data`` contains just the
+payload of the packet where a signature match triggered.
+
+To turn such :zeek:id:`signature_match` events into actual alarms, you can
+load Zeek's :doc:`/scripts/base/frameworks/signatures/main.zeek` script.
+This script contains a default event handler that raises
+:zeek:enum:`Signatures::Sensitive_Signature` :doc:`Notices <notice>`
+(as well as others; see the beginning of the script).
+
+As documented in :ref:`signatures-actions`, it's possible to use a custom
+event instead of :zeek:id:`signature_match`.
+
+As signatures are independent of Zeek's scripts, they are put into
+their own file(s). There are three ways to specify which files contain
+signatures: By using the ``-s`` flag when you invoke Zeek, or by
+extending the Zeek variable :zeek:id:`signature_files` using the ``+=``
+operator, or by using the ``@load-sigs`` directive inside a Zeek script.
+If a signature file is given without a full path, it is searched for
+along the normal ``ZEEKPATH``.  Additionally, the ``@load-sigs``
+directive can be used to load signature files in a path relative to the
+Zeek script in which it's placed, e.g. ``@load-sigs ./mysigs.sig`` will
+expect that signature file in the same directory as the Zeek script. The
+default extension of the file name is ``.sig``, and Zeek appends that
+automatically when necessary.
+
+Signature Language for Network Traffic
+======================================
+
+Let's look at the format of a signature more closely. Each individual
+signature has the format ``signature <id> { <attributes> }``, where ``<id>``
+is a unique label for the signature. There are two types of
+attributes: *conditions* and *actions*. The conditions define when the
+signature matches, while the actions declare what to do in the case of
+a match. Conditions can be further divided into four types: *header*,
+*content*, *dependency*, and *context*. We discuss these all in more
+detail in the following.
+
+Conditions
+----------
+
+Header Conditions
+~~~~~~~~~~~~~~~~~
+
+Header conditions limit the applicability of the signature to a subset
+of traffic that contains matching packet headers.  This type of matching
+is performed only for the first packet of a connection.
+
+There are pre-defined header conditions for some of the most used
+header fields. All of them generally have the format ``<keyword> <cmp>
+<value-list>``, where ``<keyword>`` names the header field; ``cmp`` is
+one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``; and
+``<value-list>`` is a list of comma-separated values or value-ranges to
+compare against (e.g. ``5,7-10`` for numbers 5 to 10, excluding 6).
+The following keywords are defined:
+
+``src-ip``/``dst-ip <cmp> <address-list>``
+    Source and destination address, respectively. Addresses can be given
+    as IPv4 or IPv6 addresses or CIDR masks.  For IPv6 addresses/masks
+    the colon-hexadecimal representation of the address must be enclosed
+    in square brackets (e.g. ``[fe80::1]`` or ``[fe80::0]/16``).
+
+``src-port``/``dst-port <cmp> <int-list>``
+    Source and destination port, respectively.
+
+``ip-proto <cmp> tcp|udp|icmp|icmp6|ip|ip6``
+    IPv4 header's Protocol field or the Next Header field of the final
+    IPv6 header (i.e. either Next Header field in the fixed IPv6 header
+    if no extension headers are present or that field from the last
+    extension header in the chain).  Note that the IP-in-IP forms of
+    tunneling are automatically decapsulated by default and signatures
+    apply to only the inner-most packet, so specifying ``ip`` or ``ip6``
+    is a no-op.
+
+For lists of multiple values, they are sequentially compared against
+the corresponding header field. If at least one of the comparisons
+evaluates to true, the whole header condition matches (exception: with
+``!=``, the header condition only matches if all values differ).
+
+In addition to these pre-defined header keywords, a general header
+condition can be defined either as::
+
+    header <proto>[<offset>:<size>] [& <integer>] <cmp> <value-list>
+
+This compares the value found at the given position of the packet header
+with a list of values. ``offset`` defines the position of the value
+within the header of the protocol defined by ``proto`` (which can be
+``ip``, ``ip6``, ``tcp``, ``udp``, ``icmp`` or ``icmp6``). ``size`` is
+either 1, 2, or 4 and specifies the value to have a size of this many
+bytes. If the optional ``& <integer>`` is given, the packet's value is
+first masked with the integer before it is compared to the value-list.
+``cmp`` is one of ``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``.
+``value-list`` is a list of comma-separated integers or integer-ranges
+similar to those described above.  The integers within the list may be
+followed by an additional ``/ mask`` where ``mask`` is a value from 0 to 32.
+This corresponds to the CIDR notation for netmasks and is translated into a
+corresponding bitmask applied to the packet's value prior to the
+comparison (similar to the optional ``& integer``).  IPv6 address values
+are not allowed in the value-list, though you can still inspect any 1,
+2, or 4 byte section of an IPv6 header using this keyword.
+
+Putting it all together, this is an example condition that is
+equivalent to ``dst-ip == 1.2.3.4/16, 5.6.7.8/24``::
+
+    header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24
+
+Note that the analogous example for IPv6 isn't currently possible since
+4 bytes is the max width of a value that can be compared.
+
+Content Conditions
+~~~~~~~~~~~~~~~~~~
+
+Content conditions are defined by regular expressions. We
+differentiate two kinds of content conditions: first, the expression
+may be declared with the ``payload`` statement, in which case it is
+matched against the raw payload of a connection (for reassembled TCP
+streams) or of each packet (for ICMP, UDP, and non-reassembled TCP).
+Second, it may be prefixed with an analyzer-specific label, in which
+case the expression is matched against the data as extracted by the
+corresponding analyzer.
+
+A ``payload`` condition has the form::
+
+    payload /<regular expression>/
+
+Currently, the following analyzer-specific content conditions are
+defined (note that the corresponding analyzer has to be activated by
+loading its policy script):
+
+``http-request /<regular expression>/``
+    The regular expression is matched against decoded URIs of HTTP
+    requests. Obsolete alias: ``http``.
+
+``http-request-header /<regular expression>/``
+    The regular expression is matched against client-side HTTP headers.
+
+``http-request-body /<regular expression>/``
+    The regular expression is matched against client-side bodys of
+    HTTP requests.
+
+``http-reply-header /<regular expression>/``
+    The regular expression is matched against server-side HTTP headers.
+
+``http-reply-body /<regular expression>/``
+    The regular expression is matched against server-side bodys of
+    HTTP replies.
+
+``ftp /<regular expression>/``
+    The regular expression is matched against the command line input
+    of FTP sessions.
+
+``finger /<regular expression>/``
+    The regular expression is matched against finger requests.
+
+For example, ``http-request /.*(etc/(passwd|shadow)/`` matches any URI
+containing either ``etc/passwd`` or ``etc/shadow``. To filter on request
+types, e.g. ``GET``, use ``payload /GET /``.
+
+Note that HTTP pipelining (that is, multiple HTTP transactions in a
+single TCP connection) has some side effects on signature matches. If
+multiple conditions are specified within a single signature, this
+signature matches if all conditions are met by any HTTP transaction
+(not necessarily always the same!) in a pipelined connection.
+
+Dependency Conditions
+~~~~~~~~~~~~~~~~~~~~~
+
+To define dependencies between signatures, there are two conditions:
+
+
+``requires-signature [!] <id>``
+    Defines the current signature to match only if the signature given
+    by ``id`` matches for the same connection. Using ``!`` negates the
+    condition: The current signature only matches if ``id`` does not
+    match for the same connection (using this defers the match
+    decision until the connection terminates).
+
+``requires-reverse-signature [!] <id>``
+    Similar to ``requires-signature``, but ``id`` has to match for the
+    opposite direction of the same connection, compared to the current
+    signature. This allows to model the notion of requests and
+    replies.
+
+Context Conditions
+~~~~~~~~~~~~~~~~~~
+
+Context conditions pass the match decision on to other components of
+Zeek. They are only evaluated if all other conditions have already
+matched. The following context conditions are defined:
+
+``eval <policy-function>``
+    The given policy function is called and has to return a boolean
+    confirming the match. If false is returned, no signature match is
+    going to be triggered. The function has to be of type ``function
+    cond(state: signature_state, data: string): bool``. Here,
+    ``data`` may contain the most recent content chunk available at
+    the time the signature was matched. If no such chunk is available,
+    ``data`` will be the empty string. See :zeek:type:`signature_state`
+    for its definition.
+
+``payload-size <cmp> <integer>``
+    Compares the integer to the size of the payload of a packet. For
+    reassembled TCP streams, the integer is compared to the size of
+    the first in-order payload chunk. Note that the latter is not very
+    well defined.
+
+``same-ip``
+    Evaluates to true if the source address of the IP packets equals
+    its destination address.
+
+``tcp-state <state-list>``
+    Imposes restrictions on the current TCP state of the connection.
+    ``state-list`` is a comma-separated list of the keywords
+    ``established`` (the three-way handshake has already been
+    performed), ``originator`` (the current data is send by the
+    originator of the connection), and ``responder`` (the current data
+    is send by the responder of the connection).
+
+``udp-state <state-list>``
+    Imposes restrictions on which UDP flow direction to match.  ``state-list``
+    is a comma-separated list of either ``originator`` (the current data is
+    send by the originator of the connection) or ``responder`` (the current
+    data is send by the responder of the connection).  The ``established``
+    state is rejected as an error in the signature since it does not have a
+    useful meaning like it does for TCP.
+
+.. _signatures-actions:
+
+Actions
+-------
+
+Actions define what to do if a signature matches. Currently, there are
+two actions defined, ``event`` and ``enable``.
+
+``event <string>``
+    Raises a :zeek:id:`signature_match` event. The event handler has either
+    of the following types:
+
+    .. code-block:: zeek
+
+        event signature_match(state: signature_state, msg: string, data: string)
+
+        event signature_match(state: signature_state, msg: string, data: string, end_of_match: count)
+
+    The given string is passed in as ``msg``, and data is the current
+    part of the payload that has eventually lead to the signature
+    match (this may be empty for signatures without content
+    conditions). The ``end_of_match`` parameter represents the length of
+    the matching payload in ``data``.
+
+``event event_name [string]``
+
+    .. versionadded:: 6.2
+
+    To raise a custom event, the event's name can be inserted before the string::
+
+        event my_signature_match "Found root!"
+
+    Instead of :zeek:id:`signature_match`, this raises ``my_signature_match``.
+    The parameters for the ``my_signature_match`` event are expected to be the
+    same as for :zeek:id:`signature_match`.
+
+    It is further possible to omit the string altogether::
+
+      event found_root
+
+    In this case, the type of the ``found_root`` event handler does not have
+    a ``msg`` parameter:
+
+    .. code-block:: zeek
+
+        event found_root(state: signature_state, data: string)
+
+    Like the :zeek:id:`signature_match` event, custom events can have an additional
+    ``end_of_match`` parameter.
+
+    .. code-block:: zeek
+
+        event found_root(state: signature_state, data: string, end_of_match: count)
+
+    .. note::
+
+      Matches for signatures that use custom events do not appear
+      in :file:`signatures.log`.
+
+
+``enable <string>``
+    Enables the protocol analyzer ``<string>`` for the matching
+    connection (``"http"``, ``"ftp"``, etc.). This is used by Zeek's
+    dynamic protocol detection to activate analyzers on the fly.
+
+Signature Language for File Content
+===================================
+
+The signature framework can also be used to identify MIME types of files
+irrespective of the network protocol/connection over which the file is
+transferred.  A special type of signature can be written for this
+purpose and will be used automatically by the :doc:`Files Framework
+<file-analysis>` or by Zeek scripts that use the :zeek:see:`file_magic`
+built-in function.
+
+Conditions
+----------
+
+File signatures use a single type of content condition in the form of a
+regular expression:
+
+``file-magic /<regular expression>/``
+
+This is analogous to the ``payload`` content condition for the network
+traffic signature language described above.  The difference is that
+``payload`` signatures are applied to payloads of network connections,
+but ``file-magic`` can be applied to any arbitrary data, it does not
+have to be tied to a network protocol/connection.
+
+Actions
+-------
+
+Upon matching a chunk of data, file signatures use the following action
+to get information about that data's MIME type:
+
+``file-mime <string> [, <integer>]``
+
+The arguments include the MIME type string associated with the file
+magic regular expression and an optional "strength" as a signed integer.
+Since multiple file magic signatures may match against a given chunk of
+data, the strength value may be used to help choose a "winner".  Higher
+values are considered stronger.
+
+Things to keep in mind when writing signatures
+==============================================
+
+* Each signature is reported at most once for every connection,
+  further matches of the same signature are ignored.
+
+* The content conditions perform pattern matching on elements
+  extracted from an application protocol dialogue. For example, ``http
+  /.*passwd/`` scans URLs requested within HTTP sessions. The thing to
+  keep in mind here is that these conditions only perform any matching
+  when the corresponding application analyzer is actually *active* for
+  a connection. Note that by default, analyzers are not enabled if the
+  corresponding Zeek script has not been loaded. A good way to
+  double-check whether an analyzer "sees" a connection is checking its
+  log file for corresponding entries. If you cannot find the
+  connection in the analyzer's log, very likely the signature engine
+  has also not seen any application data.
+
+* As the name indicates, the ``payload`` keyword matches on packet
+  *payload* only. You cannot use it to match on packet headers; use
+  the header conditions for that.
+
+* For TCP connections, header conditions are only evaluated for the
+  *first packet from each endpoint*. If a header condition does not
+  match the initial packets, the signature will not trigger. Zeek
+  optimizes for the most common application here, which is header
+  conditions selecting the connections to be examined more closely
+  with payload statements.
+
+* For UDP and ICMP flows, the payload matching is done on a per-packet
+  basis; i.e., any content crossing packet boundaries will not be
+  found. For TCP connections, the matching semantics depend on whether
+  Zeek is *reassembling* the connection (i.e., putting all of a
+  connection's packets in sequence). By default, Zeek is reassembling
+  the first 1K of every TCP connection, which means that within this
+  window, matches will be found without regards to packet order or
+  boundaries (i.e., *stream-wise matching*).
+
+* For performance reasons, by default Zeek *stops matching* on a
+  connection after seeing 1K of payload; see the section on options
+  below for how to change this behaviour. The default was chosen with
+  Zeek's main user of signatures in mind: dynamic protocol detection
+  works well even when examining just connection heads.
+
+* Regular expressions are implicitly anchored, i.e., they work as if
+  prefixed with the ``^`` operator. For reassembled TCP connections,
+  they are anchored at the first byte of the payload *stream*. For all
+  other connections, they are anchored at the first payload byte of
+  each packet. To match at arbitrary positions, you can prefix the
+  regular expression with ``.*``, as done in the examples above.
+
+* To match on non-ASCII characters, Zeek's regular expressions support
+  the ``\x<hex>`` operator. CRs/LFs are not treated specially by the
+  signature engine and can be matched with ``\r`` and ``\n``,
+  respectively. Generally, Zeek follows `flex's regular expression
+  syntax
+  <http://westes.github.io/flex/manual/Patterns.html>`_.
+  See the DPD signatures in ``base/frameworks/dpd/dpd.sig`` for some examples
+  of fairly complex payload patterns.
+
+* The data argument of the :zeek:id:`signature_match` handler might not carry
+  the full text matched by the regular expression. Zeek performs the
+  matching incrementally as packets come in; when the signature
+  eventually fires, it can only pass on the most recent chunk of data.
+
+
+Options
+=======
+
+The following options control details of Zeek's matching process:
+
+* :zeek:see:`dpd_reassemble_first_packets`
+
+    If true, Zeek reassembles the beginning of every TCP connection (of
+    up to :zeek:see:`dpd_buffer_size` bytes, see below also), to facilitate
+    reliable matching across packet boundaries. If false, only
+    connections are reassembled for which an application-layer
+    analyzer gets activated (e.g., by Zeek's dynamic protocol
+    detection).
+
+* :zeek:see:`dpd_match_only_beginning`
+
+    If true, Zeek performs packet matching only within the initial payload
+    window of :zeek:see:`dpd_buffer_size`. If false, it keeps matching
+    on subsequent payload as well.
+
+* :zeek:see:`dpd_buffer_size`
+
+    Defines the buffer size for the two preceding options. In
+    addition, this value determines the amount of bytes Zeek buffers
+    for each connection in order to activate application analyzers
+    even after parts of the payload have already passed through. This
+    is needed by the dynamic protocol detection capability to defer
+    the decision of which analyzers to use.
+
+So, how about using Snort signatures with Zeek?
+===============================================
+
+There was once a script, ``snort2bro``, that converted Snort signatures
+automatically into Zeek's (then called "Bro") signature syntax.
+However, in our experience this didn't turn out to be a very useful
+thing to do because by simply using Snort signatures, one can't benefit
+from the additional capabilities that Zeek provides; the approaches of
+the two systems are just too different. We therefore stopped maintaining
+the ``snort2bro`` script, and there are now many newer Snort options
+which it doesn't support. The script is now no longer part of the Zeek
+distribution.
diff --git a/doc/frameworks/sqlite-conn-filter.zeek b/doc/frameworks/sqlite-conn-filter.zeek
new file mode 100644
index 0000000000..2e4a455f3e
--- /dev/null
+++ b/doc/frameworks/sqlite-conn-filter.zeek
@@ -0,0 +1,12 @@
+event zeek_init()
+    {
+    local filter: Log::Filter =
+        [
+        $name="sqlite",
+        $path="/var/db/conn",
+        $config=table(["tablename"] = "conn"),
+        $writer=Log::WRITER_SQLITE
+        ];
+    
+     Log::add_filter(Conn::LOG, filter);
+    }
diff --git a/doc/frameworks/sqlite-read-events.zeek b/doc/frameworks/sqlite-read-events.zeek
new file mode 100644
index 0000000000..f14513e0cb
--- /dev/null
+++ b/doc/frameworks/sqlite-read-events.zeek
@@ -0,0 +1,40 @@
+@load frameworks/files/hash-all-files
+
+type Val: record {
+    hash: string;
+    description: string;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, r: Val)
+    {
+    print fmt("malware-hit with hash %s, description %s", r$hash, r$description);
+    }
+
+global malware_source = "/var/db/malware";
+
+event file_hash(f: fa_file, kind: string, hash: string)
+    {
+
+    # check all sha1 hashes
+    if ( kind=="sha1" )
+        {
+        Input::add_event(
+            [
+            $source=malware_source,
+            $name=hash,
+            $fields=Val,
+            $ev=line,
+            $want_record=T,
+            $config=table(
+                ["query"] = fmt("select * from malware_hashes where hash='%s';", hash)
+                ),
+            $reader=Input::READER_SQLITE
+            ]);
+        }
+    }
+
+event Input::end_of_data(name: string, source:string)
+    {
+    if ( source == malware_source )
+        Input::remove(name);
+    }
diff --git a/doc/frameworks/sqlite-read-table.zeek b/doc/frameworks/sqlite-read-table.zeek
new file mode 100644
index 0000000000..12499f0c4d
--- /dev/null
+++ b/doc/frameworks/sqlite-read-table.zeek
@@ -0,0 +1,35 @@
+type Idx: record {
+    host: addr;
+};
+
+type Val: record {
+    users: set[string];
+};
+
+global hostslist: table[addr] of Val = table();
+
+event zeek_init()
+    {
+    Input::add_table([$source="/var/db/hosts",
+        $name="hosts",
+        $idx=Idx,
+        $val=Val,
+        $destination=hostslist,
+        $reader=Input::READER_SQLITE,
+        $config=table(["query"] = "select * from machines_to_users;")
+        ]);
+
+    Input::remove("hosts");
+    }
+
+event Input::end_of_data(name: string, source: string)
+    {
+    if ( name != "hosts" )
+        return;
+
+    # now all data is in the table
+    print "Hosts list has been successfully imported";
+
+    # List the users of one host.
+    print hostslist[192.168.17.1]$users;
+    }
diff --git a/doc/frameworks/storage.rst b/doc/frameworks/storage.rst
new file mode 100644
index 0000000000..98fc5c7688
--- /dev/null
+++ b/doc/frameworks/storage.rst
@@ -0,0 +1,216 @@
+.. _framework-storage:
+
+.. versionadded:: 7.2
+
+=================
+Storage Framework
+=================
+
+The storage framework provides a plugin-based system for short- and long-term storage of
+data, accessible from Zeek script-land. This is not packet data itself, but data artifacts
+generated from the packet data. It has interchangeable asynchronous and synchronous
+modes. The framework provides just a simple key-value store, using Zeek values as the keys
+to store and lookup data.
+
+This chapter gives an overview of the storage framework, plus examples of using it. For
+more examples, see the test cases in ``testing/btest/scripts/base/frameworks/storage`` and
+an example storage plugin in ``testing/btest/plugin/storage-src``.
+
+Terminology
+===========
+
+Zeek's storage framework uses two main components:
+
+  Backend
+    A backend plugin provides access to a storage system. Backends can be network-based
+    storage systems such as Redis, on-disk database systems such as SQLite, etc. Backend
+    plugins can define script-level records for configuring them when they're opened. Zeek
+    provides backends for Redis and SQLite by default, but others may be implemented as
+    external packages.
+
+  Serializer
+    A serializer plugin provides a mechanism for converting data from Zeek scripts into
+    formats that backends can use.  Serializers are intended to be agnostic to
+    backends. They convert between Zeek values and opaque byte buffers, and backends
+    should be able to handle the result of any individual serializer. Zeek provides a JSON
+    serializer by default, but others may be implemented as external packages.
+
+Asynchronous Mode vs Synchronous Mode
+=====================================
+
+Storage backends support both asynchronous and synchronous modes. The difference between
+using the two modes is that asynchronous calls must be used as part of :zeek:see:`when`
+statements, whereas synchronous calls can be used either with ``when`` statements or
+called directly. Synchronous functions will block until the backend returns
+data. Otherwise, all of the arguments and return values are the same between them. They
+are split between two script-level modules: :zeek:see:`Storage::Async` loaded from
+``base/frameworks/storage/async`` and :zeek:see:`Storage::Sync` loaded from
+``base/frameworks/storage/sync``.
+
+When reading pcap data via the ``-r`` Zeek argument, all backends operate in a synchronous
+manner internally to ensure that Zeek's timers run correctly. Regardless of this behavior,
+asynchronous functions are required to be used with the ``when`` statement, but they'll
+essentially be translated to synchronous calls.
+
+Using the Storage Framework
+===========================
+
+All of the examples below use the SQLite backend. Usage of other backends follows the same
+model. Switching the examples to a different backend involves only using a different tag
+and options record with the :zeek:see:`Storage::Async::open_backend`/
+:zeek:see:`Storage::Sync::open_backend` functions.
+
+Operation Return Values
+-----------------------
+
+All backend methods return a record of type :zeek:see:`Storage::OperationResult`. This
+record contains a code that indicates the result of the operation. For failures, backends
+may provide more details in the optional error message. The record will also contain data
+for operations that return values, namely ``open_backend`` or ``get``.
+:zeek:see:`Storage::ReturnCode` contains all of the codes that can be returned from the
+various operations. Not all codes are valid for all operations.
+:zeek:see:`Storage::ReturnCode` can be redefined by backends to add new backend-specific
+statuscodes as needed.
+
+.. _storage-opening-closing:
+
+Opening and Closing a Backend
+-----------------------------
+
+Opening a backend starts with defining a set of options for that backend. The
+:zeek:see:`Storage::BackendOptions` is defined with some fields by default, but loading a
+policy for a specific backend type may add new fields to it. In the example below, we
+loaded the SQLite policy, which adds a new ``sqlite`` field with additional options. These
+options are filled in to denote where to store the sqlite database file and what table to
+use. This allows users to separate different instances of a backend from each other in a
+single database file.
+
+The script then sets a serializer. The storage framework sets this to the JSON
+(:zeek:see:`Storage::STORAGE_SERIALIZER_JSON`) serializer by default, but setting it
+explicitly is included below as an example.
+
+Calling :zeek:see:`Storage::Sync::open_backend` instantiates a backend connection. As
+described above, ``open_backend`` returns a :zeek:see:`Storage::OperationResult`. On
+success, it stores the handle to the backend in the ``value`` field of the result
+record. We check the ``code`` field as well to make sure the operation succeeded.  Backend
+handles can be stored in global values just like any other value. They can be opened
+during startup, such as in a :zeek:see:`zeek_init` event handler, and reused throughout
+the runtime of Zeek. When a backend is successfully opened, a
+:zeek:see:`Storage::backend_opened` event will be emitted.
+
+The two type arguments to ``open_backend`` define the script-level types for keys and
+values. Attempting to use other types with the backend results in
+:zeek:see:`Storage::KEY_TYPE_MISMATCH` errors.
+
+Lastly, we call :zeek:see:`Storage::Sync::close_backend` to close the backend before
+exiting. When a backend is successfully closed, a :zeek:see:`Storage::backend_lost` event
+will be emitted.
+
+.. code-block:: zeek
+
+  @load base/frameworks/storage/sync
+  @load policy/frameworks/storage/backend/sqlite
+
+  local backend_opts: Storage::BackendOptions;
+  local backend: Storage::BackendHandle;
+
+  # Loading the sqlite policy adds this field to the options record.
+  opts$sqlite = [$database_path="test.sqlite", $table_name="testing"];
+
+  # This is the default, but is shown here for how to set it.
+  opts$serializer = Storage::STORAGE_SERIALIZER_JSON;
+
+  local res = Storage::Sync::open_backend(Storage::STORAGE_BACKEND_SQLITE, opts, string, string);
+  if ( res$code == Storage::SUCCESS )
+    backend = res$value;
+
+  res = Storage::Sync::close_backend(backend);
+
+Storing, Retrieving, and Erasing Data
+-------------------------------------
+
+The true point of the storage framework is to store and retrieve data. This example shows
+making synchronous calls to add a new key/value pair to a backend, retrieve it, and erase
+the entry associated with the key. This assumes that the ``backend`` variable used below
+points to an opened backend handle. The idea is that users do not need to worry about the
+underlying backend implementation. In terms of Zeek's script-layer API, SQLite, Redis, or
+other backends should behave identically.
+
+First, we make a call to :zeek:see:`Storage::Sync::put`, passing a key and a value to be
+stored. These must be of the same types that were passed in the arguments to
+``open_backend``, as described in the :ref:`earlier section <storage-opening-closing>`.
+The arguments passed into ``put`` are contained in a record of type
+:zeek:see:`Storage::PutArgs`. See the documentation for that type for descriptions of the
+fields available. In this case, we specify a key and a value plus an expiration time. This
+expiration time indicates when the data should be automatically removed from the
+backend. We check the result value, and print the error string and return if the operation
+failed.
+
+Next, we attempt to retrieve the same key from the backend. Assuming that the key hasn't
+been erased, either manually or via expiration, the value is returned in the ``value``
+field of the result record. If the key has been removed already, the backend should return
+a :zeek:see:`Storage::KEY_NOT_FOUND` code.
+
+Finally, we manually attempt to erase the key. This will remove the key/value pair from
+the store, assuming that it hasn't already been removed manually or via expiration. Same
+as with ``get``, :zeek:see:`Storage::KEY_NOT_FOUND` should be returned if the key doesn't
+exist.
+
+.. code-block:: zeek
+
+  local res = Storage::Sync::put(backend, [$key="abc", $value="def", $expire_time=45sec]);
+  if ( res$code != Storage::SUCCESS )
+    {
+    print(res$error_str);
+    return;
+    }
+
+  res = Storage::Sync::get(backend, "abc");
+  if ( res$code != Storage::SUCCESS )
+    {
+    print(res$error_str);
+    return;
+    }
+
+  res = Storage:Sync::erase(backend, "abc");
+  if ( res$code != Storage::SUCCESS )
+    {
+    print(res$error_str);
+    return;
+    }
+
+Events
+======
+
+Two events exist for the storage framework: :zeek:see:`Storage::backend_lost` and
+:zeek:see:`Storage::backend_opened`. Both events were mentioned in the :ref:`example of
+opening and closing a backend <storage-opening-closing>`, but an additional point needs to
+be made about the :zeek:see:`Storage::backend_lost` event. This event is also raised when
+a connection is lost unexpectedly. This gives users information about connection failures,
+as well an opportunity to handle those failures by reconnecting.
+
+Notes for Built-in Backends
+===========================
+
+Redis
+-----
+
+- The Redis backend requires the ``hiredis`` library to installed on the system in order
+  to build. At least version 1.1.0 (Released Nov 2022) is required.
+
+- Redis server version 6.2.0 or later (or a third-party server implementing the equivalent
+  level of the Redis API) is required. This is due to some API features the backend uses
+  not being implemented until that version.
+
+SQLite
+------
+
+- The default batch of pragmas in :zeek:see:`Storage::Backend::SQLite::Options` set
+  ``journal_mode`` to ``WAL``. ``WAL`` mode does not work over network filesystems. If
+  this mode is used, the database file must be stored on the same computer as all of the
+  Zeek processes opening it. See the documentation in https://www.sqlite.org/wal.html for
+  more information.
+
+- Usage of in-memory databases (i.e. passing ``:memory:`` as the database path) will
+  result in data not being synced between nodes. Each process will open its own database
+  within that process's memory space.
diff --git a/doc/frameworks/sumstats-countconns.zeek b/doc/frameworks/sumstats-countconns.zeek
new file mode 100644
index 0000000000..5d899f9dd2
--- /dev/null
+++ b/doc/frameworks/sumstats-countconns.zeek
@@ -0,0 +1,36 @@
+@load base/frameworks/sumstats
+
+event connection_established(c: connection)
+	{
+	# Make an observation!
+	# This observation is global so the key is empty.
+	# Each established connection counts as one so the observation is always 1.
+	SumStats::observe("conn established", 
+	                  SumStats::Key(), 
+	                  SumStats::Observation($num=1));
+	}
+
+event zeek_init()
+	{
+	# Create the reducer.
+	# The reducer attaches to the "conn established" observation stream
+	# and uses the summing calculation on the observations.
+	local r1 = SumStats::Reducer($stream="conn established", 
+	                             $apply=set(SumStats::SUM));
+
+	# Create the final sumstat.
+	# We give it an arbitrary name and make it collect data every minute.
+	# The reducer is then attached and a $epoch_result callback is given 
+	# to finally do something with the data collected.
+	SumStats::create([$name = "counting connections",
+	                  $epoch = 1min,
+	                  $reducers = set(r1),
+	                  $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
+	                  	{
+	                  	# This is the body of the callback that is called when a single 
+	                  	# result has been collected.  We are just printing the total number
+	                  	# of connections that were seen.  The $sum field is provided as a 
+	                  	# double type value so we need to use %f as the format specifier.
+	                  	print fmt("Number of connections established: %.0f", result["conn established"]$sum);
+	                  	}]);
+	}
diff --git a/doc/frameworks/sumstats-toy-scan.zeek b/doc/frameworks/sumstats-toy-scan.zeek
new file mode 100644
index 0000000000..ba0e496603
--- /dev/null
+++ b/doc/frameworks/sumstats-toy-scan.zeek
@@ -0,0 +1,45 @@
+@load base/frameworks/sumstats
+
+# We use the connection_attempt event to limit our observations to those
+# which were attempted and not successful.
+event connection_attempt(c: connection)
+	{
+	# Make an observation!
+	# This observation is about the host attempting the connection.
+	# Each established connection counts as one so the observation is always 1.
+	SumStats::observe("conn attempted", 
+	                  SumStats::Key($host=c$id$orig_h), 
+	                  SumStats::Observation($num=1));
+	}
+
+event zeek_init()
+	{
+	# Create the reducer.
+	# The reducer attaches to the "conn attempted" observation stream
+	# and uses the summing calculation on the observations. Keep
+	# in mind that there will be one result per key (connection originator).
+	local r1 = SumStats::Reducer($stream="conn attempted", 
+	                             $apply=set(SumStats::SUM));
+
+	# Create the final sumstat.
+	# This is slightly different from the last example since we're providing
+	# a callback to calculate a value to check against the threshold with 
+	# $threshold_val.  The actual threshold itself is provided with $threshold.
+	# Another callback is provided for when a key crosses the threshold.
+	SumStats::create([$name = "finding scanners",
+	                  $epoch = 5min,
+	                  $reducers = set(r1),
+	                  # Provide a threshold.
+	                  $threshold = 5.0,
+	                  # Provide a callback to calculate a value from the result
+	                  # to check against the threshold field.
+	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
+	                  	{
+	                  	return result["conn attempted"]$sum;
+	                  	},
+	                  # Provide a callback for when a key crosses the threshold.
+	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
+	                  	{
+	                  	print fmt("%s attempted %.0f or more connections", key$host, result["conn attempted"]$sum);
+	                  	}]);
+	}
diff --git a/doc/frameworks/sumstats.rst b/doc/frameworks/sumstats.rst
new file mode 100644
index 0000000000..30b637de8b
--- /dev/null
+++ b/doc/frameworks/sumstats.rst
@@ -0,0 +1,112 @@
+
+.. _sumstats-framework:
+
+==================
+Summary Statistics
+==================
+
+.. TODO: integrate BoZ revisions
+
+.. rst-class:: opening
+
+    Measuring aspects of network traffic is an extremely common task in Zeek.
+    Zeek provides data structures which make this very easy as well in
+    simplistic cases such as size limited trace file processing. In
+    real-world deployments though, there are difficulties that arise from
+    clusterization (many processes sniffing traffic) and unbounded data sets
+    (traffic never stops). The Summary Statistics (otherwise referred to as
+    SumStats) framework aims to define a mechanism for consuming unbounded
+    data sets and making them measurable in practice on large clustered and
+    non-clustered Zeek deployments.
+
+Overview
+========
+
+The Sumstat processing flow is broken into three pieces. Observations, where
+some aspect of an event is observed and fed into the Sumstats framework.
+Reducers, where observations are collected and measured, typically by taking
+some sort of summary statistic measurement like average or variance (among
+others). Sumstats, where reducers have an epoch (time interval) that their
+measurements are performed over along with callbacks for monitoring thresholds
+or viewing the collected and measured data.
+
+Terminology
+===========
+
+    Observation
+
+        A single point of data. Observations have a few components of their
+        own. They are part of an arbitrarily named observation stream, they
+        have a key that is something the observation is about, and the actual
+        observation itself.
+
+    Reducer
+
+        Calculations are applied to an observation stream here to reduce the
+        full unbounded set of observations down to a smaller representation.
+        Results are collected within each reducer per-key so care must be
+        taken to keep the total number of keys tracked down to a reasonable
+        level.
+
+    Sumstat
+
+        The final definition of a Sumstat where one or more reducers is
+        collected over an interval, also known as an epoch. Thresholding can
+        be applied here along with a callback in the event that a threshold is
+        crossed. Additionally, a callback can be provided to access each
+        result (per-key) at the end of each epoch.
+
+Examples
+========
+
+These examples may seem very simple to an experienced Zeek script developer and
+they're intended to look that way. Keep in mind that these scripts will work
+on small single process Zeek instances as well as large many-worker clusters.
+The complications from dealing with flow based load balancing can be ignored
+by developers writing scripts that use Sumstats due to its built-in cluster
+transparency.
+
+Printing the number of connections
+----------------------------------
+
+Sumstats provides a simple way of approaching the problem of trying to count
+the number of connections over a given time interval.  Here is a script with
+inline documentation that does this with the Sumstats framework:
+
+.. literalinclude:: sumstats-countconns.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+When run on a sample PCAP file from the Zeek test suite, the following output
+is created:
+
+.. code-block:: console
+
+   $ zeek -r workshop_2011_browse.trace sumstats-countconns.zeek
+   Number of connections established: 6
+
+Toy scan detection
+------------------
+
+Taking the previous example even further, we can implement a simple detection
+to demonstrate the thresholding functionality.  This example is a toy to
+demonstrate how thresholding works in Sumstats and is not meant to be a
+real-world functional example.
+
+.. literalinclude:: sumstats-toy-scan.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Let's see if there are any hosts that crossed the threshold in a PCAP file
+containing a host running nmap:
+
+.. code-block:: console
+
+   $ zeek -r nmap-vsn.trace sumstats-toy-scan.zeek
+   192.168.1.71 attempted 5 or more connections
+
+It seems the host running nmap was detected!
diff --git a/doc/frameworks/supervisor.rst b/doc/frameworks/supervisor.rst
new file mode 100644
index 0000000000..9fa055519d
--- /dev/null
+++ b/doc/frameworks/supervisor.rst
@@ -0,0 +1,162 @@
+
+.. _framework-supervisor:
+
+====================
+Supervisor Framework
+====================
+
+.. rst-class:: opening
+
+    The Supervisor framework enables an entirely new mode for Zeek, one that
+    supervises a set of Zeek processes that are meant to be persistent.  A
+    Supervisor automatically revives any process that dies or exits prematurely
+    and also arranges for an ordered shutdown of the entire process tree upon
+    its own termination.  This Supervisor mode for Zeek provides the basic
+    foundation for process configuration/management that could be used to
+    deploy a Zeek cluster similar to what ZeekControl does, but is also simpler
+    to integrate as a standard system service.
+
+Simple Example
+==============
+
+A simple example of using the Supervisor to monitor one Zeek process
+sniffing packets from an interface looks like the following:
+
+.. code-block:: console
+
+  $ zeek -j simple-supervisor.zeek
+
+.. literalinclude:: supervisor/simple-supervisor.zeek
+   :caption: simple-supervisor.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+The command-line argument of ``-j`` toggles Zeek to run in "Supervisor mode" to
+allow for creation and management of child processes.  If you're going to test
+this locally, be sure to change ``en0`` to a real interface name you can sniff.
+
+Notice that the ``simple-supervisor.zeek`` script is loaded and executed by
+both the main Supervisor process and also the child Zeek process that it spawns
+via :zeek:see:`Supervisor::create` with :zeek:see:`Supervisor::is_supervisor`
+or :zeek:see:`Supervisor::is_supervised` being able to distinguish the
+Supervisor process from the supervised child process, respectively.
+You can also distinguish between multiple supervised child processes by
+inspecting the contents of :zeek:see:`Supervisor::node` (e.g. comparing node
+names).
+
+If you happened to be running this locally on an interface with checksum
+offloading and want Zeek to ignore checksums, instead simply run with the
+``-C`` command-line argument like:
+
+.. code-block:: console
+
+  $ zeek -j -C simple-supervisor.zeek
+
+Most command-line arguments to Zeek are automatically inherited by any
+supervised child processes that get created.  The notable ones that are *not*
+inherited are the options to read pcap files and live interfaces, ``-r`` and
+``-i``, respectively.
+
+For node-specific configuration options, see :zeek:see:`Supervisor::NodeConfig`
+which gets passed as argument to :zeek:see:`Supervisor::create`.
+
+Supervised Cluster Example
+==========================
+
+To run a full Zeek cluster similar to what you may already know, try the
+following script:
+
+.. code-block:: console
+
+  $ zeek -j cluster-supervisor.zeek
+
+.. literalinclude:: supervisor/cluster-supervisor.zeek
+   :caption: cluster-supervisor.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+This script now spawns four nodes: a cluster manager, logger, worker, and
+proxy.  It also configures each node to use a separate working directory
+corresponding to the node's name within the current working directory of the
+Supervisor process.  Any stdout/stderr output of the nodes is automatically
+redirected through the Supervisor process and prefixes with relevant
+information, like the node name that the output came from.
+
+The Supervisor process also listens on a port of its own for further
+instructions from other external/remote processes via
+:zeek:see:`Broker::listen`.  For example, you could use this other script to
+tell the Supervisor to restart all processes, perhaps to re-load Zeek scripts
+you've changed in the meantime:
+
+.. code-block:: console
+
+  $ zeek supervisor-control.zeek
+
+.. literalinclude:: supervisor/supervisor-control.zeek
+   :caption: supervisor-control.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Any Supervisor instruction you can perform via an API call in a local script
+can also be triggered via an associated external event.
+
+For further details, consult the ``Supervisor`` API at
+:doc:`/scripts/base/frameworks/supervisor/api.zeek` and
+``SupervisorControl`` API (for remote management) at
+:doc:`/scripts/base/frameworks/supervisor/control.zeek`.
+
+Internal Architecture
+=====================
+
+The following details aren't necessarily important for most users, but instead
+aim to give developers a high-level overview of how the process supervision
+framework is implemented.  The process tree in "supervisor" mode looks like:
+
+.. figure:: supervisor/zeek-supervisor-architecture.png
+
+The top-level "Supervisor" process does not directly manage any of the
+supervised nodes that are created.  Instead, it spawns in intermediate process,
+called "Stem", to manage the lifetime of supervised nodes.  This is done for
+two reasons:
+
+1. Avoids the need to ``exec()`` the supervised processes which requires
+   executing whatever version of the ``zeek`` binary happens to exist on
+   the filesystem at the time of call and it may have changed in the meantime.
+   This can help avoid potential incompatibility or race-condition pitfalls
+   associated with system maintenance/upgrades.  The one situation that does
+   still require an ``exec()`` is if the Stem process dies prematurely, but
+   that is expected to be a rare scenario.
+2. Zeek run-time operation generally taints global state, so creating an early
+   ``fork()`` for use as the Stem process provides a pure baseline image to use
+   for supervised processes.
+
+Ultimately, there are two tiers of process supervision happening: the
+Supervisor will revive the Stem process if needed and the Stem process will
+revive any of its children when needed.
+
+Also, either the Stem or any of its supervised children processes will
+automatically detect if they are orphaned from their parent process and
+self-terminate.  The Stem checks for orphaning simply by waking up every second
+from its ``poll()`` loop to look if its parent PID changed.  A supervised node
+checks for orphaning similarly, but instead does so from a recurring ``Timer``.
+Other than the orphaning-check and how it establishes the desired
+configuration from a combination of inheriting command-line arguments and
+inspecting Supervisor-specific options, a supervised node does not operate
+differently at run-time from a traditional Zeek process.
+
+Node Revival
+============
+
+The Supervisor framework assumes that supervised nodes run until something asks
+the Supervisor to stop them. When a supervised node exits unexpectedly, the Stem
+attempts to revive it during its periodic polling routine. This revival
+procedure implements exponential delay, as follows: starting from a delay of one
+second, the Stem revives the node up to 3 times. At that point, it doubles the
+revival delay, and again tries up to 3 times. This continues indefinitely: the
+Stem never gives up on a node, while the revival delay keeps growing. Once a
+supervised node has remained up for at least 30 seconds, the revival state
+clears and will start from scratch as just described, should the node exit
+again. The Supervisor codebase currently hard-wires these thresholds and delays.
diff --git a/doc/frameworks/supervisor/cluster-supervisor.zeek b/doc/frameworks/supervisor/cluster-supervisor.zeek
new file mode 100644
index 0000000000..0a920586ed
--- /dev/null
+++ b/doc/frameworks/supervisor/cluster-supervisor.zeek
@@ -0,0 +1,28 @@
+event zeek_init()
+	{
+	if ( ! Supervisor::is_supervisor() )
+		return;
+
+	Broker::listen("127.0.0.1", 9999/tcp);
+
+	local cluster: table[string] of Supervisor::ClusterEndpoint;
+	cluster["manager"] = [$role=Supervisor::MANAGER, $host=127.0.0.1, $p=10000/tcp];
+	cluster["logger"] = [$role=Supervisor::LOGGER, $host=127.0.0.1, $p=10001/tcp];
+	cluster["proxy"] = [$role=Supervisor::PROXY, $host=127.0.0.1, $p=10002/tcp];
+	cluster["worker"] = [$role=Supervisor::WORKER, $host=127.0.0.1, $p=10003/tcp, $interface="en0"];
+
+	for ( n, ep in cluster )
+		{
+		local sn = Supervisor::NodeConfig($name=n);
+		sn$cluster = cluster;
+		sn$directory = n;
+
+		if ( ep?$interface )
+			sn$interface = ep$interface;
+
+		local res = Supervisor::create(sn);
+
+		if ( res != "" )
+			print fmt("supervisor failed to create node '%s': %s", n, res);
+		}
+	}
diff --git a/doc/frameworks/supervisor/simple-supervisor.zeek b/doc/frameworks/supervisor/simple-supervisor.zeek
new file mode 100644
index 0000000000..f90c98fbad
--- /dev/null
+++ b/doc/frameworks/supervisor/simple-supervisor.zeek
@@ -0,0 +1,23 @@
+event zeek_init()
+	{
+	if ( Supervisor::is_supervisor() )
+		{
+		local sn = Supervisor::NodeConfig($name="foo", $interface="en0");
+		local res = Supervisor::create(sn);
+
+		if ( res == "" )
+			print "supervisor created a new node";
+		else
+			print "supervisor failed to create node", res;
+		}
+	else
+		print fmt("supervised node '%s' zeek_init()", Supervisor::node()$name);
+	}
+
+event zeek_done()
+	{
+	if ( Supervisor::is_supervised() )
+		print fmt("supervised node '%s' zeek_done()", Supervisor::node()$name);
+	else
+		print "supervisor zeek_done()";
+	}
diff --git a/doc/frameworks/supervisor/supervisor-control.zeek b/doc/frameworks/supervisor/supervisor-control.zeek
new file mode 100644
index 0000000000..596c974bf7
--- /dev/null
+++ b/doc/frameworks/supervisor/supervisor-control.zeek
@@ -0,0 +1,15 @@
+event zeek_init()
+	{
+	Broker::peer("127.0.0.1", 9999/tcp, 1sec);
+	}
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+	{
+	Broker::publish(SupervisorControl::topic_prefix, SupervisorControl::restart_request, "", "");
+	}
+
+event SupervisorControl::restart_response(reqid: string, result: bool)
+	{
+	print fmt("got result of supervisor restart request: %s", result);
+	terminate();
+	}
diff --git a/doc/frameworks/supervisor/zeek-supervisor-architecture.png b/doc/frameworks/supervisor/zeek-supervisor-architecture.png
new file mode 100644
index 0000000000..250dba974e
Binary files /dev/null and b/doc/frameworks/supervisor/zeek-supervisor-architecture.png differ
diff --git a/doc/frameworks/telemetry.rst b/doc/frameworks/telemetry.rst
new file mode 100644
index 0000000000..6af4660e98
--- /dev/null
+++ b/doc/frameworks/telemetry.rst
@@ -0,0 +1,441 @@
+.. _histogram_quantile(): https://prometheus.io/docs/prometheus/latest/querying/functions/#histogram_quantile
+.. _Prometheus: https://prometheus.io
+.. _Prometheus Getting Started Guide: https://prometheus.io/docs/prometheus/latest/getting_started/
+.. _Prometheus Metric Types: https://prometheus.io/docs/concepts/metric_types/
+.. _Prometheus HTTP Service Discovery: https://prometheus.io/docs/prometheus/latest/http_sd/
+.. _prometheus-cpp: https://github.com/jupp0r/prometheus-cpp
+
+.. _framework-telemetry:
+
+===================
+Telemetry Framework
+===================
+
+.. note::
+
+   This framework changed considerably with Zeek 7, and is not API-compatible
+   with earlier versions.  While earlier versions relied on an implementation
+   in :ref:`Broker <broker-framework>`, Zeek now maintains its
+   own implementation, building on `prometheus-cpp`_, with Broker adding its
+   telemetry to Zeek's internal registry of metrics.
+
+The telemetry framework continuously collects metrics during Zeek's operation,
+and provides ways to export this telemetry to third-party consumers. Zeek ships
+with a pre-defined set of metrics and allows you to add your own, via
+script-layer and in-core APIs you use to instrument relevant parts of the
+code. Metrics target Zeek's operational behavior, or track characteristics of
+monitored traffic. Metrics are not an additional export vehicle for Zeek's
+various regular logs. Zeek's telemetry data model closely resembles that of
+`Prometheus`_, and supports its text-based exposition format for scraping by
+third-party collectors.
+
+This section outlines usage examples, and gives brief API examples for
+composing your own metrics. Head to the :zeek:see:`Telemetry` API documentation
+for more details.
+
+Metric Types
+============
+
+Zeek supports the following metric types:
+
+  Counter
+    A continuously increasing value, resetting on process restart.
+    Examples of counters are the number of log writes since process start,
+    packets processed, or ``process_seconds`` representing CPU usage.
+
+  Gauge
+    A gauge metric is a numerical value that can increase and decrease
+    over time. Examples are table sizes or the :zeek:see:`val_footprint`
+    of Zeek script values over the lifetime of the process. More general
+    examples include a temperature or memory usage.
+
+  Histogram
+    Pre-configured buckets of observations with corresponding counts.
+    Examples of histograms are connection durations, delays, or transfer
+    sizes. Generally, it is useful to know the expected range and distribution
+    of such values, as the bounds of a histogram's buckets are defined when
+    this metric gets created.
+
+Zeek uses :zeek:type:`double` throughout to track metric values. Since
+terminology around telemetry can be complex, it helps to know a few additional
+terms:
+
+  Labels
+    A given metric sometimes doesn't exist in isolation, but comes with
+    additional labeling to disambiguate related observations. For example, Zeek
+    ships with gauge called ``zeek_active_sessions`` that labels counts for TCP,
+    UDP, and other transport protocols separately. Labels have a name (for
+    example, "protocol") to refer to value (such as "tcp"). A metric can have
+    multiple labels. Labels are thus a way to associate textual information with
+    the numerical values of metrics.
+
+  Family
+    The set of such metrics, differing only by their labeling, is a known as a
+    Family. Zeek's script-layer metrics API lets you operate on individual
+    metrics and families.
+
+Zeek has no equivalent to Prometheus's Summary type. A good reference to
+consult for more details is the official `Prometheus Metric Types`_
+documentation.
+
+Cluster Considerations
+======================
+
+When running Zeek as a cluster, every node maintains its own metrics registry,
+independently of the other nodes. Zeek does not automatically synchronize,
+centralize, or aggregate metrics across the cluster. Instead, it adds the name
+of the node a particular metric originated from at collection time, leaving any
+aggregation to post-processing where desired.
+
+.. note::
+
+   This is a departure from the design in earlier versions of Zeek, which could
+   (either by default, or after activation) centralize metrics in the cluster's
+   manager node.
+
+Accordingly, the :zeek:see:`Telemetry::collect_metrics` and
+:zeek:see:`Telemetry::collect_histogram_metrics` functions only return
+node-local metrics.
+
+Metrics Export
+==============
+
+Zeek supports two mechanisms for exporting telemetry: traditional logs, and
+Prometheus-compatible endpoints for scraping by a third-party service. We cover
+them in turn.
+
+Zeek Logs
+---------
+
+Zeek can export current metrics continuously via :file:`telemetry.log` and
+:file:`telemetry_histogram.log`. It does not do so by default. To enable, load the
+policy script ``frameworks/telemetry/log`` on the command line, or via
+``local.zeek``.
+
+The :zeek:see:`Telemetry::Info` and :zeek:see:`Telemetry::HistogramInfo` records
+define the logs.  Both records include a ``peer`` field that conveys the
+cluster node the metric originated from.
+
+By default, Zeek reports current telemetry every 60 seconds, as defined by the
+:zeek:see:`Telemetry::log_interval`, which you're free to adjust.
+
+Also, by default only metrics with the ``prefix`` (namespace) ``zeek`` and
+``process`` are included in above logs. If you add new metrics with your own
+prefix and expect these to be included, redefine the
+:zeek:see:`Telemetry::log_prefixes` option::
+
+    @load frameworks/telemetry/log
+
+    redef Telemetry::log_prefixes += { "my_prefix" };
+
+Clearing the set will cause all metrics to be logged. As with any logs, you may
+employ :ref:`policy hooks <logging-filtering-log-records>`,
+:zeek:see:`Telemetry::log_policy` and
+:zeek:see:`Telemetry::log_policy_histogram`, to define potentially more granular
+filtering.
+
+Native Prometheus Export
+------------------------
+
+Every Zeek process, regardless of whether it's running long-term standalone or
+as part of a cluster, can run an HTTP server that renders current telemetry in
+Prometheus's `text-based exposition format
+<https://github.com/prometheus/docs/blob/main/content/docs/instrumenting/exposition_formats.md#text-format-example>`_.
+
+The :zeek:see:`Telemetry::metrics_port` variable controls this behavior. Its
+default of ``0/unknown`` disables exposing the port; setting it to another TCP
+port will enable it. In clusterized operation, the cluster topology can specify
+each node's metrics port via the corresponding :zeek:see:`Cluster::Node` field,
+and the framework will adjust ``Telemetry::metrics_port`` accordingly.  Both
+zeekctl and the management framework let you define specific ports and can also
+auto-populate their values, similarly to Broker's listening ports.
+
+To query a node's telemetry, point an HTTP client or Prometheus scraper at the
+node's metrics port::
+
+  $ curl -s http://<node>:<node-metrics-port>/metrics
+  # HELP exposer_transferred_bytes_total Transferred bytes to metrics services
+  # TYPE exposer_transferred_bytes_total counter
+  exposer_transferred_bytes_total 0
+  ...
+  # HELP zeek_event_handler_invocations_total Number of times the given event handler was called
+  # TYPE zeek_event_handler_invocations_total counter
+  zeek_event_handler_invocations_total{endpoint="manager",name="run_sync_hook"} 2
+  ...
+
+To simplify telemetry collection from all nodes in a cluster, Zeek supports
+`Prometheus HTTP Service Discovery`_ on the manager node. Using this approach, the
+endpoint ``http://<manager>:<manager-metrics-port>/services.json`` returns a
+JSON data structure that itemizes all metrics endpoints in the
+cluster. Prometheus scrapers supporting service discovery then proceed to
+collect telemetry from the listed endpoints in turn.
+
+The following is an example service discovery scrape config entry within
+Prometheus server's ``prometheus.yml`` configuration file::
+
+    ...
+    scrape_configs:
+      - job_name: zeek-discovery
+        scrape_interval: 5s
+        http_sd_configs:
+          - url: http://localhost:9991/services.json
+            refresh_interval: 10s
+
+See the `Prometheus Getting Started Guide`_ for additional information.
+
+.. note::
+
+   .. versionchanged:: 7.0
+
+   The built-in aggregation for Zeek telemetry to the manager node has been
+   removed, in favor of the Prometheus-compatible service discovery
+   endpoint. The new approach requires cluster administrators to manage access
+   to the additional ports. However, it allows Prometheus to conduct the
+   aggregation, instead of burdening the Zeek manager with it, which has
+   historically proved expensive.
+
+If these setups aren't right for your environment, there's the possibility to
+redefine the options in ``local.zeek`` to something more suitable. For example,
+the following snippet selects the metrics port of each Zeek process relative
+to the cluster port used in ``cluster-layout.zeek``::
+
+    @load base/frameworks/cluster
+
+    global my_node = Cluster::nodes[Cluster::node];
+    global my_metrics_port = count_to_port(port_to_count(my_node$p) - 1000, tcp);
+
+    redef Telemetry::metrics_port = my_metrics_port;
+
+
+Examples of Metrics Application
+===============================
+
+Counting Log Writes per Stream
+------------------------------
+
+In combination with the :zeek:see:`Log::log_stream_policy` hook, it is
+straightforward to record :zeek:see:`Log::write` invocations over the dimension
+of the :zeek:see:`Log::ID` value.  This section shows three different approaches
+to do this. Which approach is most applicable depends mostly on the expected
+script layer performance overhead for updating the metric.  For example, calling
+:zeek:see:`Telemetry::counter_with` and :zeek:see:`Telemetry::counter_inc`
+within a handler of a high-frequency event may be prohibitive, while for a
+low-frequency event it's unlikely to matter.
+
+Assuming a :zeek:see:`Telemetry::metrics_port` of 9090, querying the Prometheus
+endpoint using ``curl`` provides output resembling the following for each of
+the three approaches.
+
+.. code-block::
+
+   $ curl -s localhost:9090/metrics | grep log_writes
+   # HELP zeek_log_writes_total Number of log writes per stream
+   # TYPE zeek_log_writes_total counter
+   zeek_log_writes_total{endpoint="zeek",log_id="packetfilter_log"} 1
+   zeek_log_writes_total{endpoint="zeek",log_id="loadedscripts_log"} 477
+   zeek_log_writes_total{endpoint="zeek",log_id="stats_log"} 1
+   zeek_log_writes_total{endpoint="zeek",log_id="dns_log"} 200
+   zeek_log_writes_total{endpoint="zeek",log_id="ssl_log"} 9
+   zeek_log_writes_total{endpoint="zeek",log_id="conn_log"} 215
+   zeek_log_writes_total{endpoint="zeek",log_id="captureloss_log"} 1
+
+The above shows a family of 7 ``zeek_log_writes_total`` metrics, each with an
+``endpoint`` label (here, ``zeek``, which would be a cluster node name if
+scraped from a Zeek cluster) and a ``log_id`` one.
+
+Immediate
+^^^^^^^^^
+
+The following example creates a global counter family object and uses
+the :zeek:see:`Telemetry::counter_family_inc` helper to increment the
+counter metric associated with a string representation of the :zeek:see:`Log::ID`
+value.
+
+
+.. literalinclude:: telemetry/log-writes-immediate.zeek
+   :caption: log-writes-immediate.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+With a few lines of scripting code, Zeek now track log writes per stream
+ready to be scraped by a Prometheus server.
+
+
+Cached
+^^^^^^
+
+For cases where creating the label value (stringification, :zeek:see:`gsub` and :zeek:see:`to_lower`)
+and instantiating the label vector as well as invoking the
+:zeek:see:`Telemetry::counter_family_inc` methods cause too much
+performance overhead, the counter instances can also be cached in a lookup table.
+The counters can then be incremented with :zeek:see:`Telemetry::counter_inc`
+directly.
+
+.. literalinclude:: telemetry/log-writes-cached.zeek
+   :caption: log-writes-cached.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+
+For metrics without labels, the metric instances can also be cached as global
+variables directly. The following example counts the number of http requests.
+
+.. literalinclude:: telemetry/global-http-counter.zeek
+   :caption: global-http-counter.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+
+Sync
+^^^^
+
+In case the scripting overhead of the previous approach is still too high,
+individual writes (or events) can be tracked in a table or global variable
+and then synchronized / mirrored to concrete counter and gauge instances
+during execution of the :zeek:see:`Telemetry::sync` hook.
+
+.. literalinclude:: telemetry/log-writes-sync.zeek
+   :caption: log-writes-sync.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+For tracking log writes, this is unlikely to be required (and Zeek exposes
+various logging natively through the framework already), but for updating
+metrics within high frequency events that otherwise have low script processing
+overhead, it's a valuable approach.
+
+
+.. versionchanged:: 7.1
+
+The :zeek:see:`Telemetry::sync` hook is invoked on-demand only. Either when
+one of the :zeek:see:`Telemetry::collect_metrics`
+or :zeek:see:`Telemetry::collect_histogram_metrics` functions is invoked, or
+when querying Prometheus endpoint. It's an error to call either of the
+collection BiFs within the :zeek:see:`Telemetry::sync` hook and results
+in a reporter warning.
+
+
+.. note::
+
+   In versions before Zeek 7.1, :zeek:see:`Telemetry::sync` was invoked on a
+   fixed schedule, potentially resulting in stale metrics at collection time,
+   as well as generating small runtime overhead when metrics are not collected.
+
+Table Sizes
+-----------
+
+It can be useful to expose the size of tables as metrics, as they often
+indicate the approximate amount of state maintained in memory.
+As table sizes may increase and decrease, a :zeek:see:`Telemetry::Gauge`
+is appropriate for this purpose.
+
+The following example records the size of the :zeek:see:`Tunnel::active` table
+and its footprint with two gauges. The gauges are updated during the
+:zeek:see:`Telemetry::sync` hook. Note, there are no labels in use, both
+gauge instances are simple globals.
+
+.. literalinclude:: telemetry/table-size-tracking.zeek
+   :caption: log-writes-sync.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Example representation of these metrics when querying the Prometheus endpoint:
+
+.. code-block::
+
+   $ curl -s localhost:9090/metrics | grep tunnel
+   # HELP zeek_monitored_tunnels_active_footprint Footprint of the Tunnel::active table
+   # TYPE zeek_monitored_tunnels_active_footprint gauge
+   zeek_monitored_tunnels_active_footprint{endpoint="zeek"} 324
+   # HELP zeek_monitored_tunnels_active Number of currently active tunnels as tracked in Tunnel::active
+   # TYPE zeek_monitored_tunnels_active gauge
+   zeek_monitored_tunnels_active{endpoint="zeek"} 12
+
+
+Instead of tracking footprints per variable, :zeek:see:`global_container_footprints`,
+could be leveraged to track all global containers at once, using the variable
+name as label.
+
+Connection Durations as Histogram
+---------------------------------
+
+To track the distribution of certain measurements, a :zeek:see:`Telemetry::Histogram`
+can be used. The histogram's buckets have to be preconfigured.
+
+The following example observes the duration of each connection that Zeek has
+monitored.
+
+.. literalinclude:: telemetry/connection-durations.zeek
+   :caption: connection-durations.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Due to the way Prometheus represents histograms and the fact that durations
+are broken down by protocol and service in the given example, the resulting
+representation becomes rather verbose.
+
+.. code-block::
+
+   $ curl -s localhost:9090/metrics | grep monitored_connection_duration
+   # HELP zeek_monitored_connection_duration_seconds Duration of monitored connections
+   # TYPE zeek_monitored_connection_duration_seconds histogram
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="udp",service="dns",le="0.1"} 970
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="udp",service="dns",le="1"} 998
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="udp",service="dns",le="10"} 1067
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="udp",service="dns",le="30"} 1108
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="udp",service="dns",le="60"} 1109
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="udp",service="dns",le="+Inf"} 1109
+   zeek_monitored_connection_duration_seconds_sum{endpoint="zeek",proto="udp",service="dns"} 1263.085691
+   zeek_monitored_connection_duration_seconds_count{endpoint="zeek",proto="udp",service="dns"} 1109
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="tcp",service="http",le="0.1"} 16
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="tcp",service="http",le="1"} 54
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="tcp",service="http",le="10"} 56
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="tcp",service="http",le="30"} 57
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="tcp",service="http",le="60"} 57
+   zeek_monitored_connection_duration_seconds_bucket{endpoint="zeek",proto="tcp",service="http",le="+Inf"} 57
+
+
+To work with histogram data, Prometheus provides specialized query functions.
+For example `histogram_quantile()`_.
+
+Note, when using data from :file:`conn.log` and post-processing, a proper
+histogram of connection durations can be calculated and possibly preferred.
+The above example is meant for demonstration purposes. Histograms may be
+primarily be useful for Zeek operational metrics such as processing times
+or queueing delays, response times to external systems, etc.
+
+
+Exporting the Zeek Version
+--------------------------
+
+A common pattern in the Prometheus ecosystem is to expose the version
+information of the running process as gauge metric with a value of 1.
+
+The following example does just that with a Zeek script:
+
+.. literalinclude:: telemetry/version.zeek
+   :caption: version.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+In Prometheus's exposition format, this turns into the following:
+
+.. code-block::
+
+   $ curl -s localhost:9090/metrics | grep version
+   # HELP zeek_version_info The Zeek version
+   # TYPE zeek_version_info gauge
+   zeek_version_info{beta="true",commit="0",debug="true",major="7",minor="0",patch="0",version_number="70000",version_string="7.0.0-rc4-debug"} 1
+   zeek_version_info{beta="false",commit="289",debug="true",endpoint="zeek",major="5",minor="1",patch="0",version_number="50100",version_string="5.1.0-dev.289-debug"} 1.000000
+
+
+Zeek already ships with this gauge, via
+:doc:`/scripts/base/frameworks/telemetry/main.zeek`. There is no need to add
+above snippet to your site.
diff --git a/doc/frameworks/telemetry/connection-durations.zeek b/doc/frameworks/telemetry/connection-durations.zeek
new file mode 100644
index 0000000000..d05532e203
--- /dev/null
+++ b/doc/frameworks/telemetry/connection-durations.zeek
@@ -0,0 +1,23 @@
+global conn_durations_hf = Telemetry::register_histogram_family([
+	$prefix="zeek",
+	$name="monitored_connection_duration",
+	$unit="seconds",
+	$help_text="Duration of monitored connections",
+	$bounds=vector(0.1, 1.0, 10.0, 30.0, 60.0),
+	$label_names=vector("proto", "service")
+]);
+
+event connection_state_remove(c: connection)
+	{
+	local proto = cat(c$conn$proto);
+	local service: set[string] = {"unknown"};
+
+	if ( |c$service| != 0 )
+		service = c$service;
+
+	for (s in service )
+		{
+		local h = Telemetry::histogram_with(conn_durations_hf, vector(proto, to_lower(s)));
+		Telemetry::histogram_observe(h, interval_to_double(c$duration));
+		}
+	}
diff --git a/doc/frameworks/telemetry/global-http-counter.zeek b/doc/frameworks/telemetry/global-http-counter.zeek
new file mode 100644
index 0000000000..2e030200f5
--- /dev/null
+++ b/doc/frameworks/telemetry/global-http-counter.zeek
@@ -0,0 +1,14 @@
+global http_counter_cf = Telemetry::register_counter_family([
+	$prefix="zeek",
+	$name="monitored_http_requests",
+	$unit="1",
+	$help_text="Number of http requests observed"
+]);
+
+global http_counter = Telemetry::counter_with(http_counter_cf);
+
+event http_request(c: connection, method: string, original_URI: string,
+                   unescaped_URI: string, version: string)
+	{
+	Telemetry::counter_inc(http_counter);
+	}
diff --git a/doc/frameworks/telemetry/log-writes-cached.zeek b/doc/frameworks/telemetry/log-writes-cached.zeek
new file mode 100644
index 0000000000..fce51612a4
--- /dev/null
+++ b/doc/frameworks/telemetry/log-writes-cached.zeek
@@ -0,0 +1,22 @@
+global log_writes_cf = Telemetry::register_counter_family([
+	$prefix="zeek",
+	$name="log_writes",
+	$unit="1",
+	$help_text="Number of log writes per stream",
+	$label_names=vector("log_id")
+]);
+
+# Cache for the Telemetry::Counter instances.
+global log_write_counters: table[Log::ID] of Telemetry::Counter;
+
+hook Log::log_stream_policy(rec: any, id: Log::ID)
+	{
+	if ( id !in log_write_counters )
+		{
+		local log_id = to_lower(gsub(cat(id), /:+/, "_"));
+		log_write_counters[id] = Telemetry::counter_with(log_writes_cf,
+		                                                 vector(log_id));
+		}
+
+	Telemetry::counter_inc(log_write_counters[id]);
+	}
diff --git a/doc/frameworks/telemetry/log-writes-immediate.zeek b/doc/frameworks/telemetry/log-writes-immediate.zeek
new file mode 100644
index 0000000000..d7066f6b99
--- /dev/null
+++ b/doc/frameworks/telemetry/log-writes-immediate.zeek
@@ -0,0 +1,13 @@
+global log_writes_cf = Telemetry::register_counter_family([
+	$prefix="zeek",
+	$name="log_writes",
+	$unit="1",
+	$help_text="Number of log writes per stream",
+	$label_names=vector("log_id")
+]);
+
+hook Log::log_stream_policy(rec: any, id: Log::ID)
+	{
+	local log_id = to_lower(gsub(cat(id), /:+/, "_"));
+	Telemetry::counter_family_inc(log_writes_cf, vector(log_id));
+	}
diff --git a/doc/frameworks/telemetry/log-writes-sync.zeek b/doc/frameworks/telemetry/log-writes-sync.zeek
new file mode 100644
index 0000000000..e6d7937f1a
--- /dev/null
+++ b/doc/frameworks/telemetry/log-writes-sync.zeek
@@ -0,0 +1,23 @@
+global log_writes_cf = Telemetry::register_counter_family([
+	$prefix="zeek",
+	$name="log_writes",
+	$unit="1",
+	$help_text="Number of log writes per stream",
+	$label_names=vector("log_id")
+]);
+
+global log_writes: table[Log::ID] of count &default=0;
+
+hook Log::log_stream_policy(rec: any, id: Log::ID)
+	{
+	++log_writes[id];
+	}
+
+hook Telemetry::sync()
+	{
+	for ( id, v in log_writes )
+		{
+		local log_id = to_lower(gsub(cat(id), /:+/, "_"));
+		Telemetry::counter_family_inc(log_writes_cf, vector(log_id));
+		}
+	}
diff --git a/doc/frameworks/telemetry/table-size-tracking.zeek b/doc/frameworks/telemetry/table-size-tracking.zeek
new file mode 100644
index 0000000000..106c13519b
--- /dev/null
+++ b/doc/frameworks/telemetry/table-size-tracking.zeek
@@ -0,0 +1,25 @@
+module Tunnel;
+
+global tunnels_active_size_gf = Telemetry::register_gauge_family([
+	$prefix="zeek",
+	$name="monitored_tunnels_active",
+	$unit="1",
+	$help_text="Number of currently active tunnels as tracked in Tunnel::active"
+]);
+
+global tunnels_active_size_gauge = Telemetry::gauge_with(tunnels_active_size_gf);
+
+global tunnels_active_footprint_gf = Telemetry::register_gauge_family([
+	$prefix="zeek",
+	$name="monitored_tunnels_active_footprint",
+	$unit="1",
+	$help_text="Footprint of the Tunnel::active table"
+]);
+
+global tunnels_active_footprint_gauge = Telemetry::gauge_with(tunnels_active_footprint_gf);
+
+hook Telemetry::sync() {
+
+	Telemetry::gauge_set(tunnels_active_size_gauge, |Tunnel::active|);
+	Telemetry::gauge_set(tunnels_active_footprint_gauge, val_footprint(Tunnel::active));
+}
diff --git a/doc/frameworks/telemetry/version.zeek b/doc/frameworks/telemetry/version.zeek
new file mode 100644
index 0000000000..731f1bb5b8
--- /dev/null
+++ b/doc/frameworks/telemetry/version.zeek
@@ -0,0 +1,19 @@
+global version_gf = Telemetry::register_gauge_family([
+	$prefix="zeek",
+	$name="version_info",
+	$unit="1",
+	$help_text="The Zeek version",
+	$label_names=vector("version_number", "major", "minor", "patch", "commit", "beta", "debug","version_string")
+]);
+
+event zeek_init()
+	{
+	local v = Version::info;
+	local labels = vector(cat(v$version_number),
+	                      cat(v$major), cat(v$minor), cat (v$patch),
+	                      cat(v$commit),
+	                      v$beta ? "true" : "false",
+	                      v$debug ? "true" : "false",
+	                      v$version_string);
+	Telemetry::gauge_family_set(version_gf, labels, 1.0);
+	}
diff --git a/doc/frameworks/tls-decryption.rst b/doc/frameworks/tls-decryption.rst
new file mode 100644
index 0000000000..29e37ffcfe
--- /dev/null
+++ b/doc/frameworks/tls-decryption.rst
@@ -0,0 +1,165 @@
+
+.. _framework-tls-decryption:
+
+==============
+TLS Decryption
+==============
+
+.. rst-class:: opening
+
+
+   Zeek has limited support for decrypting TLS connections, if the necessary key material is
+   available. If decryption is possible, Zeek can forward the decrypted data to other analyzers - like
+   the HTTP analyzer.
+
+   Note that this support is currently limited to a single version of TLS and a single cipher suite.
+   Zeek can currently only decrypt TLS 1.2 connections that use the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+   cipher. Any other TLS version or cipher will not be decrypted. We do not currently plan to extend
+   this support to other versions of TLS, or to other ciphersuites.
+
+Capturing and decrypting a trace file
+=====================================
+
+The most common use-case for TLS decryption is to capture a trace file together with the necessary key material
+to allow Zeek to decrypt it. In principle, it is possible to allow Zeek to decrypt TLS connections in live traffic.
+However, this kind of setup is much more complex and will require the user to set up a way to transport the
+key material to Zeek in real-time. We will talk a bit about the possibility of this below.
+
+Capturing a trace file with keys
+--------------------------------
+
+To be able to decrypt the TLS connections contained in a trace file, we need access to the symmetric keys that
+were used to encrypt the connection. Specifically, for our supported version of TLS, we need the pre-master secret
+for the TLS connection.
+
+Firefox and Chrome allow users to capture the key material of all TLS connections that they perform by setting
+the ``SSLKEYLOGFILE`` environment variable. For example, on Mac OS, you can instruct Firefox to record the TLS
+key material by starting it in the following way:
+
+.. code-block:: console
+
+   export SSLKEYLOGFILE=$HOME/keylogfile.txt
+   open -a firefox
+
+After running Firefox like this, and accessing some web pages, you should end up with the file ``keylogfile.txt``
+in your home directory that contains lines like this::
+
+   # SSL/TLS secrets log file, generated by NSS
+   CLIENT_RANDOM 47d1becb619e0851ee363c2cf37187228227ca4e680f9a7c0bd15069aa7a5970 ad03ceda4890fa581e989f5e3862023e2a4e3e8ad81325238d908066e1d35cc875979e34c08e6fdfd9d8c6f356e385c1
+   CLIENT_RANDOM 2095006fcb3f93d255cbb6562587f0dd010212fdee9d233aff64e6ed36cd5c45 0d36faaa2eadbda2a8095f951de1cbac46b81b008fbf391d91951b3485476bab73288a1e17cd0ce80e0fc0401dbe9e3f
+   CLIENT_RANDOM 8f58b32bf97e7d3856e2fccbbe80798ec2e3f515251082ad63bbc7c231d8bee0 9a7cf946a04718a19f4d20c3f80c1cf8c823c3e2b1c337ef64322d751b410543315f6ecf7dbf45ec9be194a3cc7c1a0f
+
+These log lines contain the pre-master secrets for the connections that your browser established. The secrets
+are indexed with the client random of the connections. This allows applications (like Zeek) to identify which
+secret to use to decrypt a connection.
+
+If you capture this key log file together with a trace-file, you will be able to decrypt the sessions using Zeek
+(assuming they use a supported TLS version and ciphersuite).
+
+Decrypting a trace file
+-----------------------
+
+The next step is to convert the keylogfile into a format that can be ingested by the Zeek. This bash-script
+will perform the conversion:
+
+.. code-block:: bash
+
+   #!/usr/bin/env bash
+
+   if [ $# -ne 1 ]; then
+   	echo "Script expects one argument (key log filename)" >/dev/stderr
+   	exit -1
+   fi
+
+   FILE=$1
+
+   if [ ! -f ${FILE} ]; then
+   	echo "${FILE} does not exist or is not readable" >/dev/stderr
+   	exit -1
+   fi
+
+   echo "#fields	client_random	secret"
+   grep CLIENT_RANDOM ${FILE} | sed 's/^CLIENT_RANDOM ........\(.*\) \(.*\)$/\1	\2/' | sed 's/[A-Za-z0-9][A-Za-z0-9]/\\x&/g'
+
+Note that the script just converts the keylog file in a standard Zeek tsv-file. Furthermore, it removes
+the first 16 characters of the CLIENT_RANDOM; this is needed due to a design-choice of Zeek that makes accessing
+the first 8 bytes (equivalent to 16 hex-characters) of the client random inconvenient - thus these bytes are not
+used for matching.
+
+If you run the bash script on the ``keylogfile.txt`` you created earlier, you will get a Zeek tsv-file.
+
+.. code-block:: console
+
+   ./convert-keylog.sh ~/keylogfile.txt > ~/keylogfile.log
+
+   cat ~/keylogfile.log
+   #fields	client_random	secret
+   \x0e\x78\x2d\x35\x63\x95\x5d\x8a\x30\xa9\xcf\xb6\x4f\x47\xf3\x96\x34\x8a\x1e\x79\x1a\xa2\x32\x55\xe2\x2f\xc5\x7a	\x34\x4f\x12\x65\xbf\x43\x40\xb3\x61\x6b\xa0\x16\x5d\x2b\x4d\xb9\xb1\xe8\x4a\x3d\xa2\x42\x0e\x38\xab\x01\x50\x62\x84\xcc\x34\xcd\xe0\x34\x10\xfe\x1a\x02\x30\x49\x74\x6c\x46\x43\xa7\x0c\x67\x0d
+   \x24\x8c\x7e\x24\xee\xfb\x13\xcd\xee\xde\xb1\xf4\xb6\xd6\xd5\xee\x67\x8d\xd3\xff\xc7\xe7\x39\x23\x18\x3f\x99\xb4	\xe7\xed\x24\x26\x0d\x25\xd9\xfd\xf5\x0f\xc0\xf4\x56\x51\x0e\x4e\xec\x7f\x58\x9c\xaf\x39\x25\x14\x16\xa6\x71\xdd\xea\xfe\xe9\xc0\x93\xbe\x89\x4c\xab\xcc\xff\xb2\xf0\x9a\xea\x98\xf5\xb2\x53\x1e
+   \x57\xd7\xc7\x7a\x2d\x5e\x35\x29\x2c\xd7\xe7\x94\xee\xf8\x6f\x31\x45\xf6\xbe\x25\x08\xed\x1d\x92\xd2\x0b\x9b\x04	\xc1\x93\x17\x93\xd9\x7d\xd2\x98\xb3\xe0\xdb\x2c\x5d\xbe\x71\x31\xa7\x9a\xf5\x91\xf9\x87\x90\xee\xb7\x79\x9f\x6b\xb4\x1f\x47\xa7\x69\x62\x4b\xa3\x99\x0c\xa9\x43\xf9\xea\x3b\x4d\x5f\x2f\xfe\xfb
+
+Now we can run Zeek on the trace-file that we recorded. We need a small additional script for this, which
+stops processing while the TLS keylog file is loaded. It also loads the required policy script.
+
+.. literalinclude:: tls_decryption-1-suspend-processing.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ export ZEEK_TLS_KEYLOG_FILE=~/keylogfile.log
+   $ zeek -C -r tls/tls-1.2-stream-keylog.pcap tls_decryption-1-suspend-processing.zeek
+
+   $ cat conn.log
+   #separator \x09
+   #set_separator	,
+   #empty_field	(empty)
+   #unset_field	-
+   #path	conn
+   #open	2022-03-01-16-57-26
+   #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+   #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+   1646150638.631834	CTy5Us4OUaTOcyrPvc	192.168.20.12	60679	193.99.144.85	443	tcp	http,ssl	7.246461	10853	151695	SF	-	-	0	ShADadFf	98	15961	139	158931	-
+   #close	2022-03-01-16-57-26
+
+   $ cat http.log
+   #separator \x09
+   #set_separator	,
+   #empty_field	(empty)
+   #unset_field	-
+   #path	http
+   #open	2022-03-01-16-57-25
+   #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+   #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+   1646150638.735969	CTy5Us4OUaTOcyrPvc	192.168.20.12	60679	193.99.144.85	443	1	GET	www.heise.de	/assets/akwa/v24/js/akwa.js?.ltc.c61e84978682308f631c	https://www.heise.de/	1.1	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0	-	0	375340	200	OK	-	-	(empty)	-	-	-	-	-	-	FSJiWr34wfIujxxtm3	-	text/plain
+   1646150638.944774	CTy5Us4OUaTOcyrPvc	192.168.20.12	60679	193.99.144.85	443	2	GET	www.heise.de	/assets/heise/images/mit_technology_review_singleline.b768.ltc.svg	https://www.heise.de/	1.1	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0	-	0	3430	200	OK	-	-	(empty)	-	-	-	-	-	-	FgivhC1pvnYeQS4u18	-	text/plain
+   1646150638.976118	CTy5Us4OUaTOcyrPvc	192.168.20.12	60679	193.99.144.85	443	3	GET	www.heise.de	/assets/heise/hobell/css/hobell.css?.ltc.3746e7e49abafa23b5fb	https://www.heise.de/	1.1	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0	-	0	85280	200	OK	-	-	(empty)	-	-	-	-	-	-	FyvBkl2nwRXf0hkDO1	-	text/plain
+   ...
+
+Now :file:`conn.log` shows that the HTTP as well as the SSL analyzers were attached. :file:`http.log` shows the
+information from the decrypted HTTP session.
+
+If you try this yourself note that today a lot of encrypted Internet traffic uses HTTP/2. Zeek currently does not
+ship with an HTTP/2 parser by default. If you capture your own traffic make sure that your browser uses
+HTTP/1. Alternatively, you can add an HTTP/2 analyzer to Zeek, e.g. using a package.
+
+Decrypting live traffic
+=======================
+
+In principle, it is possible to decrypt live traffic using this approach. When you want to do this, you have to supply the secrets
+to Zeek as the connections are happening. Note that there are timing constraints here - the secrets should arrive at the Zeek instance
+that will decrypt the traffic before encrypted application data is exchanged.
+
+The :doc:`/scripts/policy/protocols/ssl/decryption.zeek` policy script sets up a two events for this purpose. You can send key material
+to the Zeek worker in question via Broker, using the ``/zeek/tls/decryption`` topic. The two events used for this are
+:zeek:see:`SSL::add_keys` and :zeek:see:`SSL::add_secret`.
+
+TLS Decryption API
+==================
+
+If the policy script does not suit your use-case, you can use the TLS decryption API directly to decrypt a connection. You can use either the
+:zeek:see:`set_secret` or the :zeek:see:`set_keys` functions to provide the decryption keys for an ongoing SSL connection.
+
+Note that you will have to make sure to set :zeek:see:`SSL::disable_analyzer_after_detection` to false if you use this functionality directly.
diff --git a/doc/frameworks/tls_decryption-1-suspend-processing.zeek b/doc/frameworks/tls_decryption-1-suspend-processing.zeek
new file mode 100644
index 0000000000..6b6b26ee1a
--- /dev/null
+++ b/doc/frameworks/tls_decryption-1-suspend-processing.zeek
@@ -0,0 +1,13 @@
+@load protocols/ssl/decryption
+@load base/protocols/http
+
+event zeek_init()
+	{
+	suspend_processing();
+	}
+
+event Input::end_of_data(name: string, source: string)
+	{
+	if ( name == "tls-keylog-file" )
+		continue_processing();
+	}
diff --git a/doc/get-started.rst b/doc/get-started.rst
new file mode 100644
index 0000000000..fb37934e3c
--- /dev/null
+++ b/doc/get-started.rst
@@ -0,0 +1,11 @@
+===========
+Get Started
+===========
+
+.. toctree::
+   :maxdepth: 2
+
+   install
+   quickstart
+   cluster-setup
+   building-from-source
diff --git a/doc/images/architecture.png b/doc/images/architecture.png
new file mode 100644
index 0000000000..fc775160ca
Binary files /dev/null and b/doc/images/architecture.png differ
diff --git a/doc/images/cluster-diagram.png b/doc/images/cluster-diagram.png
new file mode 100644
index 0000000000..745a9220b4
Binary files /dev/null and b/doc/images/cluster-diagram.png differ
diff --git a/doc/images/cluster/Makefile b/doc/images/cluster/Makefile
new file mode 100644
index 0000000000..21fb7fb85e
--- /dev/null
+++ b/doc/images/cluster/Makefile
@@ -0,0 +1,6 @@
+MMDC?=./node_modules/.bin/mmdc
+
+%.png : %.mermaid
+	$(MMDC) -i $< -e png -o $@
+
+all: zeromq-cluster.png zeromq-pubsub.png zeromq-logging.png
diff --git a/doc/images/cluster/README.md b/doc/images/cluster/README.md
new file mode 100644
index 0000000000..ab93a3580c
--- /dev/null
+++ b/doc/images/cluster/README.md
@@ -0,0 +1,24 @@
+## Install mermaid-cli
+
+    npm install @mermaid-js/mermaid-cli
+
+## Apparmor Errors
+
+If running ``mmdc`` fails under Linux (e.g. with Ubuntu 24.04) with apparmor
+errors about ``userns_create`` in the ``demsg`` output, put the following into
+``/etc/apparmor.d/chrome-headless``
+
+    # This profile allows everything and only exists to give the
+    # application a name instead of having the label "unconfined"
+    abi <abi/4.0>,
+    include <tunables/global>
+
+    profile chrome /home/awelzel/.cache/puppeteer/**/chrome-headless-shell flags=(unconfined) {
+      userns,
+
+      # Site-specific additions and overrides. See local/README for details.
+      include if exists <local/chrome>
+    }
+
+
+See also: https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md#option-2_a-safer-way
diff --git a/doc/images/cluster/zeromq-cluster.mermaid b/doc/images/cluster/zeromq-cluster.mermaid
new file mode 100644
index 0000000000..d5dd1bef86
--- /dev/null
+++ b/doc/images/cluster/zeromq-cluster.mermaid
@@ -0,0 +1,95 @@
+graph TD
+
+  w1-xpub-->broker-xsub
+  broker-xpub-->w1-xsub
+
+  w2-xpub-->broker-xsub
+  broker-xpub-->w2-xsub
+
+  w3-xpub-->broker-xsub
+  broker-xpub-->w3-xsub
+
+  p1-xpub-->broker-xsub
+  broker-xpub-->p1-xsub
+
+  p2-xpub-->broker-xsub
+  broker-xpub-->p2-xsub
+
+  l1-xpub-->broker-xsub
+  broker-xpub-->l1-xsub
+
+  l2-xpub-->broker-xsub
+  broker-xpub-->l2-xsub
+
+  m-xpub-->broker-xsub
+  broker-xpub-->m-xsub
+
+  %% Logging
+  w1-push-->l1-pull
+  w1-push-->l2-pull
+  w2-push-->l1-pull
+  w2-push-->l2-pull
+  w3-push-->l1-pull
+  w3-push-->l2-pull
+  p1-push-->l1-pull
+  p1-push-->l2-pull
+  p2-push-->l1-pull
+  p2-push-->l2-pull
+  m-push-->l1-pull
+  m-push-->l2-pull
+
+subgraph broker ["broker"]
+  broker-xpub((XPUB))
+  broker-xsub((XSUB))
+  broker-xpub-->broker-xsub
+  broker-xsub-->broker-xpub
+end
+
+
+subgraph l1 [logger-1]
+  l1-xpub((XPUB))
+  l1-xsub((XSUB))
+  l1-pull(PULL)
+end
+
+subgraph l2 [logger-2]
+  l2-xpub((XPUB))
+  l2-xsub((XSUB))
+  l2-pull(PULL)
+end
+
+subgraph manager
+  m-xpub((XPUB))
+  m-xsub((XSUB))
+  m-push(PUSH)
+end
+
+subgraph p1 [proxy-1]
+  p1-xpub((XPUB))
+  p1-xsub((XSUB))
+  p1-push(PUSH)
+end
+
+subgraph p2 [proxy-2]
+  p2-xpub((XPUB))
+  p2-xsub((XSUB))
+  p2-push(PUSH)
+end
+
+subgraph w1 [worker-1]
+  w1-xpub((XPUB))
+  w1-xsub((XSUB))
+  w1-push(PUSH)
+end
+
+subgraph w2 [worker-2]
+  w2-xpub((XPUB))
+  w2-xsub((XSUB))
+  w2-push(PUSH)
+end
+
+subgraph w3 [worker-3]
+  w3-xpub((XPUB))
+  w3-xsub((XSUB))
+  w3-push(PUSH)
+end
diff --git a/doc/images/cluster/zeromq-cluster.png b/doc/images/cluster/zeromq-cluster.png
new file mode 100644
index 0000000000..bc2af6502a
Binary files /dev/null and b/doc/images/cluster/zeromq-cluster.png differ
diff --git a/doc/images/cluster/zeromq-logging.mermaid b/doc/images/cluster/zeromq-logging.mermaid
new file mode 100644
index 0000000000..fcdd378dcf
--- /dev/null
+++ b/doc/images/cluster/zeromq-logging.mermaid
@@ -0,0 +1,49 @@
+flowchart TD
+
+  %% Logging
+  w1-push-->l1-pull
+  w1-push-->l2-pull
+  w2-push-->l1-pull
+  w2-push-->l2-pull
+  w3-push-->l1-pull
+  w3-push-->l2-pull
+  p1-push-->l1-pull
+  p1-push-->l2-pull
+  p2-push-->l1-pull
+  p2-push-->l2-pull
+  m-push-->l1-pull
+  m-push-->l2-pull
+
+subgraph l1 [logger-1]
+  l1-pull(PULL)
+end
+
+subgraph l2 [logger-2]
+  l2-pull(PULL)
+end
+
+subgraph m [manager]
+  m-push(PUSH)
+end
+
+subgraph p1 [proxy-1]
+  p1-push(PUSH)
+end
+
+subgraph p2 [proxy-2]
+  p2-push(PUSH)
+end
+
+subgraph w1 [worker-1]
+  w1-push(PUSH)
+end
+
+subgraph w2 [worker-2]
+  w2-push(PUSH)
+end
+
+subgraph w3 [worker-3]
+
+  w3-push(PUSH)
+end
+
diff --git a/doc/images/cluster/zeromq-logging.png b/doc/images/cluster/zeromq-logging.png
new file mode 100644
index 0000000000..6c9e9afb3e
Binary files /dev/null and b/doc/images/cluster/zeromq-logging.png differ
diff --git a/doc/images/cluster/zeromq-pubsub.mermaid b/doc/images/cluster/zeromq-pubsub.mermaid
new file mode 100644
index 0000000000..7710f8774f
--- /dev/null
+++ b/doc/images/cluster/zeromq-pubsub.mermaid
@@ -0,0 +1,72 @@
+graph TD
+
+  w1-xpub-->broker-xsub
+  broker-xpub-->w1-xsub
+
+  w2-xpub-->broker-xsub
+  broker-xpub-->w2-xsub
+
+  w3-xpub-->broker-xsub
+  broker-xpub-->w3-xsub
+
+  p1-xpub-->broker-xsub
+  broker-xpub-->p1-xsub
+
+  p2-xpub-->broker-xsub
+  broker-xpub-->p2-xsub
+
+  l1-xpub-->broker-xsub
+  broker-xpub-->l1-xsub
+
+  l2-xpub-->broker-xsub
+  broker-xpub-->l2-xsub
+
+  m-xpub-->broker-xsub
+  broker-xpub-->m-xsub
+
+subgraph broker ["broker"]
+  broker-xpub((XPUB))
+  broker-xsub((XSUB))
+  broker-xpub-->broker-xsub
+  broker-xsub-->broker-xpub
+end
+
+subgraph l1 [logger-1]
+  l1-xpub((XPUB))
+  l1-xsub((XSUB))
+end
+
+subgraph l2 [logger-2]
+  l2-xpub((XPUB))
+  l2-xsub((XSUB))
+end
+subgraph m [manager]
+  m-xpub((XPUB))
+  m-xsub((XSUB))
+end
+
+subgraph p1 [proxy-1]
+  p1-xpub((XPUB))
+  p1-xsub((XSUB))
+end
+
+subgraph p2 [proxy-2]
+  p2-xpub((XPUB))
+  p2-xsub((XSUB))
+end
+
+subgraph w1 [worker-1]
+  w1-xpub((XPUB))
+  w1-xsub((XSUB))
+end
+
+subgraph w2 [worker-2]
+  w2-xpub((XPUB))
+  w2-xsub((XSUB))
+end
+
+subgraph w3 [worker-3]
+  w3-xpub((XPUB))
+  w3-xsub((XSUB))
+end
+
diff --git a/doc/images/cluster/zeromq-pubsub.png b/doc/images/cluster/zeromq-pubsub.png
new file mode 100644
index 0000000000..108946d75a
Binary files /dev/null and b/doc/images/cluster/zeromq-pubsub.png differ
diff --git a/doc/images/collection-figure1.png b/doc/images/collection-figure1.png
new file mode 100644
index 0000000000..793bed5ee3
Binary files /dev/null and b/doc/images/collection-figure1.png differ
diff --git a/doc/images/collection-figure2.png b/doc/images/collection-figure2.png
new file mode 100644
index 0000000000..5ac1a59a16
Binary files /dev/null and b/doc/images/collection-figure2.png differ
diff --git a/doc/images/collection-figure3.png b/doc/images/collection-figure3.png
new file mode 100644
index 0000000000..2f45d84dfe
Binary files /dev/null and b/doc/images/collection-figure3.png differ
diff --git a/doc/images/deployment.png b/doc/images/deployment.png
new file mode 100644
index 0000000000..abd9b92722
Binary files /dev/null and b/doc/images/deployment.png differ
diff --git a/doc/images/intel-architecture.png b/doc/images/intel-architecture.png
new file mode 100644
index 0000000000..e10a5adc79
Binary files /dev/null and b/doc/images/intel-architecture.png differ
diff --git a/doc/images/management-all-in-one-two-zeeks.png b/doc/images/management-all-in-one-two-zeeks.png
new file mode 100644
index 0000000000..18c1d68adf
Binary files /dev/null and b/doc/images/management-all-in-one-two-zeeks.png differ
diff --git a/doc/images/management-all-in-one-two-zeeks.svgz b/doc/images/management-all-in-one-two-zeeks.svgz
new file mode 100644
index 0000000000..fae14164e9
Binary files /dev/null and b/doc/images/management-all-in-one-two-zeeks.svgz differ
diff --git a/doc/images/management-all-in-one.png b/doc/images/management-all-in-one.png
new file mode 100644
index 0000000000..c5f1fe2a4f
Binary files /dev/null and b/doc/images/management-all-in-one.png differ
diff --git a/doc/images/management-all-in-one.svgz b/doc/images/management-all-in-one.svgz
new file mode 100644
index 0000000000..ae26d3a729
Binary files /dev/null and b/doc/images/management-all-in-one.svgz differ
diff --git a/doc/images/management.png b/doc/images/management.png
new file mode 100644
index 0000000000..2103c4d5d7
Binary files /dev/null and b/doc/images/management.png differ
diff --git a/doc/images/management.svgz b/doc/images/management.svgz
new file mode 100644
index 0000000000..067842635c
Binary files /dev/null and b/doc/images/management.svgz differ
diff --git a/doc/images/troubleshooting/flamegraph.png b/doc/images/troubleshooting/flamegraph.png
new file mode 100644
index 0000000000..16bc2d37bf
Binary files /dev/null and b/doc/images/troubleshooting/flamegraph.png differ
diff --git a/doc/images/troubleshooting/http-fake-state-growth.gif b/doc/images/troubleshooting/http-fake-state-growth.gif
new file mode 100644
index 0000000000..b1c9c6d8f8
Binary files /dev/null and b/doc/images/troubleshooting/http-fake-state-growth.gif differ
diff --git a/doc/images/websocket-api/one-api-many-zeek-ws-bridge.svg b/doc/images/websocket-api/one-api-many-zeek-ws-bridge.svg
new file mode 100644
index 0000000000..5bb224b906
--- /dev/null
+++ b/doc/images/websocket-api/one-api-many-zeek-ws-bridge.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:lucid="lucid" width="602" height="522"><g transform="translate(401 -199)" lucid:page-tab-id="0_0"><path d="M-500 0H500v1000H-500z" fill="#fff"/><path d="M-400 406a6 6 0 0 1 6-6h148a6 6 0 0 1 6 6v108a6 6 0 0 1-6 6h-148a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><use xlink:href="#a" transform="matrix(1,0,0,1,-388,412) translate(50.253689236111114 57.52777777777778)"/><path d="M40 206a6 6 0 0 1 6-6h148a6 6 0 0 1 6 6v108a6 6 0 0 1-6 6H46a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><use xlink:href="#b" transform="matrix(1,0,0,1,52,212) translate(41.95833333333333 24.52777777777778)"/><use xlink:href="#c" transform="matrix(1,0,0,1,52,212) translate(30.570529513888886 56.79340277777778)"/><use xlink:href="#d" transform="matrix(1,0,0,1,52,212) translate(63.480685763888886 89.05902777777777)"/><path d="M40 406a6 6 0 0 1 6-6h148a6 6 0 0 1 6 6v108a6 6 0 0 1-6 6H46a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><use xlink:href="#b" transform="matrix(1,0,0,1,52,412) translate(41.95833333333333 24.52777777777778)"/><use xlink:href="#c" transform="matrix(1,0,0,1,52,412) translate(30.570529513888886 56.79340277777778)"/><use xlink:href="#e" transform="matrix(1,0,0,1,52,412) translate(61.22374131944444 89.05902777777777)"/><path d="M40 606a6 6 0 0 1 6-6h148a6 6 0 0 1 6 6v108a6 6 0 0 1-6 6H46a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><use xlink:href="#b" transform="matrix(1,0,0,1,52,612) translate(41.95833333333333 24.52777777777778)"/><use xlink:href="#c" transform="matrix(1,0,0,1,52,612) translate(30.570529513888886 56.79340277777778)"/><use xlink:href="#f" transform="matrix(1,0,0,1,52,612) translate(59.628689236111114 89.05902777777777)"/><path d="M22.62 260h-124.07a6 6 0 0 0-6 6v16.62" stroke="#3a414a" fill="none"/><path d="M37.38 260l-14.26 4.63v-9.26zM-107.45 297.38l-4.63-14.26h9.27z" stroke="#3a414a" fill="#3a414a"/><path d="M-107.45 360.7v59.97a6 6 0 0 1-6 6h-109.17" stroke="#3a414a" fill="none"/><path d="M-107.45 345.93l4.64 14.27h-9.28zM-237.38 426.67l14.26-4.64v9.27z" stroke="#3a414a" fill="#3a414a"/><path d="M22.62 460h-32.68" stroke="#3a414a" fill="none"/><path d="M37.38 460l-14.26 4.63v-9.26zM-24.83 460l14.27-4.63v9.26z" stroke="#3a414a" fill="#3a414a"/><path d="M-189.94 460h-32.68" stroke="#3a414a" fill="none"/><path d="M-175.17 460l-14.27 4.63v-9.26zM-237.38 460l14.26-4.63v9.26z" stroke="#3a414a" fill="#3a414a"/><path d="M-100 561.2v-60.53a6 6 0 0 0-6-6h-116.62" stroke="#3a414a" fill="none"/><path d="M-100 574.68l-7.5-12.98h15zM-237.38 494.67l14.26-4.64v9.27z" stroke="#3a414a" fill="#3a414a"/><path d="M24.5 660H-94a6 6 0 0 1-6-6v-16.62" stroke="#3a414a" fill="none"/><path d="M38 660l-13 7.5v-15zM-100 622.62l4.64 14.26h-9.28z" stroke="#3a414a" fill="#3a414a"/><path d="M106 574.6a6 6 0 0 1-6-6v-17.2a6 6 0 0 1 6-6h24.9a6 6 0 0 1 6 6v17.2a6 6 0 0 1-6 6z" fill="none"/><use xlink:href="#g" transform="matrix(6.123233995736766e-17,-1,1,6.123233995736766e-17,105.00000000000006,569.6078645833334) translate(0 21.58376736111111)"/><path d="M-180 306a6 6 0 0 1 6-6h133.1a6 6 0 0 1 6 6v31.3a6 6 0 0 1-6 6H-174a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><g><use xlink:href="#h" transform="matrix(1,0,0,1,-168,312) translate(-2.6447482638888857 21.52777777777778)"/></g><path d="M-172.55 444.34a6 6 0 0 1 6-6h133.1a6 6 0 0 1 6 6v31.32a6 6 0 0 1-6 6h-133.1a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><g><use xlink:href="#i" transform="matrix(1,0,0,1,-160.55442090211994,450.34261004316113) translate(-4.527343749999986 21.52777777777778)"/></g><path d="M-172.55 582.68a6 6 0 0 1 6-6h133.1a6 6 0 0 1 6 6V614a6 6 0 0 1-6 6h-133.1a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><g><use xlink:href="#j" transform="matrix(1,0,0,1,-160.55442090211994,588.6852200863223) translate(-6.496744791666657 21.52777777777778)"/></g><defs><path d="M52 0l541-1490h220L1361 0h-200l-149-416H398L254 0H52zm404-582h497c-103-290-145-390-251-756-108 377-145 460-246 756" id="k"/><path d="M180 0v-1490h510c348 0 508 209 508 474 0 266-160 477-507 477H370V0H180zm190-706h312c236 0 327-133 327-310 0-176-91-307-329-307H370v617" id="l"/><path d="M370-1490V0H180v-1490h190" id="m"/><g id="a"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#k"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,15.33203125,0)" xlink:href="#l"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,29.524739583333332,0)" xlink:href="#m"/></g><path d="M130 0v-134l666-991c45-67 96-135 147-202-269 9-546 3-821 5v-168h1036v136L502-379c-49 72-103 145-157 216 268-9 546-3 821-5V0H130" id="n"/><path d="M628 24c-324 0-524-230-524-574 0-343 198-582 503-582 237 0 487 146 487 559v75H286c9 234 145 362 343 362 132 0 231-58 273-172l174 48C1024-91 857 24 628 24zM287-650h624c-17-190-120-322-304-322-192 0-309 151-320 322" id="o"/><path d="M158 0v-1490h180v865h22l478-493h223L593-638 1096 0H865L456-523 338-412V0H158" id="p"/><g id="b"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#n"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,13.975694444444445,0)" xlink:href="#o"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,26.93142361111111,0)" xlink:href="#o"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,39.88715277777778,0)" xlink:href="#p"/></g><path d="M783 20c-382 0-661-292-661-764 0-473 279-766 661-766 302 0 548 182 601 489h-190c-42-204-217-313-411-313-268 0-476 208-476 590 0 381 209 588 476 588 195 0 369-110 411-313h190c-52 303-296 489-601 489" id="q"/><path d="M338-1490V0H158v-1490h180" id="r"/><path d="M537 14c-226 0-379-139-379-422v-710h180v695c0 172 97 275 253 275 160 0 281-109 281-300v-670h181V0H879v-209C806-46 684 14 537 14" id="s"/><path d="M538 24C308 24 148-78 108-271l171-41c32 123 123 178 257 178 156 0 256-77 256-169 0-77-54-128-164-154l-186-44c-203-48-300-148-300-305 0-192 176-326 414-326 230 0 351 112 402 269l-163 42c-31-80-94-158-238-158-133 0-233 69-233 162 0 83 57 129 188 160l169 40c203 48 298 149 298 302 0 196-179 339-441 339" id="t"/><path d="M598-1118v154H368v674c0 100 37 144 132 144 23 0 62-6 92-12L629-6c-37 13-88 20-134 20-193 0-307-107-307-290v-688H20v-154h168v-266h180v266h230" id="u"/><path d="M158 0v-1118h174v172h12c41-113 157-188 290-188 26 0 70 2 91 3v181c-11-2-60-10-108-10-161 0-279 109-279 260V0H158" id="v"/><g id="c"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#q"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,16.23263888888889,0)" xlink:href="#r"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,21.614583333333336,0)" xlink:href="#s"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,34.75477430555556,0)" xlink:href="#t"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,46.484375,0)" xlink:href="#u"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,53.5373263888889,0)" xlink:href="#o"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,66.49305555555556,0)" xlink:href="#v"/></g><path d="M653-1490V0H466v-1314h-10L96-1047v-204l324-239h233" id="w"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#w" id="d"/><path d="M154 0v-137l495-537c165-179 249-281 249-418 0-156-121-253-280-253-170 0-278 110-278 278H158c0-264 200-443 465-443 266 0 455 183 455 416 0 161-73 288-336 568L416-179v12h687V0H154" id="x"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#x" id="e"/><path d="M180 0v-1490h224l606 953c40 63 108 177 176 312-27-437-7-821-13-1265h190V0h-226C860-448 622-778 356-1262c27 476 11 792 15 1262H180" id="y"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#y" id="f"/><path d="M295 13c-75 0-135-60-135-135s60-135 135-135 135 60 135 135S370 13 295 13" id="z"/><g id="g"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#z"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,6.401909722222222,0)" xlink:href="#z"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,12.803819444444445,0)" xlink:href="#z"/></g><path d="M409 0L70-1118h191c89 329 165 560 243 925 75-353 154-601 240-925h192c85 325 161 564 235 922 77-354 157-598 244-922h191L1267 0h-179c-86-307-176-590-250-913C763-588 675-308 588 0H409" id="A"/><path d="M798-719v166H144v-166h654" id="B"/><path d="M677 24c-213 0-288-135-325-197h-20V0H158v-1490h180v551h14c37-59 106-193 324-193 279 0 474 222 474 576 0 356-194 580-473 580zm-27-161c209 0 317-186 317-421 0-232-105-413-317-413-206 0-314 166-314 413 0 249 111 421 314 421" id="C"/><path d="M158 0v-1118h180V0H158zm91-1301c-68 0-125-53-125-119s57-119 125-119c69 0 126 53 126 119s-57 119-126 119" id="D"/><path d="M577 24c-279 0-473-224-473-580 0-354 195-576 474-576 218 0 287 134 324 193h14v-551h180V0H922v-173h-20C865-111 790 24 577 24zm27-161c203 0 314-172 314-421 0-247-108-413-314-413-212 0-317 181-317 413 0 235 108 421 317 421" id="E"/><path d="M611 442c-248 0-391-105-460-228l146-94c47 65 117 165 314 165 178 0 307-82 307-266v-224h-17C863-141 792-18 576-18c-268 0-472-195-472-546 0-346 197-568 476-568 216 0 288 133 326 193h17v-179h175V29c0 289-215 413-487 413zm-5-620c203 0 314-146 314-390 0-237-108-403-314-403-213 0-319 180-319 403 0 230 109 390 319 390" id="F"/><g id="h"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#A"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,18.18576388888889,0)" xlink:href="#t"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,29.915364583333336,0)" xlink:href="#B"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,40.13671875,0)" xlink:href="#C"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,53.74348958333333,0)" xlink:href="#v"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,62.45659722222221,0)" xlink:href="#D"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,67.83854166666666,0)" xlink:href="#E"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,81.44531249999999,0)" xlink:href="#F"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,95.0737847222222,0)" xlink:href="#o"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,108.02951388888887,0)" xlink:href="#B"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,118.25086805555556,0)" xlink:href="#w"/></g><g id="i"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#A"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,18.18576388888889,0)" xlink:href="#t"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,29.915364583333336,0)" xlink:href="#B"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,40.13671875,0)" xlink:href="#C"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,53.74348958333333,0)" xlink:href="#v"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,62.45659722222221,0)" xlink:href="#D"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,67.83854166666666,0)" xlink:href="#E"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,81.44531249999999,0)" xlink:href="#F"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,95.0737847222222,0)" xlink:href="#o"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,108.02951388888887,0)" xlink:href="#B"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,117.50217013888887,0)" xlink:href="#x"/></g><g id="j"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#A"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,18.18576388888889,0)" xlink:href="#t"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,29.915364583333336,0)" xlink:href="#B"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,40.13671875,0)" xlink:href="#C"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,53.74348958333333,0)" xlink:href="#v"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,62.45659722222221,0)" xlink:href="#D"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,67.83854166666666,0)" xlink:href="#E"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,81.44531249999999,0)" xlink:href="#F"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,95.0737847222222,0)" xlink:href="#o"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,108.02951388888887,0)" xlink:href="#B"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,118.25086805555556,0)" xlink:href="#y"/></g></defs></g></svg>
\ No newline at end of file
diff --git a/doc/images/websocket-api/one-api-many-zeek.svg b/doc/images/websocket-api/one-api-many-zeek.svg
new file mode 100644
index 0000000000..7171dd712c
--- /dev/null
+++ b/doc/images/websocket-api/one-api-many-zeek.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:lucid="lucid" width="602" height="522"><g transform="translate(401 -199)" lucid:page-tab-id="0_0"><path d="M-500 0H500v1000H-500z" fill="#fff"/><path d="M-400 406a6 6 0 0 1 6-6h148a6 6 0 0 1 6 6v108a6 6 0 0 1-6 6h-148a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><use xlink:href="#a" transform="matrix(1,0,0,1,-388,412) translate(50.253689236111114 57.52777777777778)"/><path d="M40 206a6 6 0 0 1 6-6h148a6 6 0 0 1 6 6v108a6 6 0 0 1-6 6H46a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><use xlink:href="#b" transform="matrix(1,0,0,1,52,212) translate(41.95833333333333 24.52777777777778)"/><use xlink:href="#c" transform="matrix(1,0,0,1,52,212) translate(30.570529513888886 56.79340277777778)"/><use xlink:href="#d" transform="matrix(1,0,0,1,52,212) translate(63.480685763888886 89.05902777777777)"/><path d="M40 406a6 6 0 0 1 6-6h148a6 6 0 0 1 6 6v108a6 6 0 0 1-6 6H46a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><use xlink:href="#b" transform="matrix(1,0,0,1,52,412) translate(41.95833333333333 24.52777777777778)"/><use xlink:href="#c" transform="matrix(1,0,0,1,52,412) translate(30.570529513888886 56.79340277777778)"/><use xlink:href="#e" transform="matrix(1,0,0,1,52,412) translate(61.22374131944444 89.05902777777777)"/><path d="M40 606a6 6 0 0 1 6-6h148a6 6 0 0 1 6 6v108a6 6 0 0 1-6 6H46a6 6 0 0 1-6-6z" stroke="#000" stroke-width="2" fill="#fff"/><use xlink:href="#b" transform="matrix(1,0,0,1,52,612) translate(41.95833333333333 24.52777777777778)"/><use xlink:href="#c" transform="matrix(1,0,0,1,52,612) translate(30.570529513888886 56.79340277777778)"/><use xlink:href="#f" transform="matrix(1,0,0,1,52,612) translate(59.628689236111114 89.05902777777777)"/><path d="M22.62 260H-94a6 6 0 0 0-6 6v154.67a6 6 0 0 1-6 6h-116.62" stroke="#3a414a" fill="none"/><path d="M37.38 260l-14.26 4.63v-9.26zM-237.38 426.67l14.26-4.64v9.27z" stroke="#3a414a" fill="#3a414a"/><path d="M22.62 460h-245.24" stroke="#3a414a" fill="none"/><path d="M37.38 460l-14.26 4.63v-9.26zM-237.38 460l14.26-4.63v9.26z" stroke="#3a414a" fill="#3a414a"/><path d="M24.5 660H-94a6 6 0 0 1-6-6V500.67a6 6 0 0 0-6-6h-116.62" stroke="#3a414a" fill="none"/><path d="M38 660l-13 7.5v-15zM-237.38 494.67l14.26-4.64v9.27z" stroke="#3a414a" fill="#3a414a"/><g><path d="M106 574.6a6 6 0 0 1-6-6v-17.2a6 6 0 0 1 6-6h24.9a6 6 0 0 1 6 6v17.2a6 6 0 0 1-6 6z" fill="none"/></g><g><use xlink:href="#g" transform="matrix(6.123233995736766e-17,-1,1,6.123233995736766e-17,105.00000000000006,569.6078645833334) translate(0 21.58376736111111)"/></g><defs><path d="M52 0l541-1490h220L1361 0h-200l-149-416H398L254 0H52zm404-582h497c-103-290-145-390-251-756-108 377-145 460-246 756" id="h"/><path d="M180 0v-1490h510c348 0 508 209 508 474 0 266-160 477-507 477H370V0H180zm190-706h312c236 0 327-133 327-310 0-176-91-307-329-307H370v617" id="i"/><path d="M370-1490V0H180v-1490h190" id="j"/><g id="a"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#h"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,15.33203125,0)" xlink:href="#i"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,29.524739583333332,0)" xlink:href="#j"/></g><path d="M130 0v-134l666-991c45-67 96-135 147-202-269 9-546 3-821 5v-168h1036v136L502-379c-49 72-103 145-157 216 268-9 546-3 821-5V0H130" id="k"/><path d="M628 24c-324 0-524-230-524-574 0-343 198-582 503-582 237 0 487 146 487 559v75H286c9 234 145 362 343 362 132 0 231-58 273-172l174 48C1024-91 857 24 628 24zM287-650h624c-17-190-120-322-304-322-192 0-309 151-320 322" id="l"/><path d="M158 0v-1490h180v865h22l478-493h223L593-638 1096 0H865L456-523 338-412V0H158" id="m"/><g id="b"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#k"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,13.975694444444445,0)" xlink:href="#l"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,26.93142361111111,0)" xlink:href="#l"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,39.88715277777778,0)" xlink:href="#m"/></g><path d="M783 20c-382 0-661-292-661-764 0-473 279-766 661-766 302 0 548 182 601 489h-190c-42-204-217-313-411-313-268 0-476 208-476 590 0 381 209 588 476 588 195 0 369-110 411-313h190c-52 303-296 489-601 489" id="n"/><path d="M338-1490V0H158v-1490h180" id="o"/><path d="M537 14c-226 0-379-139-379-422v-710h180v695c0 172 97 275 253 275 160 0 281-109 281-300v-670h181V0H879v-209C806-46 684 14 537 14" id="p"/><path d="M538 24C308 24 148-78 108-271l171-41c32 123 123 178 257 178 156 0 256-77 256-169 0-77-54-128-164-154l-186-44c-203-48-300-148-300-305 0-192 176-326 414-326 230 0 351 112 402 269l-163 42c-31-80-94-158-238-158-133 0-233 69-233 162 0 83 57 129 188 160l169 40c203 48 298 149 298 302 0 196-179 339-441 339" id="q"/><path d="M598-1118v154H368v674c0 100 37 144 132 144 23 0 62-6 92-12L629-6c-37 13-88 20-134 20-193 0-307-107-307-290v-688H20v-154h168v-266h180v266h230" id="r"/><path d="M158 0v-1118h174v172h12c41-113 157-188 290-188 26 0 70 2 91 3v181c-11-2-60-10-108-10-161 0-279 109-279 260V0H158" id="s"/><g id="c"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#n"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,16.23263888888889,0)" xlink:href="#o"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,21.614583333333336,0)" xlink:href="#p"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,34.75477430555556,0)" xlink:href="#q"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,46.484375,0)" xlink:href="#r"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,53.5373263888889,0)" xlink:href="#l"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,66.49305555555556,0)" xlink:href="#s"/></g><path d="M653-1490V0H466v-1314h-10L96-1047v-204l324-239h233" id="t"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#t" id="d"/><path d="M154 0v-137l495-537c165-179 249-281 249-418 0-156-121-253-280-253-170 0-278 110-278 278H158c0-264 200-443 465-443 266 0 455 183 455 416 0 161-73 288-336 568L416-179v12h687V0H154" id="u"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#u" id="e"/><path d="M180 0v-1490h224l606 953c40 63 108 177 176 312-27-437-7-821-13-1265h190V0h-226C860-448 622-778 356-1262c27 476 11 792 15 1262H180" id="v"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#v" id="f"/><path d="M295 13c-75 0-135-60-135-135s60-135 135-135 135 60 135 135S370 13 295 13" id="w"/><g id="g"><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,0,0)" xlink:href="#w"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,6.401909722222222,0)" xlink:href="#w"/><use transform="matrix(0.010850694444444444,0,0,0.010850694444444444,12.803819444444445,0)" xlink:href="#w"/></g></defs></g></svg>
\ No newline at end of file
diff --git a/doc/images/zeek-favicon.ico b/doc/images/zeek-favicon.ico
new file mode 100644
index 0000000000..c979c54037
Binary files /dev/null and b/doc/images/zeek-favicon.ico differ
diff --git a/doc/images/zeek-logo-sidebar.png b/doc/images/zeek-logo-sidebar.png
new file mode 100644
index 0000000000..8a5c0cc528
Binary files /dev/null and b/doc/images/zeek-logo-sidebar.png differ
diff --git a/doc/images/zeek-logo-text.png b/doc/images/zeek-logo-text.png
new file mode 100644
index 0000000000..1ea172adc3
Binary files /dev/null and b/doc/images/zeek-logo-text.png differ
diff --git a/doc/images/zeek-logo.png b/doc/images/zeek-logo.png
new file mode 100644
index 0000000000..b4cb7c2158
Binary files /dev/null and b/doc/images/zeek-logo.png differ
diff --git a/doc/index.rst b/doc/index.rst
new file mode 100644
index 0000000000..77d152833b
--- /dev/null
+++ b/doc/index.rst
@@ -0,0 +1,70 @@
+
+.. image:: /images/zeek-logo-text.png
+   :align: center
+
+==================
+Zeek Documentation
+==================
+
+.. important::
+
+  Make sure to read the :ref:`appropriate documentation version
+  <documentation-versioning>`.
+
+The purpose of this manual is to assist the Zeek community with implementing
+Zeek in their environments. It includes material on Zeek's unique
+capabilities, how to install it, how to interpret the default logs that Zeek
+generates, and how to modify Zeek to fit your needs. This documentation is the
+result of a volunteer community effort. If you would like to contribute, or
+want more information, please visit the `Zeek web page
+<https://zeek.org/getting-started-in-the-zeek-community/>`_ for details on how
+to connect with the community.
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Table of Contents
+
+   get-started
+   about
+   monitoring
+   log-formats
+   logs/index
+   scripting/index
+   frameworks/index
+   customizations
+   troubleshooting
+   script-reference/index
+   devel/index
+   components/index
+   acknowledgements
+
+* :ref:`Index <genindex>`
+
+.. _documentation-versioning:
+
+Documentation Versioning
+========================
+
+.. attention::
+
+  The Zeek codebase has three primary branches of interest to users so this
+  document is also maintained as three different versions, one associated with
+  each branch of Zeek.  The default version of `docs.zeek.org
+  <https://docs.zeek.org>`_ tracks Zeek's latest Git development:
+
+    * Git *master* branch: https://docs.zeek.org/en/master
+
+  If you instead use a Zeek Long-Term Support (LTS) or Feature release these
+  are the appropriate starting points:
+
+    * Long-Term Support Release: https://docs.zeek.org/en/lts
+    * Current Feature Release: https://docs.zeek.org/en/current
+
+  To help clarify which release you are using, the version numbering
+  scheme for the two release branches is described in the `Release
+  Cadence <https://github.com/zeek/zeek/wiki/Release-Cadence>`_ policy.
+
+  Documentation for older Zeek releases remains available for approximately one
+  full major-version release cycle, i.e., about a year. You can browse recent
+  versions via the fly-out menu in the bottom left, and find all available
+  versions on the `RTD website <https://readthedocs.org/projects/zeek-docs/versions/>`_.
diff --git a/doc/install.rst b/doc/install.rst
new file mode 100644
index 0000000000..f8cf15c652
--- /dev/null
+++ b/doc/install.rst
@@ -0,0 +1,140 @@
+
+.. _Homebrew: https://brew.sh
+.. _zkg package manager: https://docs.zeek.org/projects/package-manager/en/stable/
+
+.. _installing-zeek:
+
+===============
+Installing Zeek
+===============
+
+To run Zeek, grab our official Docker images, download our Linux binary
+packages, install via Homebrew_ on your Mac, use the ports collections on FreeBSD
+and OpenBSD. See the :doc:`building-from-source` section to build Zeek yourself. 
+For details about our release cadence and the significance of Zeek's version
+numbers, please refer to our `Release Cadence 
+<https://github.com/zeek/zeek/wiki/Release-Cadence>`_ wiki page.
+
+.. _docker-images:
+
+Docker Images
+=============
+
+We provide official Docker images on Docker Hub at https://hub.docker.com/u/zeek
+
+    * For the latest feature release: ``docker pull zeek/zeek:latest``
+    * For the latest LTS release: ``docker pull zeek/zeek:lts``
+    * For the latest release in a given series: ``docker pull zeek/zeek:7.2``
+    * For a specific release: ``docker pull zeek/zeek:7.0.8``
+    * For the nightly build: ``docker pull zeek/zeek-dev:latest``
+
+Additionally, we push these images to Amazon's Public Elastic Container
+Registry (ECR) in the `Zeek Project <https://gallery.ecr.aws/zeek>`_
+public gallery. To use Amazon's container registry instead of Docker Hub,
+prefix images with ``public.ecr.aws/zeek`` instead of ``zeek``.
+
+    * For instance, to pull the latest feature release: ``docker pull public.ecr.aws/zeek/zeek:latest``
+
+The images are Debian-based and feature a complete Zeek installation with ``zeek``,
+``zkg``, and the Spicy toolchain, but are otherwise minimal to avoid bloat in
+derived images. For example, if you'd like to install Zeek plugins in those
+images, you'll need to install their needed toolchain, typically at least
+``g++`` for compilation, ``cmake`` and ``make`` as build tools, and
+``libpcap-dev`` to build against Zeek headers. Similarly, you'll need ``g++``
+for Spicy's JIT compilation, as well as ``cmake`` and ``make`` to build Spicy
+analyzer packages.
+
+  .. code-block:: console
+
+    apt-get update
+    apt-get install -y --no-install-recommends g++ cmake make libpcap-dev
+
+The source files used to create the container images are on
+`GitHub <https://github.com/zeek/zeek/blob/master/docker>`_.
+
+.. _binary-packages:
+
+Binary Packages
+===============
+
+Linux
+-----
+
+We provide `binary packages <https://build.opensuse.org/project/show/security:zeek>`_
+for a wide range of Linux distributions via the `openSUSE Build Service
+<https://build.opensuse.org/>`_. To install, first add the relevant OBS
+package repository to your system, then use your system's package manager
+as usual.
+
+We provide the following groups of packages:
+
+    * ``zeek-X.0``: specific LTS release lines, currently `7.0.x <https://software.opensuse.org/download.html?project=security%3Azeek&package=zeek-7.0>`_ (`sources <https://build.opensuse.org/package/show/security:zeek/zeek-7.0>`__), `6.0.x <https://software.opensuse.org/download.html?project=security%3Azeek&package=zeek-6.0>`_ (`sources <https://build.opensuse.org/package/show/security:zeek/zeek-6.0>`__), and `5.0.x <https://software.opensuse.org/download.html?project=security%3Azeek&package=zeek-5.0>`_ (`sources <https://build.opensuse.org/package/show/security:zeek/zeek-5.0>`__).
+    * ``zeek``: the `latest Zeek release <https://software.opensuse.org//download.html?project=security%3Azeek&package=zeek>`_ (`sources <https://build.opensuse.org/package/show/security:zeek/zeek>`__)
+    * ``zeek-nightly``: our `nightly builds <https://software.opensuse.org/download.html?project=security%3Azeek&package=zeek-nightly>`_ (`sources <https://build.opensuse.org/package/show/security:zeek/zeek-nightly>`__)
+    * ``zeek-rc``: our `release candidates <https://software.opensuse.org/download.html?project=security%3Azeek&package=zeek-rc>`_ (`sources <https://build.opensuse.org/package/show/security:zeek/zeek-rc>`__)
+
+For example, for the latest Zeek 7.0 LTS release on Ubuntu 22.04 the steps look as follows:
+
+  .. code-block:: console
+
+     echo 'deb https://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
+     curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
+     sudo apt update
+     sudo apt install zeek-7.0
+
+.. note:: Our motivation for this approach is twofold. First, it guarantees LTS
+   users that they won't unexpectedly end up on a newer LTS line when it comes
+   out. For example, when you install the ``zeek-6.0`` packages, you will not
+   end up on Zeek 7.0 until you decide to switch. Second, it reflects the fact
+   that we consider our x.1 and x.2 feature release lines transient, because
+   they go out of support immediately once we move to the next line of feature
+   releases. Therefore, users of the ``zeek`` packages automatically obtain the
+   latest releases as we publish them.
+
+   In the past our binary packages also automatically transitioned our LTS users
+   to newer versions, via the older ``zeek-lts`` packages. These remain visible
+   on OBS but are no longer supported.
+
+The primary install prefix for binary packages is :file:`/opt/zeek` (depending
+on which version you’re using), and includes a complete Zeek environment with
+``zeek`` itself, the `zkg package manager`_, the Spicy toolchain, etc.
+
+See our `Binary Packages wiki page <https://github.com/zeek/zeek/wiki/Binary-Packages>`_
+for the latest updates on binary releases.
+
+macOS
+-----
+
+The Zeek `Homebrew formula <https://formulae.brew.sh/formula/zeek>`_
+provides binary packages ("bottles"). To install:
+
+  .. code-block:: console
+
+     brew install zeek
+
+These packages are not maintained by the Zeek project.
+
+FreeBSD
+-------
+
+Zeek is available from the `FreeBSD ports collection <https://www.freshports.org/security/zeek>`_.
+To install:
+
+  .. code-block:: console
+
+     sudo pkg install -y zeek
+
+These packages are not maintained by the Zeek project.
+
+OpenBSD
+-------
+
+Zeek is available from the `OpenBSD ports collection <https://ports.to/path/net/bro.html>`_.
+To install:
+
+  .. code-block:: console
+
+     sudo pkg_add zeek
+
+These packages are not maintained by the Zeek project.
+
diff --git a/doc/log-formats.rst b/doc/log-formats.rst
new file mode 100644
index 0000000000..d239a1acf1
--- /dev/null
+++ b/doc/log-formats.rst
@@ -0,0 +1,657 @@
+.. _logschema: https://github.com/zeek/logschema
+
+===============================
+Zeek Log Formats and Inspection
+===============================
+
+Zeek creates a variety of logs when run in its default configuration. This
+data can be intimidating for a first-time user. In this section, we will
+process a sample packet trace with Zeek, and take a brief look at the sorts
+of logs Zeek creates. We will look at logs created in Zeek's traditional TSV
+format, how to switch to logging in JSON format, and assorted tooling to
+help you work with the logs. Finally, we'll cover Zeek's support for log
+schemas that describe what Zeek's logs look like in detail.
+
+Working with a Sample Trace
+===========================
+
+For the examples that follow, we will use Zeek on a Linux system to process
+network traffic captured and stored to disk. We saved this trace file earlier
+in packet capture (PCAP) format as :file:`tm1t.pcap`. The command line protocol
+analyzer Tcpdump, which ships with most Unix-like distributions, summarizes the
+contents of this file.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test$ tcpdump -n -r tm1t.pcap
+
+::
+
+  reading from file tm1t.pcap, link-type EN10MB (Ethernet)
+  14:39:59.305988 IP 192.168.4.76.36844 > 192.168.4.1.53: 19671+ A? testmyids.com. (31)
+  14:39:59.306059 IP 192.168.4.76.36844 > 192.168.4.1.53: 8555+ AAAA? testmyids.com. (31)
+  14:39:59.354577 IP 192.168.4.1.53 > 192.168.4.76.36844: 8555 0/1/0 (94)
+  14:39:59.372840 IP 192.168.4.1.53 > 192.168.4.76.36844: 19671 1/0/0 A 31.3.245.133 (47)
+  14:39:59.430166 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [S], seq 3723031366, win 65535, options [mss 1460,sackOK,TS val 3137978796 ecr 0,nop,wscale 11], length 0
+  14:39:59.512232 IP 31.3.245.133.80 > 192.168.4.76.46378: Flags [S.], seq 2993782376, ack 3723031367, win 28960, options [mss 1460,sackOK,TS val 346747623 ecr 3137978796,nop,wscale 7], length 0
+  14:39:59.512284 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [.], ack 1, win 32, options [nop,nop,TS val 3137978878 ecr 346747623], length 0
+  14:39:59.512593 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [P.], seq 1:78, ack 1, win 32, options [nop,nop,TS val 3137978878 ecr 346747623], length 77: HTTP: GET / HTTP/1.1
+  14:39:59.600488 IP 31.3.245.133.80 > 192.168.4.76.46378: Flags [.], ack 78, win 227, options [nop,nop,TS val 346747711 ecr 3137978878], length 0
+  14:39:59.604000 IP 31.3.245.133.80 > 192.168.4.76.46378: Flags [P.], seq 1:296, ack 78, win 227, options [nop,nop,TS val 346747713 ecr 3137978878], length 295: HTTP: HTTP/1.1 200 OK
+  14:39:59.604020 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [.], ack 296, win 33, options [nop,nop,TS val 3137978970 ecr 346747713], length 0
+  14:39:59.604493 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [F.], seq 78, ack 296, win 33, options [nop,nop,TS val 3137978970 ecr 346747713], length 0
+  14:39:59.684281 IP 31.3.245.133.80 > 192.168.4.76.46378: Flags [F.], seq 296, ack 79, win 227, options [nop,nop,TS val 346747796 ecr 3137978970], length 0
+  14:39:59.684346 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [.], ack 297, win 33, options [nop,nop,TS val 3137979050 ecr 346747796], length 0
+
+This is a simple exchange involving domain name system (DNS) traffic followed
+by HyperText Transfer Protocol (HTTP) traffic.
+
+Rather than run Zeek against a live interface, we will ask Zeek to digest this
+trace. This process allows us to vary Zeek’s run-time operation, keeping the
+traffic constant.
+
+First we make two directories to store the log files that Zeek will produce.
+Then we will move into the “default” directory.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test$ mkdir default
+  zeek@zeek:~/zeek-test$ mkdir json
+  zeek@zeek:~/zeek-test$ cd default/
+
+Zeek TSV Format Logs
+====================
+
+From this location on disk, we tell Zeek to digest the :file:`tm1t.pcap` file.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ zeek -C -r ../tm1t.pcap
+
+The ``-r`` flag tells Zeek where to find the trace of interest.
+
+The ``-C`` flag tells Zeek to ignore any TCP checksum errors. This happens on
+many systems due to a feature called “checksum offloading,” but it does not
+affect our analysis.
+
+Zeek completes its task without reporting anything to the command line. This is
+standard Unix-like behavior. Using the :program:`ls` command we see what files
+Zeek created when processing the trace.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ ls -al
+
+::
+
+  total 28
+  drwxrwxr-x 2 zeek zeek 4096 Jun  5 14:48 .
+  drwxrwxr-x 4 zeek zeek 4096 Jun  5 14:43 ..
+  -rw-rw-r-- 1 zeek zeek  737 Jun  5 14:48 conn.log
+  -rw-rw-r-- 1 zeek zeek  778 Jun  5 14:48 dns.log
+  -rw-rw-r-- 1 zeek zeek  712 Jun  5 14:48 files.log
+  -rw-rw-r-- 1 zeek zeek  883 Jun  5 14:48 http.log
+  -rw-rw-r-- 1 zeek zeek  254 Jun  5 14:48 packet_filter.log
+
+Zeek created five files. We will look at the contents of Zeek log data in
+detail in later sections. For now, we will take a quick look at each file,
+beginning with the :file:`conn.log`.
+
+We use the :program:`cat` command to show the contents of each log.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat conn.log
+
+::
+
+  #separator \x09
+  #set_separator  ,
+  #empty_field    (empty)
+  #unset_field    -
+  #path   conn
+  #open   2020-06-05-14-48-32
+  #fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   service duration        orig_bytes      resp_bytes      conn_state    local_orig      local_resp      missed_bytes    history orig_pkts       orig_ip_bytes   resp_pkts       resp_ip_bytes   tunnel_parents  ip_proto
+  #types  time    string  addr    port    addr    port    enum    string  interval        count   count   string  bool    bool    count   string  count   count count    count   set[string]    count
+  1591367999.305988       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     dns     0.066852        62      141     SF      -    -0       Dd      2       118     2       197     -       17
+  1591367999.430166       CLqEx41jYPOdfHF586      192.168.4.76    46378   31.3.245.133    80      tcp     http    0.254115        77      295     SF      -    -0       ShADadFf        6       397     4       511     -       6
+  #close  2020-06-05-14-48-32
+
+Next we look at Zeek’s :file:`dns.log`.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat dns.log
+
+::
+
+  #separator \x09
+  #set_separator  ,
+  #empty_field    (empty)
+  #unset_field    -
+  #path   dns
+  #open   2020-06-05-14-48-32
+  #fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   trans_id        rtt     query   qclass  qclass_name     qtypeqtype_name       rcode   rcode_name      AA      TC      RD      RA      Z       answers TTLs    rejected
+  #types  time    string  addr    port    addr    port    enum    count   interval        string  count   string  count   string  count   string  bool    bool bool     bool    count   vector[string]  vector[interval]        bool
+  1591367999.306059       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     8555    -       testmyids.com   1       C_INTERNET   28       AAAA    0       NOERROR F       F       T       F       0       -       -       F
+  1591367999.305988       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     19671   0.066852        testmyids.com   1       C_INTERNET    1       A       0       NOERROR F       F       T       T       0       31.3.245.133    3600.000000     F
+  #close  2020-06-05-14-48-32
+
+Next we look at Zeek’s :file:`files.log`.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat files.log
+
+::
+
+  #separator \x09
+  #set_separator  ,
+  #empty_field    (empty)
+  #unset_field    -
+  #path   files
+  #open   2020-06-05-14-48-32
+  #fields ts      fuid    uid     id.orig_h       id.origh_p      id.resp_h       id.resp_p       source  depth   analyzers       mime_type       filename        duration        local_orig    is_orig seen_bytes      total_bytes     missing_bytes   overflow_bytes  timedout        parent_fuid     md5     sha1    sha256  extracted       extracted_cutoff      extracted_size
+  #types  time    string  string  addr    port    addr    port    string  count   set[string]     string  string  interval        bool    bool    countcount    count   count   bool    string  string  string  string  string  bool    count
+  1591367999.604000       FEEsZS1w0Z0VJIb5x4      CLqEx41jYPOdfHF586      192.168.4.76    46378   31.3.245.133    80      HTTP    0       (empty) text/plain      -       0.000000      -       F       39      39      0       0       F       -       -       -       -       -       -       -
+  #close  2020-06-05-14-48-32
+
+Next we look at Zeek’s :file:`http.log`.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat http.log
+
+::
+
+  #separator \x09
+  #set_separator  ,
+  #empty_field    (empty)
+  #unset_field    -
+  #path   http
+  #open   2020-06-05-14-48-32
+  #fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       trans_depth     method  host    uri     referrer        version user_agent    origin  request_body_len        response_body_len       status_code     status_msg      info_code       info_msg        tags    username        password      proxied orig_fuids      orig_filenames  orig_mime_types resp_fuids      resp_filenames  resp_mime_types
+  #types  time    string  addr    port    addr    port    count   string  string  string  string  string  string  string  count   count   count   string  countstring   set[enum]       string  string  set[string]     vector[string]  vector[string]  vector[string]  vector[string]  vector[string]  vector[string]
+  1591367999.512593       CLqEx41jYPOdfHF586      192.168.4.76    46378   31.3.245.133    80      1       GET     testmyids.com   /       -       1.1     curl/7.47.0   -       0       39      200     OK      -       -       (empty) -       -       -       -       -       -       FEEsZS1w0Z0VJIb5x4      -       text/plain
+  #close  2020-06-05-14-48-32
+
+Finally, we look at Zeek’s :file:`packet_filter.log`.  This log shows any
+filters that Zeek applied when processing the trace.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat packet_filter.log
+
+::
+
+  #separator \x09
+  #set_separator  ,
+  #empty_field    (empty)
+  #unset_field    -
+  #path   packet_filter
+  #open   2020-06-05-14-48-32
+  #fields ts      node    filter  init    success
+  #types  time    string  string  bool    bool
+  1591368512.420771       zeek    ip or not ip    T       T
+  #close  2020-06-05-14-48-32
+
+As we can see with each log file, there is a set of headers beginning with the
+hash character (``#``) followed by metadata about the trace. This format is the
+standard version of Zeek data, represented as tab separated values (TSV).
+
+Interpreting this data as shown requires remembering which “column” applies to
+which “value.” For example, in the :file:`dns.log`, the third field is
+``id.orig_h``, so when we see data in that field, such as ``192.168.4.76``, we
+know that ``192.168.4.76`` is ``id.orig_h``.
+
+One of the common use cases for interacting with Zeek log files requires
+analyzing specific fields. Investigators may not need to see all of the fields
+produced by Zeek when solving a certain problem. The following sections offer a
+few ways to address this concern when processing Zeek logs in text format.
+
+Zeek TSV Format and :program:`awk`
+==================================
+
+A very traditional way of interacting with Zeek logs involves using native
+Unix-like text processing tools like :program:`awk`. Awk requires specifying
+the fields of interest as positions in the log file. Take a second look at the
+:file:`dns.log` entry above, and consider the parameters necessary to view only
+the source IP address, the query, and the response. These values appear in the
+3rd, 10th, and 22nd fields in the Zeek TSV log entries. Therefore, we could
+invoke :program:`awk` using the following syntax:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ awk '/^[^#]/ {print $3, $10, $22}' dns.log
+
+::
+
+  192.168.4.76 testmyids.com -
+  192.168.4.76 testmyids.com 31.3.245.133
+
+Now we have a much more compact view, with just the fields we want.
+Unfortunately, this requires specifying fields by location. If we were to
+modify the log output, or if the Zeek project were to change the log output,
+any scripts we built using :program:`awk` and field locations would require
+modification.  For this reason, the Zeek project recommends alternatives like
+the following.
+
+Zeek TSV Format and :program:`zeek-cut`
+=======================================
+
+The Zeek project provides a tool called :program:`zeek-cut` to make it easier
+for analysts to interact with Zeek logs in TSV format. It parses the header in
+each file and allows the user to refer to the specific columnar data available.
+This is in contrast to tools like :program:`awk` that require the user to refer
+to fields referenced by their position.
+
+Consider the :file:`dns.log` generated earlier. If we process it with
+:program:`zeek-cut`, without any modifications, this is the result:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut
+
+::
+
+  1591367999.306059       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     8555    -       testmyids.com   1       C_INTERNET   28       AAAA    0       NOERROR F       F       T       F       0       -       -       F
+  1591367999.305988       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     19671   0.066852        testmyids.com   1       C_INTERNET    1       A       0       NOERROR F       F       T       T       0       31.3.245.133    3600.000000     F
+
+That is the :file:`dns.log`, minus the header fields showed earlier. Note we
+have to invoke the cat utility in a pipeline to process files with
+:program:`zeek-cut`.
+
+If we pass :program:`zeek-cut` the fields we wish to see, the output looks like
+this:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut id.orig_h query answers
+
+::
+
+  192.168.4.76    testmyids.com   -
+  192.168.4.76    testmyids.com   31.3.245.133
+
+The sequence of field names given to :program:`zeek-cut` determines the output
+order. This means you can also use :program:`zeek-cut` to reorder fields. For
+example:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut query answers id.orig_h
+
+::
+
+  testmyids.com   -               192.168.4.76
+  testmyids.com   31.3.245.133    192.168.4.76
+
+This feature can be helpful when piping output into programs like :program:`sort`.
+
+:program:`zeek-cut` uses output redirection through the :program:`cat` command
+and ``|`` operator. Whereas tools like :program:`awk` allow you to indicate the
+log file as a command line option, :program:`zeek-cut` only takes input through
+redirection such as ``|`` and ``<``.
+
+For example, instead of using :program:`cat` and the pipe redirector, we could
+obtain the previous output with this syntax:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ zeek-cut id.orig_h query answers < dns.log
+
+::
+
+  192.168.4.76    testmyids.com   -
+  192.168.4.76    testmyids.com   31.3.245.133
+
+Note that in its default setup using ZeekControl (but not with a simple
+command-line invocation like ``zeek -i eth0``), watching a live interface and
+writing logs to disk, Zeek will rotate log files on an hourly basis. Zeek will
+move the current log file into a directory named using the format
+``YYYY-MM-DD``. Zeek will use :program:`gzip` to compress the file with a naming
+convention that includes the log file type and time range of the file.
+
+When processing a compressed log file, use the :program:`zcat` tool instead of
+:program:`cat` to read the file. Consider working with the gzip-encoding file
+created in the following example. For demonstration purposes, we create a copy
+of the :file:`dns.log` file as :file:`dns1.log`, :program:`gzip` it, and then
+read it with :program:`zcat` instead of :program:`cat`.
+
+.. code-block:: console
+
+  so16@so16:~/zeek-test/default$ cp dns.log dns1.log
+  so16@so16:~/zeek-test/default$ gzip dns1.log
+  so16@so16:~/zeek-test/default$ zcat dns1.log.gz
+
+::
+
+  #separator \x09
+  #set_separator  ,
+  #empty_field    (empty)
+  #unset_field    -
+  #path   dns
+  #open   2020-06-05-14-48-32
+  #fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   trans_id        rtt     query   qclass  qclass_name     qtypeqtype_name       rcode   rcode_name      AA      TC      RD      RA      Z       answers TTLs    rejected
+  #types  time    string  addr    port    addr    port    enum    count   interval        string  count   string  count   string  count   string  bool    bool bool     bool    count   vector[string]  vector[interval]        bool
+  1591367999.306059       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     8555    -       testmyids.com   1       C_INTERNET   28       AAAA    0       NOERROR F       F       T       F       0       -       -       F
+  1591367999.305988       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     19671   0.066852        testmyids.com   1       C_INTERNET    1       A       0       NOERROR F       F       T       T       0       31.3.245.133    3600.000000     F
+  #close  2020-06-05-14-48-32
+
+:program:`zeek-cut` accepts the flag ``-d`` to convert the epoch time values in
+the log files to human-readable format. For example, observe the default
+timestamp value:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ zcat dns1.log.gz | zeek-cut ts id.orig_h query answers
+
+::
+
+  1591367999.306059       192.168.4.76    testmyids.com   -
+  1591367999.305988       192.168.4.76    testmyids.com   31.3.245.133
+
+Now see the effect of using the ``-d`` flag:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut -d ts id.orig_h query answers
+
+::
+
+  2020-06-05T14:39:59+0000        192.168.4.76    testmyids.com   -
+  2020-06-05T14:39:59+0000        192.168.4.76    testmyids.com   31.3.245.133
+
+Converting the timestamp from a log file to UTC can be accomplished with the
+``-u`` option.
+
+The default time format when using the ``-d`` or ``-u`` is the ``strftime``
+format string ``%Y-%m-%dT%H:%M:%S%z`` which results in a string with year,
+month, day of month, followed by hour, minutes, seconds and the timezone
+offset.
+
+The default format can be altered by using the ``-D`` and ``-U`` flags, using the
+standard ``strftime`` syntax. For example, to format the timestamp in the
+US-typical “Middle Endian” you could use a format string of:
+``%m-%d-%YT%H:%M:%S%z``
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut -D %d-%m-%YT%H:%M:%S%z ts id.orig_h query answers
+
+::
+
+  06-05-2020T14:39:59+0000        192.168.4.76    testmyids.com   -
+  06-05-2020T14:39:59+0000        192.168.4.76    testmyids.com   31.3.245.133
+
+Using :program:`awk` and :program:`zeek-cut` have been the traditional method
+of interacting with Zeek logs. In the next section we will look at the
+possibilities once we enable an alternative output format.
+
+Zeek JSON Format Logs
+=====================
+
+During the last decade, the JavaScript Object Notation (JSON) format has become
+a standard way to label and store many types of data. Zeek offers support for
+this format. In the following example we will re-run the :file:`tm1t.pcap` trace
+through Zeek, but request that it output logs in JSON format.
+
+First we change into the json directory to avoid overwriting our existing log
+files.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/default$ cd ../json/
+
+Next we tell Zeek to output logs in JSON format using the command as shown.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ zeek -C -r ../tm1t.pcap LogAscii::use_json=T
+
+When we look at the directory contents, we see the same five output files.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ ls -al
+
+::
+
+  total 28
+  drwxrwxr-x 2 zeek zeek 4096 Jun  5 14:47 .
+  drwxrwxr-x 4 zeek zeek 4096 Jun  5 14:43 ..
+  -rw-rw-r-- 1 zeek zeek  708 Jun  5 14:47 conn.log
+  -rw-rw-r-- 1 zeek zeek  785 Jun  5 14:47 dns.log
+  -rw-rw-r-- 1 zeek zeek  325 Jun  5 14:47 files.log
+  -rw-rw-r-- 1 zeek zeek  405 Jun  5 14:47 http.log
+  -rw-rw-r-- 1 zeek zeek   90 Jun  5 14:47 packet_filter.log
+
+However, if we look at the file contents, the format is much different.
+
+First we look at :file:`packet_filter.log`.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ cat packet_filter.log
+
+::
+
+  {"ts":1591368442.854585,"node":"zeek","filter":"ip or not ip","init":true,"success":true}
+
+Next we look at :file:`conn.log` and :file:`dns.log`:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ cat conn.log
+
+::
+
+  {"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.06685185432434082,"orig_bytes":62,"resp_bytes":141,"conn_state":"SF","missed_bytes":0,"history":"Dd","orig_pkts":2,"orig_ip_bytes":118,"resp_pkts":2,"resp_ip_bytes":197,"ip_proto":17}
+  {"ts":1591367999.430166,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"proto":"tcp","service":"http","duration":0.25411510467529297,"orig_bytes":77,"resp_bytes":295,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":397,"resp_pkts":4,"resp_ip_bytes":511,"ip_proto":6}
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ cat dns.log
+
+::
+
+  {"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}
+  {"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600.0],"rejected":false}
+
+Next we look at :file:`files.log`.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ cat files.log
+
+::
+
+  {"ts":1591367999.604,"fuid":"FEEsZS1w0Z0VJIb5x4","uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"source":"HTTP","depth":0,"analyzers":[],"mime_type":"text/plain","duration":0.0,"is_orig":false,"seen_bytes":39,"total_bytes":39,"missing_bytes":0,"overflow_bytes":0,"timedout":false}
+
+Next we look at the :file:`http.log`.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ cat http.log
+
+::
+
+  {"ts":1591367999.512593,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"trans_depth":1,"method":"GET","host":"testmyids.com","uri":"/","version":"1.1","user_agent":"curl/7.47.0","request_body_len":0,"response_body_len":39,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FEEsZS1w0Z0VJIb5x4"],"resp_mime_types":["text/plain"]}
+
+Comparing the two log styles, we see strengths and weaknesses for each. For
+example, the TSV format shows the Zeek types associated with each entry, such
+as ``string``, ``addr``, ``port``, and so on. The JSON format does not include
+that data.  However, the JSON format associates each field “key” with a
+“value,” such as ``"id.orig_p":46378``. While this necessarily increases the
+amount of disk space used to store the raw logs, it makes it easier for
+analysts and software to interpret the data, as the key is directly associated
+with the value that follows. For this reason, most developers and analysts have
+adopted the JSON output format for Zeek logs. That is the format we will use
+for the log analysis sections of the documentation.
+
+Zeek JSON Format and :program:`jq`
+==================================
+
+Analysts sometimes choose to inspect JSON-formatted Zeek files using
+applications that recognize JSON format, such as :program:`jq`,  which is a
+JSON parser by Stephen Dolan, available at GitHub
+(https://stedolan.github.io/jq/). It may already be installed on your Unix-like
+system.
+
+In the following example we process the :file:`dns.log` file with the ``.``
+filter, which tells :program:`jq` to simply output what it finds in the file.
+By default :program:`jq` outputs JSON formatted data in its “pretty-print”
+style, which puts one key:value pair on each line as shown.
+
+.. code-block:: console
+
+  so16@so16:~/zeek-test/json$ jq . dns.log
+
+::
+
+  {
+    "ts": 1591367999.306059,
+    "uid": "CMdzit1AMNsmfAIiQc",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 36844,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 53,
+    "proto": "udp",
+    "trans_id": 8555,
+    "query": "testmyids.com",
+    "qclass": 1,
+    "qclass_name": "C_INTERNET",
+    "qtype": 28,
+    "qtype_name": "AAAA",
+    "rcode": 0,
+    "rcode_name": "NOERROR",
+    "AA": false,
+    "TC": false,
+    "RD": true,
+    "RA": false,
+    "Z": 0,
+    "rejected": false
+  }
+  {
+    "ts": 1591367999.305988,
+    "uid": "CMdzit1AMNsmfAIiQc",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 36844,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 53,
+    "proto": "udp",
+    "trans_id": 19671,
+    "rtt": 0.06685185432434082,
+    "query": "testmyids.com",
+    "qclass": 1,
+    "qclass_name": "C_INTERNET",
+    "qtype": 1,
+    "qtype_name": "A",
+    "rcode": 0,
+    "rcode_name": "NOERROR",
+    "AA": false,
+    "TC": false,
+    "RD": true,
+    "RA": true,
+    "Z": 0,
+    "answers": [
+      "31.3.245.133"
+    ],
+    "TTLs": [
+      3600
+    ],
+    "rejected": false
+  }
+
+We can tell :program:`jq` to output what it sees in “compact” format using the
+``-c`` switch.
+
+.. code-block:: console
+
+  so16@so16:~/zeek-test/json$ jq . -c dns.log
+
+::
+
+  {"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}
+  {"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600],"rejected":false}
+
+The power of :program:`jq` becomes evident when we decide we only want to see
+specific values. For example, the following tells :program:`jq` to look at the
+:file:`dns.log` and report the source IP of systems doing DNS queries, followed
+by the query, and any answer to the query.
+
+.. code-block:: console
+
+  so16@so16:~/zeek-test/json$ jq -c '[."id.orig_h", ."query", ."answers"]' dns.log
+
+::
+
+  ["192.168.4.76","testmyids.com",null]
+  ["192.168.4.76","testmyids.com",["31.3.245.133"]]
+
+For a more comprehensive description of the capabilities of :program:`jq`,
+see the `jq manual <https://stedolan.github.io/jq/manual/>`_.
+
+With this basic understanding of how to interact with Zeek logs, we can now
+turn to specific logs and interpret their values.
+
+Log Schemas
+===========
+
+It's important to note that the exact set and shape of Zeek's logs is highly
+site-dependent.  While every Zeek version ships with a set of logs enabled by
+default, it also includes optional ones that you're welcome to enable.  (Feel
+free to peruse the :ref:`full set<log-files>`.)  In addition, many of Zeek's
+`add-on packages <https://packages.zeek.org/>`_ introduce logs of their own, or
+enrich existing ones with additional metadata.  And finally, Zeek's
+:ref:`logging framework <framework-logging>` lets you apply your own log
+customizations with a bit of scripting.
+
+Zeek's `logschema <https://github.com/zeek/logschema>`_ package helps you
+understand your Zeek logs. It produces log schemas that detail your
+installation's set of logs and their fields.  For each field, the schemas
+provide rich metadata including name, type, and docstrings. They can also
+explain the source of a field, such as the specific script or the name of the
+Zeek package that added it. Log schemas are also a great way to understand how
+and whether your logs change when you upgrade to a newer version of Zeek.
+
+To produce schemas, you need to tell Zeek which schema exporters to load.
+An easy way to do this is to simply start Zeek with your installed packages
+and an exporter of your choice. To get started, try the following:
+
+  .. code-block:: console
+
+    $ zkg install logschema
+    $ zeek logschema/export/jsonschema packages
+
+Your local directory will now contain a JSON Schema description for each of your
+installation's logs.
+
+  .. code-block:: console
+
+    $ cat zeek-conn-log.schema.json | jq
+    {
+      "$schema": "https://json-schema.org/draft/2020-12/schema",
+      "title": "Schema for Zeek conn.log",
+      "description": "JSON Schema for Zeek conn.log",
+      "type": "object",
+      "properties": {
+        "ts": {
+          "description": "This is the time of the first packet.",
+          "type": "number",
+          "examples": [
+            "1737691432.132607"
+          ],
+          "x-zeek": {
+            "type": "time",
+            "record_type": "Conn::Info",
+            "is_optional": false,
+            "script": "base/protocols/conn/main.zeek"
+          }
+        },
+    ...
+    }
+
+The logschema package supports a range of schema formats including JSON Schema
+and CSV, and works with Zeek 5.2 and newer. Take a look at the package's
+`documentation <https://github.com/zeek/logschema>`_ for details.
diff --git a/doc/logs/analyzer.rst b/doc/logs/analyzer.rst
new file mode 100644
index 0000000000..67933a40f1
--- /dev/null
+++ b/doc/logs/analyzer.rst
@@ -0,0 +1,403 @@
+============
+analyzer.log
+============
+
+Dynamic protocol detection (DPD) is a method by which Zeek identifies protocols
+on ports beyond those used as standard services. Rather than selecting which
+application protocol analyzer to use based on a connection’s server port,
+Zeek’s dynamic analyzer framework associates an analyzer tree with every
+connection. This analyzer tree permits Zeek to perform protocol analysis
+independently of port numbers.
+
+By using a set of signatures which match typical protocol dialogues, Zeek is
+able to look at payload to find the correct analyzers. When such a signature
+matches, it turns on the corresponding analyzer to confirm it. Zeek can turn
+off analyzers when it becomes obvious that they are parsing the wrong protocol.
+This allows Zeek to use “loose” protocol signatures, and, if in doubt, try
+multiple analyzers in parallel.
+
+Zeek’s :file:`analyzer.log` reports problems with the DPD mechanism. This section
+provides examples of this reporting in action.
+
+For full details on each field in the :file:`analyzer.log` file, please refer to
+:zeek:see:`Analyzer::Logging::Info`.
+
+.. note::
+
+   This log underwent a revamp in Zeek 8.0 and resembles what dpd.log provided
+   in older versions of Zeek. Please review Zeek 8.0's release notes for more
+   details on the changes in this log.
+
+One Specific Example
+====================
+
+The following is an example of traffic that generated a :file:`analyzer.log` entry.
+
+:program:`tcpdump` and :program:`tshark`
+----------------------------------------
+
+:program:`tcpdump` reports the traffic as follows::
+
+  02:44:24.274569 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [S], seq 163388510, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
+  02:44:24.339007 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [S.], seq 3902980842, ack 163388511, win 14600, options [mss 1460,nop,wscale 8], length 0
+  02:44:24.340486 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [.], ack 1, win 513, length 0
+  02:44:24.340668 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
+  02:44:24.407539 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [.], ack 518, win 62, length 0
+  02:44:24.410681 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [P.], seq 1:468, ack 518, win 62, length 467
+  02:44:24.411048 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [F.], seq 468, ack 518, win 62, length 0
+  02:44:24.412575 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [.], ack 469, win 511, length 0
+  02:44:24.412857 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [P.], seq 518:525, ack 469, win 511, length 7
+  02:44:24.412860 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [F.], seq 525, ack 469, win 511, length 0
+  02:44:24.477936 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [.], ack 526, win 62, length 0
+
+On the face of it, there does not appear to be anything unusual about this
+traffic. It appears to be a brief session to TCP port 443.
+
+:program:`tshark` reports the traffic as follows:
+
+.. literal-emph::
+
+    2 192.168.4.142 50540 184.168.176.1 443 TCP 66 50540 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
+    4 184.168.176.1 443 192.168.4.142 50540 TCP 62 443 → 50540 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 WS=256
+    6 192.168.4.142 50540 184.168.176.1 443 TCP 60 50540 → 443 [ACK] Seq=1 Ack=1 Win=131328 Len=0
+    7 192.168.4.142 50540 184.168.176.1 443 TLSv1 571 Client Hello
+    9 184.168.176.1 443 192.168.4.142 50540 TCP 60 443 → 50540 [ACK] Seq=1 Ack=518 Win=15872 Len=0
+   **10 184.168.176.1 443 192.168.4.142 50540 HTTP 521 HTTP/1.1 400 Bad Request  (text/html)**
+   11 184.168.176.1 443 192.168.4.142 50540 TCP 60 443 → 50540 [FIN, ACK] Seq=468 Ack=518 Win=15872 Len=0
+   13 192.168.4.142 50540 184.168.176.1 443 TCP 60 50540 → 443 [ACK] Seq=518 Ack=469 Win=130816 Len=0
+   14 192.168.4.142 50540 184.168.176.1 443 TCP 61 50540 → 443 [PSH, ACK] Seq=518 Ack=469 Win=130816 Len=7
+   15 192.168.4.142 50540 184.168.176.1 443 TCP 60 50540 → 443 [FIN, ACK] Seq=525 Ack=469 Win=130816 Len=0
+   24 184.168.176.1 443 192.168.4.142 50540 TCP 60 443 → 50540 [ACK] Seq=469 Ack=526 Win=15872 Len=0
+
+:program:`tshark` reveals something weird is happening here. Frame 10 shows
+that :program:`tshark` decoded a plain-text HTTP message from port 443 TCP.
+This should not be happening. A second look shows that the TLS session did not
+appear to complete, as there is no response to the TLS client hello message.
+
+Here is frame 10 in detail. I passed :program:`tshark` the ``-x`` switch to
+provide a hex and ASCII output at the end.
+
+.. literal-emph::
+
+  Frame 10: 521 bytes on wire (4168 bits), 521 bytes captured (4168 bits)
+      Encapsulation type: Ethernet (1)
+      Arrival Time: Dec 10, 2020 02:44:24.410681000 UTC
+      [Time shift for this packet: 0.000000000 seconds]
+      Epoch Time: 1607568264.410681000 seconds
+      [Time delta from previous captured frame: 0.003142000 seconds]
+      [Time delta from previous displayed frame: 0.003142000 seconds]
+      [Time since reference or first frame: 0.136113000 seconds]
+      Frame Number: 10
+      Frame Length: 521 bytes (4168 bits)
+      Capture Length: 521 bytes (4168 bits)
+      [Frame is marked: False]
+      [Frame is ignored: False]
+      [Protocols in frame: eth:ethertype:ip:tcp:http:data-text-lines]
+  Ethernet II, Src: fc:ec:da:49:e0:10, Dst: 60:f2:62:3c:9c:68
+      Destination: 60:f2:62:3c:9c:68
+          Address: 60:f2:62:3c:9c:68
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Source: fc:ec:da:49:e0:10
+          Address: fc:ec:da:49:e0:10
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Type: IPv4 (0x0800)
+  Internet Protocol Version 4, Src: 184.168.176.1, Dst: 192.168.4.142
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 507
+      Identification: 0xcc4e (52302)
+      Flags: 0x4000, Don't fragment
+          0... .... .... .... = Reserved bit: Not set
+          .1.. .... .... .... = Don't fragment: Set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 55
+      Protocol: TCP (6)
+      Header checksum: 0x47ce [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 184.168.176.1
+      Destination: 192.168.4.142
+  Transmission Control Protocol, Src Port: 443, Dst Port: 50540, Seq: 1, Ack: 518, Len: 467
+      Source Port: 443
+      Destination Port: 50540
+      [Stream index: 1]
+      [TCP Segment Len: 467]
+      Sequence number: 1    (relative sequence number)
+      [Next sequence number: 468    (relative sequence number)]
+      Acknowledgment number: 518    (relative ack number)
+      0101 .... = Header Length: 20 bytes (5)
+      Flags: 0x018 (PSH, ACK)
+          000. .... .... = Reserved: Not set
+          ...0 .... .... = Nonce: Not set
+          .... 0... .... = Congestion Window Reduced (CWR): Not set
+          .... .0.. .... = ECN-Echo: Not set
+          .... ..0. .... = Urgent: Not set
+          .... ...1 .... = Acknowledgment: Set
+          .... .... 1... = Push: Set
+          .... .... .0.. = Reset: Not set
+          .... .... ..0. = Syn: Not set
+          .... .... ...0 = Fin: Not set
+          [TCP Flags: ·······AP···]
+      Window size value: 62
+      [Calculated window size: 15872]
+      [Window size scaling factor: 256]
+      Checksum: 0xde95 [unverified]
+      [Checksum Status: Unverified]
+      Urgent pointer: 0
+      [SEQ/ACK analysis]
+          [iRTT: 0.065917000 seconds]
+          [Bytes in flight: 467]
+          [Bytes sent since last PSH flag: 467]
+      [Timestamps]
+          [Time since first frame in this TCP stream: 0.136112000 seconds]
+          [Time since previous frame in this TCP stream: 0.003142000 seconds]
+      TCP payload (467 bytes)
+  **Hypertext Transfer Protocol**
+      **[Expert Info (Warning/Security): Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.]**
+          **[Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.]**
+          **[Severity level: Warning]**
+          **[Group: Security]**
+      **HTTP/1.1 400 Bad Request\r\n**
+          [Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n]
+              [HTTP/1.1 400 Bad Request\r\n]
+              [Severity level: Chat]
+              [Group: Sequence]
+          Response Version: HTTP/1.1
+          Status Code: 400
+          [Status Code Description: Bad Request]
+          Response Phrase: Bad Request
+      Date: Thu, 10 Dec 2020 02:44:24 GMT\r\n
+      Server: Apache\r\n
+      Content-Length: 301\r\n
+          [Content length: 301]
+      Connection: close\r\n
+      Content-Type: text/html; charset=iso-8859-1\r\n
+      \r\n
+      [HTTP response 1/1]
+      File Data: 301 bytes
+  Line-based text data: text/html (10 lines)
+      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n
+      <html><head>\n
+      <title>400 Bad Request</title>\n
+      </head><body>\n
+      <h1>Bad Request</h1>\n
+      <p>Your browser sent a request that this server could not understand.<br />\n
+      </p>\n
+      <hr>\n
+      <address>Apache Server at virtualhost.184.168.176.1 Port 80</address>\n
+      </body></html>\n
+
+  0000  60 f2 62 3c 9c 68 fc ec da 49 e0 10 08 00 45 00   `.b<.h...I....E.
+  0010  01 fb cc 4e 40 00 37 06 47 ce b8 a8 b0 01 c0 a8   ...N@.7.G.......
+  0020  04 8e 01 bb c5 6c e8 a2 c2 eb 09 bd 1e 64 50 18   .....l.......dP.
+  0030  00 3e de 95 00 00 **48 54 54** 50 2f 31 2e 31 20 34   .>....**HTT**P/1.1 4
+  0040  30 30 20 42 61 64 20 52 65 71 75 65 73 74 0d 0a   00 Bad Request..
+  0050  44 61 74 65 3a 20 54 68 75 2c 20 31 30 20 44 65   Date: Thu, 10 De
+  0060  63 20 32 30 32 30 20 30 32 3a 34 34 3a 32 34 20   c 2020 02:44:24
+  0070  47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61   GMT..Server: Apa
+  0080  63 68 65 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e   che..Content-Len
+  0090  67 74 68 3a 20 33 30 31 0d 0a 43 6f 6e 6e 65 63   gth: 301..Connec
+  00a0  74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e   tion: close..Con
+  00b0  74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f   tent-Type: text/
+  00c0  68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73   html; charset=is
+  00d0  6f 2d 38 38 35 39 2d 31 0d 0a 0d 0a 3c 21 44 4f   o-8859-1....<!DO
+  00e0  43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49   CTYPE HTML PUBLI
+  00f0  43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20   C "-//IETF//DTD
+  0100  48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c   HTML 2.0//EN">.<
+  0110  68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74   html><head>.<tit
+  0120  6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65   le>400 Bad Reque
+  0130  73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61   st</title>.</hea
+  0140  64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64   d><body>.<h1>Bad
+  0150  20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70    Request</h1>.<p
+  0160  3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65   >Your browser se
+  0170  6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61   nt a request tha
+  0180  74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f   t this server co
+  0190  75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61   uld not understa
+  01a0  6e 64 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c   nd.<br />.</p>.<
+  01b0  68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61   hr>.<address>Apa
+  01c0  63 68 65 20 53 65 72 76 65 72 20 61 74 20 76 69   che Server at vi
+  01d0  72 74 75 61 6c 68 6f 73 74 2e 31 38 34 2e 31 36   rtualhost.184.16
+  01e0  38 2e 31 37 36 2e 31 20 50 6f 72 74 20 38 30 3c   8.176.1 Port 80<
+  01f0  2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79   /address>.</body
+  0200  3e 3c 2f 68 74 6d 6c 3e 0a                        ></html>.
+
+You can see the HTTP headers and page content in the payload of this frame. I
+bolded the hex and ASCII output for the ``HTT`` part of the HTTP header in the
+payload. :program:`tshark` reports a warning as seen in the bolded output.
+
+:file:`conn.log`
+----------------
+
+Here is the :file:`conn.log` that Zeek generated for this activity:
+
+.. literal-emph::
+
+  {
+    "ts": 1607568264.274569,
+    **"uid": "C8blOJ21azairPrWf8",**
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 50540,
+    "id.resp_h": "184.168.176.1",
+    "id.resp_p": 443,
+    "proto": "tcp",
+    "duration": 0.1382908821105957,
+    "orig_bytes": 524,
+    "resp_bytes": 467,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "ShADadfF",
+    "orig_pkts": 6,
+    "orig_ip_bytes": 776,
+    "resp_pkts": 5,
+    "resp_ip_bytes": 675,
+    "ip_proto": 6
+  }
+
+The :file:`conn.log` entry is fairly normal.
+
+:file:`ssl.log`
+---------------
+
+Here is the :file:`ssl.log` that Zeek generated for this activity:
+
+.. literal-emph::
+
+  {
+    "ts": 1607568264.340668,
+    "uid": "C8blOJ21azairPrWf8",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 50540,
+    "id.resp_h": "184.168.176.1",
+    "id.resp_p": 443,
+    "server_name": "usafaikidonews.com",
+    "resumed": false,
+    **"established": false**
+  }
+
+The :file:`ssl.log` shows that a TLS encrypted session was not established.
+
+:file:`analyzer.log`
+--------------------
+
+Here is the :file:`analyzer.log` that Zeek generated for this activity:
+
+.. literal-emph::
+
+  {
+    "ts": 1607568264.410681,
+    "analyzer_kind": "protocol",
+    **"analyzer_name": "SSL",**
+    "uid": "C8blOJ21azairPrWf8",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 50540,
+    "id.resp_h": "184.168.176.1",
+    "id.resp_p": 443,
+    "proto": "tcp",
+    **"failure_reason": "Invalid version late in TLS connection. Packet reported version: 21588"**
+  }
+
+Here we see that DPD and the SSL analyzer report an error in the TLS
+connection, as expected. The question is, to what does ``version: 21588``
+refer?
+
+Decoding 21588
+==============
+
+Let’s take a look at part of frame 9, which is the TLS client hello:
+
+.. literal-emph::
+
+  Secure Sockets Layer
+      TLSv1 Record Layer: Handshake Protocol: Client Hello
+          **Content Type: Handshake (22)**
+          **Version: TLS 1.0 (0x0301)**
+          Length: 512
+          Handshake Protocol: Client Hello
+              Handshake Type: Client Hello (1)
+              Length: 508
+              **Version: TLS 1.2 (0x0303)**
+  ...truncated...
+
+  0000  fc ec da 49 e0 10 60 f2 62 3c 9c 68 08 00 45 00   ...I..`.b<.h..E.
+  0010  02 2d 97 6c 40 00 80 06 33 7e c0 a8 04 8e b8 a8   .-.l@...3~......
+  0020  b0 01 c5 6c 01 bb 09 bd 1c 5f e8 a2 c2 eb 50 18   ...l....._....P.
+  0030  02 01 6e 33 00 00 **16 03 01** 02 00 01 00 01 fc **03**   ..n3............
+  0040  **03** 97 16 82 4f e0 ff e3 3e 6f d8 33 28 9a 97 b8   ....O...>o.3(...
+  0050  1a f0 73 6b 12 98 af 25 e2 a5 bc 6c 2e aa b1 69   ..sk...%...l...i
+  0060  be 20 bf d4 27 c5 22 bf 0d 90 83 24 80 36 ad 11   . ..'."....$.6..
+  0070  17 8a 2d a2 a1 42 1d ef 6b 1f ef ce cf 9a e2 f5   ..-..B..k.......
+  0080  be 79 00 20 2a 2a 13 01 13 02 13 03 c0 2b c0 2f   .y. **.......+./
+  0090  c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 00 9c 00 9d   .,.0............
+  00a0  00 2f 00 35 01 00 01 93 ca ca 00 00 00 00 00 17   ./.5............
+  00b0  00 15 00 00 12 75 73 61 66 61 69 6b 69 64 6f 6e   .....usafaikidon
+  00c0  65 77 73 2e 63 6f 6d 00 17 00 00 ff 01 00 01 00   ews.com.........
+
+I’ve bolded a few points. The important ones are ``0x160301``. These are the
+values indicating a TLS handshake and TLS 1.0. This is apparently not an
+attempt at a TLS 1.0 connection, however, as the second bolded hex value of
+``0x0303`` shows TLS 1.2 in play.
+
+Now, compare this output with what appeared in the odd “HTTP” frame shown
+earlier:
+
+.. literal-emph::
+
+  0000  60 f2 62 3c 9c 68 fc ec da 49 e0 10 08 00 45 00   `.b<.h...I....E.
+  0010  01 fb cc 4e 40 00 37 06 47 ce b8 a8 b0 01 c0 a8   ...N@.7.G.......
+  0020  04 8e 01 bb c5 6c e8 a2 c2 eb 09 bd 1e 64 50 18   .....l.......dP.
+  0030  00 3e de 95 00 00 **48 54 54** 50 2f 31 2e 31 20 34   .>....**HTT**P/1.1 4
+  0040  30 30 20 42 61 64 20 52 65 71 75 65 73 74 0d 0a   00 Bad Request..
+
+The ``0x48`` value is in the location where a TLS content type message would
+sit.  In the previous frame, the value was ``0x16``, for a handshake. Here it
+is ``0x48``, which is ASCII letter H. Next we see ``0x5454``, which is ASCII
+letters ``T T``. In decimal, the value for ``0x5454`` is 21588. In other words,
+where Zeek was looking to find a TLS version, it found decimal 21588. In the
+previous frame, the corresponding value was ``0x0301`` for TLSv1.0. That is why
+Zeek generated an error in its :file:`analyzer.log` with the message "Invalid
+version late in TLS connection. Packet reported version: 21588".
+
+Assorted Examples
+=================
+
+The following represents a summary of some :file:`analyzer.log` entries, sorted by count,
+observed in my reference network.
+
+.. code-block:: console
+
+  $ find ./logs/ -name "analyzer*20**.gz" | while read -r file; do zcat -f "$file"; done | jq -c '[."proto", ."analyzer_kind", ."failure_reason"]' | sort | uniq -c | sort -nr
+
+::
+
+   165341 ["tcp","HTTP","not a http reply line"]
+      162 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 0"]
+      114 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 21588"]
+       36 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 25344"]
+       28 ["udp","NTP","Binpac exception: binpac exception: out_of_bound: Extension_Field:value: 3476019 > 52"]
+       17 ["udp","SIP","Binpac exception: binpac exception: string mismatch at /bro/src/analyzer/protocol/sip/sip-protocol.pac:43: \nexpected pattern: \"SIP/\"\nactual data: \"\\x05\""]
+        9 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 8516"]
+        8 ["udp","SIP","Binpac exception: binpac exception: string mismatch at /bro/src/analyzer/protocol/sip/sip-protocol.pac:43: \nexpected pattern: \"SIP/\"\nactual data: \"\\x01\""]
+  ...edited...
+        1 ["udp","SIP","Binpac exception: binpac exception: out_of_bound: SIP_Version:anonymous_field_009: 4 > 2"]
+        1 ["udp","DTLS","Invalid version in DTLS connection. Packet reported version: 59228"]
+        1 ["udp","DTLS","Invalid version in DTLS connection. Packet reported version: 52736"]
+        1 ["udp","DTLS","Invalid version in DTLS connection. Packet reported version: 52480"]
+        1 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 5123"]
+        1 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 40499"]
+        1 ["tcp","IRC","too many long lines"]
+
+As you can see, Zeek saw problems with HTTP, SSL, NTP, Session Initiation
+Protocol (SIP), Datagram Transport Layer Security (DTLS), and IRC.
+
+Conclusion
+==========
+
+Zeek’s :file:`analyzer.log` may help analysts identify suspicious activity,
+depending on how it violates Zeek’s protocol parsers. In that sense, it is sort
+of a specialized version of Zeek’s :file:`weird.log`. Periodic analysis of the
+entries may identify traffic worthy of additional investigation.
diff --git a/doc/logs/capture-loss-and-reporter.rst b/doc/logs/capture-loss-and-reporter.rst
new file mode 100644
index 0000000000..d946f02ba4
--- /dev/null
+++ b/doc/logs/capture-loss-and-reporter.rst
@@ -0,0 +1,98 @@
+=================================
+capture_loss.log and reporter.log
+=================================
+
+Zeek produces several logs that tell administrators how well Zeek is managing
+its analysis and reporting on network traffic.
+
+This :file:`capture_loss.log` reports analysis of missing traffic. Zeek bases
+its conclusions on analysis of TCP sequence numbers. When it detects a “gap,”
+it assumes that the missing traffic corresponds to traffic loss.
+
+The :file:`reporter.log` reports internal warnings and errors. Zeek generates
+these based on how it is handling traffic and computing requirements.
+
+Details on the format of each log appears in :zeek:see:`CaptureLoss::Info`
+and :zeek:see:`Reporter::Info`.
+
+:file:`capture_loss.log`
+========================
+
+The following is an example of entries in a :file:`capture_loss.log`:
+
+.. literal-emph::
+
+  {
+    "ts": "2021-01-04T00:04:24.688236Z",
+    "ts_delta": 900.0000550746918,
+    "peer": "so16-enp0s8-1",
+    "gaps": 41,
+    "acks": 9944,
+    **"percent_lost": 0.412308930008045**
+  }
+  {
+    "ts": "2021-01-04T00:19:24.688265Z",
+    "ts_delta": 900.0000290870667,
+    "peer": "so16-enp0s8-1",
+    "gaps": 9,
+    "acks": 8530,
+    **"percent_lost": 0.10550996483001172**
+  }
+  {
+    "ts": "2021-01-04T00:34:24.688449Z",
+    "ts_delta": 900.0001838207245,
+    "peer": "so16-enp0s8-1",
+    "gaps": 0,
+    "acks": 52019,
+    **"percent_lost": 0**
+  }
+  {
+    "ts": "2021-01-04T00:49:24.688552Z",
+    "ts_delta": 900.0001029968262,
+    "peer": "so16-enp0s8-1",
+    "gaps": 0,
+    "acks": 108863,
+    **"percent_lost": 0**
+  }
+
+In these logs, capture loss never exceeded 1%. For example, when Zeek reports
+``0.412308930008045``, that means 0.4123% capture loss, not 41.23% capture
+loss.  In other words, this sensor is doing well capturing the traffic on the
+link it monitors (a small amount of loss is tolerable).
+
+:file:`reporter.log`
+====================
+
+The following is an example entries in the :file:`reporter.log`:
+
+.. literal-emph::
+
+  {
+    "ts": "2021-01-04T01:15:02.622164Z",
+    "level": "Reporter::INFO",
+    **"message": "received termination signal",**
+    "location": ""
+  }
+  {
+    "ts": "2021-01-04T01:19:15.713689Z",
+    "level": "Reporter::INFO",
+    **"message": "BPFConf filename set: /etc/nsm/so16-enp0s8/bpf-bro.conf (logger)",**
+    "location": "/opt/bro/share/zeek/securityonion/./bpfconf.zeek, line 81"
+  }
+  {
+    "ts": "2021-01-04T01:19:22.786812Z",
+    "level": "Reporter::INFO",
+    **"message": "BPFConf filename set: /etc/nsm/so16-enp0s8/bpf-bro.conf (proxy)",**
+    "location": "/opt/bro/share/zeek/securityonion/./bpfconf.zeek, line 81"
+  }
+
+The first message refers to Zeek receiving a termination signal. The second two
+messages refer to Zeek setting a file for configuring Berkeley Packet Filters.
+
+Conclusion
+==========
+
+The :file:`capture_loss.log` and :file:`reporter.log` files are helpful when
+administrators need to understand how their Zeek deployment is performing. Keep
+an eye on the :file:`capture_loss.log` to keep the performance within an
+acceptable level.
diff --git a/doc/logs/conn.rst b/doc/logs/conn.rst
new file mode 100644
index 0000000000..6cb995807c
--- /dev/null
+++ b/doc/logs/conn.rst
@@ -0,0 +1,444 @@
+========
+conn.log
+========
+
+The connection log, or :file:`conn.log`, is one of the most important logs Zeek
+creates. It may seem like the idea of a “connection” is most closely associated
+with stateful protocols like Transmission Control Protocol (TCP), unlike
+stateless protocols like User Datagram Protocol (UDP). Zeek’s :file:`conn.log`,
+however, tracks both sorts of protocols. This section of the manual will
+explain key elements of the :file:`conn.log`.
+
+The Zeek script reference, derived from the Zeek code, completely explains the
+meaning of each field in the :file:`conn.log` (and other logs). It would be
+duplicative to manually recreate that information in another format here.
+Therefore, this entry seeks to show how an analyst would make use of the
+information in the conn.log. Those interested in getting details on every
+element of the :file:`conn.log` should reference :zeek:see:`Conn::Info`.
+For additional explanation, including Zeek's notions of originator and
+responder, see :ref:`writing-scripts-connection-record`.
+
+Throughout the sections that follow, we will inspect Zeek logs in JSON format.
+
+Inspecting the :file:`conn.log`
+===============================
+
+To inspect the :file:`conn.log`, we will use the same techniques we learned in
+the last section of the manual. First, we have a JSON-formatted log file,
+either collected by Zeek watching a live interface, or by Zeek processing
+stored traffic. We use the :program:`jq` utility to review the contents.
+
+.. code-block:: console
+
+  zeek@zeek:~zeek-test/json$ jq . -c conn.log
+
+::
+
+  {"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.06685185432434082,"orig_bytes":62,"resp_bytes":141,"conn_state":"SF","missed_bytes":0,"history":"Dd","orig_pkts":2,"orig_ip_bytes":118,"resp_pkts":2,"resp_ip_bytes":197,"ip_proto":17}
+
+  {"ts":1591367999.430166,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"proto":"tcp","service":"http","duration":0.25411510467529297,"orig_bytes":77,"resp_bytes":295,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":397,"resp_pkts":4,"resp_ip_bytes":511,"ip_proto":6}
+
+Alternatively, we could see each field printed on its own line:
+
+.. code-block:: console
+
+  zeek@zeek:~zeek-test/json$ jq . conn.log
+
+::
+
+  {
+    "ts": 1591367999.305988,
+    "uid": "CMdzit1AMNsmfAIiQc",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 36844,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 53,
+    "proto": "udp",
+    "service": "dns",
+    "duration": 0.06685185432434082,
+    "orig_bytes": 62,
+    "resp_bytes": 141,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "Dd",
+    "orig_pkts": 2,
+    "orig_ip_bytes": 118,
+    "resp_pkts": 2,
+    "resp_ip_bytes": 197,
+    "ip_proto": 17
+  }
+  {
+    "ts": 1591367999.430166,
+    "uid": "C5bLoe2Mvxqhawzqqd",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 46378,
+    "id.resp_h": "31.3.245.133",
+    "id.resp_p": 80,
+    "proto": "tcp",
+    "service": "http",
+    "duration": 0.25411510467529297,
+    "orig_bytes": 77,
+    "resp_bytes": 295,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "ShADadFf",
+    "orig_pkts": 6,
+    "orig_ip_bytes": 397,
+    "resp_pkts": 4,
+    "resp_ip_bytes": 511,
+    "ip_proto": 6
+  }
+
+What an analyst derives from any log is a function of the questions that he or
+she is trying to ask of it. The :file:`conn.log` primarily captures so-called
+“layer 3” and “layer 4” elements of network activity. This is essentially who
+is talking to whom, when, for how long, and with what protocol.
+
+Understanding the Second :file:`conn.log` Entry
+===============================================
+
+Let’s use this framework to parse the two log entries. We will start with the
+second entry first. I will explain why shortly. For reference, that entry is
+the following:
+
+::
+
+  {
+    "ts": 1591367999.430166,
+    "uid": "C5bLoe2Mvxqhawzqqd",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 46378,
+    "id.resp_h": "31.3.245.133",
+    "id.resp_p": 80,
+    "proto": "tcp",
+    "service": "http",
+    "duration": 0.25411510467529297,
+    "orig_bytes": 77,
+    "resp_bytes": 295,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "ShADadFf",
+    "orig_pkts": 6,
+    "orig_ip_bytes": 397,
+    "resp_pkts": 4,
+    "resp_ip_bytes": 511,
+    "ip_proto": 6
+  }
+
+For the second log, ``192.168.4.76`` talked to ``31.3.245.133``.
+
+The log *timestamp*, indicated by the ``ts`` field, is ``1591367999.430166``,
+which translates as shown below, courtesy of the Unix :program:`date` command:
+
+.. code-block:: console
+
+  zeek@zeek:~zeek-test/json$ date -d @"1591367999.430166"
+
+::
+
+  Fri Jun  5 14:39:59 UTC 2020
+
+The two systems conversation only lasted ``0.25411510467529297`` seconds. (The
+operating system provides this value.)
+
+They spoke the HyperText Transfer Protocol (HTTP), identified by Zeek as HTTP
+over TCP using TCP port 80 listening on ``31.3.245.133``.
+
+If we wanted to move beyond who talked with whom, when, for how long, and with
+what protocol, the second :file:`conn.log` entry offers a few more items of interest.
+For example, we know that ``192.168.4.76`` sent 77 bytes of data in its application
+layer payload, and 397 bytes in its IP layer payload.
+
+We can verify that 77 byte figure by decoding the HTTP traffic sent from
+``192.168.4.76`` during this session. We use :program:`tshark`, the command
+line version of Wireshark, to do so.
+
+.. code-block:: console
+
+  zeek@zeek:~zeek-test/json$ tshark -V -r ../../tmi1.pcap http and ip.src==192.168.4.76
+
+.. literal-emph::
+
+  Frame 21: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits)
+      Encapsulation type: Ethernet (1)
+      Arrival Time: Jun  5, 2020 14:39:59.512593000 UTC
+      [Time shift for this packet: 0.000000000 seconds]
+      Epoch Time: 1591367999.512593000 seconds
+      [Time delta from previous captured frame: 0.000309000 seconds]
+      [Time delta from previous displayed frame: 0.000000000 seconds]
+      [Time since reference or first frame: 17.461008000 seconds]
+      Frame Number: 21
+      Frame Length: 143 bytes (1144 bits)
+      Capture Length: 143 bytes (1144 bits)
+      [Frame is marked: False]
+      [Frame is ignored: False]
+      [Protocols in frame: eth:ethertype:ip:tcp:http]
+  Ethernet II, Src: 08:00:27:97:99:0d, Dst: fc:ec:da:49:e0:10
+      Destination: fc:ec:da:49:e0:10
+          Address: fc:ec:da:49:e0:10
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Source: 08:00:27:97:99:0d
+          Address: 08:00:27:97:99:0d
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Type: IPv4 (0x0800)
+  Internet Protocol Version 4, **Src: 192.168.4.76, Dst: 31.3.245.133**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 129
+      Identification: 0xfdf1 (65009)
+      Flags: 0x4000, Don't fragment
+          0... .... .... .... = Reserved bit: Not set
+          .1.. .... .... .... = Don't fragment: Set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 64
+      Protocol: TCP (6)
+      Header checksum: 0x6308 [validation disabled]
+      [Header checksum status: Unverified]
+      **Source: 192.168.4.76**
+      **Destination: 31.3.245.133**
+  Transmission Control Protocol, **Src Port: 46378, Dst Port: 80**, Seq: 1, Ack: 1, **Len: 77**
+      **Source Port: 46378**
+      **Destination Port: 80**
+      [Stream index: 0]
+      **[TCP Segment Len: 77]**
+      Sequence number: 1    (relative sequence number)
+      [Next sequence number: 78    (relative sequence number)]
+      Acknowledgment number: 1    (relative ack number)
+      1000 .... = Header Length: 32 bytes (8)
+      Flags: 0x018 (PSH, ACK)
+          000. .... .... = Reserved: Not set
+          ...0 .... .... = Nonce: Not set
+          .... 0... .... = Congestion Window Reduced (CWR): Not set
+          .... .0.. .... = ECN-Echo: Not set
+          .... ..0. .... = Urgent: Not set
+          .... ...1 .... = Acknowledgment: Set
+          .... .... 1... = Push: Set
+          .... .... .0.. = Reset: Not set
+          .... .... ..0. = Syn: Not set
+          .... .... ...0 = Fin: Not set
+          [TCP Flags: ·······AP···]
+      Window size value: 32
+      [Calculated window size: 65536]
+      [Window size scaling factor: 2048]
+      Checksum: 0xd9f0 [unverified]
+      [Checksum Status: Unverified]
+      Urgent pointer: 0
+      Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
+          TCP Option - No-Operation (NOP)
+              Kind: No-Operation (1)
+          TCP Option - No-Operation (NOP)
+              Kind: No-Operation (1)
+          TCP Option - Timestamps: TSval 3137978878, TSecr 346747623
+              Kind: Time Stamp Option (8)
+              Length: 10
+              Timestamp value: 3137978878
+              Timestamp echo reply: 346747623
+      [SEQ/ACK analysis]
+          [iRTT: 0.082118000 seconds]
+          **[Bytes in flight: 77]**
+          [Bytes sent since last PSH flag: 77]
+      [Timestamps]
+          [Time since first frame in this TCP stream: 0.082427000 seconds]
+          [Time since previous frame in this TCP stream: 0.000309000 seconds]
+      **TCP payload (77 bytes)**
+  Hypertext Transfer Protocol
+      **GET / HTTP/1.1\r\n**
+          [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
+              [GET / HTTP/1.1\r\n]
+              [Severity level: Chat]
+              [Group: Sequence]
+          Request Method: GET
+          Request URI: /
+          Request Version: HTTP/1.1
+      **Host: testmyids.com\r\n**
+      **User-Agent: curl/7.47.0\r\n**
+      **Accept: */*\r\n**
+      **\r\n**
+      [Full request URI: http://testmyids.com/]
+      [HTTP request 1/1]
+
+In the highlighted output, we see that :program:`tshark` notes 77 bytes of data
+carried by TCP from ``192.168.4.76``. I highlighted what that data was,
+beginning with a GET request.
+
+The ``orig_pkts`` and ``resp_pkts`` fields report the number of IP packets
+transferred in the respective directions. The ``orig_ip_bytes`` and
+``resp_ip_bytes`` indicate the total IP packet-level byte counts, respectively.
+
+Another way to look at this TCP segment is to dump the hex contents using a
+different :program:`tshark` option, as shown below.
+
+.. code-block:: console
+
+  zeek@zeek:~zeek-test/json$ tshark -x -r ../../tmi1.pcap http and ip.src==192.168.4.76
+
+.. literal-emph::
+
+  0000  fc ec da 49 e0 10 08 00 27 97 99 0d 08 00 45 00   ...I....'.....E.
+  0010  00 81 fd f1 40 00 40 06 63 08 c0 a8 04 4c 1f 03   ....@.@.c....L..
+  0020  f5 85 b5 2a 00 50 dd e8 f3 47 b2 71 7e 69 80 18   ...*.P...G.q~i..
+  0030  00 20 d9 f0 00 00 01 01 08 0a bb 09 c1 fe 14 aa   . ..............
+  0040  f2 e7 **47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31   ..GET / HTTP/1.1**
+  0050  **0d 0a 48 6f 73 74 3a 20 74 65 73 74 6d 79 69 64   ..Host: testmyid**
+  0060  **73 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e   s.com..User-Agen**
+  0070  **74 3a 20 63 75 72 6c 2f 37 2e 34 37 2e 30 0d 0a   t: curl/7.47.0..**
+  0080  **41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a      Accept: */***....
+
+The hexadecimal values appear on the left, and the ASCII decode appears on the
+right. If you count the highlighted hex values, you will find 77 of them, hence
+the 77 bytes of application layer data carried by TCP.
+
+The connection state field, ``conn_state``, showed that the connection
+terminated normally, as depicted by the ``SF`` entry. This means that, for this
+TCP session, both sides adopted a “graceful close” mechanism. If you remember
+this trace from the last chapter, you’ll remember seeing that it opened with a
+TCP three way handshake (SYN - SYN ACK - ACK) and terminated with a graceful
+close (FIN ACK - FIN ACK - ACK).
+
+Finally, the ``history`` field contains the string ``ShADadFf``. Remember that
+capitalized letters indicate an action by the connection originator. Lowercase
+letters indicate an action by the responder. This means that ``ShADadFf``
+translates to the following:
+
+::
+
+  S - The originator sent a SYN segment.
+  h - The responder sent a SYN ACK segment.
+  A - The originator sent an ACK segment.
+  D - The originator sent at least one segment with payload data. In this case, that was HTTP over TCP.
+  a - The responder replied with an ACK segment.
+  d - The responder replied with at least one segment with payload data.
+  F - The originator sent a FIN ACK segment.
+  f - The responder replied with a FIN ACK segment.
+
+This log entry demonstrates how Zeek is able to pack so much information into a
+compact representation.
+
+Understanding the First :file:`conn.log` Entry
+==============================================
+
+Now let’s turn to the first :file:`conn.log` entry, reproduced below for easy
+reference.
+
+::
+
+  {
+    "ts": 1591367999.305988,
+    "uid": "CMdzit1AMNsmfAIiQc",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 36844,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 53,
+    "proto": "udp",
+    "service": "dns",
+    "duration": 0.06685185432434082,
+    "orig_bytes": 62,
+    "resp_bytes": 141,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "Dd",
+    "orig_pkts": 2,
+    "orig_ip_bytes": 118,
+    "resp_pkts": 2,
+    "resp_ip_bytes": 197,
+    "ip_proto": 17
+  }
+
+For the first entry, ``192.168.4.76`` talked to ``192.168.4.1``.
+
+The log timestamp is ``1591367999.305988``, which translates as shown below,
+courtesy of the Unix :program:`date` command:
+
+.. code-block:: console
+
+  zeek@zeek:~zeek-test/json$ date -d @"1591367999.305988"
+
+::
+
+  Fri Jun  5 14:39:59 UTC 2020
+
+The two systems’ “conversation” only lasted ``0.06685185432434082`` seconds.
+(Again, such precision!)
+
+They spoke the Domain Name System (DNS) protocol, identified by Zeek as DNS
+over UDP using UDP port 53 listening on ``192.168.4.1``.
+
+The connection state for this conversation is listed as ``SF``, the same as the
+TCP version. However, UDP has no concept of state, leaving that duty to a
+higher level protocol. In the context of UDP, ``SF`` means that Zeek assesses
+the conversations as “normal establishment and termination” of the
+“connection.”
+
+Similarly, the ``history`` field is simply ``Dd``, indicating that each party
+to the conversation sent data to the other.
+
+The ``ip_proto`` Field
+======================
+
+.. versionadded:: 7.1
+
+The numeric ``ip_proto`` field reports the `IP protocol number
+<https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml>`_ of
+the connection. It relates to the ``proto`` field, but while the former
+represents a :zeek:type:`transport_proto` value that exclusively covers
+*transport* protocols Zeek knows how to parse (and ties into Zeek's
+:zeek:type:`port` type), the ``ip_proto`` field is always present, including for
+non-transport IP packet flows such as IGMP or OSPF. For example, an OSPF flow
+might look as follows:
+
+::
+
+  {
+    "ts": 1098361214.420459,
+    "uid": "C9EV8R4fN8bfSj08f",
+    "id.orig_h": "192.168.170.2",
+    "id.orig_p": 0,
+    "id.resp_h": "224.0.0.6",
+    "id.resp_p": 0,
+    "proto": "unknown_transport",
+    "duration": 6.437546968460083,
+    "orig_bytes": 0,
+    "resp_bytes": 0,
+    "conn_state": "OTH",
+    "local_orig": true,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "orig_pkts": 4,
+    "orig_ip_bytes": 768,
+    "resp_pkts": 0,
+    "resp_ip_bytes": 0,
+    "ip_proto": 89
+  }
+
+You can adapt this feature in several ways. Load the
+:doc:`/scripts/policy/protocols/conn/ip-proto-name-logging.zeek` policy script
+to add an ``ip_proto_name`` column with a string version of the ``ip_proto``
+value. Also, you may disable the whole feature by loading the
+:doc:`/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek`
+script, returning :file:`conn.log` to its pre-7.1 state. Zeek's :ref:`logging framework
+<framework-logging>` supports additional customizations.
+
+The ``uid`` and Other Fields
+============================
+
+Notice that both :file:`conn.log` entries contain ``uid`` fields. These are
+unique identifiers assigned by Zeek that we will use to track related activity
+in other transaction logs.
+
+There are other fields which may appear in the :file:`conn.log`, depending on
+the protocol being summarized. For details on the meaning of those fields, see
+:zeek:see:`Conn::Info`.
+
+Conclusion
+==========
+
+Zeek’s :file:`conn.log` is a foundational log that offers a great deal of
+information on its own. However, it becomes even more useful when it acts as
+the starting point for investigating related Zeek logs. We turn to that
+capability in the following sections.
diff --git a/doc/logs/dhcp.rst b/doc/logs/dhcp.rst
new file mode 100644
index 0000000000..f64d2d7492
--- /dev/null
+++ b/doc/logs/dhcp.rst
@@ -0,0 +1,439 @@
+========
+dhcp.log
+========
+
+Dynamic Host Configuration Protocol is a core protocol found in Internet
+Protocol (IP) networks. Using the protocol, DHCP servers provide clients with
+IP addresses and other key information needed to make use of the network. This
+entry will describe some aspects of Zeek’s :file:`dhcp.log` that may be of use to
+network and security personnel.
+
+As with all entries in this chapter, see :zeek:see:`DHCP::Info` for full
+explanation of each field in the log.
+
+DORA via Tcpdump
+================
+
+The method by which a client requests and receives an IP address and other
+parameters from a DHCP server is represented by the acronym DORA. DORA stands
+for Discover - Offer - Request - Acknowledge. The following :program:`tcpdump`
+output of a complete DORA exchange demonstrates this protocol in action.
+
+.. code-block:: console
+
+  $ tcpdump -n -r snort.log.1601610971.bootp.pcap
+
+.. literal-emph::
+
+  reading from file snort.log.1601610971.bootp.pcap, link-type EN10MB (Ethernet)
+
+  04:14:39.119370 IP **0.0.0.0.68 > 255.255.255.255.67**: BOOTP/DHCP, Request from 3c:58:c2:2f:91:21, length 302
+  04:14:39.120138 IP **192.168.4.1.67 > 192.168.4.152.68**: BOOTP/DHCP, Reply, length 302
+  04:14:39.158211 IP **0.0.0.0.68 > 255.255.255.255.67**: BOOTP/DHCP, Request from 3c:58:c2:2f:91:21, length 337
+  04:14:39.456915 IP **192.168.4.1.67 > 192.168.4.152.68**: BOOTP/DHCP, Reply, length 302
+
+The default output for :program:`tcpdump` doesn’t say much, other than showing
+the IP addresses (or lack thereof, in the case of the ``0.0.0.0``` source IP
+addresses). It is helpful to see this “simplified” output, however, before
+delving into the details. It is slightly deceptive in the “request” and “reply”
+messages, as strictly speaking these are more detailed and are DORA messages.
+
+DORA via Tcpdump Verbose Mode
+=============================
+
+We can add the ``-vvv`` flag to :program:`tcpdump` to provide more verbose
+output, as shown in the examples that follow.
+
+The first datagram shows that a host that does not have an IP address set
+(i.e., it’s using ``0.0.0.0``) sends a broadcast to ``255.255.255.255`` on port
+67 UDP.  This client has had an IP address before as shown by its request for
+``192.168.4.152``. Note the hostname and the presence of a Microsoft 5.0 vendor
+class.
+
+This is a DHCP Discover message from a client to any DHCP server listening on
+the local network:
+
+.. literal-emph::
+
+  04:14:39.119370 IP (tos 0x0, ttl 128, id 44414, offset 0, flags [none], **proto UDP** (17), length 330)
+      **0.0.0.0.68 > 255.255.255.255.67**: [udp sum ok] BOOTP/DHCP, Request from 3c:58:c2:2f:91:21, length 302, **xid 0xfd9859a7**, Flags [none] (0x0000)
+            **Client-Ethernet-Address 3c:58:c2:2f:91:21**
+            Vendor-rfc1048 Extensions
+              Magic Cookie 0x63825363
+              **DHCP-Message Option 53, length 1: Discover**
+              Client-ID Option 61, length 7: ether 3c:58:c2:2f:91:21
+              **Requested-IP Option 50, length 4: 192.168.4.152**
+              **Hostname Option 12, length 15: "3071N0098017422"**
+              **Vendor-Class Option 60, length 8: "MSFT 5.0"**
+              Parameter-Request Option 55, length 14:
+                Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
+                Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server
+                Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route
+                Classless-Static-Route-Microsoft, Option 252
+              END Option 255, length 0
+
+The second datagram is a reply from the local DHCP server running on
+``192.168.4.1``. The server replies directly to ``192.168.4.152``, which in
+this case will end up at the system using MAC address ``3c:58:c2:2f:91:21``,
+such that the destination IP address is probably not relevant here. Remember
+that if the client at MAC address ``3c:58:c2:2f:91:21`` had no IP address to
+begin with, it would only receive the DHCP offer by virtue of the DHCP offer
+datagram being addressed to its MAC address. The server is not offering a
+specified domain name other than “localdomain.”
+
+This is a DHCP Offer message, from the DHCP server to the client:
+
+.. literal-emph::
+
+  04:14:39.120138 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 330)
+      **192.168.4.1.67 > 192.168.4.152.68**: [udp sum ok] **BOOTP/DHCP, Reply**, length 302, **xid 0xfd9859a7**, Flags [none] (0x0000)
+            **Your-IP 192.168.4.152**
+            **Client-Ethernet-Address 3c:58:c2:2f:91:21**
+            Vendor-rfc1048 Extensions
+              Magic Cookie 0x63825363
+              **DHCP-Message Option 53, length 1: Offer**
+              **Server-ID Option 54, length 4: 192.168.4.1**
+              **Lease-Time Option 51, length 4: 86400**
+              **Subnet-Mask Option 1, length 4: 255.255.255.0**
+              **Default-Gateway Option 3, length 4: 192.168.4.1**
+              **Domain-Name-Server Option 6, length 4: 192.168.4.1**
+              Domain-Name Option 15, length 11: "localdomain"
+              T119 Option 119, length 13: 11.108.111.99.97.108.100.111.109.97.105.110.0
+              END Option 255, length 0
+
+The third datagram is a reply to the server’s reply. Here the client requests
+the IP address ``192.168.4.152``. We also see it provide a fully qualified
+domain name (FQDN) for itself, belonging to the FCPS educational domain. Again
+note the client does not include an IP address for itself in the layer 3
+header. It uses ``0.0.0.0`` as in the initial Discover message.
+
+This is a DHCP Request message from the client to the DHCP server:
+
+.. literal-emph::
+
+  04:14:39.158211 IP (tos 0x0, ttl 128, id 44415, offset 0, flags [none], proto UDP (17), length 365)
+      **0.0.0.0.68 > 255.255.255.255.67**: [udp sum ok] **BOOTP/DHCP, Request from 3c:58:c2:2f:91:21**, length 337, **xid 0xfd9859a7**, Flags [none] (0x0000)
+            **Client-Ethernet-Address 3c:58:c2:2f:91:21**
+            Vendor-rfc1048 Extensions
+              Magic Cookie 0x63825363
+              **DHCP-Message Option 53, length 1: Request**
+              **Client-ID Option 61, length 7: ether 3c:58:c2:2f:91:21**
+              **Requested-IP Option 50, length 4: 192.168.4.152**
+              **Server-ID Option 54, length 4: 192.168.4.1**
+              Hostname Option 12, length 15: "3071N0098017422"
+              **FQDN Option 81, length 27: "3071N0098017422.fcps.edu"**
+              **Vendor-Class Option 60, length 8: "MSFT 5.0"**
+              Parameter-Request Option 55, length 14:
+                Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
+                Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server
+                Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route
+                Classless-Static-Route-Microsoft, Option 252
+              END Option 255, length 0
+
+Finally the server sends its last message, essentially confirming the
+information sent in the DHCP Offer message. Note that :program:`tcpdump` is
+unable to make sense of what it renders as ``T119 Option 119``. We will return
+to that shortly.
+
+This is a DHCP Acknowledgement message, sent from the DHCP server to the client:
+
+.. literal-emph::
+
+  04:14:39.456915 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 330)
+      **192.168.4.1.67 > 192.168.4.152.68**: [udp sum ok] **BOOTP/DHCP, Reply**, length 302, xid 0xfd9859a7, Flags [none] (0x0000)
+            **Your-IP 192.168.4.152**
+            **Client-Ethernet-Address 3c:58:c2:2f:91:21**
+            Vendor-rfc1048 Extensions
+              Magic Cookie 0x63825363
+              **DHCP-Message Option 53, length 1: ACK**
+              **Server-ID Option 54, length 4: 192.168.4.1**
+              **Lease-Time Option 51, length 4: 86400**
+              **Subnet-Mask Option 1, length 4: 255.255.255.0**
+              **Default-Gateway Option 3, length 4: 192.168.4.1**
+              **Domain-Name-Server Option 6, length 4: 192.168.4.1**
+              Domain-Name Option 15, length 11: "localdomain"
+              T119 Option 119, length 13: 11.108.111.99.97.108.100.111.109.97.105.110.0
+              END Option 255, length 0
+
+Acknowledgement via :program:`tshark`
+=====================================
+
+We could look at the entire trace using :program:`tshark` (the command line
+version of Wireshark), but it would largely be redundant. Rather, I would like
+to look at the Acknowledgment message to explain about the T119 Option that
+:program:`tcpdump` could not decode.
+
+To find the datagram of interest, I tell :program:`tshark` to read the packet
+capture of interest. I tell it to look for the “bootp” transaction identifier
+associated with the DORA exchange of interest. (BOOTP refers to Bootstrap, a
+precursor protocol that Tshark still uses for DHCP filters.) I also tell
+:program:`tshark` to look for the specific BOOTP (DHCP) option value (5)
+associated with the ACK message.
+
+.. code-block:: console
+
+  $ tshark -V -n -r snort.log.1601610971.bootp.pcap bootp.id == 0xfd9859a7 and bootp.option.dhcp == 5
+
+.. literal-emph::
+
+  Frame 4: 344 bytes on wire (2752 bits), 344 bytes captured (2752 bits) on interface 0
+      Interface id: 0 (unknown)
+          Interface name: unknown
+      Encapsulation type: Ethernet (1)
+      Arrival Time: Oct  2, 2020 04:14:39.456915000 UTC
+      [Time shift for this packet: 0.000000000 seconds]
+      Epoch Time: 1601612079.456915000 seconds
+      [Time delta from previous captured frame: 0.298704000 seconds]
+      [Time delta from previous displayed frame: 0.000000000 seconds]
+      [Time since reference or first frame: 0.337545000 seconds]
+      Frame Number: 4
+      Frame Length: 344 bytes (2752 bits)
+      Capture Length: 344 bytes (2752 bits)
+      [Frame is marked: False]
+      [Frame is ignored: False]
+      [Protocols in frame: eth:ethertype:ip:udp:bootp]
+  **Ethernet II, Src: fc:ec:da:49:e0:10, Dst: 3c:58:c2:2f:91:21**
+      Destination: 3c:58:c2:2f:91:21
+          Address: 3c:58:c2:2f:91:21
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Source: fc:ec:da:49:e0:10
+          Address: fc:ec:da:49:e0:10
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Type: IPv4 (0x0800)
+  **Internet Protocol Version 4, Src: 192.168.4.1, Dst: 192.168.4.152**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x10 (DSCP: Unknown, ECN: Not-ECT)
+          0001 00.. = Differentiated Services Codepoint: Unknown (4)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 330
+      Identification: 0x0000 (0)
+      Flags: 0x0000
+          0... .... .... .... = Reserved bit: Not set
+          .0.. .... .... .... = Don't fragment: Not set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 128
+      Protocol: UDP (17)
+      Header checksum: 0xafa9 [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 192.168.4.1
+      Destination: 192.168.4.152
+  **User Datagram Protocol, Src Port: 67, Dst Port: 68**
+      Source Port: 67
+      Destination Port: 68
+      Length: 310
+      Checksum: 0x92db [unverified]
+      [Checksum Status: Unverified]
+      [Stream index: 1]
+  **Bootstrap Protocol (ACK)**
+      Message type: Boot Reply (2)
+      Hardware type: Ethernet (0x01)
+      Hardware address length: 6
+      Hops: 0
+      **Transaction ID: 0xfd9859a7**
+      Seconds elapsed: 0
+      Bootp flags: 0x0000 (Unicast)
+          0... .... .... .... = Broadcast flag: Unicast
+          .000 0000 0000 0000 = Reserved flags: 0x0000
+      Client IP address: 0.0.0.0
+      **Your (client) IP address: 192.168.4.152**
+      Next server IP address: 0.0.0.0
+      Relay agent IP address: 0.0.0.0
+      **Client MAC address: 3c:58:c2:2f:91:21**
+      Client hardware address padding: 00000000000000000000
+      Server host name not given
+      Boot file name not given
+      Magic cookie: DHCP
+      **Option: (53) DHCP Message Type (ACK)**
+          Length: 1
+          **DHCP: ACK (5)**
+      Option: (54) DHCP Server Identifier
+          Length: 4
+          **DHCP Server Identifier: 192.168.4.1**
+      Option: (51) IP Address Lease Time
+          Length: 4
+          IP Address Lease Time: (86400s) 1 day
+      Option: (1) Subnet Mask
+          Length: 4
+          **Subnet Mask: 255.255.255.0**
+      Option: (3) Router
+          Length: 4
+          **Router: 192.168.4.1**
+      Option: (6) Domain Name Server
+          Length: 4
+          **Domain Name Server: 192.168.4.1**
+      Option: (15) Domain Name
+          Length: 11
+          Domain Name: localdomain
+      **Option: (119) Domain Search**
+          **Length: 13**
+          **FQDN: localdomain**
+      Option: (255) End
+          Option End: 255
+
+This output looks similar to what :program:`tcpdump` reported, except here we
+can see the decode for Option 119. It looks like the DHCP server is providing
+the FQDN of “localdomain.”
+
+Zeek’s Rendition of DORA
+========================
+
+With this background, let’s look at Zeek’s depiction of this DHCP exchange.
+
+::
+
+  {
+    "ts": "2020-10-02T04:14:39.135304Z",
+    "uids": [
+      "COoA8M1gbTowuPlVT",
+      "CapFoX32zVg3R6TATc"
+    ],
+    "client_addr": "192.168.4.152",
+    "server_addr": "192.168.4.1",
+    "mac": "3c:58:c2:2f:91:21",
+    "host_name": "3071N0098017422",
+    "client_fqdn": "3071N0098017422.fcps.edu",
+    "domain": "localdomain",
+    "requested_addr": "192.168.4.152",
+    "assigned_addr": "192.168.4.152",
+    "lease_time": 86400,
+    "msg_types": [
+      "DISCOVER",
+      "OFFER",
+      "REQUEST",
+      "ACK"
+    ],
+    "duration": 0.416348934173584
+  }
+
+As you can see, Zeek has taken the important elements from all four DORA
+messages and produced a single log entry. Every field is interesting, so I did
+not highlight them all.
+
+Two UIDs
+========
+
+You might be wondering why there are two UID fields for this single DHCP
+exchange. Let’s look at the two corresponding :file:`conn.log` entries.
+
+The first one shows a “conversation” between ``0.0.0.0`` and ``255.255.255.0``.
+This represents the DHCP Discover message, caused by a client not knowing its
+source IP address, sending its search to the local network for a DHCP server.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-10-02T04:14:14.443346Z",
+    "uid": "COoA8M1gbTowuPlVT",
+    **"id.orig_h": "0.0.0.0",**
+    **"id.orig_p": 68,**
+    **"id.resp_h": "255.255.255.255",**
+    **"id.resp_p": 67,**
+    "proto": "udp",
+    "service": "dhcp",
+    "duration": 63.16645097732544,
+    "orig_bytes": 1211,
+    "resp_bytes": 0,
+    "conn_state": "S0",
+    "local_orig": false,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "history": "D",
+    **"orig_pkts": 4,**
+    "orig_ip_bytes": 1323,
+    "resp_pkts": 0,
+    "resp_ip_bytes": 0,
+    "ip_proto": 17
+  }
+
+Notice that Zeek has tracked 4 “orig packets” here, which does not strictly
+correspond to the 2 datagrams from ``0.0.0.0`` to ``255.255.255.255``. Remember
+the DORA via :program:`tcpdump` output?
+
+It’s possible Zeek included other packets involving ``0.0.0.0`` and
+``255.255.255.255`` when it created this log entry since this is a broadcast
+and Zeek generally may trouble with that because it doesn't fit the
+"connection" abstraction.
+
+The second message shows a conversation between ``192.168.4.152``, the DHCP
+client, and ``192.168.4.1``, the DHCP server.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-10-02T04:14:39.120138Z",
+    "uid": "CapFoX32zVg3R6TATc",
+    **"id.orig_h": "192.168.4.152",**
+    **"id.orig_p": 68,**
+    **"id.resp_h": "192.168.4.1",**
+    **"id.resp_p": 67,**
+    "proto": "udp",
+    "service": "dhcp",
+    "duration": 0.3367769718170166,
+    "orig_bytes": 0,
+    "resp_bytes": 604,
+    "conn_state": "SHR",
+    "local_orig": true,
+    "local_resp": true,
+    "missed_bytes": 0,
+    "history": "^d",
+    "orig_pkts": 0,
+    "orig_ip_bytes": 0,
+    "resp_pkts": 2,
+    "resp_ip_bytes": 660,
+    "ip_proto": 17
+  }
+
+Here the count of 2 ``resp_pkts`` is correct.
+
+Enumerating DHCP Servers
+========================
+
+Analysts can use Zeek’s :file:`dhcp.log` to enumerate systems providing DHCP
+services. Consider the output of the following query.
+
+.. code-block:: console
+
+  $ find . -name "dhcp**.gz" | while read -r file; do zcat -f "$file"; done | jq -c '[."server_addr"]' | sort | uniq -c | sort -nr | head -10
+
+::
+
+     1337 [null]
+      119 ["192.168.4.1"]
+
+Here we see that ``192.168.4.1`` is providing DHCP services on this network.
+The null entries refer to DHCP log entries that do not have a ``server_addr``
+field. One example is Zeek’s log for this DHCP Discover message:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-10-06T23:59:48.577749Z",
+    "uids": [
+      "CctZMx18mIK1qj9Vci"
+    ],
+    "mac": "80:ee:73:52:eb:59",
+    "host_name": "ds61",
+    "msg_types": [
+      **"DISCOVER"**
+    ],
+    "duration": 0
+  }
+
+This log entry does not have a ``server_addr`` field, so the query above returns a null result.
+
+Conclusion
+==========
+
+DHCP is crucial to the proper operation of any IP network. DHCP logs help
+analysts map IP addresses to MAC addresses, and may also reveal hostnames. When
+investigating suspicious or malicious activity, analysts need to know what
+system was assigned what IP address, as DHCP leases expire. However, depending
+on the network, systems may retain specific IP addresses for a long time as
+they may request an old address as was seen in this example. Of course,
+administrators who have configured DHCP to provide fixed IP addresses based on
+MAC address will ensure that these machines receive the same IP address,
+despite relying on the “dynamic” nature of DHCP.
diff --git a/doc/logs/dns.rst b/doc/logs/dns.rst
new file mode 100644
index 0000000000..ee670b7061
--- /dev/null
+++ b/doc/logs/dns.rst
@@ -0,0 +1,267 @@
+=======
+dns.log
+=======
+
+The Domain Name System (DNS) log, or :file:`dns.log`, is one of the most
+important data sources generated by Zeek. Although recent developments in
+domain name resolution have challenged traditional methods for collecting DNS
+data, :file:`dns.log` remains a powerful tool for security and network
+administrators.
+
+Those interested in getting details on every element of the :file:`dns.log`
+should refer to :zeek:see:`DNS::Info`.
+
+Throughout the sections that follow, we will inspect Zeek logs in JSON format.
+
+Inspecting the :file:`dns.log`
+==============================
+
+To inspect the :file:`dns.log`, we will use the same techniques we learned
+earlier in the manual. First, we have a JSON-formatted log file, either
+collected by Zeek watching a live interface, or by Zeek processing stored
+traffic. We use the :program:`jq` utility to review the contents.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ jq . -c dns.log
+
+::
+
+  {"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}
+
+  {"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600],"rejected":false}
+
+As before, we could see each field printed on its own line:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ jq . dns.log
+
+::
+
+  {
+    "ts": 1591367999.306059,
+    "uid": "CMdzit1AMNsmfAIiQc",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 36844,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 53,
+    "proto": "udp",
+    "trans_id": 8555,
+    "query": "testmyids.com",
+    "qclass": 1,
+    "qclass_name": "C_INTERNET",
+    "qtype": 28,
+    "qtype_name": "AAAA",
+    "rcode": 0,
+    "rcode_name": "NOERROR",
+    "AA": false,
+    "TC": false,
+    "RD": true,
+    "RA": false,
+    "Z": 0,
+    "rejected": false
+  }
+  {
+    "ts": 1591367999.305988,
+    "uid": "CMdzit1AMNsmfAIiQc",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 36844,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 53,
+    "proto": "udp",
+    "trans_id": 19671,
+    "rtt": 0.06685185432434082,
+    "query": "testmyids.com",
+    "qclass": 1,
+    "qclass_name": "C_INTERNET",
+    "qtype": 1,
+    "qtype_name": "A",
+    "rcode": 0,
+    "rcode_name": "NOERROR",
+    "AA": false,
+    "TC": false,
+    "RD": true,
+    "RA": true,
+    "Z": 0,
+    "answers": [
+      "31.3.245.133"
+    ],
+    "TTLs": [
+      3600
+    ],
+    "rejected": false
+  }
+
+As emphasized in the :file:`conn.log` material, what an analyst derives from
+any log is a function of the questions that he or she is trying to ask of it.
+The :file:`dns.log` captures application-level name resolution activity,
+assuming that traffic is not encrypted, as is the case with DNS over HTTPS
+(DoH) or DNS over TLS (DoT). Applications mainly use DNS to resolve names to IP
+addresses, IP addresses to names, and certain other functions. Intruders use
+DNS for the same purposes, but may also subvert the protocol to carry
+command-and-control traffic, obfuscated or encrypted payload data, or other
+unwanted functions. DNS is a suitable protocol for these nefarious activities
+because administrators tend to allow it throughout their purview, as it is
+necessary for normal network operation.
+
+In brief, when looking at the :file:`dns.log`, analysts will primarily want to
+know who is asking a question, what is the nature of the question, who answered
+the question, and how was the question answered.
+
+Understanding the Second :file:`dns.log` Entry
+==============================================
+
+Let’s use this framework to parse the two log entries. We will start with the
+second entry. For reference, that entry is the following:
+
+::
+
+  {
+    "ts": 1591367999.305988,
+    "uid": "CMdzit1AMNsmfAIiQc",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 36844,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 53,
+    "proto": "udp",
+    "trans_id": 19671,
+    "rtt": 0.06685185432434082,
+    "query": "testmyids.com",
+    "qclass": 1,
+    "qclass_name": "C_INTERNET",
+    "qtype": 1,
+    "qtype_name": "A",
+    "rcode": 0,
+    "rcode_name": "NOERROR",
+    "AA": false,
+    "TC": false,
+    "RD": true,
+    "RA": true,
+    "Z": 0,
+    "answers": [
+      "31.3.245.133"
+    ],
+    "TTLs": [
+      3600
+    ],
+    "rejected": false
+  }
+
+According to this log entry, ``192.168.4.76`` asked ``192.168.4.1`` for the A
+record of the host ``testmyids.com``, and received the answer ``31.3.245.133``.
+There are more details in the log, but those are the key elements an analyst
+should be able to extract.
+
+Understanding the First :file:`dns.log` Entry
+=============================================
+
+Let’s take a look at the first :file:`dns.log` entry. For reference, that entry
+is the following:
+
+::
+
+  {
+    "ts": 1591367999.306059,
+    "uid": "CMdzit1AMNsmfAIiQc",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 36844,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 53,
+    "proto": "udp",
+    "trans_id": 8555,
+    "query": "testmyids.com",
+    "qclass": 1,
+    "qclass_name": "C_INTERNET",
+    "qtype": 28,
+    "qtype_name": "AAAA",
+    "rcode": 0,
+    "rcode_name": "NOERROR",
+    "AA": false,
+    "TC": false,
+    "RD": true,
+    "RA": false,
+    "Z": 0,
+    "rejected": false
+  }
+
+According to this log entry, ``192.168.4.76`` asked ``192.168.4.1`` for the
+AAAA record of the host ``testmyids.com``, and did not receive an answer.
+
+This is technically true, but it is not the whole story. If we augment stock
+Zeek with an additional script available from the project, we get a bit more
+information.
+
+Specifically, we can enable a new script,
+:doc:`/scripts/policy/protocols/dns/auth-addl.zeek`.
+
+We can invoke the script using this syntax:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json2$ zeek -C LogAscii::use_json=T protocols/dns/auth-addl.zeek -r ../tm1t.pcap
+
+The end result shows more information for the first :file:`dns.log` entry:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json2$ cat dns.log | head -1
+
+.. literal-emph::
+
+  {"ts":1591367999.306059,"uid":"CQsafSKqmlOyqrgC6","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false,**"auth":["ns59.1and1.co.uk"]**}
+
+The bolded ``auth`` item in the log entry shows that ``ns59.1and1.co.uk`` is the
+authoritative name server that is designated to answer questions about the AAAA
+record for ``testmyids.com``.
+
+There are more details in the log, but those are the key elements an analyst
+should be able to extract.
+
+The ``uid`` and Other Fields
+============================
+
+Note the ``uid`` field in both log entries is ``CMdzit1AMNsmfAIiQc``. This is
+the same UID value that appeared in the :file:`conn.log` entry for a DNS
+record. That means the DNS activity in the :file:`conn.log` and the DNS
+activity in this :file:`dns.log` entry are the same.
+
+You could have used the UID in the :file:`conn.log` to search for the
+corresponding records in the :file:`dns.log` using this UID. For example:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ grep CMdzit1AMNsmfAIiQc dns.log
+
+::
+
+  {"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}
+
+  {"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600.0],"rejected":false}
+
+Note the matching ``uid`` fields in the :file:`dns.log` entries. In this simple
+example, these are the only two entries in the :file:`dns.log`. Extrapolate
+this technique to logs with billions of records and you will appreciate the
+value!
+
+Remember that a single :file:`conn.log` entry summarized all of the DNS traffic
+associate with the “connection” bearing UID ``CMdzit1AMNsmfAIiQc``. Zeek
+treated the 4 packets associated with this conversation as a connection because
+they shared the same source and destination IP addresses and ports, and
+occurred over the UDP protocol. The single :file:`conn.log` entry had the
+timestamp ``1591367999.305988``, which is also the timestamp of the first
+:file:`dns.log` entry.
+
+Zeek’s DNS protocol analyzer created two log entries because it recognized two
+different DNS exchanges. The first involved a query and response for
+IPv6-related information, i.e., a AAAA record for ``testmyids.com``. The second
+involved a query and response for IPv4-related information, i.e., an A record
+for ``testmyids.com``. It is interesting to note that the DNS resolver on the
+``192.168.4.76`` system requested IPv6 information first, and then IPv4.
+
+Conclusion
+==========
+
+Zeek’s :file:`dns.log` is a critical log that offers a great deal of
+information on how systems are interacting with the Internet and each other. In
+the next section we will look at other core Internet protocols.
diff --git a/doc/logs/files.rst b/doc/logs/files.rst
new file mode 100644
index 0000000000..be625d9ac0
--- /dev/null
+++ b/doc/logs/files.rst
@@ -0,0 +1,371 @@
+=========
+files.log
+=========
+
+One of Zeek’s powerful features is the ability to extract content from network
+traffic and write it to disk as a file, via its
+:ref:`File Analysis framework <file-analysis-framework>`. This is easiest to understand with a
+protocol like File Transfer Protocol (FTP), a classic means to exchange files
+over a channel separate from that used to exchange commands. Protocols like
+HTTP are slightly more complicated, as it includes headers which must be
+interpreted and not included in any file content transferred by the protocol.
+
+Zeek’s :file:`files.log` is a record of files that Zeek observed while
+inspecting network traffic. The existence of an entry in :file:`files.log` does
+not mean that Zeek necessarily extracted file content and wrote it to disk.
+Analysts must configure Zeek to extract files by type in order to have them
+written to disk.
+
+In the following example, an analyst has configured Zeek to extract files of
+MIME type ``application/x-dosexec`` and write them to disk. To understand the
+chain of events that result in having a file on disk, we will start with the
+:file:`conn.log`, progress to the :file:`http.log`, and conclude with the
+:file:`files.log`.
+
+The Zeek scripting manual, derived from the Zeek source code, completely
+explains the meaning of each field in the :file:`files.log` (and other logs).
+It would be duplicative to manually recreate that information in another format
+here.  Therefore, this entry seeks to show how an analyst would make use of the
+information in the :file:`files.log`. Those interested in getting details on
+every element of the :file:`files.log` should refer to :zeek:see:`Files::Info`.
+
+Throughout the sections that follow, we will inspect Zeek logs in JSON format.
+As we have shown how to access logs like this previously using the command
+line, we will only show the log entries themselves.
+
+Inspecting the :file:`conn.log`
+===============================
+
+The log with which we begin our analysis for this case is the :file:`conn.log`.
+It contains the following entry of interest.
+
+.. literal-emph::
+
+  {
+    "ts": 1596820191.94147,
+    **"uid": "CzoFRWTQ6YIzfFXHk"**,
+    **"id.orig_h": "192.168.4.37",**
+    "id.orig_p": 58264,
+    **"id.resp_h": "23.195.64.241",**
+    **"id.resp_p": 80,**
+    "proto": "tcp",
+    **"service": "http",**
+    "duration": 0.050640106201171875,
+    "orig_bytes": 211,
+    "resp_bytes": 179604,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "ShADadtFf",
+    "orig_pkts": 93,
+    "orig_ip_bytes": 5091,
+    "resp_pkts": 129,
+    "resp_ip_bytes": 186320
+  }
+
+We see that ``192.168.4.37`` contacted ``23.195.64.241`` via HTTP and connected
+to port 80 TCP. The responder sent 179604 bytes of data during the
+conversation.
+
+Because this conversation appears to have taken place using HTTP, a clear text
+protocol, there is a good chance that we can directly inspect the HTTP headers
+and the payloads that were exchanged.
+
+We will use the UID, ``CzoFRWTQ6YIzfFXHk``, to find corresponding entries in
+other log sources to better understand what happened during this conversation.
+
+Inspecting the :file:`http.log`
+===============================
+
+We search our :file:`http.log` files for samples containing the UID of interest
+and find the following entry:
+
+.. literal-emph::
+
+  {
+    "ts": 1596820191.94812,
+    **"uid": "CzoFRWTQ6YIzfFXHk",**
+    "id.orig_h": "192.168.4.37",
+    "id.orig_p": 58264,
+    "id.resp_h": "23.195.64.241",
+    "id.resp_p": 80,
+    "trans_depth": 1,
+    **"method": "GET",**
+    **"host": "download.microsoft.com",**
+    **"uri": "/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe",**
+    "version": "1.1",
+    **"user_agent": "Wget/1.19.4 (linux-gnu)",**
+    "request_body_len": 0,
+    "response_body_len": 179272,
+    **"status_code": 200,**
+    **"status_msg": "OK",**
+    "tags": [],
+    "resp_fuids": [
+      **"FBbQxG1GXLXgmWhbk9"**
+    ],
+    "resp_mime_types": [
+      **"application/x-dosexec"**
+    ]
+  }
+
+The most interesting elements of this log entry include the following::
+
+  "method": "GET",
+  "host": "download.microsoft.com",
+  "uri": "/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe",
+
+This shows us what file the client was trying to retrieve, ``wfetch.exe``,
+from what site, ``download.microsoft.com``.
+
+The following element shows us the client that made the request::
+
+  "user_agent": "Wget/1.19.4 (linux-gnu)",
+
+According to this log entry, the user agent was not a Microsoft product, but
+was a Linux version of the :program:`wget` utility. User agent fields can be
+manipulated, so we cannot trust that this was exactly what happened. It is
+probable however that :program:`wget` was used in this case.
+
+The following entry shows us that the Web server responding positively to the
+request::
+
+  "status_code": 200,
+  "status_msg": "OK",
+
+Based on this entry and the amount of bytes transferred, it is likely that the
+client received the file it requested.
+
+The final two entries of interest tell us something more about the content that
+was transferred and how to locate it::
+
+  "resp_fuids": [
+    "FBbQxG1GXLXgmWhbk9"
+  ],
+  "resp_mime_types": [
+    "application/x-dosexec"
+
+The first entry provides a file identifier. This is similar to the connection
+identifier in the :file:`conn.log`, except that we use the file identifier to
+locate specific file contents when written to disk.
+
+The second entry shows that Zeek recognized the file content as
+``application/x-dosexec``, which likely means that the client retrieved a
+Windows executable file.
+
+Inspecting the :file:`files.log`
+================================
+
+Armed with the file identifier value, we can search any of our
+:file:`files.log` repositories for matching values. By searching for the FUID
+of ``FBbQxG1GXLXgmWhbk9`` we find the following entry.
+
+.. literal-emph::
+
+  {
+    "ts": 1596820191.969902,
+    **"fuid": "FBbQxG1GXLXgmWhbk9",**
+    "uid": "CzoFRWTQ6YIzfFXHk",
+    "id.orig_h": "192.168.4.37",
+    "id.orig_p": 58264,
+    "id.resp_h": "23.195.64.241",
+    "id.resp_p": 80,
+    "source": "HTTP",
+    "depth": 0,
+    "analyzers": [
+      "EXTRACT",
+      "PE"
+    ],
+    **"mime_type": "application/x-dosexec",**
+    "duration": 0.015498876571655273,
+    "is_orig": false,
+    "seen_bytes": 179272,
+    "total_bytes": 179272,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false,
+    **"extracted": "HTTP-FBbQxG1GXLXgmWhbk9.exe",**
+    "extracted_cutoff": false
+  }
+
+Note that this :file:`files.log` entry also contains the UID we found in the
+:file:`conn.log`, e.g., ``CzoFRWTQ6YIzfFXHk``. Theoretically we could have just
+searched for that UID value and not bothered to locate the FUID in the
+:file:`http.log`.  However, I find that it makes sense to follow this sort of
+progression, as we cannot rely on this same analytical workflow for all cases.
+
+In this :file:`files.log` data, we see that the ``EXTRACT`` and ``PE`` analyzer
+events were activated. Zeek saw 179272 bytes transferred and does not appear to
+have missed any bytes. Zeek extracted the file it saw as
+``HTTP-FBbQxG1GXLXgmWhbk9.exe``, which means we should be able to locate that
+file on disk.
+
+The ``is_orig`` field in a :file:`files.log` entry can be used to determine
+which endpoint sent the file. When ``is_orig`` is ``false``, the responder of
+the connection is sending the file. In the example above we can tell that
+the HTTP server at ``23.195.64.241`` is sending the file and ``192.168.4.37``
+is receiving it.
+
+Inspecting the Extracted File
+=============================
+
+The location for extracted files will vary depending on your Zeek
+configuration. In my example, Zeek wrote extracted files to a directory called
+:file:`extract_files/`. Here is the file in question:
+
+.. code-block:: console
+
+  $ ls -al HTTP-FBbQxG1GXLXgmWhbk9.exe
+
+::
+
+  -rw-rw-r-- 1 zeek zeek 179272 Aug  7 17:23 HTTP-FBbQxG1GXLXgmWhbk9.exe
+
+Note the byte count, 179272, matches the value in the :file:`files.log`.
+
+Here is what the Linux file command thinks of this file.
+
+.. code-block:: console
+
+  $ file HTTP-FBbQxG1GXLXgmWhbk9.exe
+
+::
+
+  HTTP-FBbQxG1GXLXgmWhbk9.exe: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
+
+This looks like a Windows executable. You can use the :program:`md5sum` utility to
+generate a MD5 hash of the file.
+
+.. code-block:: console
+
+  $ md5sum HTTP-FBbQxG1GXLXgmWhbk9.exe
+
+::
+
+  6711727adf76599bf50c9426057a35fe  HTTP-FBbQxG1GXLXgmWhbk9.exe
+
+We can search by the hash value on VirusTotal using the :program:`vt` command
+line tool, provided we have registered and initialized :program:`vt` with our
+free API key.
+
+.. code-block:: console
+
+  $ ./vt file 6711727adf76599bf50c9426057a35fe
+
+::
+
+  - _id: "82f39086658ce80df4da6a49fef9d3062a00fd5795a4dd5042de32907bcb5b89"
+    _type: "file"
+    authentihash: "2a07d356273d32bf0c5aff83ea847351128fc3971b44052f92b6fb4f45c2272f"
+    creation_date: 1030609542  # 2002-08-29 08:25:42 +0000 UTC
+    first_submission_date: 1354191312  # 2012-11-29 12:15:12 +0000 UTC
+    last_analysis_date: 1592215708  # 2020-06-15 10:08:28 +0000 UTC
+    last_analysis_results:
+      ALYac:
+        category: "undetected"
+        engine_name: "ALYac"
+        engine_update: "20200615"
+        engine_version: "1.1.1.5"
+        method: "blacklist"
+  ...edited…
+   last_analysis_stats:
+      confirmed-timeout: 0
+      failure: 0
+      harmless: 0
+      malicious: 0
+      suspicious: 0
+      timeout: 0
+      type-unsupported: 2
+      undetected: 74
+    last_modification_date: 1592220693  # 2020-06-15 11:31:33 +0000 UTC
+    last_submission_date: 1539056691  # 2018-10-09 03:44:51 +0000 UTC
+    magic: "PE32 executable for MS Windows (GUI) Intel 80386 32-bit"
+    md5: "6711727adf76599bf50c9426057a35fe"
+    meaningful_name: "WEXTRACT.EXE"
+    names:
+    - "Wextract"
+    - "WEXTRACT.EXE"
+    - "wfetch.exe"
+    - "583526"
+    packers:
+      F-PROT: "CAB, ZIP"
+      PEiD: "Microsoft Visual C++ v6.0 SPx"
+    pe_info:
+      entry_point: 23268
+      imphash: "1494de9b53e05fc1f40cb92afbdd6ce4"
+      import_list:
+      - imported_functions:
+        - "GetLastError"
+        - "IsDBCSLeadByte"
+        - "DosDateTimeToFileTime"
+        - "ReadFile"
+        - "GetStartupInfoA"
+        - "GetSystemInfo"
+        - "lstrlenA"
+  ...edited...
+   size: 179272
+    ssdeep: "3072:BydJq5oyVzs+h0Jk5irDStDD5QOsP0CLRQq8ZZ3xlf/AQnFlFuKIUaKJH:UW2+AiDWOsPxQq8HHf/A07namH"
+    tags:
+    - "invalid-signature"
+    - "peexe"
+    - "signed"
+    - "overlay"
+    times_submitted: 33
+    total_votes:
+      harmless: 1
+      malicious: 0
+    trid:
+    - file_type: "Microsoft Update - Self Extracting Cabinet"
+      probability: 46.3
+    - file_type: "Win32 MS Cabinet Self-Extractor (WExtract stub)"
+      probability: 41.4
+    - file_type: "Win32 Executable MS Visual C++ (generic)"
+      probability: 4.2
+    - file_type: "Win64 Executable (generic)"
+      probability: 3.7
+    - file_type: "Win16 NE executable (generic)"
+      probability: 1.9
+    type_description: "Win32 EXE"
+    type_tag: "peexe"
+    unique_sources: 24
+    vhash: "  size: 179272
+    ssdeep: "3072:BydJq5oyVzs+h0Jk5irDStDD5QOsP0CLRQq8ZZ3xlf/AQnFlFuKIUaKJH:UW2+AiDWOsPxQq8HHf/A07namH"
+    tags:
+    - "invalid-signature"
+    - "peexe"
+    - "signed"
+    - "overlay"
+    times_submitted: 33
+    total_votes:
+      harmless: 1
+      malicious: 0
+    trid:
+    - file_type: "Microsoft Update - Self Extracting Cabinet"
+      probability: 46.3
+    - file_type: "Win32 MS Cabinet Self-Extractor (WExtract stub)"
+      probability: 41.4
+    - file_type: "Win32 Executable MS Visual C++ (generic)"
+      probability: 4.2
+    - file_type: "Win64 Executable (generic)"
+      probability: 3.7
+    - file_type: "Win16 NE executable (generic)"
+      probability: 1.9
+    type_description: "Win32 EXE"
+    type_tag: "peexe"
+    unique_sources: 24
+    vhash: "0150366d1570e013z1004cmz1f03dz"
+
+You can access the entire report `via the Web here
+<https://www.virustotal.com/gui/file/82f39086658ce80df4da6a49fef9d3062a00fd5795a4dd5042de32907bcb5b89/detection>`_.
+
+It appears this is a harmless Windows executable. However, by virtue of having
+it extracted from network traffic, analysts have many options for investigation
+when the file is not considered benign.
+
+Conclusion
+==========
+
+Zeek’s file extraction capabilities offer many advantages to analysts.
+Administrators can configure Zeek to compute MD5 hashes of files that Zeek sees
+in network traffic. Rather than computing a hash on a file written to disk,
+Zeek could simply compute the hash as part of its inspection process. The
+purpose of this section was to show some of the data in the :file:`files.log`,
+how it relates to other Zeek logs, and how analysts might make use of it.
diff --git a/doc/logs/ftp.rst b/doc/logs/ftp.rst
new file mode 100644
index 0000000000..ec4ad6c69e
--- /dev/null
+++ b/doc/logs/ftp.rst
@@ -0,0 +1,313 @@
+=======
+ftp.log
+=======
+
+Zeek’s :file:`ftp.log` summarizes activity using the File Transfer Protocol
+(FTP).  Similar to the :file:`http.log`, :file:`ftp.log` captures the essential
+information an analyst would likely need to understand how a client and server
+interact using FTP.
+
+FTP is an interesting protocol in the sense that it uses one TCP connection as
+a control channel and a second TCP connection as a file transfer channel. The
+control channel usually involves a FTP server listening on port 21 TCP. The
+file transfer channel, however, depends on the choices made by the client and
+server. With “passive FTP,” the server advertises a second TCP port to which
+the client should connect, and the client connects to that TCP port to initiate
+the file transfer. With “active FTP,” the server connects to a TCP port
+advertised by the client, although the server uses a source port of 20 TCP. It
+is more common to see passive FTP on the Internet today due to middleboxes
+(such as firewalls or other filtering devices) interfering with active FTP
+connections inbound to clients.
+
+For full details on each field in the :file:`ftp.log` file, please refer to
+:zeek:see:`FTP::Info`.
+
+Finding the :file:`ftp.log`
+===========================
+
+In the following example, an analyst knows to look for Zeek logs on a specific
+day bearing a specific UID. They search in the specified directory using the
+:program:`zgrep` command and pipe the results to the Unix command
+:program:`sed`, removing characters prior to the ``.gz:`` that would appear in
+the output. This facilitates piping the results into the :program:`jq` utility
+for easier viewing.
+
+.. code-block:: console
+
+  $ zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | sed 's/.*gz://' | jq .
+
+::
+
+  {
+    "_path": "conn",
+    "_system_name": "ds61",
+    "_write_ts": "2020-08-16T06:26:10.266225Z",
+    "_node": "worker-01",
+    "ts": "2020-08-16T06:26:01.485394Z",
+    "uid": "CLkXf2CMo11hD8FQ5",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 53380,
+    "id.resp_h": "196.216.2.24",
+    "id.resp_p": 21,
+    "proto": "tcp",
+    "service": "ftp",
+    "duration": 3.780829906463623,
+    "orig_bytes": 184,
+    "resp_bytes": 451,
+    "conn_state": "SF",
+    "local_orig": true,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "history": "ShAdDafF",
+    "orig_pkts": 20,
+    "orig_ip_bytes": 1232,
+    "resp_pkts": 17,
+    "resp_ip_bytes": 1343,
+    "ip_proto": 6,
+    "community_id": "1:lEESxqaSVYqFZvWNb4OccTa9sTs="
+  }
+  {
+    "_path": "ftp",
+    "_system_name": "ds61",
+    "_write_ts": "2020-08-16T06:26:04.077276Z",
+    "_node": "worker-01",
+    "ts": "2020-08-16T06:26:03.553287Z",
+    "uid": "CLkXf2CMo11hD8FQ5",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 53380,
+    "id.resp_h": "196.216.2.24",
+    "id.resp_p": 21,
+    "user": "anonymous",
+    "password": "ftp@example.com",
+    "command": "EPSV",
+    "reply_code": 229,
+    "reply_msg": "Entering Extended Passive Mode (|||31746|).",
+    "data_channel.passive": true,
+    "data_channel.orig_h": "192.168.4.76",
+    "data_channel.resp_h": "196.216.2.24",
+    "data_channel.resp_p": 31746
+  }
+  {
+    "_path": "ftp",
+    "_system_name": "ds61",
+    "_write_ts": "2020-08-16T06:26:05.117287Z",
+    "_node": "worker-01",
+    "ts": "2020-08-16T06:26:04.597290Z",
+    "uid": "CLkXf2CMo11hD8FQ5",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 53380,
+    "id.resp_h": "196.216.2.24",
+    "id.resp_p": 21,
+    "user": "anonymous",
+    "password": "ftp@example.com",
+    "command": "RETR",
+    "arg": "ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5",
+    "file_size": 74,
+    "reply_code": 226,
+    "reply_msg": "Transfer complete.",
+    "fuid": "FueF95uKPrUuDnMc4"
+  }
+
+This output presents three log files. The first is a :file:`conn.log` entry for
+the FTP control channel connection involving port 21 TCP. The second two
+describe what happened during the FTP control channel.
+
+Before looking at the details, let’s see a reconstruction of the FTP control
+channel.
+
+Reconstructing the FTP Control Channel
+======================================
+
+In the following example, we use the :program:`tcpflow` program introduced in
+the :file:`http.log` section to reconstruct the FTP control channel. By using
+the ``-c`` option, we can tell :program:`tcpflow`` to interleave the traffic
+sent by both sides of the conversation.  I pass it the port 53380 parameter to
+be sure I reconstruct traffic involving that connection, which was the source
+port for the FTP client. (If I chose something like 21 TCP instead, I could
+have reconstructed numerous FTP sessions beyond the one in question here.)
+
+In this example, ``196.216.2.24`` is the FTP server, and ``192.168.4.76`` is
+the FTP client.
+
+After the first two entries, I have manually edited the output for readability.
+
+.. code-block:: console
+
+  $ tcpflow -c -r snort.log.1597554100-196.216.2.24.pcap port 53380
+
+.. literal-emph::
+
+  196.216.002.024.00021-192.168.004.076.53380 [**server** to client]: 220 ::::: Welcome to the AFRINIC FTP service ::::::
+
+  192.168.004.076.53380-196.216.002.024.00021 [**client** to server]: USER anonymous
+
+  server: 331 Please specify the password.
+
+  client: PASS ftp@example.com
+
+  server: 230 Login successful.
+
+  client: PWD
+
+  server: 257 "/"
+
+  client: CWD pub
+
+  server: 250 Directory successfully changed.
+
+  client: CWD stats
+
+  server: 250 Directory successfully changed.
+
+  client: CWD afrinic
+
+  server: 250 Directory successfully changed.
+
+  client: EPSV
+
+  server: 229 Entering Extended Passive Mode (|||31746|).
+
+  client: TYPE I
+
+  server: 200 Switching to Binary mode.
+
+  client: SIZE delegated-afrinic-extended-latest.md5
+
+  server: 213 74
+
+  client: RETR delegated-afrinic-extended-latest.md5
+
+  server: 150 Opening BINARY mode data connection for delegated-afrinic-extended-latest.md5 (74 bytes).
+
+  server: 226 Transfer complete.
+
+  client: QUIT
+
+  server: 221 Goodbye.
+
+Reading this transcript, some important items include the following:
+
+* This is a FTP server that allows anonymous access.
+* The data channel occurs using passive FTP.
+* The FTP server opens port 31746 TCP to accept the FTP connection over which
+  it will transfer the requested file.
+* The file transferred is ``delegated-afrinic-extended-latest.md5``, a 74 byte
+  file.
+
+With this understanding in place, let’s see how Zeek represents this activity.
+
+Inspecting the :file:`ftp.log`
+==============================
+
+Let’s take a second look at the two :file:`ftp.log` entries.
+
+::
+
+  {
+    "_path": "ftp",
+    "_system_name": "ds61",
+    "_write_ts": "2020-08-16T06:26:04.077276Z",
+    "_node": "worker-01",
+    "ts": "2020-08-16T06:26:03.553287Z",
+    "uid": "CLkXf2CMo11hD8FQ5",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 53380,
+    "id.resp_h": "196.216.2.24",
+    "id.resp_p": 21,
+    "user": "anonymous",
+    "password": "ftp@example.com",
+    "command": "EPSV",
+    "reply_code": 229,
+    "reply_msg": "Entering Extended Passive Mode (|||31746|).",
+    "data_channel.passive": true,
+    "data_channel.orig_h": "192.168.4.76",
+    "data_channel.resp_h": "196.216.2.24",
+    "data_channel.resp_p": 31746
+  }
+
+The first :file:`ftp.log` entry shows us that the FTP client logged in as user
+``ftp@example.com``, requested a form of passive connection for its data
+channel, and the server offered port 31746 TCP for that connection.
+
+::
+
+  {
+    "_path": "ftp",
+    "_system_name": "ds61",
+    "_write_ts": "2020-08-16T06:26:05.117287Z",
+    "_node": "worker-01",
+    "ts": "2020-08-16T06:26:04.597290Z",
+    "uid": "CLkXf2CMo11hD8FQ5",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 53380,
+    "id.resp_h": "196.216.2.24",
+    "id.resp_p": 21,
+    "user": "anonymous",
+    "password": "ftp@example.com",
+    "command": "RETR",
+    "arg": "ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5",
+    "file_size": 74,
+    "reply_code": 226,
+    "reply_msg": "Transfer complete.",
+    "fuid": "FueF95uKPrUuDnMc4"
+  }
+
+The second :file:`ftp.log` entry gives details on the file retrieved from the
+FTP server, such as the path on the server, its name, and the fact that the
+file transfer completed. We also have a file identifier (``FueF95uKPrUuDnMc4``)
+that we could use to find the file on disk, if we configured Zeek to extract
+and save this sort of content.
+
+Finding the Data Channel
+========================
+
+For the sake of completeness, let’s take a look at the FTP data channel using
+port 31746 TCP as our guide. I grep for the port number and the TCP protocol to
+try to be more specific, although I could have added the source and destination
+IP addresses too.
+
+.. code-block:: console
+
+  $ zcat 2020-08-16/conn_20200816_06\:00\:00-07\:00\:00+0000.log.gz | grep 31746 | grep tcp | sed 's/.*gz://' | jq .
+
+::
+
+  {
+    "_path": "conn",
+    "_system_name": "ds61",
+    "_write_ts": "2020-08-16T06:26:09.771034Z",
+    "_node": "worker-01",
+    "ts": "2020-08-16T06:26:03.774520Z",
+    "uid": "CzLMFA3Eh8KBlY4kS7",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 60474,
+    "id.resp_h": "196.216.2.24",
+    "id.resp_p": 31746,
+    "proto": "tcp",
+    "service": "ftp-data",
+    "duration": 0.9965000152587891,
+    "orig_bytes": 0,
+    "resp_bytes": 74,
+    "conn_state": "SF",
+    "local_orig": true,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "history": "ShAdfFa",
+    "orig_pkts": 4,
+    "orig_ip_bytes": 216,
+    "resp_pkts": 4,
+    "resp_ip_bytes": 290,
+    "ip_proto": 6,
+    "community_id": "1:DNwvGR6Ots6pISvsdXBUIaG8y3Q="
+  }
+
+Zeek notes that this is a ``ftp-data`` service, which is another way we could
+have used to find this connection.
+
+Conclusion
+==========
+
+FTP is still in use, despite the fact that encrypted alternatives abound.
+Zeek’s :file:`ftp.log` provides a compact way to summarize the salient features
+of a FTP control channel, pointing out details of the control activity and how
+to locate the data channel.
diff --git a/doc/logs/http.rst b/doc/logs/http.rst
new file mode 100644
index 0000000000..4a5e99cf71
--- /dev/null
+++ b/doc/logs/http.rst
@@ -0,0 +1,174 @@
+========
+http.log
+========
+
+The HyperText Transfer Protocol (HTTP) log, or :file:`http.log`, is another
+core data source generated by Zeek. With the transition from clear-text HTTP to
+encrypted HTTPS traffic, the :file:`http.log` is less active in many
+environments. In some cases, however, organizations implement technologies or
+practices to expose HTTPS as HTTP. Whether you’re looking at legacy HTTP on the
+wire, or HTTPS that has been exposed as HTTP, Zeek’s :file:`http.log` offers
+utility for examining normal, suspicious, and malicious activity.
+
+The Zeek scripting manual, derived from the Zeek source code, completely
+explains the meaning of each field in the :file:`http.log` (and other logs). It
+would be duplicative to manually recreate that information in another format
+here. Therefore, this entry seeks to show how an analyst would make use of the
+information in the :file:`http.log`. Those interested in getting details on
+every element of the :file:`http.log` should refer to :zeek:see:`HTTP::Info`.
+
+Throughout the sections that follow, we will inspect Zeek logs in JSON format.
+
+Inspecting the :file:`http.log`
+===============================
+
+To inspect the :file:`http.log`, we will use the same techniques we learned
+earlier in the manual. First, we have a JSON-formatted log file, either
+collected by Zeek watching a live interface, or by Zeek processing stored
+traffic. We use the :program:`jq` utility to review the contents.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ jq . -c http.log
+
+::
+
+  {"ts":1591367999.512593,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"trans_depth":1,"method":"GET","host":"testmyids.com","uri":"/","version":"1.1","user_agent":"curl/7.47.0","request_body_len":0,"response_body_len":39,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FEEsZS1w0Z0VJIb5x4"],"resp_mime_types":["text/plain"]}
+
+This is a very simple :file:`http.log`. With only one entry, it’s the simplest
+possible entry. As before, we could see each field printed on its own line:
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test/json$ jq . http.log
+
+::
+
+  {
+    "ts": 1591367999.512593,
+    "uid": "C5bLoe2Mvxqhawzqqd",
+    "id.orig_h": "192.168.4.76",
+    "id.orig_p": 46378,
+    "id.resp_h": "31.3.245.133",
+    "id.resp_p": 80,
+    "trans_depth": 1,
+    "method": "GET",
+    "host": "testmyids.com",
+    "uri": "/",
+    "version": "1.1",
+    "user_agent": "curl/7.47.0",
+    "request_body_len": 0,
+    "response_body_len": 39,
+    "status_code": 200,
+    "status_msg": "OK",
+    "tags": [],
+    "resp_fuids": [
+      "FEEsZS1w0Z0VJIb5x4"
+    ],
+    "resp_mime_types": [
+      "text/plain"
+    ]
+  }
+
+HTTP is a protocol that was initially fairly simple. Over time it has become
+increasingly complicated. It’s not the purpose of this manual to describe how
+HTTP can be used and abused. Rather, we will take a brief look at the most
+important elements of this :file:`http.log` entry, which is almost all of them.
+
+Understanding the :file:`http.log` Entry
+========================================
+
+Similar to the previous :file:`dns.log`, the :file:`http.log` is helpful
+because it combines elements from the conversation between the source and
+destination in one log entry. The most fundamental elements of the log answer
+questions concerning who made a request, who responded, and the nature of the
+request and response.
+
+In this entry, we see that ``192.168.4.76`` made a request to ``31.3.245.133``.
+The originator made a HTTP version 1.1 GET request for the ``/`` or root of the
+site ``testmyids.com`` hosted by the responder, passing a user agent of
+``curl/7.47.0``.
+
+The responder replied with a 200 OK message, with a MIME (Multipurpose Internet
+Mail Extensions) type of ``text/plain``. Zeek provides us a file ID (or
+``fuid``) of ``FEEsZS1w0Z0VJIb5x4``. If we had configured Zeek to log files of
+type ``text/plain``, we could look at the content returned by the responder.
+
+Finally, note the UID of ``C5bLoe2Mvxqhawzqqd``. This is the same UID found in
+the :file:`conn.log` for this TCP connection. This allows us to link the
+:file:`conn.log` entry with this :file:`http.log` entry.
+
+Reviewing the Original Traffic
+==============================
+
+To better understand the original traffic, and how it relates to the Zeek
+:file:`http.log`, let’s look at the contents manually. HTTP is a clear-text
+protocol. Assuming the contents are also clear text, and not obfuscated or
+encrypted, we can look at the contents. In the following example I use the
+venerable program :program:`tcpflow` to create two files. One contains data
+from the originator to the responder, while the second contains data from the
+responder to the originator.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test$ tcpflow -r tm1t.pcap port 80
+
+Let’s first look at the data from the originator to the responder.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test$ cat 192.168.004.076.46378-031.003.245.133.00080
+
+::
+
+  GET / HTTP/1.1
+  Host: testmyids.com
+  User-Agent: curl/7.47.0
+  Accept: */*
+
+Here is the data from the responder to the originator.
+
+.. code-block:: console
+
+  zeek@zeek:~/zeek-test$ cat 031.003.245.133.00080-192.168.004.076.46378
+
+::
+
+  HTTP/1.1 200 OK
+  Server: nginx/1.16.1
+  Date: Fri, 05 Jun 2020 14:40:07 GMT
+  Content-Type: text/html; charset=UTF-8
+  Content-Length: 39
+  Connection: keep-alive
+  Last-Modified: Fri, 10 Jan 2020 21:36:02 GMT
+  ETag: "27-59bcfe9932c32"
+  Accept-Ranges: bytes
+
+  uid=0(root) gid=0(root) groups=0(root)
+
+As you can see, there are elements, particularly in the response, that do not
+appear in the :file:`http.log`. For example, the Server type of
+``nginx/1.16.1`` is not logged. If an analyst or administrator decided that he
+or she wished to include that data in his or her :file:`http.log`, it is
+possible to make adjustments.
+
+The data from the responder also shows the application payload it sent::
+
+  uid=0(root) gid=0(root) groups=0(root)
+
+This is the output of a Unix ``uname -a`` command. It is hosted at the server
+``testmyids.com`` to trigger a “GPL ATTACK_RESPONSE id check returned root”
+alert found in open source intrusion detection engine rule sets, such as that
+supported by Suricata. Analysts sometimes use this site to test if their
+intrusion detection engines are functioning properly. A more modern option with
+many different tests can be found at https://github.com/0xtf/testmynids.org.
+
+Conclusion
+==========
+
+Zeek’s :file:`http.log` is another important log that offers a great deal of
+information on how systems are interacting with the Internet and each other. In
+the example in this section we looked at a very simple interaction between an
+originator and a responder. We could see the benefit of summarizing an HTTP
+request and response in a single log entry.  In the next section we will look
+at other core Internet protocols.
diff --git a/doc/logs/index.rst b/doc/logs/index.rst
new file mode 100644
index 0000000000..6350dee59f
--- /dev/null
+++ b/doc/logs/index.rst
@@ -0,0 +1,31 @@
+=========
+Zeek Logs
+=========
+
+.. toctree::
+   :maxdepth: 1
+
+   analyzer
+   conn
+   dns
+   http
+   files
+   ftp
+   ssl
+   x509
+   smtp
+   ssh
+   pe
+   dhcp
+   ntp
+   smb
+   irc
+   ldap
+   postgresql
+   quic
+   rdp
+   traceroute
+   tunnel
+   known-and-software
+   weird-and-notice
+   capture-loss-and-reporter
diff --git a/doc/logs/irc.rst b/doc/logs/irc.rst
new file mode 100644
index 0000000000..56fbe10fa2
--- /dev/null
+++ b/doc/logs/irc.rst
@@ -0,0 +1,475 @@
+=======
+irc.log
+=======
+
+Internet Relay Chat (IRC) is an older protocol that enables real time chat and
+collaboration. The Zeek project hosted an IRC channel for many years to support
+development and discussion. Some intruders eventually began using IRC to
+control botnets, primarily for two reasons. First, as IRC had legitimate uses,
+it may not have been suspicious or malicious to see IRC traffic on the wire.
+Second, IRC enabled command-and-control, thanks to the ability for operators to
+issue instructions to clients that controlled compromised systems.
+
+Traditionally, IRC clients connect via a clear-text TCP session to an IRC
+server listening on port 6667. The commands and responses are text-based,
+making it possible for an analyst to manually inspect them. More recent
+implementations of IRC servers offer IRC over TLS, with the servers listening
+on port 6697 TCP. However, for both unencrypted or encrypted sessions, IRC
+servers can listen on any TCP port.
+
+For full details on each field in the :file:`irc.log` file, please see
+:zeek:see:`IRC::Info`.
+
+Reconstructing an IRC Session
+=============================
+
+Before examining the data provided by Zeek’s :file:`irc.log`, it might be
+useful to see the contents of an IRC session. I generated the following
+activity using the Hexchat IRC client.
+
+I have edited the transcript to focus on essential items. Text in bold was sent
+by the IRC client. The server sent the remaining text.
+
+.. literal-emph::
+
+  **CAP LS 302**
+  :barjavel.freenode.net NOTICE * :*** Looking up your hostname...
+  **NICK zeektest**
+  **USER zeektest 0 * :realname**
+  :barjavel.freenode.net NOTICE * :*** Checking Ident
+  :barjavel.freenode.net NOTICE * :*** Found your hostname
+  :barjavel.freenode.net NOTICE * :*** No Ident response
+  :barjavel.freenode.net CAP * LS :account-notify away-notify cap-notify chghost extended-join identify-msg multi-prefix sasl tls
+  **CAP REQ :account-notify away-notify cap-notify chghost extended-join identify-msg multi-prefix**
+  **:barjavel.freenode.net CAP zeektest ACK :account-notify away-notify cap-notify chghost extended-join identify-msg multi-prefix **
+  **CAP END**
+  :barjavel.freenode.net 001 zeektest :Welcome to the freenode Internet Relay Chat Network zeektest
+  :barjavel.freenode.net 002 zeektest :Your host is barjavel.freenode.net[195.154.200.232/6667], running version ircd-seven-1.1.9
+  :barjavel.freenode.net 003 zeektest :This server was created Thu Dec 19 2019 at 20:10:02 UTC
+  :barjavel.freenode.net 004 zeektest barjavel.freenode.net ircd-seven-1.1.9 DOQRSZaghilopsuwz CFILMPQSbcefgijklmnopqrstuvz bkloveqjfI
+  :barjavel.freenode.net 005 zeektest CHANTYPES=# EXCEPTS INVEX CHANMODES=eIbq,k,flj,CFLMPQScgimnprstuz CHANLIMIT=#:120 PREFIX=(ov)@+ MAXLIST=bqeI:100 MODES=4 NETWORK=freenode STATUSMSG=@+ CALLERID=g CASEMAPPING=rfc1459 :are supported by this server
+  :barjavel.freenode.net 005 zeektest CHARSET=ascii NICKLEN=16 CHANNELLEN=50 TOPICLEN=390 DEAF=D FNC TARGMAX=NAMES:1,LIST:1,KICK:1,WHOIS:1,PRIVMSG:4,NOTICE:4,ACCEPT:,MONITOR: EXTBAN=$,ajrxz CLIENTVER=3.0 WHOX KNOCK CPRIVMSG :are supported by this server
+  :barjavel.freenode.net 005 zeektest CNOTICE ETRACE SAFELIST ELIST=CTU MONITOR=100 :are supported by this server
+  :barjavel.freenode.net 251 zeektest :There are 101 users and 82081 invisible on 31 servers
+  :barjavel.freenode.net 252 zeektest 43 :IRC Operators online
+  :barjavel.freenode.net 253 zeektest 45 :unknown connection(s)
+  :barjavel.freenode.net 254 zeektest 41982 :channels formed
+  :barjavel.freenode.net 255 zeektest :I have 3809 clients and 1 servers
+  :barjavel.freenode.net 265 zeektest 3809 5891 :Current local users 3809, max 5891
+  :barjavel.freenode.net 266 zeektest 82182 90930 :Current global users 82182, max 90930
+  :barjavel.freenode.net 250 zeektest :Highest connection count: 5892 (5891 clients) (1543159 connections received)
+  :barjavel.freenode.net 375 zeektest :- barjavel.freenode.net Message of the Day -
+  :barjavel.freenode.net 372 zeektest :- Welcome to barjavel.freenode.net in Paris, FR, EU.
+  ...edited…
+  :barjavel.freenode.net 372 zeektest :- Thank you for using freenode!
+  :barjavel.freenode.net 376 zeektest :End of /MOTD command.
+  :zeektest MODE zeektest :+i
+  **JOIN #freenode**
+  :zeektest!~zeektest@pool-XX-XXX-XXX-XX.washdc.fios.verizon.net JOIN #freenode * :realname
+  :barjavel.freenode.net 332 zeektest #freenode :Welcome to #freenode | Don't copy/paste spam | No politics. | Feel free to message staff at any time. You can find us using /stats p (shows immediately-available staff) or /who freenode/staff/* (shows all staff)
+  :barjavel.freenode.net 333 zeektest #freenode deadk 1604191950
+  ...edited…
+  :ChanServ!ChanServ@services. NOTICE zeektest :+[#freenode] Please read the topic.
+  :services. 328 zeektest #freenode :https://freenode.net/
+  **WHO #freenode %chtsunfra,152**
+  :barjavel.freenode.net 324 zeektest #freenode +CLPcntjf 5:10 #freenode-overflow
+  ...edited…
+  **PING LAG641756037**
+  :barjavel.freenode.net PONG barjavel.freenode.net :LAG641756037
+  :willcl_ark!~quassel@cpc123780-trow7-2-0-cust177.18-1.cable.virginm.net AWAY :Away
+  :EGH!~EGH@79.142.76.202 JOIN #freenode EGH :Erik
+  **PRIVMSG #freenode :One more test... thanks everyone.**
+  **QUIT :Leaving**
+  :zeektest!~zeektest@pool-XX-XXX-XXX-XX.washdc.fios.verizon.net QUIT :Client Quit
+  ERROR :Closing Link: pool-XX-XXX-XXX-XX.washdc.fios.verizon.net (Client Quit)
+
+As you can see, there is a lot of detail about the IRC server and the channels
+and users it supports. The client uses the nickname ``zeektest`` and joins the
+``#freenode`` channel. It issues one message. ``One more test… thanks
+everyone``, and then quits.
+
+I captured this traffic by manually setting disabling TLS. Otherwise, the
+protocol exchange would have been opaque to Zeek (and other NSM tools).
+
+With this basic background on IRC, let’s see how Zeek renders this activity.
+
+Port 6667 :file:`conn.log`
+==========================
+
+Zeek generated the following :file:`conn.log` entry for the example traffic.
+
+.. literal-emph::
+
+  {
+    "ts": 1607009493.558305,
+    "uid": "CDsHGC2ZJuJh10XNbk",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 52856,
+    "id.resp_h": "195.154.200.232",
+    **"id.resp_p": 6667,**
+    **"proto": "tcp",**
+    **"service": "irc",**
+    "duration": 55.26594305038452,
+    "orig_bytes": 311,
+    "resp_bytes": 239330,
+    "conn_state": "RSTO",
+    "missed_bytes": 0,
+    "history": "ShADadfR",
+    "orig_pkts": 41,
+    "orig_ip_bytes": 1963,
+    "resp_pkts": 185,
+    "resp_ip_bytes": 246742,
+    "ip_proto": 6
+  }
+
+We see that Zeek correctly identified this traffic as IRC. We can expect to see
+an :file:`irc.log` entry.
+
+Port 6667 :file:`irc.log`
+=========================
+
+Zeek generated the following three :file:`irc.log` entries:
+
+.. literal-emph::
+
+  {
+    "ts": 1607009493.733304,
+    "uid": "CDsHGC2ZJuJh10XNbk",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 52856,
+    "id.resp_h": "195.154.200.232",
+    "id.resp_p": 6667,
+    **"command": "NICK",**
+    **"value": "zeektest"**
+  }
+  {
+    "ts": 1607009493.733304,
+    "uid": "CDsHGC2ZJuJh10XNbk",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 52856,
+    "id.resp_h": "195.154.200.232",
+    "id.resp_p": 6667,
+    **"nick": "zeektest",**
+    **"command": "USER",**
+    **"value": "zeektest",**
+    "addl": "0 * realname"
+  }
+  {
+    "ts": 1607009514.481161,
+    "uid": "CDsHGC2ZJuJh10XNbk",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 52856,
+    "id.resp_h": "195.154.200.232",
+    "id.resp_p": 6667,
+    **"nick": "zeektest",**
+    **"user": "zeektest",**
+    **"command": "JOIN",**
+    **"value": "#freenode",**
+    "addl": ""
+  }
+
+We see that Zeek collected information on three aspects of the IRC activity. It
+captured the setting of the NICK and USER values, as well as a JOIN command.
+
+Looking at the Zeek scripting reference, it looks like Zeek will also track
+Direct Client-to-Client (or Direct Client Connection, also known as DCC)
+activity, usually used to exchange files via IRC.
+
+Now that we know what a traditional unencrypted IRC session looks like, let’s
+see how a modern TLS-encrypted IRC session appears.
+
+Port 6697 :file:`conn.log`
+==========================
+
+Running Zeek against a capture of IRC over TLS, Zeek produces the following
+:file:`conn.log` entry.
+
+.. literal-emph::
+
+  {
+    "ts": 1607009173.307125,
+    "uid": "CxLRXG3BJ8KYCW6flg",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 59423,
+    "id.resp_h": "185.30.166.38",
+    **"id.resp_p": 6697,**
+    **"proto": "tcp",**
+    **"service": "ssl",**
+    "duration": 80.66936779022217,
+    "orig_bytes": 1162,
+    "resp_bytes": 251941,
+    "conn_state": "RSTR",
+    "missed_bytes": 0,
+    "history": "ShADadfr",
+    "orig_pkts": 49,
+    "orig_ip_bytes": 3134,
+    "resp_pkts": 197,
+    "resp_ip_bytes": 259833
+  }
+
+Here we see that Zeek only knows that it is looking at a TLS session.
+
+Port 6697 :file:`ssl.log` and :file:`x509.log`
+==============================================
+
+Because this traffic is encrypted via TLS, Zeek produced :file:`ssl.log` and
+:file:`x509.log` entries.
+
+First, let’s look at :file:`ssl.log`:
+
+.. literal-emph::
+
+  {
+    "ts": 1607009173.826036,
+    "uid": "CxLRXG3BJ8KYCW6flg",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 59423,
+    "id.resp_h": "185.30.166.38",
+    "id.resp_p": 6697,
+    "version": "TLSv12",
+    "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "curve": "secp256r1",
+    **"server_name": "chat.freenode.net",**
+    "resumed": false,
+    "established": true,
+    "cert_chain_fuids": [
+      "F6pDkA4niQwyXPxugf",
+      "F1JGJ81fmUN17LOYnk"
+    ],
+    "client_cert_chain_fuids": [],
+    **"subject": "CN=verne.freenode.net",**
+    "issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"
+  }
+
+The references to Freenode and ``chat`` can help clue an analyst to the
+likelihood that the client is engaging in IRC sessions.
+
+Now let’s look at the :file:`x509.log`:
+
+.. literal-emph::
+
+  {
+    "ts": 1607009173.828159,
+    "id": "F6pDkA4niQwyXPxugf",
+    "certificate.version": 3,
+    "certificate.serial": "040831FAE9EF9E4D666A4B9EDE996878C79B",
+    "certificate.subject": "CN=verne.freenode.net",
+    "certificate.issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
+    "certificate.not_valid_before": 1605501336,
+    "certificate.not_valid_after": 1613277336,
+    "certificate.key_alg": "rsaEncryption",
+    "certificate.sig_alg": "sha256WithRSAEncryption",
+    "certificate.key_type": "rsa",
+    "certificate.key_length": 4096,
+    "certificate.exponent": "65537",
+    "san.dns": [
+      **"chat.au.freenode.com",**
+      **"chat.au.freenode.net",**
+      **"chat.au.freenode.org",**
+      **"chat.eu.freenode.com",**
+      **"chat.eu.freenode.net",**
+      **"chat.eu.freenode.org",**
+      **"chat.freenode.com",**
+      **"chat.freenode.net",**
+      **"chat.freenode.org",**
+      **"chat.ipv4.freenode.com",**
+      **"chat.ipv4.freenode.net",**
+      **"chat.ipv4.freenode.org",**
+      **"chat.ipv6.freenode.com",**
+      **"chat.ipv6.freenode.net",**
+      **"chat.ipv6.freenode.org",**
+      **"chat.us.freenode.com",**
+      **"chat.us.freenode.net",**
+      **"chat.us.freenode.org",**
+      **"ipv6.chat.freenode.net",**
+      **"ipv6.irc.freenode.net",**
+      **"irc.au.freenode.com",**
+      **"irc.au.freenode.net",**
+      **"irc.au.freenode.org",**
+      **"irc.eu.freenode.com",**
+      **"irc.eu.freenode.net",**
+      **"irc.eu.freenode.org",**
+      **"irc.freenode.com",**
+      **"irc.freenode.net",**
+      **"irc.freenode.org",**
+      **"irc.ipv4.freenode.com",**
+      **"irc.ipv4.freenode.net",**
+      **"irc.ipv4.freenode.org",**
+      **"irc.ipv6.freenode.com",**
+      **"irc.ipv6.freenode.net",**
+      **"irc.ipv6.freenode.org",**
+      **"irc.us.freenode.com",**
+      **"irc.us.freenode.net",**
+      **"irc.us.freenode.org",**
+      **"verne.freenode.net"**
+    ],
+    "basic_constraints.ca": false
+  }
+  {
+    "ts": 1607009173.828159,
+    "id": "F1JGJ81fmUN17LOYnk",
+    "certificate.version": 3,
+    "certificate.serial": "0A0141420000015385736A0B85ECA708",
+    "certificate.subject": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
+    "certificate.issuer": "CN=DST Root CA X3,O=Digital Signature Trust Co.",
+    "certificate.not_valid_before": 1458232846,
+    "certificate.not_valid_after": 1615999246,
+    "certificate.key_alg": "rsaEncryption",
+    "certificate.sig_alg": "sha256WithRSAEncryption",
+    "certificate.key_type": "rsa",
+    "certificate.key_length": 2048,
+    "certificate.exponent": "65537",
+    "basic_constraints.ca": true,
+    "basic_constraints.path_len": 0
+  }
+
+The bolded entries containing strings with “IRC”, “chat”, and Freenode are
+again clues that IRC is in play here.
+
+Port 31337 :file:`conn.log`
+===========================
+
+Here is a different session where port 31337 TCP offered clear-text IRC
+connections. Zeek produced three :file:`conn.log` entries, involving clients
+with IP addresses of ``10.240.0.3``, ``10.240.0.4``, and ``10.240.0.5``. Here
+is an entry for the client ``10.240.0.5``.
+
+.. literal-emph::
+
+  {
+    "ts": 1461774814.057057,
+    "uid": "Cs0hwm3slMw4IBDU0h",
+    "id.orig_h": "10.240.0.5",
+    "id.orig_p": 42277,
+    "id.resp_h": "10.240.0.2",
+    **"id.resp_p": 31337,**
+    **"proto": "tcp",**
+    **"service": "irc",**
+    "duration": 787.9501581192017,
+    "orig_bytes": 1026,
+    "resp_bytes": 10425,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "ShADadfF",
+    "orig_pkts": 95,
+    "orig_ip_bytes": 5974,
+    "resp_pkts": 87,
+    "resp_ip_bytes": 14957
+  }
+
+Zeek identified the protocol as IRC by using its dynamic port detection
+functionality. It did not need to see IRC on port 6667 TCP in order to
+recognize the protocol.
+
+Port 31337 :file:`irc.log`
+==========================
+
+Zeek produced many entries in the :file:`irc.log` for this activity, so I
+extracted the key values.
+
+.. code-block:: console
+
+  $ jq -c '[."id.orig_h", ."nick", ."user", ."command", ."value", ."addl"]' irc.log
+
+::
+
+  ["10.240.0.3",null,null,"NICK","Matir",null]
+  ["10.240.0.3","Matir",null,"USER","root-poppopret","root-poppopret 10.240.0.2 matir"]
+  ["10.240.0.3","Matir","root-poppopret","JOIN","#ctf",""]
+  ["10.240.0.4",null,null,"NICK","andrewg",null]
+  ["10.240.0.4","andrewg",null,"USER","root-poppopret","root-poppopret 10.240.0.2 andrewg"]
+  ["10.240.0.4","andrewg","root-poppopret","JOIN","#ctf",""]
+  ["10.240.0.5",null,null,"NICK","itsl0wk3y",null]
+  ["10.240.0.5","itsl0wk3y",null,"USER","root-poppopret","root-poppopret 10.240.0.2 l0w"]
+  ["10.240.0.5","itsl0wk3y","root-poppopret","JOIN","#ctf",""]
+
+As with the previous :file:`irc.log`, you can see elements like the nickname,
+username, commands, and additional data for the connections. You do not see any
+details of what users said to each other.
+
+Botnet IRC Traffic
+==================
+
+The following example is an excerpt from a case provided by the Malware Capture
+Facility, a sister project to the Stratosphere IPS Project. The case is
+CTU-IoT-Malware-Capture-3-1, located here:
+
+https://mcfp.felk.cvut.cz/publicDatasets/IoTDatasets/CTU-IoT-Malware-Capture-3-1/
+
+The case includes IRC traffic caused by systems compromised and under the
+control of the Muhstihk botnet. More details are available in this blog post:
+
+https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/
+
+Here is a summary of the :file:`conn.log` for the malicious IRC traffic.
+
+.. code-block:: console
+
+  $ jq -c '[."id.orig_h", ."id.resp_h", ."id.resp_p", ."proto", ."service"]' conn.log
+
+::
+
+  ["192.168.2.5","111.230.241.23",2407,"tcp","irc"]
+  ["192.168.2.5","51.38.81.99",2407,"tcp","irc"]
+  ["192.168.2.5","185.61.149.22",2407,"tcp",null]
+  ["192.168.2.5","54.39.23.28",2407,"tcp","irc"]
+  ["192.168.2.5","54.39.23.28",2407,"tcp","irc"]
+  ["192.168.2.5","185.47.129.56",2407,"tcp",null]
+  ["213.140.50.114","192.168.2.5",1,"icmp",null]
+  ["192.168.2.5","111.230.241.23",2407,"tcp","irc"]
+  ["192.168.2.5","54.39.23.28",2407,"tcp","irc"]
+
+We see the victim, ``192.168.2.5``, connecting to multiple IRC servers on port
+2407 TCP. Note that Zeek does not recognize all of the IRC traffic using its
+IRC protocol analyzer. Zeek does see six IRC sessions that it parses in the
+:file:`irc.log`.
+
+Here is a summary of the :file:`irc.log` for the IRC traffic created by this
+botnet client.
+
+.. code-block:: console
+
+  $ jq -c '[."id.orig_h", ."id.resp_h", ."nick", ."user", ."command", ."value", ."addl"]' irc.log
+
+::
+
+  ["192.168.2.5","111.230.241.23",null,null,"NICK","A5|1|5358668|black-pe",null]
+  ["192.168.2.5","111.230.241.23","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
+  ["192.168.2.5","51.38.81.99",null,null,"NICK","A5|1|5358668|black-pe",null]
+  ["192.168.2.5","51.38.81.99","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
+  ["192.168.2.5","51.38.81.99","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
+  ["192.168.2.5","54.39.23.28",null,null,"NICK","A5|1|5358668|black-pe",null]
+  ["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
+  ["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
+  ["192.168.2.5","54.39.23.28",null,null,"NICK","A5|1|5358668|black-pe",null]
+  ["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
+  ["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
+  ["192.168.2.5","111.230.241.23",null,null,"NICK","A5|1|5358668|black-pe",null]
+  ["192.168.2.5","111.230.241.23","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
+  ["192.168.2.5","111.230.241.23","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
+  ["192.168.2.5","54.39.23.28",null,null,"NICK","A5|1|5358668|black-pe",null]
+  ["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
+  ["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
+
+Here is an example transcript for one of the IRC sessions:
+
+.. literal-emph::
+
+  **NICK A5|1|5358668|black-pe**
+  **USER muhstik localhost localhost :muhstik-11052018**
+  PING :A2A5630
+  **PONG :A2A5630**
+  :x4.tipu 010 A5|1|5358668|black-pe x4.tipu 0
+  :x4.tipu 010 A5|1|5358668|black-pe pomf 6667
+  ERROR :Closing Link: A5|1|5358668|black-pe[109.81.208.168] (This server is full.)
+
+Thankfully for the analyst, it declares itself using the easily-searchable name
+``muhstik``. This makes it easy to do open source research and identify the
+malicious nature of the activity.
+
+Conclusion
+==========
+
+Security analysts may still encounter IRC when botnets and other malware use it
+for command-and-control. As other forms of modern collaboration and chat have
+become prevalent, the normality of IRC has become a remnant of a bygone era.
diff --git a/doc/logs/known-and-software.rst b/doc/logs/known-and-software.rst
new file mode 100644
index 0000000000..f2187f683c
--- /dev/null
+++ b/doc/logs/known-and-software.rst
@@ -0,0 +1,137 @@
+============================
+known_*.log and software.log
+============================
+
+Zeek produces several logs that help summarize certain aspects of the network
+it monitors. These logs track a few aspects of the local network, such as
+SSL/TLS certificates, host IP addresses, services, and applications.
+
+The sections which follow will present examples of entries in
+:file:`known_certs.log`, :file:`known_hosts.log`, :file:`known_services.log`,
+and :file:`software.log` files collected on live networks.
+
+For full details on each field of those log files, see
+:zeek:see:`Known::CertsInfo`, :zeek:see:`Known::HostsInfo`,
+:zeek:see:`Known::ServicesInfo`, and :zeek:see:`Software::Info`.
+
+:file:`known_certs.log`
+=======================
+
+The :file:`known_certs.log` captures information about SSL/TLS certificates
+seen on the local network. Here is one example::
+
+  {
+    "ts": "2020-12-31T15:15:53.690221Z",
+    "host": "192.168.4.1",
+    "port_num": 443,
+    "subject": "L=San Jose,ST=CA,O=Ubiquiti Networks,CN=UBNT Router UI,C=US",
+    "issuer_subject": "L=San Jose,ST=CA,O=Ubiquiti Networks,CN=UBNT Router UI,C=US",
+    "serial": "98D0AD47D748CDD6"
+  }
+
+This example shows a device offering a TLS server on port 443 TCP, with a
+certificate associated with Ubiquiti Networks.
+
+:file:`known_hosts.log`
+=======================
+
+The :file:`known_hosts.log` simply records a timestamp and an IP address when
+Zeek observes a new system on the local network.
+
+::
+
+  {"ts":"2021-01-03T01:19:26.260073Z","host":"192.168.4.25"}
+  {"ts":"2021-01-03T01:19:27.353353Z","host":"192.168.4.29"}
+  {"ts":"2021-01-03T01:19:32.488179Z","host":"192.168.4.43"}
+  {"ts":"2021-01-03T01:19:58.792683Z","host":"192.168.4.142"}
+  ...edited...
+  {"ts":"2021-01-03T12:17:22.496004Z","host":"192.168.4.115"}
+
+This edited example shows how this log could be part of an IP address inventory
+program.
+
+:file:`known_services.log`
+==========================
+
+The :file:`known_services.log` records a timestamp, IP, port number, protocol,
+and service (if available) when Zeek observes a system offering a new service
+on the local network. Here is what a single entry looks like::
+
+  {
+    "ts": "2021-01-03T01:19:36.242774Z",
+    "host": "192.168.4.1",
+    "port_num": 53,
+    "port_proto": "udp",
+    "service": [
+      "DNS"
+    ]
+  }
+
+For the following list, I used the :program:`jq` utility to remove the
+timestamp but show the other log values.
+
+::
+
+  ["192.168.4.43",51472,"tcp",[]]
+  ["192.168.4.1",443,"tcp",["SSL"]]
+  ["192.168.4.1",80,"tcp",["HTTP"]]
+  ["192.168.4.1",22,"tcp",["SSH"]]
+  ["192.168.4.1",53,"tcp",["DNS"]]
+  ["192.168.4.1",123,"udp",["NTP"]]
+  ["192.168.4.50",49745,"tcp",[]]
+  ["192.168.4.158",4500,"udp",[]]
+  ["192.168.4.159",53032,"tcp",[]]
+  ["192.168.4.142",36807,"udp",[]]
+  ["192.168.4.1",53,"udp",["DNS"]]
+  ["192.168.4.149",8080,"tcp",["HTTP"]]
+  ["192.168.4.1",67,"udp",["DHCP"]]
+  ["192.168.4.43",64744,"tcp",[]]
+  ["192.168.4.43",52793,"tcp",[]]
+  ["192.168.4.29",52827,"tcp",[]]
+  ["192.168.4.43",64807,"tcp",[]]
+  ["192.168.4.43",64752,"tcp",[]]
+  ["192.168.4.149",3478,"udp",[]]
+
+Note how many of the services do not have names associated with them.
+
+:file:`software.log`
+====================
+
+Zeek’s :file:`software.log` collects details on applications operated by the
+hosts it sees on the local network. The log captures information like the
+following::
+
+  {
+    "ts": "2021-01-03T00:16:22.694616Z",
+    "host": "192.168.4.25",
+    "software_type": "HTTP::BROWSER",
+    "name": "Windows-Update-Agent",
+    "version.major": 10,
+    "version.minor": 0,
+    "version.minor2": 10011,
+    "version.minor3": 16384,
+    "version.addl": "Client",
+    "unparsed_version": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"
+  }
+
+It is amazing in 2021 that so many modern applications still use clear text
+protocols subject to collection and analysis by software like Zeek.
+
+Services beyond HTTP may also reveal interesting details. Consider these three
+entries::
+
+  ["192.168.4.1","SSH::SERVER","OpenSSH",6,6,1,null,"p1","OpenSSH_6.6.1p1 Debian-4~bpo70+1"]
+  ["192.168.4.37","SSH::CLIENT","OpenSSH",6,6,1,null,"p1","OpenSSH_6.6.1p1 Debian-4~bpo70+1"]
+  ["192.168.4.37","SSH::CLIENT","OpenSSH",7,6,null,null,"p1","OpenSSH_7.6p1"]
+
+These examples show an SSH server and two different SSH clients.
+
+Conclusion
+==========
+
+Details recorded in :file:`known_certs.log`, :file:`known_hosts.log`,
+:file:`known_services.log`, and :file:`software.log` files can help network and
+security analysts better understand the nature of the activity in their
+environment. Some of this information relies on capturing clear text, while
+other aspects are based solely on the presence of the services and hosts on the
+network.
diff --git a/doc/logs/ldap.rst b/doc/logs/ldap.rst
new file mode 100644
index 0000000000..d8e073a76b
--- /dev/null
+++ b/doc/logs/ldap.rst
@@ -0,0 +1,140 @@
+============================
+ldap.log and ldap_search.log
+============================
+
+.. versionadded:: 6.1
+
+The Lightweight Directory Access Protocol (LDAP) is a
+widely observed protocol commonly used for authenticating, directory lookups,
+centralizing organisational information and accessing client information on
+email servers. Accordingly, the protocol attracts significant attention from
+those with adversarial intention.
+
+
+LDAP Protocol Overview
+======================
+
+LDAP communicates using a client-server model. The LDAP server contains the
+directory information and the LDAP client performs operations against this
+information. This is a quick overview of how the protocol works:
+
+    Sessions: An LDAP session begins with a client connecting to an LDAP server,
+    optionally securing the connection with encryption, and then binding to the
+    server by providing credentials.
+
+    Queries: Clients search for entries in the LDAP directory using LDAP
+    queries, which consist of a base Distinguished Name (DN), a scope (such
+    as one level or the entire subtree), and a filter to match entries. Queries
+    are read only.
+
+    Operations: Clients with the correct privileges can perform a variety of
+    operations; in addition to search, they can add, delete or modify.
+
+    Data Format: LDAP data entries are formatted as records consisting of a
+    DN and a set of attributes. Each attribute has a name and one or more values.
+
+The LDAP analyzer outputs two LDAP related logs. :file:`ldap.log` contains
+details about the LDAP session except those related to searches.
+:file:`ldap_search.log` contains information related to LDAP searches.
+
+For details on every element of the :file:`ldap.log` and :file:`ldap_search.log`
+refer to :zeek:see:`LDAP::MessageInfo` and :zeek:see:`LDAP::SearchInfo`, respectively.
+Below is an inspection of the :file:`ldap.log` and :file:`ldap_search.log` in JSON format.
+
+:file:`ldap.log`
+================
+
+An example of an :file:`ldap.log`.
+
+.. code-block:: console
+
+    zeek@zeek-6.1:~ zeek -C LogAscii::use_json=T LDAP::default_log_search_attributes=T -r ldap-simpleauth.pcap
+    zeek@zeek-6.1:~ jq . ldap.log
+
+::
+
+    {
+      "ts": 1463256456.051759,
+      "uid": "ChD43F3guxAmJ5f2aj",
+      "id.orig_h": "10.0.0.1",
+      "id.orig_p": 25936,
+      "id.resp_h": "10.0.0.2",
+      "id.resp_p": 3268,
+      "message_id": 3,
+      "version": 3,
+      "opcode": "bind simple",
+      "result": "success",
+      "object": "CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,DC=xxx,DC=xxxxx,DC=net",
+      "argument": "REDACTED"
+    }
+
+
+:file:`ldap_search.log`
+=======================
+
+An example of an :file:`ldap_search.log`. Note the default for
+:zeek:see:`LDAP::default_log_search_attributes` is F, excluding attributes
+from the log.
+
+.. code-block:: console
+
+    zeek@zeek-6.1:~ zeek -C LogAscii::use_json=T LDAP::default_log_search_attributes=T -r ldap-simpleauth.pcap
+    zeek@zeek-6.1:~ jq . ldap_search.log
+
+::
+
+    {
+      "ts": 1463256456.047579,
+      "uid": "CAOF1l3FR8UzQ7mIb8",
+      "id.orig_h": "10.0.0.1",
+      "id.orig_p": 25936,
+      "id.resp_h": "10.0.0.2",
+      "id.resp_p": 3268,
+      "message_id": 2,
+      "scope": "tree",
+      "deref_aliases": "always",
+      "base_object": "DC=xx,DC=xxx,DC=xxxxx,DC=net",
+      "result_count": 1,
+      "result": "success",
+      "filter": "(&(objectclass=*)(sAMAccountName=xxxxxxxx))",
+      "attributes": [
+        "sAMAccountName"
+      ]
+    }
+
+
+StartTLS
+========
+
+.. versionadded:: 7.0
+
+Zeek's LDAP analyzer supports the
+`extended StartTLS <https://datatracker.ietf.org/doc/html/rfc4511#section-4.14>`_
+operation, handing off analysis to Zeek's TLS analyzer. The following shows an
+example :file:`ldap.log` entry for the StartTLS request.
+
+.. code-block:: console
+
+    $ zeek -C LogAscii::use_json=T -r ldap-starttls.pcap
+    $ jq < ldap.log
+    {
+      "ts": 1721218680.158341,
+      "uid": "CW0qzo9A3QsrCWL4k",
+      "id.orig_h": "127.0.0.1",
+      "id.orig_p": 45936,
+      "id.resp_h": "127.0.1.1",
+      "id.resp_p": 389,
+      "message_id": 1,
+      "opcode": "extended",
+      "result": "success",
+      "object": "1.3.6.1.4.1.1466.20037 (StartTLS)"
+    }
+
+The :file:`conn.log`'s history field will contain ``ssl`` and ``ldap`` in
+the ``service`` field.
+
+Conclusion
+==========
+
+The Zeek LDAP logs provide additional insights that help improve observability
+into this protocol.
diff --git a/doc/logs/ntp.rst b/doc/logs/ntp.rst
new file mode 100644
index 0000000000..73bd570280
--- /dev/null
+++ b/doc/logs/ntp.rst
@@ -0,0 +1,294 @@
+=======
+ntp.log
+=======
+
+Network Time Protocol (NTP) is another core protocol found in IP networks. NTP
+is a mechanism by which clients can adjust their local clocks to more closely
+match those of NTP servers. Many devices ship with NTP clients already
+configured to contact public NTP servers. Administrators can use Zeek logs to
+identify NTP clients and servers, and determine if they are operating as
+expected.
+
+As with all entries in this chapter, see :zeek:see:`NTP::Info` for full
+explanation of each field in the log.
+
+NTP via :program:`tcpdump`
+==========================
+
+NTP is a request-response protocol, as demonstrated by the following exchange
+decoded by :program:`tcpdump`::
+
+  00:29:07.927672 IP 192.168.4.49.38461 > 208.79.89.249.123: NTPv4, Client, length 48
+  00:29:07.995844 IP 208.79.89.249.123 > 192.168.4.49.38461: NTPv4, Server, length 48
+
+Using the verbose feature, we see the following details::
+
+  00:29:07.927672 IP (tos 0x10, ttl 64, id 3186, offset 0, flags [DF], proto UDP (17), length 76)
+      192.168.4.49.38461 > 208.79.89.249.123: [udp sum ok] NTPv4, length 48
+          Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
+          Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
+            Reference Timestamp:  0.000000000
+            Originator Timestamp: 0.000000000
+            Receive Timestamp:    0.000000000
+            Transmit Timestamp:   3811105747.215585991 (2020/10/08 00:29:07)
+              Originator - Receive Timestamp:  0.000000000
+              Originator - Transmit Timestamp: 3811105747.215585991 (2020/10/08 00:29:07)
+
+  00:29:07.995844 IP (tos 0x0, ttl 56, id 18045, offset 0, flags [DF], proto UDP (17), length 76)
+      208.79.89.249.123 > 192.168.4.49.38461: [udp sum ok] NTPv4, length 48
+          Server, Leap indicator:  (0), Stratum 2 (secondary reference), poll 3 (8s), precision -24
+          Root Delay: 0.009216, Root dispersion: 0.021224, Reference-ID: 127.67.113.92
+            Reference Timestamp:  3811105455.942204197 (2020/10/08 00:24:15)
+            Originator Timestamp: 3811105747.215585991 (2020/10/08 00:29:07)
+            Receive Timestamp:    3811105747.964280626 (2020/10/08 00:29:07)
+            Transmit Timestamp:   3811105747.964314032 (2020/10/08 00:29:07)
+              Originator - Receive Timestamp:  +0.748694635
+              Originator - Transmit Timestamp: +0.748728040
+
+A look at :rfc:`5905`, explaining NTPv4, helps us understand the timestamps
+shown in the decoded output::
+
+  LI Leap Indicator (leap): 2-bit integer warning of an impending leap second
+  to be inserted or deleted in the last minute of the current month with values
+  defined in Figure 9.
+
+             +-------+----------------------------------------+
+             | Value | Meaning                                |
+             +-------+----------------------------------------+
+             | 0     | no warning                             |
+             | 1     | last minute of the day has 61 seconds  |
+             | 2     | last minute of the day has 59 seconds  |
+             | 3     | unknown (clock unsynchronized)         |
+             +-------+----------------------------------------+
+
+                           Figure 9: Leap Indicator
+
+  VN Version Number (version): 3-bit integer representing the NTP version
+  number, currently 4.
+
+  Mode (mode): 3-bit integer representing the mode, with values defined in
+  Figure 10.
+
+                        +-------+--------------------------+
+                        | Value | Meaning                  |
+                        +-------+--------------------------+
+                        | 0     | reserved                 |
+                        | 1     | symmetric active         |
+                        | 2     | symmetric passive        |
+                        | 3     | client                   |
+                        | 4     | server                   |
+                        | 5     | broadcast                |
+                        | 6     | NTP control message      |
+                        | 7     | reserved for private use |
+                        +-------+--------------------------+
+
+                         Figure 10: Association Modes
+
+  Stratum (stratum): 8-bit integer representing the stratum, with values
+  defined in Figure 11.
+
+          +--------+-----------------------------------------------------+
+          | Value  | Meaning                                             |
+          +--------+-----------------------------------------------------+
+          | 0      | unspecified or invalid                              |
+          | 1      | primary server (e.g., equipped with a GPS receiver) |
+          | 2-15   | secondary server (via NTP)                          |
+          | 16     | unsynchronized                                      |
+          | 17-255 | reserved                                            |
+          +--------+-----------------------------------------------------+
+
+                           Figure 11: Packet Stratum
+
+  Poll: 8-bit signed integer representing the maximum interval between
+  successive messages, in log2 seconds.
+
+  Precision: 8-bit signed integer representing the precision of the system
+  clock, in log2 seconds. For instance, a value of -18 corresponds to a
+  precision of about one microsecond.
+
+  Root Delay (rootdelay): Total round-trip delay to the reference clock, in NTP
+  short format.
+
+  Root Dispersion (rootdisp): Total dispersion to the reference clock, in NTP
+  short format.
+
+  Reference ID (refid): 32-bit code identifying the particular server or
+  reference clock.
+
+  Reference Timestamp: Time when the system clock was last set or corrected, in
+  NTP timestamp format.
+
+  Origin Timestamp (org): Time at the client when the request departed for the
+  server, in NTP timestamp format.
+
+  Receive Timestamp (rec): Time at the server when the request arrived from the
+  client, in NTP timestamp format.
+
+  Transmit Timestamp (xmt): Time at the server when the response left for the
+  client, in NTP timestamp format.
+
+  Destination Timestamp (dst): Time at the client when the reply arrived from
+  the server, in NTP timestamp format.
+
+It makes sense that the reference, originator, and receive timestamps would be
+zero in the client request, but non-zero in the server reply.
+
+NTP via :program:`tcpdump` and :program:`tshark`
+================================================
+
+Let’s look at :program:`tshark`’s decode for the NTP-specific data, to see if
+:program:`tcpdump` missed anything::
+
+  Client to server:
+
+  Network Time Protocol (NTP Version 4, client)
+      Flags: 0x23, Leap Indicator: no warning, Version number: NTP Version 4, Mode: client
+          00.. .... = Leap Indicator: no warning (0)
+          ..10 0... = Version number: NTP Version 4 (4)
+          .... .011 = Mode: client (3)
+      Peer Clock Stratum: unspecified or invalid (0)
+      Peer Polling Interval: invalid (0)
+      Peer Clock Precision: 1.000000 sec
+      Root Delay: 0 seconds
+      Root Dispersion: 0 seconds
+      Reference ID: NULL
+      Reference Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
+      Origin Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
+      Receive Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
+      Transmit Timestamp: Oct  8, 2020 00:29:07.215585991 UTC
+
+  Server to client:
+
+  Network Time Protocol (NTP Version 4, server)
+      Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server
+          00.. .... = Leap Indicator: no warning (0)
+          ..10 0... = Version number: NTP Version 4 (4)
+          .... .100 = Mode: server (4)
+      Peer Clock Stratum: secondary reference (2)
+      Peer Polling Interval: invalid (3)
+      Peer Clock Precision: 0.000000 sec
+      Root Delay: 0.00921630859375 seconds
+      Root Dispersion: 0.0212249755859375 seconds
+      Reference ID: 127.67.113.92
+      Reference Timestamp: Oct  8, 2020 00:24:15.942204197 UTC
+      Origin Timestamp: Oct  8, 2020 00:29:07.215585991 UTC
+      Receive Timestamp: Oct  8, 2020 00:29:07.964280626 UTC
+      Transmit Timestamp: Oct  8, 2020 00:29:07.964314032 UTC
+
+It does not appear that :program:`tshark` reveals any details that
+:program:`tcpdump` did not. One difference is that for the client reference,
+origin, and receive timestamps, Tshark renders the 0 values as the Unix epoch,
+i.e., ``Jan  1, 1970 00:00:00.000000000 UTC``.
+
+NTP via Zeek
+============
+
+Here is how Zeek summarizes this NTP activity:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-10-08T00:29:07.977170Z",
+    "uid": "CqlPpF1AQVLMPgGiL5",
+    "id.orig_h": "192.168.4.49",
+    "id.orig_p": 38461,
+    "id.resp_h": "208.79.89.249",
+    "id.resp_p": 123,
+    "version": 4,
+    **"mode": 3,**
+    "stratum": 0,
+    "poll": 1,
+    "precision": 1,
+    "root_delay": 0,
+    "root_disp": 0,
+    "ref_id": "\\x00\\x00\\x00\\x00",
+    "ref_time": "1970-01-01T00:00:00.000000Z",
+    "org_time": "1970-01-01T00:00:00.000000Z",
+    "rec_time": "1970-01-01T00:00:00.000000Z",
+    "xmt_time": "2020-10-08T00:29:07.215586Z",
+    "num_exts": 0
+  }
+
+  {
+    "ts": "2020-10-08T00:29:08.081209Z",
+    "uid": "CqlPpF1AQVLMPgGiL5",
+    "id.orig_h": "192.168.4.49",
+    "id.orig_p": 38461,
+    "id.resp_h": "208.79.89.249",
+    "id.resp_p": 123,
+    "version": 4,
+    **"mode": 4,**
+    "stratum": 2,
+    "poll": 8,
+    "precision": 5.960464477539063e-08,
+    "root_delay": 0.00921630859375,
+    "root_disp": 0.0212249755859375,
+    "ref_id": "127.67.113.92",
+    "ref_time": "2020-10-08T00:24:15.942204Z",
+    "org_time": "2020-10-08T00:29:07.215586Z",
+    "rec_time": "2020-10-08T00:29:07.964281Z",
+    "xmt_time": "2020-10-08T00:29:07.964314Z",
+    "num_exts": 0
+  }
+
+By looking at the mode field in each log, we see that the first entry is a NTP
+client request (mode 3), and the second is the server’s reply (mode 4).
+
+These log entries make an interesting comparison with those for DHCP. Zeek’s
+DHCP logs seek to summarize potentially up to four individual datagrams (for
+the DORA exchange) into one log entry. In contrast, Zeek’s NTP logs create an
+entry for each NTP message.
+
+Identifying NTP Servers
+=======================
+
+As with DHCP servers, Zeek can help identify NTP servers used by clients. The
+following query shows a subset of systems and the NTP servers they have
+queried:
+
+.. code-block:: console
+
+  $ find . -name "ntp**.gz" | while read -r file; do zcat -f "$file"; done | jq -c '[."id.orig_h", ."id.resp_h"]' | sort | uniq -c | sort -nr | head -10
+
+::
+
+    570 ["192.168.4.48","193.0.0.229"]
+    271 ["192.168.4.76","91.189.91.157"]
+    271 ["192.168.4.76","216.229.0.50"]
+    270 ["192.168.4.76","74.6.168.73"]
+    270 ["192.168.4.76","72.30.35.88"]
+    270 ["192.168.4.76","38.229.71.1"]
+    216 ["192.168.4.149","84.16.73.33"]
+    206 ["192.168.4.48","50.205.244.21"]
+    164 ["192.168.4.57","216.239.35.12"]
+    162 ["192.168.4.57","216.239.35.8"]
+
+The following query summarizes only the NTP servers seen by Zeek:
+
+.. code-block:: console
+
+  $ find . -name "ntp**.gz" | while read -r file; do zcat -f "$file"; done | jq -c '[."id.resp_h"]' | sort | uniq -c | sort -nr | head -10
+
+::
+
+    570 ["193.0.0.229"]
+    470 ["17.253.20.253"]
+    468 ["17.253.20.125"]
+    357 ["91.189.91.157"]
+    287 ["216.229.0.50"]
+    286 ["74.6.168.73"]
+    276 ["72.30.35.88"]
+    270 ["38.229.71.1"]
+    221 ["84.16.73.33"]
+    206 ["50.205.244.21"]
+
+Security and network administrators can use queries like this to identify
+systems that are polling unauthorized NTP servers.
+
+Conclusion
+==========
+
+NTP is an important protocol for modern network administration. Without
+accurate clocks, many systems will not be able to complete cryptographic
+exchanges. Be sure systems are kept up to date using the NTP servers you expect
+them to query.
diff --git a/doc/logs/pe.rst b/doc/logs/pe.rst
new file mode 100644
index 0000000000..9c4f4090a6
--- /dev/null
+++ b/doc/logs/pe.rst
@@ -0,0 +1,506 @@
+======
+pe.log
+======
+
+Earlier we looked at the data provided by Zeek’s :file:`files.log`. In this
+section we will take a step further for one type of log -- Zeek’s
+:file:`pe.log`. In this instance, “pe” stands for portable executable, a format
+associated with Microsoft binaries.
+
+For more details on the specifics of the format, please refer to
+:zeek:see:`PE::Info`.
+
+Starting with :file:`conn.log`
+==============================
+
+This example starts with the :file:`conn.log`. It’s not strictly necessary to
+explain the :file:`pe.log`, although I wanted to include a recent example
+of a modern application conducting activities via HTTP.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-23T00:24:31.210053Z",
+    "uid": "Cq2b9jR12c4lqZafg",
+    **"id.orig_h": "192.168.4.152",**
+    "id.orig_p": 59125,
+    **"id.resp_h": "63.88.73.83",**
+    **"id.resp_p": 80,**
+    "proto": "tcp",
+    **"service": "http",**
+    "duration": 25.614583015441895,
+    "orig_bytes": 5753,
+    "resp_bytes": 1975717,
+    "conn_state": "SF",
+    "local_orig": true,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "history": "ShADadttFf",
+    "orig_pkts": 521,
+    "orig_ip_bytes": 29041,
+    "resp_pkts": 1367,
+    "resp_ip_bytes": 2030409,
+    "ip_proto": 6
+  }
+
+This example shows a host, ``192.168.4.152``, conducting a HTTP session with
+``63.88.73.83`` over port 80 TCP. The server sends 2 MB of content to the
+client.
+
+Continuing with :file:`http.log`
+================================
+
+The :file:`http.log` entries associated with UID ``Cq2b9jR12c4lqZafg`` are
+fascinating. There are multiple entries. I have reproduced a sample of them
+below.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-23T00:24:31.235201Z",
+    "uid": "Cq2b9jR12c4lqZafg",
+    **"id.orig_h": "192.168.4.152",**
+    "id.orig_p": 59125,
+    **"id.resp_h": "63.88.73.83",**
+    **"id.resp_p": 80,**
+    "trans_depth": 1,
+    **"method": "HEAD",**
+    **"host": "r8---sn-8xgp1vo-p5ql.gvt1.com",**
+    **"uri": "/edgedl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe?cms_redirect=yes&mh=t-&mip=-public-ip-edited-&mm=28&mn=sn-8xgp1vo-p5ql&ms=nvh&mt=1600820539&mv=m&mvi=8&pl=19&shardbypass=yes",**
+    "version": "1.1",
+    **"user_agent": "Microsoft BITS/7.8",**
+    "request_body_len": 0,
+    "response_body_len": 0,
+    **"status_code": 200,**
+    **"status_msg": "OK",**
+    "tags": []
+  }
+
+The first entry shown above provides details on a HEAD request for a binary
+titled ``85.0.4183.121_85.0.4183.102_chrome_updater.exe``. The user agent is
+the Microsoft Background Intelligent Transfer Service (BITS). The server
+responses with a successful message, 200 OK. Note that I have inserted
+``-public-ip-edited-`` in the URI rather than expose the public IP address of
+the system requesting this file.
+
+The fact that the BITS client provides the public IP address in the URI
+indicates that either the server is sending this information to the client, or
+that the client is requesting this information from an Internet-residing
+system. There is no native way for this client to know its public IP address
+when it is sitting behind a network address (port) translation device.
+
+This aspect of the URI could help administrators better understand their
+networks, as it can sometimes be difficult to map private IP addresses (like
+``192.168.4.152``) to their public representations (here
+``-public-ip-edited-``).
+
+Also note the value for the host field showing
+``r8---sn-8xgp1vo-p5ql.gvt1.com``. I resolved the odd name to see the
+following:
+
+.. code-block:: console
+
+  $ host r8---sn-8xgp1vo-p5ql.gvt1.com
+
+::
+
+  r8---sn-8xgp1vo-p5ql.gvt1.com is an alias for r8.sn-8xgp1vo-p5ql.gvt1.com.
+  r8.sn-8xgp1vo-p5ql.gvt1.com has address 63.88.73.83
+  r8.sn-8xgp1vo-p5ql.gvt1.com has IPv6 address 2600:803:f00:1::13
+
+Let’s look at the next :file:`http.log` entry.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-23T00:24:31.334435Z",
+    "uid": "Cq2b9jR12c4lqZafg",
+    **"id.orig_h": "192.168.4.152",**
+    "id.orig_p": 59125,
+    **"id.resp_h": "63.88.73.83",**
+    **"id.resp_p": 80,**
+    "trans_depth": 2,
+    **"method": "GET",**
+    **"host": "r8---sn-8xgp1vo-p5ql.gvt1.com",**
+    **"uri": "/edgedl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe?cms_redirect=yes&mh=t-&mip=-public-ip-edited-&mm=28&mn=sn-8xgp1vo-p5ql&ms=nvh&mt=1600820539&mv=m&mvi=8&pl=19&shardbypass=yes",**
+    "version": "1.1",
+    **"user_agent": "Microsoft BITS/7.8",**
+    "request_body_len": 0,
+    "response_body_len": 1392,
+    **"status_code": 206,**
+    **"status_msg": "Partial Content",**
+    "tags": [],
+    "resp_fuids": [
+      **"FGYKX64SkXc4OcvlFf"**
+    ]
+  }
+
+In the previous :file:`http.log` entry we see that the BITS client has made a
+GET request for the same file. The server is providing it via “partial
+content”, represented by the 206 status code.
+
+Also note we now have a file UID present in the :file:`http.log`:
+``FGYKX64SkXc4OcvlFf``.
+
+The next :file:`http.log` entry is similar, although the amount of data sent is
+different.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-23T00:24:35.247333Z",
+    "uid": "Cq2b9jR12c4lqZafg",
+    "id.orig_h": "192.168.4.152",
+    "id.orig_p": 59125,
+    "id.resp_h": "63.88.73.83",
+    "id.resp_p": 80,
+    "trans_depth": 3,
+    "method": "GET",
+    "host": "r8---sn-8xgp1vo-p5ql.gvt1.com",
+    "uri": "/edgedl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe?cms_redirect=yes&mh=t-&mip=-public-ip-edited-&mm=28&mn=sn-8xgp1vo-p5ql&ms=nvh&mt=1600820539&mv=m&mvi=8&pl=19&shardbypass=yes",
+    "version": "1.1",
+    "user_agent": "Microsoft BITS/7.8",
+    "request_body_len": 0,
+    **"response_body_len": 1995,**
+    "status_code": 206,
+    "status_msg": "Partial Content",
+    "tags": []
+  }
+
+I have removed the half a dozen or so intervening messages as they are very
+similar to the preceding entries. I include the last one for reference. It is
+similar to the previous entries, although the response body length shows much
+more data was sent.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-23T00:24:46.547359Z",
+    "uid": "Cq2b9jR12c4lqZafg",
+    "id.orig_h": "192.168.4.152",
+    "id.orig_p": 59125,
+    "id.resp_h": "63.88.73.83",
+    "id.resp_p": 80,
+    "trans_depth": 12,
+    "method": "GET",
+    "host": "r8---sn-8xgp1vo-p5ql.gvt1.com",
+    "uri": "/edgedl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe?cms_redirect=yes&mh=t-&mip=-public-ip-edited-&mm=28&mn=sn-8xgp1vo-p5ql&ms=nvh&mt=1600820539&mv=m&mvi=8&pl=19&shardbypass=yes",
+    "version": "1.1",
+    "user_agent": "Microsoft BITS/7.8",
+    "request_body_len": 0,
+    **"response_body_len": 652148,**
+    "status_code": 206,
+    "status_msg": "Partial Content",
+    "tags": []
+  }
+
+That concludes the relevant :file:`http.log` entries. Using the file UID we can
+search the :file:`files.log` next.
+
+Continuing with :file:`files.log`
+=================================
+
+The relevant :file:`files.log` entry contains the following:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-23T00:24:31.334435Z",
+    "fuid": "FGYKX64SkXc4OcvlFf",
+    "uid": "Cq2b9jR12c4lqZafg",
+    "id.orig_h": "192.168.4.152",
+    "id.orig_p": 59125,
+    "id.resp_h": "63.88.73.83",
+    "id.resp_p": 80,
+    **"source": "HTTP",**
+    "depth": 0,
+    "analyzers": [
+      "MD5",
+      **"PE",**
+      "SHA1",
+      "EXTRACT"
+    ],
+    **"mime_type": "application/x-dosexec",**
+    "duration": 15.468528032302856,
+    "local_orig": false,
+    "is_orig": false,
+    "seen_bytes": 1967360,
+    "total_bytes": 1967360,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false,
+    **"md5": "a5843bd951f148e99b7265e5bd159fb7",**
+    "sha1": "fc8b8deb5b34fec1f3f094e579667b2bddee0b21",
+    **"extracted": "/nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe",**
+    "extracted_cutoff": false
+  }
+
+This :file:`files.log` entry shows that the content returned by the BITS server
+included a Windows executable. Zeek calculates MD5 and SHA1 hashes, and also
+shows the location on disk for the extracted file.
+
+Do you remember a similar entry from the Zeek documentation on
+:file:`files.log`?
+
+::
+
+  "analyzers": [
+      "EXTRACT",
+      "PE"
+    ],
+
+In that example, we have active extract and PE analyzers.
+
+In the current :file:`files.log`, we have additional analyzers present:
+
+.. literal-emph::
+
+  "analyzers": [
+    "MD5",
+    **"PE",**
+    "SHA1",
+    "EXTRACT"
+  ],
+
+Thanks to these analyzers, we have the MD5 and SHA1 hashes, along with a
+:file:`pe.log` entry and an extracted file.
+
+Continuing with :file:`pe.log`
+==============================
+
+Finally we come to the :file:`pe.log`. We are able to connect it with the
+appropriate activity using the file UID ``FGYKX64SkXc4OcvlFf``.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-23T00:24:36.395445Z",
+    **"id": "FGYKX64SkXc4OcvlFf",**
+    "machine": "AMD64",
+    **"compile_ts": "2020-09-19T00:10:08.000000Z",**
+    **"os": "Windows XP x64 or Server 2003",**
+    **"subsystem": "WINDOWS_GUI",**
+    **"is_exe": true,**
+    **"is_64bit": true,**
+    "uses_aslr": true,
+    "uses_dep": true,
+    "uses_code_integrity": false,
+    "uses_seh": true,
+    "has_import_table": true,
+    "has_export_table": false,
+    "has_cert_table": true,
+    "has_debug_data": true,
+    "section_names": [
+      ".text",
+      ".rdata",
+      ".data",
+      ".pdata",
+      ".00cfg",
+      ".rsrc",
+      ".reloc"
+    ]
+  }
+
+The compile time is one of the more interesting details for analysts. This is a
+freshly compiled Windows executable.
+
+Reviewing the Extracted Binary
+==============================
+
+As we did in the :file:`files.log` documentation, we can analyze our extracted
+file using the command line version of VirusTotal.
+
+Here is the extracted file on disk. Notice the filename includes the file UID
+calculated by Zeek, i.e., ``FGYKX64SkXc4OcvlFf``.
+
+.. code-block:: console
+
+  $ file /nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe
+
+::
+
+  /nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe: PE32+ executable (GUI) x86-64, for MS Windows
+
+We use the Linux :program:`md5sum` utility to calculate the MD5 hash.
+
+.. code-block:: console
+
+  $ md5sum /nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe
+
+::
+
+  a5843bd951f148e99b7265e5bd159fb7  /nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe
+
+Note the MD5 hash matches the one provided by Zeek in the :file:`files.log`
+entry.
+
+Next we submit the hash, not the binary, to VirusTotal for analysis. Whenever
+possible, submit hashes to cloud file analysis engines. This preserves the
+confidentiality of your sample.
+
+The output is edited for readability.
+
+.. code-block:: console
+
+  $ vt file a5843bd951f148e99b7265e5bd159fb7
+
+.. literal-emph::
+
+  - _id: "14a1b9947b77174244a6f6bfd2cd7e1b1c860a09b3b5d74f07b81e45b5548de4"
+    _type: "file"
+    authentihash: "a4a6a1011bb3e33af37a1dce19bd41b72d5360dc4175d570ec7260d1d9815747"
+    **creation_date: 1600474208  # 2020-09-19 00:10:08 +0000 UTC**
+    **first_submission_date: 1600711798  # 2020-09-21 18:09:58 +0000 UTC**
+    **last_analysis_date: 1600840562  # 2020-09-23 05:56:02 +0000 UTC**
+    last_analysis_results:
+      ALYac:
+        category: "undetected"
+        engine_name: "ALYac"
+        engine_update: "20200923"
+        engine_version: "1.1.1.5"
+        method: "blacklist"
+     ...edited...
+      eGambit:
+        category: "undetected"
+        engine_name: "eGambit"
+        engine_update: "20200923"
+        method: "blacklist"
+    last_analysis_stats:
+      confirmed-timeout: 0
+      failure: 0
+      harmless: 0
+      malicious: 0
+      suspicious: 0
+      timeout: 0
+      type-unsupported: 4
+      undetected: 69
+    last_modification_date: 1600878930  # 2020-09-23 16:35:30 +0000 UTC
+    last_submission_date: 1600830769  # 2020-09-23 03:12:49 +0000 UTC
+    magic: "PE32+ executable for MS Windows (GUI) Mono/.Net assembly"
+    md5: "a5843bd951f148e99b7265e5bd159fb7"
+    **meaningful_name: "mini_installer"**
+    names:
+    **- "85.0.4183.121_85.0.4183.102_chrome_updater.exe"**
+    - "mini_installer"
+    **- "HTTP-FjcOYuaXbbQFV1cJj.exe"**
+    pe_info:
+      entry_point: 4096
+      imphash: "ec06ab323a50409817b4a6a54b98f157"
+      import_list:
+      - imported_functions:
+        - "CommandLineToArgvW"
+        library_name: "SHELL32.dll"
+      - imported_functions:
+        - "GetLastError"
+        - "GetVolumePathNameW"
+     ...edited...
+        - "GetEnvironmentVariableW"
+        library_name: "KERNEL32.dll"
+      machine_type: 34404
+      overlay:
+        chi2: 1124223.375
+        entropy: 4.492208003997803
+        filetype: "binary Computer Graphics Metafile"
+        md5: "ddc7adbbc3760a81d8510e57fedbe055"
+        offset: 1951232
+        size: 16128
+      resource_details:
+      - chi2: 286.0988464355469
+        entropy: 7.999892711639404
+        filetype: "Data"
+        lang: "ENGLISH US"
+        sha256: "133ccfebc6cebb05333ed1677bb419716a8ad00b39417f2f4fa6ee45bdbb92df"
+        type: "B7"
+    ...edited...
+      timestamp: 1600474208
+    reputation: 0
+    sha1: "fc8b8deb5b34fec1f3f094e579667b2bddee0b21"
+    sha256: "14a1b9947b77174244a6f6bfd2cd7e1b1c860a09b3b5d74f07b81e45b5548de4"
+    signature_info:
+      copyright: "Copyright 2020 Google LLC. All rights reserved."
+      counter signers: "TIMESTAMP-SHA256-2019-10-15; DigiCert SHA2 Assured ID Timestamping CA; DigiCert"
+      counter signers details:
+      - algorithm: "sha256RSA"
+        cert issuer: "DigiCert SHA2 Assured ID Timestamping CA"
+        name: "TIMESTAMP-SHA256-2019-10-15"
+        serial number: "04 CD 3F 85 68 AE 76 C6 1B B0 FE 71 60 CC A7 6D"
+        status: "Valid"
+        thumbprint: "0325BD505EDA96302DC22F4FA01E4C28BE2834C5"
+        valid from: "12:00 AM 10/01/2019"
+        valid to: "12:00 AM 10/17/2030"
+        valid usage: "Timestamp Signing"
+      - algorithm: "sha256RSA"
+        cert issuer: "DigiCert Assured ID Root CA"
+        name: "DigiCert SHA2 Assured ID Timestamping CA"
+        serial number: "0A A1 25 D6 D6 32 1B 7E 41 E4 05 DA 36 97 C2 15"
+        status: "Valid"
+        thumbprint: "3BA63A6E4841355772DEBEF9CDCF4D5AF353A297"
+        valid from: "12:00 PM 01/07/2016"
+        valid to: "12:00 PM 01/07/2031"
+        valid usage: "Timestamp Signing"
+      - algorithm: "sha1RSA"
+        cert issuer: "DigiCert Assured ID Root CA"
+        name: "DigiCert"
+        serial number: "0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39"
+        status: "Valid"
+        thumbprint: "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
+        valid from: "12:00 AM 11/10/2006"
+        valid to: "12:00 AM 11/10/2031"
+        valid usage: "Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing"
+      **description: "Google Chrome Installer"**
+      **file version: "85.0.4183.121"**
+      **internal name: "mini_installer"**
+      **product: "Google Chrome Installer"**
+      signers: "Google LLC; DigiCert SHA2 Assured ID Code Signing CA; DigiCert"
+      signers details:
+      - algorithm: "sha256RSA"
+        cert issuer: "DigiCert SHA2 Assured ID Code Signing CA"
+        name: "Google LLC"
+        serial number: "0C 15 BE 4A 15 BB 09 03 C9 01 B1 D6 C2 65 30 2F"
+        status: "Valid"
+        thumbprint: "CB7E84887F3C6015FE7EDFB4F8F36DF7DC10590E"
+        valid from: "12:00 AM 11/07/2018"
+        valid to: "12:00 PM 11/17/2021"
+        valid usage: "Code Signing"
+      ...edited...
+    ssdeep: "49152:zS2WLLoAgkZlbpkJDy5KrwM4wN9UT90hZv6AFV56vt9IWA:m2WvgSbpkFAKrwMpTZJV5kgW"
+    tags:
+    - "peexe"
+    - "assembly"
+    - "overlay"
+    - "runtime-modules"
+    - "signed"
+    - "64bits"
+    - "trusted"
+    times_submitted: 2
+    total_votes:
+      harmless: 0
+      malicious: 0
+    trid:
+    - file_type: "OS/2 Executable (generic)"
+      probability: 33.6
+    - file_type: "Generic Win/DOS Executable"
+      probability: 33.1
+    - file_type: "DOS Executable Generic"
+      probability: 33.1
+    **trusted_verdict:**
+      **filename: "85.0.4183.121_85.0.4183.102_chrome_updater.exe"**
+      **link: "https://dl.google.com/dl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe"**
+      **organization: "Google"**
+      **verdict: "goodware"**
+    type_description: "Win32 EXE"
+    type_tag: "peexe"
+    unique_sources: 2
+    vhash: "016076651d151515751az36hz1lz"
+
+This file appears to be a component of the Google Chrome Installer. It is not
+malicious software.
+
+Conclusion
+==========
+
+Although the :file:`pe.log` was only part of this section, I wanted to show an
+integrated set of Zeek logs for this example, beginning with the
+:file:`conn.log`, continuing with the :file:`http.log` and :file:`files.log`,
+and concluding with the :file:`pe.log`.  This is recent activity and shows that
+modern software still uses HTTP in some cases!
diff --git a/doc/logs/postgresql.rst b/doc/logs/postgresql.rst
new file mode 100644
index 0000000000..6477c01809
--- /dev/null
+++ b/doc/logs/postgresql.rst
@@ -0,0 +1,97 @@
+.. _PostgreSQL protocol: https://www.postgresql.org/docs/current/protocol.html
+
+==============
+postgresql.log
+==============
+
+.. versionadded:: 7.1
+
+Overview
+========
+
+Zeek contains a basic spicy-based `PostgreSQL protocol`_ analyzer.
+
+Example
+=======
+
+An example of :file:`postgresql.log`.
+
+.. code-block:: console
+
+    $ zeek -C LogAscii::use_json=T -r psql-create-insert-select-delete-drop.pcap
+    $ jq < postgresql.log
+    {
+      "ts": 1725368066.79174,
+      "uid": "C68Wxi3EStaTmxaUVl",
+      "id.orig_h": "127.0.0.1",
+      "id.orig_p": 40190,
+      "id.resp_h": "127.0.0.1",
+      "id.resp_p": 5432,
+      "user": "postgres",
+      "database": "postgres",
+      "application_name": "psql",
+      "frontend": "simple_query",
+      "frontend_arg": "CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time);",
+      "success": true,
+      "rows": 0
+    }
+    {
+      "ts": 1725368066.80694,
+      "uid": "C68Wxi3EStaTmxaUVl",
+      "id.orig_h": "127.0.0.1",
+      "id.orig_p": 40190,
+      "id.resp_h": "127.0.0.1",
+      "id.resp_p": 5432,
+      "user": "postgres",
+      "database": "postgres",
+      "application_name": "psql",
+      "frontend": "simple_query",
+      "frontend_arg": "INSERT INTO t VALUES (42, 'forty-two', now());",
+      "success": true,
+      "rows": 0
+    }
+
+
+:zeek:see:`PostgreSQL::Info` provides further details about the current output of the
+:file:`postgresql.log`.
+
+TLS
+===
+
+The PostgreSQL protocol provides a mechanism to upgrade client-server connections
+to TLS. The analyzer detects this mechanism and hands off analysis to Zeek's
+TLS analyzer. The :file:`postgresql.log` and :file:`conn.log` files will look
+as follows:
+
+.. code-block:: console
+
+    $ zeek -C LogAscii::use_json=T -r testing/btest/Traces/postgresql/psql-aws-ssl-preferred.pcap
+    $ jq < postgresql.log
+    {
+      "ts": 1670520068.267888,
+      "uid": "CAcbxM1ou0N1V2cGpe",
+      "id.orig_h": "192.168.123.132",
+      "id.orig_p": 39910,
+      "id.resp_h": "52.200.36.167",
+      "id.resp_p": 5432,
+      "frontend": "ssl_request",
+      "backend": "ssl_reply",
+      "backend_arg": "S",
+      "success": true
+    }
+
+    $ jq < conn.log
+    {
+      "ts": 1670520068.15752,
+      "uid": "CAcbxM1ou0N1V2cGpe",
+      "id.orig_h": "192.168.123.132",
+      "id.orig_p": 39910,
+      "id.resp_h": "52.200.36.167",
+      "id.resp_p": 5432,
+      "proto": "tcp",
+      "service": "postgresql,ssl",
+      "duration": 0.931433916091919,
+      "orig_bytes": 786,
+      "resp_bytes": 4542,
+      ...
+    }
diff --git a/doc/logs/quic.rst b/doc/logs/quic.rst
new file mode 100644
index 0000000000..4bcd21ea3c
--- /dev/null
+++ b/doc/logs/quic.rst
@@ -0,0 +1,88 @@
+========
+quic.log
+========
+
+.. versionadded:: 6.1
+
+Overview
+========
+
+The QUIC protocol integrates encryption, stream multiplexing and flow control at
+the transport layer. QUIC uses TLS 1.3 by default. Zeek's QUIC analyzer
+provides greater observability into the protocol's TLS handshake.
+
+
+Example
+=======
+
+An example of a :file:`quic.log`.
+
+.. code-block:: console
+
+    zeek@zeek-6.1:~ zeek -C LogAscii::use_json=T -r chromium-115.0.5790.110-api-cirrus-com.pcap
+    zeek@zeek-6.1:~ jq . quic.log
+
+::
+
+  {
+    "ts": 1692198386.837988,
+    "uid": "CA482y1XJVd3d0RYI7",
+    "id.orig_h": "82.239.54.117",
+    "id.orig_p": 53727,
+    "id.resp_h": "110.213.53.115",
+    "id.resp_p": 443,
+    "version": "1",
+    "client_initial_dcid": "95412c47018cdfe8",
+    "server_scid": "d5412c47018cdfe8",
+    "server_name": "api.cirrus-ci.com",
+    "client_protocol": "h3",
+    "history": "ISisH"
+  }
+
+
+:zeek:see:`QUIC::Info` provides further details on the current output of the
+:file:`quic.log`. Current fields include:
+
+- **version**: A string interpretation of the QUIC version number, usually "1"
+  or "quicv2".
+
+- **client_initial_dcid**: When QUIC initiates a connection it uses Random
+  Number Generators to create the first Destination Connection ID (DCID). This
+  DCID is subsequently used for routing and packet protection by client and
+  server.
+
+- **server_scid**: A QUIC-supported server responds to a DCID by selecting a
+  Source Connection ID (SCID). This usually occurs within the server’s first
+  ``INITIAL`` packet. This is typically used by the client in subsequent
+  packets, although the SCID can change to adapt to new network conditions.
+
+- **client_protocol**: If the ``ClientHello`` packet is successfully extracted
+  and contains the ALPN extension, the extension's first entry is placed in
+  ``client_protocol``.
+
+- **history**: Provides a history of QUIC protocol activity in a connection,
+  similar to the history fields in conn.log and ssh.log. See the
+  :zeek:see:`QUIC::Info` documentation for details. In the example above,
+  the history outlines:
+
+    + An initial packet from the client (I) - a new connection
+
+    + An TLS ``ClientHello`` from the client (S) - the start of a
+      TLS handshake
+
+    + An initial packet from the server (i) - an acknowledgement
+      from the server of the new connection
+
+    + A TLS ServerHello response from the server (s) - the
+      selection of a cipher suite from the options provided by the
+      client
+
+    + A handshake packet from the client (H)
+
+
+Conclusion
+==========
+
+The QUIC analyzer provides some observability into QUIC network traffic,
+particularly around connection establishment. Introduced in version 6.1, it's
+one of Zeek's newer parsers, so feedback is particularly welcome.
diff --git a/doc/logs/rdp.rst b/doc/logs/rdp.rst
new file mode 100644
index 0000000000..cfe17bf0ab
--- /dev/null
+++ b/doc/logs/rdp.rst
@@ -0,0 +1,216 @@
+=======
+rdp.log
+=======
+
+Remote Desktop Protocol (RDP) is a protocol Microsoft developed to enable
+remote graphical communication. RDP implementations exist for other operating
+systems, but RDP is most popular on systems running Windows NT 4.0 and newer.
+
+Older versions of RDP are unencrypted, while newer versions offer SSL and TLS
+encryption.
+
+Standard RDP servers listen on port 3389 TCP. Administrators can configure the
+service to listen on any port, however. The following material investigates the
+process by which a simulated intruder gains access to a system via RDP. First
+he makes many connections to the RDP server, testing usernames and passwords.
+Following the correct guessing of a username and password, he connects and
+briefly interacts with the system offering access via RDP.
+
+For full details on each field in the :file:`rdp.log` file, please refer to
+:zeek:see:`RDP::Info`.
+
+:file:`conn.log`
+================
+
+Let’s start with the :file:`conn.log` for the activity in question. I’ve broken
+it into two sets of activities. The first is the reconnaissance and the second
+is the interactive session.
+
+I’ve summarized the first set of :file:`conn.log` entries using the following syntax:
+
+.. code-block:: console
+
+  $ jq -c '[."id.orig_h", ."id.resp_h", ."id.resp_p", ."service", ."orig_bytes", ."resp_bytes"]' conn.log | sort | uniq -c
+
+::
+
+     38 ["192.168.4.160","192.168.4.161",3389,"ssl",1392,1238]
+      1 ["192.168.4.160","192.168.4.161",3389,"ssl",3365,4855]
+
+We see 38 sessions which contain the same number of bytes sent and received by
+the client and server, and 1 session which contains a different number of
+bytes. That could indicate a successful connection. Port 3389 TCP is the
+destination, but remember that any TCP port could host a RDP server. Also note
+Zeek reports the service as SSL, because this RDP session is encrypted by TLS.
+
+The second set of :file:`conn.log` entries contains the following session:
+
+.. literal-emph::
+
+  {
+    "ts": 1607353272.790635,
+    "uid": "CFdEZNjN5MtPzGMS8",
+    **"id.orig_h": "192.168.4.160",**
+    "id.orig_p": 59758,
+    **"id.resp_h": "192.168.4.161",**
+    **"id.resp_p": 3389,**
+    "proto": "tcp",
+    **"service": "ssl",**
+    "duration": 109.49137687683105,
+    **"orig_bytes": 66747,**
+    **"resp_bytes": 1823511,**
+    "conn_state": "RSTR",
+    "missed_bytes": 0,
+    "history": "ShADdaFr",
+    "orig_pkts": 2913,
+    "orig_ip_bytes": 183287,
+    "resp_pkts": 2250,
+    "resp_ip_bytes": 1913523
+  }
+
+This activity is similar to the previous, except that the client and server
+have sent many more bytes of data.
+
+:file:`rdp.log`
+===============
+
+The following syntax summarizes the relevant content in the first set of Zeek
+:file:`rdp.log` entries, caused by the simulated intruder’s RDP reconnaissance:
+
+.. code-block:: console
+
+  $ jq -c '[."id.orig_h", ."id.resp_h", ."id.resp_p", ."cookie", ."result", ."security_protocol", ."cert_count"]' rdp.log | sort | uniq -c
+
+::
+
+     39 ["192.168.4.160","192.168.4.161",3389,"test","encrypted","HYBRID",0]
+
+There is nothing in these logs to indicate whether the session was successful
+or not. However, Zeek was able to determine that RDP was in use, based on its
+recognition of the protocol.
+
+Here is the entire :file:`rdp.log` entry for the interactive RDP session:
+
+.. literal-emph::
+
+  {
+    "ts": 1607353272.791158,
+    "uid": "CFdEZNjN5MtPzGMS8",
+    **"id.orig_h": "192.168.4.160",**
+    "id.orig_p": 59758,
+    **"id.resp_h": "192.168.4.161",**
+    **"id.resp_p": 3389,**
+    "cookie": "test",
+    "result": "encrypted",
+    "security_protocol": "HYBRID",
+    "cert_count": 0
+  }
+
+As before, there is nothing stating that this is an interactive session.
+
+:file:`ssl.log` and :file:`x509.log`
+====================================
+
+The Zeek logs associated with TLS-encrypted sessions might tell us a bit about
+the RDP server. Here is a :file:`ssl.log` entry for the interactive session:
+
+.. literal-emph::
+
+  {
+    "ts": 1607353272.79572,
+    "uid": "CFdEZNjN5MtPzGMS8",
+    **"id.orig_h": "192.168.4.160",**
+    "id.orig_p": 59758,
+    **"id.resp_h": "192.168.4.161",**
+    **"id.resp_p": 3389,**
+    **"version": "TLSv12",**
+    **"cipher": "TLS_RSA_WITH_AES_256_GCM_SHA384",**
+    **"server_name": "192.168.4.161",**
+    "resumed": false,
+    "established": true,
+    "cert_chain_fuids": [
+      **"FWesoX2H43hXhuqoGb"**
+    ],
+    "client_cert_chain_fuids": [],
+    **"subject": "CN=WinDev2010Eval",**
+    **"issuer": "CN=WinDev2010Eval"**
+  }
+
+From this information it looks like the target is a Windows development server.
+
+Here is the corresponding :file:`x509.log` entry. We match it to the preceding
+:file:`ssl.log` entry using the ``id`` field.
+
+.. literal-emph::
+
+  {
+    "ts": 1607353272.79572,
+    **"id": "FWesoX2H43hXhuqoGb",**
+    "certificate.version": 3,
+    "certificate.serial": "5578FF9983F26AA6442533AB6AD54C72",
+    **"certificate.subject": "CN=WinDev2010Eval",**
+    **"certificate.issuer": "CN=WinDev2010Eval",**
+    "certificate.not_valid_before": 1602434171,
+    "certificate.not_valid_after": 1618245371,
+    "certificate.key_alg": "rsaEncryption",
+    "certificate.sig_alg": "sha256WithRSAEncryption",
+    "certificate.key_type": "rsa",
+    "certificate.key_length": 2048,
+    "certificate.exponent": "65537"
+  }
+
+While this might have some significance in other investigations, here it is not
+as important.
+
+Running the Test
+================
+
+For those who might want to simulate this activity themselves, I wanted to
+share how I conducted this experiment.
+
+.. code-block:: console
+
+  $ hydra -t 1 -V -f -l test -P wordlist.txt rdp://192.168.4.161
+
+.. literal-emph::
+
+  Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
+
+  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-07 09:46:30
+  [WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
+  [DATA] max 1 task per 1 server, overall 1 task, 4999 login tries (l:1/p:4999), ~4999 tries per task
+  [DATA] attacking rdp://192.168.4.161:3389/
+  [ATTEMPT] target 192.168.4.161 - login "test" - pass "123456" - 1 of 4999 [child 0] (0/0)
+  [ATTEMPT] target 192.168.4.161 - login "test" - pass "12345" - 2 of 4999 [child 0] (0/0)
+  [ATTEMPT] target 192.168.4.161 - login "test" - pass "123456789" - 3 of 4999 [child 0] (0/0)
+  [ATTEMPT] target 192.168.4.161 - login "test" - pass "password" - 4 of 4999 [child 0] (0/0)
+  ...edited...
+  [ATTEMPT] target 192.168.4.161 - login "test" - pass "liverpool" - 38 of 4999 [child 0] (0/0)
+  **[ATTEMPT] target 192.168.4.161 - login "test" - pass "football" - 39 of 4999 [child 0] (0/0)**
+  **[3389][rdp] host: 192.168.4.161   login: test   password: football**
+  [STATUS] attack finished for 192.168.4.161 (valid pair found)
+  **1 of 1 target successfully completed, 1 valid password found**
+  Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-07 09:46:53
+
+I used the reconnaissance tool THC-Hydra by van Hauser/THC & David Maciejak. I
+provided a word list that had a password that I had enabled on a test account
+on the Windows RDP server at ``192.168.4.161``. I ran Hydra from a Kali Linux
+virtual machine against a Windows 10 development virtual machine and captured
+the traffic on Kali Linux. I then processed it with Zeek to produce the logs in
+this section.
+
+Conclusion
+==========
+
+When processing unencrypted RDP sessions, Zeek can provide a bit more
+information than that provided here. However, in my experience Zeek is most
+helpful for identifying systems which should or should not be offering RDP
+services. Zeek will also generate records for interactive sessions, helping
+analysts identify when authorized or unauthorized users access systems via RDP.
+
+For more information on analyzing RDP in context of vulnerabilities that
+appeared in 2020, please see the following blog posts:
+
+https://corelight.blog/2019/05/23/how-to-use-corelight-and-zeek-logs-to-mitigate-rds-rdp-vulnerabilities/
+
+https://corelight.blog/2020/05/13/analyzing-encrypted-rdp-connections/
diff --git a/doc/logs/smb.rst b/doc/logs/smb.rst
new file mode 100644
index 0000000000..7241168585
--- /dev/null
+++ b/doc/logs/smb.rst
@@ -0,0 +1,1825 @@
+
+.. _zkg package manager: https://docs.zeek.org/projects/package-manager/en/stable/
+
+=======================================
+SMB Logs (plus DCE-RPC, Kerberos, NTLM)
+=======================================
+
+Server Message Block (SMB) is a protocol most commonly associated with
+Microsoft Windows enterprise administration. While there are implementations
+for other operating systems, such as Linux, Mac OS, FreeBSD, and the like, many
+security and network analysts seek information on SMB due to its use in Windows
+environments.
+
+Introduction
+============
+
+For the most part, the log analyses in this section address a single
+Zeek log, such as :file:`conn.log` or :file:`dns.log`. When Zeek encounters SMB
+protocol usage, it usually creates multiple logs of varying types. In addition
+to the ubiquitous :file:`conn.log`, Zeek may generate :file:`dce_rpc.log`,
+:file:`kerberos.log`, :file:`ntlm.log`, :file:`smb_cmd.log`,
+:file:`smb_files.log`, :file:`smb_mapping.log`, :file:`pe.log`, and even
+:file:`notice.log` entries.
+
+This section will build upon a paper by Nate Marx published December 20, 2017
+titled “An Introduction to SMB for Network Security Analysts.” The paper
+analyzes a set of packet captures that contain activity in a simulated
+compromised Windows environment.
+
+The paper is available here:
+
+https://401trg.github.io/pages/an-introduction-to-smb-for-network-security-analysts.html
+
+The packet captures are available here:
+
+https://github.com/401trg/detections/tree/master/pcaps
+
+Thorough documentation of several versions of SMB are available online thanks
+to Microsoft.
+
+SMB version 1 is posted here:
+
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/f210069c-7086-4dc2-885e-861d837df688
+
+SMB versions 2 and 3 are posted here:
+
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962
+
+For information on the individual field values in these SMB-affiliated logs,
+please refer to :zeek:see:`DCE_RPC::Info`, :zeek:see:`KRB::Info`,
+:zeek:see:`NTLM::Info`, :zeek:see:`SMB::CmdInfo`, :zeek:see:`SMB::FileInfo`,
+and :zeek:see:`SMB::TreeInfo`.
+
+When presenting information in this section, my general convention is to bold
+commands and items of interest in the resulting output.
+
+Leveraging BZAR
+===============
+
+Before looking at individual logs associated with SMB, it’s helpful to first
+consider adding the BZAR package to your repertoire.
+
+BZAR stands for Bro/Zeek ATT&CK-based Analytics and Reporting. Mark Fernandez
+and others from MITRE and the Zeek community wrote BZAR to generate
+:file:`notice.log` entries when certain patterns of activity appear in some SMB
+logs.
+
+You can learn more about BZAR at https://github.com/mitre-attack/bzar and install
+it via the `zkg package manager`_ by saying
+
+.. literal-emph::
+
+   zkg install bzar
+
+I suggest using BZAR when one first begins looking at SMB logs. Without BZAR,
+it could be difficult to know what might be worth investigating and what might
+be normal. However, even with BZAR, it is no easy feat to differentiate among
+normal, suspicious, and malicious SMB activity. Still, leveraging the BZAR
+policy script for Zeek will give analysts a place to begin their
+investigations.
+
+Running the ``net user`` Command
+================================
+
+Let’s start our investigation of SMB logs with the case labelled “RPC” in Nate
+Marx’s paper. The relevant packet capture file is titled
+:file:`20171220_smb_net_user.pcap`.
+
+If we process the packet capture with Zeek and BZAR, the following files appear:
+
+* :file:`conn.log`
+* :file:`dce_rpc.log`
+* :file:`kerberos.log`
+* :file:`notice.log`
+* :file:`packet_filter.log`
+* :file:`smb_mapping.log`
+
+Let’s look at the :file:`conn.log` first to get a general overview of the
+traffic.
+
+.. literal-emph::
+
+  {
+    "ts": 1507562478.10937,
+    "uid": "CzgIrZ31Lh5vCHioWi",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49282,
+    **"id.resp_h": "192.168.10.10",**
+    **"id.resp_p": 445,**
+    "proto": "tcp",
+    "service": "gssapi,smb,dce_rpc,krb",
+    "duration": 0.22932004928588867,
+    "orig_bytes": 16271,
+    "resp_bytes": 13720,
+    "conn_state": "S1",
+    "missed_bytes": 0,
+    "history": "ShADda",
+    "orig_pkts": 78,
+    "orig_ip_bytes": 19403,
+    "resp_pkts": 77,
+    "resp_ip_bytes": 16812,
+    "ip_proto": 6
+  }
+
+We see that ``192.168.10.31`` initiated a connection to ``192.168.10.10``. The
+destination port is 445 TCP, which is associated with SMB activity. Note that
+Zeek observed the services on this connection as ``gssapi,smb,dce_rpc,krb``,
+which represents Generic Security Service Application Programming Interface,
+Server Message Block, Distributed Computing Environment Remote Procedure Call,
+and Kerberos.
+
+The GSS-API reference likely relates to authentication, as noted in the Windows
+protocol guide for SMB versions 2 and 3. It does not produce any logs named
+``gssapi``. SMB is expected as we are looking for it in this case, and will
+create smb-named logs. DCE-RPC is a protocol associated with Windows networking
+and command execution between machines, and will likely create a
+:file:`dce_rpc.log` entry. Kerberos is an authentication protocol that will
+likely create a :file:`kerberos.log` entry.
+
+:file:`notice.log`
+------------------
+
+Let’s see what the :file:`notice.log` has to say about this activity.
+
+.. literal-emph::
+
+  {
+    "ts": 1507562478.117387,
+    **"note": "ATTACK::Discovery",**
+    **"msg": "Detected activity from host 192.168.10.31, total attempts 5 within timeframe 5.0 mins",**
+    "actions": [
+      "Notice::ACTION_LOG"
+    ],
+    "suppress_for": 3600
+  }
+  {
+    "ts": 1507562478.124176,
+    **"note": "ATTACK::Discovery",**
+    **"msg": "Detected activity from host 192.168.10.31, total attempts 10 within timeframe 5.0 mins",**
+    "actions": [
+      "Notice::ACTION_LOG"
+    ],
+    "suppress_for": 3600
+  }
+  {
+    "ts": 1507562478.138992,
+    **"note": "ATTACK::Discovery",**
+    **"msg": "Detected activity from host 192.168.10.31, total attempts 15 within timeframe 5.0 mins",**
+    "actions": [
+      "Notice::ACTION_LOG"
+    ],
+    "suppress_for": 3600
+  }
+
+These three entries all indicate the same sort of activity: ``192.168.10.31``
+is doing some sort of “discovery” action. We do not know the nature of the
+reconnaissance nor do we know the target. However, when combined with the
+:file:`conn.log` we saw previously, we can assume that ``192.168.10.10`` is the
+target.
+
+:file:`dce_rpc.log`
+-------------------
+
+The :file:`notice.log` alerted us to suspicious or malicious activity from
+``192.168.10.31``. Perhaps the :file:`dce_rpc.log` can help us understand what
+is happening?
+
+Let’s look at the first entry in :file:`dce_rpc.log`.
+
+.. literal-emph::
+
+  {
+    "ts": 1507562478.112879,
+    "uid": "CzgIrZ31Lh5vCHioWi",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49282,
+    **"id.resp_h": "192.168.10.10",**
+    **"id.resp_p": 445,**
+    "rtt": 0.0003020763397216797,
+    **"named_pipe": "\\pipe\\lsass",**
+    **"endpoint": "samr",**
+    **"operation": "SamrConnect5"**
+  }
+
+This entry shows that ``192.168.10.31`` connected to ``192.168.10.10`` via a
+named pipe titled ``lsass``. Microsoft’s documentation says “a pipe is a
+section of shared memory that processes use for communication. The process that
+creates a pipe is the pipe server. A process that connects to a pipe is a pipe
+client… Named pipes can be used to provide communication between processes on
+the same computer or between processes on different computers across a
+network.”
+
+Ref: https://docs.microsoft.com/en-us/windows/win32/ipc/pipes
+
+The lsass named pipe refers to the Local Security Authority Subsystem Service
+(LSASS). The endpoint, ``samr``, refers to the Security Accounts Manager.
+Microsoft’s documentation says “the SamrConnect5 method obtains a handle to a
+server object.”
+
+Ref: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c842a897-0a42-4ca5-a607-2afd05271dae
+
+Even if you do not fully understand all of these details (and who does!), it
+appears that ``192.168.10.31`` is trying to remotely access ``192.168.10.10``
+in a way that requires security authentication on the client, via DCE-RPC over
+SMB.
+
+All of the entries in the :file:`dce_rpc.log` have the same source and
+destination addresses and ports. We can summarize them by extracting only the
+relevant fields using :program:`jq`:
+
+If we look at every one of the 46 entries in the :file:`dce_rpc.log`, we will
+see repeats of some commands. These do not add to our general understanding of
+what is happening. To show a reduced set of commands, I invoke :program:`jq`
+and pipe the output through uniq to only show unique outputs:
+
+.. code-block:: console
+
+  $ jq -c '[."named_pipe", ."endpoint", ."operation"]' dce_rpc.log | uniq
+
+.. literal-emph::
+
+  ["\\pipe\\lsass","samr","SamrConnect5"]
+  ["\\pipe\\lsass","samr","**SamrEnumerateDomainsInSamServer**"]
+  ["\\pipe\\lsass","samr","SamrLookupDomainInSamServer"]
+  ["\\pipe\\lsass","samr","SamrOpenDomain"]
+  ["\\pipe\\lsass","samr","**SamrLookupNamesInDomain**"]
+  ["\\pipe\\lsass","samr","SamrOpenUser"]
+  ["\\pipe\\lsass","samr","**SamrQueryInformationUser**"]
+  ["\\pipe\\lsass","samr","SamrQuerySecurityObject"]
+  ["\\pipe\\lsass","samr","**SamrGetGroupsForUser**"]
+  ["\\pipe\\lsass","samr","SamrGetAliasMembership"]
+  ["\\pipe\\lsass","samr","SamrCloseHandle"]
+  ["\\pipe\\lsass","samr","SamrConnect5"]
+  ["\\pipe\\lsass","samr","SamrEnumerateDomainsInSamServer"]
+  ["\\pipe\\lsass","samr","SamrLookupDomainInSamServer"]
+  ["\\pipe\\lsass","samr","SamrOpenDomain"]
+  ["\\pipe\\lsass","samr","SamrQueryInformationDomain"]
+  ["\\pipe\\lsass","samr","SamrCloseHandle"]
+  ["\\pipe\\lsass","lsarpc","LsarOpenPolicy2"]
+  ["\\pipe\\lsass","lsarpc","LsarQueryInformationPolicy"]
+  ["\\pipe\\lsass","samr","SamrConnect5"]
+  ["\\pipe\\lsass","samr","SamrOpenDomain"]
+  ["\\pipe\\lsass","samr","SamrCloseHandle"]
+  ["\\pipe\\lsass","lsarpc","LsarLookupNames3"]
+  ["\\pipe\\lsass","samr","SamrGetAliasMembership"]
+  ["\\pipe\\lsass","samr","SamrCloseHandle"]
+  ["\\pipe\\lsass","lsarpc","LsarClose"]
+  ["\\pipe\\lsass","samr","SamrConnect5"]
+  ["\\pipe\\lsass","samr","SamrEnumerateDomainsInSamServer"]
+  ["\\pipe\\lsass","samr","SamrLookupDomainInSamServer"]
+  ["\\pipe\\lsass","samr","SamrOpenDomain"]
+  ["\\pipe\\lsass","samr","SamrLookupNamesInDomain"]
+  ["\\pipe\\lsass","samr","SamrOpenUser"]
+  ["\\pipe\\lsass","samr","SamrGetGroupsForUser"]
+  ["\\pipe\\lsass","samr","SamrLookupIdsInDomain"]
+  ["\\pipe\\lsass","samr","SamrCloseHandle"]
+
+The bolded entries indicate that ``192.168.10.31`` is performing some sort of
+user enumeration against ``192.168.10.10``. Again, we don’t necessarily know
+exactly what all of this means, but if there is no reason from
+``192.168.10.31`` to be performing this action, then it’s worth investigating!
+
+:file:`kerberos.log` and :file:`smb_mapping.log`
+------------------------------------------------
+
+Let’s see if the :file:`kerberos.log` has anything new to add to our
+investigation.
+
+.. literal-emph::
+
+  {
+    "ts": 1507562478.110863,
+    "uid": "CzgIrZ31Lh5vCHioWi",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49282,
+    **"id.resp_h": "192.168.10.10",**
+    **"id.resp_p": 445**
+  }
+
+These are the same details we found through the :file:`conn.log`, but it
+confirms that Zeek identified Kerberos authentication in use.
+
+The :file:`smb_mapping.log` offers one entry as well:
+
+.. literal-emph::
+
+  {
+    "ts": 1507562478.111677,
+    "uid": "CzgIrZ31Lh5vCHioWi",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49282,
+    "id.resp_h": "192.168.10.10",
+    "id.resp_p": 445,
+    **"path": "\\\\DC1.contoso.local\\IPC$",**
+    "share_type": "PIPE"
+  }
+
+Here we see the first mention of the ``IPC$`` share. As noted in Mr. Marx’s
+paper, Windows uses the ``IPC$`` share as a means to enable remote procedure
+calls. We knew this was the case when we reviewed the :file:`dce_rpc.log`. It’s
+possible that the ``DC1`` in the path value for this log means that
+``192.168.10.10`` is a domain controller. It’s likely that there is user
+reconnaissance occurring.
+
+If we look at the explanation for this activity noted in Mr. Marx’s paper, he
+says that a simulated intruder on ``192.168.10.31`` executed the ``net user``
+command against ``192.168.10.10``. The intruder took this action to enumerate
+the user list on the target.
+
+In the next two cases we will see what it looks like when simulated intruders move files from one system to another.
+
+Connecting to a SMB Share and Uploading a File
+==============================================
+
+We continue our exploration of SMB logs by reviewing the first case discussed
+in Mr. Marx’s paper. The relevant packet capture file is titled
+:file:`20171220_smb_mimikatz_copy.pcap`. Mr. Marx’s discussion appears in the
+section “The Basics” in his paper.
+
+If we process the packet capture with Zeek and BZAR, the following files appear:
+
+* :file:`conn.log`
+* :file:`extract_files/`
+* :file:`files.log`
+* :file:`kerberos.log`
+* :file:`notice.log`
+* :file:`packet_filter.log`
+* :file:`pe.log`
+* :file:`smb_files.log`
+* :file:`smb_mapping.log`
+
+Let’s look at the :file:`conn.log` first to get a general overview of the
+traffic.
+
+:file:`conn.log`
+----------------
+
+The :file:`conn.log` has two entries:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565438.203425,
+    "uid": "CR7Vww4LuLkMzi4jMd",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49238,
+    **"id.resp_h": "192.168.10.30",**
+    **"id.resp_p": 445,**
+    "proto": "tcp",
+    **"service": "krb,smb,gssapi",**
+    "duration": 1.1398930549621582,
+    "orig_bytes": 814051,
+    "resp_bytes": 11657,
+    "conn_state": "S1",
+    "missed_bytes": 0,
+    "history": "ShADda",
+    "orig_pkts": 66,
+    "orig_ip_bytes": 816703,
+    "resp_pkts": 91,
+    "resp_ip_bytes": 15309,
+    "ip_proto": 6
+  }
+  {
+    "ts": 1507565425.183882,
+    "uid": "CyeWAg1QrRKQL0HHMi",
+    "id.orig_h": "192.168.10.30",
+    "id.orig_p": 138,
+    **"id.resp_h": "192.168.10.255",**
+    **"id.resp_p": 138,**
+    "proto": "udp",
+    "conn_state": "S0",
+    "missed_bytes": 0,
+    "history": "D",
+    "orig_pkts": 1,
+    "orig_ip_bytes": 207,
+    "resp_pkts": 0,
+    "resp_ip_bytes": 0,
+    "ip_proto": 17
+  }
+
+The first entry shows a connection initiated by ``192.168.10.31`` to
+``192.168.10.30``.
+
+The second entry is likely a SMB-related Windows broadcast, as seen by the
+destination IP address of ``192.168.10.255``. According to a Wireshark decode
+of that datagram, it’s a Windows Browser Protocol message, namely a "Become
+backup browser" command with the "browser to promote" being "VICTIM-PC".
+“Browser” in this case does not refer to a Web browser; it’s about accessing
+resources on the local network.
+
+Let’s next turn to the :file:`notice.log`.
+
+:file:`notice.log`
+------------------
+
+I have selected examples of the two unique log types appearing in
+:file:`notice.log`.
+
+.. literal-emph::
+
+  {
+    "ts": 1507565439.130425,
+    **"uid": "CR7Vww4LuLkMzi4jMd",**
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49238,
+    **"id.resp_h": "192.168.10.30",**
+    "id.resp_p": 445,
+    "proto": "tcp",
+    **"note": "ATTACK::Lateral_Movement",**
+    **"msg": "Detected SMB::FILE_WRITE to admin file share '\\\\admin-pc\\c$temp\\mimikatz.exe'",**
+    **"sub": "T1021.002 Remote Services: SMB/Windows Admin Shares + T1570 Lateral Tool Transfer",**
+    **"src": "192.168.10.31",**
+    **"dst": "192.168.10.30",**
+    "p": 445,
+    "actions": [
+      "Notice::ACTION_LOG"
+    ],
+    "suppress_for": 3600
+  }
+
+  {
+    "ts": 1507565439.343318,
+    "uid": "CR7Vww4LuLkMzi4jMd",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49238,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    "fuid": "FwVZpk12AKBjE11UNg",
+    "file_mime_type": "application/x-dosexec",
+    "file_desc": "temp",
+    "proto": "tcp",
+    **"note": "ATTACK::Lateral_Movement_Extracted_File",**
+    **"msg": "Saved a copy of the file written to SMB admin file share",**
+    **"sub": "CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c$temp_mimikatz.exe",**
+    **"src": "192.168.10.31",**
+    **"dst": "192.168.10.30",**
+    "p": 445,
+    "actions": [
+      "Notice::ACTION_LOG"
+    ],
+    "suppress_for": 3600
+  }
+
+My processing of the packet capture produced 13 of the first entry and 1 of the
+second entry.
+
+These two entries in the :file:`notice.log` tell us a lot, but also provide
+material for additional investigation.
+
+First, the note, msg, and sub entries of each log provide useful information.
+
+Both notes relate to “lateral movement.” If a new analyst is not familiar with
+that term, the sub field in the first log entry provides a reference to “T1570
+Lateral Tool Transfer.” T1570 refers to the MITRE ATT&CK technique number 1570,
+which is described here:
+
+https://attack.mitre.org/techniques/T1570/
+
+The ATT&CK Web site explains Lateral Tool Transfer thus:
+
+  “**Adversaries may transfer tools or other files between systems in a
+  compromised environment**. Files may be copied from one system to another to
+  stage adversary tools or other files over the course of an operation.
+  Adversaries may copy files laterally between internal victim systems to
+  support lateral movement using inherent file sharing protocols such as file
+  sharing over **SMB** to connected network shares or with authenticated
+  connections with **SMB/Windows Admin Shares** or Remote Desktop Protocol. Files
+  can also be copied over on Mac and Linux with native tools like scp, rsync,
+  and sftp.” (emphasis added)
+
+With this understanding, the msg from the first log makes more sense::
+
+  Detected SMB::FILE_WRITE to admin file share '\\\\admin-pc\\c$temp\\mimikatz.exe'
+
+Zeek is trying to tell us that the BZAR script detected a transfer of a file
+called ``mikikatz.exe``.
+
+The details from the second log tell us what actions Zeek took when it noticed
+this activity::
+
+  "msg": "Saved a copy of the file written to SMB admin file share",
+  "sub": "CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c$temp_mimikatz.exe",
+
+This means we should be able to look in a directory associated with our run of
+Zeek to find an extracted copy of this file.
+
+Finally, as with many Zeek logs, we have an id (in this case,
+``CR7Vww4LuLkMzi4jMd``), and IP addresses which we can use to pivot through other
+Zeek data. Note the src and dst entries in both logs indicate that
+``192.168.10.31`` copied a file to ``192.168.10.30``.
+
+:file:`extract_files/`, :file:`files.log`, and :file:`pe.log`, and VirusTotal
+-----------------------------------------------------------------------------
+
+Next, let’s look for the extracted file. We can use the Linux :program:`file`
+command to get some details:
+
+.. code-block:: console
+
+  $ file extract_files/CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c\$temp_mimikatz.exe
+
+::
+
+  extract_files/CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c$temp_mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows
+
+As we learned in the :file:`files.log` documentation, we can look in that data
+for similar information on extracted files:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565439.130425,
+    "fuid": "FwVZpk12AKBjE11UNg",
+    "uid": "CR7Vww4LuLkMzi4jMd",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49238,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445
+    "source": "SMB",
+    "depth": 0,
+    "analyzers": [
+      "SHA1",
+      "SHA256",
+      "PE",
+      "MD5",
+      "EXTRACT"
+    ],
+    **"mime_type": "application/x-dosexec",**
+    **"filename": "temp\\mimikatz.exe",**
+    "duration": 0.0034439563751220703,
+    "is_orig": true,
+    "seen_bytes": 804352,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": true,
+    **"md5": "2c527d980eb30daa789492283f9bf69e",**
+    "sha1": "d007f64dae6bc5fdfe4ff30fe7be9b7d62238012",
+    "sha256": "fb55414848281f804858ce188c3dc659d129e283bd62d58d34f6e6f568feab37",
+    "extracted": "CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c$temp_mimikatz.exe",
+    "extracted_cutoff": false
+  }
+
+Here I highlighted the MIME type, showing a Windows executable, as well as the
+filename, which includes a directory.
+
+Let’s take a quick look at the :file:`pe.log` entry:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565439.130425,
+    "id": "FwVZpk12AKBjE11UNg",
+    "machine": "AMD64",
+    **"compile_ts": 1502638084,**
+    "os": "Windows XP x64 or Server 2003",
+    "subsystem": "WINDOWS_CUI",
+    "is_exe": true,
+    "is_64bit": true,
+    "uses_aslr": true,
+    "uses_dep": true,
+    "uses_code_integrity": false,
+    "uses_seh": true,
+    "has_import_table": true,
+    "has_export_table": false,
+    "has_cert_table": false,
+    "has_debug_data": false,
+    "section_names": [
+      ".text",
+      ".rdata",
+      ".data",
+      ".pdata",
+      ".rsrc",
+      ".reloc"
+    ]
+  }
+
+There’s some interesting information in this log, like the compile time. We can
+convert it to a human readable form using the Linux :program:`date` command.
+
+
+.. code-block:: console
+
+  $ date -d @1502638084
+
+::
+
+  Sun Aug 13 15:28:04 UTC 2017
+
+Finally, we can use the md5 from the :file:`file.log` entry to query
+VirusTotal, as we also did previously:
+
+.. code-block:: console
+
+  $ vt file "2c527d980eb30daa789492283f9bf69e"
+
+::
+
+  - _id: "fb55414848281f804858ce188c3dc659d129e283bd62d58d34f6e6f568feab37"
+    _type: "file"
+    authentihash: "02c86c9977c85a08f18ac1dae02f1cdda569eaba51ec6d17aed6f4ebc2adaf21"
+    creation_date: 1502638084  # 2017-08-13 15:28:04 +0000 UTC
+    crowdsourced_yara_results:
+    - description: "mimikatz"
+      rule_name: "mimikatz"
+      ruleset_id: "00043243d1"
+      ruleset_name: "gen_mimikatz"
+      source: "https://github.com/Neo23x0/signature-base"
+    - description: "Detects Mimikatz strings"
+      rule_name: "Mimikatz_Strings"
+      ruleset_id: "00043243d1"
+      ruleset_name: "gen_mimikatz"
+      source: "https://github.com/Neo23x0/signature-base"
+    - description: "Detects Mimikatz SkeletonKey in Memory"
+      rule_name: "HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1"
+      ruleset_id: "00043243d1"
+      ruleset_name: "gen_mimikatz"
+      source: "https://github.com/Neo23x0/signature-base"
+    - description: "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)"
+      rule_name: "Powerkatz_DLL_Generic"
+      ruleset_id: "000d2a7a67"
+      ruleset_name: "gen_powerkatz"
+      source: "https://github.com/Neo23x0/signature-base"
+    - description: "Detects Mimikatz by using some special strings"
+      rule_name: "Mimikatz_Gen_Strings"
+      ruleset_id: "000be577b3"
+      ruleset_name: "thor-hacktools"
+      source: "https://github.com/Neo23x0/signature-base"
+    first_submission_date: 1502652611  # 2017-08-13 19:30:11 +0000 UTC
+    last_analysis_date: 1602435563  # 2020-10-11 16:59:23 +0000 UTC
+
+I reproduced the first set of results generated by VirusTotal’s
+crowdsourced_yara_results to show that this is indeed a copy of Mimikatz, the
+ubiquitous credential-dumping tool used for lateral movement in Windows
+environments.
+
+:file:`kerberos.log`, :file:`smb_mapping.log`, and :file:`smb_files.log`
+------------------------------------------------------------------------
+
+We have learned that ``192.168.10.31`` copied :file:`mimikatz.exe` to
+``192.168.10.30``. This is probably the most important aspect of the activity,
+and it is based on BZAR’s interpretation of the SMB logs. Let’s take a quick
+look at those logs to see if we can glean anything more from them.
+
+The :file:`kerberos.log` has a single short entry:
+
+::
+
+  {
+    "ts": 1507565438.204785,
+    "uid": "CR7Vww4LuLkMzi4jMd",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49238,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445
+  }
+
+This indicates that Kerberos, an authentication measure used by Windows, had a
+role in this connection.
+
+The :file:`smb_mapping.log` also has a single short entry:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565438.205583,
+    "uid": "CR7Vww4LuLkMzi4jMd",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49238,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    **"path": "\\\\admin-pc\\c$",**
+    "share_type": "DISK"
+  }
+
+We see evidence of connecting to the administrative file share on
+``192.168.10.30``.
+
+The :file:`smb_files.log` has many entries. The first looks like this:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565438.205868,
+    "uid": "CR7Vww4LuLkMzi4jMd",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49238,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    **"action": "SMB::FILE_OPEN",**
+    **"path": "\\\\admin-pc\\c$",**
+    **"name": "<share_root>",**
+    "size": 4096,
+    "times.modified": 1507316839.5820882,
+    "times.accessed": 1507316839.5820882,
+    "times.created": 1247539136.5268176,
+    "times.changed": 1507316839.5820882
+  }
+
+All of the entries have the same ``uid``, ``id.orig_h``, ``id.orig_p``,
+``id.resp_h``, and ``id.resp_p``. The ``size`` and ``times`` entries aren’t
+especially interesting here.
+
+I include the specific :program:`jq` syntax in case you’ve forgotten how to
+tell :program:`jq` what fields you want to see:
+
+.. code-block:: console
+
+  $ jq -c '[."action", ."path", ."name"]' smb_files.log
+
+::
+
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","<share_root>"]
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp"]
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp"]
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
+  ["SMB::FILE_WRITE","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
+  ["SMB::FILE_WRITE","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp"]
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
+
+These results do not tell us anything we did not know from the entries the BZAR
+script made in the :file:`notice.log`. However, I include them here to help
+show how BZAR decided to write in the :file:`notice.log` that it detected
+lateral movement via the copy of the file :file:`mimikatz.exe` from
+``192.168.10.31`` to ``192.168.10.30``.
+
+Connecting to a SMB Share and Downloading a File
+================================================
+
+We continue our exploration of SMB logs by reviewing the second case discussed
+in Nate Marx’s paper. The relevant packet capture file is titled
+:file:`20171220_smb_mimikatz_copy_to_host.pcap`. Mr. Marx’s discussion appears
+at the end of the section titled “The Basics” in his paper.
+
+If we process the packet capture with Zeek and BZAR, the following files appear:
+
+* :file:`conn.log`
+* :file:`files.log`
+* :file:`kerberos.log`
+* :file:`packet_filter.log`
+* :file:`pe.log`
+* :file:`smb_files.log`
+* :file:`smb_mapping.log`
+
+Note that this time we do not have an :file:`extract_files/` directory nor a
+:file:`notice.log`!
+
+We’ll start with the :file:`conn.log` as we did with the previous case.
+
+:file:`conn.log`
+----------------
+
+The :file:`conn.log` for this case has only one entry:
+
+.. literal-emph::
+
+  {
+    "ts": 1512585460.295445,
+    "uid": "C4j5Ds3VyExc2ZAOh9",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 1112,
+    **"id.resp_h": "192.168.10.30",**
+    **"id.resp_p": 445,**
+    "proto": "tcp",
+    "service": "krb,gssapi,smb",
+    "duration": 13.435487985610962,
+    "orig_bytes": 5762,
+    "resp_bytes": 812728,
+    "conn_state": "S1",
+    "missed_bytes": 0,
+    "history": "ShADda",
+    "orig_pkts": 74,
+    "orig_ip_bytes": 8734,
+    "resp_pkts": 575,
+    "resp_ip_bytes": 835740,
+    "ip_proto": 6
+  }
+
+We see the same pattern: ``192.168.10.31`` initiated a connection to
+``192.168.10.30``, to port 445 TCP. In the previous case and the current case,
+``192.168.10.31`` connected to a Windows share on ``192.168.10.30``. What
+happened next was different.
+
+In the first case, ``192.168.10.31`` uploaded a file to ``192.168.10.30``.
+
+In the second case, ``192.168.10.31`` downloaded a file from ``192.168.10.30``.
+
+Now let’s look at the :file:`files.log` and :file:`pe.log`, as we do not have a
+:file:`notice.log` to check.
+
+:file:`files.log` and :file:`pe.log`
+------------------------------------
+
+We see one entry in :file:`files.log`:
+
+.. literal-emph::
+
+  {
+    "ts": 1512585460.300969,
+    "fuid": "FNMweB3f2OvTZ4UZLe",
+    "uid": "CR7Vww4LuLkMzi4jMd",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49238,
+    **"id.resp_h": "192.168.10.30",**
+    "id.resp_p": 445
+    "source": "SMB",
+    "source": "SMB",
+    "depth": 0,
+    "analyzers": [
+      "PE"
+    ],
+    "mime_type": "application/x-dosexec",
+    **"filename": "temp\\mimikatz.exe",**
+    "duration": 0.010069131851196289,
+    **"is_orig": false**,
+    "seen_bytes": 804352,
+    "total_bytes": 804352,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false
+  }
+
+This :file:`files.log` entry is similar to that seen in the previous case,
+except the ``is_orig`` value is ``false``. This
+indicates that ``192.168.10.30`` sent a file titled :file:`mimikatz.exe` to
+``192.168.10.31``, or, said differently, ``192.168.10.31`` downloaded a file
+from ``192.168.10.30``.
+
+With either language, the file started at ``192.168.10.30`` (the responder)
+and ended up on ``192.168.10.31`` (the originator).
+
+This is the reverse of the previous case.
+
+Here is the :file:`pe.log`:
+
+.. literal-emph::
+
+  {
+    "ts": 1512585460.300969,
+    "id": "FNMweB3f2OvTZ4UZLe",
+    "machine": "AMD64",
+    **"compile_ts": 1502638084,**
+    "os": "Windows XP x64 or Server 2003",
+    "subsystem": "WINDOWS_CUI",
+    "is_exe": true,
+    "is_64bit": true,
+    "uses_aslr": true,
+    "uses_dep": true,
+    "uses_code_integrity": false,
+    "uses_seh": true,
+    "has_import_table": true,
+    "has_export_table": false,
+    "has_cert_table": false,
+    "has_debug_data": false,
+    "section_names": [
+      ".text",
+      ".rdata",
+      ".data",
+      ".pdata",
+      ".rsrc",
+      ".reloc"
+    ]
+  }
+
+This output is the same as the previous case, to include the compile time.
+There is a different id field because this file was transferred in a different
+connection.
+
+:file:`kerberos.log`, :file:`smb_mapping`.log, and :file:`smb_files.log`
+------------------------------------------------------------------------
+
+Let’s see what the other relevant files say.
+
+The :file:`kerberos.log` has one entry:
+
+::
+
+  {
+    "ts": 1512585460.296744,
+    "uid": "C4j5Ds3VyExc2ZAOh9",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 1112,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445
+  }
+
+This is very similar to the previous :file:`kerberos.log` entry, because the
+direction of the connection and the authentication is the same.
+
+The :file:`smb_mapping.log` has one entry:
+
+::
+
+  {
+    "ts": 1512585460.297722,
+    "uid": "C4j5Ds3VyExc2ZAOh9",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 1112,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    "path": "\\\\admin-pc\\c$",
+    "share_type": "DISK"
+  }
+
+This is also very similar to the previous :file:`smb_mapping.log` entry,
+because the direction of the connection and the share access is the same.
+
+The :file:`smb_files.log` only has two entries:
+
+::
+
+  {
+    "ts": 1512585460.298136,
+    "uid": "C4j5Ds3VyExc2ZAOh9",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 1112,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    "action": "SMB::FILE_OPEN",
+    "path": "\\\\admin-pc\\c$",
+    "name": "temp\\mimikatz.exe",
+    "size": 804352,
+    "times.modified": 1512171135.77705,
+    "times.accessed": 1512585399.9219997,
+    "times.created": 1512585399.9219997,
+    "times.changed": 1512585399.9376247
+  }
+  {
+    "ts": 1512585460.299373,
+    "uid": "C4j5Ds3VyExc2ZAOh9",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 1112,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    "action": "SMB::FILE_OPEN",
+    "path": "\\\\admin-pc\\c$",
+    "name": "temp",
+    "size": 0,
+    "times.modified": 1512585399.9219997,
+    "times.accessed": 1512585399.9219997,
+    "times.created": 1512585360.2032497,
+    "times.changed": 1512585399.9219997
+  }
+
+These entries are similar to those from the previous case, at least as far as
+the ``id.orig_h`` and ``id.resp_h`` IP addresses and the ``id.resp_p`` port
+values.
+
+Summarizing these two logs, as we did for the previous case, yields these
+values:
+
+.. code-block:: console
+
+  $ jq -c '[."action", ."path", ."name"]' smb_files.log
+
+::
+
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
+  ["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp"]
+
+Looking at these logs, I would not as an analyst be able to tell exactly what
+is happening here, other than to say it looks like :file:`mimikatz.exe` is
+being transferred. Only the :file:`files.log` entry makes it possible to see
+the direction of the transfer:
+
+The file started at ``192.168.10.30`` and ended up on ``192.168.10.31``. This
+conclusion is drawn from the originator and responder information and the
+``is_orig`` value for the given entry being ``false``.
+
+In the next section we will look at how someone might execute a file once it is
+present on a target.
+
+Scheduling Mimikatz via the At Service
+======================================
+
+The following analysis is based on the :file:`20171220_smb_at_schedule.pcap`
+and appears near the end of the RPC section of Mr. Marx’s paper.
+
+After processing the packet capture with Zeek and BZAR, we have the following
+logs:
+
+* :file:`conn.log`
+* :file:`files.log`
+* :file:`packet_filter.log`
+* :file:`smb_files.log`
+
+This is a short set of logs to analyze. We will start with the :file:`conn.log`.
+
+:file:`conn.log`
+----------------
+
+Looking at the :file:`conn.log`, we see one entry:
+
+.. literal-emph::
+
+  {
+    "ts": 1508525002.992213,
+    "uid": "Cirxt14nybZjVhpOAk",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49266,
+    **"id.resp_h": "192.168.10.30",**
+    **"id.resp_p": 445,**
+    "proto": "tcp",
+    **"service": "dce_rpc,smb",**
+    "duration": 12.397327899932861,
+    "orig_bytes": 1155,
+    "resp_bytes": 1037,
+    "conn_state": "OTH",
+    "missed_bytes": 0,
+    "history": "DdAR",
+    "orig_pkts": 11,
+    "orig_ip_bytes": 1595,
+    "resp_pkts": 9,
+    "resp_ip_bytes": 1397,
+    "ip_proto": 6
+  }
+
+We see ``192.168.10.31`` initiated a connection to ``192.168.10.30``, port 445
+TCP.  Zeek recognized this as DCE RPC and SMB traffic. Note that for some
+reason Zeek did not create a :file:`dce_rpc.log` for this activity.
+
+:file:`smb_files.log`
+---------------------
+
+The :file:`smb_files.log` holds the next clue to this activity. It contains
+three entries:
+
+.. literal-emph::
+
+  {
+    "ts": 1508525002.992213,
+    "uid": "Cirxt14nybZjVhpOAk",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49266,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    **"action": "SMB::FILE_OPEN",**
+    **"name": "atsvc",**
+    "size": 0
+  }
+  {
+    "ts": 1508525002.992213,
+    "uid": "Cirxt14nybZjVhpOAk",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49266,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    **"action": "SMB::FILE_WRITE",**
+    **"name": "atsvc",**
+    "size": 0,
+    "data_offset_req": 0,
+    "data_len_req": 160
+  }
+  {
+    "ts": 1508525002.992213,
+    "uid": "Cirxt14nybZjVhpOAk",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49266,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    **"fuid": "Fw42Pp34N0CC79C5Ua",**
+    **"action": "SMB::FILE_WRITE",**
+    **"name": "atsvc",**
+    "size": 0,
+    "data_offset_req": 0,
+    "data_len_req": 160
+  }
+
+We see SMB ``FILE_OPEN`` and ``FILE_WRITE`` messages to the ``atsvc``. This
+indicates that ``192.168.10.31`` is accessing the Windows At service, used for
+scheduling processes on Windows. Note that Windows and hence Zeek treats the At
+service as a “file,” even though it is a service offered by Windows.
+
+:file:`files.log`
+-----------------
+
+An odd result of Windows providing the At service as a “file” is that Zeek
+creates a :file:`files.log` entry for it. Here is that entry:
+
+.. literal-emph::
+
+  {
+    "ts": 1508525002.992817,
+    "fuid": "Fw42Pp34N0CC79C5Ua",
+    "uid": "Cirxt14nybZjVhpOAk",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49266,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    **"source": "SMB",**
+    "depth": 0,
+    "analyzers": [],
+    **"filename": "atsvc",**
+    "duration": 0.00038909912109375,
+    "is_orig": true,
+    "seen_bytes": 160,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false
+  }
+
+This file does not tell us anything we did not already know. Zeek did not
+extract a file either, because the “file” in this instance is an abstraction
+used to represent the At service on the Windows target.
+
+Reviewing the Packet Capture with :program:`tshark`
+===================================================
+
+If administrators are authorized to use the At service to schedule jobs, from
+the indicated source to the indicated destination, then it may not be possible
+for a security analyst to identify this as malicious activity. We might be able
+to learn a bit more about the activity by looking at the packet capture
+directly.
+
+To create the following output, I told :program:`tshark` to only display the
+source IP address, the protocol, and the information field for each frame. I
+also specified that it look at SMB version 2 traffic.
+
+.. code-block:: console
+
+  $ tshark -r 20171220_smb_at_schedule.pcap -T fields -e _ws.col.No. -e _ws.col.Source -e _ws.col.Protocol -e _ws.col.Info -Y smb2
+
+.. literal-emph::
+
+  **1       192.168.10.31   SMB2    Create Request File: atsvc**
+  2       192.168.10.30   SMB2    Create Response File: atsvc
+  3       192.168.10.31   SMB2    GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: atsvc
+  4       192.168.10.30   SMB2    GetInfo Response
+  5       192.168.10.31   DCERPC  Bind: call_id: 2, Fragment: Single, 3 context items: ATSVC V1.0 (32bit NDR), ATSVC V1.0 (64bit NDR), ATSVC V1.0 (6cb71c2c-9812-4540-0300-000000000000)
+  6       192.168.10.30   SMB2    Write Response
+  7       192.168.10.31   SMB2    Read Request Len:1024 Off:0 File: atsvc
+  8       192.168.10.30   DCERPC  Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK
+  **9       192.168.10.31   ATSVC   JobAdd request**
+  10      192.168.10.30   SMB2    Ioctl Response, Error: STATUS_PENDING
+  11      192.168.10.30   ATSVC   JobAdd response
+  13      192.168.10.31   SMB2    Close Request File: atsvc
+  14      192.168.10.30   SMB2    Close Response
+  16      192.168.10.31   SMB2    Tree Disconnect Request
+  17      192.168.10.30   SMB2    Tree Disconnect Response
+  18      192.168.10.31   SMB2    Session Logoff Request
+  19      192.168.10.30   SMB2    Session Logoff Response
+
+Right away in frame 1 we see the request to create a “file” for the ``atsvc``.
+
+Frame 9 might have the details of the Atsvc request. We can look at the details
+using :program:`tshark`. The -O (capital letter O) command specifies which
+layer of the decode we want to see.
+
+.. code-block:: console
+
+  $ tshark -r 20171220_smb_at_schedule.pcap -V -Y frame.number==9 -O atsvc
+
+.. literal-emph::
+
+  Frame 9: 338 bytes on wire (2704 bits), 338 bytes captured (2704 bits)
+  Ethernet II, Src: 08:00:27:7f:b5:8b, Dst: 08:00:27:a1:27:e8
+  Internet Protocol Version 4, Src: 192.168.10.31, Dst: 192.168.10.30
+  Transmission Control Protocol, Src Port: 49266, Dst Port: 445, Seq: 636, Ack: 541, Len: 284
+  NetBIOS Session Service
+  SMB2 (Server Message Block Protocol version 2)
+  Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 160, Call: 2, Ctx: 1
+  Microsoft AT-Scheduler Service, JobAdd
+      Operation: JobAdd (0)
+      Pointer to Servername (uint16): \\admin-pc
+          Referent ID: 0x0000000000020000
+          Max Count: 11
+          Offset: 0
+          Actual Count: 11
+          Server: \\admin-pc
+      Pointer to Job Info (atsvc_JobInfo)
+          JobInfo
+              Job Time: 47100000
+              Days Of Month: 0x00000000: (No values set)
+                  .... .... .... .... .... .... .... ...0 = First: First is NOT SET
+                  .... .... .... .... .... .... .... ..0. = Second: Second is NOT SET
+                  .... .... .... .... .... .... .... .0.. = Third: Third is NOT SET
+                  .... .... .... .... .... .... .... 0... = Fourth: Fourth is NOT SET
+                  .... .... .... .... .... .... ...0 .... = Fifth: Fifth is NOT SET
+                  .... .... .... .... .... .... ..0. .... = Sixth: Sixth is NOT SET
+                  .... .... .... .... .... .... .0.. .... = Seventh: Seventh is NOT SET
+                  .... .... .... .... .... .... 0... .... = Eight: Eight is NOT SET
+                  .... .... .... .... .... ...0 .... .... = Ninth: Ninth is NOT SET
+                  .... .... .... .... .... ..0. .... .... = Tenth: Tenth is NOT SET
+                  .... .... .... .... .... .0.. .... .... = Eleventh: Eleventh is NOT SET
+                  .... .... .... .... .... 0... .... .... = Twelfth: Twelfth is NOT SET
+                  .... .... .... .... ...0 .... .... .... = Thitteenth: Thitteenth is NOT SET
+                  .... .... .... .... ..0. .... .... .... = Fourteenth: Fourteenth is NOT SET
+                  .... .... .... .... .0.. .... .... .... = Fifteenth: Fifteenth is NOT SET
+                  .... .... .... .... 0... .... .... .... = Sixteenth: Sixteenth is NOT SET
+                  .... .... .... ...0 .... .... .... .... = Seventeenth: Seventeenth is NOT SET
+                  .... .... .... ..0. .... .... .... .... = Eighteenth: Eighteenth is NOT SET
+                  .... .... .... .0.. .... .... .... .... = Ninteenth: Ninteenth is NOT SET
+                  .... .... .... 0... .... .... .... .... = Twentyth: Twentyth is NOT SET
+                  .... .... ...0 .... .... .... .... .... = Twentyfirst: Twentyfirst is NOT SET
+                  .... .... ..0. .... .... .... .... .... = Twentysecond: Twentysecond is NOT SET
+                  .... .... .0.. .... .... .... .... .... = Twentythird: Twentythird is NOT SET
+                  .... .... 0... .... .... .... .... .... = Twentyfourth: Twentyfourth is NOT SET
+                  .... ...0 .... .... .... .... .... .... = Twentyfifth: Twentyfifth is NOT SET
+                  .... ..0. .... .... .... .... .... .... = Twentysixth: Twentysixth is NOT SET
+                  .... .0.. .... .... .... .... .... .... = Twentyseventh: Twentyseventh is NOT SET
+                  .... 0... .... .... .... .... .... .... = Twentyeighth: Twentyeighth is NOT SET
+                  ...0 .... .... .... .... .... .... .... = Twentyninth: Twentyninth is NOT SET
+                  ..0. .... .... .... .... .... .... .... = Thirtieth: Thirtieth is NOT SET
+                  .0.. .... .... .... .... .... .... .... = Thirtyfirst: Thirtyfirst is NOT SET
+              Days Of Week: 0x00: (No values set)
+                  .... ...0 = DAYSOFWEEK MONDAY: DAYSOFWEEK_MONDAY is NOT SET
+                  .... ..0. = DAYSOFWEEK TUESDAY: DAYSOFWEEK_TUESDAY is NOT SET
+                  .... .0.. = DAYSOFWEEK WEDNESDAY: DAYSOFWEEK_WEDNESDAY is NOT SET
+                  .... 0... = DAYSOFWEEK THURSDAY: DAYSOFWEEK_THURSDAY is NOT SET
+                  ...0 .... = DAYSOFWEEK FRIDAY: DAYSOFWEEK_FRIDAY is NOT SET
+                  ..0. .... = DAYSOFWEEK SATURDAY: DAYSOFWEEK_SATURDAY is NOT SET
+                  .0.. .... = DAYSOFWEEK SUNDAY: DAYSOFWEEK_SUNDAY is NOT SET
+              Flags: 0x00: (No values set)
+                  .... ...0 = JOB RUN PERIODICALLY: JOB_RUN_PERIODICALLY is NOT SET
+                  .... ..0. = JOB EXEC ERROR: JOB_EXEC_ERROR is NOT SET
+                  .... .0.. = JOB RUNS TODAY: JOB_RUNS_TODAY is NOT SET
+                  .... 0... = JOB ADD CURRENT DATE: JOB_ADD_CURRENT_DATE is NOT SET
+                  ...0 .... = JOB NONINTERACTIVE: JOB_NONINTERACTIVE is NOT SET
+              **Pointer to Command (uint16): c:\mimikatz.exe**
+                  **Referent ID: 0x0000000000020000**
+                  **Max Count: 16**
+                  **Offset: 0**
+                  **Actual Count: 16**
+                  **Command: c:\mimikatz.exe**
+
+Once you get past the spelling errors in the “Days of Month” section, we see in
+the “Pointer to Command” section a reference to :file:`c:\mimikatz.exe`. This
+detail was not available in the Zeek logs, but this additional information
+helps us recognize this activity as being likely malicious.
+
+We can look to see if the command succeeded by reviewing the details of frame
+11.
+
+.. code-block:: console
+
+  $ tshark -r 20171220_smb_at_schedule.pcap -V -Y frame.number==11 -O atsvc
+
+.. literal-emph::
+
+  Frame 11: 202 bytes on wire (1616 bits), 202 bytes captured (1616 bits)
+  Ethernet II, Src: 08:00:27:a1:27:e8, Dst: 08:00:27:7f:b5:8b
+  Internet Protocol Version 4, Src: 192.168.10.30, Dst: 192.168.10.31
+  Transmission Control Protocol, Src Port: 445, Dst Port: 49266, Seq: 618, Ack: 920, Len: 148
+  NetBIOS Session Service
+  SMB2 (Server Message Block Protocol version 2)
+  Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Response, Fragment: Single, FragLen: 32, Call: 2, Ctx: 1, [Req: #9]
+  Microsoft AT-Scheduler Service, JobAdd
+      Operation: JobAdd (0)
+      [Request in frame: 9]
+      Pointer to Job Id (uint32)
+          Job Id: 2
+      **NT Error: STATUS_SUCCESS (0x00000000)**
+
+The ``NT Error`` message shows ``STATUS_SUCCESS``, which indicates that the job
+was scheduled via the At service.
+
+In the next section we will introduce another capability associated with
+Windows lateral movement.
+
+Using PsExec to Retrieve a File from a Target
+=============================================
+
+Microsoft describes PsExec in the following terms:
+
+  “PsExec is a light-weight telnet-replacement that lets you execute processes
+  on other systems, complete with full interactivity for console applications,
+  without having to manually install client software. PsExec's most powerful
+  uses include launching interactive command-prompts on remote systems and
+  remote-enabling tools like IpConfig that otherwise do not have the ability to
+  show information about remote systems.”
+
+Ref: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+
+Intruders are fond of PsExec for the very capabilities that Microsoft
+describes.
+
+The following analysis is based on the
+:file:`20171220_smb_psexec_mimikatz_ticket_dump.pcap` file described in the
+PsExec section of Nate Marx’s paper.
+
+Zeek creates the following output for this packet capture, along with an
+:file:`extract_files/` directory. I use the :program:`wc` command to show how
+many lines appear in each file.
+
+.. code-block:: console
+
+  $ wc -l *.log
+
+::
+
+    9 conn.log
+   20 dce_rpc.log
+    9 dns.log
+    1 files.log
+    2 kerberos.log
+    8 notice.log
+    1 packet_filter.log
+    1 pe.log
+    5 smb_files.log
+    2 smb_mapping.log
+
+We’ll start with the :file:`conn.log` but move to the :file:`notice.log`
+quickly thereafter.
+
+:file:`conn.log`
+----------------
+
+Because we saw that there were 9 entries in the :file:`conn.log`, I’m going to
+summarize them using the following command:
+
+.. code-block:: console
+
+  $ jq -c '[."uid", ."id.orig_h", ."id.resp_h", ."id.resp_p", ."proto", ."service"]' conn.log
+
+::
+
+  ["CT7qITytKtae83Tyi","192.168.10.31","192.168.10.10",88,"tcp","krb_tcp"]
+  ["CBFaLB1HJivXnb9Jw2","192.168.10.31","192.168.10.30",135,"tcp","dce_rpc"]
+  ["CqgZIa4KYnX4cNHJo8","192.168.10.31","192.168.10.30",49155,"tcp","dce_rpc"]
+  ["C95D4lsjb4GjGbBq2","192.168.10.31","192.168.10.255",137,"udp","dns"]
+  ["CEcy2LEJUZQrLwO4b","192.168.10.31","192.168.10.10",53,"udp","dns"]
+  ["CPlgJVWL9yrKdUsX8","192.168.10.31","192.168.10.10",53,"udp","dns"]
+  ["C6zoLD2QgM71nvWdX5","192.168.10.30","192.168.10.255",137,"udp","dns"]
+  ["C6HQVsDf8VCu0XTJe","192.168.10.31","192.168.10.30",445,"tcp","smb,krb,gssapi"]
+  ["Cishox1cH3JLghxiV8","192.168.10.31","192.168.10.10",3,"icmp",null]
+
+The 4 TCP connections likely are the sessions we want to investigate in this
+case. However, because we have a :file:`notice.log` for this activity, it’s
+smartest to look at those entries next.
+
+:file:`notice.log`
+------------------
+
+The :file:`notice.log` for this activity has 8 entries. I tried to distill them
+to the bare minimum required to convey what is happening, according to Zeek and
+BZAR.
+
+.. code-block:: console
+
+  $ jq -c '[."uid", ."note", ."msg", ."sub", ."src", ."dst"]' notice.log | uniq
+
+.. literal-emph::
+
+  ["C6HQVsDf8VCu0XTJe","ATTACK::Lateral_Movement","Detected SMB::FILE_WRITE to admin file share '\\\\admin-pc\\ADMIN$PSEXESVC.exe'","T1021.002 Remote Services: SMB/Windows Admin Shares + **T1570 Lateral Tool Transfer**","192.168.10.31","192.168.10.30"]
+
+  ["C6HQVsDf8VCu0XTJe","ATTACK::Lateral_Movement_Extracted_File","**Saved a copy of the file written to SMB admin file share**","C6HQVsDf8VCu0XTJe_FtIFnm3ZqI1s96P74l__admin-pc_ADMIN$**PSEXESVC.exe**","192.168.10.31","192.168.10.30"]
+
+  ["CqgZIa4KYnX4cNHJo8","ATTACK::Execution","svcctl::CreateServiceWOW64W","T1569.002 **System Services: Service Execution**","192.168.10.31","192.168.10.30"]
+
+  [null,"ATTACK::Lateral_Movement_and_Execution","**Detected activity against host 192.168.10.30**, total score 1004 within timeframe 10.0 mins",null,null,null]
+
+  ["CqgZIa4KYnX4cNHJo8","ATTACK::Execution","svcctl::StartServiceW","T1569.002 System Services: **Service Execution**","192.168.10.31","192.168.10.30"]
+
+The highlighted fields indicate suspicious or malicious activity. We see
+evidence of lateral tool transfer to ``192.168.10.30`` via SMB of a file named
+:file:`psexecsvc.exe`, then service execution.
+
+:file:`dce_rpc.log`
+-------------------
+
+Let’s see if the :file:`dce_rpc.log` adds any useful details. We saw earlier
+that this log has 20 entries. The first two shows us the pattern that occupies
+all 20 entries.
+
+.. literal-emph::
+
+  {
+    "ts": 1507565599.588936,
+    "uid": "CBFaLB1HJivXnb9Jw2",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49240,
+    **"id.resp_h": "192.168.10.30",**
+    **"id.resp_p": 135,**
+    "rtt": 0.0002448558807373047,
+    "named_pipe": "135",
+    **"endpoint": "epmapper",**
+    "operation": "ept_map"
+  }
+
+  {
+    "ts": 1507565599.601632,
+    "uid": "CqgZIa4KYnX4cNHJo8",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49241,
+    **"id.resp_h": "192.168.10.30",**
+    **"id.resp_p": 49155,**
+    "rtt": 0.0003237724304199219,
+    "named_pipe": "49155",
+    "endpoint": "svcctl",
+    "operation": "OpenSCManagerW"
+  }
+
+The first entry shows a call to the Windows endpoint mapper, ``epmapper``, on
+port 135 TCP on ``192.168.10.30``. The response from this service directs the
+client ``192.168.10.31`` to port 49155 TCP on ``192.168.10.30``. The second and
+subsequent :file:`dce_rpc.log` entries involve port 49155 TCP on the target, which is
+offering ``svcctrl``.
+
+We see the target IP address is ``192.168.10.30``, confirming the activity in
+the :file:`notice.log`. As we did with a previous :file:`dce_rpc.log`, we can
+simplify this one into the following entries:
+
+.. code-block:: console
+
+  $ jq -c '[."named_pipe", ."endpoint", ."operation"]' dce_rpc.log | uniq
+
+::
+
+  ["135","epmapper","ept_map"]
+  ["49155","svcctl","OpenSCManagerW"]
+  ["49155","svcctl","CreateServiceWOW64W"]
+  ["49155","svcctl","CloseServiceHandle"]
+  ["49155","svcctl","OpenServiceW"]
+  ["49155","svcctl","StartServiceW"]
+  ["49155","svcctl","QueryServiceStatus"]
+  ["49155","svcctl","CloseServiceHandle"]
+  ["49155","svcctl","OpenSCManagerW"]
+  ["49155","svcctl","OpenServiceW"]
+  ["49155","svcctl","ControlService"]
+  ["49155","svcctl","QueryServiceStatus"]
+  ["49155","svcctl","CloseServiceHandle"]
+  ["49155","svcctl","OpenServiceW"]
+  ["49155","svcctl","DeleteService"]
+  ["49155","svcctl","CloseServiceHandle"]
+
+We see some sort of successful interaction with the ``svcctrl`` service on the target.
+
+Incidentally, we can’t see much more using a protocol analyzer like
+:program:`tshark`, either:
+
+.. code-block:: console
+
+  $ tshark -r 20171220_smb_psexec_mimikatz_ticket_dump.pcap -V -Y frame.number==76 -O svcctl
+
+.. literal-emph::
+
+  Frame 76: 258 bytes on wire (2064 bits), 258 bytes captured (2064 bits)
+  Ethernet II, Src: 08:00:27:7f:b5:8b, Dst: 08:00:27:a1:27:e8
+  Internet Protocol Version 4, Src: 192.168.10.31, Dst: 192.168.10.30
+  Transmission Control Protocol, Src Port: 49241, Dst Port: 49155, Seq: 1945, Ack: 366, Len: 204
+  Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 204, Call: 2, Ctx: 0
+  Microsoft Service Control, OpenSCManagerW
+      Operation: OpenSCManagerW (15)
+      **Encrypted stub data: 02353eb074e7e350b9632e05b550f725c99d41d419165110...**
+
+As Mr. Marx notes in his paper, the content of these exchanges are encrypted
+within the Microsoft Service Control layer.
+
+:file:`kerberos.log`
+--------------------
+
+The :file:`kerberos.log` contains two entries:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565599.590346,
+    "uid": "CT7qITytKtae83Tyi",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49242,
+    **"id.resp_h": "192.168.10.10",**
+    **"id.resp_p": 88,**
+    "request_type": "TGS",
+    **"client": "RonHD/CONTOSO.LOCAL",**
+    **"service": "HOST/admin-pc",**
+    "success": true,
+    "till": 2136422885,
+    "cipher": "aes256-cts-hmac-sha1-96",
+    "forwardable": true,
+    "renewable": true
+  }
+  {
+    "ts": 1507565599.575721,
+    "uid": "C6HQVsDf8VCu0XTJe",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49239,
+    **"id.resp_h": "192.168.10.30",**
+    "id.resp_p": 445
+  }
+
+The first entry includes the acronym TGS, which means Ticket Granting service.
+The system ``192.168.10.10`` appears to be a domain controller, as we saw in an
+earlier case. We gather some information on the intruder’s system, namely that
+it is ``RonHD`` in the ``CONTOSO.LOCAL`` domain.
+
+The second entry shows that the aggressor ``192.168.10.31`` used Kerberos to
+authenticate to the target ``192.168.10.30``.
+
+:file:`smb_mapping.log`
+-----------------------
+
+The :file:`smb_mapping.log` contains two entries:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565599.576613,
+    "uid": "C6HQVsDf8VCu0XTJe",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49239,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    **"path": "\\\\admin-pc\\ADMIN$",**
+    "share_type": "DISK"
+  }
+  {
+    "ts": 1507565599.729707,
+    "uid": "C6HQVsDf8VCu0XTJe",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49239,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    **"path": "\\\\admin-pc\\IPC$",**
+    "share_type": "PIPE"
+  }
+
+As we learned earlier, connections to the ``ADMIN$`` and ``IPC$`` shares on a
+target system are suspicious or malicious if they are not already authorized.
+
+:file:`smb_files.log`
+---------------------
+
+There are many entries in the :file:`smb_files.log`. The first looks like
+this:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565599.576942,
+    "uid": "C6HQVsDf8VCu0XTJe",
+    **"id.orig_h": "192.168.10.31",**
+    "id.orig_p": 49239,
+    **"id.resp_h": "192.168.10.30",**
+    **"id.resp_p": 445,**
+    "action": "SMB::FILE_OPEN",
+    "path": "\\\\admin-pc\\ADMIN$",
+    **"name": "PSEXESVC.exe",**
+    "size": 0,
+    "times.modified": 1507565599.607777,
+    "times.accessed": 1507565599.607777,
+    "times.created": 1507565599.607777,
+    "times.changed": 1507565599.607777
+  }
+
+As we noted earlier, use of :file:`psexecsvc.exe` is likely malicious as
+intruders use it to run :program:`PsExec` on remote systems.
+
+We can summarize all of the entries in :file:`smb_files.log` with the following
+syntax:
+
+.. code-block:: console
+
+  $ jq -c '[."action", ."path", ."name"]' smb_files.log
+
+::
+
+  ["SMB::FILE_OPEN","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
+  ["SMB::FILE_WRITE","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
+  ["SMB::FILE_WRITE","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
+  ["SMB::FILE_OPEN","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
+  ["SMB::FILE_DELETE","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
+
+This does not give us any more context but it shows the sorts of data in the
+:file:`smb_files.log`.
+
+:file:`extract_files/`, :file:`files.log`, and :file:`pe.log`, and VirusTotal
+-----------------------------------------------------------------------------
+
+As we did in a previous case, we can look into the files that Zeek and BZAR
+captured for this activity.
+
+The :file:`extract_files/` directory contains one executable file::
+
+  extract_files/C6HQVsDf8VCu0XTJe_FtIFnm3ZqI1s96P74l__admin-pc_ADMIN$PSEXESVC.exe: PE32 executable (console) Intel 80386, for MS Windows
+
+Zeek’s :file:`files.log` says the following about it:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565599.578328,
+    "fuid": "FtIFnm3ZqI1s96P74l",
+    "uid": "C6HQVsDf8VCu0XTJe",
+    "id.orig_h": "192.168.10.31",
+    "id.orig_p": 49239,
+    "id.resp_h": "192.168.10.30",
+    "id.resp_p": 445,
+    "source": "SMB",
+    "depth": 0,
+    "analyzers": [
+      "MD5",
+      "SHA1",
+      "PE",
+      "EXTRACT",
+      "SHA256"
+    ],
+    "mime_type": "application/x-dosexec",
+    **"filename": "PSEXESVC.exe",**
+    "duration": 0.0006651878356933594,
+    "is_orig": true,
+    "seen_bytes": 145568,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false,
+    "md5": "75b55bb34dac9d02740b9ad6b6820360",
+    "sha1": "a17c21b909c56d93d978014e63fb06926eaea8e7",
+    "sha256": "141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944",
+    "extracted": "C6HQVsDf8VCu0XTJe_FtIFnm3ZqI1s96P74l__admin-pc_ADMIN$PSEXESVC.exe",
+    "extracted_cutoff": false
+  }
+
+Zeek’s :file:`pe.log` says the following:
+
+.. literal-emph::
+
+  {
+    "ts": 1507565599.578328,
+    "id": "FtIFnm3ZqI1s96P74l",
+    "machine": "I386",
+    **"compile_ts": 1467139314,**
+    "os": "Windows XP",
+    "subsystem": "WINDOWS_CUI",
+    "is_exe": true,
+    "is_64bit": false,
+    "uses_aslr": true,
+    "uses_dep": true,
+    "uses_code_integrity": false,
+    "uses_seh": true,
+    "has_import_table": true,
+    "has_export_table": false,
+    "has_cert_table": true,
+    "has_debug_data": false,
+    "section_names": [
+      ".text",
+      ".rdata",
+      ".data",
+      ".rsrc",
+      ".reloc"
+    ]
+  }
+
+The compile time translates to human readable format as this:
+
+.. code-block:: console
+
+  $ date -d @1467139314
+
+::
+
+  Tue Jun 28 18:41:54 UTC 2016
+
+We can also check VirusTotal using the MD5 hash:
+
+.. code-block:: console
+
+  $ vt file "75b55bb34dac9d02740b9ad6b6820360"
+
+.. literal-emph::
+
+  - _id: "141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944"
+    _type: "file"
+    authentihash: "62287971b29db5858ceaf92e9db310862e9082608f9dd3ac7f5ed3f71c7cfc38"
+    **creation_date: 1467139314  # 2016-06-28 18:41:54 +0000 UTC**
+    **first_seen_itw_date: 1463443155  # 2016-05-16 23:59:15 +0000 UTC**
+    **first_submission_date: 1467293310  # 2016-06-30 13:28:30 +0000 UTC**
+    **last_analysis_date: 1606108041  # 2020-11-23 05:07:21 +0000 UTC**
+    last_analysis_results:
+      ALYac:
+        category: "undetected"
+        engine_name: "ALYac"
+        engine_update: "20201123"
+        engine_version: "1.1.1.5"
+        method: "blacklist"
+  ...truncated…
+
+The various dates for this copy of :program:`PsExecSvc` are interesting.
+
+I am not sure how to account for a first seen in the wild date that precedes
+the creation date. I think it’s interesting that only a few hours before I
+worked with this sample, someone else was doing the same thing, but via
+uploading the executable!
+
+After this analysis, all we know is that :program:`PsExecSvc` is being used
+successfully against ``192.168.10.31``. Mr. Marx’s paper notes that his
+activity involved retrieving a file from the target. We cannot tell that from
+these logs. This is an example of using Zeek logs to identify suspicious or
+malicious activity, and then pivoting to host-centric data to determine exactly
+what is happening.
+
+:file:`ntlm.log`
+----------------
+
+One log we have not seen in any of these cases is the :file:`ntlm.log`. This
+log captures old-style Windows NT Lan Manager (NTLM) authentication details.
+The packet capture :file:`smb-on-windows-10.pcapng` provided by the Wireshark
+project produces a :file:`ntlm.log` when Zeek processes it.
+
+Ref: https://wiki.wireshark.org/SMB2
+
+.. literal-emph::
+
+  {
+    "ts": 1476605364.033848,
+    "uid": "CNicnvp8Qdqbqm96a",
+    "id.orig_h": "192.168.199.133",
+    "id.orig_p": 49672,
+    "id.resp_h": "192.168.199.1",
+    "id.resp_p": 139,
+    "hostname": "DESKTOP-V1FA0UQ",
+    "server_nb_computer_name": "SCV",
+    "server_dns_computer_name": "SCV",
+    **"success": true**
+  }
+  {
+    "ts": 1476605590.442053,
+    "uid": "CLVEN87g2bfZgXqP5",
+    "id.orig_h": "192.168.199.132",
+    "id.orig_p": 49670,
+    "id.resp_h": "192.168.199.133",
+    "id.resp_p": 445,
+    "username": "user",
+    "hostname": "DESKTOP-2AEFM7G",
+    "domainname": "DESKTOP-2AEFM7G",
+    "server_nb_computer_name": "DESKTOP-V1FA0UQ",
+    "server_dns_computer_name": "DESKTOP-V1FA0UQ"
+  }
+  {
+    "ts": 1476605590.474118,
+    "uid": "C74tDzQl0ttE8v813",
+    "id.orig_h": "192.168.199.132",
+    "id.orig_p": 49671,
+    "id.resp_h": "192.168.199.133",
+    "id.resp_p": 445,
+    "username": "user",
+    "hostname": "DESKTOP-2AEFM7G",
+    "domainname": "DESKTOP-2AEFM7G",
+    "server_nb_computer_name": "DESKTOP-V1FA0UQ",
+    "server_dns_computer_name": "DESKTOP-V1FA0UQ"
+  }
+  {
+    "ts": 1476605590.484196,
+    "uid": "CzLJgJ2nrXGMxvnXze",
+    "id.orig_h": "192.168.199.132",
+    "id.orig_p": 49672,
+    "id.resp_h": "192.168.199.133",
+    "id.resp_p": 445,
+    "username": "user",
+    "hostname": "DESKTOP-2AEFM7G",
+    "domainname": "DESKTOP-2AEFM7G",
+    "server_nb_computer_name": "DESKTOP-V1FA0UQ",
+    "server_dns_computer_name": "DESKTOP-V1FA0UQ"
+  }
+  {
+    "ts": 1476605590.496004,
+    "uid": "Ct46uQ2dOQuqnp5YPj",
+    "id.orig_h": "192.168.199.132",
+    "id.orig_p": 49673,
+    "id.resp_h": "192.168.199.133",
+    "id.resp_p": 445,
+    "username": "user",
+    "hostname": "DESKTOP-2AEFM7G",
+    "domainname": "DESKTOP-2AEFM7G",
+    "server_nb_computer_name": "DESKTOP-V1FA0UQ",
+    "server_dns_computer_name": "DESKTOP-V1FA0UQ"
+  }
+  {
+    "ts": 1476605609.93236,
+    "uid": "CQorcF2L5fLEA4EImh",
+    "id.orig_h": "192.168.199.132",
+    "id.orig_p": 49674,
+    "id.resp_h": "192.168.199.133",
+    "id.resp_p": 445,
+    "username": "Tim Tester",
+    "hostname": "DESKTOP-2AEFM7G",
+    "domainname": "DESKTOP-2AEFM7G",
+    "server_nb_computer_name": "DESKTOP-V1FA0UQ",
+    "server_dns_computer_name": "DESKTOP-V1FA0UQ"
+  }
+  {
+    "ts": 1476605761.4297,
+    "uid": "CBbRT6X875vQPAgJj",
+    "id.orig_h": "192.168.199.132",
+    "id.orig_p": 49675,
+    "id.resp_h": "192.168.199.133",
+    "id.resp_p": 445,
+    "username": "Willi Wireshark",
+    "hostname": "DESKTOP-2AEFM7G",
+    "domainname": "DESKTOP-2AEFM7G",
+    "server_nb_computer_name": "DESKTOP-V1FA0UQ",
+    "server_dns_computer_name": "DESKTOP-V1FA0UQ",
+    **"success": true**
+  }
+
+This pcap produces a lot of Zeek logs, so I wanted to only show these entries.
+Analysts would probably take two investigative steps. First, should
+``192.168.199.132`` be trying to access these other systems? Second, should the
+authentication have succeeded, as denoted by the two “true” results?
+
+Conclusion
+==========
+
+This has been a large section, but the goal was to present a set of cases and
+show how Zeek and BZAR (when available) made sense of them. I recommend reading
+Mr. Marx’s paper for more details as well.
diff --git a/doc/logs/smtp.rst b/doc/logs/smtp.rst
new file mode 100644
index 0000000000..1e190480c0
--- /dev/null
+++ b/doc/logs/smtp.rst
@@ -0,0 +1,847 @@
+========
+smtp.log
+========
+
+In the section discussing the :file:`http.log`, we noted that most HTTP traffic
+is now encrypted and transmitted as HTTPS. We face a similar situation with
+Simple Mail Transfer Protocol (SMTP). For a protocol with “simple” in its name,
+modern instantiations of SMTP are surprisingly complex.
+
+For the purpose of this article, it’s sufficient to recognize that a mail user
+agent (MUA) seeking to submit email via SMTP will contact a mail submission
+agent (MSA). Modern implementations will use ports 587 or 465 TCP, which is
+encrypted using TLS. Unencrypted implementations will use port 25 TCP.
+
+Because SMTP traffic on ports 587 or 465 TCP is encrypted, we will not see
+individual emails when observing traffic using those protocols. This section
+will demonstrate how Zeek reports on email traffic using ports 25, 465, and 587
+TCP.
+
+Remember that to see the meaning of each field in the :file:`smtp.log`, check
+:zeek:see:`SMTP::Info`.
+
+Inspecting SMTP Traffic
+=======================
+
+The following is a capture of an SMTP session retrieved from an online packet
+capture database. I have reconstructed the session using :program:`tcpflow` and
+edited it to remove material not necessary to make my point.
+
+.. literal-emph::
+
+  SMTP server: 220-xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500
+  220-We do not authorize the use of this system to transport unsolicited,
+  220 and/or bulk e-mail.
+
+  SMTP client: **EHLO GP**
+
+  SMTP server: 250-xc90.websitewelcome.com Hello GP [122.162.143.157]
+  250-SIZE 52428800
+  250-PIPELINING
+  250-AUTH PLAIN LOGIN
+  250-STARTTLS
+  250 HELP
+
+  SMTP client: **AUTH LOGIN**
+
+  SMTP server: 334 VXNlcm5hbWU6
+
+  SMTP client: **Z3VycGFydGFwQHBhdHJpb3RzLmlu**
+
+  SMTP server: 334 UGFzc3dvcmQ6
+
+  SMTP client: **cHVuamFiQDEyMw==**
+
+  SMTP server: 235 Authentication succeeded
+
+  SMTP client: **MAIL FROM: <gurpartap@patriots.in>**
+
+  SMTP server: 250 OK
+
+  SMTP client: **RCPT TO: <raj_deol2002in@yahoo.co.in>**
+
+  SMTP server: 250 Accepted
+
+  SMTP client: **DATA**
+
+  SMTP server: 354 Enter message, ending with "." on a line by itself
+
+  SMTP client: **From: "Gurpartap Singh" <gurpartap@patriots.in>**
+  **To: <raj_deol2002in@yahoo.co.in>**
+  **Subject: SMTP**
+  **Date: Mon, 5 Oct 2009 11:36:07 +0530**
+  **Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>**
+  **MIME-Version: 1.0**
+  **Content-Type: multipart/mixed;**
+  **.boundary="----=_NextPart_000_0004_01CA45B0.095693F0"**
+  **X-Mailer: Microsoft Office Outlook 12.0**
+  **Thread-Index: AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==**
+  **Content-Language: en-us**
+  **x-cr-hashedpuzzle: SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=**
+  **x-cr-puzzleid: {CAA37F59-1850-45C7-8540-AA27696B5398}**
+
+  **This is a multipart message in MIME format.**
+
+  **------=_NextPart_000_0004_01CA45B0.095693F0**
+  **Content-Type: multipart/alternative;**
+  **.boundary="----=_NextPart_001_0005_01CA45B0.095693F0"**
+
+
+  **------=_NextPart_001_0005_01CA45B0.095693F0**
+  **Content-Type: text/plain;**
+  **.charset="us-ascii"**
+  **Content-Transfer-Encoding: 7bit**
+
+  **Hello**
+
+
+
+  **I send u smtp pcap file**
+
+  **Find the attachment**
+
+
+
+  **GPS**
+
+
+  **------=_NextPart_001_0005_01CA45B0.095693F0**
+  **Content-Type: text/html;**
+  **.charset="us-ascii"**
+  **Content-Transfer-Encoding: quoted-printable**
+
+  **<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =**
+  **xmlns:o=3D"urn:schemas-microsoft-com:office:office" =**
+  **xmlns:w=3D"urn:schemas-microso**
+  **SMTP client: ft-com:office:word" =**
+  **xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =**
+  **xmlns=3D"http://www.w3.org/TR/REC-html40">**
+
+  **<head>**
+  **<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =**
+  **charset=3Dus-ascii">**
+  **<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">**
+  **<style>**
+  **<!--**
+  ** /* Font Definitions */**
+  ** @font-face**
+  **...edited...**
+  **  <o:idmap v:ext=3D"edit" data=3D"1" />**
+  ** </o:shapelayout></xml><![endif]-->**
+  **</head>**
+
+  **<body lang=3DEN-US link=3Dblue vlink=3Dpurple>**
+
+  **<div class=3DSection1>**
+  SMTP client:
+
+  **<p class=3DMsoNormal>Hello<o:p></o:p></p>**
+
+  **<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>**
+
+  **<p class=3DMsoNormal>I send u smtp pcap file <o:p></o:p></p>**
+
+  **<p class=3DMsoNormal>Find the attachment<o:p></o:p></p>**
+
+  **<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>**
+
+  **<p class=3DMsoNormal>GPS<o:p></o:p></p>**
+
+  **</div>**
+
+  **</body>**
+
+  **</html>**
+
+  **------=_NextPart_001_0005_01CA45B0.095693F0--**
+
+  **------=_NextPart_000_0004_01CA45B0.095693F0**
+  **Content-Type: text/plain;**
+  **.name="NEWS.txt"**
+  **Content-Transfer-Encoding: quoted-printable**
+  **Content-Disposition: attachment;**
+  **.filename="NEWS.txt"**
+
+  **Version 4.9.9.1**
+  *** Many bug fixes**
+  *** Improved editor**
+  **...edited...**
+  SMTP client: **From: "Gurpartap Singh" <gurpartap@patriots.in>**
+  **To: <raj_deol2002in@yahoo.co.in>**
+  **Subject: SMTP**
+  **Date: Mon, 5 Oct 2009 11:36:07 +0530**
+  **Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>**
+  **MIME-Version: 1.0**
+  **Content-Type: multipart/mixed;**
+  **.boundary="----=_NextPart_000_0004_01CA45B0.095693F0"**
+  **X-Mailer: Microsoft Office Outlook 12.0**
+  **Thread-Index: AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==**
+  **Content-Language: en-us**
+  **x-cr-hashedpuzzle: SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=**
+  **x-cr-puzzleid: {CAA37F59-1850-45C7-8540-AA27696B5398}**
+
+  **This is a multipart message in MIME format.**
+
+  **------=_NextPart_000_0004_01CA45B0.095693F0**
+  **Content-Type: multipart/alternative;**
+  **.boundary="----=_NextPart_001_0005_01CA45B0.095693F0"**
+
+
+  **------=_NextPart_001_0005_01CA45B0.095693F0**
+  **Content-Type: text/plain;**
+  **.charset="us-ascii"**
+  **Content-Transfer-Encoding: 7bit**
+
+  **Hello**
+
+
+
+  **I send u smtp pcap file**
+
+  **Find the attachment**
+
+
+
+  **GPS**
+
+
+  **------=_NextPart_001_0005_01CA45B0.095693F0**
+  **Content-Type: text/html;**
+  **.charset="us-ascii"**
+  **Content-Transfer-Encoding: quoted-printable**
+
+  **<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =**
+  **xmlns:o=3D"urn:schemas-microsoft-com:office:office" =**
+  **xmlns:w=3D"urn:schemas**
+  **SMTP client: -microsoft-com:office:word" =**
+  **xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =**
+  **xmlns=3D"http://www.w3.org/TR/REC-html40">**
+
+  **<head>**
+  **<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =**
+  **charset=3Dus-ascii">**
+  **<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">**
+  **<style>**
+  **...edited...**
+  **  <o:idmap v:ext=3D"edit" data=3D"1" />**
+  ** </o:shapelayout></xml><![endif]-->**
+  **</head>**
+
+  **<body lang=3DEN-US link=3Dblue vlink=3Dpurple>**
+
+  **<div cl**
+  SMTP client: **ass=3DSection1>**
+
+  **<p class=3DMsoNormal>Hello<o:p></o:p></p>**
+
+  **<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>**
+
+  **<p class=3DMsoNormal>I send u smtp pcap file <o:p></o:p></p>**
+
+  **<p class=3DMsoNormal>Find the attachment<o:p></o:p></p>**
+
+  **<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>**
+
+  **<p class=3DMsoNormal>GPS<o:p></o:p></p>**
+
+  **</div>**
+
+  **</body>**
+
+  **</html>**
+
+  **------=_NextPart_001_0005_01CA45B0.095693F0--**
+
+  **------=_NextPart_000_0004_01CA45B0.095693F0**
+  **Content-Type: text/plain;**
+  **.name="NEWS.txt"**
+  **Content-Transfer-Encoding: quoted-printable**
+  **Content-Disposition: attachment;**
+  **.filename="NEWS.txt"**
+
+  **Version 4.9.9.1**
+  *** Many bug fixes**
+  *** Improved editor**
+  **...edited...**
+  *** Allow user to specify an alternate configuration file in Environment =**
+  **Options=20**
+  **...edited...**
+  **Version 4.9.4.1 (5.0 beta 4.1):**
+
+  *** back to gcc 2.95.3**
+  *** Profiling support**
+  *** new update/packages checker (vUpdate)**
+  *** Lots of bugfixes**
+
+  **------=_NextPart_000_00**
+  SMTP client: **04_01CA45B0.095693F0--**
+
+  .
+
+  SMTP server: 250 OK id=1Mugho-0003Dg-Un
+
+  SMTP client: **QUIT**
+
+  SMTP server: 221 xc90.websitewelcome.com closing connection
+
+Looking at these transcripts, it looks like a single message in text and HTML
+formats, sent with ``Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>``, was
+transmitted. It included an attachment that looks like the release notes for
+software. Let’s see what Zeek can make of this.
+
+Inspecting the :file:`smtp.log`
+===============================
+
+One of the best aspects of Zeek is making sense of all of the information
+present in a protocol that Zeek understands. Here is the entry from the
+:file:`smtp.log` for the email shown above.
+
+::
+
+  {
+    "ts": 1254722768.219663,
+    "uid": "C1qe8w3QHRF2N5tVV5",
+    "id.orig_h": "10.10.1.4",
+    "id.orig_p": 1470,
+    "id.resp_h": "74.53.140.153",
+    "id.resp_p": 25,
+    "trans_depth": 1,
+    "helo": "GP",
+    "mailfrom": "gurpartap@patriots.in",
+    "rcptto": [
+      "raj_deol2002in@yahoo.co.in"
+    ],
+    "date": "Mon, 5 Oct 2009 11:36:07 +0530",
+    "from": "\"Gurpartap Singh\" <gurpartap@patriots.in>",
+    "to": [
+      "<raj_deol2002in@yahoo.co.in>"
+    ],
+    "msg_id": "<000301ca4581$ef9e57f0$cedb07d0$@in>",
+    "subject": "SMTP",
+    "last_reply": "250 OK id=1Mugho-0003Dg-Un",
+    "path": [
+      "74.53.140.153",
+      "10.10.1.4"
+    ],
+    "user_agent": "Microsoft Office Outlook 12.0",
+    "tls": false,
+    "fuids": [
+      "Fel9gs4OtNEV6gUJZ5",
+      "Ft4M3f2yMvLlmwtbq9",
+      "FL9Y0d45OI4LpS6fmh"
+    ]
+  }
+
+Fields like the ``mailfrom``, ``rcptto``, ``from``, and ``to`` fields are also
+easy to see in this log output. The ``user_agent``, IP addresses involved in
+transmission (``path``), and the ``msg_id`` are also easy to find. Finally,
+Zeek provides three file identifiers that we can use to find associated
+extracted files, if any are present.
+
+Inspecting Extracted Files
+==========================
+
+A look into the :file:`extracted_files/` directory yields the following
+entries:
+
+.. code-block:: console
+
+  $ file extract_files/*
+
+::
+
+  extract_files/SMTP-Fel9gs4OtNEV6gUJZ5.txt: ASCII text, with CRLF line terminators
+  extract_files/SMTP-FL9Y0d45OI4LpS6fmh.txt: ASCII text, with CRLF line terminators
+
+We see two files here, both in ASCII text format. They have two of the three
+file identifiers seen in the :file:`smtp.log` entry. The third is likely not
+present because this instance of Zeek was configured to only extract files in
+text format.
+
+Let’s look at the two files using the head application, which by default only
+provides the first 10 lines.
+
+.. code-block:: console
+
+  $ head extract_files/SMTP-Fel9gs4OtNEV6gUJZ5.txt
+
+::
+
+  Hello
+
+
+
+  I send u smtp pcap file
+
+  Find the attachment
+
+.. code-block:: console
+
+  $ head extract_files/SMTP-FL9Y0d45OI4LpS6fmh.txt
+
+::
+
+  Version 4.9.9.1
+  * Many bug fixes
+  * Improved editor
+
+  Version 4.9.9.0
+  * Support for latest Mingw compiler system builds
+  * Bug fixes
+
+  Version 4.9.8.9
+  * New code tooltip display
+
+The first file is the content of the email message. The second file is the
+beginning of the attachment.
+
+Inspecting Zeek Logs for Traffic to Port 465 TCP
+================================================
+
+Analysts are more likely to find encrypted SMTP traffic in modern environments.
+Encrypted SMTP traffic will likely use either port 465 TCP or 587 TCP. In this
+example, we will look at Zeek logs for SMTP traffic using port 465 TCP.
+
+You may see port 465 TCP as “SMTPS,” meaning “SMTP Secure.” This is a defacto
+standard, although it was not officially ratified by the Internet Assigned
+Numbers Authority (IANA). In fact, IANA has assigned port 465 TCP to the “URL
+Rendezvous Directory for SSM,” where SSM probably means Source-Specific
+Multicast (SSM). However, IANA’s Service Name and Transport Protocol Port
+Number Registry also lists “Message Submission over TLS” for port 465 TCP,
+which is the encrypted version of its entry for port 25 TCP and SMTP.
+
+http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
+
+In any case, for a sample SMTPS of port 465 TCP traffic for SMTP connection,
+Zeek produced the following logs.
+
+First is a :file:`conn.log` entry, where SSL is seen as the service:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-15T13:14:33.101858Z",
+    "uid": "CZ4iBM3vh98hH5GmV",
+    "id.orig_h": "192.168.4.43",
+    "id.orig_p": 61329,
+    "id.resp_h": "74.125.192.108",
+    **"id.resp_p": 465,**
+    "proto": "tcp",
+    **"service": "ssl",**
+    "duration": 0.08411312103271484,
+    "orig_bytes": 348,
+    "resp_bytes": 3257,
+    "conn_state": "SF",
+    "local_orig": true,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "history": "ShADdafF",
+    "orig_pkts": 11,
+    "orig_ip_bytes": 800,
+    "resp_pkts": 10,
+    "resp_ip_bytes": 3669,
+    "community_id": "1:NArgsDn5hgq6xjy6xTiMPZCgDKE="
+  }
+
+Zeek created two :file:`files.log` entries for observed x509 certificates:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-15T13:14:33.157292Z",
+    "fuid": "F2cHKgS8RS2OyLdI4",
+    "uid": "CZ4iBM3vh98hH5GmV",
+    "id.orig_h": "192.168.4.43",
+    "id.orig_p": 61329,
+    "id.resp_h": "74.125.192.108",
+    "id.resp_p": 465,
+    "source": "SSL",
+    "depth": 0,
+    "analyzers": [
+      "X509",
+      "MD5",
+      "SHA1"
+    ],
+    **"mime_type": "application/x-x509-user-cert",**
+    "duration": 0,
+    "local_orig": false,
+    "is_orig": false,
+    "seen_bytes": 1228,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false,
+    "md5": "772f22ceaa7d6e285a9068718e8251af",
+    "sha1": "5849d577c3f434125724459e3b32025247fda56d"
+  }
+
+  {
+    "ts": "2020-08-15T13:14:33.157292Z",
+    "fuid": "Fl9EEK26t5qzDVW3vf",
+    "uid": "CZ4iBM3vh98hH5GmV",
+    "id.orig_h": "192.168.4.43",
+    "id.orig_p": 61329,
+    "id.resp_h": "74.125.192.108",
+    "id.resp_p": 465,
+    "source": "SSL",
+    "depth": 0,
+    "analyzers": [
+      "X509",
+      "MD5",
+      "SHA1"
+    ],
+    **"mime_type": "application/x-x509-ca-cert",**
+    "duration": 0,
+    "local_orig": false,
+    "is_orig": false,
+    "seen_bytes": 1102,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false,
+    "md5": "dbb23c939236012e71d5f44dbc2acea0",
+    "sha1": "dfe2070c79e7ff36a925ffa327ffe3deecf8f9c2"
+  }
+
+Finally Zeek created a :file:`ssl.log` entry with a ``server_name`` field that
+helps us see that the encrypted traffic was probably SMTP:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-15T13:14:33.157292Z",
+    "uid": "CZ4iBM3vh98hH5GmV",
+    "id.orig_h": "192.168.4.43",
+    "id.orig_p": 61329,
+    "id.resp_h": "74.125.192.108",
+    "id.resp_p": 465,
+    "version": "TLSv12",
+    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "curve": "x25519",
+    **"server_name": "smtp.gmail.com",**
+    "resumed": false,
+    "established": true,
+    "cert_chain_fuids": [
+      "F2cHKgS8RS2OyLdI4",
+      "Fl9EEK26t5qzDVW3vf"
+    ],
+    "client_cert_chain_fuids": [],
+    "validation_status": "ok"
+  }
+
+Inspecting Zeek Logs for Traffic to Port 587 TCP
+================================================
+
+The default server port for encrypted SMTP message submission is port 587 TCP.
+
+For a sample SMTPS of port 587 TCP traffic for SMTP connection, Zeek produced
+the following logs.
+
+First is a :file:`conn.log` entry, where SSL and SMTP are seen as the services:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-09T23:31:46.626484Z",
+    "uid": "CCqmLfIrqQeWvXol4",
+    "id.orig_h": "192.168.4.41",
+    "id.orig_p": 49334,
+    **"id.resp_h": "17.42.251.41",**
+    "id.resp_p": 587,
+    "proto": "tcp",
+    "**service": "ssl,smtp",**
+    "duration": 61.12906002998352,
+    "orig_bytes": 1659,
+    "resp_bytes": 7198,
+    "conn_state": "SF",
+    "local_orig": true,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "history": "ShAdDafFr",
+    "orig_pkts": 29,
+    "orig_ip_bytes": 3179,
+    "resp_pkts": 26,
+    "resp_ip_bytes": 8534,
+    "community_id": "1:wM+UdwdNy9VK/LEhFBTcQCtAqo8="
+  }
+
+Note that is different from the port 465 TCP session, where only SSL was noted.
+
+Next are three :file:`files.log` entries for x509 certificates.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-09T23:31:46.800843Z",
+    "fuid": "FmLTdUtlSHFynFf4j",
+    "uid": "CCqmLfIrqQeWvXol4",
+    "id.orig_h": "192.168.4.41",
+    "id.orig_p": 49334,
+    "id.resp_h": "17.42.251.41",
+    "id.resp_p": 587,
+    "source": "SSL",
+    "depth": 0,
+    "analyzers": [
+      "X509",
+      "SHA1",
+      "MD5"
+    ],
+    **"mime_type": "application/x-x509-user-cert",**
+    "duration": 0,
+    "local_orig": false,
+    "is_orig": false,
+    "seen_bytes": 3939,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false,
+    "md5": "484d47f1b847d67981eade5b2b1f5618",
+    "sha1": "c262f01e83d6ce0c361e8b049e5be8fe6e55806b"
+  }
+  {
+    "ts": "2020-08-09T23:31:46.800843Z",
+    "fuid": "F5ITBU2e5kcvYpOZJd",
+    "uid": "CCqmLfIrqQeWvXol4",
+    "id.orig_h": "192.168.4.41",
+    "id.orig_p": 49334,
+    "id.resp_h": "17.42.251.41",
+    "id.resp_p": 587,
+    "source": "SSL",
+    "depth": 0,
+    "analyzers": [
+      "X509",
+      "SHA1",
+      "MD5"
+    ],
+    **"mime_type": "application/x-x509-ca-cert",**
+    "duration": 0,
+    "local_orig": false,
+    "is_orig": false,
+    "seen_bytes": 1092,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false,
+    "md5": "48f0e38385112eeca5fc9ffd402eaecd",
+    "sha1": "8e8321ca08b08e3726fe1d82996884eeb5f0d655"
+  }
+  {
+    "ts": "2020-08-09T23:31:46.800843Z",
+    "fuid": "F453Xk1oZcMiI6X3a7",
+    "uid": "CCqmLfIrqQeWvXol4",
+    "id.orig_h": "192.168.4.41",
+    "id.orig_p": 49334,
+    "id.resp_h": "17.42.251.41",
+    "id.resp_p": 587,
+    "source": "SSL",
+    "depth": 0,
+    "analyzers": [
+      "X509",
+      "SHA1",
+      "MD5"
+    ],
+    **"mime_type": "application/x-x509-ca-cert",**
+    "duration": 0,
+    "local_orig": false,
+    "is_orig": false,
+    "seen_bytes": 856,
+    "missing_bytes": 0,
+    "overflow_bytes": 0,
+    "timedout": false,
+    "md5": "f775ab29fb514eb7775eff053c998ef5",
+    "sha1": "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212"
+  }
+
+Next we have a :file:`smtp.log` entry that shows the clear text fields Zeek
+could extract prior to the negotiation of encryption:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-09T23:31:46.696892Z",
+    "uid": "CCqmLfIrqQeWvXol4",
+    "id.orig_h": "192.168.4.41",
+    "id.orig_p": 49334,
+    "id.resp_h": "17.42.251.41",
+    **"id.resp_p": 587,**
+    "trans_depth": 1,
+    **"helo": "[192.168.4.41]",**
+    **"last_reply": "220 2.0.0 Ready to start TLS",**
+    "path": [
+      "17.42.251.41",
+      "192.168.4.41"
+    ],
+    "tls": true,
+    "fuids": [],
+    "is_webmail": false
+  }
+
+Finally we have a :file:`ssl.log` entry with a helpful ``server_name`` implying
+that this SMTP traffic.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-09T23:31:46.800843Z",
+    "uid": "CCqmLfIrqQeWvXol4",
+    "id.orig_h": "192.168.4.41",
+    "id.orig_p": 49334,
+    "id.resp_h": "17.42.251.41",
+    **"id.resp_p": 587,**
+    "version": "TLSv12",
+    "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "curve": "secp256r1",
+    **"server_name": "p71-smtp.mail.me.com",**
+    "resumed": false,
+    "established": true,
+    "cert_chain_fuids": [
+      "FmLTdUtlSHFynFf4j",
+      "F5ITBU2e5kcvYpOZJd",
+      "F453Xk1oZcMiI6X3a7"
+    ],
+    "client_cert_chain_fuids": [],
+    "validation_status": "ok"
+  }
+
+It is helpful that the more standardized protocol running on port 587 TCP has
+more SMTP-related coverage, despite being encrypted.
+
+Other Email Protocols: IMAP over TLS
+====================================
+
+Before finishing this section, it might be helpful to look at two other email
+protocols and what Zeek makes of them.
+
+Internet Message Access Protocol (IMAP) is a protocol that clients use to
+retrieve email from mail servers. The server for the clear-text variant listens
+on port 143 TCP. The encrypted variant, IMAP over TLS (referred to earlier as
+IMAP over SSL), listens on port 993 TCP.
+
+There is currently no :file:`imap.log` created by Zeek for the unencrypted or
+encrypted variants.
+
+The following example shows what Zeek sees when IMAP over TLS is active on port
+993 TCP.
+
+Zeek creates a :file:`conn.log` entry, as per usual, with the next service
+identified as SSL:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-17T03:01:16.752745Z",
+    "uid": "CZzvVe1KOD9D1TewCk",
+    "id.orig_h": "192.168.4.23",
+    "id.orig_p": 61579,
+    "id.resp_h": "172.253.122.108",
+    **"id.resp_p": 993,**
+    "proto": "tcp",
+    **"service": "ssl",**
+    "duration": 0.8354301452636719,
+    "orig_bytes": 1582,
+    "resp_bytes": 2499,
+    "conn_state": "SF",
+    "local_orig": true,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "history": "ShADadFfR",
+    "orig_pkts": 37,
+    "orig_ip_bytes": 3482,
+    "resp_pkts": 35,
+    "resp_ip_bytes": 4327,
+    "community_id": "1:Ug0SOBN+9zdqsSiesc5zQf9mr+I="
+  }
+
+The ``server_name`` in the :file:`ssl.log` entry indicates that this is a IMAP
+session.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-08-17T03:01:16.865252Z",
+    "uid": "CZzvVe1KOD9D1TewCk",
+    "id.orig_h": "192.168.4.23",
+    "id.orig_p": 61579,
+    "id.resp_h": "172.253.122.108",
+    **"id.resp_p": 993,**
+    **"version": "TLSv13",**
+    "cipher": "TLS_AES_128_GCM_SHA256",
+    "curve": "x25519",
+    **"server_name": "imap.gmail.com",**
+    "resumed": true,
+    "established": true
+  }
+
+Note the use of TLS 1.3. Because this protocol is used, we do not have
+certificate details, i.e., there are no :file:`files.log` or :file:`x509.log`
+details.
+
+Other Email Protocols: POP over TLS
+===================================
+
+A protocol similar to IMAP using a different port is Post Office Protocol
+(POP). The traditional unencrypted server listens on port 110 TCP. The
+encrypted variant listens on port 995 TCP. As before, here are two entries.
+
+There is currently no :file:`pop.log` created by Zeek for the unencrypted or
+encrypted variants.
+
+The following example shows what Zeek sees when POP over TLS is active on port
+995 TCP.
+
+Zeek creates a :file:`conn.log` entry, as per usual, with the next service
+identified as SSL:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-07-02T21:19:34.048427Z",
+    "uid": "CzhwYd95h2GWh9bD8",
+    "id.orig_h": "192.168.4.42",
+    "id.orig_p": 50938,
+    "id.resp_h": "142.250.31.109",
+    **"id.resp_p": 995,**
+    "proto": "tcp",
+    **"service": "ssl",**
+    "duration": 11.121870994567871,
+    "orig_bytes": 2056,
+    "resp_bytes": 1034478,
+    "conn_state": "SF",
+    "local_orig": true,
+    "local_resp": false,
+    "missed_bytes": 0,
+    "history": "ShADadtfFr",
+    "orig_pkts": 226,
+    "orig_ip_bytes": 11156,
+    "resp_pkts": 865,
+    "resp_ip_bytes": 1075618,
+    "community_id": "1:41G4TR4OvkRdEhCPft5bqJWyJVc="
+  }
+
+The ``server_name`` in the :file:`ssl.log` entry indicates that this is a IMAP
+session.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-07-02T21:19:34.067004Z",
+    "uid": "CzhwYd95h2GWh9bD8",
+    "id.orig_h": "192.168.4.42",
+    "id.orig_p": 50938,
+    "id.resp_h": "142.250.31.109",
+    **"id.resp_p": 995,**
+    **"version": "TLSv13",**
+    "cipher": "TLS_AES_128_GCM_SHA256",
+    "curve": "x25519",
+    **"server_name": "pop.gmail.com",**
+    "resumed": true,
+    "established": true
+  }
+
+Again note the use of TLS 1.3. Because this protocol is used, we do not have
+certificate details, i.e., there are no :file:`files.log` or :file:`x509.log`
+details.
+
+Conclusion
+==========
+
+This section showed how Zeek renders logs for SMTP traffic, whether using an
+older clear text or modern encrypted version. It is helpful to query Zeek logs
+periodically to determine what sorts of SMTP traffic is present in your
+environment.
diff --git a/doc/logs/ssh.rst b/doc/logs/ssh.rst
new file mode 100644
index 0000000000..22668cf80e
--- /dev/null
+++ b/doc/logs/ssh.rst
@@ -0,0 +1,232 @@
+=======
+ssh.log
+=======
+
+Secure Shell (SSH) is one of the fundamental protocols of the Internet age.
+System administrators use SSH to securely access systems, typically running a
+SSH has always been encrypted, so security analysts have never examined its
+contents as they may have done with Telnet or other clear text system
+administration protocols.
+
+Zeek seeks to provide a variety of details about SSH sessions.
+
+For more detail on each field, please see :zeek:see:`SSH::Info`.
+
+Lateral Movement
+================
+
+In the first example we will look at lateral movement. This term refers to a
+connection between two systems on the same subnet, or at least within the same
+network or organization.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-16T13:39:18.425492Z",
+    "uid": "C72qTo2v3FBhwysEIc",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 54161,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 22,
+    "version": 2,
+    **"auth_success": true,**
+    **"auth_attempts": 1,**
+    "client": "SSH-2.0-SecureBlackbox",
+    "server": "SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1",
+    "cipher_alg": "aes128-ctr",
+    "mac_alg": "umac-64@openssh.com",
+    "compression_alg": "none",
+    "kex_alg": "diffie-hellman-group1-sha1",
+    "host_key_alg": "ssh-rsa",
+    "host_key": "f9:1f:45:88:dd:da:82:c5:7c:9d:75:c3:ac:e6:f4:f6",
+    "hasshVersion": "1.0",
+    "hassh": "3f0109679e469fced2c82384f0fa3917",
+    "hasshServer": "b003da101c8caf37ce9e3ca3cd9d049b",
+    "cshka": "ssh-rsa,ssh-dss",
+    "hasshAlgorithms": "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1;aes128-ctr,aes192-ctr,aes256-ctr;umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160@openssh.com,hmac-ripemd160;none,zlib,zlib@openssh.com",
+    "sshka": "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519",
+    "hasshServerAlgorithms": "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com"
+  }
+
+There’s a lot to this log. I’ve bolded the central elements as these are
+probably the most immediately actionable elements. They indicate that a client
+(``192.168.4.142``) successfully logged into a SSH server (``192.168.4.1``).
+
+The rest of the data generally profiles the nature of the client and server and
+the encryption they used for the session. For example, the various ``hassh``
+fields come from the `HASSH Zeek package
+<https://github.com/corelight/hassh>`_ and are similar to the JA3 and JA3S
+packages mentioned in the :file:`ssl.log` chapter.
+
+The ``hassh`` field provides a hash characterizing the encryption offered by
+the SSH client. The hasshServer field characterizes the encryption offered by
+the SSH server.
+
+Failed Lateral Movement
+=======================
+
+In the following example, I created failed logins to generate Zeek logs. Here I
+entered a wrong password, then hit the return key twice.
+
+.. code-block:: console
+
+  $ ssh me@192.168.4.1
+
+::
+
+  Welcome to MyServer
+
+  me@192.168.4.1's password: **[wrong password entered]**
+  me@192.168.4.1's password: **[no password, return]**
+  me@192.168.4.1's password: **[no password, return]**
+  Permission denied (publickey,password).
+
+Zeek produced the following log:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-16T14:23:41.005323Z",
+    "uid": "COfRkd4UVXYwu1GTqh",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 57442,
+    "id.resp_h": "192.168.4.1",
+    "id.resp_p": 22,
+    "version": 2,
+    **"auth_attempts": 0,**
+    "client": "SSH-2.0-OpenSSH_7.5",
+    "server": "SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1",
+    "cipher_alg": "aes128-ctr",
+    "mac_alg": "hmac-md5",
+    "compression_alg": "zlib@openssh.com",
+    "kex_alg": "curve25519-sha256@libssh.org",
+    "host_key_alg": "ssh-rsa",
+    "host_key": "f9:1f:45:88:dd:da:82:c5:7c:9d:75:c3:ac:e6:f4:f6",
+    "hasshVersion": "1.0",
+    "hassh": "0d7f08c427fb41f68ec40fbe8fb7b5cb",
+    "hasshServer": "b003da101c8caf37ce9e3ca3cd9d049b",
+    "cshka": "ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519",
+    "hasshAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,arcfour,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se;hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com;zlib@openssh.com,zlib,none",
+    "sshka": "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519",
+    "hasshServerAlgorithms": "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com"
+  }
+
+Notice there is no entry like this from the successful login::
+
+  "auth_success": true,
+
+That is helpful. However, there is the following entry, which is odd::
+
+  "auth_attempts": 0,
+
+There was definitely at least one authentication attempt. I cannot explain this
+result.
+
+Outbound Movement
+=================
+
+One aspect of Zeek’s :file:`ssh.log` that I find useful is the determination if
+the SSH login was “inbound” or “outbound”. In the following example, we see a
+login from the enterprise using the ``192.168.4.0/24`` network, to a host on the
+Internet:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-16T13:08:58.933098Z",
+    "uid": "Cjmfpo49s3lei7CBla",
+    **"id.orig_h": "192.168.4.49",**
+    "id.orig_p": 39550,
+    **"id.resp_h": "205.166.94.16",**
+    **"id.resp_p": 22,**
+    "version": 2,
+    **"auth_success": true,**
+    "auth_attempts": 2,
+    **"direction": "OUTBOUND",**
+    "client": "SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u7",
+    "server": "SSH-2.0-OpenSSH_8.0",
+    "cipher_alg": "chacha20-poly1305@openssh.com",
+    "mac_alg": "umac-64-etm@openssh.com",
+    "compression_alg": "none",
+    "kex_alg": "curve25519-sha256",
+    "host_key_alg": "ssh-ed25519",
+    "host_key": "e4:ff:65:d7:be:5d:c8:44:1d:89:6b:50:f5:50:a0:ce",
+    "hasshVersion": "1.0",
+    "hassh": "0df0d56bb50c6b2426d8d40234bf1826",
+    "hasshServer": "b12d2871a1189eff20364cf5333619ee",
+    "cshka": "ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa",
+    "hasshAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com,zlib",
+    "sshka": "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519",
+    "hasshServerAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com"
+  }
+
+Analysts can use this sort of log entry to identify when systems for which they
+are responsible are connecting to SSH servers outside their organization.
+
+Inbound Movement
+================
+
+In the following example, Zeek notices an inbound SSH connection:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-16T13:29:23.245216Z",
+    "uid": "CzEmsljW9ooL0WnBd",
+    **"id.orig_h": "35.196.195.158",**
+    "id.orig_p": 53160,
+    **"id.resp_h": "192.168.4.37",**
+    **"id.resp_p": 22,**
+    "version": 2,
+    **"auth_success": true,**
+    "auth_attempts": 1,
+    **"direction": "INBOUND",**
+    "client": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2",
+    "server": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
+    "cipher_alg": "chacha20-poly1305@openssh.com",
+    "mac_alg": "umac-64-etm@openssh.com",
+    "compression_alg": "none",
+    "kex_alg": "curve25519-sha256",
+    "host_key_alg": "ecdsa-sha2-nistp256",
+    "host_key": "a3:41:03:32:1f:8c:8e:82:92:9f:62:8c:38:82:d3:74",
+    "hasshVersion": "1.0",
+    "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
+    "hasshServer": "b12d2871a1189eff20364cf5333619ee",
+    "cshka": "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa",
+    "hasshAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com,zlib",
+    "sshka": "ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519",
+    "hasshServerAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com"
+  }
+
+If an analyst does not expect this sort of activity, then it could indicate a
+problem.
+
+Failed Movement
+===============
+
+In the following example, we see something a bit different:
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-16T13:29:08.560780Z",
+    "uid": "CFb8DZ1DLzStfZaERb",
+    **"id.orig_h": "205.166.94.9",**
+    "id.orig_p": 55699,
+    **"id.resp_h": "192.168.4.37",**
+    **"id.resp_p": 22,**
+    **"auth_attempts": 0,**
+    **"direction": "INBOUND",**
+    **"server": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3"**
+  }
+
+Notice that there is no successful authentication message. There is also no
+client identification string. We only see the server’s message. I generated
+this activity using Netcat. I connected to port 22 TCP and did not send any
+data.
+
+Conclusion
+==========
+
+This section has provided some details on the elements of the :file:`ssh.log`
+that could be of use to analysts.
diff --git a/doc/logs/ssl.rst b/doc/logs/ssl.rst
new file mode 100644
index 0000000000..2715087c66
--- /dev/null
+++ b/doc/logs/ssl.rst
@@ -0,0 +1,459 @@
+=======
+ssl.log
+=======
+
+In the section discussing the :file:`http.log`, we noted that most HTTP traffic
+is now encrypted and transmitted as HTTPS. Zeek does not create a
+:file:`https.log`, because Zeek (or other network inspection tools, for that
+matter) does not natively recognize HTTP when it is encrypted as HTTPS.
+
+HTTPS is most often encrypted using Transport Layer Security (TLS), which
+presents many variants in live traffic. Zeek parses TLS traffic and records its
+findings in the :file:`ssl.log`. SSL refers to Secure Sockets Layer, an
+obsolete predecessor to TLS.
+
+TLS is not restricted to encrypting HTTPS, however. Many other protocols use
+TLS to encrypt their contents, including Simple Mail Transfer Protocol (SMTP).
+
+Remember that to see the meaning of each field in the :file:`ssl.log`, check
+:zeek:see:`SSL::Info`.
+
+Reviewing TLS Versions Seen on the Network
+==========================================
+
+To get an idea of the sorts of TLS traffic running in my network, I ran the
+following command to search hundreds of days of Zeek :file:`ssl.log` entries:
+
+.. code-block:: console
+
+  $ for i in $(find . -name ssl*.log.gz); do zcat $i; done | jq '[."version"]' | grep -v "\]" | grep -v "\[" | sort -n | uniq -c | sort -rn
+
+::
+
+  11279341   "TLSv12"
+  2877117   "TLSv13"
+   303084   "unknown-64282"
+   198154   null
+    23181   "TLSv10"
+     5756   "TLSv11"
+      348   "DTLSv12"
+       78   "DTLSv10"
+
+TLS 1.0 and 1.1 are obsolete. TLS 1.2 and 1.3 are common, with 1.3 gaining
+ground on 1.2 DTLS is a variant used to encrypt UDP traffic. ``unknown-64282``
+is apparently a Facebook-created variant of TLS 1.3. Almost 20,000 connections
+advertised no TLS version, but were recognized by Zeek as some form of TLS.
+
+To try to see what protocols the TLS might be encrypting, I ran the following
+command to search 10 days of Zeek :file:`ssl.log` entries:
+
+.. code-block:: console
+
+  $ for i in $(find ./2020-08-1* -name ssl*.log.gz); do zcat $i; done | jq -c '[."version", ."next_protocol"]' | sort -n | uniq -c | sort -rn
+
+::
+
+   246868 ["TLSv12",null]
+   144291 ["TLSv13",null]
+    86708 ["TLSv12","http/1.1"]
+    85082 ["TLSv12","h2"]
+     8450 ["unknown-64282",null]
+     1966 [null,null]
+      722 ["TLSv12","apns-pack-v1:4096:4096"]
+      504 ["TLSv10",null]
+      234 ["TLSv10","http/1.1"]
+      154 ["TLSv12","grpc-exp"]
+       83 ["TLSv11",null]
+       13 ["DTLSv12",null]
+
+``HTTP/1.1`` is obviously HTTP. The ``h2`` entry refers to the newer HTTP/2
+protocol. The ``apns-pack-v1:4096:4096`` entry appears to refer to Apple Push
+Notification Service, which utilizes Application Layer Protocol Negotiation
+(ALPN), a TLS extension. The ``grpc-exp`` entry appears to refer to another
+ALPN method that uses the gRPC remote procedure call (RPC) library.
+
+With this brief look at the types of TLS traffic one might find in a network
+done, it’s time to look at a sample connection that generates a :file:`ssl.log` entry.
+
+Preparing to Inspect the :file:`ssl.log`
+========================================
+
+To generate network traffic that uses TLS encryption, I retrieved the index
+page of the https://www.taosecurity.com using :program:`curl`.
+
+After processing the traffic with Zeek, I had several log files to analyze.
+First let’s look at the :file:`conn.log`. We will focus on the Web session
+itself, and not related traffic like any DNS lookups required to resolve the
+hostname to an IP address.
+
+::
+
+  {
+    "ts": 1598377391.716515,
+    "uid": "CsukF91Bx9mrqdEaH9",
+    "id.orig_h": "192.168.4.49",
+    "id.orig_p": 56718,
+    "id.resp_h": "13.32.202.10",
+    "id.resp_p": 443,
+    "proto": "tcp",
+    "service": "ssl",
+    "duration": 0.497269868850708,
+    "orig_bytes": 929,
+    "resp_bytes": 31113,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "ShADadfF",
+    "orig_pkts": 37,
+    "orig_ip_bytes": 2861,
+    "resp_pkts": 34,
+    "resp_ip_bytes": 32889
+  }
+
+We have a client, ``192.168.4.49``, interacting with a server,
+``13.32.202.10``, offering an encrypted service on port 443 TCP. Zeek reports
+this as ``ssl``, but that is a generic term that applies to TLS as well. We can
+use the connection identifier, ``CsukF91Bx9mrqdEaH9``, to find associated Zeek
+logs.
+
+Inspecting the :file:`ssl.log` When TLS 1.2 Applies
+===================================================
+
+Using the connection identifier, we find the associated :file:`ssl.log` entry
+for this conversation.
+
+::
+
+  {
+    "ts": 1598377391.921726,
+    "uid": "CsukF91Bx9mrqdEaH9",
+    "id.orig_h": "192.168.4.49",
+    "id.orig_p": 56718,
+    "id.resp_h": "13.32.202.10",
+    "id.resp_p": 443,
+    "version": "TLSv12",
+    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "curve": "secp256r1",
+    "server_name": "www.taosecurity.com",
+    "resumed": false,
+    "next_protocol": "h2",
+    "established": true,
+    "cert_chain_fuids": [
+      "F2XEvj1CahhdhtfvT4",
+      "FZ7ygD3ERPfEVVohG9",
+      "F7vklpOKI4yX9wmvh",
+      "FAnbnR32nIIr2j9XV"
+    ],
+    "client_cert_chain_fuids": [],
+    "subject": "CN=www.taosecurity.com",
+    "issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US"
+  }
+
+This is a rich log entry that tells us a lot about the connection. We see that
+the server and client agree to speak TLS 1.2, with the designated cipher suite
+and elliptic curve. The server name, ``www.taosecurity.com`` appears, which
+matches the subject of the certificate presented by the Web server. We can see
+that Amazon issued the certificate. The next protocol involved was HTTP/2, as
+the ``next_protocol`` field lists ``h2``. Zeek provides file identifiers for
+the four certificates that the server presented to the client. The client did
+not present any certificates to the server.
+
+We will use the certificate information when we look at the next log in our
+series, the :file:`x509.log`.
+
+Inspecting the :file:`ssl.log` When TLS 1.3 Applies
+===================================================
+
+The last section showed Zeek’s :file:`ssl.log` when visiting a server that
+negotiated a TLS 1.2 connection. The following example shows how the situation
+changes when the parties use TLS 1.3.
+
+To generate the traffic, I used :program:`curl` with a switch to try TLS 1.3
+encryption.
+
+.. code-block:: console
+
+  $ curl -v --tlsv1.3 https://www.taosecurity.com
+
+:program:`curl` provided the following, in addition to the content of the Web
+site:
+
+::
+
+  * Connected to www.taosecurity.com (13.32.202.2) port 443 (#0)
+  * ALPN, offering h2
+  * ALPN, offering http/1.1
+  * successfully set certificate verify locations:
+  *   CAfile: C:\ProgramData\chocolatey\lib\curl\tools\curl-7.72.0-win64-mingw\bin\curl-ca-bundle.crt
+    CApath: none
+  } [5 bytes data]
+  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
+  } [512 bytes data]
+  * TLSv1.3 (IN), TLS handshake, Server hello (2):
+  { [122 bytes data]
+  * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+  { [19 bytes data]
+  * TLSv1.3 (IN), TLS handshake, Certificate (11):
+  { [4880 bytes data]
+  * TLSv1.3 (IN), TLS handshake, CERT verify (15):
+  { [264 bytes data]
+  * TLSv1.3 (IN), TLS handshake, Finished (20):
+  { [36 bytes data]
+  * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+  } [1 bytes data]
+  * TLSv1.3 (OUT), TLS handshake, Finished (20):
+  } [36 bytes data]
+  * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
+  * ALPN, server accepted to use h2
+  * Server certificate:
+  *  subject: CN=www.taosecurity.com
+  *  start date: Jun  1 00:00:00 2020 GMT
+  *  expire date: Jul  1 12:00:00 2021 GMT
+  *  subjectAltName: host "www.taosecurity.com" matched cert's "www.taosecurity.com"
+  *  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
+  *  SSL certificate verify ok.
+  * Using HTTP2, server supports multi-use
+  * Connection state changed (HTTP/2 confirmed)
+  * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
+  } [5 bytes data]
+  * Using Stream ID: 1 (easy handle 0x1f9ff0c7600)
+  } [5 bytes data]
+  > GET / HTTP/2
+  > Host: www.taosecurity.com
+  > user-agent: curl/7.72.0
+  > accept: */*
+  >
+  { [5 bytes data]
+  * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
+  } [5 bytes data]
+  < HTTP/2 200
+  < content-type: text/html
+  < content-length: 28708
+  < date: Tue, 01 Sep 2020 18:07:59 GMT
+  < last-modified: Tue, 01 Sep 2020 14:36:01 GMT
+  < etag: "9a6a530f507d79ba54daa5872b3cad22"
+  < accept-ranges: bytes
+  < server: AmazonS3
+  < vary: Accept-Encoding
+  < x-cache: Miss from cloudfront
+  < via: 1.1 c09a013ad199e52fd50ddc5543a72f45.cloudfront.net (CloudFront)
+  < x-amz-cf-pop: IAD66-C1
+  < x-amz-cf-id: wXc1bcKla5qIePZ29LBk1fgATzgf1jLYiRvSmnyZcb7Q1eB_ZJSbaA==
+  <
+  { [16032 bytes data]
+
+Note that the certificate details are visible here, because we are looking from
+the perspective of the Web client, not a passive network observation system.
+
+Here is the :file:`conn.log`:
+
+::
+
+  {
+    "ts": 1598983678.546522,
+    "uid": "CcJfBs3hXLJn7oHVu7",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 58802,
+    "id.resp_h": "13.32.202.2",
+    "id.resp_p": 443,
+    "proto": "tcp",
+    "service": "ssl",
+    "duration": 0.13053107261657715,
+    "orig_bytes": 831,
+    "resp_bytes": 34650,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "ShADadFf",
+    "orig_pkts": 17,
+    "orig_ip_bytes": 1523,
+    "resp_pkts": 30,
+    "resp_ip_bytes": 35862
+  }
+
+Here is the :file:`ssl.log`:
+
+::
+
+  {
+    "ts": 1598983678.585087,
+    "uid": "CcJfBs3hXLJn7oHVu7",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 58802,
+    "id.resp_h": "13.32.202.2",
+    "id.resp_p": 443,
+    "version": "TLSv13",
+    "cipher": "TLS_AES_128_GCM_SHA256",
+    "curve": "x25519",
+    "server_name": "www.taosecurity.com",
+    "resumed": true,
+    "established": true
+  }
+
+Note that there is no mention of certificates in the :file:`ssl.log`. TLS 1.3
+hides these from passive observation systems. We are able to see the server
+name, ``www.taosecurity.com``, however, as well as some information about the
+encryption used. These include the TLS version, the cipher, and the elliptic
+curve.
+
+Inspecting the :file:`ssl.log` When ESNI/ECH Applies
+====================================================
+
+There is one more concern for an analyst working with the :file:`ssl.log`.
+
+Encrypted Server Name Indication (ESNI) or Encrypted Client Hello (ECH) are
+methods by which the Server Name Identification field is no longer sent as
+plain text. The mechanics of this process are less important than the effects
+on Zeek :file:`ssl.log` entries.
+
+To generate traffic for this example, I used a modern version of Firefox,
+configured to support ESNI, and visited a Web site,
+``https://only.esni.defo.ie/``, that only accepts connections from systems
+supporting ESNI.
+
+After processing the traffic with Zeek, I had the following logs.
+
+First, I had two :file:`conn.log` entries::
+
+  {"ts":1598631659.652789,"uid":"Cg9oVc87cdxWf5Dla","id.orig_h":"192.168.4.142","id.orig_p":63213,"id.resp_h":"185.24.233.103","id.resp_p":443,"proto":"tcp","service":"ssl","duration":5.702061891555786,"orig_bytes":1467,"resp_bytes":3160,"conn_state":"SF","missed_bytes":0,"history":"ShADadTtFf","orig_pkts":11,"orig_ip_bytes":2347,"resp_pkts":8,"resp_ip_bytes":4645}
+
+  {"ts":1598631659.331871,"uid":"Cixuvq2LQrbqxU4Y17","id.orig_h":"192.168.4.142","id.orig_p":63210,"id.resp_h":"185.24.233.103","id.resp_p":443,"proto":"tcp","service":"ssl","duration":6.023154020309448,"orig_bytes":2193,"resp_bytes":45269,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":14,"orig_ip_bytes":2765,"resp_pkts":37,"resp_ip_bytes":46761}
+
+Second, I had two :file:`ssl.log` entries::
+
+  {
+    "ts": 1598631659.431907,
+    "uid": "Cixuvq2LQrbqxU4Y17",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 63210,
+    "id.resp_h": "185.24.233.103",
+    "id.resp_p": 443,
+    "version": "TLSv13",
+    "cipher": "TLS_AES_256_GCM_SHA384",
+    "curve": "x25519",
+    "resumed": true,
+    "established": true
+  }
+  {
+    "ts": 1598631659.752715,
+    "uid": "Cg9oVc87cdxWf5Dla",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 63213,
+    "id.resp_h": "185.24.233.103",
+    "id.resp_p": 443,
+    "version": "TLSv13",
+    "cipher": "TLS_AES_256_GCM_SHA384",
+    "curve": "x25519",
+    "resumed": true,
+    "established": true
+  }
+
+As you can see, there is no identifying information in the :file:`ssl.log`
+here. There are no certificate identifier entries either, although we will talk
+about that log type in the next section. As the visit to
+``https://only.esni.defo.ie/`` also used DNS over HTTPs (DoH), there is no DNS
+record showing the identity of the remote server, as might be revealed in a
+conventional DNS request and response.
+
+As you might expect, this situation has some network security monitoring
+practitioners concerned by the loss of visibility, and the opportunity for
+intruders to leverage ESNI-enabled servers and Doh-enabled clients to evade
+inspection.
+
+Leveraging JA3 and JA3S
+=======================
+
+JA3 and JA3S are mechanisms to profile the TLS implementations on clients and
+servers, respectively. These are clever tools to tell analysts more about each
+end of a connection. To learn more, see the following project page:
+
+https://github.com/salesforce/ja3
+
+When running Zeek with the JA3 and JA3S packages, the scripts will append data
+to the :file:`ssl.log` as follows.
+
+In the first example, a Web client (curl) connects to the Google Web site using
+TLS 1.3. The :file:`ssl.log` shows the following entry.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-16T14:01:26.194646Z",
+    "uid": "CH3QeG4kCxFL8eZrs1",
+    "id.orig_h": "192.168.4.37",
+    "id.orig_p": 58842,
+    "id.resp_h": "172.217.15.100",
+    "id.resp_p": 443,
+    "version": "TLSv13",
+    "cipher": "TLS_AES_256_GCM_SHA384",
+    "curve": "x25519",
+    "server_name": "www.google.com",
+    "resumed": true,
+    "established": true,
+    **"ja3": "3830b2a4fbcea64e74db382e467f5b3b",**
+    **"ja3s": "907bf3ecef1c987c889946b737b43de8"**
+  }
+
+Zeek computes the JA3 (client) and JA3S (server) hashes as shown.
+
+In the second example, the same Web client connects to the Corelight Web site.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-16T13:58:21.878466Z",
+    "uid": "CtbyI4sDwTIPROUv6",
+    "id.orig_h": "192.168.4.37",
+    "id.orig_p": 49572,
+    "id.resp_h": "99.86.230.78",
+    "id.resp_p": 443,
+    "version": "TLSv13",
+    "cipher": "TLS_AES_128_GCM_SHA256",
+    "curve": "x25519",
+    "server_name": "www.corelight.com",
+    "resumed": true,
+    "established": true,
+    **"ja3": "3830b2a4fbcea64e74db382e467f5b3b",**
+    **"ja3s": "f4febc55ea12b31ae17cfb7e614afda8"**
+  }
+
+The JA3 (client) hash has stayed the same, but the JA3S (server) hash has
+changed.
+
+In the third example, the same Web client connects to the TaoSecurity Web site.
+
+.. literal-emph::
+
+  {
+    "ts": "2020-09-16T13:54:57.033503Z",
+    "uid": "CXc63QyS40XspAmcd",
+    "id.orig_h": "192.168.4.37",
+    "id.orig_p": 41608,
+    "id.resp_h": "99.84.222.6",
+    "id.resp_p": 443,
+    "version": "TLSv13",
+    "cipher": "TLS_AES_128_GCM_SHA256",
+    "curve": "x25519",
+    "server_name": "www.taosecurity.com",
+    "resumed": true,
+    "established": true,
+    **"ja3": "0bae189478c11bed9d6259ae0ffc9493",**
+    **"ja3s": "f4febc55ea12b31ae17cfb7e614afda8"**
+  }
+
+This is an odd result. The JA3 (client) hash has changed, but the JA3S (server)
+hash has stayed the same. I can explain the server hash staying the same by
+noting that both the Corelight and TaoSecurity Web sites appear to be hosted by
+Amazon, meaning the Web servers providing each site are offering the same TLS
+parameters.
+
+However, I would have expected the JA3 (client) hash to have been the same as
+the previous two examples. I repeated the connection and got the same JA3 and
+JA3S hashes.
+
+Conclusion
+==========
+
+This section showed that the default :file:`ssl.log` provides several details
+of interest to defenders, even when inspecting encrypted traffic. As
+administrators and intruders deploy newer encryption technologies, however,
+defenders will find it increasingly difficult to differentiate among normal,
+suspicious, and malicious traffic.
diff --git a/doc/logs/traceroute.rst b/doc/logs/traceroute.rst
new file mode 100644
index 0000000000..152466ce06
--- /dev/null
+++ b/doc/logs/traceroute.rst
@@ -0,0 +1,44 @@
+==============
+traceroute.log
+==============
+
+Traceroute is a network diagnostic method by which a system can try to
+determine the intermediate routing devices between it and a remote system.
+Implementations exist for all operating systems. The method generally relies on
+sending Internet Control Message Protocol (ICMP) messages or User Datagram
+Protocol (UDP) datagrams with incrementing Internet Protocol (IP) time to live
+(TTL) values. Some custom implementations use TCP, as it is the IP TTL value
+which is the key to the method. For more on how traceroute works, please
+consult a networking book.
+
+Zeek ships with a script that tries to identify traceroute activity. The script
+tracks ICMP time exceeded messages indicating low TTL values.
+
+For full details on each field in the :file:`traceroute.log` file, please refer
+to :zeek:see:`Traceroute::Info`.
+
+:file:`traceroute.log`
+======================
+
+The :file:`traceroute.log` only contains four fields. Here is an example
+excerpt:
+
+.. literal-emph::
+
+  {"ts":"2020-12-07T05:14:54.202099Z","src":"192.168.4.48","dst":"213.133.109.134",**"proto":"udp"**}
+  {"ts":"2020-12-07T05:14:54.367071Z","src":"192.168.4.48","dst":"131.72.76.118",**"proto":"icmp"**}
+  {"ts":"2020-12-07T05:25:13.222095Z","src":"192.168.4.48","dst":"216.113.20.1","proto":"udp"}
+  {"ts":"2020-12-07T05:30:58.502092Z","src":"192.168.4.48","dst":"193.0.14.129","proto":"udp"}
+
+Beyond the timestamp, source IP address, and destination IP address, the only
+remaining field is the protocol, ``proto``. This field indicates the protocol
+that was used by the :program:`traceroute` program. In the second entry,
+:program:`traceroute` used ICMP. In the other three cases,
+:program:`traceroute` used UDP.
+
+Conclusion
+==========
+
+The :file:`traceroute.log` may not be enabled by default on your Zeek
+installation. It is useful if you want to identify systems using the method to
+try to enumerate routing devices between the initiator and the target.
diff --git a/doc/logs/tunnel.rst b/doc/logs/tunnel.rst
new file mode 100644
index 0000000000..1c040b2422
--- /dev/null
+++ b/doc/logs/tunnel.rst
@@ -0,0 +1,947 @@
+==========
+tunnel.log
+==========
+
+The purpose of Zeek’s :file:`tunnel.log` is to identify encapsulated traffic. A
+common use case in modern networks involves encapsulating IPv6 traffic within
+IPv4. It’s also entirely possible to tunnel IPv4 over IPv6. This document will
+provide a few examples of how Zeek interprets tunneled traffic. The author
+captured the first example on his home network. The remainder appear courtesy
+of the PacketLife Web site operated by Jeremy Stretch:
+
+https://packetlife.net/captures/category/tunneling/
+
+For full details on each field in the :file:`tunnel.log` file, please refer to
+:zeek:see:`Tunnel::Info`.
+
+Teredo
+======
+
+The following example demonstrates Teredo traffic generated by a Microsoft game
+console. Teredo is an encapsulation protocol whereby IPv4 carries IPv6 traffic.
+
+https://docs.microsoft.com/en-us/windows/win32/teredo/portal
+
+:program:`tcpdump` and :program:`tshark`
+----------------------------------------
+
+Here is :program:`tcpdump` output for the traffic in question::
+
+  00:55:58.290539 IP 192.168.4.31.3074 > 40.84.25.61.65444: UDP, length 61
+  00:55:59.321945 IP 192.168.4.31.3074 > 40.84.25.61.3544: UDP, length 61
+  00:55:59.337323 IP 40.84.25.61.3544 > 192.168.4.31.3074: UDP, length 109
+
+Here is :program:`tshark` output for the traffic in question::
+
+    1 192.168.4.31 3074 40.84.25.61  65444 UDP 103 3074 → 65444 Len=61
+    2 fe80::ffff:ffff:fffe 3074 ff02::2      3544 ICMPv6 103 Router Solicitation
+    3 fe80::8000:f227:d7ab:e6c3 3544 fe80::ffff:ffff:fffe 3074 ICMPv6 151 Router Advertisement
+
+Notice that :program:`tshark` shows frames 2 and 3 as IPv6, whereas
+:program:`tcpdump` shows them as IPv4.
+
+Let’s take a closer look at frame 2 to see the encapsulation in detail:
+
+.. literal-emph::
+
+  Frame 2: 103 bytes on wire (824 bits), 103 bytes captured (824 bits)
+      Encapsulation type: Ethernet (1)
+      Arrival Time: Dec 15, 2020 00:55:59.321945000 UTC
+      [Time shift for this packet: 0.000000000 seconds]
+      Epoch Time: 1607993759.321945000 seconds
+      [Time delta from previous captured frame: 1.031406000 seconds]
+      [Time delta from previous displayed frame: 1.031406000 seconds]
+      [Time since reference or first frame: 1.031406000 seconds]
+      Frame Number: 2
+      Frame Length: 103 bytes (824 bits)
+      Capture Length: 103 bytes (824 bits)
+      [Frame is marked: False]
+      [Frame is ignored: False]
+      [Protocols in frame: eth:ethertype:ip:udp:teredo:ipv6:icmpv6]
+  Ethernet II, Src: bc:83:85:56:2f:67, Dst: fc:ec:da:49:e0:10
+      Destination: fc:ec:da:49:e0:10
+          Address: fc:ec:da:49:e0:10
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Source: bc:83:85:56:2f:67
+          Address: bc:83:85:56:2f:67
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Type: IPv4 (0x0800)
+  **Internet Protocol Version 4, Src: 192.168.4.31, Dst: 40.84.25.61**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 89
+      Identification: 0xbb91 (48017)
+      Flags: 0x0000
+          0... .... .... .... = Reserved bit: Not set
+          .0.. .... .... .... = Don't fragment: Not set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 128
+      Protocol: UDP (17)
+      Header checksum: 0x78aa [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 192.168.4.31
+      Destination: 40.84.25.61
+  **User Datagram Protocol, Src Port: 3074, Dst Port: 3544**
+      Source Port: 3074
+      Destination Port: 3544
+      Length: 69
+      Checksum: 0x7fdc [unverified]
+      [Checksum Status: Unverified]
+      [Stream index: 1]
+  **Teredo IPv6 over UDP tunneling**
+      Teredo Authentication header
+          Client identifier length: 0
+          Authentication value length: 0
+          Nonce value: 6aeec3b128884291
+          Confirmation byte: 00
+  **Internet Protocol Version 6, Src: fe80::ffff:ffff:fffe, Dst: ff02::2**
+      **0110 .... = Version: 6**
+      .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
+          .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
+      Payload Length: 8
+      Next Header: ICMPv6 (58)
+      Hop Limit: 255
+      Source: fe80::ffff:ffff:fffe
+      Destination: ff02::2
+  **Internet Control Message Protocol v6**
+      Type: Router Solicitation (133)
+      Code: 0
+      Checksum: 0x7d38 [correct]
+      [Checksum Status: Good]
+      Reserved: 00000000
+
+The bolded elements show an ICMPv6 message inside an IPv6 packet, inside a UDP
+datagram, inside a IPv4 packet. Frame 3 is similar.
+
+:file:`conn.log`
+----------------
+
+The :file:`conn.log` for this traffic contains the following:
+
+.. literal-emph::
+
+  {
+    "ts": 1607993759.321945,
+    **"uid": "CO9T0A3FPac5ig4hud",**
+    **"id.orig_h": "192.168.4.31",**
+    "id.orig_p": 3074,
+    **"id.resp_h": "40.84.25.61",**
+    **"id.resp_p": 3544,**
+    **"proto": "udp",**
+    **"service": "teredo",**
+    "duration": 0.015377998352050781,
+    "orig_bytes": 61,
+    "resp_bytes": 109,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "Dd",
+    "orig_pkts": 1,
+    "orig_ip_bytes": 89,
+    "resp_pkts": 1,
+    "resp_ip_bytes": 137,
+    "ip_proto": 17
+  }
+
+This first :file:`conn.log` entry addresses frames 2 and 3 in the original packet
+capture. Zeek identifies Teredo as the service within a UDP datagram. Port 3544
+UDP appears to be associated with Teredo per Microsoft’s documentation. Port
+3074 UDP appears to be associated with Microsoft game consoles as well, perhaps
+due to NAT traversal. Note the ``uid`` field. It will appear again
+shortly.
+
+.. literal-emph::
+
+  {
+    "ts": 1607993758.290539,
+    **"uid": "CUqiKk4m6VpWwcaJ4l",**
+    **"id.orig_h": "192.168.4.31",**
+    "id.orig_p": 3074,
+    **"id.resp_h": "40.84.25.61",**
+    **"id.resp_p": 65444,**
+    **"proto": "udp",**
+    "conn_state": "S0",
+    "missed_bytes": 0,
+    "history": "D",
+    "orig_pkts": 1,
+    "orig_ip_bytes": 89,
+    "resp_pkts": 0,
+    "resp_ip_bytes": 0,
+    "ip_proto": 17
+  }
+
+This second :file:`conn.log` entry refers to frame 1 in the packet capture.
+Note the ``uid`` field. It will appear again shortly as well.
+
+.. literal-emph::
+
+  {
+    "ts": 1607993759.321945,
+    "uid": "CoiibpW4Ov0n1xvj",
+    **"id.orig_h": "fe80::ffff:ffff:fffe",**
+    "id.orig_p": 133,
+    **"id.resp_h": "ff02::2",**
+    "id.resp_p": 134,
+    **"proto": "icmp",**
+    "conn_state": "OTH",
+    "missed_bytes": 0,
+    "orig_pkts": 1,
+    "orig_ip_bytes": 48,
+    "resp_pkts": 0,
+    "resp_ip_bytes": 0,
+    "tunnel_parents": [
+      **"CO9T0A3FPac5ig4hud"**
+    ],
+    "ip_proto": 1
+  }
+
+Here Zeek has created a new :file:`conn.log` entry for the ICMPv6 traffic
+carried within a tunnel. The UID of the original connection carrying this
+traffic appears in the ``tunnel_parents`` field. It refers to the first entry
+in the :file:`conn.log`.
+
+.. literal-emph::
+
+  {
+    "ts": 1607993758.290539,
+    "uid": "C6Gikx4eC6wXR3xOqg",
+    **"id.orig_h": "fe80::8000:ffff:ffff:fffe",**
+    "id.orig_p": 133,
+    **"id.resp_h": "ff02::2",**
+    "id.resp_p": 134,
+    **"proto": "icmp",**
+    "conn_state": "OTH",
+    "missed_bytes": 0,
+    "orig_pkts": 1,
+    "orig_ip_bytes": 48,
+    "resp_pkts": 0,
+    "resp_ip_bytes": 0,
+    "tunnel_parents": [
+      "CUqiKk4m6VpWwcaJ4l"
+    ]
+  }
+
+Similar to the previous :file:`conn.log` entry, here is another tunneled ICMPv6
+message. This corresponds to the second :file:`conn.log` entry reviewed earlier.
+
+.. literal-emph::
+
+  {
+    "ts": 1607993759.337323,
+    "uid": "C8h2gZ3EjWUW5xKh2",
+    **"id.orig_h": "fe80::8000:f227:d7ab:e6c3",**
+    "id.orig_p": 134,
+    **"id.resp_h": "fe80::ffff:ffff:fffe",**
+    "id.resp_p": 133,
+    **"proto": "icmp",**
+    "conn_state": "OTH",
+    "missed_bytes": 0,
+    "orig_pkts": 1,
+    "orig_ip_bytes": 88,
+    "resp_pkts": 0,
+    "resp_ip_bytes": 0,
+    "tunnel_parents": [
+      **"CO9T0A3FPac5ig4hud"**
+    ]
+  }
+
+Zeek creates a final :file:`conn.log` entry for tunneled traffic. This also
+corresponds to the first :file:`conn.log` entry by virtue of its
+``tunnel_parent`` value.
+
+:file:`tunnel.log`
+------------------
+
+Zeek’s :file:`tunnel.log` offers the following entries for this encapsulated
+traffic.
+
+.. literal-emph::
+
+  {
+    "ts": 1607993758.290539,
+    "uid": "CUqiKk4m6VpWwcaJ4l",
+    "id.orig_h": "192.168.4.31",
+    "id.orig_p": 3074,
+    "id.resp_h": "40.84.25.61",
+    "id.resp_p": 65444,
+    **"tunnel_type": "Tunnel::TEREDO",**
+    **"action": "Tunnel::DISCOVER"**
+  }
+  {
+    "ts": 1607993759.321945,
+    "uid": "CO9T0A3FPac5ig4hud",
+    "id.orig_h": "192.168.4.31",
+    "id.orig_p": 3074,
+    "id.resp_h": "40.84.25.61",
+    "id.resp_p": 3544,
+    **"tunnel_type": "Tunnel::TEREDO",**
+    **"action": "Tunnel::DISCOVER"**
+  }
+  {
+    "ts": 1607993759.337323,
+    "uid": "CO9T0A3FPac5ig4hud",
+    "id.orig_h": "192.168.4.31",
+    "id.orig_p": 3074,
+    "id.resp_h": "40.84.25.61",
+    "id.resp_p": 3544,
+    **"tunnel_type": "Tunnel::TEREDO",**
+    **"action": "Tunnel::CLOSE"**
+  }
+  {
+    "ts": 1607993759.337323,
+    "uid": "CUqiKk4m6VpWwcaJ4l",
+    "id.orig_h": "192.168.4.31",
+    "id.orig_p": 3074,
+    "id.resp_h": "40.84.25.61",
+    "id.resp_p": 65444,
+    **"tunnel_type": "Tunnel::TEREDO",**
+    **"action": "Tunnel::CLOSE"**
+  }
+
+The ``action`` messages indicate how Zeek is tracking the connections. When it
+first identifies a tunnel, it reports ``DISCOVER``. When it assesses that the
+tunnel is no longer used, Zeek reports ``CLOSE``.
+
+The take-away from this activity is that Zeek has identified Teredo traffic.
+The :file:`tunnel.log` entries abstract the somewhat complicated detailed logs
+and produce results that are a bit
+friendlier to the analyst. Here we see that the systems involved are opening
+and closing Teredo tunnels. If this is not authorized traffic, it is enough to
+begin a more detailed investigation.
+
+IP in IP
+========
+
+The next example shows transporting IPv4 inside IPv4 traffic. :rfc:`1853` states:
+
+  “The IP in IP encapsulation Protocol/Payload number 4 :rfc:`1700` has long
+  been used to bridge portions of the Internet which have disjoint capabilities
+  or policies.”
+
+This is another encapsulation method that might surprise an analyst
+or network administrator, assuming it is not authorized for use.
+
+:program:`tcpdump` and :program:`tshark`
+----------------------------------------
+
+Here is :program:`tcpdump`’s view of the sample traffic:
+
+.. literal-emph::
+
+  12:12:06.059907 **IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request**, id 4, seq 0, length 80 (ipip-proto-4)
+  12:12:06.067958 **IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply**, id 4, seq 0, length 80 (ipip-proto-4)
+  12:12:06.075906 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 1, length 80 (ipip-proto-4)
+  12:12:06.083920 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 1, length 80 (ipip-proto-4)
+  12:12:06.091909 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 2, length 80 (ipip-proto-4)
+  12:12:06.099922 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 2, length 80 (ipip-proto-4)
+  12:12:06.107906 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 3, length 80 (ipip-proto-4)
+  12:12:06.116057 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 3, length 80 (ipip-proto-4)
+  12:12:06.123910 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 4, length 80 (ipip-proto-4)
+  12:12:06.131919 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 4, length 80 (ipip-proto-4)
+
+Here is :program:`tshark`’s view of the first packet:
+
+.. literal-emph::
+
+  Frame 1: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits)
+      Encapsulation type: Ethernet (1)
+      Arrival Time: Jun 21, 2008 12:12:06.059907000 UTC
+      [Time shift for this packet: 0.000000000 seconds]
+      Epoch Time: 1214050326.059907000 seconds
+      [Time delta from previous captured frame: 0.000000000 seconds]
+      [Time delta from previous displayed frame: 0.000000000 seconds]
+      [Time since reference or first frame: 0.000000000 seconds]
+      Frame Number: 1
+      Frame Length: 134 bytes (1072 bits)
+      Capture Length: 134 bytes (1072 bits)
+      [Frame is marked: False]
+      [Frame is ignored: False]
+      [Protocols in frame: eth:ethertype:ip:ip:icmp:data]
+  Ethernet II, Src: c2:00:57:75:00:00, Dst: c2:01:57:75:00:00
+      Destination: c2:01:57:75:00:00
+          Address: c2:01:57:75:00:00
+          .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Source: c2:00:57:75:00:00
+          Address: c2:00:57:75:00:00
+          .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Type: IPv4 (0x0800)
+  **Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 120
+      Identification: 0x0014 (20)
+      Flags: 0x0000
+          0... .... .... .... = Reserved bit: Not set
+          .0.. .... .... .... = Don't fragment: Not set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 255
+      Protocol: IPIP (4)
+      Header checksum: 0xa76b [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 10.0.0.1
+      Destination: 10.0.0.2
+  **Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 100
+      Identification: 0x0014 (20)
+      Flags: 0x0000
+          0... .... .... .... = Reserved bit: Not set
+          .0.. .... .... .... = Don't fragment: Not set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 255
+      **Protocol: ICMP (1)**
+      Header checksum: 0xb57f [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 1.1.1.1
+      Destination: 2.2.2.2
+  **Internet Control Message Protocol**
+      Type: 8 (Echo (ping) request)
+      Code: 0
+      Checksum: 0x4305 [correct]
+      [Checksum Status: Good]
+      Identifier (BE): 4 (0x0004)
+      Identifier (LE): 1024 (0x0400)
+      Sequence number (BE): 0 (0x0000)
+      Sequence number (LE): 0 (0x0000)
+      Data (72 bytes)
+
+  0000  00 00 00 00 00 09 3b 38 ab cd ab cd ab cd ab cd   ......;8........
+  0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
+  0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
+  0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
+  0040  ab cd ab cd ab cd ab cd                           ........
+          Data: 0000000000093b38abcdabcdabcdabcdabcdabcdabcdabcd...
+          [Length: 72]
+
+Note that both renditions depict the outer and inner IP addresses in use, as
+well as the encapsulated ICMP traffic.
+
+:file:`conn.log`
+----------------
+
+Zeek creates a single :file:`conn.log` entry for this traffic.
+
+.. literal-emph::
+
+  {
+    "ts": 1214050326.059907,
+    "uid": "CaG4lb2HwGhNGLo1d2",
+    **"id.orig_h": "1.1.1.1",**
+    "id.orig_p": 8,
+    **"id.resp_h": "2.2.2.2",**
+    "id.resp_p": 0,
+    **"proto": "icmp",**
+    "duration": 0.07201194763183594,
+    "orig_bytes": 360,
+    "resp_bytes": 360,
+    "conn_state": "OTH",
+    "missed_bytes": 0,
+    "orig_pkts": 5,
+    "orig_ip_bytes": 500,
+    "resp_pkts": 5,
+    "resp_ip_bytes": 500,
+    **"tunnel_parents": [**
+      **"CllZAw139PBBVBawlj"**
+    ]
+  }
+
+Notice the only :file:`conn.log` entry lists the encapsulated source and
+destination IP addresses for the traffic, i.e., ``1.1.1.1`` and ``2.2.2.2``. To
+see the outer IP addresses, we need to look for the ``tunnel_parents``
+connection in the :file:`tunnel.log`.
+
+:file:`tunnel.log`
+------------------
+
+The :file:`tunnel.log` also contains a single entry:
+
+.. literal-emph::
+
+  {
+    "ts": 1214050326.059907,
+    "uid": "CllZAw139PBBVBawlj",
+    **"id.orig_h": "10.0.0.1",**
+    "id.orig_p": 0,
+    **"id.resp_h": "10.0.0.2",**
+    "id.resp_p": 0,
+    **"tunnel_type": "Tunnel::IP",**
+    **"action": "Tunnel::DISCOVER"**
+  }
+
+Here we learn that the outer IP addresses are ``10.0.0.1`` and ``10.0.0.2``.
+The tunnel type is ``IP``. The action of ``Tunnel::DISCOVER`` means that Zeek
+has identified a new tunnel or encapsulation.
+
+IP over IP via GRE
+==================
+
+Let’s look at a more common variation of IP within IP. This method uses Generic
+Routing Encapsulation, or GRE.
+
+:program:`tcpdump` and :program:`tshark`
+----------------------------------------
+
+Here is :program:`tcpdump`’s view of the traffic:
+
+.. literal-emph::
+
+  12:06:06.434897 **IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request**, id 2, seq 0, length 80
+  12:06:06.442931 **IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply**, id 2, seq 0, length 80
+  12:06:06.450900 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 1, length 80
+  12:06:06.498938 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 1, length 80
+  12:06:06.506904 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 2, length 80
+  12:06:06.514914 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 2, length 80
+  12:06:06.522905 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 3, length 80
+  12:06:06.570925 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 3, length 80
+  12:06:06.578905 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 4, length 80
+  12:06:06.586923 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 4, length 80
+
+Here is :program:`tshark`’s view of the first packet:
+
+.. literal-emph::
+
+  Frame 1: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)
+      Encapsulation type: Ethernet (1)
+      Arrival Time: Jun 21, 2008 12:06:06.434897000 UTC
+      [Time shift for this packet: 0.000000000 seconds]
+      Epoch Time: 1214049966.434897000 seconds
+      [Time delta from previous captured frame: 0.000000000 seconds]
+      [Time delta from previous displayed frame: 0.000000000 seconds]
+      [Time since reference or first frame: 0.000000000 seconds]
+      Frame Number: 1
+      Frame Length: 138 bytes (1104 bits)
+      Capture Length: 138 bytes (1104 bits)
+      [Frame is marked: False]
+      [Frame is ignored: False]
+      [Protocols in frame: eth:ethertype:ip:gre:ip:icmp:data]
+  Ethernet II, Src: c2:00:57:75:00:00, Dst: c2:01:57:75:00:00
+      Destination: c2:01:57:75:00:00
+          Address: c2:01:57:75:00:00
+          .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Source: c2:00:57:75:00:00
+          Address: c2:00:57:75:00:00
+          .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Type: IPv4 (0x0800)
+  **Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 124
+      Identification: 0x000a (10)
+      Flags: 0x0000
+          0... .... .... .... = Reserved bit: Not set
+          .0.. .... .... .... = Don't fragment: Not set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 255
+      Protocol: Generic Routing Encapsulation (47)
+      Header checksum: 0xa746 [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 10.0.0.1
+      Destination: 10.0.0.2
+  **Generic Routing Encapsulation (IP)**
+      Flags and Version: 0x0000
+          0... .... .... .... = Checksum Bit: No
+          .0.. .... .... .... = Routing Bit: No
+          ..0. .... .... .... = Key Bit: No
+          ...0 .... .... .... = Sequence Number Bit: No
+          .... 0... .... .... = Strict Source Route Bit: No
+          .... .000 .... .... = Recursion control: 0
+          .... .... 0000 0... = Flags (Reserved): 0
+          .... .... .... .000 = Version: GRE (0)
+      Protocol Type: IP (0x0800)
+  **Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 100
+      Identification: 0x000a (10)
+      Flags: 0x0000
+          0... .... .... .... = Reserved bit: Not set
+          .0.. .... .... .... = Don't fragment: Not set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 255
+      Protocol: ICMP (1)
+      Header checksum: 0xb589 [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 1.1.1.1
+      Destination: 2.2.2.2
+  **Internet Control Message Protocol**
+      Type: 8 (Echo (ping) request)
+      Code: 0
+      Checksum: 0xbfd4 [correct]
+      [Checksum Status: Good]
+      Identifier (BE): 2 (0x0002)
+      Identifier (LE): 512 (0x0200)
+      Sequence number (BE): 0 (0x0000)
+      Sequence number (LE): 0 (0x0000)
+      Data (72 bytes)
+
+  0000  00 00 00 00 00 03 be 70 ab cd ab cd ab cd ab cd   .......p........
+  0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
+  0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
+  0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
+  0040  ab cd ab cd ab cd ab cd                           ........
+          Data: 000000000003be70abcdabcdabcdabcdabcdabcdabcdabcd...
+          [Length: 72]
+
+Note that both renditions depict the outer and inner IP addresses in use, as
+well as the encapsulated ICMP traffic. This time, in contrast with the previous
+example, the inner traffic follows a GRE header.
+
+:file:`conn.log`
+----------------
+
+Zeek creates a single :file:`conn.log` entry for this traffic:
+
+.. literal-emph::
+
+  {
+    "ts": 1214049966.434897,
+    "uid": "Cxg76d2N73I9DhmZ5l",
+    **"id.orig_h": "1.1.1.1",**
+    "id.orig_p": 8,
+    **"id.resp_h": "2.2.2.2",**
+    "id.resp_p": 0,
+    **"proto": "icmp",**
+    "duration": 0.15202593803405762,
+    "orig_bytes": 360,
+    "resp_bytes": 360,
+    "conn_state": "OTH",
+    "missed_bytes": 0,
+    "orig_pkts": 5,
+    "orig_ip_bytes": 500,
+    "resp_pkts": 5,
+    "resp_ip_bytes": 500,
+    "tunnel_parents": [
+      **"C2ELkSIprfG0oMEae"**
+    ]
+  }
+
+As with the previous example, the only :file:`conn.log` entry lists the encapsulated
+source and destination IP addresses for the traffic, i.e., ``1.1.1.1`` and
+``2.2.2.2``.  To see the outer IP addresses, we need to look for the
+``tunnel_parents`` connection in the :file:`tunnel.log`.
+
+:file:`tunnel.log`
+------------------
+
+The :file:`tunnel.log` also contains a single entry:
+
+.. literal-emph::
+
+  {
+    "ts": 1214049966.434897,
+    "uid": "C2ELkSIprfG0oMEae",
+    **"id.orig_h": "10.0.0.1",**
+    "id.orig_p": 0,
+    **"id.resp_h": "10.0.0.2",**
+    "id.resp_p": 0,
+    **"tunnel_type": "Tunnel::GRE",**
+    **"action": "Tunnel::DISCOVER"**
+  }
+
+We see again that the outer IP addresses are ``10.0.0.1`` and ``10.0.0.2``. The
+tunnel type is ``GRE``, unlike the previous ``IP``. The action of
+``Tunnel::DISCOVER`` means that Zeek has identified a new tunnel or
+encapsulation.
+
+IPv4 in PPP in GRE in IPv4 in IPv6
+==================================
+
+We’ve saved the most complicated example for last.
+
+In this example, we see the following very complicated protocol stack::
+
+  Ethernet II
+  802.1Q virtual LAN (VLAN)
+  IPv6
+  IPv4
+  GRE
+  Point-to-Point Protocol (PPP)
+  IPv4
+  UDP
+  Domain Name System
+
+I am not sure what created this trace, although I suspect it may be from a
+mobile asset.
+
+:program:`tcpdump` and :program:`tshark`
+----------------------------------------
+
+Here is :program:`tcpdump`’s view of the sample traffic::
+
+  03:35:03.821897 IP6 2402:f000:1:8e01::5555 > 2607:fcd0:100:2300::b108:2a6b: IP 16.0.0.200 > 192.52.166.154: GREv1, call 6016, seq 430001, ack 539254, length 119: IP 172.16.44.3.40768 > 8.8.8.8.53: 42540+ AAAA? xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678. (71)
+
+  03:35:04.035791 IP6 2607:fcd0:100:2300::b108:2a6b > 2402:f000:1:8e01::5555: IP 192.52.166.154 > 16.0.0.200: GREv1, call 17, seq 539320, length 190: IP 8.8.8.8.53 > 172.16.44.3.40768: 42540 NXDomain 0/1/0 (146)
+
+Here is :program:`tshark`’s view of the first packet:
+
+.. literal-emph::
+
+  Frame 1: 197 bytes on wire (1576 bits), 197 bytes captured (1576 bits)
+      Encapsulation type: Ethernet (1)
+      Arrival Time: Dec  3, 2014 03:35:03.821897000 UTC
+      [Time shift for this packet: 0.000000000 seconds]
+      Epoch Time: 1417577703.821897000 seconds
+      [Time delta from previous captured frame: 0.000000000 seconds]
+      [Time delta from previous displayed frame: 0.000000000 seconds]
+      [Time since reference or first frame: 0.000000000 seconds]
+      Frame Number: 1
+      Frame Length: 197 bytes (1576 bits)
+      Capture Length: 197 bytes (1576 bits)
+      [Frame is marked: False]
+      [Frame is ignored: False]
+      [Protocols in frame: eth:ethertype:vlan:ethertype:ipv6:ip:gre:ppp:ip:udp:dns]
+  **Ethernet II, Src: 00:12:1e:f2:61:3d, Dst: c5:00:00:00:82:c4**
+      Destination: c5:00:00:00:82:c4
+          Address: c5:00:00:00:82:c4
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
+      Source: 00:12:1e:f2:61:3d
+          Address: 00:12:1e:f2:61:3d
+          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+      Type: 802.1Q Virtual LAN (0x8100)
+  **802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100**
+      000. .... .... .... = Priority: Best Effort (default) (0)
+      ...0 .... .... .... = DEI: Ineligible
+      .... 0000 0110 0100 = ID: 100
+      Type: IPv6 (0x86dd)
+  **Internet Protocol Version 6, Src: 2402:f000:1:8e01::5555, Dst: 2607:fcd0:100:2300::b108:2a6b**
+      0110 .... = Version: 6
+      .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
+          .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
+      Payload Length: 139
+      Next Header: IPIP (4)
+      Hop Limit: 246
+      Source: 2402:f000:1:8e01::5555
+      Destination: 2607:fcd0:100:2300::b108:2a6b
+  **Internet Protocol Version 4, Src: 16.0.0.200, Dst: 192.52.166.154**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 139
+      Identification: 0x8caf (36015)
+      Flags: 0x0000
+          0... .... .... .... = Reserved bit: Not set
+          .0.. .... .... .... = Don't fragment: Not set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 64
+      **Protocol: Generic Routing Encapsulation (47)**
+      Header checksum: 0x75fe [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 16.0.0.200
+      Destination: 192.52.166.154
+  Generic Routing Encapsulation (PPP)
+      Flags and Version: 0x3081
+          0... .... .... .... = Checksum Bit: No
+          .0.. .... .... .... = Routing Bit: No
+          ..1. .... .... .... = Key Bit: Yes
+          ...1 .... .... .... = Sequence Number Bit: Yes
+          .... 0... .... .... = Strict Source Route Bit: No
+          .... .000 .... .... = Recursion control: 0
+          .... .... 1... .... = Acknowledgment: Yes
+          .... .... .000 0... = Flags (Reserved): 0
+          .... .... .... .001 = Version: Enhanced GRE (1)
+      Protocol Type: PPP (0x880b)
+      Payload Length: 103
+      Call ID: 6016
+      Sequence Number: 430001
+      Acknowledgment Number: 539254
+  **Point-to-Point Protocol**
+      Address: 0xff
+      Control: 0x03
+      Protocol: Internet Protocol version 4 (0x0021)
+  **Internet Protocol Version 4, Src: 172.16.44.3, Dst: 8.8.8.8**
+      0100 .... = Version: 4
+      .... 0101 = Header Length: 20 bytes (5)
+      Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+          0000 00.. = Differentiated Services Codepoint: Default (0)
+          .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+      Total Length: 99
+      Identification: 0x0000 (0)
+      Flags: 0x4000, Don't fragment
+          0... .... .... .... = Reserved bit: Not set
+          .1.. .... .... .... = Don't fragment: Set
+          ..0. .... .... .... = More fragments: Not set
+          ...0 0000 0000 0000 = Fragment offset: 0
+      Time to live: 60
+      Protocol: UDP (17)
+      Header checksum: 0x5667 [validation disabled]
+      [Header checksum status: Unverified]
+      Source: 172.16.44.3
+      Destination: 8.8.8.8
+  **User Datagram Protocol, Src Port: 40768, Dst Port: 53**
+      Source Port: 40768
+      Destination Port: 53
+      Length: 79
+      Checksum: 0x2d23 [unverified]
+      [Checksum Status: Unverified]
+      [Stream index: 0]
+  **Domain Name System (query)**
+      Transaction ID: 0xa62c
+      Flags: 0x0100 Standard query
+          0... .... .... .... = Response: Message is a query
+          .000 0... .... .... = Opcode: Standard query (0)
+          .... ..0. .... .... = Truncated: Message is not truncated
+          .... ...1 .... .... = Recursion desired: Do query recursively
+          .... .... .0.. .... = Z: reserved (0)
+          .... .... ...0 .... = Non-authenticated data: Unacceptable
+      Questions: 1
+      Answer RRs: 0
+      Authority RRs: 0
+      Additional RRs: 0
+      Queries
+          xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678: type AAAA, class IN
+              Name: xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678
+              [Name Length: 53]
+              [Label Count: 1]
+              Type: AAAA (IPv6 Address) (28)
+              Class: IN (0x0001)
+
+Both :program:`tcpdump` and :program:`tshark` show the three levels of IP
+addresses used in this complicated frame.
+
+:file:`conn.log`
+----------------
+
+Let’s see what Zeek makes of this complicated exchange.
+
+.. literal-emph::
+
+  {
+    "ts": 1417577703.821897,
+    "uid": "CiJXLc43tlknoHbXH9",
+    **"id.orig_h": "172.16.44.3",**
+    "id.orig_p": 40768,
+    **"id.resp_h": "8.8.8.8",**
+    "id.resp_p": 53,
+    "proto": "udp",
+    "service": "dns",
+    "duration": 0.21389389038085938,
+    "orig_bytes": 71,
+    "resp_bytes": 146,
+    "conn_state": "SF",
+    "missed_bytes": 0,
+    "history": "Dd",
+    "orig_pkts": 1,
+    "orig_ip_bytes": 99,
+    "resp_pkts": 1,
+    "resp_ip_bytes": 174,
+    **"tunnel_parents": [**
+      **"CBvCtfO5sjjyQb2V4"**
+    ]
+  }
+
+We see Zeek has burrowed all the way down to the innermost IP address,
+``172.16.44.3``, making a DNS request to ``8.8.8.8``.
+
+:file:`tunnel.log`
+------------------
+
+Zeek’s :file:`tunnel.log` contains two entries for this session.
+
+.. literal-emph::
+
+  {
+    "ts": 1417577703.821897,
+    "uid": "CPnYZx2edh7O2ueTm4",
+    **"id.orig_h": "2402:f000:1:8e01::5555",**
+    "id.orig_p": 0,
+    **"id.resp_h": "2607:fcd0:100:2300::b108:2a6b",**
+    "id.resp_p": 0,
+    **"tunnel_type": "Tunnel::IP",**
+    **"action": "Tunnel::DISCOVER"**
+  }
+  {
+    "ts": 1417577703.821897,
+    "uid": "CBvCtfO5sjjyQb2V4",
+    **"id.orig_h": "16.0.0.200",**
+    "id.orig_p": 0,
+    **"id.resp_h": "192.52.166.154",**
+    "id.resp_p": 0,
+    **"tunnel_type": "Tunnel::GRE",**
+    **"action": "Tunnel::DISCOVER"**
+  }
+
+Zeek displays the two outer IP addresses, and ties them to the inner address
+using the ``uid`` field. The ``uid`` matches the ``tunnel_parents`` field in
+the :file:`conn.log`.
+
+:file:`dns.log`
+---------------
+
+For completeness, let’s take a look at the :file:`dns.log` Zeek created for
+this activity.
+
+.. literal-emph::
+
+  {
+    "ts": 1417577703.821897,
+    "uid": "CiJXLc43tlknoHbXH9",
+    **"id.orig_h": "172.16.44.3",**
+    "id.orig_p": 40768,
+    **"id.resp_h": "8.8.8.8",**
+    **"id.resp_p": 53,**
+    "proto": "udp",
+    "trans_id": 42540,
+    "query": "xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678",
+    "qclass": 1,
+    "qclass_name": "C_INTERNET",
+    "qtype": 28,
+    **"qtype_name": "AAAA",**
+    "rcode": 3,
+    "rcode_name": "NXDOMAIN",
+    "AA": false,
+    "TC": false,
+    "RD": true,
+    "RA": false,
+    "Z": 0,
+    "rejected": false
+  }
+
+Here is a AAAA query, meaning the client wants the IPv6 address for the domain
+listed in the query. As you might guess, the DNS server reply (not shown here)
+is for a root name server.
+
+Conclusion
+==========
+
+Zeek’s :file:`tunnel.log` is a useful way to accomplish two tasks. First, the
+presence of a :file:`tunnel.log` in your collection of Zeek outputs means Zeek
+has detected and reported on encapsulated traffic. If you do not expect to see
+such activity in your environment, it is worth investigating. Second, the
+:file:`tunnel.log` provides a means to show the outermost IP addresses
+associated with the activity reported in the :file:`conn.log` when
+encapsulation is present.
diff --git a/doc/logs/weird-and-notice.rst b/doc/logs/weird-and-notice.rst
new file mode 100644
index 0000000000..a1953013d9
--- /dev/null
+++ b/doc/logs/weird-and-notice.rst
@@ -0,0 +1,151 @@
+========================
+weird.log and notice.log
+========================
+
+Zeek offers two logs for activities that seem out of the ordinary:
+:file:`weird.log` and :file:`notice.log`.
+
+There's a distinction between them:
+
+* :file:`weird.log` is various random stuff where analyzers
+  ran into trouble understanding the traffic in terms of their protocols;
+  basically whenever there's something unexpected at the protocol level, that's a
+  weird (for a lack of anything better to do with it). That means that "weirds"
+  are also essentially hardcoded by whoever wrote that analyzer.  They
+  can also be generated by scripts, but that's rarer.
+
+* :file:`notice.log` on the other hand are situations explicitly detected and
+  reported by Zeek scripts as inspection-worthy. It's usually not protocol
+  errors, but something semantically higher (like a self-signed cert). Notices
+  are part of the script-level analysis and can be raised by Zeek packages as
+  well.
+
+Weirds can often be ignored because of volume, but notices are much more
+interesting, they are the closest Zeek is coming to IDS alerts.
+
+For details on the fields, please refer to :zeek:see:`Weird::Info` and
+:zeek:see:`Notice::Info`.
+
+:file:`weird.log`
+=================
+
+The best references on the contents of the weird.log appear in the briefings
+and writings by Fatema Bannat Wala, such as What Is Weird in Zeek, published 13
+November 2019.
+
+https://zeek.org/2019/11/13/what-is-weird-in-zeek/
+
+She spoke on the topic in 2018:
+
+https://www.youtube.com/watch?v=XeJcBBZjaVA
+
+She spoke on the topic in 2020 as well:
+
+https://www.youtube.com/watch?v=s4VSYwfHP0s
+
+For example, the following is a count of individual :file:`weird.log` entries
+over a 24 hour period on a home network::
+
+    553 ["window_recision",false]
+    129 ["unknown_protocol",false]
+      1 ["truncated_IP",false]
+      5 ["TCP_seq_underflow_or_misorder",false]
+      4 ["TCP_ack_underflow_or_misorder",false]
+      2 ["SYN_seq_jump",false]
+      1 ["SYN_inside_connection",false]
+      1 ["SYN_after_close",false]
+    128 ["non_ip_packet_in_ethernet",false]
+     23 ["line_terminated_with_single_CR",false]
+      1 ["DNS_RR_unknown_type",false]
+      3 ["data_after_reset",false]
+      1 ["bad_TCP_header_len",false]
+     21 ["bad_HTTP_request",false]
+      2 ["above_hole_data_without_any_acks",false]
+
+We will look at one of these entries below.
+
+:file:`notice.log`
+==================
+
+The :file:`notice.log` does not have as much documentation as
+:file:`weird.log`. For an example of :file:`notice.log` entries over a 24 hour
+period from a home network, consider the following::
+
+    654 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (unable to get local issuer certificate)"]
+     48 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate in certificate chain)"]
+     13 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate)"]
+
+We will look at one of these entries below.
+
+Investigating a :file:`weird.log` and :file:`notice.log` Entry
+==============================================================
+
+Taking a look at two entries in the :file:`weird.log`, we see they reference
+the same connection:
+
+.. literal-emph::
+
+  {
+    "ts": "2021-01-04T04:59:21.582639Z",
+    "uid": "**CxdbSa2KGTlMl3PPB2**",
+    "id.orig_h": "192.168.4.129",
+    "id.orig_p": 51020,
+    "id.resp_h": "40.71.25.43",
+    "id.resp_p": 8080,
+    **"name": "bad_HTTP_request",**
+    "notice": false,
+    "peer": "so16-enp0s8-1"
+  }
+  {
+    "ts": "2021-01-04T04:59:21.582639Z",
+    "uid": "**CxdbSa2KGTlMl3PPB2**",
+    "id.orig_h": "192.168.4.129",
+    "id.orig_p": 51020,
+    "id.resp_h": "40.71.25.43",
+    "id.resp_p": 8080,
+    **"name": "line_terminated_with_single_CR",**
+    "notice": false,
+    "peer": "so16-enp0s8-1"
+  }
+
+We see a ``bad_HTTP_request`` and a ``line_terminated_with_single_CR``. We
+happen to also have an entry for this connection in the :file:`notice.log`:
+
+.. literal-emph::
+
+  {
+    "ts": "2021-01-04T04:59:23.038713Z",
+    "uid": "CxdbSa2KGTlMl3PPB2",
+    "id.orig_h": "192.168.4.129",
+    "id.orig_p": 51020,
+    "id.resp_h": "40.71.25.43",
+    "id.resp_p": 8080,
+    "fuid": "FtEE2txjFBxLDbffi",
+    "proto": "tcp",
+    **"note": "SSL::Invalid_Server_Cert",**
+    **"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",**
+    "sub": "CN=*.cloudapp.net,OU=Smart Controller Development,O=GTO Access Systems\\, LLC,DC=smartcontroller,DC=local",
+    "src": "192.168.4.129",
+    "dst": "40.71.25.43",
+    "p": 8080,
+    "peer_descr": "so16-enp0s8-1",
+    "actions": [
+      "Notice::ACTION_LOG"
+    ],
+    "suppress_for": 3600
+  }
+
+We see a ``SSL::Invalid_Server_Cert`` message here.
+
+This is truly an odd connection. It appears to involve an IoT device. There is
+no :file:`conn.log` entry for the activity, which could indicate it is a
+long-running connection that did not terminate during the period for which we
+have logs.
+
+Conclusion
+==========
+
+The :file:`weird.log` and :file:`notice.log` files can be used for more than
+just odd behavior, but that is one of their main uses in current Zeek
+implementations. Analysts can find activity that may reveal something
+suspicious, malicious, or simply software/devices operating oddly.
diff --git a/doc/logs/x509.rst b/doc/logs/x509.rst
new file mode 100644
index 0000000000..c94e85a254
--- /dev/null
+++ b/doc/logs/x509.rst
@@ -0,0 +1,166 @@
+========
+x509.log
+========
+
+In the last section we looked at Zeek’s :file:`ssl.log`, a source which offered
+details on TLS connections. In this section we will look an associated source,
+Zeek’s :file:`x509.log`. The :file:`x509.log` captures details on certificates
+exchanged during certain TLS negotiations. We will compare sessions using TLS
+1.2 and TLS 1.3
+
+For details on all of the fields in the :file:`x509.log`, please refer to
+:zeek:see:`X509::Info`.
+
+Inspecting the :file:`x509.log` When TLS 1.2 Applies
+====================================================
+
+In the following example, we return to the traffic generated by Curl using TLS
+1.2. For reference, here is the :file:`ssl.log` entry for that activity.
+
+::
+
+  {
+    "ts": 1598377391.921726,
+    "uid": "CsukF91Bx9mrqdEaH9",
+    "id.orig_h": "192.168.4.49",
+    "id.orig_p": 56718,
+    "id.resp_h": "13.32.202.10",
+    "id.resp_p": 443,
+    "version": "TLSv12",
+    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "curve": "secp256r1",
+    "server_name": "www.taosecurity.com",
+    "resumed": false,
+    "next_protocol": "h2",
+    "established": true,
+    "cert_chain_fuids": [
+      "F2XEvj1CahhdhtfvT4",
+      "FZ7ygD3ERPfEVVohG9",
+      "F7vklpOKI4yX9wmvh",
+      "FAnbnR32nIIr2j9XV"
+    ],
+    "client_cert_chain_fuids": [],
+    "subject": "CN=www.taosecurity.com",
+    "issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US"
+  }
+
+This :file:`ssl.log` entry mentions four ``cert_chain_fuids``, or certificate
+identifiers. We see each of them in the following entries in the corresponding
+:file:`x509.log` data:
+
+::
+
+  {
+    "ts": 1598377391.938343,
+    "id": "F2XEvj1CahhdhtfvT4",
+    "certificate.version": 3,
+    "certificate.serial": "0B58BC3898391F36592BA1BE1F6B03EF",
+    "certificate.subject": "CN=www.taosecurity.com",
+    "certificate.issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US",
+    "certificate.not_valid_before": 1590969600,
+    "certificate.not_valid_after": 1625140800,
+    "certificate.key_alg": "rsaEncryption",
+    "certificate.sig_alg": "sha256WithRSAEncryption",
+    "certificate.key_type": "rsa",
+    "certificate.key_length": 2048,
+    "certificate.exponent": "65537",
+    "san.dns": [
+      "www.taosecurity.com",
+      "taosecurity.com",
+      "*.taosecurity.com"
+    ],
+    "basic_constraints.ca": false
+  }
+  {
+    "ts": 1598377391.938343,
+    "id": "FZ7ygD3ERPfEVVohG9",
+    "certificate.version": 3,
+    "certificate.serial": "067F94578587E8AC77DEB253325BBC998B560D",
+    "certificate.subject": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US",
+    "certificate.issuer": "CN=Amazon Root CA 1,O=Amazon,C=US",
+    "certificate.not_valid_before": 1445472000,
+    "certificate.not_valid_after": 1760832000,
+    "certificate.key_alg": "rsaEncryption",
+    "certificate.sig_alg": "sha256WithRSAEncryption",
+    "certificate.key_type": "rsa",
+    "certificate.key_length": 2048,
+    "certificate.exponent": "65537",
+    "basic_constraints.ca": true,
+    "basic_constraints.path_len": 0
+  }
+  {
+    "ts": 1598377391.938343,
+    "id": "F7vklpOKI4yX9wmvh",
+    "certificate.version": 3,
+    "certificate.serial": "067F944A2A27CDF3FAC2AE2B01F908EEB9C4C6",
+    "certificate.subject": "CN=Amazon Root CA 1,O=Amazon,C=US",
+    "certificate.issuer": "CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
+    "certificate.not_valid_before": 1432555200,
+    "certificate.not_valid_after": 2145834000,
+    "certificate.key_alg": "rsaEncryption",
+    "certificate.sig_alg": "sha256WithRSAEncryption",
+    "certificate.key_type": "rsa",
+    "certificate.key_length": 2048,
+    "certificate.exponent": "65537",
+    "basic_constraints.ca": true
+  }
+  {
+    "ts": 1598377391.938343,
+    "id": "FAnbnR32nIIr2j9XV",
+    "certificate.version": 3,
+    "certificate.serial": "A70E4A4C3482B77F",
+    "certificate.subject": "CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
+    "certificate.issuer": "OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\\, Inc.,C=US",
+    "certificate.not_valid_before": 1251849600,
+    "certificate.not_valid_after": 2035129156,
+    "certificate.key_alg": "rsaEncryption",
+    "certificate.sig_alg": "sha256WithRSAEncryption",
+    "certificate.key_type": "rsa",
+    "certificate.key_length": 2048,
+    "certificate.exponent": "65537",
+    "basic_constraints.ca": true
+  }
+
+These four certificates offer a lot of detail for defensive teams. Defenders
+can search their data repositories for values that appear in other
+certificates, perhaps identifying associations among intruder activity
+patterns.
+
+Inspecting the :file:`x509.log` When TLS 1.3 Applies
+====================================================
+
+In the following example, we return to the traffic generated by Curl using TLS
+1.3. For reference, here is the :file:`ssl.log` entry for that activity.
+
+::
+
+  {
+    "ts": 1598983678.585087,
+    "uid": "CcJfBs3hXLJn7oHVu7",
+    "id.orig_h": "192.168.4.142",
+    "id.orig_p": 58802,
+    "id.resp_h": "13.32.202.2",
+    "id.resp_p": 443,
+    "version": "TLSv13",
+    "cipher": "TLS_AES_128_GCM_SHA256",
+    "curve": "x25519",
+    "server_name": "www.taosecurity.com",
+    "resumed": true,
+    "established": true
+  }
+
+Notice that we see no reference to file identifies for certificates. That means
+there is no :file:`x509.log` for TLS 1.3! (The section title was a bit of a trick
+question.)
+
+Remember from the previous material that when ESNI or ECH are in play, the
+server name field in the :file:`ssl.log` is also missing.
+
+Conclusion
+==========
+
+This section showed that the default :file:`x509.log` provides several details of
+interest to defenders, even when inspecting encrypted traffic. As
+administrators and intruders deploy newer encryption technologies, however,
+defenders will find it increasingly difficult to differentiate among normal,
+suspicious, and malicious traffic.
diff --git a/doc/monitoring.rst b/doc/monitoring.rst
new file mode 100644
index 0000000000..ab74cd8cf7
--- /dev/null
+++ b/doc/monitoring.rst
@@ -0,0 +1,270 @@
+====================
+Monitoring With Zeek
+====================
+
+Detection and Response Workflow
+===============================
+
+As noted in the previous sections, Zeek is optimized, more or less “out of the
+box,” to provide two of the four types of network security monitoring data.
+Without any major configuration, Zeek offers transaction data and extracted
+content data, in the form of logs summarizing protocols and files seen
+traversing the wire. Zeek can also provide some degree of alert data in the
+form of notices, and analysts can modify Zeek to create custom alerts if
+desired. A dedicated intrusion detection engine like Suricata or Snort might be
+more appropriate, however. Finally, Zeek does not collect full content data in
+pcap format, although other open source projects do provide that functionality.
+
+Broadly speaking, incident detection and response begins with the collection of
+security data, followed by its analysis. In the analysis phase, in the absence
+of an explicit alert of malicious activity, investigators can work two broad
+investigative categories: “matching” and “hunting.” Matching means querying and
+reviewing security data for signs of known indicators of compromise. Hunting
+means working without indicators of compromise, relying instead on creating a
+hypothesis of how adversary activity might manifest in security data. Matching
+is the sort of activity that can be easily automated. Hunting is an activity
+that is difficult to automate because it relies upon the creation of a cyber
+security “experiment” to yield results and often a little bit of human
+intuition.
+
+In the common vernacular, some security teams believe hunting involves querying
+data for indicators of compromise. That is really just a search function, i.e.,
+looking for matches of “expected bad” in collected data. True hunting involves
+more of a scientific method that requires formulating a hypothesis, testing the
+hypothesis in sample and production data, and then refining the process until
+it yields results or is disproved. Investigative methods which yield results
+Zeek data plays a role in matching or hunting operations. Analysts may query a
+store of Zeek transaction logs for indicators of compromise, and begin a
+security investigation when they see a match on an IP address, or username, or
+HTTP user-agent string, or any single or combination of the hundreds of
+elements Zeek derives from network traffic. Analysts can also pose a hypothesis
+of how certain adversary behavior may appear in Zeek data, and then query that
+data for signs that prove or disprove their hypothesis.
+
+Beyond the matching and hunting paradigms, analysts can use Zeek within an
+“incident detection alert” workflow. In this scenario, an IDS creates an alert
+that catches the attention of a security team member. Because IDS alerts are
+often light on details, analysts require corroborating data to decide if the
+alert represents normal, suspicious, or malicious activity. Analysts can
+“pivot” from the IDS alert to a variety of logs generated by Zeek. If the IDS
+alert provides the community identification (community ID) supported by Zeek,
+the analyst can easily tie the IDS alert to specific Zeek logs. Based on the
+data provided by Zeek, analysts may be able to resolve the incident. At the
+very least, the analyst can accelerate the alert validation and verification
+process by having access to data beyond the initial IDS notification.
+
+Finally, analysts can use Zeek data to improve the validation process when
+prompted by any other external stimulus. For example, an analyst might notice
+an odd process running on a system, as reported by their endpoint detection and
+response (EDR) or anti-virus agent. Alternatively, an analyst might receive a
+report from a user or a peer involving suspicious activity on an
+Internet-facing Web server. In either case, the analyst with access to Zeek
+data can seek to learn all they can about the systems in question, simply by
+querying the repository storing their Zeek logs. This security design pattern
+has immense benefits, as it does not affect the end state of the suspicious
+asset. Not touching a system that may be compromised has two benefits. First,
+an intruder who has compromised the asset remains unawares that the security
+team is investigating it. Second, the forensic integrity of the asset remains
+intact, as the analyst is working with logs stored off-device.
+
+Instrumentation and Collection
+==============================
+
+Zeek is designed to watch live network traffic. Although Zeek can process
+packet captures saved in PCAP format, most users deploy Zeek to gain
+near-real-time insights into network usage patterns. Administrators run Zeek
+by telling it to “sniff” one or more network interfaces, generating
+transaction logs, insights, and extracted file contents, based on the network
+traffic seen on those network interfaces.
+
+Some users may choose to run Zeek on a single computer used for general
+computing purposes, watching network traffic to and from that single
+computer. That system might be an office laptop used for business purposes,
+chosen for experimentation with Zeek. This is a simple way to become familiar
+with the logs that Zeek creates. This approach is similar to running Tcpdump
+or Wireshark on one’s computer for the same educational purposes.
+
+Most users, however, run Zeek on a computer selected solely for the purpose
+of network security monitoring. Security personnel call that computer a
+“sensor” and they select, configure, and deploy it specifically to watch
+network traffic. They select a location in an environment that offers
+visibility to multiple computers, and deploy the sensor with Zeek to
+instrument that network segment.
+
+When choosing a place to deploy a sensor, users will likely prioritize a
+requirement like the following:
+
+Identify a single location in the network to instrument with a network tap or
+switch span port that provides the maximum visibility. This means seeing
+traffic from all devices on the network, with a strong preference for
+identifying devices by observing them with their original source IP address.
+
+Users new to Zeek may choose to try Zeek in their home or in a small office
+environment. Figure 1 depicts the standard SOHO network architecture. Letters
+A-D are possible monitoring locations, to be discussed below.
+
+.. figure:: /images/collection-figure1.png
+
+   Figure 1: Standard SOHO Architecture
+
+Most home users and many small office environments are connected to the
+Internet via customer premise equipment (CPE) provided by their Internet
+service provider (ISP). This box may or may not be available or visible to
+the customer. In the context of a system like Verizon FIOS, for example, the
+ISP CPE is the box attached to the outside of a residence, with a warning
+that only Verizon technicians should open it. For fiber connectivity, the ISP
+might call this device an Optical Network Terminal or ONT.
+
+The ISP also provides a gateway device that provides routing and wireless
+access point (WAP) functionality. This is the piece of equipment familiar to
+most home and small office users. It typically has a gigabit copper Ethernet
+connection that connects to the ISP CPE, on its wide area network (WAN) side,
+and four gigabit copper Ethernet ports for devices on its local area network
+(LAN) side. Customer devices gain network access via WiFi to the ISP WAP or
+via copper Ethernet cables to the embedded switch on the same device.
+
+On the WAN side of the router, the device usually has a public IP address
+provided by the ISP. This may not necessarily be the case, however. On the
+LAN side of the router, the device provides RFC 1918 private addresses, often
+in the 192.168.0.0/16 subnet. The router acts as a gateway, using network
+address translation (NAT), or for the more strictly minded, network port
+address translation (NPAT), so that client devices share a single IP address
+provided by the ISP. (Note that in some situations, multiple residences even
+share the same public IP address, and differentiate between each other via
+the port range. We'll not consider this further for now, as it is extraneous
+to the discussion.)
+
+Where does one monitor, given this architecture?
+
+Location A is off limits to the customer. It is likely a cable exiting the
+ISP CPE and entering the ground.
+
+Location B is a possibility, assuming the cable between the ISP CPE and
+router is a copper Ethernet cable. One could insert a reliable network tap
+(typically outside the home user’s budget) or a decent small managed switch
+with a span port (like a Netgear GS30Xe model).
+
+However, and this is crucial: because of the NAT done by the router, all
+traffic will appear to originate from a single IP address. Whether the
+customer has 100 devices or 1 device, they will all share the single IP
+address. This reality makes it much more difficult for a security analyst to
+track down the originator of suspicious or malicious network traffic.
+
+Location C is essentially not possible. Yes, there are various penetration
+testing tools and wireless network troubleshooting tools that can try to
+access WiFi traffic. However, they do not expose the traffic in a form usable
+to security analysts, assuming that the WiFi protocols in use are at all
+modern.
+
+Location D is a possibility, assuming that the user installs a network tap or
+switch span port as in location B. However, monitoring only at location D
+would ignore WiFi traffic.
+
+In other words, the standard SOHO network architecture is not well-suited for
+network security monitoring, because there isn’t a good place, by default, to
+see the originating IP addresses, which are generally needed to investigate
+suspicious and malicious activity.
+
+In contrast, the Visible Network Architecture shown in Figure 2 depicts the
+sort of setup one needs if visibility is designed into the architecture,
+rather than added as an afterthought.
+
+.. figure:: /images/collection-figure2.png
+
+   Figure 2: Visible Network Architecture
+
+The major changes include the following:
+
+The ISP router is no longer also acting as a WAP. The WiFi capability is
+disabled. No other changes are required on the router. Strictly speaking,
+WiFi need not be disabled, so long as no one uses it.
+
+The customer has purchased her own router. That device may or may not also
+provide NAT.
+
+The customer explicitly owns a switch, to which wired devices may connect.
+That switch has a span port.
+
+The customer explicitly owns her own wireless access point, acting as a
+bridge, and not offering NAT.
+
+Don’t be fooled into thinking that one need only buy a new combination
+router/WAP. It’s essential to split these functions. Consumer-grade customer
+routers do not offer span ports, which cheap consumer-grade network switches
+do. This architecture takes advantage of that fact in order to provide
+suitable monitoring locations.
+
+Let’s review the options.
+
+Location A is still off-limits.
+
+Location B is still a bad idea.
+
+Location C is a good option, if one places a network tap here, or another
+small switch with a span port, and neither the customer router nor customer
+WAP is doing NAT.
+
+Location D is a better option. Now one need only ensure that the customer WAP
+is not doing NAT. In fact, one need not introduce another switch or tap here,
+assuming one can span the uplink port on the customer switch.
+
+Location E would only see wired devices, and is not a good option because it
+ignores WiFi devices.
+
+Location F would only see WiFi devices, and is not a good option because it
+ignores wired devices.
+
+Location G is essentially impossible, as with Figure 1.
+
+The bottom line is that the location D is the best monitoring location,
+assuming that the customer WAP is not doing NAT. If the customer WAP is
+acting as a router with NAT, then all of the wireless devices will have the
+same source IP address as seen in location D.
+
+In an architecture designed for visibility, introducing a network tap, or
+simply spanning the uplink from the network switch, at point D, satisfies the
+visibility requirement.
+
+It is possible to simplify the architecture shown in figure 2 to that which
+follows:
+
+.. figure:: /images/collection-figure3.png
+
+   Figure 3: Simplified Visible Network Architecture
+
+The customer router between monitoring points C and D is gone, as one can
+rely upon the ISP router if so desired.
+
+In summary, one could deploy a Zeek sensor at location D, or C, if the
+simplified architecture is in place, as C and D are logically similar. Going
+forward, we'll discuss monitoring at location D.
+
+Gaining access to traffic at point D requires either a span port to be
+enabled on the customer switch, or a network tap to be deployed at location
+D. Professional Zeek users prefer high-quality, powered network taps wherever
+possible, for a variety of reasons. When they are not available, as in the
+case of a SOHO or test environment, then a span port on a managed switch is
+an acceptable alternative.
+
+Once the network tap or span port is providing network traffic to the Zeek
+sensor, one can turn to matters beyond instrumentation and collection.
+
+Storage and Review
+==================
+
+As Zeek ingests network traffic, either by monitoring one or more live
+network interfaces or by processing stored traffic in a capture file, it
+creates a variety of logs and other artifacts. By default Zeek writes that
+data to a storage location designated via its configuration files. Zeek
+possesses the capability to write the logs in several formats and perform
+certain log management processes like compression and archiving.
+
+Analysts make use of Zeek data by reviewing the logs it generates. Review
+methods can be as simple as using text processing tools packaged with the
+underlying operating system. Depending on the format of the logs, users may
+apply more specialized processing tools, some of which are available with
+Zeek. In many cases, Zeek administrators ship logs to specialized storage and
+review applications. These are usually referred to collectively as Security
+and Information Event Management (SIEM) platforms. Some of these log
+management and SIEM platforms are available as open source offerings, while
+others are commercially available.
diff --git a/doc/quickstart.rst b/doc/quickstart.rst
new file mode 100644
index 0000000000..0db0931cbf
--- /dev/null
+++ b/doc/quickstart.rst
@@ -0,0 +1,407 @@
+.. _ZeekControl documentation: https://github.com/zeek/zeekctl
+.. _FAQ: https://zeek.org/faq/
+.. _Get Zeek: https://zeek.org/get-zeek/
+.. _Zeek source code: https://github.com/zeek/zeek
+.. _gzip: https://www.gzip.org/
+
+.. _quickstart:
+
+=================
+Quick Start Guide
+=================
+
+Zeek is a network traffic analyzer. Zeek works on most modern Unix-based
+systems and does not require custom hardware. See :doc:`install` in order to
+install from pre-built binary packages, or :doc:`building-from-source` in order
+to build Zeek from source.
+
+We will first analyze previously captured network traffic from a ``pcap`` file -
+:download:`quickstart.pcap <traces/quickstart.pcap>`. Later, we will use Zeek to
+monitor live traffic. Each section builds on the previous section.
+
+Running Zeek
+============
+
+Open a terminal, navigate to a clean directory, and run zeek on the
+:file:`quickstart.pcap` file:
+
+   .. code-block:: console
+
+     zeek -r quickstart.pcap LogAscii::use_json=T
+
+Zeek should not produce any output, but it will create a few log files:
+
+ * :file:`conn.log`
+ * :file:`http.log`
+ * :file:`weird.log`
+
+The connection log, or :file:`conn.log`, records each connection that Zeek
+detects. The created :file:`conn.log` has two entries. Here are those entries
+(some fields are cut for brevity with "..."):
+
+   .. code-block:: console
+
+
+     {
+        "ts": 1747147647.668533,
+        "uid": "CmgO6f3ddanrRjiCoc",
+        ...
+     },
+     {
+        "ts": 1747147654.27566,
+        "uid": "CQuwSY2FD0NsLn9CJj",
+        ...
+     }
+
+Now to find out more about both of these connections. Looking at the HTTP log,
+it also has two entries. Take note of the ``uid`` field, short for unique
+identifier. You can use that field to pivot from :file:`conn.log` to
+:file:`http.log` - the UIDs in one should correlate to entries in the other. The
+abbreviated logs for these two requests are:
+
+   .. code-block:: console
+
+     {
+         "ts": 1747147647.702181,
+         "uid": "CmgO6f3ddanrRjiCoc",
+         "method": "GET",
+         "host": "zeek.org",
+         "uri": "/",
+         ...
+     },
+     {
+         "ts": 1747147654.311012,
+         "uid": "CQuwSY2FD0NsLn9CJj",
+         "method": "WEIRD",
+         "host": "zeek.org",
+         "uri": "/",
+         ...
+     }
+
+The first entry is a simple ``GET`` request to zeek.org. The second entry used
+a non-standard HTTP method: ``WEIRD``. Zeek also records unusual or unexpected
+behavior in :file:`weird.log`, such as this invalid HTTP method. Now, pivot
+from :file:`http.log` to :file:`weird.log`, where there will be a "weird" for
+the second entry's UID:
+
+   .. code-block:: console
+
+     {
+       "ts": 1747147654.311012,
+       "uid": "CQuwSY2FD0NsLn9CJj",
+       "name": "unknown_HTTP_method",
+       "addl": "WEIRD",
+       ...
+     }
+
+The UID for this entry is the same as the second entry in :file:`conn.log` and
+:file:`http.log`. Therefore, there were two HTTP requests, one with a ``GET``
+request and one with a ``WEIRD`` request. The ``WEIRD`` request was rightfully
+classified as a "weird" by Zeek.
+
+More information on the various logs and what they report can be found in the
+:doc:`logs/index` section. More information on working with logs can be found in
+the :doc:`log-formats` section.
+
+
+.. note::
+
+  This section used ``LogAscii::use_json=T`` in the Zeek invocation, which
+  outputs JSON format logs. The remaining invocations in this guide will not
+  provide that argument, so Zeek will output tab-separated (TSV) logs. You may
+  add ``LogAscii::use_json=T`` to future Zeek invocations if you want JSON
+  format logs.
+
+Live Traffic
+============
+
+Zeek is often used to monitor live network traffic, not just previously captured
+traffic. You can provide Zeek with a network interface to monitor traffic. Any
+traffic on that interface will be analyzed in order to create logs. For example,
+you may run Zeek on the ``en0`` network device (change ``en0`` to the device you
+want to monitor traffic on):
+
+.. code-block:: console
+
+     $ zeek -i en0 -C
+
+Root access is typically required to run commands which monitor a network
+device.
+
+In another terminal, create the same two HTTP requests we saw earlier via
+``curl``:
+
+.. code-block:: console
+
+     $ curl -X GET http://zeek.org
+     $ curl -X WEIRD http://zeek.org
+
+Return to the terminal running Zeek and use Ctrl+C to exit. The logs may have
+more than just the two entries found before since Zeek will analyze all traffic
+on that network device. Entries should still appear in :file:`conn.log`,
+:file:`http.log`, and :file:`weird.log` for these commands.
+
+.. note::
+
+  The ``zeek`` invocation above adds a ``-C`` flag. By default, Zeek discards
+  network packets with checksum errors. This flag tells Zeek to ignore
+  checksums. Modern operating systems and network devices use checksum
+  offloading, which leaves the checksums uninitialized. Since Zeek discards
+  packets with checksum errors, checksum offloading necessitates the ``-C``
+  flag for local network monitoring via Zeek.
+
+Scripting
+=========
+
+You can also use Zeek's own scripting language in order to modify and extend
+its behavior:
+
+.. code-block:: zeek
+
+     # example.zeek
+     event http_request(c: connection, method: string, original_URI: string,
+         unescaped_URI: string, version: string)
+         {
+         print fmt("HTTP request: %s %s (%s->%s)", method, original_URI, c$id$orig_h,
+             c$id$resp_h);
+         }
+
+This script defines an event handler that will run whenever Zeek sees an HTTP
+request. You can run it through Zeek with the data from the pcap you used
+earlier:
+
+.. code-block:: console
+
+     $ zeek example.zeek -r quickstart.pcap
+     HTTP request: GET / (192.168.1.8->192.0.78.212)
+     HTTP request: WEIRD / (192.168.1.8->192.0.78.212)
+
+Or on live traffic:
+
+.. code-block:: console
+
+     $ zeek example.zeek -i en0 -C
+
+In another terminal, run the two ``curl`` commands from before:
+
+.. code-block:: console
+
+     $ curl -X GET http://zeek.org
+     $ curl -X WEIRD http://zeek.org
+
+The terminal running Zeek will print each command as it gets processed.
+
+More information on how to use Zeek’s scripting language can be found in the
+:doc:`scripting/index` section. Experiment with Zeek scripting at
+`try.zeek.org <https://try.zeek.org>`_.
+
+Managing Zeek
+=============
+
+Zeek comes packaged with ZeekControl (``zeekctl``) to manage more complex
+deployments.
+
+The same network device used in the Zeek command line can be used with
+``zeekctl``. This will go in a configuration file. For the following example,
+``$PREFIX`` will refer to the installation directory. This is likely
+``/usr/local/zeek`` if built from source or ``/opt/zeek`` if installed from a
+pre-built package.
+
+First, update the configuration’s network interface in
+``$PREFIX/etc/node.cfg``. If the device is ``en0``, that would look like:
+
+.. code-block:: console
+
+     [zeek]
+     type=standalone
+     host=localhost
+     interface=en0
+
+You can further configure the ``local.zeek`` script found in
+``$PREFIX/share/zeek/site/local.zeek``. ``zeekctl`` loads this script by 
+default. It is not overwritten by Zeek upgrades.
+
+Run ``zeekctl`` in order to start an interactive prompt and manage your Zeek
+deployment:
+
+.. code-block:: console
+
+     $ zeekctl
+     Hint: Run the zeekctl "deploy" command to get started.
+
+     Welcome to ZeekControl 2.5.0-76
+
+     Type "help" for help.
+
+     [ZeekControl] >
+
+Then run ``deploy`` to get started:
+
+.. code-block:: console
+
+     [ZeekControl] > deploy
+
+In another terminal, run the same two curl commands from before:
+
+.. code-block:: console
+
+     $ curl -X GET http://zeek.org
+     $ curl -X WEIRD http://zeek.org
+
+Then return to the ZeekControl prompt and stop it:
+
+.. code-block:: console
+
+     [ZeekControl] > stop
+     stopping zeek ...
+
+And exit from ``zeekctl``:
+
+.. code-block:: console
+
+     [ZeekControl] > exit
+
+The logs from ZeekControl will not appear in your current directory. Instead,
+they will appear in ``$PREFIX/logs/current`` when running. Since the process was
+stopped, they will appear in a directory with the current date within 
+``$PREFIX/logs/`` - such as ``$PREFIX/logs/2025-01-01/``.
+
+These logs are compressed as ``.log.gz`` files from gzip_. You may decompress
+these via ``gunzip`` then read them, or use gzip’s packaged ``zcat`` command.
+On Mac, this looks like:
+
+.. code-block:: console
+
+     $ zcat < $PREFIX/logs/2025-01-08/weird.11:03:38-11:03:43.log.gz
+     <...>
+     1736352218.157077       CFvENWVlkwVHhLL35       2603:6081:18f0:99e0:7da2:6b81:9a83:cb4e 57823   2606:2800:21f:cb07:6820:80da:af6b:8b2c   80      unknown_HTTP_method     WEIRD   F       zeek    -
+
+The logs contain the ``WEIRD`` HTTP request.
+
+More information on using ZeekControl can be found in the
+`ZeekControl documentation`_. More information on setting up a cluster can be
+found in the :doc:`cluster-setup` section.
+
+Clusters
+========
+
+ZeekControl is also used to manage a cluster of Zeek processes. A cluster
+contains many processes which analyze traffic together. For this example, all
+nodes will be local, but they may also be split among multiple hosts.
+
+First, return to the ``$PREFIX/etc/node.cfg`` configuration file. It currently
+contains one "standalone" node: 
+
+.. code-block:: console
+
+     [zeek]
+     type=standalone
+     host=localhost
+     interface=en0
+
+
+A standalone node is not in a cluster. Instead, this will change to multiple
+nodes which work together. The following configuration is commented out in the
+``node.cfg`` file by default. Remove the ``[zeek]`` node from above and paste
+this into the file:
+
+.. code-block:: console
+
+     [logger]
+     type=logger
+     host=localhost
+
+     [manager]
+     type=manager
+     host=localhost
+
+     [proxy]
+     type=proxy
+     host=localhost
+
+     [worker]
+     type=worker
+     host=localhost
+     interface=en0
+
+Now start ``zeekctl`` again with the ``zeekctl`` console command and run it
+with ``deploy``:
+
+.. code-block:: console
+
+     $ zeekctl
+     Hint: Run the zeekctl "deploy" command to get started.
+
+     Welcome to ZeekControl 2.5.0-76
+
+     Type "help" for help.
+
+     [ZeekControl] > deploy
+
+Now check the status of the cluster with the ``top`` command:
+
+.. code-block:: console
+
+     [ZeekControl] > top
+
+     Name         Type    Host             Pid     VSize  Rss  Cpu   Cmd
+     logger       logger  localhost        XXXX     83M    83M   0%  zeek
+     manager      manager localhost        XXXX     82M    82M   0%  zeek
+     proxy        proxy   localhost        XXXX     82M    82M   0%  zeek
+     worker       worker  localhost        XXXX     84M    84M   0%  zeek
+
+This is how you can easily check the status of the running cluster. As before,
+run the two ``curl`` commands in another terminal:
+
+.. code-block:: console
+
+     $ curl -X GET http://zeek.org
+     $ curl -X WEIRD http://zeek.org
+
+Then interrupt the ``top`` command with Ctrl+C and stop the cluster:
+
+.. code-block:: console
+
+     [ZeekControl] > stop
+     stopping workers ...
+     stopping proxy ...
+     stopping manager ...
+     stopping logger ...
+     [ZeekControl] > exit
+
+As before, the logs will be in the ``$PREFIX/logs/`` directory. Check for the
+weird the same way as before:
+
+.. code-block:: console
+
+     $ zcat < $PREFIX/logs/2025-05-14/weird.08:58:26-08:58:31.log.gz
+     <...>
+     1747227503.828889       C3aXMM2AC3jzZbKl6i      192.168.1.8     60818   192.0.78.150    80 unknown_HTTP_method      WEIRD   F       worker  -
+
+Users can distribute work across multiple processes or machines with clusters.
+See the `ZeekControl documentation`_ for more information on managing clusters
+and :doc:`cluster-setup` for more information on cluster setup.
+
+Next Steps
+==========
+
+By this point, we’ve built up from Zeek's simplest use case to clusters.
+Each section has links to guide further discovery. Here are some extra
+considerations:
+
+* Follow the interactive Zeek tutorial at
+  `try.zeek.org <https://try.zeek.org>`_.
+* Read more of the documentation: the documentation can be read sequentially.
+  Documentation for Zeek's out-of-the-box logs can be found in the
+  :doc:`logs/index` section.
+* Browse scripts from :samp:`{$PREFIX}/share/zeek/policy` that may be useful to
+  load. Their documentation is found in the 
+  :ref:`overview of script packages <script-packages>`.
+* Review the FAQ_.
+* Join the Zeek community :slacklink:`Slack workspace <>` or
+  :discourselink:`forum <>` to interact with fellow Zeekers and Zeek core
+  developers.
+* Track Zeek code releases on the `Get Zeek`_ page. Find the release notes
+  under each release. These release notes reference the :file:`NEWS` file found
+  in the `Zeek source code`_. The :file:`CHANGES` file gives a more granular
+  view of each change.
diff --git a/doc/redirects.yml b/doc/redirects.yml
new file mode 100644
index 0000000000..a990ae59b1
--- /dev/null
+++ b/doc/redirects.yml
@@ -0,0 +1,58 @@
+# WARNING: New redirects cannot be added, since RTD introduced a cap of 100
+# redirects. You can, however, manually edit and remove redirects in the UI.
+# When doing so, modify this file as well for documentation.
+#
+# These are all the Page Redirects required for RTD project at docs.zeek.org.
+# A nice thing about RTD redirects is that they are only utilized if a page
+# 404s, so redirects can be added as soon as a broken link needs to be fixed in
+# latest/master and it won't automatically try to redirect the still-working
+# page in stable/release.
+#
+# RTD doesn't have an official API to add all the redirects defined here, but
+# this tool uses its HTML interface:
+#
+#     https://github.com/honzajavorek/rtd-redirects
+
+redirects:
+  # "Book of Zeek" revisions.
+  "/configuration/index.html": "/cluster-setup.html#cluster-configuration"
+  "/configuration/": "/cluster-setup.html#cluster-configuration"
+  "/install/guidelines.html": "/install.html"
+  "/install/NEWS.html": "https://github.com/zeek/zeek/blob/master/NEWS"
+  "/install/release-notes.html": "https://github.com/zeek/zeek/blob/master/NEWS"
+  "/install/changes.html": "https://github.com/zeek/zeek/blob/master/CHANGES"
+  "/install/install.html": "/install.html"
+  "/install/upgrade.html": "/install.html"
+  "/install/cross-compiling.html": "/building-from-source.html#cross-compiling"
+  "/install/index.html": "/install.html"
+  "/install/": "/install.html"
+  "/examples/index.html": "/index.html"
+  "/examples/": "/index.html"
+  "/examples/ids/index.html": "/scripting/index.html"
+  "/examples/ids/": "/scripting/index.html"
+  "/examples/mimestats/index.html": "/scripting/index.html"
+  "/examples/mimestats/": "/scripting/index.html"
+  "/examples/scripting/index.html": "/scripting/index.html"
+  "/examples/scripting/": "/scripting/index.html"
+  "/examples/httpmonitor/index.html": "/logs/http.html"
+  "/examples/httpmonitor/": "/logs/http.html"
+  "/examples/logs/index.html": "/log-formats.html"
+  "/examples/logs/": "/log-formats.html"
+  "/cluster/index.html": "/cluster-setup.html"
+  "/cluster/": "/cluster-setup.html"
+  "/quickstart/index.html": "/quickstart.html"
+  "/quickstart/": "/quickstart.html"
+  "/devel/maintainers/index.html": "/devel/maintainers.html"
+  "/devel/maintainers/": "/devel/maintainers.html"
+  "/devel/maintainers/release-process.html": "/devel/maintainers.html"
+  "/devel/contributors/coding-style.html": "/devel/contributors.html"
+  "/devel/contributors/index.html": "/devel/contributors.html"
+  "/devel/contributors/": "/devel/contributors.html"
+  "/devel/contributors/documentation-style.html": "/devel/contributors.html"
+  "/devel/contributors/memory-checks.html": "/devel/contributors.html"
+  "/intro/index.html": "/about.html"
+  "/intro/": "/about.html"
+  # Revamped geolocation docs
+  "/frameworks/geoip.html": "/customizations.html#address-geolocation-and-as-lookups"
+  # Moved coding style doc when re-organizing maintainer/contributor guides.
+  "/devel/style_guide.html": "/devel/contributors/coding-style.html"
diff --git a/doc/requirements.txt b/doc/requirements.txt
new file mode 100644
index 0000000000..4f112c471f
--- /dev/null
+++ b/doc/requirements.txt
@@ -0,0 +1,7 @@
+Jinja2==3.1.6
+Pygments==2.19.2
+sphinx-rtd-theme==3.0.2
+# This version is the last version that supports Python 3.9.
+# 8.1.x is the last version series that supports Python 3.10.
+Sphinx==7.4.7
+GitPython==3.1.45
diff --git a/doc/ruff.toml b/doc/ruff.toml
new file mode 100644
index 0000000000..819c726815
--- /dev/null
+++ b/doc/ruff.toml
@@ -0,0 +1,4 @@
+target-version = "py39"
+
+[lint]
+select = ["C4", "F", "I", "ISC", "UP"]
\ No newline at end of file
diff --git a/doc/script-reference/assert_1.zeek b/doc/script-reference/assert_1.zeek
new file mode 100644
index 0000000000..dff0dee558
--- /dev/null
+++ b/doc/script-reference/assert_1.zeek
@@ -0,0 +1,18 @@
+event test_1() {
+	assert 3 == 3;
+	local x = 37;
+	assert x > 40;
+	print "not reached";
+}
+
+event test_2() {
+	assert 2 == 2;
+	local x = 37;
+	assert x > 40, fmt("%s is not greater than 40", x);
+	print "not reached";
+}
+
+event zeek_init() {
+	schedule 0.01sec { test_1() };
+	schedule 0.02sec { test_2() };
+}
diff --git a/doc/script-reference/attributes.rst b/doc/script-reference/attributes.rst
new file mode 100644
index 0000000000..afc883ccc5
--- /dev/null
+++ b/doc/script-reference/attributes.rst
@@ -0,0 +1,791 @@
+Attributes
+==========
+
+The Zeek scripting language supports customization of many language elements via
+*attributes*. For example, attributes can ensure that a function gets invoked
+whenever you modify a table, automatically expire elements from a set, or tell
+the :ref:`logging framework <framework-logging>` which record fields you'd like
+it to write. Zeek features the following attributes:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Description
+
+  * - :zeek:attr:`&redef`
+    - Redefine a global constant or extend a type.
+
+  * - :zeek:attr:`&priority`
+    - Specify priority for event handler or hook.
+
+  * - :zeek:attr:`&log`
+    - Mark a record field as to be written to a log.
+
+  * - :zeek:attr:`&optional`
+    - Allow a record field value to be missing.
+
+  * - :zeek:attr:`&default`
+    - Specify a default value.
+
+  * - :zeek:attr:`&default_insert`
+    - Specify a default value for tables with insert behavior.
+
+  * - :zeek:attr:`&add_func`
+    - Specify a function to call for each ``redef +=``.
+
+  * - :zeek:attr:`&delete_func`
+    - Same as ``&add_func``, except for ``redef -=``.
+
+  * - :zeek:attr:`&expire_func`
+    - Specify a function to call when container element expires.
+
+  * - :zeek:attr:`&read_expire`
+    - Specify a read timeout interval.
+
+  * - :zeek:attr:`&write_expire`
+    - Specify a write timeout interval.
+
+  * - :zeek:attr:`&create_expire`
+    - Specify a creation timeout interval.
+
+  * - :zeek:attr:`&on_change`
+    - Specify a function to call on set/table changes
+
+  * - :zeek:attr:`&raw_output`
+    - Open file in raw mode (chars. are not escaped).
+
+  * - :zeek:attr:`&error_handler`
+    - Used internally for reporter framework events.
+
+  * - :zeek:attr:`&type_column`
+    - Used by input framework for :zeek:type:`port` type.
+
+  * - :zeek:attr:`&backend`
+    - Used for table persistence/synchronization.
+
+  * - :zeek:attr:`&broker_store`
+    - Used for table persistence/synchronization.
+
+  * - :zeek:attr:`&broker_allow_complex_type`
+    - Used for table persistence/synchronization.
+
+  * - :zeek:attr:`&ordered`
+    - Used for predictable member iteration of tables and sets.
+
+  * - :zeek:attr:`&deprecated`
+    - Marks an identifier as deprecated.
+
+  * - :zeek:attr:`&is_assigned`
+    - Suppress "used before defined" warnings from ``zeek -u`` analysis.
+
+  * - :zeek:attr:`&is_used`
+    - Suppress lack-of-use warnings from ``zeek -u`` analysis.
+
+  * - :zeek:attr:`&group`
+    - Annotates event handlers and hooks with event groups.
+
+.. _attribute-propagation-pitfalls:
+
+.. warning::
+
+    A confusing pitfall can be mistaking that attributes bind to a *variable*
+    or a *type*, where in reality they bind to a *value*.  Example:
+
+    .. code-block:: zeek
+
+        global my_table: table[count] of string &create_expire=1sec;
+
+        event zeek_init()
+            {
+            my_table = table();
+            my_table[1] = "foo";
+            }
+
+    In the above, the re-assignment of ``my_table`` will also drop the original
+    *value*'s :zeek:attr:`&create_expire` and no entries will ever be expired
+    from ``my_table``.  The alternate way of re-assignment that creates a new
+    table *value* with the expected attribute would be:
+
+    .. code-block:: zeek
+
+        my_table = table() &create_expire=1sec;
+
+Here is a more detailed explanation of each attribute:
+
+.. zeek:attr:: &redef
+
+&redef
+------
+
+Allows use of a :zeek:keyword:`redef` to redefine initial values of
+global variables (i.e., variables declared either :zeek:keyword:`global`
+or :zeek:keyword:`const`).  Example:
+
+.. code-block:: zeek
+
+    const clever = T &redef;
+    global cache_size = 256 &redef;
+
+Note that a variable declared ``global`` can also have its value changed
+with assignment statements (doesn't matter if it has the :zeek:attr:`&redef`
+attribute or not).
+
+.. zeek:attr:: &priority
+
+&priority
+---------
+
+Specifies the execution priority (as a signed integer) of a hook or
+event handler. Higher values are executed before lower ones. The
+default value is ``0``.  Example:
+
+.. code-block:: zeek
+
+    event zeek_init() &priority=10
+        {
+        print "high priority";
+        }
+
+.. zeek:attr:: &log
+
+&log
+----
+
+When a :zeek:type:`record` field has the ``&log`` attribute, this field is
+included as a column in the log stream associated with the record type. This
+association happens with :zeek:see:`Log::create_stream` and commonly looks as
+follows:
+
+.. code-block:: zeek
+
+    redef enum Log::ID += { LOG };
+
+    type Info: record {
+        ts: time &log &default=network_time();
+        id: conn_id &log;
+        msg: string &log;
+        hidden: count &default=0;  # This is not logged.
+    };
+
+    event zeek_init() {
+        Log::create_stream(LOG, [$columns=Info, $path="example"]);
+    }
+
+The log stream above will have the columns ``ts``, ``id`` and ``msg``.
+
+When ``&log`` is placed at the end of a record type declaration, all fields
+listed in the declaration will have the ``&log`` attribute implicitly.
+
+.. code-block:: zeek
+
+    type conn_id: record {
+        orig_h: addr;
+        orig_p: port;
+        resp_h: addr;
+        resp_p: port;
+    } &log;
+
+Fields added to such a record types later on using :zeek:see:`redef` need to
+explicitly specify ``&log`` again, however.
+
+.. zeek:attr:: &optional
+
+&optional
+---------
+
+Allows a record field value to be missing. Zeek allows such fields to remain
+uninitialized and unassigned, and to have assigned values removed via
+:zeek:keyword:`delete`.
+
+In this example, the record could be instantiated with either
+``myrec($a=127.0.0.1)`` or ``myrec($a=127.0.0.1, $b=80/tcp)``:
+
+.. code-block:: zeek
+
+    type myrec: record { a: addr; b: port &optional; };
+
+The ``?$`` operator can be used to check if a record field has a value or
+not (it returns a ``bool`` value of ``T`` if the field has a value,
+and ``F`` if not).
+
+.. zeek:attr:: &default
+
+&default
+--------
+
+Specifies a default value for a record field, container element, or a
+function/hook/event parameter.
+
+In this example, the record could be instantiated with either
+``myrec($a=5, $c=3.14)`` or ``myrec($a=5, $b=53/udp, $c=3.14)``:
+
+.. code-block:: zeek
+
+    type myrec: record { a: count; b: port &default=80/tcp; c: double; };
+
+In this example, the table will return the string ``"foo"`` for any
+attempted access to a non-existing index:
+
+.. code-block:: zeek
+
+    global mytable: table[count] of string &default="foo";
+
+In addition to constant values as shown above, the :zeek:attr:`&default` attribute
+also accepts arbitrary Zeek expressions. For example, arithmetic expressions and
+function calls are possible:
+
+.. code-block:: zeek
+
+   type Info: record {
+       ts: time &log &default=network_time();
+       ts_ms: double &log &default=time_to_double(network_time()) * 1000;
+   };
+
+The expressions are evaluated whenever a new record is instantiated.
+
+On tables, the :zeek:attr:`&default` attribute can further be set to a function
+(including an anonymous lambda function), which will be invoked for any read access
+to a non-existing index to generate a substitute result. The signature of such a default function
+has to match with the index and value types of the given table. Below, a default
+function for a table with a composite index and value type of :zeek:type:`string` is shown.
+The arguments for the function call, ``c`` and ``s`` below, are populated with
+the values used for the index:
+
+.. code-block:: zeek
+
+    function table_default(c: count, s: string): string {
+        return fmt("unknown-%s-%s", c, s);
+    }
+
+    global mytable: table[count, string] of string &default=table_default;
+
+    print mytable[0, "a"];
+
+Using an anonymous function instead looks as follows:
+
+.. code-block:: zeek
+
+    global mytable: table[count, string] of string &default=function(c: count, s: string): string {
+        return fmt("unknown-%s-%s", c, s);
+    };
+
+    print mytable[0, "a"];
+
+The output of both these examples is ``unknown-0-a``.
+
+A common usage pattern of the :zeek:attr:`&default` attribute in Zeek's base
+scripts is to format a default textual representation for unknown protocol
+values that are otherwise mapped to textual descriptions.
+The following excerpt is from :doc:`/scripts/base/protocols/dns/consts.zeek`
+mapping numeric DNS query types to their textual representation. A default
+function is used to produce a string containing the numeric value of query types:
+
+.. code-block:: zeek
+
+    ## Mapping of DNS query type codes to human readable string
+    ## representation.
+    const query_types = {
+        [1] = "A",
+        [2] = "NS",
+        [3] = "MD",
+        [4] = "MF",
+        [5] = "CNAME",
+        # many many more ...
+        [65422] = "XPF",
+        [65521] = "INTEGRITY",
+    } &default = function(n: count): string { return fmt("query-%d", n); };
+
+
+Note that when accessing a non-existing index, the created default value will
+not be inserted into the table. The following script will output ``foo``,
+but the table remains empty. The second print statement outputs ``0``:
+
+.. code-block:: zeek
+
+    global mytable: table[count] of string &default="foo";
+    print mytable[0];
+    print |mytable|;
+
+For inserting the created default value into a table, the :zeek:attr:`&default_insert`
+attribute can be used instead.
+
+When used with function/hook/event parameters, all of the parameters
+with the :zeek:attr:`&default` attribute must come after all other parameters.
+For example, the following function could be called either as ``myfunc(5)``
+or as ``myfunc(5, 53/udp)``:
+
+.. code-block:: zeek
+
+    function myfunc(a: count, b: port &default=80/tcp)
+        {
+        print a, b;
+        }
+
+.. zeek:attr:: &default_insert
+
+&default_insert
+---------------
+
+.. versionadded:: 6.1
+
+This attribute is only applicable to tables. :zeek:attr:`&default_insert`
+provides the same functionality as table's :zeek:attr:`&default` but with the addition
+that upon access to a non-existing index, the created value will be inserted
+into the table. For complex value types like tables or record types used for
+tracking further state, :zeek:attr:`&default_insert` is often more useful and
+efficient than :zeek:attr:`&default`.
+
+.. zeek:attr:: &add_func
+
+&add_func
+---------
+
+Can be applied to an identifier with &redef to specify a function to
+be called any time a ``redef <id> += ...`` declaration is parsed.  The
+function takes two arguments of the same type as the identifier, the first
+being the old value of the variable and the second being the new
+value given after the ``+=`` operator in the :zeek:keyword:`redef` declaration.  The
+return value of the function will be the actual new value of the
+variable after the "redef" declaration is parsed.
+
+.. zeek:attr:: &delete_func
+
+&delete_func
+------------
+
+Same as :zeek:attr:`&add_func`, except for :zeek:keyword:`redef` declarations
+that use the ``-=`` operator.
+
+.. zeek:attr:: &expire_func
+
+&expire_func
+------------
+
+Called right before a container element expires. The function's first
+argument is of the same type as the container it is associated with.
+The function then takes a variable number of arguments equal to the
+number of indexes in the container. For example, for a
+``table[string,string] of count`` the expire function signature is:
+
+.. code-block:: zeek
+
+    function(t: table[string, string] of count, s: string, s2: string): interval
+
+The return value is an :zeek:type:`interval` indicating the amount of
+additional time to wait before expiring the container element at the
+given index (which will trigger another execution of this function).
+
+.. zeek:attr:: &read_expire
+
+&read_expire
+------------
+
+Specifies a read expiration timeout for container elements. That is,
+the element expires after the given amount of time since the last
+time it has been read. Note that a write also counts as a read.
+
+.. zeek:attr:: &write_expire
+
+&write_expire
+-------------
+
+Specifies a write expiration timeout for container elements. That
+is, the element expires after the given amount of time since the
+last time it has been written.
+
+.. zeek:attr:: &create_expire
+
+&create_expire
+--------------
+
+Specifies a creation expiration timeout for container elements. That
+is, the element expires after the given amount of time since it has
+been inserted into the container, regardless of any reads or writes.
+
+.. note::
+
+   In order to support expiration timeouts, Zeek associates a timer
+   with each container that weeds out stale entries. For containers with many members,
+   Zeek needs to keep an eye on the amount of effort spent expiring
+   elements. It does this via three configurable properties:
+
+   * :zeek:see:`table_expire_interval` specifies how frequently Zeek checks a
+     container's members. The interval establishes an upper bound on how long it
+     may take Zeek to react to an element's expiration.
+
+   * :zeek:see:`table_incremental_step` specifies how many members Zeek
+     checks in one batch.
+
+   * :zeek:see:`table_expire_delay` interval specifies how long Zeek
+     waits until it processes the next batch of members.
+
+.. zeek:attr:: &on_change
+
+&on_change
+----------
+
+Called right after a change has been applied to a container. The function's
+first argument is of the same type as the container it is associated with,
+followed by a :zeek:see:`TableChange` record which specifies the type of change
+that happened. The function then takes a variable number of arguments equal to
+the number of indexes in the container, followed by an argument for the value
+of the container (if the container has a value) For example, for a
+``table[string,string] of count`` the ``&on_change`` function signature is:
+
+.. code-block:: zeek
+
+    function(t: table[string, string] of count, tpe: TableChange,
+             s: string, s2: string, val: count)
+
+For a ``set[count]`` the function signature is:
+
+.. code-block:: zeek
+
+    function(s: set[count], tpe: TableChange, c: count)
+
+The passed value specifies the state of a value before the change, where this
+makes sense. In case a element is changed, removed, or expired, the passed
+value will be the value before the change, removal, or expiration. When an
+element is added, the passed value will be the value of the added element
+(since no old element existed).
+
+Note that the ``&on_change`` function is only called when the container itself
+is modified (due to an assignment, delete operation, or expiry). When a
+container contains a complex element (like a record, set, or vector), changes
+to these complex elements are not propagated back to the parent.  For example,
+in this example the ``change_function`` for the table will only be called once,
+when ``s`` is inserted,  but it will not be called when ``s`` is changed:
+
+.. code-block:: zeek
+
+    local t: table[string] of set[string] &on_change=change_function;
+    local s: set[string] = set();
+    t["s"] = s; # change_function of t is called
+    add s["a"]; # change_function of t is _not_ called.
+
+Also note that the ``&on_change`` function of a container will not be called
+when the container is already executing its ``&on_change`` function. Thus,
+writing an ``&on_change`` function like this is supported and will not lead to
+a infinite loop:
+
+.. code-block:: zeek
+
+    local t: table[string] of set[string] &on_change=change_function;
+
+    function change_function(t: table[string, int] of count, tpe: TableChange,
+                             idxa: string, idxb: int, val: count)
+        {
+        t[idxa, idxb] = val+1;
+        }
+
+.. zeek:attr:: &raw_output
+
+&raw_output
+-----------
+
+Opens a file in raw mode, i.e., non-ASCII characters are not escaped.
+
+.. zeek:attr:: &error_handler
+
+&error_handler
+--------------
+
+Internally set on the events that are associated with the reporter
+framework: :zeek:id:`reporter_info`, :zeek:id:`reporter_warning`, and
+:zeek:id:`reporter_error`.  It prevents any handlers of those events
+from being able to generate reporter messages that go through any of
+those events (i.e., it prevents an infinite event recursion).  Instead,
+such nested reporter messages are output to stderr.
+
+.. zeek:attr:: &type_column
+
+&type_column
+------------
+
+Used by the input framework. It can be used on columns of type
+:zeek:type:`port` (such a column only contains the port number) and
+specifies the name of an additional column in
+the input file which specifies the protocol of the port (tcp/udp/icmp).
+
+In the following example, the input file would contain four columns
+named ``ip``, ``srcp``, ``proto``, and ``msg``:
+
+.. code-block:: zeek
+
+    type Idx: record {
+        ip: addr;
+    };
+
+
+    type Val: record {
+        srcp: port &type_column = "proto";
+        msg: string;
+    };
+
+.. zeek:attr:: &backend
+
+&backend
+--------
+
+Used for persisting tables/sets and/or synchronizing them over a cluster.
+
+This attribute binds a table to a Broker store. Changes to the table
+are sent to the Broker store, and changes to the Broker store are applied
+back to the table.
+
+Since Broker stores are synchronized over a cluster, this sends
+table changes to all other nodes in the cluster. When using a persistent Broker
+store backend, the content of the tables/sets will be restored on startup.
+
+This attribute expects the type of backend you want to use for the table. For
+example, to bind a table to a memory-backed Broker store, use:
+
+.. code-block:: zeek
+
+    global t: table[string] of count &backend=Broker::MEMORY;
+
+.. zeek:attr:: &broker_store
+
+&broker_store
+-------------
+
+This attribute is similar to :zeek:attr:`&backend` in allowing a Zeek table to
+bind to a Broker store. It differs from :zeek:attr:`&backend` as this attribute
+allows you to specify the Broker store you want to bind, without creating it.
+
+Use this if you want to bind a table to a Broker store with special options.
+
+Example:
+
+.. code-block:: zeek
+
+     global teststore: opaque of Broker::Store;
+
+     global t: table[string] of count &broker_store="teststore";
+
+     event zeek_init()
+         {
+         teststore = Broker::create_master("teststore");
+         }
+
+.. zeek:attr:: &broker_allow_complex_type
+
+&broker_allow_complex_type
+--------------------------
+
+By default only tables containing atomic types can be bound to Broker stores.
+Specifying this attribute before :zeek:attr:`&backend` or :zeek:attr:`&broker_store`
+disables this safety feature and allows complex types to be stored in a Broker backed
+table.
+
+.. warning::
+
+    Storing complex types in Broker backed store comes with severe restrictions.
+    When you modify a stored complex type after inserting it into a table, that change in a stored complex type
+    will *not propagate* to Broker. Hence to send out the new value, so that it will be persisted/synchronized
+    over the cluster, you will have to re-insert the complex type into the local zeek table.
+
+    For example:
+
+    .. code-block:: zeek
+
+            type testrec: record {
+                a: count;
+            };
+
+            global t: table[string] of testrec &broker_allow_complex_type &backend=Broker::MEMORY;
+
+            event zeek_init()
+                {
+                local rec = testrec($a=5);
+                t["test"] = rec;
+                rec$a = 6; # This will not propagate to Broker! You have to re-insert.
+                # Propagate new value to Broker:
+                t["test"] = rec;
+                }
+
+.. zeek:attr:: &ordered
+
+&ordered
+--------
+
+Used on tables and sets, this attribute ensures that iteration yields members in
+the order they were inserted. Without this attribute, the iteration order remains
+undefined. The following is guaranteed to print "foo", "bar", and "baz", in that
+order:
+
+.. code-block:: zeek
+
+    global sset: set[string] &ordered;
+
+    event zeek_init()
+        {
+        add sset["foo"];
+        add sset["bar"];
+        add sset["baz"];
+
+        for ( s in sset )
+            print s;
+        }
+
+.. zeek:attr:: &deprecated
+
+&deprecated
+-----------
+
+The associated identifier is marked as deprecated and will be
+removed in a future version of Zeek.  Look in the :file:`NEWS` file for more
+instructions to migrate code that uses deprecated functionality.
+This attribute can be assigned an optional string literal value to
+print along with the deprecation warning. The preferred format of
+this warning message should include the version number in which
+the identifier will be removed:
+
+.. code-block:: zeek
+
+    type warned: string &deprecated="Remove in vX.Y.  This type is deprecated because of reasons, use 'foo' instead.";
+
+.. zeek:attr:: &is_assigned
+
+&is_assigned
+------------
+
+Zeek has static analysis capabilities
+for detecting locations in a script that attempt to use a
+local variable before it is necessarily defined/assigned.  You activate
+this using the ``-u`` command-line flag.
+
+However the static analysis lacks sufficient power to tell that some
+values are being used safely (guaranteed to have been assigned).  In order to
+enable users to employ ``-u`` on their own scripts without being
+distracted by these false positives, the ``&is_assigned`` attribute can be
+associated with a variable to inform Zeek's analysis that the
+script writer asserts the value will be set, suppressing the associated
+warnings.
+
+.. code-block:: zeek
+  :caption: test1.zeek
+  :linenos:
+
+    event zeek_init()
+        {
+        local a: count;
+        print a;
+        }
+
+.. code-block:: console
+
+  $ zeek -b -u test1.zeek
+
+::
+
+  warning in ./test1.zeek, line 4: possibly used without definition (a)
+  expression error in ./test1.zeek, line 4: value used but not set (a)
+
+.. code-block:: zeek
+  :caption: test2.zeek
+  :linenos:
+
+    event zeek_init()
+        {
+        # Note this is not a real place to want to use &is_assigned since it's
+        # clearly a bug, but it demonstrates suppression of warning.
+        local a: count &is_assigned;
+        print a;
+        }
+
+.. code-block:: console
+
+  $ zeek -b -u test2.zeek
+
+::
+
+  expression error in ./test2.zeek, line 6: value used but not set (a)
+
+.. zeek:attr:: &is_used
+
+&is_used
+--------
+
+Zeek has static analysis capabilities for detecting locations in a script where
+local variables are assigned values that are not subsequently used (i.e. "dead
+code").
+
+It can also warn about unused functions, hooks, and event handlers.  The intent
+behind these checks is to catch instances where the script writer has introduced
+typos in names, or has forgotten to remove code that's no longer needed.  For
+functions and hooks, "unused" means the function/hook is neither exported nor in the
+global scope, and no "live" (i.e., not "unused") function/hook/event handler
+calls it.  For event handlers, "unused" means that the event engine does not
+generate the event, nor do any "live" functions/hooks/event handlers generate it.
+
+Zeek never reports any functions/hooks/event handlers that are marked deprecated
+(via :zeek:attr:`&deprecated`) as unused.
+
+For cases where it's desirable to suppress the warning, the
+``&is_used`` attribute may be applied, for example:
+
+.. code-block:: zeek
+  :caption: test.zeek
+  :linenos:
+
+    module Test;
+
+    export {
+        global baz: function();
+    }
+
+    function foo()
+        {
+        }
+
+    function bar() &is_used
+        {
+        }
+
+    function baz()
+        {
+        }
+
+    event zeek_init()
+        {
+        local please_warn: string = "test";
+        local please_no_warning: string = "test" &is_used;
+        }
+
+.. code-block:: console
+
+  $ zeek -a -b -u test.zeek
+
+::
+
+  warning in ./test.zeek, line 7: non-exported function does not have any callers (Test::foo)
+  warning: Test::please_warn assignment unused: Test::please_warn = test; ./test.zeek, line 21
+
+.. zeek:attr:: &group
+
+&group
+------
+
+The ``&group`` attribute can be used on event handlers and hooks to add them
+into event groups.
+By default, all event groups are enabled. Disabling an event group disables
+all event handlers and hooks with a matching ``&group`` attribute. When an
+event handler or hook is part of multiple groups it is enabled only if all
+groups are enabled.
+
+.. code-block:: zeek
+
+     event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &group="my-http-group"
+         {
+         ...
+         }
+
+     event zeek_init()
+         {
+         disable_event_group("my-http-group");
+         }
+
+See also the documentation for the functions :zeek:see:`enable_event_group`
+and :zeek:see:`disable_event_group`.
diff --git a/doc/script-reference/autogenerated-file-analyzer-index.rst b/doc/script-reference/autogenerated-file-analyzer-index.rst
new file mode 100644
index 0000000000..4d0b406e17
--- /dev/null
+++ b/doc/script-reference/autogenerated-file-analyzer-index.rst
@@ -0,0 +1,1051 @@
+File Analyzers
+==============
+
+.. zeek:type:: Files::Tag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Files::ANALYZER_DATA_EVENT Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_ENTROPY Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_EXTRACT Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_MD5 Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_SHA1 Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_SHA256 Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_PE Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_OCSP_REPLY Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_OCSP_REQUEST Files::Tag
+
+      .. zeek:enum:: Files::ANALYZER_X509 Files::Tag
+
+.. _plugin-zeek-filedataevent:
+
+Zeek::FileDataEvent
+-------------------
+
+Delivers file content
+
+Components
+++++++++++
+
+:zeek:enum:`Files::ANALYZER_DATA_EVENT`
+
+.. _plugin-zeek-fileentropy:
+
+Zeek::FileEntropy
+-----------------
+
+Entropy test file content
+
+Components
+++++++++++
+
+:zeek:enum:`Files::ANALYZER_ENTROPY`
+
+Events
+++++++
+
+.. zeek:id:: file_entropy
+   :source-code: policy/frameworks/files/entropy-test-all-files.zeek 16 19
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ent: :zeek:type:`entropy_test_result`)
+
+   This event is generated each time file analysis performs
+   entropy testing on a file.
+   
+
+   :param f: The file.
+   
+
+   :param ent: The results of the entropy testing.
+   
+
+.. _plugin-zeek-fileextract:
+
+Zeek::FileExtract
+-----------------
+
+Extract file content
+
+Components
+++++++++++
+
+:zeek:enum:`Files::ANALYZER_EXTRACT`
+
+Events
+++++++
+
+.. zeek:id:: file_extraction_limit
+   :source-code: base/files/extract/main.zeek 89 93
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, args: :zeek:type:`Files::AnalyzerArgs`, limit: :zeek:type:`count`, len: :zeek:type:`count`)
+
+   This event is generated when a file extraction analyzer is about
+   to exceed the maximum permitted file size allowed by the
+   *extract_limit* field of :zeek:see:`Files::AnalyzerArgs`.
+   The analyzer is automatically removed from file *f*.
+   
+
+   :param f: The file.
+   
+
+   :param args: Arguments that identify a particular file extraction analyzer.
+         This is only provided to be able to pass along to
+         :zeek:see:`FileExtract::set_limit`.
+   
+
+   :param limit: The limit, in bytes, the extracted file is about to breach.
+   
+
+   :param len: The length of the file chunk about to be written.
+   
+   .. zeek:see:: Files::add_analyzer Files::ANALYZER_EXTRACT
+
+Functions
++++++++++
+
+.. zeek:id:: FileExtract::__set_limit
+   :source-code: base/bif/plugins/Zeek_FileExtract.functions.bif.zeek 12 12
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`, args: :zeek:type:`any`, n: :zeek:type:`count`) : :zeek:type:`bool`
+
+   :zeek:see:`FileExtract::set_limit`.
+
+.. _plugin-zeek-filehash:
+
+Zeek::FileHash
+--------------
+
+Hash file content
+
+Components
+++++++++++
+
+:zeek:enum:`Files::ANALYZER_MD5`
+
+:zeek:enum:`Files::ANALYZER_SHA1`
+
+:zeek:enum:`Files::ANALYZER_SHA256`
+
+Events
+++++++
+
+.. zeek:id:: file_hash
+   :source-code: base/bif/plugins/Zeek_FileHash.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, kind: :zeek:type:`string`, hash: :zeek:type:`string`)
+
+   This event is generated each time file analysis generates a digest of the
+   file contents.
+   
+
+   :param f: The file.
+   
+
+   :param kind: The type of digest algorithm.
+   
+
+   :param hash: The result of the hashing.
+   
+   .. zeek:see:: Files::add_analyzer Files::ANALYZER_MD5
+      Files::ANALYZER_SHA1 Files::ANALYZER_SHA256
+
+.. _plugin-zeek-pe:
+
+Zeek::PE
+--------
+
+Portable Executable analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Files::ANALYZER_PE`
+
+Events
+++++++
+
+.. zeek:id:: pe_dos_header
+   :source-code: base/files/pe/main.zeek 72 75
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::DOSHeader`)
+
+   A :abbr:`PE (Portable Executable)` file DOS header was parsed.
+   This is the top-level header and contains information like the
+   size of the file, initial value of registers, etc.
+   
+
+   :param f: The file.
+   
+
+   :param h: The parsed DOS header information.
+   
+   .. zeek:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
+
+.. zeek:id:: pe_dos_code
+   :source-code: base/bif/plugins/Zeek_PE.events.bif.zeek 25 25
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, code: :zeek:type:`string`)
+
+   A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
+   The stub is a valid application that runs under MS-DOS, by default
+   to inform the user that the program can't be run in DOS mode.
+   
+
+   :param f: The file.
+   
+
+   :param code: The DOS stub
+   
+   .. zeek:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
+
+.. zeek:id:: pe_file_header
+   :source-code: base/files/pe/main.zeek 77 90
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::FileHeader`)
+
+   A :abbr:`PE (Portable Executable)` file file header was parsed.
+   This header contains information like the target machine,
+   the timestamp when the file was created, the number of sections, and
+   pointers to other parts of the file.
+   
+
+   :param f: The file.
+   
+
+   :param h: The parsed file header information.
+   
+   .. zeek:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
+
+.. zeek:id:: pe_optional_header
+   :source-code: base/files/pe/main.zeek 92 119
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::OptionalHeader`)
+
+   A :abbr:`PE (Portable Executable)` file optional header was parsed.
+   This header is required for executable files, but not for object files.
+   It contains information like OS requirements to execute the file, the
+   original entry point address, and information needed to load the file
+   into memory.
+   
+
+   :param f: The file.
+   
+
+   :param h: The parsed optional header information.
+   
+   .. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
+
+.. zeek:id:: pe_section_header
+   :source-code: base/files/pe/main.zeek 121 132
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::SectionHeader`)
+
+   A :abbr:`PE (Portable Executable)` file section header was parsed.
+   This header contains information like the section name, size, address,
+   and characteristics.
+   
+
+   :param f: The file.
+   
+
+   :param h: The parsed section header information.
+   
+   .. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header
+
+.. _plugin-zeek-x509:
+
+Zeek::X509
+----------
+
+X509 and OCSP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Files::ANALYZER_OCSP_REPLY`
+
+:zeek:enum:`Files::ANALYZER_OCSP_REQUEST`
+
+:zeek:enum:`Files::ANALYZER_X509`
+
+Types
++++++
+
+.. zeek:type:: X509::Certificate
+   :source-code: base/init-bare.zeek 5087 5102
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count` :zeek:attr:`&log`
+
+      Version number.
+
+
+   .. zeek:field:: serial :zeek:type:`string` :zeek:attr:`&log`
+
+      Serial number.
+
+
+   .. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log`
+
+      Subject.
+
+
+   .. zeek:field:: issuer :zeek:type:`string` :zeek:attr:`&log`
+
+      Issuer.
+
+
+   .. zeek:field:: cn :zeek:type:`string` :zeek:attr:`&optional`
+
+      Last (most specific) common name.
+
+
+   .. zeek:field:: not_valid_before :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp before when certificate is not valid.
+
+
+   .. zeek:field:: not_valid_after :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp after when certificate is not valid.
+
+
+   .. zeek:field:: key_alg :zeek:type:`string` :zeek:attr:`&log`
+
+      Name of the key algorithm
+
+
+   .. zeek:field:: sig_alg :zeek:type:`string` :zeek:attr:`&log`
+
+      Name of the signature algorithm
+
+
+   .. zeek:field:: key_type :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Key type, if key parseable by openssl (either rsa, dsa or ec)
+
+
+   .. zeek:field:: key_length :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Key length in bits
+
+
+   .. zeek:field:: exponent :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Exponent, if RSA-certificate
+
+
+   .. zeek:field:: curve :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Curve, if EC-certificate
+
+
+   .. zeek:field:: tbs_sig_alg :zeek:type:`string`
+
+      Name of the signature algorithm given inside the tbsCertificate. Should be equivalent to `sig_alg`.
+
+
+
+.. zeek:type:: X509::Extension
+   :source-code: base/init-bare.zeek 5104 5110
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Long name of extension. oid if name not known
+
+
+   .. zeek:field:: short_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Short name of extension if known
+
+
+   .. zeek:field:: oid :zeek:type:`string`
+
+      Oid of extension
+
+
+   .. zeek:field:: critical :zeek:type:`bool`
+
+      True if extension is critical
+
+
+   .. zeek:field:: value :zeek:type:`string`
+
+      Extension content parsed to string for known extensions. Raw data otherwise.
+
+
+
+.. zeek:type:: X509::BasicConstraints
+   :source-code: base/init-bare.zeek 5112 5115
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ca :zeek:type:`bool` :zeek:attr:`&log`
+
+      CA flag set?
+
+
+   .. zeek:field:: path_len :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Maximum path length
+
+   :Attributes: :zeek:attr:`&log`
+
+
+.. zeek:type:: X509::SubjectAlternativeName
+   :source-code: base/init-bare.zeek 5117 5123
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dns :zeek:type:`string_vec` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      List of DNS entries in SAN
+
+
+   .. zeek:field:: uri :zeek:type:`string_vec` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      List of URI entries in SAN
+
+
+   .. zeek:field:: email :zeek:type:`string_vec` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      List of email entries in SAN
+
+
+   .. zeek:field:: ip :zeek:type:`addr_vec` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      List of IP entries in SAN
+
+
+   .. zeek:field:: other_fields :zeek:type:`bool`
+
+      True if the certificate contained other, not recognized or parsed name fields
+
+
+
+.. zeek:type:: X509::Result
+   :source-code: base/init-bare.zeek 5126 5133
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: result :zeek:type:`int`
+
+      OpenSSL result code
+
+
+   .. zeek:field:: result_string :zeek:type:`string`
+
+      Result as string
+
+
+   .. zeek:field:: chain_certs :zeek:type:`vector` of :zeek:type:`opaque` of x509 :zeek:attr:`&optional`
+
+      References to the final certificate chain, if verification successful. End-host certificate is first.
+
+
+   Result of an X509 certificate chain verification
+
+Events
+++++++
+
+.. zeek:id:: x509_certificate
+   :source-code: base/bif/plugins/Zeek_X509.events.bif.zeek 20 20
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, cert_ref: :zeek:type:`opaque` of x509, cert: :zeek:type:`X509::Certificate`)
+
+   Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
+   connection handshake.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
+   about the X.509 format.
+   
+
+   :param f: The file.
+   
+
+   :param cert_ref: An opaque pointer to the underlying OpenSSL data structure of the
+             certificate.
+   
+
+   :param cert: The parsed certificate information.
+   
+   .. zeek:see:: x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse x509_verify
+                x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: x509_extension
+   :source-code: base/files/x509/main.zeek 205 212
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ext: :zeek:type:`X509::Extension`)
+
+   Generated for X509 extensions seen in a certificate.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
+   about the X.509 format.
+   
+
+   :param f: The file.
+   
+
+   :param ext: The parsed extension.
+   
+   .. zeek:see:: x509_certificate x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse x509_verify
+                x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: x509_ext_basic_constraints
+   :source-code: base/files/x509/main.zeek 214 221
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ext: :zeek:type:`X509::BasicConstraints`)
+
+   Generated for the X509 basic constraints extension seen in a certificate.
+   This extension can be used to identify the subject of a certificate as a CA.
+   
+
+   :param f: The file.
+   
+
+   :param ext: The parsed basic constraints extension.
+   
+   .. zeek:see:: x509_certificate x509_extension
+                x509_ext_subject_alternative_name x509_parse x509_verify
+                x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: x509_ext_subject_alternative_name
+   :source-code: base/bif/plugins/Zeek_X509.events.bif.zeek 63 63
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ext: :zeek:type:`X509::SubjectAlternativeName`)
+
+   Generated for the X509 subject alternative name extension seen in a certificate.
+   This extension can be used to allow additional entities to be bound to the
+   subject of the certificate. Usually it is used to specify one or multiple DNS
+   names for which a certificate is valid.
+   
+
+   :param f: The file.
+   
+
+   :param ext: The parsed subject alternative name extension.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
+                x509_get_certificate_string
+
+.. zeek:id:: x509_ocsp_ext_signed_certificate_timestamp
+   :source-code: base/bif/plugins/Zeek_X509.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, version: :zeek:type:`count`, logid: :zeek:type:`string`, timestamp: :zeek:type:`count`, hash_algorithm: :zeek:type:`count`, signature_algorithm: :zeek:type:`count`, signature: :zeek:type:`string`)
+
+   Generated for the signed_certificate_timestamp X509 extension as defined in
+   :rfc:`6962`. The extension is used to transmit signed proofs that are
+   used for Certificate Transparency. Raised when the extension is encountered
+   in an X.509 certificate or in an OCSP reply.
+   
+
+   :param f: The file.
+   
+
+   :param version: the version of the protocol to which the SCT conforms. Always
+            should be 0 (representing version 1)
+   
+
+   :param logid: 32 bit key id
+   
+
+   :param timestamp: the NTP Time when the entry was logged measured since
+              the epoch, ignoring leap seconds, in milliseconds.
+   
+
+   :param signature_and_hashalgorithm: signature and hash algorithm used for the
+                                digitally_signed struct
+   
+
+   :param signature: signature part of the digitally_signed struct
+   
+   .. zeek:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
+                x509_parse x509_verify x509_ext_subject_alternative_name
+                x509_get_certificate_string ssl_extension_signed_certificate_timestamp
+                sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
+                ocsp_response_bytes ocsp_response_certificate
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_request
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 16 16
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, version: :zeek:type:`count`)
+
+   Event that is raised when encountering an OCSP request, e.g. in an HTTP
+   connection. See :rfc:`6960` for more details.
+   
+   This event is raised exactly once for each OCSP Request.
+   
+
+   :param f: The file.
+   
+
+   :param req: version: the version of the OCSP request. Typically 0 (Version 1).
+   
+   .. zeek:see:: ocsp_request_certificate ocsp_response_status
+                ocsp_response_bytes ocsp_response_certificate ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_request_certificate
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, hashAlgorithm: :zeek:type:`string`, issuerNameHash: :zeek:type:`string`, issuerKeyHash: :zeek:type:`string`, serialNumber: :zeek:type:`string`)
+
+   Event that is raised when encountering an OCSP request for a certificate,
+   e.g. in an HTTP connection. See :rfc:`6960` for more details.
+   
+   Note that a single OCSP request can contain requests for several certificates.
+   Thus this event can fire several times for one OCSP request, each time
+   requesting information for a different (or in theory even the same) certificate.
+   
+
+   :param f: The file.
+   
+
+   :param hashAlgorithm: The hash algorithm used for the issuerKeyHash.
+   
+
+   :param issuerKeyHash: Hash of the issuers public key.
+   
+
+   :param serialNumber: Serial number of the certificate for which the status is requested.
+   
+   .. zeek:see:: ocsp_request ocsp_response_status
+                ocsp_response_bytes ocsp_response_certificate ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_response_status
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 52 52
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, status: :zeek:type:`string`)
+
+   This event is raised when encountering an OCSP reply, e.g. in an HTTP
+   connection or a TLS extension. See :rfc:`6960` for more details.
+   
+   This event is raised exactly once for each OCSP reply.
+   
+
+   :param f: The file.
+   
+
+   :param status: The status of the OCSP response (e.g. successful, malformedRequest, tryLater).
+   
+   .. zeek:see:: ocsp_request ocsp_request_certificate
+                ocsp_response_bytes ocsp_response_certificate ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_response_bytes
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 77 77
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, status: :zeek:type:`string`, version: :zeek:type:`count`, responderId: :zeek:type:`string`, producedAt: :zeek:type:`time`, signatureAlgorithm: :zeek:type:`string`, certs: :zeek:type:`x509_opaque_vector`)
+
+   This event is raised when encountering an OCSP response that contains response information.
+   An OCSP reply can be encountered, for example, in an HTTP connection or
+   a TLS extension. See :rfc:`6960` for more details on OCSP.
+   
+
+   :param f: The file.
+   
+
+   :param status: The status of the OCSP response (e.g. successful, malformedRequest, tryLater).
+   
+
+   :param version: Version of the OCSP response (typically - for version 1).
+   
+
+   :param responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
+   
+
+   :param producedAt: Time at which the reply was produced.
+   
+
+   :param signatureAlgorithm: Algorithm used for the OCSP signature.
+   
+
+   :param certs: Optional list of certificates that are sent with the OCSP response; these typically
+          are needed to perform validation of the reply.
+   
+   .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+                ocsp_response_certificate ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_response_certificate
+   :source-code: base/files/x509/log-ocsp.zeek 47 61
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, hashAlgorithm: :zeek:type:`string`, issuerNameHash: :zeek:type:`string`, issuerKeyHash: :zeek:type:`string`, serialNumber: :zeek:type:`string`, certStatus: :zeek:type:`string`, revokeTime: :zeek:type:`time`, revokeReason: :zeek:type:`string`, thisUpdate: :zeek:type:`time`, nextUpdate: :zeek:type:`time`)
+
+   This event is raised for each SingleResponse contained in an OCSP response.
+   See :rfc:`6960` for more details on OCSP.
+   
+
+   :param f: The file.
+   
+
+   :param hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
+   
+
+   :param issuerNameHash: Hash of the issuer's distinguished name.
+   
+
+   :param issuerKeyHash: Hash of the issuer's public key.
+   
+
+   :param serialNumber: Serial number of the affected certificate.
+   
+
+   :param certStatus: Status of the certificate.
+   
+
+   :param revokeTime: Time the certificate was revoked, 0 if not revoked.
+   
+
+   :param revokeReason: Reason certificate was revoked; empty string if not revoked or not specified.
+   
+
+   :param thisUpdate: Time this response was generated.
+   
+
+   :param nextUpdate: Time next response will be ready; 0 if not supplied.
+   
+   .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+                ocsp_response_bytes ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_extension
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 122 122
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ext: :zeek:type:`X509::Extension`, global_resp: :zeek:type:`bool`)
+
+   This event is raised when an OCSP extension is encountered in an OCSP response.
+   See :rfc:`6960` for more details on OCSP.
+   
+
+   :param f: The file.
+   
+
+   :param ext: The parsed extension (same format as X.509 extensions).
+   
+
+   :param global_resp: T if extension encountered in the global response (in ResponseData),
+                F when encountered in a SingleResponse.
+   
+   .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+                ocsp_response_bytes ocsp_response_certificate
+                x509_ocsp_ext_signed_certificate_timestamp
+
+Functions
++++++++++
+
+.. zeek:id:: x509_parse
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509) : :zeek:type:`X509::Certificate`
+
+   Parses a certificate into an X509::Certificate structure.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :returns: A X509::Certificate structure.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_verify
+                x509_get_certificate_string
+
+.. zeek:id:: x509_from_der
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 25 25
+
+   :Type: :zeek:type:`function` (der: :zeek:type:`string`) : :zeek:type:`opaque` of x509
+
+   Constructs an opaque of X509 from a der-formatted string.
+   
+
+   :param Note: this function is mostly meant for testing purposes
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_verify
+                x509_get_certificate_string x509_parse
+
+.. zeek:id:: x509_get_certificate_string
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, pem: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Returns the string form of a certificate.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param pem: A boolean that specifies if the certificate is returned
+        in pem-form (true), or as the raw ASN1 encoded binary
+        (false).
+   
+
+   :returns: X509 certificate as a string.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse x509_verify
+
+.. zeek:id:: x509_ocsp_verify
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 59 59
+
+   :Type: :zeek:type:`function` (certs: :zeek:type:`x509_opaque_vector`, ocsp_reply: :zeek:type:`string`, root_certs: :zeek:type:`table_string_of_string`, verify_time: :zeek:type:`time` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`) : :zeek:type:`X509::Result`
+
+   Verifies an OCSP reply.
+   
+
+   :param certs: Specifies the certificate chain to use. Server certificate first.
+   
+
+   :param ocsp_reply: the ocsp reply to validate.
+   
+
+   :param root_certs: A list of root certificates to validate the certificate chain.
+   
+
+   :param verify_time: Time for the validity check of the certificates.
+   
+
+   :returns: A record of type X509::Result containing the result code of the
+            verify operation.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse
+                x509_get_certificate_string x509_verify
+
+.. zeek:id:: x509_verify
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 79 79
+
+   :Type: :zeek:type:`function` (certs: :zeek:type:`x509_opaque_vector`, root_certs: :zeek:type:`table_string_of_string`, verify_time: :zeek:type:`time` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`) : :zeek:type:`X509::Result`
+
+   Verifies a certificate.
+   
+
+   :param certs: Specifies a certificate chain that is being used to validate
+          the given certificate against the root store given in *root_certs*.
+          The host certificate has to be at index 0.
+   
+
+   :param root_certs: A list of root certificates to validate the certificate chain.
+   
+
+   :param verify_time: Time for the validity check of the certificates.
+   
+
+   :returns: A record of type X509::Result containing the result code of the
+            verify operation. In case of success also returns the full
+            certificate chain.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse
+                x509_get_certificate_string x509_ocsp_verify sct_verify
+
+.. zeek:id:: sct_verify
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 104 104
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, logid: :zeek:type:`string`, log_key: :zeek:type:`string`, signature: :zeek:type:`string`, timestamp: :zeek:type:`count`, hash_algorithm: :zeek:type:`count`, issuer_key_hash: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
+   See RFC6962 for more details.
+   
+
+   :param cert: Certificate against which the SCT should be validated.
+   
+
+   :param logid: Log id of the SCT.
+   
+
+   :param log_key: Public key of the Log that issued the SCT proof.
+   
+
+   :param timestamp: Timestamp at which the proof was generated.
+   
+
+   :param hash_algorithm: Hash algorithm that was used for the SCT proof.
+   
+
+   :param issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
+                    This only has to be provided if the SCT was encountered in an X.509
+                    certificate extension; in that case, it is necessary for validation.
+   
+
+   :returns: T if the validation could be performed successfully, F otherwise.
+   
+   .. zeek:see:: ssl_extension_signed_certificate_timestamp
+                x509_ocsp_ext_signed_certificate_timestamp
+                x509_verify
+
+.. zeek:id:: x509_subject_name_hash
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 121 121
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, hash_alg: :zeek:type:`count`) : :zeek:type:`string`
+
+   Get the hash of the subject's distinguished name.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param hash_alg: the hash algorithm to use, according to the IANA mapping at
+
+             :param https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+   
+
+   :returns: The hash as a string.
+   
+   .. zeek:see:: x509_issuer_name_hash x509_spki_hash
+                x509_verify sct_verify
+
+.. zeek:id:: x509_issuer_name_hash
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 135 135
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, hash_alg: :zeek:type:`count`) : :zeek:type:`string`
+
+   Get the hash of the issuer's distinguished name.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param hash_alg: the hash algorithm to use, according to the IANA mapping at
+
+             :param https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+   
+
+   :returns: The hash as a string.
+   
+   .. zeek:see:: x509_subject_name_hash x509_spki_hash
+                x509_verify sct_verify
+
+.. zeek:id:: x509_spki_hash
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 149 149
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, hash_alg: :zeek:type:`count`) : :zeek:type:`string`
+
+   Get the hash of the Subject Public Key Information of the certificate.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param hash_alg: the hash algorithm to use, according to the IANA mapping at
+
+             :param https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+   
+
+   :returns: The hash as a string.
+   
+   .. zeek:see:: x509_subject_name_hash x509_issuer_name_hash
+                x509_verify sct_verify
+
+.. zeek:id:: x509_set_certificate_cache
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 168 168
+
+   :Type: :zeek:type:`function` (tbl: :zeek:type:`string_any_table`) : :zeek:type:`bool`
+
+   This function can be used to set up certificate caching. It has to be passed a table[string] which
+   can contain any type.
+   
+   After this is set up, for each certificate encountered, the X509 analyzer will check if the entry
+   tbl[sha256 of certificate] is set. If this is the case, the X509 analyzer will skip all further
+   processing, and instead just call the callback that is set with
+
+   :param zeek:id:`x509_set_certificate_cache_hit_callback`.
+   
+
+   :param tbl: Table to use as the certificate cache.
+   
+
+   :returns: Always returns true.
+   
+   .. note:: The base scripts use this function to set up certificate caching. You should only change the
+             cache table if you are sure you will not conflict with the base scripts.
+   
+   .. zeek:see:: x509_set_certificate_cache_hit_callback
+
+.. zeek:id:: x509_set_certificate_cache_hit_callback
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 182 182
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string_any_file_hook`) : :zeek:type:`bool`
+
+   This function sets up the callback that is called when an entry is matched against the table set
+   by :zeek:id:`x509_set_certificate_cache`.
+   
+
+   :param f: The callback that will be called when encountering a certificate in the cache table.
+   
+
+   :returns: Always returns true.
+   
+   .. note:: The base scripts use this function to set up certificate caching. You should only change the
+             callback function if you are sure you will not conflict with the base scripts.
+   
+   .. zeek:see:: x509_set_certificate_cache
+
+.. zeek:id:: x509_check_hostname
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 198 198
+
+   :Type: :zeek:type:`function` (hostname: :zeek:type:`string`, certname: :zeek:type:`string`) : :zeek:type:`bool`
+
+   This function checks a hostname against the name given in a certificate subject/SAN, including
+   our interpretation of RFC6128 wildcard expansions. This specifically means that wildcards are
+   only allowed in the leftmost label, wildcards only span one label, the wildcard has to be the
+   last character before the label-separator, but additional characters are allowed before it, and
+   the wildcard has to be at least at the third level (so \*.a.b).
+   
+
+   :param hostname: Hostname to test
+   
+
+   :param certname: Name given in the CN/SAN of a certificate; wildcards will be expanded
+   
+
+   :returns: True if the hostname matches.
+   
+   .. zeek:see:: x509_check_cert_hostname
+
+.. zeek:id:: x509_check_cert_hostname
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 216 216
+
+   :Type: :zeek:type:`function` (cert_opaque: :zeek:type:`opaque` of x509, hostname: :zeek:type:`string`) : :zeek:type:`string`
+
+   This function checks if a hostname matches one of the hostnames given in the certificate.
+   
+   For our matching we adhere to RFC6128 for the labels (see :zeek:id:`x509_check_hostname`).
+   Furthermore we adhere to RFC2818 and check only the names given in the SAN, if a SAN is present,
+   ignoring CNs in the Subject. If no SAN is present, we will use the last CN in the subject
+   for our tests.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param hostname: Hostname to check
+   
+
+   :returns: empty string if the hostname does not match; matched name (which can contain wildcards)
+            if it did.
+   
+   .. zeek:see:: x509_check_hostname
+
diff --git a/doc/script-reference/autogenerated-package-index.rst b/doc/script-reference/autogenerated-package-index.rst
new file mode 100644
index 0000000000..986b16a939
--- /dev/null
+++ b/doc/script-reference/autogenerated-package-index.rst
@@ -0,0 +1,447 @@
+:doc:`base/packet-protocols </scripts/base/packet-protocols/index>`
+
+
+:doc:`base/packet-protocols/root </scripts/base/packet-protocols/root/index>`
+
+
+:doc:`base/packet-protocols/ip </scripts/base/packet-protocols/ip/index>`
+
+
+:doc:`base/packet-protocols/skip </scripts/base/packet-protocols/skip/index>`
+
+
+:doc:`base/packet-protocols/ethernet </scripts/base/packet-protocols/ethernet/index>`
+
+
+:doc:`base/packet-protocols/fddi </scripts/base/packet-protocols/fddi/index>`
+
+
+:doc:`base/packet-protocols/ieee802_11 </scripts/base/packet-protocols/ieee802_11/index>`
+
+
+:doc:`base/packet-protocols/ieee802_11_radio </scripts/base/packet-protocols/ieee802_11_radio/index>`
+
+
+:doc:`base/packet-protocols/linux_sll </scripts/base/packet-protocols/linux_sll/index>`
+
+
+:doc:`base/packet-protocols/linux_sll2 </scripts/base/packet-protocols/linux_sll2/index>`
+
+
+:doc:`base/packet-protocols/nflog </scripts/base/packet-protocols/nflog/index>`
+
+
+:doc:`base/packet-protocols/null </scripts/base/packet-protocols/null/index>`
+
+
+:doc:`base/packet-protocols/ppp </scripts/base/packet-protocols/ppp/index>`
+
+
+:doc:`base/packet-protocols/ppp_serial </scripts/base/packet-protocols/ppp_serial/index>`
+
+
+:doc:`base/packet-protocols/pppoe </scripts/base/packet-protocols/pppoe/index>`
+
+
+:doc:`base/packet-protocols/vlan </scripts/base/packet-protocols/vlan/index>`
+
+
+:doc:`base/packet-protocols/mpls </scripts/base/packet-protocols/mpls/index>`
+
+
+:doc:`base/packet-protocols/pbb </scripts/base/packet-protocols/pbb/index>`
+
+
+:doc:`base/packet-protocols/vntag </scripts/base/packet-protocols/vntag/index>`
+
+
+:doc:`base/packet-protocols/udp </scripts/base/packet-protocols/udp/index>`
+
+
+:doc:`base/packet-protocols/tcp </scripts/base/packet-protocols/tcp/index>`
+
+
+:doc:`base/packet-protocols/icmp </scripts/base/packet-protocols/icmp/index>`
+
+
+:doc:`base/packet-protocols/llc </scripts/base/packet-protocols/llc/index>`
+
+
+:doc:`base/packet-protocols/novell_802_3 </scripts/base/packet-protocols/novell_802_3/index>`
+
+
+:doc:`base/packet-protocols/snap </scripts/base/packet-protocols/snap/index>`
+
+
+:doc:`base/packet-protocols/gre </scripts/base/packet-protocols/gre/index>`
+
+
+:doc:`base/packet-protocols/iptunnel </scripts/base/packet-protocols/iptunnel/index>`
+
+
+:doc:`base/packet-protocols/ayiya </scripts/base/packet-protocols/ayiya/index>`
+
+
+:doc:`base/packet-protocols/geneve </scripts/base/packet-protocols/geneve/index>`
+
+
+:doc:`base/packet-protocols/vxlan </scripts/base/packet-protocols/vxlan/index>`
+
+
+:doc:`base/packet-protocols/teredo </scripts/base/packet-protocols/teredo/index>`
+
+
+:doc:`base/packet-protocols/gtpv1 </scripts/base/packet-protocols/gtpv1/index>`
+
+
+:doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
+
+   The logging framework provides a flexible key-value based logging interface.
+
+:doc:`base/frameworks/logging/postprocessors </scripts/base/frameworks/logging/postprocessors/index>`
+
+   Support for postprocessors in the logging framework.
+
+:doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`
+
+   The Broker communication framework facilitates connecting to remote Zeek
+   instances to share state and transfer events.
+
+:doc:`base/frameworks/supervisor </scripts/base/frameworks/supervisor/index>`
+
+
+:doc:`base/frameworks/input </scripts/base/frameworks/input/index>`
+
+   The input framework provides a way to read previously stored data either as
+   an event stream or into a Zeek table.
+
+:doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`
+
+   The cluster framework provides for establishing and controlling a cluster
+   of Zeek instances.
+
+:doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
+
+   The control framework provides the foundation for providing "commands"
+   that can be taken remotely at runtime to modify a running Zeek instance
+   or collect information from the running instance.
+
+:doc:`base/frameworks/config </scripts/base/frameworks/config/index>`
+
+   The configuration framework provides a way to change the Zeek configuration
+   in "option" values at run-time.
+
+:doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`
+
+   The analyzer framework allows to dynamically enable or disable Zeek's
+   protocol analyzers, as well as to manage the well-known ports which
+   automatically activate a particular analyzer for new connections.
+
+:doc:`base/frameworks/files </scripts/base/frameworks/files/index>`
+
+   The file analysis framework provides an interface for driving the analysis
+   of files, possibly independent of any network protocol over which they're
+   transported.
+
+:doc:`base/frameworks/files/magic </scripts/base/frameworks/files/magic/index>`
+
+
+:doc:`base/bif </scripts/base/bif/index>`
+
+
+:doc:`base/bif/plugins </scripts/base/bif/plugins/index>`
+
+
+:doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`
+
+   This framework is intended to create an output and filtering path for
+   internally generated messages/warnings/errors.
+
+:doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+   The notice framework enables Zeek to "notice" things which are odd or
+   potentially bad, leaving it to the local configuration to define which
+   of them are actionable.  This decoupling of detection and reporting allows
+   Zeek to be customized to the different needs that sites have.
+
+:doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`
+
+   The signature framework provides for doing low-level pattern matching.  While
+   signatures are not Zeek's preferred detection tool, they sometimes come in
+   handy and are closer to what many people are familiar with from using
+   other NIDS.
+
+:doc:`base/frameworks/packet-filter </scripts/base/frameworks/packet-filter/index>`
+
+   The packet filter framework supports how Zeek sets its BPF capture filter.
+
+:doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+   The software framework provides infrastructure for maintaining a table
+   of software versions seen on the network. The version parsing itself
+   is carried out by external protocol-specific scripts that feed into
+   this framework.
+
+:doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
+
+   The intelligence framework provides a way to store and query intelligence
+   data (such as IP addresses or strings). Metadata can also be associated
+   with the intelligence.
+
+:doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
+
+   The summary statistics framework provides a way to summarize large streams
+   of data into simple reduced measurements.
+
+:doc:`base/frameworks/sumstats/plugins </scripts/base/frameworks/sumstats/plugins/index>`
+
+   Plugins for the summary statistics framework.
+
+:doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`
+
+   The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo,
+   AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
+
+:doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
+
+   The OpenFlow framework exposes the data structures and functions
+   necessary to interface to OpenFlow capable hardware.
+
+:doc:`base/frameworks/openflow/plugins </scripts/base/frameworks/openflow/plugins/index>`
+
+   Plugins for the OpenFlow framework.
+
+:doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`
+
+   The NetControl framework provides a way for Zeek to interact with networking
+   hard- and software, e.g. for dropping and shunting IP addresses/connections,
+   etc.
+
+:doc:`base/frameworks/netcontrol/plugins </scripts/base/frameworks/netcontrol/plugins/index>`
+
+   Plugins for the NetControl framework.
+
+:doc:`base/frameworks/telemetry </scripts/base/frameworks/telemetry/index>`
+
+
+:doc:`base/frameworks/storage </scripts/base/frameworks/storage/index>`
+
+
+:doc:`base/frameworks/spicy </scripts/base/frameworks/spicy/index>`
+
+
+:doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+   Support for connection (TCP, UDP, or ICMP) analysis.
+
+:doc:`base/protocols/dce-rpc </scripts/base/protocols/dce-rpc/index>`
+
+   Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
+   Calls) protocol analysis.
+
+:doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
+
+   Support for Dynamic Host Configuration Protocol (DHCP) analysis.
+
+:doc:`base/protocols/dnp3 </scripts/base/protocols/dnp3/index>`
+
+   Support for Distributed Network Protocol (DNP3) analysis.
+
+:doc:`base/protocols/dns </scripts/base/protocols/dns/index>`
+
+   Support for Domain Name System (DNS) protocol analysis.
+
+:doc:`base/protocols/finger </scripts/base/protocols/finger/index>`
+
+
+:doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`
+
+   Support for File Transfer Protocol (FTP) analysis.
+
+:doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+   Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
+
+:doc:`base/files/x509 </scripts/base/files/x509/index>`
+
+   Support for X509 certificates with the file analysis framework.
+   Also supports parsing OCSP requests and responses.
+
+:doc:`base/files/hash </scripts/base/files/hash/index>`
+
+   Support for file hashes with the file analysis framework.
+
+:doc:`base/protocols/http </scripts/base/protocols/http/index>`
+
+   Support for Hypertext Transfer Protocol (HTTP) analysis.
+
+:doc:`base/protocols/imap </scripts/base/protocols/imap/index>`
+
+   Support for the Internet Message Access Protocol (IMAP).
+   
+   Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+   until they do or do not switch to TLS using StartTLS. Hence, we do not get
+   mails from IMAP sessions, only X509 certificates.
+
+:doc:`base/protocols/irc </scripts/base/protocols/irc/index>`
+
+   Support for Internet Relay Chat (IRC) protocol analysis.
+
+:doc:`base/protocols/krb </scripts/base/protocols/krb/index>`
+
+   Support for Kerberos protocol analysis.
+
+:doc:`base/protocols/ldap </scripts/base/protocols/ldap/index>`
+
+
+:doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
+
+   Support for Modbus protocol analysis.
+
+:doc:`base/protocols/mqtt </scripts/base/protocols/mqtt/index>`
+
+   Support for MQTT protocol analysis.
+
+:doc:`base/protocols/mysql </scripts/base/protocols/mysql/index>`
+
+   Support for MySQL protocol analysis.
+
+:doc:`base/protocols/ntlm </scripts/base/protocols/ntlm/index>`
+
+   Support for NT LAN Manager (NTLM) protocol analysis.
+
+:doc:`base/protocols/ntp </scripts/base/protocols/ntp/index>`
+
+
+:doc:`base/protocols/pop3 </scripts/base/protocols/pop3/index>`
+
+   Support for POP3 (Post Office Protocol) protocol analysis.
+
+:doc:`base/protocols/postgresql </scripts/base/protocols/postgresql/index>`
+
+
+:doc:`base/protocols/quic </scripts/base/protocols/quic/index>`
+
+
+:doc:`base/protocols/radius </scripts/base/protocols/radius/index>`
+
+   Support for RADIUS protocol analysis.
+
+:doc:`base/protocols/rdp </scripts/base/protocols/rdp/index>`
+
+   Support for Remote Desktop Protocol (RDP) analysis.
+
+:doc:`base/protocols/redis </scripts/base/protocols/redis/index>`
+
+
+:doc:`base/protocols/rfb </scripts/base/protocols/rfb/index>`
+
+   Support for Remote FrameBuffer analysis.  This includes all VNC servers.
+
+:doc:`base/protocols/sip </scripts/base/protocols/sip/index>`
+
+   Support for Session Initiation Protocol (SIP) analysis.
+
+:doc:`base/protocols/snmp </scripts/base/protocols/snmp/index>`
+
+   Support for Simple Network Management Protocol (SNMP) analysis.
+
+:doc:`base/protocols/smb </scripts/base/protocols/smb/index>`
+
+   Support for SMB protocol analysis.
+
+:doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`
+
+   Support for Simple Mail Transfer Protocol (SMTP) analysis.
+
+:doc:`base/protocols/socks </scripts/base/protocols/socks/index>`
+
+   Support for Socket Secure (SOCKS) protocol analysis.
+
+:doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
+
+   Support for SSH protocol analysis.
+
+:doc:`base/protocols/syslog </scripts/base/protocols/syslog/index>`
+
+   Support for Syslog protocol analysis.
+
+:doc:`base/protocols/websocket </scripts/base/protocols/websocket/index>`
+
+
+:doc:`base/protocols/tunnels </scripts/base/protocols/tunnels/index>`
+
+   Provides DPD signatures for tunneling protocols that otherwise
+   wouldn't be detected at all.
+
+:doc:`base/protocols/xmpp </scripts/base/protocols/xmpp/index>`
+
+   Support for the Extensible Messaging and Presence Protocol (XMPP).
+   
+   Note that currently the XMPP analyzer only supports analyzing XMPP sessions
+   until they do or do not switch to TLS using StartTLS. Hence, we do not get
+   actual chat information from XMPP sessions, only X509 certificates.
+
+:doc:`base/files/pe </scripts/base/files/pe/index>`
+
+   Support for Portable Executable (PE) file analysis.
+
+:doc:`base/files/extract </scripts/base/files/extract/index>`
+
+   Support for extracting files with the file analysis framework.
+
+:doc:`builtin-plugins </scripts/builtin-plugins/index>`
+
+
+:doc:`builtin-plugins/Zeek_JavaScript </scripts/builtin-plugins/Zeek_JavaScript/index>`
+
+
+:doc:`zeekygen </scripts/zeekygen/index>`
+
+   This package is loaded during the process which automatically generates
+   reference documentation for all Zeek scripts (i.e. "Zeekygen").  Its only
+   purpose is to provide an easy way to load all known Zeek scripts plus any
+   extra scripts needed or used by the documentation process.
+
+:doc:`policy/frameworks/cluster/backend/zeromq </scripts/policy/frameworks/cluster/backend/zeromq/index>`
+
+
+:doc:`policy/frameworks/management/agent </scripts/policy/frameworks/management/agent/index>`
+
+
+:doc:`policy/frameworks/management </scripts/policy/frameworks/management/index>`
+
+
+:doc:`policy/frameworks/management/controller </scripts/policy/frameworks/management/controller/index>`
+
+
+:doc:`policy/frameworks/management/supervisor </scripts/policy/frameworks/management/supervisor/index>`
+
+
+:doc:`policy/frameworks/intel/seen </scripts/policy/frameworks/intel/seen/index>`
+
+   Scripts that send data to the intelligence framework.
+
+:doc:`policy/frameworks/notice </scripts/policy/frameworks/notice/index>`
+
+
+:doc:`policy/frameworks/storage/backend/redis </scripts/policy/frameworks/storage/backend/redis/index>`
+
+
+:doc:`policy/frameworks/storage/backend/sqlite </scripts/policy/frameworks/storage/backend/sqlite/index>`
+
+
+:doc:`policy/integration/collective-intel </scripts/policy/integration/collective-intel/index>`
+
+   The scripts in this module are for deeper integration with the
+   Collective Intelligence Framework (CIF) since Zeek's Intel framework
+   doesn't natively behave the same as CIF nor does it store and maintain
+   the same data in all cases.
+
+:doc:`policy/misc/detect-traceroute </scripts/policy/misc/detect-traceroute/index>`
+
+   Detect hosts that are running traceroute.
+
+:doc:`policy/frameworks/management/node </scripts/policy/frameworks/management/node/index>`
+
+
diff --git a/doc/script-reference/autogenerated-packet-analyzer-index.rst b/doc/script-reference/autogenerated-packet-analyzer-index.rst
new file mode 100644
index 0000000000..7c0e433e58
--- /dev/null
+++ b/doc/script-reference/autogenerated-packet-analyzer-index.rst
@@ -0,0 +1,850 @@
+Packet Analyzers
+================
+
+.. zeek:type:: PacketAnalyzer::Tag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_ARP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_AYIYA PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_ETHERNET PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_FDDI PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_GENEVE PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_GRE PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_GTPV1 PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_ICMP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_IEEE802_11 PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_IEEE802_11_RADIO PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_IP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_IPTUNNEL PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_LINUXSLL PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_LINUXSLL2 PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_LLC PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_MPLS PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_NFLOG PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_NOVELL_802_3 PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_NULL PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_PBB PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_PPP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_PPPOE PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_PPPSERIAL PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_ROOT PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_SKIP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_SNAP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_TCP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_TEREDO PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_UDP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_VLAN PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_VNTAG PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_VXLAN PacketAnalyzer::Tag
+
+.. _plugin-zeek-arp:
+
+Zeek::ARP
+---------
+
+ARP packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_ARP`
+
+Events
+++++++
+
+.. zeek:id:: arp_request
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 22 22
+
+   :Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
+
+   Generated for ARP requests.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
+   for more information about the ARP protocol.
+   
+
+   :param mac_src: The request's source MAC address.
+   
+
+   :param mac_dst: The request's destination MAC address.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+   .. zeek:see:: arp_reply  bad_arp
+
+.. zeek:id:: arp_reply
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 43 43
+
+   :Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
+
+   Generated for ARP replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
+   for more information about the ARP protocol.
+   
+
+   :param mac_src: The reply's source MAC address.
+   
+
+   :param mac_dst: The reply's destination MAC address.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+   .. zeek:see::  arp_request bad_arp
+
+.. zeek:id:: bad_arp
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 66 66
+
+   :Type: :zeek:type:`event` (SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`, explanation: :zeek:type:`string`)
+
+   Generated for ARP packets that Zeek cannot interpret. Examples are packets
+   with non-standard hardware address formats or hardware addresses that do not
+   match the originator of the packet.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+
+   :param explanation: A short description of why the ARP packet is considered "bad".
+   
+   .. zeek:see:: arp_reply arp_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. _plugin-zeek-ayiya:
+
+Zeek::AYIYA
+-----------
+
+AYIYA packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_AYIYA`
+
+.. _plugin-zeek-ethernet:
+
+Zeek::Ethernet
+--------------
+
+Ethernet packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_ETHERNET`
+
+.. _plugin-zeek-fddi:
+
+Zeek::FDDI
+----------
+
+FDDI packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_FDDI`
+
+.. _plugin-zeek-geneve:
+
+Zeek::Geneve
+------------
+
+Geneve packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_GENEVE`
+
+Events
+++++++
+
+.. zeek:id:: geneve_packet
+   :source-code: base/bif/plugins/Zeek_Geneve.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`pkt_hdr`, vni: :zeek:type:`count`)
+
+   Generated for any packet encapsulated in a Geneve tunnel.
+   See :rfc:`8926` for more information about the Geneve protocol.
+   
+
+   :param outer: The Geneve tunnel connection.
+   
+
+   :param inner: The Geneve-encapsulated Ethernet packet header and transport header.
+   
+
+   :param vni: Geneve Network Identifier.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+Functions
++++++++++
+
+.. zeek:id:: PacketAnalyzer::Geneve::get_options
+   :source-code: base/bif/plugins/Zeek_Geneve.functions.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` () : :zeek:type:`geneve_options_vec_vec`
+
+   Returns all Geneve options from all layers of the current packet.
+   
+   The last entry in the outer vector are the options of the most
+   inner Geneve header.
+   
+   Returns a vector of vector of :zeek:see:`PacketAnalyzer::Geneve::Option` records.
+
+.. _plugin-zeek-gre:
+
+Zeek::GRE
+---------
+
+GRE packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_GRE`
+
+.. _plugin-zeek-gtpv1:
+
+Zeek::GTPv1
+-----------
+
+GTPv1 analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_GTPV1`
+
+Events
+++++++
+
+.. zeek:id:: new_gtpv1_state
+   :source-code: base/packet-protocols/gtpv1/main.zeek 35 38
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a new GTP analyzer is instantiated for a connection.
+   
+   This event exists to install a connection removal hook to clear
+   internal per-connection GTPv1 state.
+   
+
+   :param c: The connection for which the analyzer is instantiated.
+
+.. zeek:id:: gtpv1_message
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`)
+
+   Generated for any GTP message with a GTPv1 header.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+
+.. zeek:id:: gtpv1_g_pdu_packet
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 35 35
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner_gtp: :zeek:type:`gtpv1_hdr`, inner_ip: :zeek:type:`pkt_hdr`)
+
+   Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
+   that includes a GTP header followed by an IPv4 or IPv6 packet.
+   
+
+   :param outer: The GTP outer tunnel connection.
+   
+
+   :param inner_gtp: The GTP header.
+   
+
+   :param inner_ip: The inner IP and transport layer packet headers.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: gtpv1_create_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 45 45
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Create PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_create_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 55 55
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Create PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_update_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 65 65
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Update PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_update_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 75 75
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Update PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_delete_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 85 85
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Delete PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_delete_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 95 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Delete PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+Functions
++++++++++
+
+.. zeek:id:: PacketAnalyzer::GTPV1::remove_gtpv1_connection
+   :source-code: base/bif/plugins/Zeek_GTPv1.functions.bif.zeek 9 9
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+
+.. _plugin-zeek-ieee802-11:
+
+Zeek::IEEE802_11
+----------------
+
+IEEE 802.11 packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_IEEE802_11`
+
+.. _plugin-zeek-ieee802-11-radio:
+
+Zeek::IEEE802_11_Radio
+----------------------
+
+IEEE 802.11 Radiotap packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_IEEE802_11_RADIO`
+
+.. _plugin-zeek-ip:
+
+Zeek::IP
+--------
+
+Packet analyzer for IP fallback (v4 or v6)
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_IP`
+
+.. _plugin-zeek-iptunnel:
+
+Zeek::IPTunnel
+--------------
+
+IPTunnel packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_IPTUNNEL`
+
+.. _plugin-zeek-linuxsll:
+
+Zeek::LinuxSLL
+--------------
+
+Linux cooked capture (SLL) packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_LINUXSLL`
+
+.. _plugin-zeek-linuxsll2:
+
+Zeek::LinuxSLL2
+---------------
+
+Linux cooked capture version 2 (SLL2) packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_LINUXSLL2`
+
+.. _plugin-zeek-llc:
+
+Zeek::LLC
+---------
+
+LLC packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_LLC`
+
+.. _plugin-zeek-mpls:
+
+Zeek::MPLS
+----------
+
+MPLS packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_MPLS`
+
+.. _plugin-zeek-nflog:
+
+Zeek::NFLog
+-----------
+
+NFLog packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_NFLOG`
+
+.. _plugin-zeek-novell-802-3:
+
+Zeek::NOVELL_802_3
+------------------
+
+Novell 802.3 variantx packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_NOVELL_802_3`
+
+.. _plugin-zeek-null:
+
+Zeek::Null
+----------
+
+Null packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_NULL`
+
+.. _plugin-zeek-pbb:
+
+Zeek::PBB
+---------
+
+PBB packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_PBB`
+
+.. _plugin-zeek-ppp:
+
+Zeek::PPP
+---------
+
+PPP packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_PPP`
+
+.. _plugin-zeek-pppoe:
+
+Zeek::PPPoE
+-----------
+
+PPPoE packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_PPPOE`
+
+Functions
++++++++++
+
+.. zeek:id:: PacketAnalyzer::PPPoE::session_id
+   :source-code: base/bif/plugins/Zeek_PPPoE.functions.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+   Returns the PPPoE Session ID of the current packet, if present.
+   
+   If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
+   is out of range of the session ID.
+   
+
+   :returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
+
+.. _plugin-zeek-pppserial:
+
+Zeek::PPPSerial
+---------------
+
+PPPSerial packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_PPPSERIAL`
+
+.. _plugin-zeek-root:
+
+Zeek::Root
+----------
+
+Root packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_ROOT`
+
+.. _plugin-zeek-skip:
+
+Zeek::Skip
+----------
+
+Skip packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_SKIP`
+
+.. _plugin-zeek-snap:
+
+Zeek::SNAP
+----------
+
+SNAP packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_SNAP`
+
+.. _plugin-zeek-teredo:
+
+Zeek::Teredo
+------------
+
+Teredo packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_TEREDO`
+
+Events
+++++++
+
+.. zeek:id:: teredo_packet
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for any IPv6 packet encapsulated in a Teredo tunnel.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: new_teredo_state
+   :source-code: base/packet-protocols/teredo/main.zeek 36 39
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when per connection Teredo state is created.
+   
+   This is primarily useful to install a connection removal hook to clear
+   internal per-connection Teredo state.
+   
+
+   :param c: The Teredo tunnel connection.
+
+.. zeek:id:: teredo_authentication
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 42 42
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for IPv6 packets encapsulated in a Teredo tunnel that
+   use the Teredo authentication encapsulation method.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: teredo_origin_indication
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 57 57
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for IPv6 packets encapsulated in a Teredo tunnel that
+   use the Teredo origin indication encapsulation method.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_authentication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: teredo_bubble
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 72 72
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for Teredo bubble packets.  That is, IPv6 packets encapsulated
+   in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+Functions
++++++++++
+
+.. zeek:id:: PacketAnalyzer::TEREDO::remove_teredo_connection
+   :source-code: base/bif/plugins/Zeek_Teredo.functions.bif.zeek 9 9
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+
+.. _plugin-zeek-vlan:
+
+Zeek::VLAN
+----------
+
+VLAN packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_VLAN`
+
+.. _plugin-zeek-vntag:
+
+Zeek::VNTag
+-----------
+
+VNTag packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_VNTAG`
+
+.. _plugin-zeek-vxlan:
+
+Zeek::VXLAN
+-----------
+
+VXLAN packet analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_VXLAN`
+
+Events
+++++++
+
+.. zeek:id:: vxlan_packet
+   :source-code: base/bif/plugins/Zeek_VXLAN.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`pkt_hdr`, vni: :zeek:type:`count`)
+
+   Generated for any packet encapsulated in a VXLAN tunnel.
+   See :rfc:`7348` for more information about the VXLAN protocol.
+   
+
+   :param outer: The VXLAN tunnel connection.
+   
+
+   :param inner: The VXLAN-encapsulated Ethernet packet header and transport header.
+   
+
+   :param vni: VXLAN Network Identifier.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
diff --git a/doc/script-reference/autogenerated-protocol-analyzer-index.rst b/doc/script-reference/autogenerated-protocol-analyzer-index.rst
new file mode 100644
index 0000000000..95c22347bb
--- /dev/null
+++ b/doc/script-reference/autogenerated-protocol-analyzer-index.rst
@@ -0,0 +1,19358 @@
+Protocol Analyzers
+==================
+
+.. zeek:type:: Analyzer::Tag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Analyzer::ANALYZER_BITTORRENT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_BITTORRENTTRACKER Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONNSIZE Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_DCE_RPC Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_DHCP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_DNP3_TCP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_DNP3_UDP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS_DNS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_DNS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_FTP_DATA Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_FTP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_FTP_ADAT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_GNUTELLA Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_GSSAPI Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_HTTP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_ICMP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_IDENT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_IMAP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_IRC Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_IRC_DATA Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_KRB Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_KRB_TCP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS_RLOGIN Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS_RSH Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_LOGIN Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_NVT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_RLOGIN Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_RSH Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_TELNET Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_MODBUS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_MQTT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_MYSQL Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS_NCP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_NCP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS_NETBIOSSSN Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_NETBIOSSSN Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_NTLM Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_NTP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_PIA_TCP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_PIA_UDP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_POP3 Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_RADIUS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_RDP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_RDPEUDP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_RFB Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS_NFS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS_RPC Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_MOUNT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_NFS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_PORTMAPPER Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SIP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS_SMB Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SMB Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SMTP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SMTP_BDAT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SNMP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SOCKS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_FINGER Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_LDAP_TCP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_LDAP_UDP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_POSTGRESQL Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_QUIC Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_REDIS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SYSLOG Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SPICY_WEBSOCKET Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SSH Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_DTLS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_SSL Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_STREAM_EVENT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTLINE Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_CONTENTS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_TCPSTATS Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_TCP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_UDP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_UNKNOWN_IP_TRANSPORT Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_WEBSOCKET Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_XMPP Analyzer::Tag
+
+      .. zeek:enum:: Analyzer::ANALYZER_ZIP Analyzer::Tag
+
+.. zeek:type:: AllAnalyzers::Tag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_ARP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_AYIYA AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_BITTORRENT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_BITTORRENTTRACKER AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONNSIZE AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_DCE_RPC AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_DHCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_DNP3_TCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_DNP3_UDP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_DNS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_DNS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_ETHERNET AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_FDDI AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_FTP_DATA AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_DATA_EVENT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_ENTROPY AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_EXTRACT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_MD5 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_SHA1 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_SHA256 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_FTP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_FTP_ADAT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_GENEVE AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_GNUTELLA AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_GRE AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_GSSAPI AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_GTPV1 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_HTTP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_ICMP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_ICMP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_IDENT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11_RADIO AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_IMAP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_IP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_IPTUNNEL AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_IRC AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_IRC_DATA AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_KRB AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_KRB_TCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL2 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_LLC AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RLOGIN AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RSH AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_LOGIN AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_NVT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_RLOGIN AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_RSH AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_TELNET AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_MODBUS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_MPLS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_MQTT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_MYSQL AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_NCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NETBIOSSSN AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_NETBIOSSSN AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_NFLOG AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_NOVELL_802_3 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_NTLM AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_NTP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_NULL AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_PBB AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_PE AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_PIA_TCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_PIA_UDP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_POP3 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_PPP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_PPPOE AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_PPPSERIAL AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_RADIUS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_RDP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_RDPEUDP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_RFB AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_ROOT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NFS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RPC AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_MOUNT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_NFS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_PORTMAPPER AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SIP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_SKIP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_SMB AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SMB AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SMTP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SMTP_BDAT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_SNAP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SNMP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SOCKS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_FINGER AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_LDAP_TCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_LDAP_UDP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_POSTGRESQL AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_QUIC AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_REDIS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SYSLOG AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SPICY_WEBSOCKET AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SSH AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_DTLS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_SSL AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_STREAM_EVENT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTLINE AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_CONTENTS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_TCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_TCP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_TEREDO AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_UDP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_UDP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_UNKNOWN_IP_TRANSPORT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_UNKNOWN_IP_TRANSPORT AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_VLAN AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_VNTAG AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::PACKETANALYZER_ANALYZER_VXLAN AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_WEBSOCKET AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_OCSP_REPLY AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_OCSP_REQUEST AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::FILES_ANALYZER_X509 AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_XMPP AllAnalyzers::Tag
+
+      .. zeek:enum:: AllAnalyzers::ANALYZER_ANALYZER_ZIP AllAnalyzers::Tag
+
+.. _plugin-zeek-bittorrent:
+
+Zeek::BitTorrent
+----------------
+
+BitTorrent Analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_BITTORRENT`
+
+:zeek:enum:`Analyzer::ANALYZER_BITTORRENTTRACKER`
+
+Events
+++++++
+
+.. zeek:id:: bittorrent_peer_handshake
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 14 14
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, reserved: :zeek:type:`string`, info_hash: :zeek:type:`string`, peer_id: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_keep_alive
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 27 27
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_choke
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 40 40
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_unchoke
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 53 53
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_interested
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 66 66
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_not_interested
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 79 79
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive  bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_have
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, piece_index: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake  bittorrent_peer_interested bittorrent_peer_keep_alive
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_bitfield
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 105 105
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, bitfield: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see::  bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
+      bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_request
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 118 118
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port  bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_piece
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 131 131
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, piece_length: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_cancel
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 144 144
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield  bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_port
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 157 157
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, listen_port: :zeek:type:`port`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_unknown
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 170 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, message_id: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_weird
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 183 183
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown
+
+.. zeek:id:: bt_tracker_request
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 196 196
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, uri: :zeek:type:`string`, headers: :zeek:type:`bt_tracker_headers`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bt_tracker_response
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 209 209
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, status: :zeek:type:`count`, headers: :zeek:type:`bt_tracker_headers`, peers: :zeek:type:`bittorrent_peer_set`, benc: :zeek:type:`bittorrent_benc_dir`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bt_tracker_response_not_ok
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 222 222
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, status: :zeek:type:`count`, headers: :zeek:type:`bt_tracker_headers`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bt_tracker_weird
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 235 235
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. _plugin-zeek-cluster-websocket:
+
+Zeek::Cluster_WebSocket
+-----------------------
+
+Provides WebSocket access to a Zeek cluster
+
+Components
+++++++++++
+
+Events
+++++++
+
+.. zeek:id:: Cluster::websocket_client_added
+   :source-code: base/frameworks/cluster/main.zeek 700 705
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Cluster::EndpointInfo`, subscriptions: :zeek:type:`string_vec`)
+
+   Generated when a new WebSocket client has connected.
+   
+
+   :param endpoint: Various information about the WebSocket client.
+   
+
+   :param subscriptions: The WebSocket client's subscriptions as provided in the handshake.
+
+.. zeek:id:: Cluster::websocket_client_lost
+   :source-code: base/frameworks/cluster/main.zeek 707 713
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Cluster::EndpointInfo`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
+
+   Generated when a WebSocket client was lost.
+   
+
+   :param endpoint: Various information about the WebSocket client.
+
+   :param code: The code sent by the client in its CLOSE frame, or a code generated
+         internally if the server disconnected the client.
+
+   :param reason: The reason sent by the client in its CLOSE frame, or a reason generated
+           internally if the server disconnected the client.
+
+.. _plugin-zeek-connsize:
+
+Zeek::ConnSize
+--------------
+
+Connection size analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_CONNSIZE`
+
+Events
+++++++
+
+.. zeek:id:: conn_bytes_threshold_crossed
+   :source-code: base/protocols/conn/thresholds.zeek 320 337
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set byte threshold. Note that this
+   is a low level event that should usually be avoided for user code. Use
+   :zeek:see:`ConnThreshold::bytes_threshold_crossed` instead.
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: true if the threshold was crossed by the originator of the connection
+   
+   .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: conn_packets_threshold_crossed
+   :source-code: base/protocols/conn/thresholds.zeek 339 356
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set packet threshold. Note that this
+   is a low level event that should usually be avoided for user code. Use
+   :zeek:see:`ConnThreshold::packets_threshold_crossed` instead.
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: true if the threshold was crossed by the originator of the connection
+   
+   .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: conn_duration_threshold_crossed
+   :source-code: base/protocols/conn/thresholds.zeek 358 370
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set duration threshold. Note that this
+   is a low level event that should usually be avoided for user code. Use
+   :zeek:see:`ConnThreshold::duration_threshold_crossed` instead.
+   
+   Note that this event is not raised at the exact moment that a duration threshold is crossed; instead
+   it is raised when the next packet is seen after the threshold has been crossed. On a connection that is
+   idle, this can be raised significantly later.
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: true if the threshold was crossed by the originator of the connection
+   
+   .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: conn_generic_packet_threshold_crossed
+   :source-code: base/bif/plugins/Zeek_ConnSize.events.bif.zeek 63 63
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`)
+
+   Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
+   observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new
+   connections, while short interactions, like scans consisting of only a few packets, are ignored.
+   
+
+   :param c: the connection.
+   
+
+   :param threshold: the threshold that was set
+
+Functions
++++++++++
+
+.. zeek:id:: set_current_conn_bytes_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 19 19
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Sets the current byte threshold for connection sizes, overwriting any potential old
+   threshold. Be aware that in nearly any case you will want to use the high level API
+   instead (:zeek:see:`ConnThreshold::set_bytes_threshold`).
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in bytes.
+   
+
+   :param is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: set_current_conn_packets_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 35 35
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Sets a threshold for connection packets, overwriting any potential old thresholds.
+   Be aware that in nearly any case you will want to use the high level API
+   instead (:zeek:see:`ConnThreshold::set_packets_threshold`).
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in packets.
+   
+
+   :param is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
+   
+   .. zeek:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: set_current_conn_duration_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 49 49
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Sets the current duration threshold for connection, overwriting any potential old
+   threshold. Be aware that in nearly any case you will want to use the high level API
+   instead (:zeek:see:`ConnThreshold::set_duration_threshold`).
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in seconds.
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold
+                 get_current_conn_duration_threshold
+
+.. zeek:id:: get_current_conn_bytes_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 63 63
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`count`
+
+   
+
+   :param cid: The connection id.
+   
+
+   :param is_orig: If true, threshold of originator, otherwise threshold of responder.
+   
+
+   :returns: 0 if no threshold is set or the threshold in bytes
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_packets_threshold set_current_conn_duration_threshold
+                 get_current_conn_duration_threshold
+
+.. zeek:id:: get_current_conn_packets_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 76 76
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`count`
+
+   Gets the current packet threshold size for a connection.
+   
+
+   :param cid: The connection id.
+   
+
+   :param is_orig: If true, threshold of originator, otherwise threshold of responder.
+   
+
+   :returns: 0 if no threshold is set or the threshold in packets
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: get_current_conn_duration_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 87 87
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`interval`
+
+   Gets the current duration threshold size for a connection.
+   
+
+   :param cid: The connection id.
+   
+
+   :returns: 0 if no threshold is set or the threshold in seconds
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_packets_threshold set_current_conn_duration_threshold
+
+.. _plugin-zeek-dce-rpc:
+
+Zeek::DCE_RPC
+-------------
+
+DCE-RPC analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_DCE_RPC`
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: DCE_RPC::max_cmd_reassembly
+   :source-code: base/init-bare.zeek 5743 5743
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``20``
+
+   The maximum number of simultaneous fragmented commands that
+   the DCE_RPC analyzer will tolerate before the it will generate
+   a weird and skip further input.
+
+.. zeek:id:: DCE_RPC::max_frag_data
+   :source-code: base/init-bare.zeek 5748 5748
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``30000``
+
+   The maximum number of fragmented bytes that the DCE_RPC analyzer
+   will tolerate on a command before the analyzer will generate a weird
+   and skip further input.
+
+Types
++++++
+
+.. zeek:type:: DCE_RPC::PType
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek 8 8
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: DCE_RPC::REQUEST DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::PING DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::RESPONSE DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::FAULT DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::WORKING DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::NOCALL DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::REJECT DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::ACK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::CL_CANCEL DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::FACK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::CANCEL_ACK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::BIND DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::BIND_ACK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::BIND_NAK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::ALTER_CONTEXT DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::ALTER_CONTEXT_RESP DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::AUTH3 DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::SHUTDOWN DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::CO_CANCEL DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::ORPHANED DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::RTS DCE_RPC::PType
+
+
+.. zeek:type:: DCE_RPC::IfID
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek 33 33
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: DCE_RPC::unknown_if DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::epmapper DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::lsarpc DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::lsa_ds DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::mgmt DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::netlogon DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::samr DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::srvsvc DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::spoolss DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::drs DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::winspipe DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::wkssvc DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::oxid DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::ISCMActivator DCE_RPC::IfID
+
+
+Events
+++++++
+
+.. zeek:id:: dce_rpc_message
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, fid: :zeek:type:`count`, ptype_id: :zeek:type:`count`, ptype: :zeek:type:`DCE_RPC::PType`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the message was sent by the originator of the TCP connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ptype_id: Numeric representation of the procedure type of the message.
+   
+
+   :param ptype: Enum representation of the procedure type of the message.
+   
+   .. zeek:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
+
+.. zeek:id:: dce_rpc_bind
+   :source-code: base/protocols/dce-rpc/main.zeek 123 135
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, uuid: :zeek:type:`string`, ver_major: :zeek:type:`count`, ver_minor: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
+   Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
+   multiple times for a single RPC message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+   
+
+   :param uuid: The string interpreted uuid of the endpoint being requested.
+   
+
+   :param ver_major: The major version of the endpoint being requested.
+   
+
+   :param ver_minor: The minor version of the endpoint being requested.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
+
+.. zeek:id:: dce_rpc_alter_context
+   :source-code: base/protocols/dce-rpc/main.zeek 137 149
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, uuid: :zeek:type:`string`, ver_major: :zeek:type:`count`, ver_minor: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
+   Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
+   multiple times for a single RPC message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+   
+
+   :param uuid: The string interpreted uuid of the endpoint being requested.
+   
+
+   :param ver_major: The major version of the endpoint being requested.
+   
+
+   :param ver_minor: The minor version of the endpoint being requested.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
+
+.. zeek:id:: dce_rpc_bind_ack
+   :source-code: base/protocols/dce-rpc/main.zeek 151 160
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, sec_addr: :zeek:type:`string`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param sec_addr: Secondary address for the ack.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
+
+.. zeek:id:: dce_rpc_alter_context_resp
+   :source-code: base/protocols/dce-rpc/main.zeek 162 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
+
+.. zeek:id:: dce_rpc_request
+   :source-code: base/protocols/dce-rpc/main.zeek 167 175
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub_len: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+   
+
+   :param opnum: Number of the RPC operation.
+   
+
+   :param stub_len: Length of the data for the request.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response dce_rpc_request_stub
+
+.. zeek:id:: dce_rpc_response
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 125 125
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub_len: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+
+   :param opnum: Number of the RPC operation.
+   
+
+   :param stub_len: Length of the data for the response.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response_stub
+
+.. zeek:id:: dce_rpc_request_stub
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 143 143
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub: :zeek:type:`string`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+   
+
+   :param opnum: Number of the RPC operation.
+   
+
+   :param stub: The data for the request.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response_stub dce_rpc_request
+
+.. zeek:id:: dce_rpc_response_stub
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 161 161
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub: :zeek:type:`string`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+
+   :param opnum: Number of the RPC operation.
+   
+
+   :param stub: The data for the response.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request_stub dce_rpc_response
+
+.. _plugin-zeek-dhcp:
+
+Zeek::DHCP
+----------
+
+DHCP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_DHCP`
+
+Types
++++++
+
+.. zeek:type:: DHCP::Msg
+   :source-code: base/init-bare.zeek 4757 4772
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: op :zeek:type:`count`
+
+      Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
+
+
+   .. zeek:field:: m_type :zeek:type:`count`
+
+      The type of DHCP message.
+
+
+   .. zeek:field:: xid :zeek:type:`count`
+
+      Transaction ID of a DHCP session.
+
+
+   .. zeek:field:: secs :zeek:type:`interval`
+
+      Number of seconds since client began address acquisition
+      or renewal process
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+
+   .. zeek:field:: ciaddr :zeek:type:`addr`
+
+      Original IP address of the client.
+
+
+   .. zeek:field:: yiaddr :zeek:type:`addr`
+
+      IP address assigned to the client.
+
+
+   .. zeek:field:: siaddr :zeek:type:`addr`
+
+      IP address of the server.
+
+
+   .. zeek:field:: giaddr :zeek:type:`addr`
+
+      IP address of the relaying gateway.
+
+
+   .. zeek:field:: chaddr :zeek:type:`string`
+
+      Client hardware address.
+
+
+   .. zeek:field:: sname :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Server host name.
+
+
+   .. zeek:field:: file_n :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Boot file name.
+
+
+   A DHCP message.
+   
+   .. zeek:see:: dhcp_message
+
+.. zeek:type:: DHCP::Addrs
+   :source-code: base/init-bare.zeek 4752 4752
+
+   :Type: :zeek:type:`vector` of :zeek:type:`addr`
+
+   A list of addresses offered by a DHCP server.  Could be routers,
+   DNS servers, or other.
+   
+   .. zeek:see:: dhcp_message
+
+.. zeek:type:: DHCP::SubOpt
+   :source-code: base/init-bare.zeek 4798 4801
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: code :zeek:type:`count`
+
+
+   .. zeek:field:: value :zeek:type:`string`
+
+
+   DHCP Relay Agent Information Option (Option 82)
+   
+   .. zeek:see:: dhcp_message
+
+.. zeek:type:: DHCP::SubOpts
+   :source-code: base/init-bare.zeek 4803 4803
+
+   :Type: :zeek:type:`vector` of :zeek:type:`DHCP::SubOpt`
+
+
+.. zeek:type:: DHCP::ClientFQDN
+   :source-code: base/init-bare.zeek 4783 4793
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      An unparsed bitfield of flags (refer to RFC 4702).
+
+
+   .. zeek:field:: rcode1 :zeek:type:`count`
+
+      This field is deprecated in the standard.
+
+
+   .. zeek:field:: rcode2 :zeek:type:`count`
+
+      This field is deprecated in the standard.
+
+
+   .. zeek:field:: domain_name :zeek:type:`string`
+
+      The Domain Name part of the option carries all or part of the FQDN
+      of a DHCP client.
+
+
+   DHCP Client FQDN Option information (Option 81)
+
+.. zeek:type:: DHCP::ClientID
+   :source-code: base/init-bare.zeek 4777 4780
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: hwtype :zeek:type:`count`
+
+
+   .. zeek:field:: hwaddr :zeek:type:`string`
+
+
+   DHCP Client Identifier (Option 61)
+   
+   .. zeek:see:: dhcp_message
+
+.. zeek:type:: DHCP::Options
+   :source-code: base/init-bare.zeek 4805 4903
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: options :zeek:type:`index_vec` :zeek:attr:`&optional`
+
+      The ordered list of all DHCP option numbers.
+
+
+   .. zeek:field:: subnet_mask :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Subnet Mask Value (option 1)
+
+
+   .. zeek:field:: routers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      Router addresses (option 3)
+
+
+   .. zeek:field:: dns_servers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      DNS Server addresses (option 6)
+
+
+   .. zeek:field:: host_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The Hostname of the client (option 12)
+
+
+   .. zeek:field:: domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The DNS domain name of the client (option 15)
+
+
+   .. zeek:field:: forwarding :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Enable/Disable IP Forwarding (option 19)
+
+
+   .. zeek:field:: broadcast :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Broadcast Address (option 28)
+
+
+   .. zeek:field:: vendor :zeek:type:`string` :zeek:attr:`&optional`
+
+      Vendor specific data. This can frequently
+      be unparsed binary data. (option 43)
+
+
+   .. zeek:field:: nbns :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      NETBIOS name server list (option 44)
+
+
+   .. zeek:field:: addr_request :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Address requested by the client (option 50)
+
+
+   .. zeek:field:: lease :zeek:type:`interval` :zeek:attr:`&optional`
+
+      Lease time offered by the server. (option 51)
+
+
+   .. zeek:field:: serv_addr :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Server address to allow clients to distinguish
+      between lease offers. (option 54)
+
+
+   .. zeek:field:: param_list :zeek:type:`index_vec` :zeek:attr:`&optional`
+
+      DHCP Parameter Request list (option 55)
+
+
+   .. zeek:field:: message :zeek:type:`string` :zeek:attr:`&optional`
+
+      Textual error message (option 56)
+
+
+   .. zeek:field:: max_msg_size :zeek:type:`count` :zeek:attr:`&optional`
+
+      Maximum Message Size (option 57)
+
+
+   .. zeek:field:: renewal_time :zeek:type:`interval` :zeek:attr:`&optional`
+
+      This option specifies the time interval from address
+      assignment until the client transitions to the
+      RENEWING state. (option 58)
+
+
+   .. zeek:field:: rebinding_time :zeek:type:`interval` :zeek:attr:`&optional`
+
+      This option specifies the time interval from address
+      assignment until the client transitions to the
+      REBINDING state. (option 59)
+
+
+   .. zeek:field:: vendor_class :zeek:type:`string` :zeek:attr:`&optional`
+
+      This option is used by DHCP clients to optionally
+      identify the vendor type and configuration of a DHCP
+      client. (option 60)
+
+
+   .. zeek:field:: client_id :zeek:type:`DHCP::ClientID` :zeek:attr:`&optional`
+
+      DHCP Client Identifier (Option 61)
+
+
+   .. zeek:field:: user_class :zeek:type:`string` :zeek:attr:`&optional`
+
+      User Class opaque value (Option 77)
+
+
+   .. zeek:field:: client_fqdn :zeek:type:`DHCP::ClientFQDN` :zeek:attr:`&optional`
+
+      DHCP Client FQDN (Option 81)
+
+
+   .. zeek:field:: sub_opt :zeek:type:`DHCP::SubOpts` :zeek:attr:`&optional`
+
+      DHCP Relay Agent Information Option (Option 82)
+
+
+   .. zeek:field:: auto_config :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Auto Config option to let host know if it's allowed to
+      auto assign an IP address. (Option 116)
+
+
+   .. zeek:field:: auto_proxy_config :zeek:type:`string` :zeek:attr:`&optional`
+
+      URL to find a proxy.pac for auto proxy config (Option 252)
+
+
+   .. zeek:field:: time_offset :zeek:type:`int` :zeek:attr:`&optional`
+
+      The offset of the client's subnet in seconds from UTC. (Option 2)
+
+
+   .. zeek:field:: time_servers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      A list of :rfc:`868` time servers available to the client.
+      (Option 4)
+
+
+   .. zeek:field:: name_servers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      A list of IEN 116 name servers available to the client. (Option 5)
+
+
+   .. zeek:field:: ntp_servers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      A list of IP addresses indicating NTP servers available to the
+      client. (Option 42)
+
+
+
+Events
+++++++
+
+.. zeek:id:: dhcp_message
+   :source-code: base/protocols/dhcp/main.zeek 301 308
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`DHCP::Msg`, options: :zeek:type:`DHCP::Options`)
+
+   Generated for all DHCP messages.
+   
+
+   :param c: The connection record describing the underlying UDP flow.
+   
+
+   :param is_orig: Indicate if the message came in a packet from the
+           originator/client of the udp flow or the responder/server.
+   
+
+   :param msg: The parsed type-independent part of the DHCP message. The message
+        type is indicated in this record.
+   
+
+   :param options: The full set of supported and parsed DHCP options.
+
+.. _plugin-zeek-dnp3:
+
+Zeek::DNP3
+----------
+
+DNP3 UDP/TCP analyzers
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_DNP3_TCP`
+
+:zeek:enum:`Analyzer::ANALYZER_DNP3_UDP`
+
+Events
+++++++
+
+.. zeek:id:: dnp3_application_request_header
+   :source-code: base/protocols/dnp3/main.zeek 49 59
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, application: :zeek:type:`count`, fc: :zeek:type:`count`)
+
+   Generated for a DNP3 request header.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param fc: function code.
+   
+
+.. zeek:id:: dnp3_application_response_header
+   :source-code: base/protocols/dnp3/main.zeek 61 76
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, application: :zeek:type:`count`, fc: :zeek:type:`count`, iin: :zeek:type:`count`)
+
+   Generated for a DNP3 response header.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param fc: function code.
+   
+
+   :param iin: internal indication number.
+   
+
+.. zeek:id:: dnp3_object_header
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 50 50
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, obj_type: :zeek:type:`count`, qua_field: :zeek:type:`count`, number: :zeek:type:`count`, rf_low: :zeek:type:`count`, rf_high: :zeek:type:`count`)
+
+   Generated for the object header found in both DNP3 requests and responses.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param obj_type: type of object, which is classified based on an 8-bit group number
+             and an 8-bit variation number.
+   
+
+   :param qua_field: qualifier field.
+   
+
+   :param number: TODO.
+   
+
+   :param rf_low: the structure of the range field depends on the qualified field.
+           In some cases, the range field contains only one logic part, e.g.,
+           number of objects, so only *rf_low* contains useful values.
+   
+
+   :param rf_high: in some cases, the range field contains two logic parts, e.g., start
+            index and stop index, so *rf_low* contains the start index
+            while *rf_high* contains the stop index.
+   
+
+.. zeek:id:: dnp3_object_prefix
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 62 62
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix_value: :zeek:type:`count`)
+
+   Generated for the prefix before a DNP3 object. The structure and the meaning
+   of the prefix are defined by the qualifier field.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param prefix_value: The prefix.
+   
+
+.. zeek:id:: dnp3_header_block
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 82 82
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, len: :zeek:type:`count`, ctrl: :zeek:type:`count`, dest_addr: :zeek:type:`count`, src_addr: :zeek:type:`count`)
+
+   Generated for an additional header that the DNP3 analyzer passes to the
+   script-level. This header mimics the DNP3 transport-layer yet is only passed
+   once for each sequence of DNP3 records (which are otherwise reassembled and
+   treated as a single entity).
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param len:   the "length" field in the DNP3 Pseudo Link Layer.
+   
+
+   :param ctrl:  the "control" field in the DNP3 Pseudo Link Layer.
+   
+
+   :param dest_addr: the "destination" field in the DNP3 Pseudo Link Layer.
+   
+
+   :param src_addr: the "source" field in the DNP3 Pseudo Link Layer.
+   
+
+.. zeek:id:: dnp3_response_data_object
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 99 99
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data_value: :zeek:type:`count`)
+
+   Generated for a DNP3 "Response_Data_Object".
+   The "Response_Data_Object" contains two parts: object prefix and object
+   data. In most cases, object data are defined by new record types. But
+   in a few cases, object data are directly basic types, such as int16_t, or
+   int8_t; thus we use an additional *data_value* to record the values of those
+   object data.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param data_value: The value for those objects that carry their information here
+               directly.
+   
+
+.. zeek:id:: dnp3_attribute_common
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 103 103
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data_type_code: :zeek:type:`count`, leng: :zeek:type:`count`, attribute_obj: :zeek:type:`string`)
+
+   Generated for DNP3 attributes.
+
+.. zeek:id:: dnp3_crob
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 108 108
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, control_code: :zeek:type:`count`, count8: :zeek:type:`count`, on_time: :zeek:type:`count`, off_time: :zeek:type:`count`, status_code: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 12 and variation number 1
+
+   :param CROB: control relay output block
+
+.. zeek:id:: dnp3_pcb
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 113 113
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, control_code: :zeek:type:`count`, count8: :zeek:type:`count`, on_time: :zeek:type:`count`, off_time: :zeek:type:`count`, status_code: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 12 and variation number 2
+
+   :param PCB: Pattern Control Block
+
+.. zeek:id:: dnp3_counter_32wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 118 118
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 20 and variation number 1
+   counter 32 bit with flag
+
+.. zeek:id:: dnp3_counter_16wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 123 123
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 20 and variation number 2
+   counter 16 bit with flag
+
+.. zeek:id:: dnp3_counter_32woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 128 128
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 20 and variation number 5
+   counter 32 bit without flag
+
+.. zeek:id:: dnp3_counter_16woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 133 133
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 20 and variation number 6
+   counter 16 bit without flag
+
+.. zeek:id:: dnp3_frozen_counter_32wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 138 138
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 1
+   frozen counter 32 bit with flag
+
+.. zeek:id:: dnp3_frozen_counter_16wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 143 143
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 2
+   frozen counter 16 bit with flag
+
+.. zeek:id:: dnp3_frozen_counter_32wFlagTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 148 148
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 5
+   frozen counter 32 bit with flag and time
+
+.. zeek:id:: dnp3_frozen_counter_16wFlagTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 153 153
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 6
+   frozen counter 16 bit with flag and time
+
+.. zeek:id:: dnp3_frozen_counter_32woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 158 158
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 9
+   frozen counter 32 bit without flag
+
+.. zeek:id:: dnp3_frozen_counter_16woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 163 163
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 10
+   frozen counter 16 bit without flag
+
+.. zeek:id:: dnp3_analog_input_32wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 168 168
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 1
+   analog input 32 bit with flag
+
+.. zeek:id:: dnp3_analog_input_16wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 173 173
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 2
+   analog input 16 bit with flag
+
+.. zeek:id:: dnp3_analog_input_32woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 178 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 3
+   analog input 32 bit without flag
+
+.. zeek:id:: dnp3_analog_input_16woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 183 183
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 4
+   analog input 16 bit without flag
+
+.. zeek:id:: dnp3_analog_input_SPwFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 188 188
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 5
+   analog input single precision, float point with flag
+
+.. zeek:id:: dnp3_analog_input_DPwFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 193 193
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 6
+   analog input double precision, float point with flag
+
+.. zeek:id:: dnp3_frozen_analog_input_32wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 198 198
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 1
+   frozen analog input 32 bit with flag
+
+.. zeek:id:: dnp3_frozen_analog_input_16wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 203 203
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 2
+   frozen analog input 16 bit with flag
+
+.. zeek:id:: dnp3_frozen_analog_input_32wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 208 208
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 3
+   frozen analog input 32 bit with time-of-freeze
+
+.. zeek:id:: dnp3_frozen_analog_input_16wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 213 213
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 4
+   frozen analog input 16 bit with time-of-freeze
+
+.. zeek:id:: dnp3_frozen_analog_input_32woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 218 218
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 5
+   frozen analog input 32 bit without flag
+
+.. zeek:id:: dnp3_frozen_analog_input_16woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 223 223
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 6
+   frozen analog input 16 bit without flag
+
+.. zeek:id:: dnp3_frozen_analog_input_SPwFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 228 228
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 7
+   frozen analog input single-precision, float point with flag
+
+.. zeek:id:: dnp3_frozen_analog_input_DPwFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 233 233
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 8
+   frozen analog input double-precision, float point with flag
+
+.. zeek:id:: dnp3_analog_input_event_32woTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 238 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 1
+   analog input event 32 bit without time
+
+.. zeek:id:: dnp3_analog_input_event_16woTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 243 243
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 2
+   analog input event 16 bit without time
+
+.. zeek:id:: dnp3_analog_input_event_32wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 248 248
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 3
+   analog input event 32 bit with time
+
+.. zeek:id:: dnp3_analog_input_event_16wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 253 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 4
+   analog input event 16 bit with time
+
+.. zeek:id:: dnp3_analog_input_event_SPwoTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 258 258
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 5
+   analog input event single-precision float point without time
+
+.. zeek:id:: dnp3_analog_input_event_DPwoTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 263 263
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 6
+   analog input event double-precision float point without time
+
+.. zeek:id:: dnp3_analog_input_event_SPwTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 268 268
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 7
+   analog input event single-precision float point with time
+
+.. zeek:id:: dnp3_analog_input_event_DPwTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 273 273
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 8
+   analog input event double-precision float point with time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_32woTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 278 278
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 1
+   frozen analog input event 32 bit without time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_16woTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 283 283
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 2
+   frozen analog input event 16 bit without time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_32wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 288 288
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 3
+   frozen analog input event 32 bit with time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_16wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 293 293
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 4
+   frozen analog input event 16 bit with time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_SPwoTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 298 298
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 5
+   frozen analog input event single-precision float point without time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_DPwoTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 303 303
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 6
+   frozen analog input event double-precision float point without time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_SPwTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 308 308
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 7
+   frozen analog input event single-precision float point with time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_DPwTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 313 313
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 34 and variation number 8
+   frozen analog input event double-precision float point with time
+
+.. zeek:id:: dnp3_file_transport
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 317 317
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, file_handle: :zeek:type:`count`, block_num: :zeek:type:`count`, file_data: :zeek:type:`string`)
+
+   g70
+
+.. zeek:id:: dnp3_debug_byte
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 323 323
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, debug: :zeek:type:`string`)
+
+   Debugging event generated by the DNP3 analyzer. The "Debug_Byte" binpac unit
+   generates this for unknown "cases". The user can use it to debug the byte
+   string to check what caused the malformed network packets.
+
+.. _plugin-zeek-dns:
+
+Zeek::DNS
+---------
+
+DNS analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS_DNS`
+
+:zeek:enum:`Analyzer::ANALYZER_DNS`
+
+Events
+++++++
+
+.. zeek:id:: dns_message
+   :source-code: base/protocols/dns/main.zeek 348 355
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`dns_msg`, len: :zeek:type:`count`)
+
+   Generated for all DNS messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param is_orig:  True if the message was sent by the originator of the connection.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param len: The length of the message's raw representation (i.e., the DNS payload).
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid  dns_query_reply dns_rejected
+      dns_request dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_request
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 56 56
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`, original_query: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`)
+
+   Generated for DNS requests. For requests with multiple queries, this event
+   is raised once for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param query: The queried name (normalized to all lowercase).
+   
+
+   :param qtype: The queried resource record type.
+   
+
+   :param qclass: The queried resource record class.
+   
+
+   :param original_query: The queried name, with the original case kept intact
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_rejected
+   :source-code: base/protocols/dns/main.zeek 637 641
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`, original_query: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`)
+
+   Generated for DNS replies that reject a query. This event is raised if a DNS
+   reply indicates failure because it does not pass on any
+   answers to a query. Note that all of the event's parameters are parsed out of
+   the reply; there's no stateful correlation with the query.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param query: The queried name (normalized to all lowercase).
+   
+
+   :param qtype: The queried resource record type.
+   
+
+   :param qclass: The queried resource record class.
+   
+
+   :param original_query: The queried name, with the original case kept intact
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_request dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_query_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 121 121
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`, original_query: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`)
+
+   Generated for each entry in the Question section of a DNS reply.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param query: The queried name.
+   
+
+   :param qtype: The queried resource record type.
+   
+
+   :param qclass: The queried resource record class.
+   
+
+   :param original_query: The queried name, with the original case kept intact
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
+      dns_request dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_A_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 149 149
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, a: :zeek:type:`addr`)
+
+   Generated for DNS replies of type *A*. For replies with multiple answers, an
+   individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param a: The address returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
+      dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_AAAA_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 175 175
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, a: :zeek:type:`addr`)
+
+   Generated for DNS replies of type *AAAA*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param a: The address returned by the reply.
+   
+   .. zeek:see::  dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_A6_reply
+   :source-code: base/protocols/dns/main.zeek 499 502
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, a: :zeek:type:`addr`)
+
+   Generated for DNS replies of type *A6*. For replies with multiple answers, an
+   individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param a: The address returned by the reply.
+   
+   .. zeek:see::  dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_NS_reply
+   :source-code: base/protocols/dns/main.zeek 504 507
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, name: :zeek:type:`string`)
+
+   Generated for DNS replies of type *NS*. For replies with multiple answers, an
+   individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param name: The name returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply  dns_PTR_reply dns_SOA_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_CNAME_reply
+   :source-code: base/protocols/dns/main.zeek 509 512
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, name: :zeek:type:`string`)
+
+   Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param name: The name returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply  dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_PTR_reply
+   :source-code: base/protocols/dns/main.zeek 520 523
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, name: :zeek:type:`string`)
+
+   Generated for DNS replies of type *PTR*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param name: The name returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply  dns_SOA_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_SOA_reply
+   :source-code: base/protocols/dns/main.zeek 525 528
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, soa: :zeek:type:`dns_soa`)
+
+   Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param soa: The parsed SOA value.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_WKS_reply
+   :source-code: base/protocols/dns/main.zeek 530 533
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`)
+
+   Generated for DNS replies of type *WKS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply  dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_HINFO_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 353 353
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, cpu: :zeek:type:`string`, os: :zeek:type:`string`)
+
+   Generated for DNS replies of type *HINFO*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_MX_reply
+   :source-code: base/protocols/dns/main.zeek 515 518
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, name: :zeek:type:`string`, preference: :zeek:type:`count`)
+
+   Generated for DNS replies of type *MX*. For replies with multiple answers, an
+   individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param name: The name returned by the reply.
+   
+
+   :param preference: The preference for *name* specified by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply  dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_TXT_reply
+   :source-code: base/protocols/dns/main.zeek 464 477
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, strs: :zeek:type:`string_vec`)
+
+   Generated for DNS replies of type *TXT*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param strs: The textual information returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl  dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_SPF_reply
+   :source-code: base/protocols/dns/main.zeek 479 492
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, strs: :zeek:type:`string_vec`)
+
+   Generated for DNS replies of type *SPF*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param strs: The textual information returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl  dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_CAA_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 453 453
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, flags: :zeek:type:`count`, tag: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Generated for DNS replies of type *CAA* (Certification Authority Authorization).
+   For replies with multiple answers, an individual event of the corresponding type
+   is raised for each.
+   See `RFC 6844 <https://tools.ietf.org/html/rfc6844>`__ for more details.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param flags: The flags byte of the CAA reply.
+   
+
+   :param tag: The property identifier of the CAA reply.
+   
+
+   :param value: The property value of the CAA reply.
+
+.. zeek:id:: dns_SRV_reply
+   :source-code: base/protocols/dns/main.zeek 535 538
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, target: :zeek:type:`string`, priority: :zeek:type:`count`, weight: :zeek:type:`count`, p: :zeek:type:`count`)
+
+   Generated for DNS replies of type *SRV*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param target: Target of the SRV response -- the canonical hostname of the
+           machine providing the service, ending in a dot.
+   
+
+   :param priority: Priority of the SRV response -- the priority of the target
+             host, lower value means more preferred.
+   
+
+   :param weight: Weight of the SRV response -- a relative weight for records
+           with the same priority, higher value means more preferred.
+   
+
+   :param p: Port of the SRV response -- the TCP or UDP port on which the
+      service is to be found.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_NAPTR_reply
+   :source-code: base/protocols/dns/main.zeek 540 559
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, naptr: :zeek:type:`dns_naptr_rr`)
+
+   Generated for DNS replies of type *NAPTR*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param naptr: The parsed RDATA of NAPTR type record.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_SRV_reply dns_end
+
+.. zeek:id:: dns_unknown_reply
+   :source-code: base/protocols/dns/main.zeek 454 457
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`)
+
+   Generated on DNS reply resource records when the type of record is not one
+   that Zeek knows how to parse and generate another more specific event.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_SRV_reply dns_end
+
+.. zeek:id:: dns_EDNS_addl
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 552 552
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_edns_additional`)
+
+   Generated for DNS replies of type *EDNS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The parsed EDNS reply.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_EDNS_ecs
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 581 581
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, opt: :zeek:type:`dns_edns_ecs`)
+
+   Generated for DNS replies of type *EDNS*. For replies with multiple options,
+   an individual event is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param opt: The parsed EDNS option.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_EDNS_tcp_keepalive
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 612 612
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, opt: :zeek:type:`dns_edns_tcp_keepalive`)
+
+   Generated for DNS replies of type *EDNS*, and an option field in this *EDNS* record has
+   an opt-type of 11. For replies with multiple option fields, an individual event is
+   raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. See `RFC7828 <https://tools.ietf.org/html/rfc7828>`__ for
+   more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param opt: The parsed EDNS Keepalive option.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_EDNS_cookie
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 643 643
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, opt: :zeek:type:`dns_edns_cookie`)
+
+   Generated for DNS replies of type *EDNS*, and an option field in this *EDNS* record has
+   an opt-type of 10. For replies with multiple options fields, an individual event
+   is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. See `RFC7873 <https://tools.ietf.org/html/rfc7873>`__ for
+   more information about EDNS0 cookie. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param opt: The parsed EDNS Cookie option.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_TKEY
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 666 666
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_tkey`)
+
+   Generated for DNS replies of type *TKEY*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. See `RFC2930 <https://tools.ietf.org/html/rfc2930>`__
+   for more information about TKEY. Zeek analyzes both UDP and TCP DNS sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The parsed TKEY reply.
+   
+   .. note::
+   
+        Note that ``ans`` will only be populated if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_TSIG_addl
+
+.. zeek:id:: dns_TSIG_addl
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 695 695
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_tsig_additional`)
+
+   Generated for DNS replies of type *TSIG*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The parsed TSIG reply.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply  dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_RRSIG
+   :source-code: base/protocols/dns/main.zeek 581 587
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, rrsig: :zeek:type:`dns_rrsig_rr`)
+
+   Generated for DNS replies of type *RRSIG*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param rrsig: The parsed RRSIG record.
+
+.. zeek:id:: dns_DNSKEY
+   :source-code: base/protocols/dns/main.zeek 589 594
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, dnskey: :zeek:type:`dns_dnskey_rr`)
+
+   Generated for DNS replies of type *DNSKEY*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param dnskey: The parsed DNSKEY record.
+
+.. zeek:id:: dns_NSEC
+   :source-code: base/protocols/dns/main.zeek 596 599
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, next_name: :zeek:type:`string`, bitmaps: :zeek:type:`string_vec`)
+
+   Generated for DNS replies of type *NSEC*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param next_name: The parsed next secure domain name.
+   
+
+   :param bitmaps: vector of strings in hex for the bit maps present.
+
+.. zeek:id:: dns_NSEC3
+   :source-code: base/protocols/dns/main.zeek 601 604
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, nsec3: :zeek:type:`dns_nsec3_rr`)
+
+   Generated for DNS replies of type *NSEC3*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param nsec3: The parsed RDATA of Nsec3 record.
+
+.. zeek:id:: dns_NSEC3PARAM
+   :source-code: base/protocols/dns/main.zeek 606 609
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, nsec3param: :zeek:type:`dns_nsec3param_rr`)
+
+   Generated for DNS replies of type *NSEC3PARAM*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param nsec3param: The parsed RDATA of NSEC3PARAM record.
+
+.. zeek:id:: dns_DS
+   :source-code: base/protocols/dns/main.zeek 611 616
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, ds: :zeek:type:`dns_ds_rr`)
+
+   Generated for DNS replies of type *DS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param ds: The parsed RDATA of DS record.
+
+.. zeek:id:: dns_BINDS
+   :source-code: base/protocols/dns/main.zeek 618 621
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, binds: :zeek:type:`dns_binds_rr`)
+
+   Generated for DNS replies of type *BINDS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param binds: The parsed RDATA of BIND-Signing state record.
+
+.. zeek:id:: dns_SSHFP
+   :source-code: base/protocols/dns/main.zeek 623 628
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, algo: :zeek:type:`count`, fptype: :zeek:type:`count`, fingerprint: :zeek:type:`string`)
+
+   Generated for DNS replies of type *BINDS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param binds: The parsed RDATA of BIND-Signing state record.
+
+.. zeek:id:: dns_LOC
+   :source-code: base/protocols/dns/main.zeek 630 635
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, loc: :zeek:type:`dns_loc_rr`)
+
+   Generated for DNS replies of type *LOC*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param loc: The parsed RDATA of LOC type record.
+
+.. zeek:id:: dns_SVCB
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 839 839
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, svcb: :zeek:type:`dns_svcb_rr`)
+
+   Generated for DNS replies of type *SVCB* (General Purpose Service Endpoints).
+   See `RFC draft for DNS SVCB/HTTPS <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
+   for more information about DNS SVCB/HTTPS resource records.
+   For replies with multiple answers, an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param svcb: The parsed RDATA of SVCB type record.
+
+.. zeek:id:: dns_HTTPS
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 856 856
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, https: :zeek:type:`dns_svcb_rr`)
+
+   Generated for DNS replies of type *HTTPS* (HTTPS Specific Service Endpoints).
+   See `RFC draft for DNS SVCB/HTTPS <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
+   for more information about DNS SVCB/HTTPS resource records.
+   Since SVCB and HTTPS records share the same wire format layout, the argument https is dns_svcb_rr.
+   For replies with multiple answers, an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param https: The parsed RDATA of HTTPS type record.
+
+.. zeek:id:: dns_end
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 879 879
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`)
+
+   Generated at the end of processing a DNS packet. This event is the last
+   ``dns_*`` event that will be raised for a DNS query/reply and signals that
+   all resource records have been passed on.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. _plugin-zeek-file:
+
+Zeek::File
+----------
+
+Generic file analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_FTP_DATA`
+
+Events
+++++++
+
+.. zeek:id:: file_transferred
+   :source-code: base/protocols/ftp/main.zeek 450 458
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, prefix: :zeek:type:`string`, descr: :zeek:type:`string`, mime_type: :zeek:type:`string`)
+
+   Generated when a TCP connection associated w/ file data transfer is seen
+   (e.g. as happens w/ FTP or IRC).
+   
+
+   :param c: The connection over which file data is transferred.
+   
+
+   :param prefix: Up to 1024 bytes of the file data.
+   
+
+   :param descr: Deprecated/unused argument.
+   
+
+   :param mime_type: MIME type of the file or "<unknown>" if no file magic signatures
+              matched.
+
+.. _plugin-zeek-finger:
+
+Zeek::Finger
+------------
+
+Finger analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_FINGER`
+
+Types
++++++
+
+.. zeek:type:: spicy::AddressFamily
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::AddressFamily_IPv4 spicy::AddressFamily
+
+      .. zeek:enum:: spicy::AddressFamily_IPv6 spicy::AddressFamily
+
+      .. zeek:enum:: spicy::AddressFamily_Undef spicy::AddressFamily
+
+
+.. zeek:type:: spicy::BitOrder
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::BitOrder_LSB0 spicy::BitOrder
+
+      .. zeek:enum:: spicy::BitOrder_MSB0 spicy::BitOrder
+
+      .. zeek:enum:: spicy::BitOrder_Undef spicy::BitOrder
+
+
+.. zeek:type:: spicy::ByteOrder
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::ByteOrder_Little spicy::ByteOrder
+
+      .. zeek:enum:: spicy::ByteOrder_Big spicy::ByteOrder
+
+      .. zeek:enum:: spicy::ByteOrder_Network spicy::ByteOrder
+
+      .. zeek:enum:: spicy::ByteOrder_Host spicy::ByteOrder
+
+      .. zeek:enum:: spicy::ByteOrder_Undef spicy::ByteOrder
+
+
+.. zeek:type:: spicy::Charset
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::Charset_ASCII spicy::Charset
+
+      .. zeek:enum:: spicy::Charset_UTF8 spicy::Charset
+
+      .. zeek:enum:: spicy::Charset_UTF16LE spicy::Charset
+
+      .. zeek:enum:: spicy::Charset_UTF16BE spicy::Charset
+
+      .. zeek:enum:: spicy::Charset_Undef spicy::Charset
+
+
+.. zeek:type:: spicy::DecodeErrorStrategy
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::DecodeErrorStrategy_IGNORE spicy::DecodeErrorStrategy
+
+      .. zeek:enum:: spicy::DecodeErrorStrategy_REPLACE spicy::DecodeErrorStrategy
+
+      .. zeek:enum:: spicy::DecodeErrorStrategy_STRICT spicy::DecodeErrorStrategy
+
+      .. zeek:enum:: spicy::DecodeErrorStrategy_Undef spicy::DecodeErrorStrategy
+
+
+.. zeek:type:: spicy::Protocol
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::Protocol_TCP spicy::Protocol
+
+      .. zeek:enum:: spicy::Protocol_UDP spicy::Protocol
+
+      .. zeek:enum:: spicy::Protocol_ICMP spicy::Protocol
+
+      .. zeek:enum:: spicy::Protocol_Undef spicy::Protocol
+
+
+.. zeek:type:: spicy::RealType
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::RealType_IEEE754_Single spicy::RealType
+
+      .. zeek:enum:: spicy::RealType_IEEE754_Double spicy::RealType
+
+      .. zeek:enum:: spicy::RealType_Undef spicy::RealType
+
+
+.. zeek:type:: spicy::ReassemblerPolicy
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::ReassemblerPolicy_First spicy::ReassemblerPolicy
+
+      .. zeek:enum:: spicy::ReassemblerPolicy_Undef spicy::ReassemblerPolicy
+
+
+.. zeek:type:: spicy::Side
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::Side_Left spicy::Side
+
+      .. zeek:enum:: spicy::Side_Right spicy::Side
+
+      .. zeek:enum:: spicy::Side_Both spicy::Side
+
+      .. zeek:enum:: spicy::Side_Undef spicy::Side
+
+
+.. zeek:type:: spicy::Direction
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: spicy::Direction_Forward spicy::Direction
+
+      .. zeek:enum:: spicy::Direction_Backward spicy::Direction
+
+      .. zeek:enum:: spicy::Direction_Undef spicy::Direction
+
+
+Events
+++++++
+
+.. zeek:id:: finger_request
+   :source-code: base/protocols/finger/spicy-events.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, full: :zeek:type:`bool`, username: :zeek:type:`string`, hostname: :zeek:type:`string`)
+
+   Generated for Finger requests.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+   information about the Finger protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param full: True if verbose information is requested (``/W`` switch).
+   
+
+   :param username: The request's user name.
+   
+
+   :param hostname: The request's host name.
+   
+   .. zeek:see:: finger_reply
+
+.. zeek:id:: finger_reply
+   :source-code: base/protocols/finger/spicy-events.zeek 31 31
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, reply_line: :zeek:type:`string`)
+
+   Generated for Finger replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+   information about the Finger protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param reply_line: The reply as returned by the server
+   
+   .. zeek:see:: finger_request
+
+.. _plugin-zeek-ftp:
+
+Zeek::FTP
+---------
+
+FTP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_FTP`
+
+:zeek:enum:`Analyzer::ANALYZER_FTP_ADAT`
+
+Types
++++++
+
+.. zeek:type:: ftp_port
+   :source-code: base/init-bare.zeek 363 367
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: h :zeek:type:`addr`
+
+      The host's address.
+
+
+   .. zeek:field:: p :zeek:type:`port`
+
+      The host's port.
+
+
+   .. zeek:field:: valid :zeek:type:`bool`
+
+      True if format was right. Only then are *h* and *p* valid.
+
+
+   A parsed host/port combination describing server endpoint for an upcoming
+   data transfer.
+   
+   .. zeek:see:: fmt_ftp_port parse_eftp_port parse_ftp_epsv parse_ftp_pasv
+      parse_ftp_port
+
+Events
+++++++
+
+.. zeek:id:: ftp_request
+   :source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
+
+   Generated for client-side FTP commands.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
+   more information about the FTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param command: The FTP command issued by the client (without any arguments).
+   
+
+   :param arg: The arguments going with the command.
+   
+   .. zeek:see:: ftp_reply fmt_ftp_port parse_eftp_port
+      parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+
+.. zeek:id:: ftp_reply
+   :source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 38 38
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`, msg: :zeek:type:`string`, cont_resp: :zeek:type:`bool`)
+
+   Generated for server-side FTP replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
+   more information about the FTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param code: The numerical response code the server responded with.
+   
+
+   :param msg:  The textual message of the response.
+   
+
+   :param cont_resp: True if the reply line is tagged as being continued to the next
+              line. If so, further events will be raised and a handler may want
+              to reassemble the pieces before processing the response any
+              further.
+   
+   .. zeek:see:: ftp_request fmt_ftp_port parse_eftp_port
+      parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+
+.. zeek:id:: ftp_starttls
+   :source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 46 46
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated if an FTP connection switched to TLS using AUTH TLS. After this
+   event no more FTP events will be raised for the connection. See the SSL
+   analyzer for related SSL events, which will now be generated.
+   
+
+   :param c: The connection.
+
+Functions
++++++++++
+
+.. zeek:id:: parse_ftp_port
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`ftp_port`
+
+   Converts a string representation of the FTP PORT command to an
+   :zeek:type:`ftp_port`.
+   
+
+   :param s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
+   
+
+   :returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
+   
+   .. zeek:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
+
+.. zeek:id:: parse_eftp_port
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`ftp_port`
+
+   Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
+   to an :zeek:type:`ftp_port`.  The format is
+   ``"EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>"``,
+   where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
+   
+
+   :param s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``.
+   
+
+   :returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
+   
+   .. zeek:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
+
+.. zeek:id:: parse_ftp_pasv
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`ftp_port`
+
+   Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
+   
+
+   :param str: The string containing the result of the FTP PASV command.
+   
+
+   :returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
+   
+   .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
+
+.. zeek:id:: parse_ftp_epsv
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 52 52
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`ftp_port`
+
+   Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
+   :zeek:type:`ftp_port`.  The format is ``"<text> (<d><d><d><tcp-port><d>)"``,
+   where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
+   
+
+   :param str: The string containing the result of the FTP EPSV command.
+   
+
+   :returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
+   
+   .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
+
+.. zeek:id:: fmt_ftp_port
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 65 65
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, p: :zeek:type:`port`) : :zeek:type:`string`
+
+   Formats an IP address and TCP port as an FTP PORT command. For example,
+   ``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``.
+   
+
+   :param a: The IP address.
+   
+
+   :param p: The TCP port.
+   
+
+   :returns: The FTP PORT string.
+   
+   .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
+
+.. _plugin-zeek-gnutella:
+
+Zeek::Gnutella
+--------------
+
+Gnutella analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_GNUTELLA`
+
+Events
+++++++
+
+.. zeek:id:: gnutella_text_msg
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, headers: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see::  gnutella_binary_msg gnutella_establish gnutella_http_notify
+      gnutella_not_establish gnutella_partial_binary_msg
+   
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_binary_msg
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 32 32
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, msg_type: :zeek:type:`count`, ttl: :zeek:type:`count`, hops: :zeek:type:`count`, msg_len: :zeek:type:`count`, payload: :zeek:type:`string`, payload_len: :zeek:type:`count`, trunc: :zeek:type:`bool`, complete: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
+      gnutella_partial_binary_msg gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_partial_binary_msg
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 47 47
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, msg: :zeek:type:`string`, len: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+      gnutella_not_establish  gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_establish
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 62 62
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_binary_msg  gnutella_http_notify gnutella_not_establish
+      gnutella_partial_binary_msg gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_not_establish
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 77 77
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+      gnutella_partial_binary_msg gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_http_notify
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
+      gnutella_partial_binary_msg gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. _plugin-zeek-gssapi:
+
+Zeek::GSSAPI
+------------
+
+GSSAPI analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_GSSAPI`
+
+Events
+++++++
+
+.. zeek:id:: gssapi_neg_result
+   :source-code: base/bif/plugins/Zeek_GSSAPI.events.bif.zeek 10 10
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, state: :zeek:type:`count`)
+
+   Generated for GSSAPI negotiation results.
+   
+
+   :param c: The connection.
+   
+
+   :param state: The resulting state of the negotiation.
+   
+
+.. _plugin-zeek-http:
+
+Zeek::HTTP
+----------
+
+HTTP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_HTTP`
+
+Events
+++++++
+
+.. zeek:id:: http_request
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 26 26
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, method: :zeek:type:`string`, original_URI: :zeek:type:`string`, unescaped_URI: :zeek:type:`string`, version: :zeek:type:`string`)
+
+   Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
+   sessions and raises corresponding events as it parses client/server
+   dialogues. This event is generated as soon as a request's initial line has
+   been parsed, and before any :zeek:id:`http_header` events are raised.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``).
+   
+
+   :param original_URI: The unprocessed URI as specified in the request.
+   
+
+   :param unescaped_URI: The URI with all percent-encodings decoded.
+   
+
+   :param version: The version number specified in the request (e.g., ``1.1``).
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header http_message_done http_reply http_stats
+      truncate_http_URI http_connection_upgrade
+
+.. zeek:id:: http_reply
+   :source-code: base/protocols/http/main.zeek 274 313
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
+
+   Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
+   sessions and raises corresponding events as it parses client/server
+   dialogues. This event is generated as soon as a reply's initial line has
+   been parsed, and before any :zeek:id:`http_header` events are raised.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param version: The version number specified in the reply (e.g., ``1.1``).
+   
+
+   :param code: The numerical response code returned by the server.
+   
+
+   :param reason: The textual description returned by the server along with *code*.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header http_message_done http_request
+      http_stats http_connection_upgrade
+
+.. zeek:id:: http_header
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 74 74
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, original_name: :zeek:type:`string`, name: :zeek:type:`string`, value: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
+   sessions and raises corresponding events as it parses client/server
+   dialogues.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the header was sent by the originator of the TCP connection.
+   
+
+   :param original_name: The name of the header (unaltered).
+   
+
+   :param name: The name of the header (converted to all uppercase).
+   
+
+   :param value: The value of the header.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event  http_message_done http_reply http_request
+      http_stats http_connection_upgrade
+   
+   .. note:: This event is also raised for headers found in nested body
+      entities.
+
+.. zeek:id:: http_all_headers
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 100 100
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, hlist: :zeek:type:`mime_header_list`)
+
+   Generated for HTTP headers, passing on all headers of an HTTP message at
+   once. Zeek supports persistent and pipelined HTTP sessions and raises
+   corresponding events as it parses client/server dialogues.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the header was sent by the originator of the TCP connection.
+   
+
+   :param hlist: A *table* containing all headers extracted from the current entity.
+          The table is indexed by the position of the header (1 for the first,
+          2 for the second, etc.).
+   
+   .. zeek:see::  http_begin_entity http_content_type http_end_entity http_entity_data
+      http_event http_header http_message_done http_reply http_request http_stats
+      http_connection_upgrade
+   
+   .. note:: This event is also raised for headers found in nested body
+      entities.
+
+.. zeek:id:: http_begin_entity
+   :source-code: base/protocols/http/entities.zeek 73 83
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated when starting to parse an HTTP body entity. This event is generated
+   at least once for each non-empty (client or server) HTTP body; and
+   potentially more than once if the body contains further nested MIME
+   entities. Zeek raises this event just before it starts parsing each entity's
+   content.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+   .. zeek:see:: http_all_headers  http_content_type http_end_entity http_entity_data
+      http_event http_header http_message_done http_reply http_request http_stats
+      mime_begin_entity http_connection_upgrade
+
+.. zeek:id:: http_end_entity
+   :source-code: base/protocols/http/entities.zeek 214 218
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated when finishing parsing an HTTP body entity. This event is generated
+   at least once for each non-empty (client or server) HTTP body; and
+   potentially more than once if the body contains further nested MIME
+   entities. Zeek raises this event at the point when it has finished parsing an
+   entity's content.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_entity_data
+      http_event http_header http_message_done http_reply http_request
+      http_stats mime_end_entity http_connection_upgrade
+
+.. zeek:id:: http_entity_data
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 170 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, length: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated when parsing an HTTP body entity, passing on the data. This event
+   can potentially be raised many times for each entity, each time passing a
+   chunk of the data of not further defined size.
+   
+   A common idiom for using this event is to first *reassemble* the data
+   at the scripting layer by concatenating it to a successively growing
+   string; and only perform further content analysis once the corresponding
+   :zeek:id:`http_end_entity` event has been raised. Note, however, that doing so
+   can be quite expensive for HTTP tranders. At the very least, one should
+   impose an upper size limit on how much data is being buffered.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+
+   :param length: The length of *data*.
+   
+
+   :param data: One chunk of raw entity data.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_event http_header http_message_done http_reply http_request http_stats
+      mime_entity_data http_entity_data_delivery_size skip_http_data
+      http_connection_upgrade
+
+.. zeek:id:: http_content_type
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 196 196
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, ty: :zeek:type:`string`, subty: :zeek:type:`string`)
+
+   Generated for reporting an HTTP body's content type.  This event is
+   generated at the end of parsing an HTTP header, passing on the MIME
+   type as specified by the ``Content-Type`` header. If that header is
+   missing, this event is still raised with a default value of ``text/plain``.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+
+   :param ty: The main type.
+   
+
+   :param subty: The subtype.
+   
+   .. zeek:see:: http_all_headers http_begin_entity  http_end_entity http_entity_data
+      http_event http_header http_message_done http_reply http_request http_stats
+      http_connection_upgrade
+   
+   .. note:: This event is also raised for headers found in nested body
+      entities.
+
+.. zeek:id:: http_message_done
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 220 220
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, stat: :zeek:type:`http_message_stat`)
+
+   Generated once at the end of parsing an HTTP message. Zeek supports persistent
+   and pipelined HTTP sessions and raises corresponding events as it parses
+   client/server dialogues. A "message" is one top-level HTTP entity, such as a
+   complete request or reply. Each message can have further nested sub-entities
+   inside. This event is raised once all sub-entities belonging to a top-level
+   message have been processed (and their corresponding ``http_entity_*`` events
+   generated).
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+
+   :param stat: Further meta information about the message.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header  http_reply http_request http_stats
+      http_connection_upgrade
+
+.. zeek:id:: http_event
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 238 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, event_type: :zeek:type:`string`, detail: :zeek:type:`string`)
+
+   Generated for errors found when decoding HTTP requests or replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param event_type: A string describing the general category of the problem found
+               (e.g., ``illegal format``).
+   
+
+   :param detail: Further more detailed description of the error.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data  http_header http_message_done http_reply http_request
+      http_stats mime_event http_connection_upgrade
+
+.. zeek:id:: http_stats
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 253 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, stats: :zeek:type:`http_stats_rec`)
+
+   Generated at the end of an HTTP session to report statistics about it. This
+   event is raised after all of an HTTP session's requests and replies have been
+   fully processed.
+   
+
+   :param c: The connection.
+   
+
+   :param stats: Statistics summarizing HTTP-level properties of the finished
+          connection.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header http_message_done http_reply
+      http_request http_connection_upgrade
+
+.. zeek:id:: http_connection_upgrade
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 267 267
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, protocol: :zeek:type:`string`)
+
+   Generated when a HTTP session is upgraded to a different protocol (e.g. websocket).
+   This event is raised when a server replies with a HTTP 101 reply. No more HTTP events
+   will be raised after this event.
+   
+
+   :param c: The connection.
+   
+
+   :param protocol: The protocol to which the connection is switching.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header http_message_done http_reply
+      http_request
+
+Functions
++++++++++
+
+.. zeek:id:: skip_http_entity_data
+   :source-code: base/bif/plugins/Zeek_HTTP.functions.bif.zeek 14 14
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`any`
+
+   Skips the data of the HTTP entity.
+   
+
+   :param c: The HTTP connection.
+   
+
+   :param is_orig: If true, the client data is skipped, and the server data otherwise.
+   
+   .. zeek:see:: skip_smtp_data
+
+.. zeek:id:: unescape_URI
+   :source-code: base/bif/plugins/Zeek_HTTP.functions.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (URI: :zeek:type:`string`) : :zeek:type:`string`
+
+   Unescapes all characters in a URI (decode every ``%xx`` group).
+   
+
+   :param URI: The URI to unescape.
+   
+
+   :returns: The unescaped URI with all ``%xx`` groups decoded.
+   
+   .. note::
+   
+        Unescaping reserved characters may cause loss of information.
+        :rfc:`2396`: A URI is always in an "escaped" form, since escaping or
+        unescaping a completed URI might change its semantics.  Normally, the
+        only time escape encodings can safely be made is when the URI is
+        being created from its component parts.
+
+.. _plugin-zeek-ident:
+
+Zeek::Ident
+-----------
+
+Ident analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_IDENT`
+
+Events
+++++++
+
+.. zeek:id:: ident_request
+   :source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`)
+
+   Generated for Ident requests.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+   information about the Ident protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param lport: The request's local port.
+   
+
+   :param rport: The request's remote port.
+   
+   .. zeek:see:: ident_error ident_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: ident_reply
+   :source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 45 45
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`, user_id: :zeek:type:`string`, system: :zeek:type:`string`)
+
+   Generated for Ident replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+   information about the Ident protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param lport: The corresponding request's local port.
+   
+
+   :param rport: The corresponding request's remote port.
+   
+
+   :param user_id: The user id returned by the reply.
+   
+
+   :param system: The operating system returned by the reply.
+   
+   .. zeek:see:: ident_error  ident_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: ident_error
+   :source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 67 67
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`, line: :zeek:type:`string`)
+
+   Generated for Ident error replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+   information about the Ident protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param lport: The corresponding request's local port.
+   
+
+   :param rport: The corresponding request's remote port.
+   
+
+   :param line: The error description returned by the reply.
+   
+   .. zeek:see:: ident_reply ident_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. _plugin-zeek-imap:
+
+Zeek::IMAP
+----------
+
+IMAP analyzer (StartTLS only)
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_IMAP`
+
+Events
+++++++
+
+.. zeek:id:: imap_capabilities
+   :source-code: base/bif/plugins/Zeek_IMAP.events.bif.zeek 10 10
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, capabilities: :zeek:type:`string_vec`)
+
+   Generated when a server sends a capability list to the client,
+   after being queried using the CAPABILITY command.
+   
+
+   :param c: The connection.
+   
+
+   :param capabilities: The list of IMAP capabilities as sent by the server.
+
+.. zeek:id:: imap_starttls
+   :source-code: base/bif/plugins/Zeek_IMAP.events.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a IMAP connection goes encrypted after a successful
+   StartTLS exchange between the client and the server.
+   
+
+   :param c: The connection.
+
+.. _plugin-zeek-irc:
+
+Zeek::IRC
+---------
+
+IRC analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_IRC`
+
+:zeek:enum:`Analyzer::ANALYZER_IRC_DATA`
+
+Events
+++++++
+
+.. zeek:id:: irc_request
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 30 30
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, command: :zeek:type:`string`, arguments: :zeek:type:`string`)
+
+   Generated for all client-side IRC commands.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Always true.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param command: The command.
+   
+
+   :param arguments: The arguments for the command.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+   
+   .. note:: This event is generated only for messages that originate
+      at the client-side. Commands coming in from remote trigger
+      the :zeek:id:`irc_message` event instead.
+
+.. zeek:id:: irc_reply
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 56 56
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, code: :zeek:type:`count`, params: :zeek:type:`string`)
+
+   Generated for all IRC replies. IRC replies are sent in response to a
+   request and come with a reply code.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the reply. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param code: The reply code, as specified by the protocol.
+   
+
+   :param params: The reply's parameters.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 86 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, command: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC commands forwarded from the server to the client.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Always false.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param command: The command.
+   
+
+   :param message: TODO.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message  irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+   
+   .. note::
+   
+      This event is generated only for messages that are forwarded by the server
+      to the client. Commands coming from client trigger the
+      :zeek:id:`irc_request` event instead.
+
+.. zeek:id:: irc_quit_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 109 109
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *quit*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname coming with the message.
+   
+
+   :param message: The text included with the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_privmsg_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 134 134
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, source: :zeek:type:`string`, target: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *privmsg*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param source: The source of the private communication.
+   
+
+   :param target: The target of the private communication.
+   
+
+   :param message: The text of communication.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_notice_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 159 159
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, source: :zeek:type:`string`, target: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *notice*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param source: The source of the private communication.
+   
+
+   :param target: The target of the private communication.
+   
+
+   :param message: The text of communication.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message  irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_squery_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 184 184
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, source: :zeek:type:`string`, target: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *squery*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param source: The source of the private communication.
+   
+
+   :param target: The target of the private communication.
+   
+
+   :param message: The text of communication.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_join_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 205 205
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, info_list: :zeek:type:`irc_join_list`)
+
+   Generated for IRC messages of type *join*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param info_list: The user information coming with the command.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_part_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 230 230
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`, chans: :zeek:type:`string_set`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *part*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname coming with the message.
+   
+
+   :param chans: The set of channels affected.
+   
+
+   :param message: The text coming with the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_nick_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 253 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, who: :zeek:type:`string`, newnick: :zeek:type:`string`)
+
+   Generated for IRC messages of type *nick*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param who: The user changing its nickname.
+   
+
+   :param newnick: The new nickname.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_invalid_nick
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 271 271
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated when a server rejects an IRC nickname.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users  irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_network_info
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 295 295
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, users: :zeek:type:`count`, services: :zeek:type:`count`, servers: :zeek:type:`count`)
+
+   Generated for an IRC reply of type *luserclient*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param users: The number of users as returned in the reply.
+   
+
+   :param services: The number of services as returned in the reply.
+   
+
+   :param servers: The number of servers as returned in the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_server_info
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 319 319
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, users: :zeek:type:`count`, services: :zeek:type:`count`, servers: :zeek:type:`count`)
+
+   Generated for an IRC reply of type *luserme*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param users: The number of users as returned in the reply.
+   
+
+   :param services: The number of services as returned in the reply.
+   
+
+   :param servers: The number of servers as returned in the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_channel_info
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 339 339
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, chans: :zeek:type:`count`)
+
+   Generated for an IRC reply of type *luserchannels*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param chans: The number of channels as returned in the reply.
+   
+   .. zeek:see::  irc_channel_topic irc_dcc_message irc_error_message irc_global_users
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_who_line
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 375 375
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, target_nick: :zeek:type:`string`, channel: :zeek:type:`string`, user: :zeek:type:`string`, host: :zeek:type:`string`, server: :zeek:type:`string`, nick: :zeek:type:`string`, params: :zeek:type:`string`, hops: :zeek:type:`count`, real_name: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *whoreply*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param target_nick: The target nickname.
+   
+
+   :param channel: The channel.
+   
+
+   :param user: The user.
+   
+
+   :param host: The host.
+   
+
+   :param server: The server.
+   
+
+   :param nick: The nickname.
+   
+
+   :param params: The parameters.
+   
+
+   :param hops: The hop count.
+   
+
+   :param real_name: The real name.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_names_info
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 400 400
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, c_type: :zeek:type:`string`, channel: :zeek:type:`string`, users: :zeek:type:`string_set`)
+
+   Generated for an IRC reply of type *namereply*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param c_type: The channel type.
+   
+
+   :param channel: The channel.
+   
+
+   :param users: The set of users.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message  irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_whois_operator_line
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 420 420
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *whoisoperator*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname specified in the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_whois_channel_line
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 442 442
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`, chans: :zeek:type:`string_set`)
+
+   Generated for an IRC reply of type *whoischannels*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname specified in the reply.
+   
+
+   :param chans: The set of channels returned.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_whois_user_line
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 468 468
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`, user: :zeek:type:`string`, host: :zeek:type:`string`, real_name: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *whoisuser*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname specified in the reply.
+   
+
+   :param user: The user name specified in the reply.
+   
+
+   :param host: The host name specified in the reply.
+   
+
+   :param real_name: The real name specified in the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_oper_response
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 489 489
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, got_oper: :zeek:type:`bool`)
+
+   Generated for IRC replies of type *youreoper* and *nooperhost*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param got_oper: True if the *oper* command was executed successfully
+             (*youreport*) and false otherwise (*nooperhost*).
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_global_users
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 512 512
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, msg: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *globalusers*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param msg: The message coming with the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_channel_topic
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 534 534
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, channel: :zeek:type:`string`, topic: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *topic*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param channel: The channel name specified in the reply.
+   
+
+   :param topic: The topic specified in the reply.
+   
+   .. zeek:see:: irc_channel_info  irc_dcc_message irc_error_message irc_global_users
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_who_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 557 557
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, mask: :zeek:type:`string`, oper: :zeek:type:`bool`)
+
+   Generated for IRC messages of type *who*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param mask: The mask specified in the message.
+   
+
+   :param oper: True if the operator flag was set.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_whois_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 580 580
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, server: :zeek:type:`string`, users: :zeek:type:`string`)
+
+   Generated for IRC messages of type *whois*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param server: TODO.
+   
+
+   :param users: TODO.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_oper_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 603 603
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
+
+   Generated for IRC messages of type *oper*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param user: The user specified in the message.
+   
+
+   :param password: The password specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message  irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_kick_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 631 631
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, chans: :zeek:type:`string`, users: :zeek:type:`string`, comment: :zeek:type:`string`)
+
+   Generated for IRC messages of type *kick*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param chans: The channels specified in the message.
+   
+
+   :param users: The users specified in the message.
+   
+
+   :param comment: The comment specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_error_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 655 655
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *error*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param message: The textual description specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_invite_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 681 681
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, nickname: :zeek:type:`string`, channel: :zeek:type:`string`)
+
+   Generated for IRC messages of type *invite*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param nickname: The nickname specified in the message.
+   
+
+   :param channel: The channel specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick  irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_mode_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 705 705
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, params: :zeek:type:`string`)
+
+   Generated for IRC messages of type *mode*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param params: The parameters coming with the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message  irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_squit_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 731 731
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, server: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *squit*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param server: The server specified in the message.
+   
+
+   :param message: The textual description specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_dcc_message
+   :source-code: base/protocols/irc/dcc-send.zeek 109 123
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, target: :zeek:type:`string`, dcc_type: :zeek:type:`string`, argument: :zeek:type:`string`, address: :zeek:type:`addr`, dest_port: :zeek:type:`count`, size: :zeek:type:`count`)
+
+   Generated for IRC messages of type *dcc*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+   See `Wikipedia <https://en.wikipedia.org/wiki/Direct_Client-to-Client>`__ for more
+   information about the DCC.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param target: The target specified in the message.
+   
+
+   :param dcc_type: The DCC type specified in the message.
+   
+
+   :param argument:  The argument specified in the message.
+   
+
+   :param address: The address specified in the message.
+   
+
+   :param dest_port: The destination port specified in the message.
+   
+
+   :param size: The size specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic  irc_error_message irc_global_users
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_dcc_send_ack
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 789 789
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, bytes_received: :zeek:type:`count`)
+
+   Generated for IRC messages of type *dcc*. This event is generated for
+   DCC SEND acknowledge message.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+   See `Wikipedia <https://en.wikipedia.org/wiki/Direct_Client-to-Client>`__ for more
+   information about the DCC.
+   
+
+   :param c: The connection.
+   
+
+   :param bytes_received: The number of bytes received as reported by the recipient.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message
+
+.. zeek:id:: irc_user_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 816 816
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, host: :zeek:type:`string`, server: :zeek:type:`string`, real_name: :zeek:type:`string`)
+
+   Generated for IRC messages of type *user*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param user: The user specified in the message.
+   
+
+   :param host: The host name specified in the message.
+   
+
+   :param server: The server name specified in the message.
+   
+
+   :param real_name: The real name specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_password_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 837 837
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, password: :zeek:type:`string`)
+
+   Generated for IRC messages of type *password*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param password: The password specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_dcc_send_ack
+
+.. zeek:id:: irc_starttls
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 845 845
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated if an IRC connection switched to TLS using STARTTLS. After this
+   event no more IRC events will be raised for the connection. See the SSL
+   analyzer for related SSL events, which will now be generated.
+   
+
+   :param c: The connection.
+
+.. _plugin-zeek-javascript:
+
+Zeek::JavaScript
+----------------
+
+Experimental JavaScript support for Zeek
+
+Components
+++++++++++
+
+.. _plugin-zeek-krb:
+
+Zeek::KRB
+---------
+
+Kerberos analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_KRB`
+
+:zeek:enum:`Analyzer::ANALYZER_KRB_TCP`
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: KRB::keytab
+   :source-code: base/init-bare.zeek 5407 5407
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
+
+Types
++++++
+
+.. zeek:type:: KRB::Error_Msg
+   :source-code: base/init-bare.zeek 5502 5525
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count` :zeek:attr:`&optional`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: msg_type :zeek:type:`count` :zeek:attr:`&optional`
+
+      The message type (30 for ERROR_MSG)
+
+
+   .. zeek:field:: client_time :zeek:type:`time` :zeek:attr:`&optional`
+
+      Current time on the client
+
+
+   .. zeek:field:: server_time :zeek:type:`time` :zeek:attr:`&optional`
+
+      Current time on the server
+
+
+   .. zeek:field:: error_code :zeek:type:`count`
+
+      The specific error code
+
+
+   .. zeek:field:: client_realm :zeek:type:`string` :zeek:attr:`&optional`
+
+      Realm of the ticket
+
+
+   .. zeek:field:: client_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name on the ticket
+
+
+   .. zeek:field:: service_realm :zeek:type:`string` :zeek:attr:`&optional`
+
+      Realm of the service
+
+
+   .. zeek:field:: service_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name of the service
+
+
+   .. zeek:field:: error_text :zeek:type:`string` :zeek:attr:`&optional`
+
+      Additional text to explain the error
+
+
+   .. zeek:field:: pa_data :zeek:type:`vector` of :zeek:type:`KRB::Type_Value` :zeek:attr:`&optional`
+
+      Optional pre-authentication data
+
+
+   The data from the ERROR_MSG message. See :rfc:`4120`.
+
+.. zeek:type:: KRB::SAFE_Msg
+   :source-code: base/init-bare.zeek 5483 5499
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: msg_type :zeek:type:`count`
+
+      The message type (20 for SAFE_MSG)
+
+
+   .. zeek:field:: data :zeek:type:`string`
+
+      The application-specific data that is being passed
+      from the sender to the receiver
+
+
+   .. zeek:field:: timestamp :zeek:type:`time` :zeek:attr:`&optional`
+
+      Current time from the sender of the message
+
+
+   .. zeek:field:: seq :zeek:type:`count` :zeek:attr:`&optional`
+
+      Sequence number used to detect replays
+
+
+   .. zeek:field:: sender :zeek:type:`KRB::Host_Address` :zeek:attr:`&optional`
+
+      Sender address
+
+
+   .. zeek:field:: recipient :zeek:type:`KRB::Host_Address` :zeek:attr:`&optional`
+
+      Recipient address
+
+
+   The data from the SAFE message. See :rfc:`4120`.
+
+.. zeek:type:: KRB::KDC_Options
+   :source-code: base/init-bare.zeek 5409 5440
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: forwardable :zeek:type:`bool`
+
+      The ticket to be issued should have its forwardable flag set.
+
+
+   .. zeek:field:: forwarded :zeek:type:`bool`
+
+      A (TGT) request for forwarding.
+
+
+   .. zeek:field:: proxiable :zeek:type:`bool`
+
+      The ticket to be issued should have its proxiable flag set.
+
+
+   .. zeek:field:: proxy :zeek:type:`bool`
+
+      A request for a proxy.
+
+
+   .. zeek:field:: allow_postdate :zeek:type:`bool`
+
+      The ticket to be issued should have its may-postdate flag set.
+
+
+   .. zeek:field:: postdated :zeek:type:`bool`
+
+      A request for a postdated ticket.
+
+
+   .. zeek:field:: renewable :zeek:type:`bool`
+
+      The ticket to be issued should have its renewable  flag set.
+
+
+   .. zeek:field:: opt_hardware_auth :zeek:type:`bool`
+
+      Reserved for opt_hardware_auth
+
+
+   .. zeek:field:: disable_transited_check :zeek:type:`bool`
+
+      Request that the KDC not check the transited field of a TGT against
+      the policy of the local realm before it will issue derivative tickets
+      based on the TGT.
+
+
+   .. zeek:field:: renewable_ok :zeek:type:`bool`
+
+      If a ticket with the requested lifetime cannot be issued, a renewable
+      ticket is acceptable
+
+
+   .. zeek:field:: enc_tkt_in_skey :zeek:type:`bool`
+
+      The ticket for the end server is to be encrypted in the session key
+      from the additional TGT provided
+
+
+   .. zeek:field:: renew :zeek:type:`bool`
+
+      The request is for a renewal
+
+
+   .. zeek:field:: validate :zeek:type:`bool`
+
+      The request is to validate a postdated ticket.
+
+
+   KDC Options. See :rfc:`4120`
+
+.. zeek:type:: KRB::AP_Options
+   :source-code: base/init-bare.zeek 5443 5448
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: use_session_key :zeek:type:`bool`
+
+      Indicates that user-to-user-authentication is in use
+
+
+   .. zeek:field:: mutual_required :zeek:type:`bool`
+
+      Mutual authentication is required
+
+
+   AP Options. See :rfc:`4120`
+
+.. zeek:type:: KRB::Type_Value
+   :source-code: base/init-bare.zeek 5452 5457
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: data_type :zeek:type:`count`
+
+      The data type
+
+
+   .. zeek:field:: val :zeek:type:`string`
+
+      The data value
+
+
+   Used in a few places in the Kerberos analyzer for elements
+   that have a type and a string value.
+
+.. zeek:type:: KRB::Encrypted_Data
+   :source-code: base/init-bare.zeek 5461 5468
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: kvno :zeek:type:`count` :zeek:attr:`&optional`
+
+      The key version number
+
+
+   .. zeek:field:: cipher :zeek:type:`count`
+
+      The cipher the data was encrypted with
+
+
+   .. zeek:field:: ciphertext :zeek:type:`string`
+
+      The encrypted data
+
+
+
+.. zeek:type:: KRB::Ticket
+   :source-code: base/init-bare.zeek 5528 5541
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: realm :zeek:type:`string`
+
+      Realm
+
+
+   .. zeek:field:: service_name :zeek:type:`string`
+
+      Name of the service
+
+
+   .. zeek:field:: cipher :zeek:type:`count`
+
+      Cipher the ticket was encrypted with
+
+
+   .. zeek:field:: ciphertext :zeek:type:`string` :zeek:attr:`&optional`
+
+      Cipher text of the ticket
+
+
+   .. zeek:field:: authenticationinfo :zeek:type:`string` :zeek:attr:`&optional`
+
+      Authentication info
+
+
+   A Kerberos ticket. See :rfc:`4120`.
+
+.. zeek:type:: KRB::Ticket_Vector
+   :source-code: base/init-bare.zeek 5543 5543
+
+   :Type: :zeek:type:`vector` of :zeek:type:`KRB::Ticket`
+
+
+.. zeek:type:: KRB::Host_Address
+   :source-code: base/init-bare.zeek 5471 5478
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ip :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      IPv4 or IPv6 address
+
+
+   .. zeek:field:: netbios :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      NetBIOS address
+
+
+   .. zeek:field:: unknown :zeek:type:`KRB::Type_Value` :zeek:attr:`&optional`
+
+      Some other type that we don't support yet
+
+
+   A Kerberos host address See :rfc:`4120`.
+
+.. zeek:type:: KRB::KDC_Request
+   :source-code: base/init-bare.zeek 5546 5577
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: msg_type :zeek:type:`count`
+
+      The message type (10 for AS_REQ, 12 for TGS_REQ)
+
+
+   .. zeek:field:: pa_data :zeek:type:`vector` of :zeek:type:`KRB::Type_Value` :zeek:attr:`&optional`
+
+      Optional pre-authentication data
+
+
+   .. zeek:field:: kdc_options :zeek:type:`KRB::KDC_Options` :zeek:attr:`&optional`
+
+      Options specified in the request
+
+
+   .. zeek:field:: client_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name on the ticket
+
+
+   .. zeek:field:: service_realm :zeek:type:`string` :zeek:attr:`&optional`
+
+      Realm of the service
+
+
+   .. zeek:field:: service_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name of the service
+
+
+   .. zeek:field:: from :zeek:type:`time` :zeek:attr:`&optional`
+
+      Time the ticket is good from
+
+
+   .. zeek:field:: till :zeek:type:`time` :zeek:attr:`&optional`
+
+      Time the ticket is good till
+
+
+   .. zeek:field:: rtime :zeek:type:`time` :zeek:attr:`&optional`
+
+      The requested renew-till time
+
+
+   .. zeek:field:: nonce :zeek:type:`count` :zeek:attr:`&optional`
+
+      A random nonce generated by the client
+
+
+   .. zeek:field:: encryption_types :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&optional`
+
+      The desired encryption algorithms, in order of preference
+
+
+   .. zeek:field:: host_addrs :zeek:type:`vector` of :zeek:type:`KRB::Host_Address` :zeek:attr:`&optional`
+
+      Any additional addresses the ticket should be valid for
+
+
+   .. zeek:field:: additional_tickets :zeek:type:`vector` of :zeek:type:`KRB::Ticket` :zeek:attr:`&optional`
+
+      Additional tickets may be included for certain transactions
+
+
+   The data from the AS_REQ and TGS_REQ messages. See :rfc:`4120`.
+
+.. zeek:type:: KRB::KDC_Response
+   :source-code: base/init-bare.zeek 5580 5596
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: msg_type :zeek:type:`count`
+
+      The message type (11 for AS_REP, 13 for TGS_REP)
+
+
+   .. zeek:field:: pa_data :zeek:type:`vector` of :zeek:type:`KRB::Type_Value` :zeek:attr:`&optional`
+
+      Optional pre-authentication data
+
+
+   .. zeek:field:: client_realm :zeek:type:`string` :zeek:attr:`&optional`
+
+      Realm on the ticket
+
+
+   .. zeek:field:: client_name :zeek:type:`string`
+
+      Name on the service
+
+
+   .. zeek:field:: ticket :zeek:type:`KRB::Ticket`
+
+      The ticket that was issued
+
+
+   .. zeek:field:: enc_part :zeek:type:`KRB::Encrypted_Data`
+
+      The encrypted session key for the client
+
+
+   The data from the AS_REQ and TGS_REQ messages. See :rfc:`4120`.
+
+Events
+++++++
+
+.. zeek:id:: krb_as_request
+   :source-code: base/protocols/krb/main.zeek 145 168
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Request`)
+
+   A Kerberos 5 ``Authentication Server (AS) Request`` as defined
+   in :rfc:`4120`. The AS request contains a username of the client
+   requesting authentication, and returns an AS reply with an
+   encrypted Ticket Granting Ticket (TGT) for that user. The TGT
+   can then be used to request further tickets for other services.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos KDC request message data structure.
+   
+   .. zeek:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_as_response
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 36 36
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Response`)
+
+   A Kerberos 5 ``Authentication Server (AS) Response`` as defined
+   in :rfc:`4120`. Following the AS request for a user, an AS reply
+   contains an encrypted Ticket Granting Ticket (TGT) for that user.
+   The TGT can then be used to request further tickets for other services.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos KDC reply message data structure.
+   
+   .. zeek:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_tgs_request
+   :source-code: base/protocols/krb/main.zeek 196 214
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Request`)
+
+   A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
+   in :rfc:`4120`. Following the Authentication Server exchange, if
+   successful, the client now has a Ticket Granting Ticket (TGT). To
+   authenticate to a Kerberized service, the client requests a Service
+   Ticket, which will be returned in the TGS reply.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos KDC request message data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_tgs_response
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 71 71
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Response`)
+
+   A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
+   in :rfc:`4120`. This message returns a Service Ticket to the client,
+   which is encrypted with the service's long-term key, and which the
+   client can use to authenticate to that service.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos KDC reply message data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_ap_request
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 90 90
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, ticket: :zeek:type:`KRB::Ticket`, opts: :zeek:type:`KRB::AP_Options`)
+
+   A Kerberos 5 ``Authentication Header (AP) Request`` as defined
+   in :rfc:`4120`. This message contains authentication information
+   that should be part of the first message in an authenticated
+   transaction.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param ticket: The Kerberos ticket being used for authentication.
+   
+
+   :param opts: A Kerberos AP options data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_ap_response
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 106 106
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   A Kerberos 5 ``Authentication Header (AP) Response`` as defined
+   in :rfc:`4120`. This is used if mutual authentication is desired.
+   All of the interesting information in here is encrypted, so the event
+   doesn't have much useful data, but it's provided in case it's important
+   to know that this message was sent.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_priv
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 123 123
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`. This
+   is a private (encrypted) application message, so the event doesn't
+   have much useful data, but it's provided in case it's important to
+   know that this message was sent.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param is_orig: Whether the originator of the connection sent this message.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_ap_response krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_safe
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 140 140
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`KRB::SAFE_Msg`)
+
+   A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`. This is a
+   safe (checksummed) application message.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param is_orig: Whether the originator of the connection sent this message.
+   
+
+   :param msg: A Kerberos SAFE message data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_ap_response krb_priv krb_cred krb_error
+
+.. zeek:id:: krb_cred
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 157 157
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, tickets: :zeek:type:`KRB::Ticket_Vector`)
+
+   A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`. This is
+   a private (encrypted) message to forward credentials.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param is_orig: Whether the originator of the connection sent this message.
+   
+
+   :param tickets: Tickets obtained from the KDC that are being forwarded.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_ap_response krb_priv krb_safe krb_error
+
+.. zeek:id:: krb_error
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 171 171
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::Error_Msg`)
+
+   A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos error message data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
+
+.. _plugin-zeek-ldap:
+
+Zeek::LDAP
+----------
+
+LDAP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_LDAP_TCP`
+
+:zeek:enum:`Analyzer::ANALYZER_LDAP_UDP`
+
+Types
++++++
+
+.. zeek:type:: LDAP::ProtocolOpcode
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_BIND_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_BIND_RESPONSE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_UNBIND_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_SEARCH_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_SEARCH_RESULT_ENTRY LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_SEARCH_RESULT_DONE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_MODIFY_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_MODIFY_RESPONSE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_ADD_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_ADD_RESPONSE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_DEL_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_DEL_RESPONSE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_MOD_DN_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_MOD_DN_RESPONSE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_COMPARE_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_COMPARE_RESPONSE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_ABANDON_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_SEARCH_RESULT_REFERENCE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_EXTENDED_REQUEST LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_EXTENDED_RESPONSE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_INTERMEDIATE_RESPONSE LDAP::ProtocolOpcode
+
+      .. zeek:enum:: LDAP::ProtocolOpcode_Undef LDAP::ProtocolOpcode
+
+
+.. zeek:type:: LDAP::ResultCode
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LDAP::ResultCode_SUCCESS LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_OPERATIONS_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_PROTOCOL_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_TIME_LIMIT_EXCEEDED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_SIZE_LIMIT_EXCEEDED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_COMPARE_FALSE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_COMPARE_TRUE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_AUTH_METHOD_NOT_SUPPORTED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_STRONGER_AUTH_REQUIRED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_PARTIAL_RESULTS LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_REFERRAL LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_ADMIN_LIMIT_EXCEEDED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_UNAVAILABLE_CRITICAL_EXTENSION LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_CONFIDENTIALITY_REQUIRED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_SASL_BIND_IN_PROGRESS LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NO_SUCH_ATTRIBUTE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_UNDEFINED_ATTRIBUTE_TYPE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_INAPPROPRIATE_MATCHING LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_CONSTRAINT_VIOLATION LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_ATTRIBUTE_OR_VALUE_EXISTS LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_INVALID_ATTRIBUTE_SYNTAX LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NO_SUCH_OBJECT LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_ALIAS_PROBLEM LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_INVALID_DNSYNTAX LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_ALIAS_DEREFERENCING_PROBLEM LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_INAPPROPRIATE_AUTHENTICATION LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_INVALID_CREDENTIALS LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_INSUFFICIENT_ACCESS_RIGHTS LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_BUSY LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_UNAVAILABLE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_UNWILLING_TO_PERFORM LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_LOOP_DETECT LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_SORT_CONTROL_MISSING LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_OFFSET_RANGE_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NAMING_VIOLATION LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_OBJECT_CLASS_VIOLATION LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NOT_ALLOWED_ON_NON_LEAF LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NOT_ALLOWED_ON_RDN LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_ENTRY_ALREADY_EXISTS LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_OBJECT_CLASS_MODS_PROHIBITED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_RESULTS_TOO_LARGE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_AFFECTS_MULTIPLE_DSAS LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_CONTROL_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_OTHER LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_SERVER_DOWN LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_LOCAL_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_ENCODING_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_DECODING_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_TIMEOUT LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_AUTH_UNKNOWN LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_FILTER_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_USER_CANCELED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_PARAM_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NO_MEMORY LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_CONNECT_ERROR LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NOT_SUPPORTED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_CONTROL_NOT_FOUND LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NO_RESULTS_RETURNED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_MORE_RESULTS_TO_RETURN LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_CLIENT_LOOP LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_REFERRAL_LIMIT_EXCEEDED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_INVALID_RESPONSE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_AMBIGUOUS_RESPONSE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_TLS_NOT_SUPPORTED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_INTERMEDIATE_RESPONSE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_UNKNOWN_TYPE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_LCUP_INVALID_DATA LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_LCUP_UNSUPPORTED_SCHEME LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_LCUP_RELOAD_REQUIRED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_CANCELED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_NO_SUCH_OPERATION LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_TOO_LATE LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_CANNOT_CANCEL LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_ASSERTION_FAILED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_AUTHORIZATION_DENIED LDAP::ResultCode
+
+      .. zeek:enum:: LDAP::ResultCode_Undef LDAP::ResultCode
+
+
+.. zeek:type:: LDAP::BindAuthType
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LDAP::BindAuthType_BIND_AUTH_SIMPLE LDAP::BindAuthType
+
+      .. zeek:enum:: LDAP::BindAuthType_BIND_AUTH_SASL LDAP::BindAuthType
+
+      .. zeek:enum:: LDAP::BindAuthType_SICILY_PACKAGE_DISCOVERY LDAP::BindAuthType
+
+      .. zeek:enum:: LDAP::BindAuthType_SICILY_NEGOTIATE LDAP::BindAuthType
+
+      .. zeek:enum:: LDAP::BindAuthType_SICILY_RESPONSE LDAP::BindAuthType
+
+      .. zeek:enum:: LDAP::BindAuthType_Undef LDAP::BindAuthType
+
+
+.. zeek:type:: LDAP::SearchScope
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LDAP::SearchScope_SEARCH_BASE LDAP::SearchScope
+
+      .. zeek:enum:: LDAP::SearchScope_SEARCH_SINGLE LDAP::SearchScope
+
+      .. zeek:enum:: LDAP::SearchScope_SEARCH_TREE LDAP::SearchScope
+
+      .. zeek:enum:: LDAP::SearchScope_Undef LDAP::SearchScope
+
+
+.. zeek:type:: LDAP::SearchDerefAlias
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LDAP::SearchDerefAlias_DEREF_NEVER LDAP::SearchDerefAlias
+
+      .. zeek:enum:: LDAP::SearchDerefAlias_DEREF_IN_SEARCHING LDAP::SearchDerefAlias
+
+      .. zeek:enum:: LDAP::SearchDerefAlias_DEREF_FINDING_BASE LDAP::SearchDerefAlias
+
+      .. zeek:enum:: LDAP::SearchDerefAlias_DEREF_ALWAYS LDAP::SearchDerefAlias
+
+      .. zeek:enum:: LDAP::SearchDerefAlias_Undef LDAP::SearchDerefAlias
+
+
+.. zeek:type:: ASN1::ASN1Type
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: ASN1::ASN1Type_Boolean ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_Integer ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_BitString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_OctetString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_NullVal ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_ObjectIdentifier ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_ObjectDescriptor ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_InstanceOf ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_Real ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_Enumerated ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_EmbeddedPDV ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_UTF8String ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_RelativeOID ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_Sequence ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_Set ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_NumericString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_PrintableString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_TeletextString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_VideotextString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_IA5String ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_UTCTime ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_GeneralizedTime ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_GraphicString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_VisibleString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_GeneralString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_UniversalString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_CharacterString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_BMPString ASN1::ASN1Type
+
+      .. zeek:enum:: ASN1::ASN1Type_Undef ASN1::ASN1Type
+
+
+.. zeek:type:: ASN1::ASN1Class
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: ASN1::ASN1Class_Universal ASN1::ASN1Class
+
+      .. zeek:enum:: ASN1::ASN1Class_Application ASN1::ASN1Class
+
+      .. zeek:enum:: ASN1::ASN1Class_ContextSpecific ASN1::ASN1Class
+
+      .. zeek:enum:: ASN1::ASN1Class_Private ASN1::ASN1Class
+
+      .. zeek:enum:: ASN1::ASN1Class_Undef ASN1::ASN1Class
+
+
+Events
+++++++
+
+.. zeek:id:: LDAP::message
+   :source-code: base/protocols/ldap/main.zeek 188 287
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, opcode: :zeek:type:`LDAP::ProtocolOpcode`, result: :zeek:type:`LDAP::ResultCode`, matched_dn: :zeek:type:`string`, diagnostic_message: :zeek:type:`string`, object: :zeek:type:`string`, argument: :zeek:type:`string`)
+
+   Event generated for each LDAPMessage (either direction).
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param opcode: The protocolOp field in the message.
+   
+
+   :param result: The result code if the message contains a result.
+   
+
+   :param matched_dn: The DN if the message contains a result.
+   
+
+   :param diagnostic_message: Diagnostic message if the LDAP message contains a result.
+   
+
+   :param object: The object name this message refers to.
+   
+
+   :param argument: Additional arguments this message includes.
+
+.. zeek:id:: LDAP::bind_request
+   :source-code: base/protocols/ldap/main.zeek 366 397
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, version: :zeek:type:`int`, name: :zeek:type:`string`, auth_type: :zeek:type:`LDAP::BindAuthType`, auth_info: :zeek:type:`string`)
+
+   Event generated for each LDAPMessage containing a BindRequest.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param version: The version field in the BindRequest.
+   
+
+   :param name: The name field in the BindRequest.
+   
+
+   :param auth_type: The auth type field in the BindRequest.
+   
+
+   :param auth_info: Additional information related to the used auth type.
+
+.. zeek:id:: LDAP::search_request
+   :source-code: base/protocols/ldap/main.zeek 299 348
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, base_object: :zeek:type:`string`, scope: :zeek:type:`LDAP::SearchScope`, deref: :zeek:type:`LDAP::SearchDerefAlias`, size_limit: :zeek:type:`int`, time_limit: :zeek:type:`int`, types_only: :zeek:type:`bool`, filter: :zeek:type:`string`, attributes: :zeek:type:`vector` of :zeek:type:`string`)
+
+   Event generated for each LDAPMessage containing a SearchRequest.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param base_object: The baseObject field in the SearchRequest.
+   
+
+   :param scope: The scope field in the SearchRequest.
+   
+
+   :param deref_alias: The derefAlias field in the SearchRequest
+   
+
+   :param size_limit: The sizeLimit field in the SearchRequest.
+   
+
+   :param time_limit: The timeLimit field in the SearchRequest.
+   
+
+   :param types_only: The typesOnly field in the SearchRequest.
+   
+
+   :param filter: The string representation of the filter field in the SearchRequest.
+   
+
+   :param attributes: Additional attributes of the SearchRequest.
+
+.. zeek:id:: LDAP::search_result_entry
+   :source-code: base/protocols/ldap/main.zeek 353 358
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, object_name: :zeek:type:`string`)
+
+   Event generated for each SearchResultEntry in LDAP messages.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param object_name: The object name in the SearchResultEntry.
+
+.. zeek:id:: LDAP::extended_request
+   :source-code: base/protocols/ldap/spicy-events.zeek 111 111
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, request_name: :zeek:type:`string`, request_value: :zeek:type:`string`)
+
+   Event generated for each ExtendedRequest in LDAP messages.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param request_name: The name of the extended request.
+   
+
+   :param request_value: The value of the extended request (empty if missing).
+
+.. zeek:id:: LDAP::extended_response
+   :source-code: base/protocols/ldap/spicy-events.zeek 129 129
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, result: :zeek:type:`LDAP::ResultCode`, response_name: :zeek:type:`string`, response_value: :zeek:type:`string`)
+
+   Event generated for each ExtendedResponse in LDAP messages.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param result: The result code of the response.
+   
+
+   :param response_name: The name of the extended response (empty if missing).
+   
+
+   :param response_value: The value of the extended response (empty if missing).
+
+.. zeek:id:: LDAP::starttls
+   :source-code: base/protocols/ldap/spicy-events.zeek 141 141
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Event generated when a plaintext LDAP connection switched to TLS.
+   
+
+   :param c: The connection.
+   
+
+.. _plugin-zeek-login:
+
+Zeek::Login
+-----------
+
+Telnet/Rsh/Rlogin analyzers
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS_RLOGIN`
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS_RSH`
+
+:zeek:enum:`Analyzer::ANALYZER_LOGIN`
+
+:zeek:enum:`Analyzer::ANALYZER_NVT`
+
+:zeek:enum:`Analyzer::ANALYZER_RLOGIN`
+
+:zeek:enum:`Analyzer::ANALYZER_RSH`
+
+:zeek:enum:`Analyzer::ANALYZER_TELNET`
+
+Events
+++++++
+
+.. zeek:id:: rsh_request
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 31 31
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, client_user: :zeek:type:`string`, server_user: :zeek:type:`string`, line: :zeek:type:`string`, new_session: :zeek:type:`bool`)
+
+   Generated for client side commands on an RSH connection.
+   
+   See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param client_user: The client-side user name as sent in the initial protocol
+         handshake.
+   
+
+   :param server_user: The server-side user name as sent in the initial protocol
+         handshake.
+   
+
+   :param line: The command line sent in the request.
+   
+
+   :param new_session: True if this is the first command of the Rsh session.
+   
+   .. zeek:see:: rsh_reply login_confused login_confused_text login_display
+      login_failure login_input_line login_output_line login_prompt login_success
+      login_terminal
+   
+   .. note:: For historical reasons, these events are separate from the
+      ``login_`` events. Ideally, they would all be handled uniquely.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: rsh_reply
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 59 59
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, client_user: :zeek:type:`string`, server_user: :zeek:type:`string`, line: :zeek:type:`string`)
+
+   Generated for client side commands on an RSH connection.
+   
+   See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param client_user: The client-side user name as sent in the initial protocol
+         handshake.
+   
+
+   :param server_user: The server-side user name as sent in the initial protocol
+         handshake.
+   
+
+   :param line: The command line sent in the request.
+   
+   .. zeek:see:: rsh_request login_confused login_confused_text login_display
+      login_failure login_input_line login_output_line login_prompt login_success
+      login_terminal
+   
+   .. note:: For historical reasons, these events are separate from the
+      ``login_`` events. Ideally, they would all be handled uniquely.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: login_failure
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 95 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, client_user: :zeek:type:`string`, password: :zeek:type:`string`, line: :zeek:type:`string`)
+
+   Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
+   Telnet/Rlogin sessions to heuristically extract username and password
+   information as well as the text returned by the login server. This event is
+   raised if a login attempt appears to have been unsuccessful.
+   
+
+   :param c: The connection.
+   
+
+   :param user: The user name tried.
+   
+
+   :param client_user: For Telnet connections, this is an empty string, but for Rlogin
+         connections, it is the client name passed in the initial authentication
+         information (to check against .rhosts).
+   
+
+   :param password:  The password tried.
+   
+
+   :param line:  The line of text that led the analyzer to conclude that the
+          authentication had failed.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_input_line
+      login_output_line login_prompt login_success login_terminal direct_login_prompts
+      get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
+      login_timeouts set_login_state
+   
+   .. note:: The login analyzer depends on a set of script-level variables that
+      need to be configured with patterns identifying login attempts. This
+      configuration has not yet been ported, and
+      the analyzer is therefore not directly usable at the moment.
+   
+   .. todo:: Zeeks's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_success
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 131 131
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, client_user: :zeek:type:`string`, password: :zeek:type:`string`, line: :zeek:type:`string`)
+
+   Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
+   Telnet/Rlogin sessions to heuristically extract username and password
+   information as well as the text returned by the login server. This event is
+   raised if a login attempt appears to have been successful.
+   
+
+   :param c: The connection.
+   
+
+   :param user: The user name used.
+   
+
+   :param client_user: For Telnet connections, this is an empty string, but for Rlogin
+         connections, it is the client name passed in the initial authentication
+         information (to check against .rhosts).
+   
+
+   :param password: The password used.
+   
+
+   :param line:  The line of text that led the analyzer to conclude that the
+          authentication had succeeded.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_input_line login_output_line login_prompt login_terminal
+      direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
+      login_prompts login_success_msgs login_timeouts set_login_state
+   
+   .. note:: The login analyzer depends on a set of script-level variables that
+      need to be configured with patterns identifying login attempts. This
+      configuration has not yet been ported, and
+      the analyzer is therefore not directly usable at the moment.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_input_line
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 149 149
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
+
+   Generated for lines of input on Telnet/Rlogin sessions. The line will have
+   control characters (such as in-band Telnet options) removed.
+   
+
+   :param c: The connection.
+   
+
+   :param line: The input line.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_output_line login_prompt login_success login_terminal    rsh_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_output_line
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 167 167
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
+
+   Generated for lines of output on Telnet/Rlogin sessions. The line will have
+   control characters (such as in-band Telnet options) removed.
+   
+
+   :param c: The connection.
+   
+
+   :param line: The output line.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_input_line  login_prompt login_success login_terminal rsh_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_confused
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 195 195
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`, line: :zeek:type:`string`)
+
+   Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
+   *login* analyzer uses a number of heuristics to extract authentication
+   information, it may become confused. If it can no longer correctly track
+   the authentication dialog, it raises this event.
+   
+
+   :param c: The connection.
+   
+
+   :param msg: Gives the particular problem the heuristics detected (for example,
+        ``multiple_login_prompts`` means that the engine saw several login
+        prompts in a row, without the type-ahead from the client side presumed
+        necessary to cause them)
+   
+
+   :param line: The line of text that caused the heuristics to conclude they were
+         confused.
+   
+   .. zeek:see::  login_confused_text login_display login_failure login_input_line login_output_line
+      login_prompt login_success login_terminal direct_login_prompts get_login_state
+      login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
+      login_timeouts set_login_state
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_confused_text
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 217 217
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
+
+   Generated after getting confused while tracking a Telnet/Rlogin
+   authentication dialog. The *login* analyzer generates this even for every
+   line of user input after it has reported :zeek:id:`login_confused` for a
+   connection.
+   
+
+   :param c: The connection.
+   
+
+   :param line: The line the user typed.
+   
+   .. zeek:see:: login_confused  login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal direct_login_prompts
+      get_login_state login_failure_msgs login_non_failure_msgs login_prompts
+      login_success_msgs login_timeouts set_login_state
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_terminal
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 235 235
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, terminal: :zeek:type:`string`)
+
+   Generated for clients transmitting a terminal type in a Telnet session.  This
+   information is extracted out of environment variables sent as Telnet options.
+   
+
+   :param c: The connection.
+   
+
+   :param terminal: The TERM value transmitted.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_input_line login_output_line login_prompt login_success
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_display
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 253 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, display: :zeek:type:`string`)
+
+   Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
+   information is extracted out of environment variables sent as Telnet options.
+   
+
+   :param c: The connection.
+   
+
+   :param display: The DISPLAY transmitted.
+   
+   .. zeek:see:: login_confused login_confused_text  login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: authentication_accepted
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 279 279
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`)
+
+   Generated when a Telnet authentication has been successful. The Telnet
+   protocol includes options for negotiating authentication. When such an
+   option is sent from client to server and the server replies that it accepts
+   the authentication, then the event engine generates this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param name: The authenticated name.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see::  authentication_rejected authentication_skipped login_success
+   
+   .. note::  This event inspects the corresponding Telnet option
+      while :zeek:id:`login_success` heuristically determines success by watching
+      session data.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: authentication_rejected
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 305 305
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`)
+
+   Generated when a Telnet authentication has been unsuccessful. The Telnet
+   protocol includes options for negotiating authentication. When such an option
+   is sent from client to server and the server replies that it did not accept
+   the authentication, then the event engine generates this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param name: The attempted authentication name.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: authentication_accepted authentication_skipped login_failure
+   
+   .. note::  This event inspects the corresponding Telnet option
+      while :zeek:id:`login_success` heuristically determines failure by watching
+      session data.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: authentication_skipped
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 330 330
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for Telnet/Rlogin sessions when a pattern match indicates
+   that no authentication is performed.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: authentication_accepted authentication_rejected direct_login_prompts
+      get_login_state login_failure_msgs login_non_failure_msgs login_prompts
+      login_success_msgs login_timeouts set_login_state
+   
+   .. note:: The login analyzer depends on a set of script-level variables that
+      need to be configured with patterns identifying activity. This
+      configuration has not yet been ported, and
+      the analyzer is therefore not directly usable at the moment.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_prompt
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 352 352
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, prompt: :zeek:type:`string`)
+
+   Generated for clients transmitting a terminal prompt in a Telnet session.
+   This information is extracted out of environment variables sent as Telnet
+   options.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param prompt: The TTYPROMPT transmitted.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_input_line login_output_line  login_success login_terminal
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: activating_encryption
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 367 367
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for Telnet sessions when encryption is activated. The Telnet
+   protocol includes options for negotiating encryption. When such a series of
+   options is successfully negotiated, the event engine generates this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: authentication_accepted authentication_rejected authentication_skipped
+      login_confused login_confused_text login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+
+.. zeek:id:: inconsistent_option
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 387 387
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for an inconsistent Telnet option. Telnet options are specified
+   by the client and server stating which options they are willing to
+   support vs. which they are not, and then instructing one another which in
+   fact they should or should not use for the current connection. If the event
+   engine sees a peer violate either what the other peer has instructed it to
+   do, or what it itself offered in terms of options in the past, then the
+   engine generates this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: bad_option bad_option_termination  authentication_accepted
+      authentication_rejected authentication_skipped login_confused
+      login_confused_text login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+
+.. zeek:id:: bad_option
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 407 407
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for an ill-formed or unrecognized Telnet option.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: inconsistent_option bad_option_termination authentication_accepted
+      authentication_rejected authentication_skipped login_confused
+      login_confused_text login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: bad_option_termination
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 427 427
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a Telnet option that's incorrectly terminated.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: inconsistent_option bad_option authentication_accepted
+      authentication_rejected authentication_skipped login_confused
+      login_confused_text login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+Functions
++++++++++
+
+.. zeek:id:: get_login_state
+   :source-code: base/bif/plugins/Zeek_Login.functions.bif.zeek 26 26
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`count`
+
+   Returns the state of the given login (Telnet or Rlogin) connection.
+   
+
+   :param cid: The connection ID.
+   
+
+   :returns: False if the connection is not active or is not tagged as a
+            login analyzer. Otherwise the function returns the state, which can
+            be one of:
+   
+                - ``LOGIN_STATE_AUTHENTICATE``: The connection is in its
+                  initial authentication dialog.
+                - ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has
+                  successfully authenticated.
+                - ``LOGIN_STATE_SKIP``: The analyzer has skipped any further
+                  processing of the connection.
+                - ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it
+                  does not correctly know the state of the connection, and/or
+                  the username associated with it.
+   
+   .. zeek:see:: set_login_state
+
+.. zeek:id:: set_login_state
+   :source-code: base/bif/plugins/Zeek_Login.functions.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, new_state: :zeek:type:`count`) : :zeek:type:`bool`
+
+   Sets the login state of a connection with a login analyzer.
+   
+
+   :param cid: The connection ID.
+   
+
+   :param new_state: The new state of the login analyzer. See
+              :zeek:id:`get_login_state` for possible values.
+   
+
+   :returns: Returns false if *cid* is not an active connection
+            or is not tagged as a login analyzer, and true otherwise.
+   
+   .. zeek:see:: get_login_state
+
+.. _plugin-zeek-mime:
+
+Zeek::MIME
+----------
+
+MIME parsing
+
+Components
+++++++++++
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: MIME::max_depth
+   :source-code: base/init-bare.zeek 3663 3663
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   Stop analysis of nested multipart MIME entities if this depth is
+   reached. Setting this value to 0 removes the limit.
+
+Events
+++++++
+
+.. zeek:id:: mime_begin_entity
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when starting to parse an email MIME entity. MIME is a
+   protocol-independent data format for encoding text and files, along with
+   corresponding metadata, for transmission. Zeek raises this event when it
+   begins parsing a MIME entity extracted from an email protocol.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: mime_all_data mime_all_headers  mime_content_hash mime_end_entity
+      mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
+      http_begin_entity
+   
+   .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_begin_entity` instead.
+
+.. zeek:id:: mime_end_entity
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 41 41
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when finishing parsing an email MIME entity.  MIME is a
+   protocol-independent data format for encoding text and files, along with
+   corresponding metadata, for transmission. Zeek raises this event when it
+   finished parsing a MIME entity extracted from an email protocol.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
+      http_end_entity
+   
+   .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_end_entity` instead.
+
+.. zeek:id:: mime_one_header
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 62 62
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, h: :zeek:type:`mime_header_rec`)
+
+   Generated for individual MIME headers extracted from email MIME
+   entities.  MIME is a protocol-independent data format for encoding text and
+   files, along with corresponding metadata, for transmission.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param h: The parsed MIME header.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event  mime_segment_data
+      http_header  http_all_headers
+   
+   .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_header` instead.
+
+.. zeek:id:: mime_all_headers
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 85 85
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hlist: :zeek:type:`mime_header_list`)
+
+   Generated for MIME headers extracted from email MIME entities, passing all
+   headers at once.  MIME is a protocol-independent data format for encoding
+   text and files, along with corresponding metadata, for transmission.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param hlist: A *table* containing all headers extracted from the current entity.
+          The table is indexed by the position of the header (1 for the first,
+          2 for the second, etc.).
+   
+   .. zeek:see:: mime_all_data  mime_begin_entity mime_content_hash mime_end_entity
+      mime_entity_data mime_event mime_one_header mime_segment_data
+      http_header  http_all_headers
+   
+   .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_header` instead.
+
+.. zeek:id:: mime_segment_data
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 114 114
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for chunks of decoded MIME data from email MIME entities.  MIME
+   is a protocol-independent data format for encoding text and files, along with
+   corresponding metadata, for transmission. As Zeek parses the data of an
+   entity, it raises a sequence of these events, each coming as soon as a new
+   chunk of data is available. In contrast, there is also
+   :zeek:id:`mime_entity_data`, which passes all of an entities data at once
+   in a single block. While the latter is more convenient to handle,
+   ``mime_segment_data`` is more efficient as Zeek does not need to buffer
+   the data. Thus, if possible, this event should be preferred.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param length: The length of *data*.
+   
+
+   :param data: The raw data of one segment of the current entity.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
+      mime_segment_length mime_segment_overlap_length
+   
+   .. note:: Zeek also extracts MIME data from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_entity_data` (sic!) instead.
+
+.. zeek:id:: mime_entity_data
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 140 140
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for data decoded from an email MIME entity. This event delivers
+   the complete content of a single MIME entity with the quoted-printable and
+   and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
+   which passes on a sequence of data chunks as they come in. While
+   ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
+   more efficient as Zeek does not need to buffer the data. Thus, if possible,
+   the latter should be preferred.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param length: The length of *data*.
+   
+
+   :param data: The raw data of the complete entity.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity  mime_event mime_one_header mime_segment_data
+   
+   .. note:: While Zeek also decodes MIME entities extracted from HTTP
+      sessions, there's no corresponding event for that currently.
+
+.. zeek:id:: mime_all_data
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 164 164
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for passing on all data decoded from a single email MIME
+   message. If an email message has more than one MIME entity, this event
+   combines all their data into a single value for analysis. Note that because
+   of the potentially significant buffering necessary, using this event can be
+   expensive.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param length: The length of *data*.
+   
+
+   :param data: The raw data of all MIME entities concatenated.
+   
+   .. zeek:see::  mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
+      mime_entity_data mime_event mime_one_header mime_segment_data
+   
+   .. note:: While Zeek also decodes MIME entities extracted from HTTP
+      sessions, there's no corresponding event for that currently.
+
+.. zeek:id:: mime_event
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 185 185
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, event_type: :zeek:type:`string`, detail: :zeek:type:`string`)
+
+   Generated for errors found when decoding email MIME entities.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param event_type: A string describing the general category of the problem found
+      (e.g., ``illegal format``).
+   
+
+   :param detail: Further more detailed description of the error.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data  mime_one_header mime_segment_data http_event
+   
+   .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_event` instead.
+
+.. zeek:id:: mime_content_hash
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 207 207
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, content_len: :zeek:type:`count`, hash_value: :zeek:type:`string`)
+
+   Generated for decoded MIME entities extracted from email messages, passing on
+   their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
+   each MIME entity.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param content_len: The length of the entity being hashed.
+   
+
+   :param hash_value: The MD5 hash.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
+      mime_entity_data mime_event mime_one_header mime_segment_data
+   
+   .. note:: While Zeek also decodes MIME entities extracted from HTTP
+      sessions, there's no corresponding event for that currently.
+
+.. _plugin-zeek-modbus:
+
+Zeek::Modbus
+------------
+
+Modbus analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_MODBUS`
+
+Events
+++++++
+
+.. zeek:id:: modbus_message
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 12 12
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, is_orig: :zeek:type:`bool`)
+
+   Generated for any Modbus message regardless if the particular function
+   is further supported or not.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+
+.. zeek:id:: modbus_exception
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 22 22
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, code: :zeek:type:`count`)
+
+   Generated for any Modbus exception message.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param code: The exception code.
+
+.. zeek:id:: modbus_read_coils_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus read coils request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first coil to be read.
+   
+
+   :param quantity: The number of coils to be read.
+
+.. zeek:id:: modbus_read_coils_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 44 44
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, coils: :zeek:type:`ModbusCoils`)
+
+   Generated for a Modbus read coils response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param coils: The coil values returned from the device.
+
+.. zeek:id:: modbus_read_discrete_inputs_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 56 56
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus read discrete inputs request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first coil to be read.
+   
+
+   :param quantity: The number of coils to be read.
+
+.. zeek:id:: modbus_read_discrete_inputs_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 66 66
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, coils: :zeek:type:`ModbusCoils`)
+
+   Generated for a Modbus read discrete inputs response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param coils: The coil values returned from the device.
+
+.. zeek:id:: modbus_read_holding_registers_request
+   :source-code: policy/protocols/modbus/track-memmap.zeek 62 65
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus read holding registers request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first register to be read.
+   
+
+   :param quantity: The number of registers to be read.
+
+.. zeek:id:: modbus_read_holding_registers_response
+   :source-code: policy/protocols/modbus/track-memmap.zeek 67 101
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read holding registers response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param registers: The register values returned from the device.
+
+.. zeek:id:: modbus_read_input_registers_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 100 100
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus read input registers request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first register to be read.
+   
+
+   :param quantity: The number of registers to be read.
+
+.. zeek:id:: modbus_read_input_registers_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 110 110
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read input registers response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param registers: The register values returned from the device.
+
+.. zeek:id:: modbus_write_single_coil_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 122 122
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`bool`)
+
+   Generated for a Modbus write single coil request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the coil to be written.
+   
+
+   :param value: The value to be written to the coil.
+
+.. zeek:id:: modbus_write_single_coil_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 134 134
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`bool`)
+
+   Generated for a Modbus write single coil response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the coil that was written.
+   
+
+   :param value: The value that was written to the coil.
+
+.. zeek:id:: modbus_write_single_register_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 146 146
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for a Modbus write single register request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the register to be written.
+   
+
+   :param value: The value to be written to the register.
+
+.. zeek:id:: modbus_write_single_register_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 158 158
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for a Modbus write single register response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the register that was written.
+   
+
+   :param value: The value that was written to the register.
+
+.. zeek:id:: modbus_write_multiple_coils_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 170 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, coils: :zeek:type:`ModbusCoils`)
+
+   Generated for a Modbus write multiple coils request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first coil to be written.
+   
+
+   :param coils: The values to be written to the coils.
+
+.. zeek:id:: modbus_write_multiple_coils_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 182 182
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus write multiple coils response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first coil that was written.
+   
+
+   :param quantity: The quantity of coils that were written.
+
+.. zeek:id:: modbus_write_multiple_registers_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 194 194
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus write multiple registers request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first register to be written.
+   
+
+   :param registers: The values to be written to the registers.
+
+.. zeek:id:: modbus_write_multiple_registers_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 206 206
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus write multiple registers response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first register that was written.
+   
+
+   :param quantity: The quantity of registers that were written.
+
+.. zeek:id:: modbus_read_file_record_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 218 218
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileRecordRequests`)
+
+   Generated for a Modbus read file record request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param byte_count: The full byte count for all of the reference records that follow.
+   
+
+   :param refs: A vector of reference records.
+
+.. zeek:id:: modbus_read_file_record_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 230 230
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileRecordResponses`)
+
+   Generated for a Modbus read file record response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param byte_count: The full byte count for all of the reference records that follow.
+   
+
+   :param refs: A vector of reference records.
+
+.. zeek:id:: modbus_write_file_record_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 242 242
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileReferences`)
+
+   Generated for a Modbus write file record request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param byte_count: The full byte count for all of the reference records that follow.
+   
+
+   :param refs: A vector of reference records.
+
+.. zeek:id:: modbus_write_file_record_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 254 254
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileReferences`)
+
+   Generated for a Modbus write file record response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param byte_count: The full byte count for all of the reference records that follow.
+   
+
+   :param refs: A vector of reference records.
+
+.. zeek:id:: modbus_mask_write_register_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 268 268
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, and_mask: :zeek:type:`count`, or_mask: :zeek:type:`count`)
+
+   Generated for a Modbus mask write register request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the register where the masks should be applied.
+   
+
+   :param and_mask: The value of the logical AND mask to apply to the register.
+   
+
+   :param or_mask: The value of the logical OR mask to apply to the register.
+
+.. zeek:id:: modbus_mask_write_register_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 282 282
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, and_mask: :zeek:type:`count`, or_mask: :zeek:type:`count`)
+
+   Generated for a Modbus mask write register request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the register where the masks were applied.
+   
+
+   :param and_mask: The value of the logical AND mask applied register.
+   
+
+   :param or_mask: The value of the logical OR mask applied to the register.
+
+.. zeek:id:: modbus_read_write_multiple_registers_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 298 298
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, read_start_address: :zeek:type:`count`, read_quantity: :zeek:type:`count`, write_start_address: :zeek:type:`count`, write_registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read/write multiple registers request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param read_start_address: The memory address of the first register to be read.
+   
+
+   :param read_quantity: The number of registers to read.
+   
+
+   :param write_start_address: The memory address of the first register to be written.
+   
+
+   :param write_registers: The values to be written to the registers.
+
+.. zeek:id:: modbus_read_write_multiple_registers_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 309 309
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, written_registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read/write multiple registers response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param written_registers: The register values read from the registers specified in
+                      the request.
+
+.. zeek:id:: modbus_read_fifo_queue_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 319 319
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`)
+
+   Generated for a Modbus read FIFO queue request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The address of the FIFO queue to read.
+
+.. zeek:id:: modbus_read_fifo_queue_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 329 329
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, fifos: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read FIFO queue response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param fifos: The register values read from the FIFO queue on the device.
+
+.. zeek:id:: modbus_diagnostics_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 341 341
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, subfunction: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for a Modbus Diagnostics request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param subfunction: The subfunction for the diagnostics request.
+   
+
+   :param data: The data passed in the diagnostics request.
+
+.. zeek:id:: modbus_diagnostics_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 353 353
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, subfunction: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for a Modbus Diagnostics response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param subfunction: The subfunction for the diagnostics response.
+   
+
+   :param data: The data passed in the diagnostics response.
+
+.. zeek:id:: modbus_encap_interface_transport_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 365 365
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, mei_type: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for a Modbus Encapsulated Interface Transport request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param mei_type: The MEI type for the request.
+   
+
+   :param data: The MEI type specific data passed in the request.
+
+.. zeek:id:: modbus_encap_interface_transport_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 377 377
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, mei_type: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for a Modbus Encapsulated Interface Transport response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param mei_type: The MEI type for the response.
+   
+
+   :param data: The MEI type specific data passed in the response.
+
+.. _plugin-zeek-mqtt:
+
+Zeek::MQTT
+----------
+
+Message Queuing Telemetry Transport v3.1.1 Protocol analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_MQTT`
+
+Types
++++++
+
+.. zeek:type:: MQTT::ConnectMsg
+   :source-code: base/init-bare.zeek 5936 5966
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: protocol_name :zeek:type:`string`
+
+      Protocol name
+
+
+   .. zeek:field:: protocol_version :zeek:type:`count`
+
+      Protocol version
+
+
+   .. zeek:field:: client_id :zeek:type:`string`
+
+      Identifies the Client to the Server.
+
+
+   .. zeek:field:: keep_alive :zeek:type:`interval`
+
+      The maximum time interval that is permitted to elapse between the
+      point at which the Client finishes transmitting one Control Packet
+      and the point it starts sending the next.
+
+
+   .. zeek:field:: clean_session :zeek:type:`bool`
+
+      The clean_session flag indicates if the server should or shouldn't
+      use a clean session or use existing previous session state.
+
+
+   .. zeek:field:: will_retain :zeek:type:`bool`
+
+      Specifies if the Will Message is to be retained when it is published.
+
+
+   .. zeek:field:: will_qos :zeek:type:`count`
+
+      Specifies the QoS level to be used when publishing the Will Message.
+
+
+   .. zeek:field:: will_topic :zeek:type:`string` :zeek:attr:`&optional`
+
+      Topic to publish the Will message to.
+
+
+   .. zeek:field:: will_msg :zeek:type:`string` :zeek:attr:`&optional`
+
+      The actual Will message to publish.
+
+
+   .. zeek:field:: username :zeek:type:`string` :zeek:attr:`&optional`
+
+      Username to use for authentication to the server.
+
+
+   .. zeek:field:: password :zeek:type:`string` :zeek:attr:`&optional`
+
+      Pass to use for authentication to the server.
+
+
+
+.. zeek:type:: MQTT::ConnectAckMsg
+   :source-code: base/init-bare.zeek 5968 5977
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: return_code :zeek:type:`count`
+
+      Return code from the connack message
+
+
+   .. zeek:field:: session_present :zeek:type:`bool`
+
+      The Session present flag helps the client
+      establish whether the Client and Server
+      have a consistent view about whether there
+      is already stored Session state.
+
+
+
+.. zeek:type:: MQTT::PublishMsg
+   :source-code: base/init-bare.zeek 5979 6001
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dup :zeek:type:`bool`
+
+      Indicates if this is the first attempt at publishing the message.
+
+
+   .. zeek:field:: qos :zeek:type:`count`
+
+      Indicates what level of QoS is enabled for this message.
+
+
+   .. zeek:field:: retain :zeek:type:`bool`
+
+      Indicates if the server should retain this message so that clients
+      subscribing to the topic in the future will receive this message
+      automatically.
+
+
+   .. zeek:field:: topic :zeek:type:`string`
+
+      Name of the topic the published message is directed into.
+
+
+   .. zeek:field:: payload :zeek:type:`string`
+
+      Payload of the published message.
+
+
+   .. zeek:field:: payload_len :zeek:type:`count`
+
+      The actual length of the payload in the case the *payload*
+      field's contents were truncated according to
+      :zeek:see:`MQTT::max_payload_size`.
+
+
+
+Events
+++++++
+
+.. zeek:id:: mqtt_connect
+   :source-code: base/protocols/mqtt/main.zeek 177 188
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`MQTT::ConnectMsg`)
+
+   Generated for MQTT "client requests a connection" messages
+   
+
+   :param c: The connection
+   
+
+   :param msg: MQTT connect message fields.
+
+.. zeek:id:: mqtt_connack
+   :source-code: base/protocols/mqtt/main.zeek 190 197
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`MQTT::ConnectAckMsg`)
+
+   Generated for MQTT acknowledge connection messages
+   
+
+   :param c: The connection
+   
+
+   :param msg: MQTT connect ack message fields.
+
+.. zeek:id:: mqtt_publish
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 27 27
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`, msg: :zeek:type:`MQTT::PublishMsg`)
+
+   Generated for MQTT publish messages
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg: The MQTT publish message record.
+
+.. zeek:id:: mqtt_puback
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT publish acknowledgement messages
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_pubrec
+   :source-code: base/protocols/mqtt/main.zeek 257 266
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT publish received messages (QoS 2 publish received, part 1)
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_pubrel
+   :source-code: base/protocols/mqtt/main.zeek 268 277
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT publish release messages (QoS 2 publish received, part 2)
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_pubcomp
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 67 67
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT publish complete messages (QoS 2 publish received, part 3)
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_subscribe
+   :source-code: base/protocols/mqtt/main.zeek 306 318
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, topics: :zeek:type:`string_vec`, requested_qos: :zeek:type:`index_vec`)
+
+   Generated for MQTT subscribe messages
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+   
+
+   :param topics: The topics being subscribed to
+   
+
+   :param requested_qos: The desired QoS option associated with each topic.
+
+.. zeek:id:: mqtt_suback
+   :source-code: base/protocols/mqtt/main.zeek 320 333
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, granted_qos: :zeek:type:`count`)
+
+   Generated for MQTT subscribe messages
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_unsubscribe
+   :source-code: base/protocols/mqtt/main.zeek 335 346
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, topics: :zeek:type:`string_vec`)
+
+   Generated for MQTT unsubscribe messages sent by the client
+   
+
+   :param c: The connection
+   
+
+   :param msg_id: The id value for the message.
+   
+
+   :param topics: The topics being unsubscribed from
+
+.. zeek:id:: mqtt_unsuback
+   :source-code: base/protocols/mqtt/main.zeek 348 360
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT unsubscribe acknowledgements sent by the server
+   
+
+   :param c: The connection
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_pingreq
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 115 115
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for MQTT ping requests sent by the client.
+   
+
+   :param c: The connection
+
+.. zeek:id:: mqtt_pingresp
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 121 121
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for MQTT ping responses sent by the server.
+   
+
+   :param c: The connection
+
+.. zeek:id:: mqtt_disconnect
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 127 127
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.
+   
+
+   :param c: The connection
+
+.. _plugin-zeek-mysql:
+
+Zeek::MySQL
+-----------
+
+MySQL analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_MYSQL`
+
+Events
+++++++
+
+.. zeek:id:: mysql_command_request
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 16 16
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`count`, arg: :zeek:type:`string`)
+
+   Generated for a command request from a MySQL client.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param command: The numerical code of the command issued.
+   
+
+   :param arg: The argument for the command (empty string if not provided).
+   
+   .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_change_user
+   :source-code: base/protocols/mysql/main.zeek 87 90
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, username: :zeek:type:`string`)
+
+   Generated for a change user command from a MySQL client.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param username: The username supplied by the client
+   
+   .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_error
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 44 44
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`, msg: :zeek:type:`string`)
+
+   Generated for an unsuccessful MySQL response.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param code: The error code.
+   
+
+   :param msg: Any extra details about the error (empty string if not provided).
+   
+   .. zeek:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_ok
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 57 57
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, affected_rows: :zeek:type:`count`)
+
+   Generated for a successful MySQL response.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param affected_rows: The number of rows that were affected.
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_eof
+   :source-code: base/protocols/mysql/main.zeek 120 137
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_intermediate: :zeek:type:`bool`)
+
+   Generated for a MySQL EOF packet.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_intermediate: True if this is an EOF packet between the column definition and the rows, false if a final EOF.
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_result_row
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 83 83
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, row: :zeek:type:`string_vec`)
+
+   Generated for each MySQL ResultsetRow response packet.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param row: The result row data.
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
+
+.. zeek:id:: mysql_server_version
+   :source-code: policy/protocols/mysql/software.zeek 14 20
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, ver: :zeek:type:`string`)
+
+   Generated for the initial server handshake packet, which includes the MySQL server version.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param ver: The server version string.
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
+
+.. zeek:id:: mysql_handshake
+   :source-code: base/protocols/mysql/main.zeek 52 65
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, username: :zeek:type:`string`)
+
+   Generated for a client handshake response packet, which includes the username the client is attempting
+   to connect as.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param username: The username supplied by the client
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version mysql_ssl_request
+
+.. zeek:id:: mysql_ssl_request
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 122 122
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a short client handshake response packet with the CLIENT_SSL
+   flag set. Usually the client will initiate a TLS handshake afterwards.
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: mysql_handshake
+
+.. zeek:id:: mysql_auth_plugin
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 138 138
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for information about plugin authentication within handshake packets.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if this is from the client, false if from the server.
+   
+
+   :param name: Name of the authentication plugin.
+   
+
+   :param data: The initial auth data. From the server, it is the concatenation of
+         auth_plugin_data_part_1 and auth_plugin_data_part_2 in the handshake.
+         For the client it is the auth_response in the handshake response.
+   
+   .. zeek:see:: mysql_handshake mysql_auth_switch_request mysql_auth_more_data
+
+.. zeek:id:: mysql_auth_switch_request
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 150 150
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for a server packet with an auth switch request.
+   
+
+   :param c: The connection.
+   
+
+   :param name: The plugin name.
+   
+
+   :param data: Initial authentication data for the plugin.
+   
+   .. zeek:see:: mysql_handshake mysql_auth_more_data
+
+.. zeek:id:: mysql_auth_more_data
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 166 166
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for opaque authentication data exchanged between client and server
+   after the client's handshake packet, but before the server replied with
+   an OK_Packet
+   
+   Data is specific to the plugin auth mechanism used by client and server.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if this is from the client, false if from the server.
+   
+
+   :param data: More authentication data.
+   
+   .. zeek:see:: mysql_handshake mysql_auth_switch_request
+
+.. _plugin-zeek-ncp:
+
+Zeek::NCP
+---------
+
+NCP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS_NCP`
+
+:zeek:enum:`Analyzer::ANALYZER_NCP`
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: NCP::max_frame_size
+   :source-code: base/init-bare.zeek 5755 5755
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``65536``
+
+   The maximum number of bytes to allocate when parsing NCP frames.
+
+Events
+++++++
+
+.. zeek:id:: ncp_request
+   :source-code: base/bif/plugins/Zeek_NCP.events.bif.zeek 23 23
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, frame_type: :zeek:type:`count`, length: :zeek:type:`count`, func: :zeek:type:`count`)
+
+   Generated for NCP requests (Netware Core Protocol).
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
+   more information about the NCP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param frame_type: The frame type, as specified by the protocol.
+   
+
+   :param length: The length of the request body, excluding the frame header.
+   
+
+   :param func: The requested function, as specified by the protocol.
+   
+   .. zeek:see:: ncp_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: ncp_reply
+   :source-code: base/bif/plugins/Zeek_NCP.events.bif.zeek 49 49
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, frame_type: :zeek:type:`count`, length: :zeek:type:`count`, req_frame: :zeek:type:`count`, req_func: :zeek:type:`count`, completion_code: :zeek:type:`count`)
+
+   Generated for NCP replies (Netware Core Protocol).
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
+   more information about the NCP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param frame_type: The frame type, as specified by the protocol.
+   
+
+   :param length: The length of the request body, excluding the frame header.
+   
+
+   :param req_frame: The frame type from the corresponding request.
+   
+
+   :param req_func: The function code from the corresponding request.
+   
+
+   :param completion_code: The reply's completion code, as specified by the protocol.
+   
+   .. zeek:see:: ncp_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. _plugin-zeek-netbios:
+
+Zeek::NetBIOS
+-------------
+
+NetBIOS analyzer support
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS_NETBIOSSSN`
+
+:zeek:enum:`Analyzer::ANALYZER_NETBIOSSSN`
+
+Events
+++++++
+
+.. zeek:id:: netbios_session_message
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_type: :zeek:type:`count`, data_len: :zeek:type:`count`)
+
+   Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
+   processes the NetBIOS session service running on TCP port 139, and (despite
+   its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param is_orig:  True if the message was sent by the originator of the connection.
+   
+
+   :param msg_type: The general type of message, as defined in Section 4.3.1 of
+             :rfc:`1002`.
+   
+
+   :param data_len: The length of the message's payload.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_raw_message netbios_session_rejected netbios_session_request
+      netbios_session_ret_arg_resp  decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_request
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 63 63
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
+   analyzer processes the NetBIOS session service running on TCP port 139, and
+   (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_message netbios_session_raw_message netbios_session_rejected
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_accepted
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *positive session response*. Zeek's
+   NetBIOS analyzer processes the NetBIOS session service running on TCP port
+   139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see::  netbios_session_keepalive netbios_session_message
+      netbios_session_raw_message netbios_session_rejected netbios_session_request
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_rejected
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 121 121
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *negative session response*. Zeek's
+   NetBIOS analyzer processes the NetBIOS session service running on TCP port
+   139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_message netbios_session_raw_message netbios_session_request
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_raw_message
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 157 157
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *session message* that are not
+   carrying an SMB payload.
+   
+   NetBIOS analyzer processes the NetBIOS session service running on TCP port
+   139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param is_orig: True if the message was sent by the originator of the connection.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header (i.e., the ``user_data``).
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_message netbios_session_rejected netbios_session_request
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: This is an oddly named event. In fact, it's probably an odd event
+      to have to begin with.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_ret_arg_resp
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 188 188
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
+   analyzer processes the NetBIOS session service running on TCP port 139, and
+   (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_message netbios_session_raw_message netbios_session_rejected
+      netbios_session_request decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: This is an oddly named event.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_keepalive
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 217 217
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
+   processes the NetBIOS session service running on TCP port 139, and (despite
+   its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_message
+      netbios_session_raw_message netbios_session_rejected netbios_session_request
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+Functions
++++++++++
+
+.. zeek:id:: decode_netbios_name
+   :source-code: base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek 16 16
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Decode a NetBIOS name.  See https://jeffpar.github.io/kbarchive/kb/194/Q194203/.
+   
+
+   :param name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``.
+   
+
+   :returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAM"``.  An empty
+            string is returned if the argument is not a valid NetBIOS encoding
+            (though an encoding that would decode to something that includes
+            only null-bytes or space-characters also yields an empty string).
+   
+   .. zeek:see:: decode_netbios_name_type
+
+.. zeek:id:: decode_netbios_name_type
+   :source-code: base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek 27 27
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`count`
+
+   Converts a NetBIOS name type to its corresponding numeric value.
+   See https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_Suffixes.
+   
+
+   :param name: An encoded NetBIOS name.
+   
+
+   :returns: The numeric value of *name* or 256 if it's not a valid encoding.
+   
+   .. zeek:see:: decode_netbios_name
+
+.. _plugin-zeek-ntlm:
+
+Zeek::NTLM
+----------
+
+NTLM analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_NTLM`
+
+Types
++++++
+
+.. zeek:type:: NTLM::Negotiate
+   :source-code: base/init-bare.zeek 3921 3930
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`NTLM::NegotiateFlags`
+
+      The negotiate flags
+
+
+   .. zeek:field:: domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The domain name of the client, if known
+
+
+   .. zeek:field:: workstation :zeek:type:`string` :zeek:attr:`&optional`
+
+      The machine name of the client, if known
+
+
+   .. zeek:field:: version :zeek:type:`NTLM::Version` :zeek:attr:`&optional`
+
+      The Windows version information, if supplied
+
+
+
+.. zeek:type:: NTLM::Challenge
+   :source-code: base/init-bare.zeek 3958 3972
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`NTLM::NegotiateFlags`
+
+      The negotiate flags
+
+
+   .. zeek:field:: challenge :zeek:type:`count`
+
+      A 64-bit value that contains the NTLM challenge.
+
+
+   .. zeek:field:: target_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The server authentication realm. If the server is
+      domain-joined, the name of the domain. Otherwise
+      the server name. See flags.target_type_domain
+      and flags.target_type_server
+
+
+   .. zeek:field:: version :zeek:type:`NTLM::Version` :zeek:attr:`&optional`
+
+      The Windows version information, if supplied
+
+
+   .. zeek:field:: target_info :zeek:type:`NTLM::AVs` :zeek:attr:`&optional`
+
+      Attribute-value pairs specified by the server
+
+
+
+.. zeek:type:: NTLM::Authenticate
+   :source-code: base/init-bare.zeek 3974 3989
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`NTLM::NegotiateFlags`
+
+      The negotiate flags
+
+
+   .. zeek:field:: domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The domain or computer name hosting the account
+
+
+   .. zeek:field:: user_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The name of the user to be authenticated.
+
+
+   .. zeek:field:: workstation :zeek:type:`string` :zeek:attr:`&optional`
+
+      The name of the computer to which the user was logged on.
+
+
+   .. zeek:field:: session_key :zeek:type:`string` :zeek:attr:`&optional`
+
+      The session key
+
+
+   .. zeek:field:: version :zeek:type:`NTLM::Version` :zeek:attr:`&optional`
+
+      The Windows version information, if supplied
+
+
+   .. zeek:field:: response :zeek:type:`string` :zeek:attr:`&optional`
+
+      The client's response for the challenge
+
+
+
+.. zeek:type:: NTLM::NegotiateFlags
+   :source-code: base/init-bare.zeek 3866 3919
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: negotiate_56 :zeek:type:`bool`
+
+      If set, requires 56-bit encryption
+
+
+   .. zeek:field:: negotiate_key_exch :zeek:type:`bool`
+
+      If set, requests an explicit key exchange
+
+
+   .. zeek:field:: negotiate_128 :zeek:type:`bool`
+
+      If set, requests 128-bit session key negotiation
+
+
+   .. zeek:field:: negotiate_version :zeek:type:`bool`
+
+      If set, requests the protocol version number
+
+
+   .. zeek:field:: negotiate_target_info :zeek:type:`bool`
+
+      If set, indicates that the TargetInfo fields in the
+      CHALLENGE_MESSAGE are populated
+
+
+   .. zeek:field:: request_non_nt_session_key :zeek:type:`bool`
+
+      If set, requests the usage of the LMOWF function
+
+
+   .. zeek:field:: negotiate_identify :zeek:type:`bool`
+
+      If set, requests and identify level token
+
+
+   .. zeek:field:: negotiate_extended_sessionsecurity :zeek:type:`bool`
+
+      If set, requests usage of NTLM v2 session security
+      Note: NTLM v2 session security is actually NTLM v1
+
+
+   .. zeek:field:: target_type_server :zeek:type:`bool`
+
+      If set, TargetName must be a server name
+
+
+   .. zeek:field:: target_type_domain :zeek:type:`bool`
+
+      If set, TargetName must be a domain name
+
+
+   .. zeek:field:: negotiate_always_sign :zeek:type:`bool`
+
+      If set, requests the presence of a signature block
+      on all messages
+
+
+   .. zeek:field:: negotiate_oem_workstation_supplied :zeek:type:`bool`
+
+      If set, the workstation name is provided
+
+
+   .. zeek:field:: negotiate_oem_domain_supplied :zeek:type:`bool`
+
+      If set, the domain name is provided
+
+
+   .. zeek:field:: negotiate_anonymous_connection :zeek:type:`bool`
+
+      If set, the connection should be anonymous
+
+
+   .. zeek:field:: negotiate_ntlm :zeek:type:`bool`
+
+      If set, requests usage of NTLM v1
+
+
+   .. zeek:field:: negotiate_lm_key :zeek:type:`bool`
+
+      If set, requests LAN Manager session key computation
+
+
+   .. zeek:field:: negotiate_datagram :zeek:type:`bool`
+
+      If set, requests connectionless authentication
+
+
+   .. zeek:field:: negotiate_seal :zeek:type:`bool`
+
+      If set, requests session key negotiation for message
+      confidentiality
+
+
+   .. zeek:field:: negotiate_sign :zeek:type:`bool`
+
+      If set, requests session key negotiation for message
+      signatures
+
+
+   .. zeek:field:: request_target :zeek:type:`bool`
+
+      If set, the TargetName field is present
+
+
+   .. zeek:field:: negotiate_oem :zeek:type:`bool`
+
+      If set, requests OEM character set encoding
+
+
+   .. zeek:field:: negotiate_unicode :zeek:type:`bool`
+
+      If set, requests Unicode character set encoding
+
+
+
+.. zeek:type:: NTLM::Version
+   :source-code: base/init-bare.zeek 3855 3864
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: major :zeek:type:`count`
+
+      The major version of the Windows operating system in use
+
+
+   .. zeek:field:: minor :zeek:type:`count`
+
+      The minor version of the Windows operating system in use
+
+
+   .. zeek:field:: build :zeek:type:`count`
+
+      The build number of the Windows operating system in use
+
+
+   .. zeek:field:: ntlmssp :zeek:type:`count`
+
+      The current revision of NTLMSSP in use
+
+
+
+.. zeek:type:: NTLM::AVs
+   :source-code: base/init-bare.zeek 3932 3956
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nb_computer_name :zeek:type:`string`
+
+      The server's NetBIOS computer name
+
+
+   .. zeek:field:: nb_domain_name :zeek:type:`string`
+
+      The server's NetBIOS domain name
+
+
+   .. zeek:field:: dns_computer_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The FQDN of the computer
+
+
+   .. zeek:field:: dns_domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The FQDN of the domain
+
+
+   .. zeek:field:: dns_tree_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The FQDN of the forest
+
+
+   .. zeek:field:: constrained_auth :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Indicates to the client that the account
+      authentication is constrained
+
+
+   .. zeek:field:: timestamp :zeek:type:`time` :zeek:attr:`&optional`
+
+      The associated timestamp, if present
+
+
+   .. zeek:field:: single_host_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      Indicates that the client is providing
+      a machine ID created at computer startup to
+      identify the calling machine
+
+
+   .. zeek:field:: target_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The SPN of the target server
+
+
+
+Events
+++++++
+
+.. zeek:id:: ntlm_negotiate
+   :source-code: base/protocols/ntlm/main.zeek 64 67
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, negotiate: :zeek:type:`NTLM::Negotiate`)
+
+   Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
+   
+
+   :param c: The connection.
+   
+
+   :param negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
+   
+   .. zeek:see:: ntlm_challenge ntlm_authenticate
+
+.. zeek:id:: ntlm_challenge
+   :source-code: base/protocols/ntlm/main.zeek 69 83
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, challenge: :zeek:type:`NTLM::Challenge`)
+
+   Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
+   
+
+   :param c: The connection.
+   
+
+   :param negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
+   
+   .. zeek:see:: ntlm_negotiate ntlm_authenticate
+
+.. zeek:id:: ntlm_authenticate
+   :source-code: base/protocols/ntlm/main.zeek 85 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, request: :zeek:type:`NTLM::Authenticate`)
+
+   Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
+   
+
+   :param c: The connection.
+   
+
+   :param request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
+   
+   .. zeek:see:: ntlm_negotiate ntlm_challenge
+
+.. _plugin-zeek-ntp:
+
+Zeek::NTP
+---------
+
+NTP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_NTP`
+
+Types
++++++
+
+.. zeek:type:: NTP::StandardMessage
+   :source-code: base/init-bare.zeek 5764 5817
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: stratum :zeek:type:`count`
+
+      This value mainly identifies the type of server (primary server,
+      secondary server, etc.). Possible values, as in :rfc:`5905`, are:
+      
+        * 0 -> unspecified or invalid
+        * 1 -> primary server (e.g., equipped with a GPS receiver)
+        * 2-15 -> secondary server (via NTP)
+        * 16 -> unsynchronized
+        * 17-255 -> reserved
+      
+      For stratum 0, a *kiss_code* can be given for debugging and
+      monitoring.
+
+
+   .. zeek:field:: poll :zeek:type:`interval`
+
+      The maximum interval between successive messages.
+
+
+   .. zeek:field:: precision :zeek:type:`interval`
+
+      The precision of the system clock.
+
+
+   .. zeek:field:: root_delay :zeek:type:`interval`
+
+      Root delay. The total round-trip delay to the reference clock.
+
+
+   .. zeek:field:: root_disp :zeek:type:`interval`
+
+      Root Dispersion. The total dispersion to the reference clock.
+
+
+   .. zeek:field:: kiss_code :zeek:type:`string` :zeek:attr:`&optional`
+
+      For stratum 0, four-character ASCII string used for debugging and
+      monitoring. Values are defined in :rfc:`1345`.
+
+
+   .. zeek:field:: ref_id :zeek:type:`string` :zeek:attr:`&optional`
+
+      Reference ID. For stratum 1, this is the ID assigned to the
+      reference clock by IANA.
+      For example: GOES, GPS, GAL, etc. (see :rfc:`5905`)
+
+
+   .. zeek:field:: ref_addr :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Above stratum 1, when using IPv4, the IP address of the reference
+      clock.  Note that the NTP protocol did not originally specify a
+      large enough field to represent IPv6 addresses, so they use
+      the first four bytes of the MD5 hash of the reference clock's
+      IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
+
+
+   .. zeek:field:: ref_time :zeek:type:`time`
+
+      Reference timestamp. Time when the system clock was last set or
+      correct.
+
+
+   .. zeek:field:: org_time :zeek:type:`time`
+
+      Origin timestamp. Time at the client when the request departed for
+      the NTP server.
+
+
+   .. zeek:field:: rec_time :zeek:type:`time`
+
+      Receive timestamp. Time at the server when the request arrived from
+      the NTP client.
+
+
+   .. zeek:field:: xmt_time :zeek:type:`time`
+
+      Transmit timestamp. Time at the server when the response departed
+
+
+   .. zeek:field:: key_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      Key used to designate a secret MD5 key.
+
+
+   .. zeek:field:: digest :zeek:type:`string` :zeek:attr:`&optional`
+
+      MD5 hash computed over the key followed by the NTP packet header and
+      extension fields.
+
+
+   .. zeek:field:: num_exts :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Number of extension fields (which are not currently parsed).
+
+
+   NTP standard message as defined in :rfc:`5905` for modes 1-5
+   This record contains the standard fields used by the NTP protocol
+   for standard synchronization operations.
+
+.. zeek:type:: NTP::ControlMessage
+   :source-code: base/init-bare.zeek 5822 5856
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: op_code :zeek:type:`count`
+
+      An integer specifying the command function. Values currently defined:
+      
+      * 1 read status command/response
+      * 2 read variables command/response
+      * 3 write variables command/response
+      * 4 read clock variables command/response
+      * 5 write clock variables command/response
+      * 6 set trap address/port command/response
+      * 7 trap response
+      
+      Other values are reserved.
+
+
+   .. zeek:field:: resp_bit :zeek:type:`bool`
+
+      The response bit. Set to zero for commands, one for responses.
+
+
+   .. zeek:field:: err_bit :zeek:type:`bool`
+
+      The error bit. Set to zero for normal response, one for error
+      response.
+
+
+   .. zeek:field:: more_bit :zeek:type:`bool`
+
+      The more bit. Set to zero for last fragment, one for all others.
+
+
+   .. zeek:field:: sequence :zeek:type:`count`
+
+      The sequence number of the command or response.
+
+
+   .. zeek:field:: status :zeek:type:`count`
+
+      The current status of the system, peer or clock.
+
+
+   .. zeek:field:: association_id :zeek:type:`count`
+
+      A 16-bit integer identifying a valid association.
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      Message data for the command or response + Authenticator (optional).
+
+
+   .. zeek:field:: key_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      This is an integer identifying the cryptographic
+      key used to generate the message-authentication code.
+
+
+   .. zeek:field:: crypto_checksum :zeek:type:`string` :zeek:attr:`&optional`
+
+      This is a crypto-checksum computed by the encryption procedure.
+
+
+   NTP control message as defined in :rfc:`1119` for mode=6
+   This record contains the fields used by the NTP protocol
+   for control operations.
+
+.. zeek:type:: NTP::Mode7Message
+   :source-code: base/init-bare.zeek 5865 5898
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: req_code :zeek:type:`count`
+
+      An implementation-specific code which specifies the
+      operation to be (which has been) performed and/or the
+      format and semantics of the data included in the packet.
+
+
+   .. zeek:field:: auth_bit :zeek:type:`bool`
+
+      The authenticated bit. If set, this packet is authenticated.
+
+
+   .. zeek:field:: sequence :zeek:type:`count`
+
+      For a multipacket response, contains the sequence
+      number of this packet.  0 is the first in the sequence,
+      127 (or less) is the last.  The More Bit must be set in
+      all packets but the last.
+
+
+   .. zeek:field:: implementation :zeek:type:`count`
+
+      The number of the implementation this request code
+      is defined by.  An implementation number of zero is used
+      for request codes/data formats which all implementations
+      agree on.  Implementation number 255 is reserved (for
+      extensions, in case we run out).
+
+
+   .. zeek:field:: err :zeek:type:`count`
+
+      Must be 0 for a request.  For a response, holds an error
+      code relating to the request.  If nonzero, the operation
+      requested wasn't performed.
+      
+        * 0 - no error
+        * 1 - incompatible implementation number
+        * 2 - unimplemented request code
+        * 3 - format error (wrong data items, data size, packet size etc.)
+        * 4 - no data available (e.g. request for details on unknown peer)
+        * 5 - unknown
+        * 6 - unknown
+        * 7 - authentication failure (i.e. permission denied)
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      Rest of data
+
+
+   NTP mode 7 message. Note that this is not defined in any RFC and is
+   implementation dependent. We used the official implementation from the
+   `NTP official project <https://www.ntp.org>`_.  A mode 7 packet is used
+   exchanging data between an NTP server and a client for purposes other
+   than time synchronization, e.g.  monitoring, statistics gathering and
+   configuration.  For details see the documentation from the `NTP official
+   project <https://www.ntp.org>`_, code v. ntp-4.2.8p13, in include/ntp_request.h.
+
+.. zeek:type:: NTP::Message
+   :source-code: base/init-bare.zeek 5903 5930
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      The NTP version number (1, 2, 3, 4).
+
+
+   .. zeek:field:: mode :zeek:type:`count`
+
+      The NTP mode being used. Possible values are:
+      
+        * 1 - symmetric active
+        * 2 - symmetric passive
+        * 3 - client
+        * 4 - server
+        * 5 - broadcast
+        * 6 - NTP control message
+        * 7 - reserved for private use
+
+
+   .. zeek:field:: std_msg :zeek:type:`NTP::StandardMessage` :zeek:attr:`&optional`
+
+      If mode 1-5, the standard fields for synchronization operations are
+      here.  See :rfc:`5905`
+
+
+   .. zeek:field:: control_msg :zeek:type:`NTP::ControlMessage` :zeek:attr:`&optional`
+
+      If mode 6, the fields for control operations are here.
+      See :rfc:`1119`
+
+
+   .. zeek:field:: mode7_msg :zeek:type:`NTP::Mode7Message` :zeek:attr:`&optional`
+
+      If mode 7, the fields for extra operations are here.
+      Note that this is not defined in any RFC
+      and is implementation dependent. We used the official implementation
+      from the `NTP official project <https://www.ntp.org>`_.
+      A mode 7 packet is used exchanging data between an NTP server
+      and a client for purposes other than time synchronization, e.g.
+      monitoring, statistics gathering and configuration.
+
+
+   NTP message as defined in :rfc:`5905`.  Does include fields for mode 7,
+   reserved for private use in :rfc:`5905`, but used in some implementation
+   for commands such as "monlist".
+
+Events
+++++++
+
+.. zeek:id:: ntp_message
+   :source-code: base/bif/plugins/Zeek_NTP.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`NTP::Message`)
+
+   Generated for all NTP messages. Different from many other of Zeek's events,
+   this one is generated for both client-side and server-side messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
+   more information about the NTP protocol.
+   
+
+   :param c: The connection record describing the corresponding UDP flow.
+   
+
+   :param is_orig: True if the message was sent by the originator.
+   
+
+   :param msg: The parsed NTP message.
+
+.. _plugin-zeek-pia:
+
+Zeek::PIA
+---------
+
+Analyzers implementing Dynamic Protocol
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_PIA_TCP`
+
+:zeek:enum:`Analyzer::ANALYZER_PIA_UDP`
+
+.. _plugin-zeek-pop3:
+
+Zeek::POP3
+----------
+
+POP3 analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_POP3`
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: POP3::max_pending_commands
+   :source-code: base/init-bare.zeek 3798 3798
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   How many commands a POP3 client may have pending
+   before Zeek forcefully removes the oldest.
+   
+   Setting this value to 0 removes the limit.
+
+.. zeek:id:: POP3::max_unknown_client_commands
+   :source-code: base/init-bare.zeek 3804 3804
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   How many invalid commands a POP3 client may use
+   before Zeek starts raising analyzer violations.
+   
+   Setting this value to 0 removes the limit.
+
+Events
+++++++
+
+.. zeek:id:: pop3_request
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 25 25
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
+
+   Generated for client-side commands on POP3 connections.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param command: The command sent.
+   
+
+   :param arg: The argument to the command.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+      pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_reply
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 52 52
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, cmd: :zeek:type:`string`, msg: :zeek:type:`string`)
+
+   Generated for server-side replies to commands on POP3 connections.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param cmd: The success indicator sent by the server. This corresponds to the
+        first token on the line sent, and should be either ``OK`` or ``ERR``.
+   
+
+   :param msg: The textual description the server sent along with *cmd*.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
+      pop3_unexpected
+   
+   .. todo:: This event is receiving odd parameters, should unify.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_data
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 76 76
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for server-side multi-line responses on POP3 connections. POP3
+   connections use multi-line responses to send bulk data, such as the actual
+   mails. This event is generated once for each line that's part of such a
+   response.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the data was sent by the originator of the TCP connection.
+   
+
+   :param data: The data sent.
+   
+   .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
+      pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_unexpected
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 100 100
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`, detail: :zeek:type:`string`)
+
+   Generated for errors encountered on POP3 sessions. If the POP3 analyzer
+   finds state transitions that do not conform to the protocol specification,
+   or other situations it can't handle, it raises this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the data was sent by the originator of the TCP connection.
+   
+
+   :param msg: A textual description of the situation.
+   
+
+   :param detail: The input that triggered the event.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_starttls
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 120 120
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a POP3 connection goes encrypted. While POP3 is by default a
+   clear-text protocol, extensions exist to switch to encryption. This event is
+   generated if that happens and the analyzer then stops processing the
+   connection.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+      pop3_request pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_login_success
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 144 144
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
+
+   Generated for successful authentications on POP3 connections.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Always false.
+   
+
+   :param user: The user name used for authentication. The event is only generated if
+         a non-empty user name was used.
+   
+
+   :param password: The password used for authentication.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
+      pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_login_failure
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 168 168
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
+
+   Generated for unsuccessful authentications on POP3 connections.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Always false.
+   
+
+   :param user: The user name attempted for authentication. The event is only
+         generated if a non-empty user name was used.
+   
+
+   :param password: The password attempted for authentication.
+   
+   .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
+      pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. _plugin-zeek-quic:
+
+Zeek::QUIC
+----------
+
+QUIC analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_QUIC`
+
+Events
+++++++
+
+.. zeek:id:: QUIC::initial_packet
+   :source-code: base/protocols/quic/main.zeek 136 140
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC Initial packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+.. zeek:id:: QUIC::retry_packet
+   :source-code: base/protocols/quic/main.zeek 155 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, retry_token: :zeek:type:`string`, retry_integrity_tag: :zeek:type:`string`)
+
+   Generated for a QUIC Retry packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+   :param retry_token: The Retry Token field.
+   
+
+   :param integrity_tag: The Retry Integrity Tag field.
+
+.. zeek:id:: QUIC::handshake_packet
+   :source-code: base/protocols/quic/main.zeek 142 146
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC Handshake packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+.. zeek:id:: QUIC::zero_rtt_packet
+   :source-code: base/protocols/quic/main.zeek 148 152
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC 0-RTT packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+.. zeek:id:: QUIC::connection_close_frame
+   :source-code: base/protocols/quic/main.zeek 182 192
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, error_code: :zeek:type:`count`, reason_phrase: :zeek:type:`string`)
+
+   Generated for a QUIC CONNECTION_CLOSE frame.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+   :param error_code: Count indicating the reason for closing this connection.
+   
+
+   :param reason_phrase: Additional diagnostic information for the closure.
+   
+   .. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
+
+.. zeek:id:: QUIC::unhandled_version
+   :source-code: base/protocols/quic/main.zeek 168 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for an unrecognized QUIC version.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+.. _plugin-zeek-radius:
+
+Zeek::RADIUS
+------------
+
+RADIUS analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_RADIUS`
+
+Types
++++++
+
+.. zeek:type:: RADIUS::AttributeList
+   :source-code: base/init-bare.zeek 5150 5150
+
+   :Type: :zeek:type:`vector` of :zeek:type:`string`
+
+
+.. zeek:type:: RADIUS::Attributes
+   :source-code: base/init-bare.zeek 5151 5151
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`RADIUS::AttributeList`
+
+
+.. zeek:type:: RADIUS::Message
+   :source-code: base/init-bare.zeek 5153 5162
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: code :zeek:type:`count`
+
+      The type of message (Access-Request, Access-Accept, etc.).
+
+
+   .. zeek:field:: trans_id :zeek:type:`count`
+
+      The transaction ID.
+
+
+   .. zeek:field:: authenticator :zeek:type:`string`
+
+      The "authenticator" string.
+
+
+   .. zeek:field:: attributes :zeek:type:`RADIUS::Attributes` :zeek:attr:`&optional`
+
+      Any attributes.
+
+
+
+Events
+++++++
+
+.. zeek:id:: radius_message
+   :source-code: base/bif/plugins/Zeek_RADIUS.events.bif.zeek 13 13
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`RADIUS::Message`)
+
+   Generated for RADIUS messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
+   information about RADIUS.
+   
+
+   :param c: The connection.
+   
+
+   :param result: A record containing fields parsed from a RADIUS packet.
+   
+
+.. zeek:id:: radius_attribute
+   :source-code: base/bif/plugins/Zeek_RADIUS.events.bif.zeek 27 27
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, attr_type: :zeek:type:`count`, value: :zeek:type:`string`)
+
+   Generated for each RADIUS attribute.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
+   information about RADIUS.
+   
+
+   :param c: The connection.
+   
+
+   :param attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.).
+   
+
+   :param value: The data/value bound to the attribute.
+   
+
+.. _plugin-zeek-rdp:
+
+Zeek::RDP
+---------
+
+RDP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_RDP`
+
+:zeek:enum:`Analyzer::ANALYZER_RDPEUDP`
+
+Types
++++++
+
+.. zeek:type:: RDP::EarlyCapabilityFlags
+   :source-code: base/init-bare.zeek 5168 5178
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: support_err_info_pdu :zeek:type:`bool`
+
+
+   .. zeek:field:: want_32bpp_session :zeek:type:`bool`
+
+
+   .. zeek:field:: support_statusinfo_pdu :zeek:type:`bool`
+
+
+   .. zeek:field:: strong_asymmetric_keys :zeek:type:`bool`
+
+
+   .. zeek:field:: support_monitor_layout_pdu :zeek:type:`bool`
+
+
+   .. zeek:field:: support_netchar_autodetect :zeek:type:`bool`
+
+
+   .. zeek:field:: support_dynvc_gfx_protocol :zeek:type:`bool`
+
+
+   .. zeek:field:: support_dynamic_time_zone :zeek:type:`bool`
+
+
+   .. zeek:field:: support_heartbeat_pdu :zeek:type:`bool`
+
+
+
+.. zeek:type:: RDP::ClientCoreData
+   :source-code: base/init-bare.zeek 5180 5201
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version_major :zeek:type:`count`
+
+
+   .. zeek:field:: version_minor :zeek:type:`count`
+
+
+   .. zeek:field:: desktop_width :zeek:type:`count`
+
+
+   .. zeek:field:: desktop_height :zeek:type:`count`
+
+
+   .. zeek:field:: color_depth :zeek:type:`count`
+
+
+   .. zeek:field:: sas_sequence :zeek:type:`count`
+
+
+   .. zeek:field:: keyboard_layout :zeek:type:`count`
+
+
+   .. zeek:field:: client_build :zeek:type:`count`
+
+
+   .. zeek:field:: client_name :zeek:type:`string`
+
+
+   .. zeek:field:: keyboard_type :zeek:type:`count`
+
+
+   .. zeek:field:: keyboard_sub :zeek:type:`count`
+
+
+   .. zeek:field:: keyboard_function_key :zeek:type:`count`
+
+
+   .. zeek:field:: ime_file_name :zeek:type:`string`
+
+
+   .. zeek:field:: post_beta2_color_depth :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: client_product_id :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: serial_number :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: high_color_depth :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: supported_color_depths :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: ec_flags :zeek:type:`RDP::EarlyCapabilityFlags` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: dig_product_id :zeek:type:`string` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: RDP::ClientSecurityData
+   :source-code: base/init-bare.zeek 5205 5217
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: encryption_methods :zeek:type:`count`
+
+      Cryptographic encryption methods supported by the client and used in
+      conjunction with Standard RDP Security.  Known flags:
+      
+      - 0x00000001: support for 40-bit session encryption keys
+      - 0x00000002: support for 128-bit session encryption keys
+      - 0x00000008: support for 56-bit session encryption keys
+      - 0x00000010: support for FIPS compliant encryption and MAC methods
+
+
+   .. zeek:field:: ext_encryption_methods :zeek:type:`count`
+
+      Only used in French locale and designates the encryption method.  If
+      non-zero, then encryption_methods should be set to 0.
+
+
+   The TS_UD_CS_SEC data block contains security-related information used
+   to advertise client cryptographic support.
+
+.. zeek:type:: RDP::ClientClusterData
+   :source-code: base/init-bare.zeek 5253 5272
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      Cluster information flags.
+
+
+   .. zeek:field:: redir_session_id :zeek:type:`count`
+
+      If the *redir_sessionid_field_valid* flag is set, this field
+      contains a valid session identifier to which the client requests
+      to connect.
+
+
+   .. zeek:field:: redir_supported :zeek:type:`bool`
+
+      The client can receive server session redirection packets.
+      If this flag is set, the *svr_session_redir_version_mask*
+      field MUST contain the server session redirection version that
+      the client supports.
+
+
+   .. zeek:field:: svr_session_redir_version_mask :zeek:type:`count`
+
+      The server session redirection version that the client supports.
+
+
+   .. zeek:field:: redir_sessionid_field_valid :zeek:type:`bool`
+
+      Whether the *redir_session_id* field identifies a session on
+      the server to associate with the connection.
+
+
+   .. zeek:field:: redir_smartcard :zeek:type:`bool`
+
+      The client logged on with a smart card.
+
+
+   The TS_UD_CS_CLUSTER data block is sent by the client to the server
+   either to advertise that it can support the Server Redirection PDUs
+   or to request a connection to a given session identifier.
+
+.. zeek:type:: RDP::ClientChannelList
+   :source-code: base/init-bare.zeek 5275 5275
+
+   :Type: :zeek:type:`vector` of :zeek:type:`RDP::ClientChannelDef`
+
+   The list of channels requested by the client.
+
+.. zeek:type:: RDP::ClientChannelDef
+   :source-code: base/init-bare.zeek 5220 5248
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      A unique name for the channel
+
+
+   .. zeek:field:: options :zeek:type:`count`
+
+      Channel Def raw options as count
+
+
+   .. zeek:field:: initialized :zeek:type:`bool`
+
+      Absence of this flag indicates that this channel is
+      a placeholder and that the server MUST NOT set it up.
+
+
+   .. zeek:field:: encrypt_rdp :zeek:type:`bool`
+
+      Unused, must be ignored by the server.
+
+
+   .. zeek:field:: encrypt_sc :zeek:type:`bool`
+
+      Unused, must be ignored by the server.
+
+
+   .. zeek:field:: encrypt_cs :zeek:type:`bool`
+
+      Unused, must be ignored by the server.
+
+
+   .. zeek:field:: pri_high :zeek:type:`bool`
+
+      Channel data must be sent with high MCS priority.
+
+
+   .. zeek:field:: pri_med :zeek:type:`bool`
+
+      Channel data must be sent with medium MCS priority.
+
+
+   .. zeek:field:: pri_low :zeek:type:`bool`
+
+      Channel data must be sent with low MCS priority.
+
+
+   .. zeek:field:: compress_rdp :zeek:type:`bool`
+
+      Virtual channel data must be compressed if RDP data is being compressed.
+
+
+   .. zeek:field:: compress :zeek:type:`bool`
+
+      Virtual channel data must be compressed.
+
+
+   .. zeek:field:: show_protocol :zeek:type:`bool`
+
+      Ignored by the server.
+
+
+   .. zeek:field:: persistent :zeek:type:`bool`
+
+      Channel must be persistent across remote control transactions.
+
+
+   Name and flags for a single channel requested by the client.
+
+Events
+++++++
+
+.. zeek:id:: rdpeudp_syn
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 7 7
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for RDPEUDP SYN UDP Datagram
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+
+.. zeek:id:: rdpeudp_synack
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 13 13
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for RDPEUDP SYNACK UDP Datagram
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+
+.. zeek:id:: rdpeudp_established
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`)
+
+   Generated when RDPEUDP connections are established (both sides SYN)
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param version: Whether the connection is RDPEUDP1 or RDPEUDP2
+
+.. zeek:id:: rdpeudp_data
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated when for data messages exchanged after a RDPEUDP connection establishes
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param is_orig: Whether the data was sent by the originator or responder of the connection.
+   
+
+   :param version: Whether the connection is RDPEUDP1 or RDPEUDP2
+   
+
+   :param data: The payload of the packet. This is probably very non-performant.
+
+.. zeek:id:: rdp_native_encrypted_data
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 43 43
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, len: :zeek:type:`count`)
+
+   Generated for each packet after RDP native encryption begins
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param orig: True if the packet was sent by the originator of the connection.
+   
+
+   :param len: The length of the encrypted data.
+
+.. zeek:id:: rdp_connect_request
+   :source-code: base/protocols/rdp/main.zeek 166 171
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`, flags: :zeek:type:`count`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`)
+
+   Generated for X.224 client requests.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param cookie: The cookie included in the request; empty if no cookie was provided.
+   
+
+   :param flags: The flags set by the client.
+
+.. zeek:id:: rdp_negotiation_response
+   :source-code: base/protocols/rdp/main.zeek 173 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`, flags: :zeek:type:`count`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`)
+
+   Generated for RDP Negotiation Response messages.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param security_protocol: The security protocol selected by the server.
+   
+
+   :param flags: The flags set by the server.
+
+.. zeek:id:: rdp_negotiation_failure
+   :source-code: base/protocols/rdp/main.zeek 180 185
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, failure_code: :zeek:type:`count`, flags: :zeek:type:`count`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, failure_code: :zeek:type:`count`)
+
+   Generated for RDP Negotiation Failure messages.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param failure_code: The failure code sent by the server.
+   
+
+   :param flags: The flags set by the server.
+
+.. zeek:id:: rdp_client_core_data
+   :source-code: base/protocols/rdp/main.zeek 187 213
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientCoreData`)
+
+   Generated for MCS client requests.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param data: The data contained in the client core data structure.
+
+.. zeek:id:: rdp_client_security_data
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 95 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientSecurityData`)
+
+   Generated for client security data packets.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param data: The data contained in the client security data structure.
+
+.. zeek:id:: rdp_client_network_data
+   :source-code: base/protocols/rdp/main.zeek 215 228
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, channels: :zeek:type:`RDP::ClientChannelList`)
+
+   Generated for Client Network Data (TS_UD_CS_NET) packets
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param channels: The channels that were requested
+
+.. zeek:id:: rdp_client_cluster_data
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 111 111
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientClusterData`)
+
+   Generated for client cluster data packets.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param data: The data contained in the client security data structure.
+
+.. zeek:id:: rdp_gcc_server_create_response
+   :source-code: base/protocols/rdp/main.zeek 230 235
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`count`)
+
+   Generated for MCS server responses.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param result: The 8-bit integer representing the GCC Conference Create Response result.
+
+.. zeek:id:: rdp_server_security
+   :source-code: base/protocols/rdp/main.zeek 237 243
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, encryption_method: :zeek:type:`count`, encryption_level: :zeek:type:`count`)
+
+   Generated for MCS server responses.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param encryption_method: The 32-bit integer representing the encryption method used in the connection.
+   
+
+   :param encryption_level: The 32-bit integer representing the encryption level used in the connection.
+
+.. zeek:id:: rdp_server_certificate
+   :source-code: base/protocols/rdp/main.zeek 245 257
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cert_type: :zeek:type:`count`, permanently_issued: :zeek:type:`bool`)
+
+   Generated for a server certificate section.  If multiple X.509 
+   certificates are included in chain, this event will still
+   only be generated a single time.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param cert_type: Indicates the type of certificate.
+   
+
+   :param permanently_issued: Value will be true is the certificate(s) is permanent on the server.
+
+.. zeek:id:: rdp_begin_encryption
+   :source-code: base/protocols/rdp/main.zeek 259 269
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`)
+
+   Generated when an RDP session becomes encrypted.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param security_protocol: The security protocol being used for the session.
+
+.. _plugin-zeek-rfb:
+
+Zeek::RFB
+---------
+
+Parser for rfb (VNC) analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_RFB`
+
+Events
+++++++
+
+.. zeek:id:: rfb_authentication_type
+   :source-code: base/protocols/rfb/main.zeek 131 136
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, authtype: :zeek:type:`count`)
+
+   Generated for RFB event authentication mechanism selection
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param authtype: the value of the chosen authentication mechanism
+
+.. zeek:id:: rfb_auth_result
+   :source-code: base/protocols/rfb/main.zeek 152 155
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`bool`)
+
+   Generated for RFB event authentication result message
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param result: whether or not authentication was successful
+
+.. zeek:id:: rfb_share_flag
+   :source-code: base/protocols/rfb/main.zeek 157 160
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, flag: :zeek:type:`bool`)
+
+   Generated for RFB event share flag messages
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param flag: whether or not the share flag was set
+
+.. zeek:id:: rfb_client_version
+   :source-code: base/protocols/rfb/main.zeek 117 122
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_version: :zeek:type:`string`, minor_version: :zeek:type:`string`)
+
+   Generated for RFB event client banner message
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param version: of the client's rfb library
+
+.. zeek:id:: rfb_server_version
+   :source-code: base/protocols/rfb/main.zeek 124 129
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_version: :zeek:type:`string`, minor_version: :zeek:type:`string`)
+
+   Generated for RFB event server banner message
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param version: of the server's rfb library
+
+.. zeek:id:: rfb_server_parameters
+   :source-code: base/bif/plugins/Zeek_RFB.events.bif.zeek 53 53
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, width: :zeek:type:`count`, height: :zeek:type:`count`)
+
+   Generated for RFB event server parameter message
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param name: name of the shared screen
+   
+
+   :param width: width of the shared screen
+   
+
+   :param height: height of the shared screen
+
+.. _plugin-zeek-rpc:
+
+Zeek::RPC
+---------
+
+Analyzers for RPC-based protocols
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS_NFS`
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS_RPC`
+
+:zeek:enum:`Analyzer::ANALYZER_MOUNT`
+
+:zeek:enum:`Analyzer::ANALYZER_NFS`
+
+:zeek:enum:`Analyzer::ANALYZER_PORTMAPPER`
+
+Events
+++++++
+
+.. zeek:id:: nfs_proc_null
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 25 25
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *null*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented  nfs_proc_read nfs_proc_readdir nfs_proc_readlink
+      nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_getattr
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 54 54
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, fh: :zeek:type:`string`, attrs: :zeek:type:`NFS3::fattr_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *getattr*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param fh: TODO.
+   
+
+   :param attrs: The attributes returned in the reply. The values may not be valid if
+         the request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create  nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply file_mode
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_sattr
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 83 83
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::sattrargs_t`, rep: :zeek:type:`NFS3::sattr_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *sattr*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The attributes returned in the reply. The values may not be
+        valid if the request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create  nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply file_mode
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_lookup
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 112 112
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::lookup_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *lookup*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr  nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_read
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 141 141
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::readargs_t`, rep: :zeek:type:`NFS3::read_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *read*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir
+      nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
+      NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_readlink
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 170 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, fh: :zeek:type:`string`, rep: :zeek:type:`NFS3::readlink_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *readlink*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param fh: The file handle passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_symlink
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 199 199
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::symlinkargs_t`, rep: :zeek:type:`NFS3::newobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *symlink*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The attributes returned in the reply. The values may not be
+        valid if the request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create  nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_link
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 228 228
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::linkargs_t`, rep: :zeek:type:`NFS3::link_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *link*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+      nfs_proc_symlink rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_write
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 258 258
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::writeargs_t`, rep: :zeek:type:`NFS3::write_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *write*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir  nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
+      NFS3::return_data_max
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_create
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 287 287
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::newobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *create*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see::  nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_mkdir
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 316 316
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::newobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_remove
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 345 345
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::delobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *remove*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink  nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_rmdir
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 374 374
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::delobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove  nfs_proc_write nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_rename
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 403 403
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::renameopargs_t`, rep: :zeek:type:`NFS3::renameobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *rename*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
+      nfs_reply_status rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_readdir
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 432 432
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::readdirargs_t`, rep: :zeek:type:`NFS3::readdir_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink
+      nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_not_implemented
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 456 456
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, proc: :zeek:type:`NFS3::proc_t`)
+
+   Generated for NFSv3 request/reply dialogues of a type that Zeek's NFSv3
+   analyzer does not implement.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param proc: The procedure called that Zeek does not implement.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
+      nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_reply_status
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 475 475
+
+   :Type: :zeek:type:`event` (n: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`)
+
+   Generated for each NFSv3 reply message received, reporting just the
+   status included.
+   
+
+   :param n: The connection.
+   
+
+   :param info: Reports the status included in the reply.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_null
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 495 495
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`)
+
+   Generated for Portmapper requests of type *null*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+   .. zeek:see:: pm_request_set pm_request_unset pm_request_getport
+      pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
+      pm_attempt_unset pm_attempt_getport pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_set
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 521 521
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, m: :zeek:type:`pm_mapping`, success: :zeek:type:`bool`)
+
+   Generated for Portmapper request/reply dialogues of type *set*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param m: The argument to the request.
+   
+
+   :param success: True if the request was successful, according to the corresponding
+            reply. If no reply was seen, this will be false once the request
+            times out.
+   
+   .. zeek:see:: pm_request_null pm_request_unset pm_request_getport
+      pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
+      pm_attempt_unset pm_attempt_getport pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_unset
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 547 547
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, m: :zeek:type:`pm_mapping`, success: :zeek:type:`bool`)
+
+   Generated for Portmapper request/reply dialogues of type *unset*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param m: The argument to the request.
+   
+
+   :param success: True if the request was successful, according to the corresponding
+            reply. If no reply was seen, this will be false once the request
+            times out.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_getport
+      pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
+      pm_attempt_unset pm_attempt_getport pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_getport
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 571 571
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, pr: :zeek:type:`pm_port_request`, p: :zeek:type:`port`)
+
+   Generated for Portmapper request/reply dialogues of type *getport*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param pr: The argument to the request.
+   
+
+   :param p: The port returned by the server.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
+      pm_attempt_unset pm_attempt_getport pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_dump
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 594 594
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, m: :zeek:type:`pm_mappings`)
+
+   Generated for Portmapper request/reply dialogues of type *dump*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param m: The mappings returned by the server.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_callit pm_attempt_null
+      pm_attempt_set pm_attempt_unset pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_callit
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 619 619
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, call: :zeek:type:`pm_callit_request`, p: :zeek:type:`port`)
+
+   Generated for Portmapper request/reply dialogues of type *callit*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param call: The argument to the request.
+   
+
+   :param p: The port value returned by the call.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_attempt_null
+      pm_attempt_set pm_attempt_unset pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_null
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 643 643
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`)
+
+   Generated for failed Portmapper requests of type *null*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_set pm_attempt_unset pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_set
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 669 669
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`, m: :zeek:type:`pm_mapping`)
+
+   Generated for failed Portmapper requests of type *set*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param m: The argument to the original request.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_unset pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_unset
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 695 695
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`, m: :zeek:type:`pm_mapping`)
+
+   Generated for failed Portmapper requests of type *unset*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param m: The argument to the original request.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_getport
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 720 720
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`, pr: :zeek:type:`pm_port_request`)
+
+   Generated for failed Portmapper requests of type *getport*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param pr: The argument to the original request.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_dump
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 744 744
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`)
+
+   Generated for failed Portmapper requests of type *dump*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_unset
+      pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_callit
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 770 770
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`, call: :zeek:type:`pm_callit_request`)
+
+   Generated for failed Portmapper requests of type *callit*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param call: The argument to the original request.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_unset
+      pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_bad_port
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 796 796
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, bad_p: :zeek:type:`count`)
+
+   Generated for Portmapper requests or replies that include an invalid port
+   number. Since ports are represented by unsigned 4-byte integers, they can
+   stray outside the allowed range of 0--65535 by being >= 65536. If so, this
+   event is generated.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param bad_p: The invalid port value.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_unset
+      pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: rpc_dialogue
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 833 833
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, prog: :zeek:type:`count`, ver: :zeek:type:`count`, proc: :zeek:type:`count`, status: :zeek:type:`rpc_status`, start_time: :zeek:type:`time`, call_len: :zeek:type:`count`, reply_len: :zeek:type:`count`)
+
+   Generated for RPC request/reply *pairs*. The RPC analyzer associates request
+   and reply by their transaction identifiers and raises this event once both
+   have been seen. If there's not a reply, this event will still be generated
+   eventually on timeout. In that case, *status* will be set to
+   :zeek:enum:`RPC_TIMEOUT`.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+   about the ONC RPC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param prog: The remote program to call.
+   
+
+   :param ver: The version of the remote program to call.
+   
+
+   :param proc: The procedure of the remote program to call.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param start_time: The time when the *call* was seen.
+   
+
+   :param call_len: The size of the *call_body* PDU.
+   
+
+   :param reply_len: The size of the *reply_body* PDU.
+   
+   .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+      dce_rpc_response rpc_timeout
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: rpc_call
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 861 861
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, xid: :zeek:type:`count`, prog: :zeek:type:`count`, ver: :zeek:type:`count`, proc: :zeek:type:`count`, call_len: :zeek:type:`count`)
+
+   Generated for RPC *call* messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+   about the ONC RPC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param xid: The transaction identifier allowing to match requests with replies.
+   
+
+   :param prog: The remote program to call.
+   
+
+   :param ver: The version of the remote program to call.
+   
+
+   :param proc: The procedure of the remote program to call.
+   
+
+   :param call_len: The size of the *call_body* PDU.
+   
+   .. zeek:see::  rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+      dce_rpc_response rpc_timeout
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: rpc_reply
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 886 886
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, xid: :zeek:type:`count`, status: :zeek:type:`rpc_status`, reply_len: :zeek:type:`count`)
+
+   Generated for RPC *reply* messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+   about the ONC RPC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param xid: The transaction identifier allowing to match requests with replies.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param reply_len: The size of the *reply_body* PDU.
+   
+   .. zeek:see:: rpc_call rpc_dialogue  dce_rpc_bind dce_rpc_message dce_rpc_request
+      dce_rpc_response rpc_timeout
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: mount_proc_null
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 905 905
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`)
+
+   Generated for MOUNT3 request/reply dialogues of type *null*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   MOUNT is a service running on top of RPC.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_proc_mnt
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 929 929
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`, req: :zeek:type:`MOUNT3::dirmntargs_t`, rep: :zeek:type:`MOUNT3::mnt_reply_t`)
+
+   Generated for MOUNT3 request/reply dialogues of type *mnt*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   MOUNT is a service running on top of RPC.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_proc_umnt
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 950 950
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`, req: :zeek:type:`MOUNT3::dirmntargs_t`)
+
+   Generated for MOUNT3 request/reply dialogues of type *umnt*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   MOUNT is a service running on top of RPC.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_proc_umnt_all
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 971 971
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`, req: :zeek:type:`MOUNT3::dirmntargs_t`)
+
+   Generated for MOUNT3 request/reply dialogues of type *umnt_all*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   MOUNT is a service running on top of RPC.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_proc_not_implemented
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 990 990
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`, proc: :zeek:type:`MOUNT3::proc_t`)
+
+   Generated for MOUNT3 request/reply dialogues of a type that Zeek's MOUNTv3
+   analyzer does not implement.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param proc: The procedure called that Zeek does not implement.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_reply_status
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 1007 1007
+
+   :Type: :zeek:type:`event` (n: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`)
+
+   Generated for each MOUNT3 reply message received, reporting just the
+   status included.
+   
+
+   :param n: The connection.
+   
+
+   :param info: Reports the status included in the reply.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. _plugin-zeek-sip:
+
+Zeek::SIP
+---------
+
+SIP analyzer UDP-only
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_SIP`
+
+Events
+++++++
+
+.. zeek:id:: sip_request
+   :source-code: base/protocols/sip/main.zeek 170 179
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, method: :zeek:type:`string`, original_URI: :zeek:type:`string`, version: :zeek:type:`string`)
+
+   Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
+   
+   This event is generated as soon as a request's initial line has been parsed.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param method: The :abbr:`SIP (Session Initiation Protocol)` method extracted from the request (e.g., ``REGISTER``, ``NOTIFY``).
+   
+
+   :param original_URI: The unprocessed URI as specified in the request.
+   
+
+   :param version: The version number specified in the request (e.g., ``2.0``).
+   
+   .. zeek:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity
+
+.. zeek:id:: sip_reply
+   :source-code: base/protocols/sip/main.zeek 181 191
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
+
+   Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
+   
+   This event is generated as soon as a reply's initial line has been parsed.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param version: The :abbr:`SIP (Session Initiation Protocol)` version in use.
+   
+
+   :param code: The response code.
+   
+
+   :param reason: Textual details for the response code.
+   
+   .. zeek:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity
+
+.. zeek:id:: sip_header
+   :source-code: base/protocols/sip/main.zeek 193 273
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Whether the header came from the originator.
+   
+
+   :param name: Header name.
+   
+
+   :param value: Header value.
+   
+   .. zeek:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity
+
+.. zeek:id:: sip_all_headers
+   :source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 71 71
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, hlist: :zeek:type:`mime_header_list`)
+
+   Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Whether the headers came from the originator.
+   
+
+   :param hlist: All the headers, and their values
+   
+   .. zeek:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity
+
+.. zeek:id:: sip_begin_entity
+   :source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 86 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
+   
+   This event is generated as soon as a message's initial line has been parsed.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Whether the message came from the originator.
+   
+   .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity
+
+.. zeek:id:: sip_end_entity
+   :source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 99 99
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Whether the message came from the originator.
+   
+   .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity
+
+.. _plugin-zeek-smb:
+
+Zeek::SMB
+---------
+
+SMB analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS_SMB`
+
+:zeek:enum:`Analyzer::ANALYZER_SMB`
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: SMB::pipe_filenames
+   :source-code: base/init-bare.zeek 4024 4024
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+   :Redefinition: from :doc:`/scripts/base/protocols/smb/consts.zeek`
+
+      ``=``::
+
+         spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds
+
+
+   A set of file names used as named pipes over SMB. This
+   only comes into play as a heuristic to identify named
+   pipes when the drive mapping wasn't seen by Zeek.
+   
+   .. zeek:see:: smb_pipe_connect_heuristic
+
+.. zeek:id:: SMB::max_pending_messages
+   :source-code: base/init-bare.zeek 4034 4034
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   The maximum number of messages for which to retain state
+   about offsets, fids, or tree ids within the parser. When
+   the limit is reached, internal parser state is discarded
+   and :zeek:see:`smb2_discarded_messages_state` raised.
+   
+   Setting this to zero will disable the functionality.
+   
+   .. zeek:see:: smb2_discarded_messages_state
+
+.. zeek:id:: SMB::max_dce_rpc_analyzers
+   :source-code: base/init-bare.zeek 4040 4040
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   Maximum number of DCE-RPC analyzers per connection
+   before discarding them to avoid unbounded state growth.
+   
+   .. zeek:see:: smb_discarded_dce_rpc_analyzers
+
+Types
++++++
+
+.. zeek:type:: SMB1::NegotiateResponse
+   :source-code: base/init-bare.zeek 4214 4223
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: core :zeek:type:`SMB1::NegotiateResponseCore` :zeek:attr:`&optional`
+
+      If the server does not understand any of the dialect strings, or if
+      PC NETWORK PROGRAM 1.0 is the chosen dialect.
+
+
+   .. zeek:field:: lanman :zeek:type:`SMB1::NegotiateResponseLANMAN` :zeek:attr:`&optional`
+
+      If the chosen dialect is greater than core up to and including
+      LANMAN 2.1.
+
+
+   .. zeek:field:: ntlm :zeek:type:`SMB1::NegotiateResponseNTLM` :zeek:attr:`&optional`
+
+      If the chosen dialect is NT LM 0.12.
+
+
+
+.. zeek:type:: SMB1::NegotiateResponseCore
+   :source-code: base/init-bare.zeek 4143 4146
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dialect_index :zeek:type:`count`
+
+      Index of selected dialect
+
+
+
+.. zeek:type:: SMB1::NegotiateResponseLANMAN
+   :source-code: base/init-bare.zeek 4148 4174
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: word_count :zeek:type:`count`
+
+      Count of parameter words (should be 13)
+
+
+   .. zeek:field:: dialect_index :zeek:type:`count`
+
+      Index of selected dialect
+
+
+   .. zeek:field:: security_mode :zeek:type:`SMB1::NegotiateResponseSecurity`
+
+      Security mode
+
+
+   .. zeek:field:: max_buffer_size :zeek:type:`count`
+
+      Max transmit buffer size (>= 1024)
+
+
+   .. zeek:field:: max_mpx_count :zeek:type:`count`
+
+      Max pending multiplexed requests
+
+
+   .. zeek:field:: max_number_vcs :zeek:type:`count`
+
+      Max number of virtual circuits (VCs - transport-layer connections)
+      between client and server
+
+
+   .. zeek:field:: raw_mode :zeek:type:`SMB1::NegotiateRawMode`
+
+      Raw mode
+
+
+   .. zeek:field:: session_key :zeek:type:`count`
+
+      Unique token identifying this session
+
+
+   .. zeek:field:: server_time :zeek:type:`time`
+
+      Current date and time at server
+
+
+   .. zeek:field:: encryption_key :zeek:type:`string`
+
+      The challenge encryption key
+
+
+   .. zeek:field:: primary_domain :zeek:type:`string`
+
+      The server's primary domain
+
+
+
+.. zeek:type:: SMB1::NegotiateResponseNTLM
+   :source-code: base/init-bare.zeek 4176 4212
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: word_count :zeek:type:`count`
+
+      Count of parameter words (should be 17)
+
+
+   .. zeek:field:: dialect_index :zeek:type:`count`
+
+      Index of selected dialect
+
+
+   .. zeek:field:: security_mode :zeek:type:`SMB1::NegotiateResponseSecurity`
+
+      Security mode
+
+
+   .. zeek:field:: max_buffer_size :zeek:type:`count`
+
+      Max transmit buffer size
+
+
+   .. zeek:field:: max_mpx_count :zeek:type:`count`
+
+      Max pending multiplexed requests
+
+
+   .. zeek:field:: max_number_vcs :zeek:type:`count`
+
+      Max number of virtual circuits (VCs - transport-layer connections)
+      between client and server
+
+
+   .. zeek:field:: max_raw_size :zeek:type:`count`
+
+      Max raw buffer size
+
+
+   .. zeek:field:: session_key :zeek:type:`count`
+
+      Unique token identifying this session
+
+
+   .. zeek:field:: capabilities :zeek:type:`SMB1::NegotiateCapabilities`
+
+      Server capabilities
+
+
+   .. zeek:field:: server_time :zeek:type:`time`
+
+      Current date and time at server
+
+
+   .. zeek:field:: encryption_key :zeek:type:`string` :zeek:attr:`&optional`
+
+      The challenge encryption key.
+      Present only for non-extended security (i.e. capabilities$extended_security = F)
+
+
+   .. zeek:field:: domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The name of the domain.
+      Present only for non-extended security (i.e. capabilities$extended_security = F)
+
+
+   .. zeek:field:: guid :zeek:type:`string` :zeek:attr:`&optional`
+
+      A globally unique identifier assigned to the server.
+      Present only for extended security (i.e. capabilities$extended_security = T)
+
+
+   .. zeek:field:: security_blob :zeek:type:`string`
+
+      Opaque security blob associated with the security package if capabilities$extended_security = T
+      Otherwise, the challenge for challenge/response authentication.
+
+
+
+.. zeek:type:: SMB1::NegotiateResponseSecurity
+   :source-code: base/init-bare.zeek 4126 4141
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: user_level :zeek:type:`bool`
+
+      This indicates whether the server, as a whole, is operating under
+      Share Level or User Level security.
+
+
+   .. zeek:field:: challenge_response :zeek:type:`bool`
+
+      This indicates whether or not the server supports Challenge/Response
+      authentication. If the bit is false, then plaintext passwords must
+      be used.
+
+
+   .. zeek:field:: signatures_enabled :zeek:type:`bool` :zeek:attr:`&optional`
+
+      This indicates if the server is capable of performing MAC message
+      signing. Note: Requires NT LM 0.12 or later.
+
+
+   .. zeek:field:: signatures_required :zeek:type:`bool` :zeek:attr:`&optional`
+
+      This indicates if the server is requiring the use of a MAC in each
+      packet. If false, message signing is optional. Note: Requires NT LM 0.12
+      or later.
+
+
+
+.. zeek:type:: SMB1::NegotiateRawMode
+   :source-code: base/init-bare.zeek 4075 4080
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: read_raw :zeek:type:`bool`
+
+      Read raw supported
+
+
+   .. zeek:field:: write_raw :zeek:type:`bool`
+
+      Write raw supported
+
+
+
+.. zeek:type:: SMB1::NegotiateCapabilities
+   :source-code: base/init-bare.zeek 4082 4124
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: raw_mode :zeek:type:`bool`
+
+      The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW
+
+
+   .. zeek:field:: mpx_mode :zeek:type:`bool`
+
+      The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX
+
+
+   .. zeek:field:: unicode :zeek:type:`bool`
+
+      The server supports unicode strings
+
+
+   .. zeek:field:: large_files :zeek:type:`bool`
+
+      The server supports large files with 64 bit offsets
+
+
+   .. zeek:field:: nt_smbs :zeek:type:`bool`
+
+      The server supports the SMBs particular to the NT LM 0.12 dialect. Implies nt_find.
+
+
+   .. zeek:field:: rpc_remote_apis :zeek:type:`bool`
+
+      The server supports remote admin API requests via DCE-RPC
+
+
+   .. zeek:field:: status32 :zeek:type:`bool`
+
+      The server can respond with 32 bit status codes in Status.Status
+
+
+   .. zeek:field:: level_2_oplocks :zeek:type:`bool`
+
+      The server supports level 2 oplocks
+
+
+   .. zeek:field:: lock_and_read :zeek:type:`bool`
+
+      The server supports SMB_COM_LOCK_AND_READ
+
+
+   .. zeek:field:: nt_find :zeek:type:`bool`
+
+      Reserved
+
+
+   .. zeek:field:: dfs :zeek:type:`bool`
+
+      The server is DFS aware
+
+
+   .. zeek:field:: infolevel_passthru :zeek:type:`bool`
+
+      The server supports NT information level requests passing through
+
+
+   .. zeek:field:: large_readx :zeek:type:`bool`
+
+      The server supports large SMB_COM_READ_ANDX (up to 64k)
+
+
+   .. zeek:field:: large_writex :zeek:type:`bool`
+
+      The server supports large SMB_COM_WRITE_ANDX (up to 64k)
+
+
+   .. zeek:field:: unix :zeek:type:`bool`
+
+      The server supports CIFS Extensions for UNIX
+
+
+   .. zeek:field:: bulk_transfer :zeek:type:`bool`
+
+      The server supports SMB_BULK_READ, SMB_BULK_WRITE
+      Note: No known implementations support this
+
+
+   .. zeek:field:: compressed_data :zeek:type:`bool`
+
+      The server supports compressed data transfer. Requires bulk_transfer.
+      Note: No known implementations support this
+
+
+   .. zeek:field:: extended_security :zeek:type:`bool`
+
+      The server supports extended security exchanges
+
+
+
+.. zeek:type:: SMB1::SessionSetupAndXRequest
+   :source-code: base/init-bare.zeek 4241 4283
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: word_count :zeek:type:`count`
+
+      Count of parameter words
+         - 10 for pre NT LM 0.12
+         - 12 for NT LM 0.12 with extended security
+         - 13 for NT LM 0.12 without extended security
+
+
+   .. zeek:field:: max_buffer_size :zeek:type:`count`
+
+      Client maximum buffer size
+
+
+   .. zeek:field:: max_mpx_count :zeek:type:`count`
+
+      Actual maximum multiplexed pending request
+
+
+   .. zeek:field:: vc_number :zeek:type:`count`
+
+      Virtual circuit number. First VC == 0
+
+
+   .. zeek:field:: session_key :zeek:type:`count`
+
+      Session key (valid iff vc_number > 0)
+
+
+   .. zeek:field:: native_os :zeek:type:`string`
+
+      Client's native operating system
+
+
+   .. zeek:field:: native_lanman :zeek:type:`string`
+
+      Client's native LAN Manager type
+
+
+   .. zeek:field:: account_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Account name
+      Note: not set for NT LM 0.12 with extended security
+
+
+   .. zeek:field:: account_password :zeek:type:`string` :zeek:attr:`&optional`
+
+      If challenge/response auth is not being used, this is the password.
+      Otherwise, it's the response to the server's challenge.
+      Note: Only set for pre NT LM 0.12
+
+
+   .. zeek:field:: primary_domain :zeek:type:`string` :zeek:attr:`&optional`
+
+      Client's primary domain, if known
+      Note: not set for NT LM 0.12 with extended security
+
+
+   .. zeek:field:: case_insensitive_password :zeek:type:`string` :zeek:attr:`&optional`
+
+      Case insensitive password
+      Note: only set for NT LM 0.12 without extended security
+
+
+   .. zeek:field:: case_sensitive_password :zeek:type:`string` :zeek:attr:`&optional`
+
+      Case sensitive password
+      Note: only set for NT LM 0.12 without extended security
+
+
+   .. zeek:field:: security_blob :zeek:type:`string` :zeek:attr:`&optional`
+
+      Security blob
+      Note: only set for NT LM 0.12 with extended security
+
+
+   .. zeek:field:: capabilities :zeek:type:`SMB1::SessionSetupAndXCapabilities` :zeek:attr:`&optional`
+
+      Client capabilities
+      Note: only set for NT LM 0.12
+
+
+
+.. zeek:type:: SMB1::SessionSetupAndXResponse
+   :source-code: base/init-bare.zeek 4285 4298
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: word_count :zeek:type:`count`
+
+      Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)
+
+
+   .. zeek:field:: is_guest :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Were we logged in as a guest user?
+
+
+   .. zeek:field:: native_os :zeek:type:`string` :zeek:attr:`&optional`
+
+      Server's native operating system
+
+
+   .. zeek:field:: native_lanman :zeek:type:`string` :zeek:attr:`&optional`
+
+      Server's native LAN Manager type
+
+
+   .. zeek:field:: primary_domain :zeek:type:`string` :zeek:attr:`&optional`
+
+      Server's primary domain
+
+
+   .. zeek:field:: security_blob :zeek:type:`string` :zeek:attr:`&optional`
+
+      Security blob if NTLM
+
+
+
+.. zeek:type:: SMB1::SessionSetupAndXCapabilities
+   :source-code: base/init-bare.zeek 4225 4239
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: unicode :zeek:type:`bool`
+
+      The client can use unicode strings
+
+
+   .. zeek:field:: large_files :zeek:type:`bool`
+
+      The client can deal with files having 64 bit offsets
+
+
+   .. zeek:field:: nt_smbs :zeek:type:`bool`
+
+      The client understands the SMBs introduced with NT LM 0.12
+      Implies nt_find
+
+
+   .. zeek:field:: status32 :zeek:type:`bool`
+
+      The client can receive 32 bit errors encoded in Status.Status
+
+
+   .. zeek:field:: level_2_oplocks :zeek:type:`bool`
+
+      The client understands Level II oplocks
+
+
+   .. zeek:field:: nt_find :zeek:type:`bool`
+
+      Reserved. Implied by nt_smbs.
+
+
+
+.. zeek:type:: SMB1::Trans_Sec_Args
+   :source-code: base/init-bare.zeek 4327 4344
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: total_param_count :zeek:type:`count`
+
+      Total parameter count
+
+
+   .. zeek:field:: total_data_count :zeek:type:`count`
+
+      Total data count
+
+
+   .. zeek:field:: param_count :zeek:type:`count`
+
+      Parameter count
+
+
+   .. zeek:field:: param_offset :zeek:type:`count`
+
+      Parameter offset
+
+
+   .. zeek:field:: param_displacement :zeek:type:`count`
+
+      Parameter displacement
+
+
+   .. zeek:field:: data_count :zeek:type:`count`
+
+      Data count
+
+
+   .. zeek:field:: data_offset :zeek:type:`count`
+
+      Data offset
+
+
+   .. zeek:field:: data_displacement :zeek:type:`count`
+
+      Data displacement
+
+
+
+.. zeek:type:: SMB1::Find_First2_Request_Args
+   :source-code: base/init-bare.zeek 4367 4381
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: search_attrs :zeek:type:`count`
+
+      File attributes to apply as a constraint to the search
+
+
+   .. zeek:field:: search_count :zeek:type:`count`
+
+      Max search results
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      Misc. flags for how the server should manage the transaction
+      once results are returned
+
+
+   .. zeek:field:: info_level :zeek:type:`count`
+
+      How detailed the information returned in the results should be
+
+
+   .. zeek:field:: search_storage_type :zeek:type:`count`
+
+      Specify whether to search for directories or files
+
+
+   .. zeek:field:: file_name :zeek:type:`string`
+
+      The string to search for (note: may contain wildcards)
+
+
+
+.. zeek:type:: SMB1::Find_First2_Response_Args
+   :source-code: base/init-bare.zeek 4383 4393
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: sid :zeek:type:`count`
+
+      The server generated search identifier
+
+
+   .. zeek:field:: search_count :zeek:type:`count`
+
+      Number of results returned by the search
+
+
+   .. zeek:field:: end_of_search :zeek:type:`bool`
+
+      Whether or not the search can be continued using
+      the TRANS2_FIND_NEXT2 transaction
+
+
+   .. zeek:field:: ext_attr_error :zeek:type:`string` :zeek:attr:`&optional`
+
+      An extended attribute name that couldn't be retrieved
+
+
+
+.. zeek:type:: SMB1::Trans2_Args
+   :source-code: base/init-bare.zeek 4300 4325
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: total_param_count :zeek:type:`count`
+
+      Total parameter count
+
+
+   .. zeek:field:: total_data_count :zeek:type:`count`
+
+      Total data count
+
+
+   .. zeek:field:: max_param_count :zeek:type:`count`
+
+      Max parameter count
+
+
+   .. zeek:field:: max_data_count :zeek:type:`count`
+
+      Max data count
+
+
+   .. zeek:field:: max_setup_count :zeek:type:`count`
+
+      Max setup count
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      Flags
+
+
+   .. zeek:field:: trans_timeout :zeek:type:`count`
+
+      Timeout
+
+
+   .. zeek:field:: param_count :zeek:type:`count`
+
+      Parameter count
+
+
+   .. zeek:field:: param_offset :zeek:type:`count`
+
+      Parameter offset
+
+
+   .. zeek:field:: data_count :zeek:type:`count`
+
+      Data count
+
+
+   .. zeek:field:: data_offset :zeek:type:`count`
+
+      Data offset
+
+
+   .. zeek:field:: setup_count :zeek:type:`count`
+
+      Setup count
+
+
+
+.. zeek:type:: SMB1::Trans2_Sec_Args
+   :source-code: base/init-bare.zeek 4346 4365
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: total_param_count :zeek:type:`count`
+
+      Total parameter count
+
+
+   .. zeek:field:: total_data_count :zeek:type:`count`
+
+      Total data count
+
+
+   .. zeek:field:: param_count :zeek:type:`count`
+
+      Parameter count
+
+
+   .. zeek:field:: param_offset :zeek:type:`count`
+
+      Parameter offset
+
+
+   .. zeek:field:: param_displacement :zeek:type:`count`
+
+      Parameter displacement
+
+
+   .. zeek:field:: data_count :zeek:type:`count`
+
+      Data count
+
+
+   .. zeek:field:: data_offset :zeek:type:`count`
+
+      Data offset
+
+
+   .. zeek:field:: data_displacement :zeek:type:`count`
+
+      Data displacement
+
+
+   .. zeek:field:: FID :zeek:type:`count`
+
+      File ID
+
+
+
+.. zeek:type:: SMB2::CloseResponse
+   :source-code: base/init-bare.zeek 4508 4517
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: alloc_size :zeek:type:`count`
+
+      The size, in bytes of the data that is allocated to the file.
+
+
+   .. zeek:field:: eof :zeek:type:`count`
+
+      The size, in bytes, of the file.
+
+
+   .. zeek:field:: times :zeek:type:`SMB::MACTimes`
+
+      The creation, last access, last write, and change times.
+
+
+   .. zeek:field:: attrs :zeek:type:`SMB2::FileAttrs`
+
+      The attributes of the file.
+
+
+   The response to an SMB2 *close* request, which is used by the client to close an instance
+   of a file that was opened previously.
+   
+   For more information, see MS-SMB2:2.2.16
+   
+   .. zeek:see:: smb2_close_response
+
+.. zeek:type:: SMB2::CreateRequest
+   :source-code: base/init-bare.zeek 4656 4663
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: filename :zeek:type:`string`
+
+      Name of the file
+
+
+   .. zeek:field:: disposition :zeek:type:`count`
+
+      Defines the action the server MUST take if the file that is specified already exists.
+
+
+   .. zeek:field:: create_options :zeek:type:`count`
+
+      Specifies the options to be applied when creating or opening the file.
+
+
+   The request sent by the client to request either creation of or access to a file.
+   
+   For more information, see MS-SMB2:2.2.13
+   
+   .. zeek:see:: smb2_create_request
+
+.. zeek:type:: SMB2::CreateResponse
+   :source-code: base/init-bare.zeek 4671 4682
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: file_id :zeek:type:`SMB2::GUID`
+
+      The SMB2 GUID for the file.
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      Size of the file.
+
+
+   .. zeek:field:: times :zeek:type:`SMB::MACTimes`
+
+      Timestamps associated with the file in question.
+
+
+   .. zeek:field:: attrs :zeek:type:`SMB2::FileAttrs`
+
+      File attributes.
+
+
+   .. zeek:field:: create_action :zeek:type:`count`
+
+      The action taken in establishing the open.
+
+
+   The response to an SMB2 *create_request* request, which is sent by the client to request
+   either creation of or access to a file.
+   
+   For more information, see MS-SMB2:2.2.14
+   
+   .. zeek:see:: smb2_create_response
+
+.. zeek:type:: SMB2::NegotiateResponse
+   :source-code: base/init-bare.zeek 4583 4600
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dialect_revision :zeek:type:`count`
+
+      The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2
+      NEGOTIATE Request.
+
+
+   .. zeek:field:: security_mode :zeek:type:`count`
+
+      The security mode field specifies whether SMB signing is enabled, required at the server, or both.
+
+
+   .. zeek:field:: server_guid :zeek:type:`SMB2::GUID`
+
+      A globally unique identifier that is generate by the server to uniquely identify the server.
+
+
+   .. zeek:field:: system_time :zeek:type:`time`
+
+      The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.
+
+
+   .. zeek:field:: server_start_time :zeek:type:`time`
+
+      The SMB2 server start time.
+
+
+   .. zeek:field:: negotiate_context_count :zeek:type:`count`
+
+      The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0.
+
+
+   .. zeek:field:: negotiate_context_values :zeek:type:`SMB2::NegotiateContextValues`
+
+      An array of context values in SMB v. 3.1.1.
+
+
+   The response to an SMB2 *negotiate* request, which is used by the client to notify the server
+   what dialects of the SMB2 protocol the client understands.
+   
+   For more information, see MS-SMB2:2.2.4
+   
+   .. zeek:see:: smb2_negotiate_response
+
+.. zeek:type:: SMB2::SessionSetupRequest
+   :source-code: base/init-bare.zeek 4608 4611
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: security_mode :zeek:type:`count`
+
+      The security mode field specifies whether SMB signing is enabled or required at the client.
+
+
+   The request sent by the client to request a new authenticated session
+   within a new or existing SMB 2 Protocol transport connection to the server.
+   
+   For more information, see MS-SMB2:2.2.5
+   
+   .. zeek:see:: smb2_session_setup_request
+
+.. zeek:type:: SMB2::SessionSetupResponse
+   :source-code: base/init-bare.zeek 4635 4638
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`SMB2::SessionSetupFlags`
+
+      Additional information about the session
+
+
+   The response to an SMB2 *session_setup* request, which is sent by the client to request a
+   new authenticated session within a new or existing SMB 2 Protocol transport connection
+   to the server.
+   
+   For more information, see MS-SMB2:2.2.6
+   
+   .. zeek:see:: smb2_session_setup_response
+
+.. zeek:type:: SMB2::SessionSetupFlags
+   :source-code: base/init-bare.zeek 4619 4626
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: guest :zeek:type:`bool`
+
+      If set, the client has been authenticated as a guest user.
+
+
+   .. zeek:field:: anonymous :zeek:type:`bool`
+
+      If set, the client has been authenticated as an anonymous user.
+
+
+   .. zeek:field:: encrypt :zeek:type:`bool`
+
+      If set, the server requires encryption of messages on this session.
+
+
+   A flags field that indicates additional information about the session that's sent in the
+   *session_setup* response.
+   
+   For more information, see MS-SMB2:2.2.6
+   
+   .. zeek:see:: smb2_session_setup_response
+
+.. zeek:type:: SMB2::TreeConnectResponse
+   :source-code: base/init-bare.zeek 4646 4649
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: share_type :zeek:type:`count`
+
+      The type of share being accessed. Physical disk, named pipe, or printer.
+
+
+   The response to an SMB2 *tree_connect* request, which is sent by the client to request
+   access to a particular share on the server.
+   
+   For more information, see MS-SMB2:2.2.9
+   
+   .. zeek:see:: smb2_tree_connect_response
+
+.. zeek:type:: SMB2::Transform_header
+   :source-code: base/init-bare.zeek 4731 4742
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: signature :zeek:type:`string`
+
+      The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey.
+
+
+   .. zeek:field:: nonce :zeek:type:`string`
+
+      An implementation specific value assigned for every encrypted message.
+
+
+   .. zeek:field:: orig_msg_size :zeek:type:`count`
+
+      The size, in bytes, of the SMB2 message.
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      A flags field, interpreted in different ways depending of the SMB2 dialect.
+
+
+   .. zeek:field:: session_id :zeek:type:`count`
+
+      A value that uniquely identifies the established session for the command.
+
+
+   An SMB2 transform header (for SMB 3.x dialects with encryption enabled).
+   
+   For more information, see MS-SMB2:2.2.41
+   
+   .. zeek:see:: smb2_transform_header smb2_message smb2_close_request smb2_close_response
+      smb2_create_request smb2_create_response smb2_negotiate_request
+      smb2_negotiate_response smb2_read_request
+      smb2_session_setup_request smb2_session_setup_response
+      smb2_file_rename smb2_file_delete
+      smb2_tree_connect_request smb2_tree_connect_response
+      smb2_write_request
+
+.. zeek:type:: SMB::MACTimes
+   :source-code: base/init-bare.zeek 4000 4017
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: modified :zeek:type:`time` :zeek:attr:`&log`
+
+      The time when data was last written to the file.
+
+
+   .. zeek:field:: modified_raw :zeek:type:`count`
+
+      Same as `modified` but in SMB's original `FILETIME` integer format.
+
+
+   .. zeek:field:: accessed :zeek:type:`time` :zeek:attr:`&log`
+
+      The time when the file was last accessed.
+
+
+   .. zeek:field:: accessed_raw :zeek:type:`count`
+
+      Same as `accessed` but in SMB's original `FILETIME` integer format.
+
+
+   .. zeek:field:: created :zeek:type:`time` :zeek:attr:`&log`
+
+      The time the file was created.
+
+
+   .. zeek:field:: created_raw :zeek:type:`count`
+
+      Same as `created` but in SMB's original `FILETIME` integer format.
+
+
+   .. zeek:field:: changed :zeek:type:`time` :zeek:attr:`&log`
+
+      The time when the file was last modified.
+
+
+   .. zeek:field:: changed_raw :zeek:type:`count`
+
+      Same as `changed` but in SMB's original `FILETIME` integer format.
+
+
+   MAC times for a file.
+   
+   For more information, see MS-SMB2:2.2.16
+   
+   .. zeek:see:: smb1_nt_create_andx_response smb2_create_response
+
+.. zeek:type:: SMB1::Header
+   :source-code: base/init-bare.zeek 4064 4073
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: command :zeek:type:`count`
+
+      The command number
+
+
+   .. zeek:field:: status :zeek:type:`count`
+
+      The status code
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      Flag set 1
+
+
+   .. zeek:field:: flags2 :zeek:type:`count`
+
+      Flag set 2
+
+
+   .. zeek:field:: tid :zeek:type:`count`
+
+      Tree ID
+
+
+   .. zeek:field:: pid :zeek:type:`count`
+
+      Process ID
+
+
+   .. zeek:field:: uid :zeek:type:`count`
+
+      User ID
+
+
+   .. zeek:field:: mid :zeek:type:`count`
+
+      Multiplex ID
+
+
+   An SMB1 header.
+   
+   .. zeek:see:: smb1_message smb1_empty_response smb1_error
+      smb1_check_directory_request smb1_check_directory_response
+      smb1_close_request smb1_create_directory_request
+      smb1_create_directory_response smb1_echo_request
+      smb1_echo_response smb1_negotiate_request
+      smb1_negotiate_response smb1_nt_cancel_request
+      smb1_nt_create_andx_request smb1_nt_create_andx_response
+      smb1_query_information_request smb1_read_andx_request
+      smb1_read_andx_response smb1_session_setup_andx_request
+      smb1_session_setup_andx_response smb1_transaction_request
+      smb1_transaction2_request smb1_trans2_find_first2_request
+      smb1_trans2_query_path_info_request
+      smb1_trans2_get_dfs_referral_request
+      smb1_tree_connect_andx_request smb1_tree_connect_andx_response
+      smb1_tree_disconnect smb1_write_andx_request
+      smb1_write_andx_response
+
+.. zeek:type:: SMB2::Header
+   :source-code: base/init-bare.zeek 4412 4437
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: credit_charge :zeek:type:`count`
+
+      The number of credits that this request consumes
+
+
+   .. zeek:field:: status :zeek:type:`count`
+
+      In a request, this is an indication to the server about the client's channel
+      change. In a response, this is the status field
+
+
+   .. zeek:field:: command :zeek:type:`count`
+
+      The command code of the packet
+
+
+   .. zeek:field:: credits :zeek:type:`count`
+
+      The number of credits the client is requesting, or the number of credits
+      granted to the client in a response.
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      A flags field, which indicates how to process the operation (e.g. asynchronously)
+
+
+   .. zeek:field:: message_id :zeek:type:`count`
+
+      A value that uniquely identifies the message request/response pair across all
+      messages that are sent on the same transport protocol connection
+
+
+   .. zeek:field:: process_id :zeek:type:`count`
+
+      A value that uniquely identifies the process that generated the event.
+
+
+   .. zeek:field:: tree_id :zeek:type:`count`
+
+      A value that uniquely identifies the tree connect for the command.
+
+
+   .. zeek:field:: session_id :zeek:type:`count`
+
+      A value that uniquely identifies the established session for the command.
+
+
+   .. zeek:field:: signature :zeek:type:`string`
+
+      The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the ``flags``
+      field.
+
+
+   An SMB2 header.
+   
+   For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2
+   
+   .. zeek:see:: smb2_message smb2_close_request smb2_close_response
+      smb2_create_request smb2_create_response smb2_negotiate_request
+      smb2_negotiate_response smb2_read_request
+      smb2_session_setup_request smb2_session_setup_response
+      smb2_file_rename smb2_file_delete
+      smb2_tree_connect_request smb2_tree_connect_response
+      smb2_write_request
+
+.. zeek:type:: SMB2::GUID
+   :source-code: base/init-bare.zeek 4445 4450
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: persistent :zeek:type:`count`
+
+      A file handle that remains persistent when reconnected after a disconnect
+
+
+   .. zeek:field:: volatile :zeek:type:`count`
+
+      A file handle that can be changed when reconnected after a disconnect
+
+
+   An SMB2 globally unique identifier which identifies a file.
+   
+   For more information, see MS-SMB2:2.2.14.1
+   
+   .. zeek:see:: smb2_close_request smb2_create_response smb2_read_request
+      smb2_file_rename smb2_file_delete smb2_write_request
+
+.. zeek:type:: SMB2::FileAttrs
+   :source-code: base/init-bare.zeek 4457 4500
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: read_only :zeek:type:`bool`
+
+      The file is read only. Applications can read the file but cannot
+      write to it or delete it.
+
+
+   .. zeek:field:: hidden :zeek:type:`bool`
+
+      The file is hidden. It is not to be included in an ordinary directory listing.
+
+
+   .. zeek:field:: system :zeek:type:`bool`
+
+      The file is part of or is used exclusively by the operating system.
+
+
+   .. zeek:field:: directory :zeek:type:`bool`
+
+      The file is a directory.
+
+
+   .. zeek:field:: archive :zeek:type:`bool`
+
+      The file has not been archived since it was last modified. Applications use
+      this attribute to mark files for backup or removal.
+
+
+   .. zeek:field:: normal :zeek:type:`bool`
+
+      The file has no other attributes set. This attribute is valid only if used alone.
+
+
+   .. zeek:field:: temporary :zeek:type:`bool`
+
+      The file is temporary. This is a hint to the cache manager that it does not need
+      to flush the file to backing storage.
+
+
+   .. zeek:field:: sparse_file :zeek:type:`bool`
+
+      A file that is a sparse file.
+
+
+   .. zeek:field:: reparse_point :zeek:type:`bool`
+
+      A file or directory that has an associated reparse point.
+
+
+   .. zeek:field:: compressed :zeek:type:`bool`
+
+      The file or directory is compressed. For a file, this means that all of the data
+      in the file is compressed. For a directory, this means that compression is the
+      default for newly created files and subdirectories.
+
+
+   .. zeek:field:: offline :zeek:type:`bool`
+
+      The data in this file is not available immediately. This attribute indicates that
+      the file data is physically moved to offline storage. This attribute is used by
+      Remote Storage, which is hierarchical storage management software.
+
+
+   .. zeek:field:: not_content_indexed :zeek:type:`bool`
+
+      A file or directory that is not indexed by the content indexing service.
+
+
+   .. zeek:field:: encrypted :zeek:type:`bool`
+
+      A file or directory that is encrypted. For a file, all data streams in the file
+      are encrypted. For a directory, encryption is the default for newly created files
+      and subdirectories.
+
+
+   .. zeek:field:: integrity_stream :zeek:type:`bool`
+
+      A file or directory that is configured with integrity support. For a file, all
+      data streams in the file have integrity support. For a directory, integrity support
+      is the default for newly created files and subdirectories, unless the caller
+      specifies otherwise.
+
+
+   .. zeek:field:: no_scrub_data :zeek:type:`bool`
+
+      A file or directory that is configured to be excluded from the data integrity scan.
+
+
+   A series of boolean flags describing basic and extended file attributes for SMB2.
+   
+   For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6
+   
+   .. zeek:see:: smb2_create_response
+
+.. zeek:type:: SMB2::Fscontrol
+   :source-code: base/init-bare.zeek 4688 4701
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: free_space_start_filtering :zeek:type:`int`
+
+      minimum amount of free disk space required to begin document filtering
+
+
+   .. zeek:field:: free_space_threshold :zeek:type:`int`
+
+      minimum amount of free disk space required to continue filtering documents and merging word lists
+
+
+   .. zeek:field:: free_space_stop_filtering :zeek:type:`int`
+
+      minimum amount of free disk space required to continue content filtering
+
+
+   .. zeek:field:: delete_quota_threshold :zeek:type:`count`
+
+      default per-user disk quota
+
+
+   .. zeek:field:: default_quota_limit :zeek:type:`count`
+
+      default per-user disk limit
+
+
+   .. zeek:field:: fs_control_flags :zeek:type:`count`
+
+      file systems control flags passed as unsigned int
+
+
+   A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2.
+   
+   For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2
+   
+
+.. zeek:type:: SMB2::FileEA
+   :source-code: base/init-bare.zeek 4707 4712
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ea_name :zeek:type:`string`
+
+      Specifies the extended attribute name
+
+
+   .. zeek:field:: ea_value :zeek:type:`string`
+
+      Contains the extended attribute value
+
+
+   This information class is used to query or set extended attribute (EA) information for a file.
+   
+   For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15
+   
+
+.. zeek:type:: SMB2::FileEAs
+   :source-code: base/init-bare.zeek 4718 4718
+
+   :Type: :zeek:type:`vector` of :zeek:type:`SMB2::FileEA`
+
+   A vector of extended attribute (EA) information for a file.
+   
+   For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15
+   
+
+.. zeek:type:: SMB2::PreAuthIntegrityCapabilities
+   :source-code: base/init-bare.zeek 4523 4532
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: hash_alg_count :zeek:type:`count`
+
+      The number of hash algorithms.
+
+
+   .. zeek:field:: salt_length :zeek:type:`count`
+
+      The salt length.
+
+
+   .. zeek:field:: hash_alg :zeek:type:`vector` of :zeek:type:`count`
+
+      An array of hash algorithms (counts).
+
+
+   .. zeek:field:: salt :zeek:type:`string`
+
+      The salt.
+
+
+   Preauthentication information as defined in SMB v. 3.1.1
+   
+   For more information, see MS-SMB2:2.3.1.1
+   
+
+.. zeek:type:: SMB2::EncryptionCapabilities
+   :source-code: base/init-bare.zeek 4538 4543
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cipher_count :zeek:type:`count`
+
+      The number of ciphers.
+
+
+   .. zeek:field:: ciphers :zeek:type:`vector` of :zeek:type:`count`
+
+      An array of ciphers.
+
+
+   Encryption information as defined in SMB v. 3.1.1
+   
+   For more information, see MS-SMB2:2.3.1.2
+   
+
+.. zeek:type:: SMB2::CompressionCapabilities
+   :source-code: base/init-bare.zeek 4549 4554
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: alg_count :zeek:type:`count`
+
+      The number of algorithms.
+
+
+   .. zeek:field:: algs :zeek:type:`vector` of :zeek:type:`count`
+
+      An array of compression algorithms.
+
+
+   Compression information as defined in SMB v. 3.1.1
+   
+   For more information, see MS-SMB2:2.3.1.3
+   
+
+.. zeek:type:: SMB2::NegotiateContextValue
+   :source-code: base/init-bare.zeek 4560 4573
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: context_type :zeek:type:`count`
+
+      Specifies the type of context (preauth or encryption).
+
+
+   .. zeek:field:: data_length :zeek:type:`count`
+
+      The length in byte of the data field.
+
+
+   .. zeek:field:: preauth_info :zeek:type:`SMB2::PreAuthIntegrityCapabilities` :zeek:attr:`&optional`
+
+      The preauthentication information.
+
+
+   .. zeek:field:: encryption_info :zeek:type:`SMB2::EncryptionCapabilities` :zeek:attr:`&optional`
+
+      The encryption information.
+
+
+   .. zeek:field:: compression_info :zeek:type:`SMB2::CompressionCapabilities` :zeek:attr:`&optional`
+
+      The compression information.
+
+
+   .. zeek:field:: netname :zeek:type:`string` :zeek:attr:`&optional`
+
+      Indicates the server name the client must connect to.
+
+
+   The context type information as defined in SMB v. 3.1.1
+   
+   For more information, see MS-SMB2:2.3.1
+   
+
+.. zeek:type:: SMB2::NegotiateContextValues
+   :source-code: base/init-bare.zeek 4575 4575
+
+   :Type: :zeek:type:`vector` of :zeek:type:`SMB2::NegotiateContextValue`
+
+
+Events
+++++++
+
+.. zeek:id:: smb1_check_directory_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, directory_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *check directory*. This is used by the client to verify that
+   a specified path resolves to a valid directory on the server.
+   
+   For more information, see MS-CIFS:2.2.4.17
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param directory_name: The directory name to check for existence.
+   
+   .. zeek:see:: smb1_message smb1_check_directory_response
+
+.. zeek:id:: smb1_check_directory_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek 31 31
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *check directory*. This is the server response to the
+   *check directory* request.
+   
+   For more information, see MS-CIFS:2.2.4.17
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+   .. zeek:see:: smb1_message smb1_check_directory_request
+
+.. zeek:id:: smb1_close_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *close*. This is used by the client to close an instance of an object
+   associated with a valid file ID.
+   
+   For more information, see MS-CIFS:2.2.4.5
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_id: The file identifier being closed.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb1_create_directory_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, directory_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *create directory*. This is a deprecated command which
+   has been replaced by the *trans2_create_directory* subcommand. This is used by the client to
+   create a new directory on the server, relative to a connected share.
+   
+   For more information, see MS-CIFS:2.2.4.1
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param directory_name: The name of the directory to create.
+   
+   .. zeek:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
+
+.. zeek:id:: smb1_create_directory_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *create directory*. This is a deprecated command which
+   has been replaced by the *trans2_create_directory* subcommand. This is the server response
+   to the *create directory* request.
+   
+   For more information, see MS-CIFS:2.2.4.1
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+   .. zeek:see:: smb1_message smb1_create_directory_request smb1_transaction2_request
+
+.. zeek:id:: smb1_echo_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, echo_count: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *echo*. This is sent by the client to test the transport layer
+   connection with the server.
+   
+   For more information, see MS-CIFS:2.2.4.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param echo_count: The number of times the server should echo the data back.
+   
+
+   :param data: The data for the server to echo.
+   
+   .. zeek:see:: smb1_message smb1_echo_response
+
+.. zeek:id:: smb1_echo_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek 36 36
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, seq_num: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *echo*. This is the server response to the *echo* request.
+   
+   For more information, see MS-CIFS:2.2.4.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param seq_num: The sequence number of this echo reply.
+   
+
+   :param data: The data echoed back from the client.
+   
+   .. zeek:see:: smb1_message smb1_echo_request
+
+.. zeek:id:: smb1_logoff_andx
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *logoff andx*. This is used by the client to logoff the user
+   connection represented by UID in the SMB Header. The server releases all locks and closes
+   all files currently open by this user, disconnects all tree connects, cancels any outstanding
+   requests for this UID, and invalidates the UID.
+   
+   For more information, see MS-CIFS:2.2.4.54
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Indicates which host sent the logoff message.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb1_negotiate_request
+   :source-code: base/protocols/smb/smb1-main.zeek 77 80
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, dialects: :zeek:type:`string_vec`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *negotiate*. This is sent by the client to initiate an SMB
+   connection between the client and the server. A *negotiate* exchange MUST be completed
+   before any other SMB messages are sent to the server.
+   
+   For more information, see MS-CIFS:2.2.4.52
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param dialects: The SMB dialects supported by the client.
+   
+   .. zeek:see:: smb1_message smb1_negotiate_response
+
+.. zeek:id:: smb1_negotiate_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, response: :zeek:type:`SMB1::NegotiateResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *negotiate*. This is the server response to the *negotiate*
+   request.
+   
+   For more information, see MS-CIFS:2.2.4.52
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param response: A record structure containing more information from the response.
+   
+   .. zeek:see:: smb1_message smb1_negotiate_request
+
+.. zeek:id:: smb1_nt_create_andx_request
+   :source-code: base/protocols/smb/smb1-main.zeek 137 146
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *nt create andx*. This is sent by the client to create and open
+   a new file, or to open an existing file, or to open and truncate an existing file to zero
+   length, or to create a directory, or to create a connection to a named pipe.
+   
+   For more information, see MS-CIFS:2.2.4.64
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param name: The ``name`` attribute  specified in the message.
+   
+   .. zeek:see:: smb1_message smb1_nt_create_andx_response
+
+.. zeek:id:: smb1_nt_create_andx_response
+   :source-code: base/protocols/smb/smb1-main.zeek 148 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, file_size: :zeek:type:`count`, times: :zeek:type:`SMB::MACTimes`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *nt create andx*. This is the server response to the
+   *nt create andx* request.
+   
+   For more information, see MS-CIFS:2.2.4.64
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param file_size: Size of the file.
+   
+
+   :param times: Timestamps associated with the file in question.
+   
+   .. zeek:see:: smb1_message smb1_nt_create_andx_request
+
+.. zeek:id:: smb1_nt_cancel_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *nt cancel*. This is sent by the client to request that a currently
+   pending request be cancelled.
+   
+   For more information, see MS-CIFS:2.2.4.65
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb1_query_information_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, filename: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *query information*. This is a deprecated command which
+   has been replaced by the *trans2_query_path_information* subcommand. This is used by the
+   client to obtain attribute information about a file.
+   
+   For more information, see MS-CIFS:2.2.4.9
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param filename: The filename that the client is querying.
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request
+
+.. zeek:id:: smb1_read_andx_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek 22 22
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *read andx*. This is sent by the client to read bytes from a regular
+   file, a named pipe, or a directly accessible device such as a serial port (COM) or printer
+   port (LPT).
+   
+   For more information, see MS-CIFS:2.2.4.42
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_id: The file identifier being written to.
+   
+
+   :param offset: The byte offset the requested read begins at.
+   
+
+   :param length: The number of bytes being requested.
+   
+   .. zeek:see:: smb1_message smb1_read_andx_response
+
+.. zeek:id:: smb1_read_andx_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, data_len: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *read andx*. This is the server response to the *read andx* request.
+   
+   For more information, see MS-CIFS:2.2.4.42
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param data_len: The length of data from the requested file.
+   
+   .. zeek:see:: smb1_message smb1_read_andx_request
+
+.. zeek:id:: smb1_session_setup_andx_request
+   :source-code: base/protocols/smb/smb1-main.zeek 252 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, request: :zeek:type:`SMB1::SessionSetupAndXRequest`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *setup andx*. This is sent by the client to configure an SMB session.
+   
+   For more information, see MS-CIFS:2.2.4.53
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param request: The parsed request data of the SMB message. See init-bare for more details.
+   
+   .. zeek:see:: smb1_message smb1_session_setup_andx_response
+
+.. zeek:id:: smb1_session_setup_andx_response
+   :source-code: base/protocols/smb/smb1-main.zeek 257 258
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, response: :zeek:type:`SMB1::SessionSetupAndXResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *setup andx*. This is the server response to the *setup andx* request.
+   
+   For more information, see MS-CIFS:2.2.4.53
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param response: The parsed response data of the SMB message. See init-bare for more details.
+   
+   .. zeek:see:: smb1_message smb1_session_setup_andx_request
+
+.. zeek:id:: smb1_transaction_request
+   :source-code: base/protocols/smb/smb1-main.zeek 262 265
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, name: :zeek:type:`string`, sub_cmd: :zeek:type:`count`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction*. This command serves as the transport for the
+   Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+   which are interprocess communication endpoints within the CIFS file system.
+   
+   For more information, see MS-CIFS:2.2.4.33.1
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param name: A name string that MAY identify the resource (a specific Mailslot or Named Pipe) 
+         against which the operation is performed.
+   
+
+   :param sub_cmd: The sub command, some may be parsed and have their own events.
+   
+
+   :param parameters: content of the SMB_Data.Trans_Parameters field
+   
+
+   :param data: content of the SMB_Data.Trans_Data field
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request
+
+.. zeek:id:: smb1_transaction_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek 42 42
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction*. This command serves as the transport for the
+   Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+   which are interprocess communication endpoints within the CIFS file system.
+   
+   For more information, see MS-CIFS:2.2.4.33.2
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param parameters: content of the SMB_Data.Trans_Parameters field
+   
+
+   :param data: content of the SMB_Data.Trans_Data field
+
+.. zeek:id:: smb1_transaction_secondary_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans_Sec_Args`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction_secondary*. This command
+   serves as an additional request data container for the
+   Transaction Subprotocol Commands (carried by *transaction* requests).
+   
+   For more information, see MS-CIFS:2.2.4.34
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param parameters: the SMB_Data.Trans_Parameters field content
+   
+
+   :param data: the SMB_Data.Trans_Data field content
+   
+
+.. zeek:id:: smb1_transaction2_request
+   :source-code: base/protocols/smb/smb1-main.zeek 71 74
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans2_Args`, sub_cmd: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction2*. This command serves as the transport for the
+   Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes,
+   which are interprocess communication endpoints within the CIFS file system. Compared to the
+   Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended
+   Attribute key/value pairs, make use of long file names (longer than the original 8.3 format
+   names), and perform directory searches, among other tasks.
+   
+   For more information, see MS-CIFS:2.2.4.46
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param sub_cmd: The sub command, some are parsed and have their own events.
+   
+   .. zeek:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
+      smb1_trans2_get_dfs_referral_request smb1_transaction_request
+
+.. zeek:id:: smb1_trans2_find_first2_request
+   :source-code: base/protocols/smb/smb1-main.zeek 247 250
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Find_First2_Request_Args`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
+   a search for file(s) within a directory or for a directory
+   
+   For more information, see MS-CIFS:2.2.6.2
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param args: A record data structure with arguments given to the command.
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
+      smb1_trans2_get_dfs_referral_request
+
+.. zeek:id:: smb1_trans2_query_path_info_request
+   :source-code: base/protocols/smb/smb1-main.zeek 242 245
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 *transaction2* requests of subtype *query path info*. This transaction is used to
+   get information about a specific file or directory.
+   
+   For more information, see MS-CIFS:2.2.6.6
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_name: File name the request is in reference to. 
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+      smb1_trans2_get_dfs_referral_request
+
+.. zeek:id:: smb1_trans2_get_dfs_referral_request
+   :source-code: base/protocols/smb/smb1-main.zeek 237 240
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 *transaction2* requests of subtype *get DFS referral*. This transaction is used
+   to request a referral for a disk object in DFS.
+   
+   For more information, see MS-CIFS:2.2.6.16
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_name: File name the request is in reference to.
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+      smb1_trans2_query_path_info_request
+
+.. zeek:id:: smb1_transaction2_secondary_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans2_Sec_Args`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction2 secondary*.
+   
+   For more information, see MS-CIFS:2.2.4.47.1
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
+        version 1 message.
+   
+
+   :param args: arguments of the message (SMB_Parameters.Words)
+   
+
+   :param parameters: content of the SMB_Data.Trans_Parameters field
+   
+
+   :param data: content of the SMB_Data.Trans_Data field
+
+.. zeek:id:: smb1_tree_connect_andx_request
+   :source-code: base/protocols/smb/smb1-main.zeek 100 106
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, path: :zeek:type:`string`, service: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *tree connect andx*. This is sent by the client to establish a
+   connection to a server share.
+   
+   For more information, see MS-CIFS:2.2.4.55
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param path: The ``path`` attribute specified in the message.
+   
+
+   :param service: The ``service`` attribute specified in the message.
+   
+   .. zeek:see:: smb1_message smb1_tree_connect_andx_response
+
+.. zeek:id:: smb1_tree_connect_andx_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, service: :zeek:type:`string`, native_file_system: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *tree connect andx*. This is the server reply to the *tree connect andx*
+   request.
+   
+   For more information, see MS-CIFS:2.2.4.55
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param service: The ``service`` attribute specified in the message.
+   
+
+   :param native_file_system: The file system of the remote server as indicate by the server.
+   
+   .. zeek:see:: smb1_message smb1_tree_connect_andx_request
+
+.. zeek:id:: smb1_tree_disconnect
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *tree disconnect*. This is sent by the client to logically disconnect
+   client access to a server resource.
+   
+   For more information, see MS-CIFS:2.2.4.51
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param is_orig: True if the message was from the originator.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb1_write_andx_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek 20 20
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, offset: :zeek:type:`count`, data_len: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *write andx*. This is sent by the client to write bytes to a
+   regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM)
+   or printer port (LPT).
+   
+   For more information, see MS-CIFS:2.2.4.43
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param offset: The byte offset into the referenced file data is being written.
+   
+
+   :param data: The data being written.
+   
+   .. zeek:see:: smb1_message smb1_write_andx_response
+
+.. zeek:id:: smb1_write_andx_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek 36 36
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, written_bytes: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *write andx*. This is the server response to the *write andx*
+   request.
+   
+   For more information, see MS-CIFS:2.2.4.43
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param written_bytes: The number of bytes the server reported having actually written.
+   
+   .. zeek:see:: smb1_message smb1_write_andx_request
+
+.. zeek:id:: smb1_message
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
+
+   Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1
+   messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
+   :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
+   :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
+   both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
+   ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param is_orig: True if the message was sent by the originator of the underlying
+            transport-level connection.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb1_empty_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek 31 31
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
+
+   Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb1_error
+   :source-code: policy/protocols/smb/log-cmds.zeek 49 64
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)` version 1 messages
+   that indicate an error. This event is triggered by an :abbr:`SMB (Server Message Block)` header
+   including a status that signals an error.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
+   
+
+   :param is_orig: True if the message was sent by the originator of the underlying
+            transport-level connection.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb2_close_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *close*. This is used by the client to close an instance of a
+   file that was opened previously with a successful SMB2 CREATE Request.
+   
+   For more information, see MS-SMB2:2.2.15
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_name: The SMB2 GUID of the file being closed.
+   
+   .. zeek:see:: smb2_message smb2_close_response
+
+.. zeek:id:: smb2_close_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::CloseResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *close*. This is sent by the server to indicate that an SMB2 CLOSE
+   request was processed successfully.
+   
+   For more information, see MS-SMB2:2.2.16
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: A record of attributes returned from the server from the close.
+   
+   .. zeek:see:: smb2_message smb2_close_request
+
+.. zeek:id:: smb2_create_request
+   :source-code: base/protocols/smb/smb2-main.zeek 129 152
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, request: :zeek:type:`SMB2::CreateRequest`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *create*. This is sent by the client to request either creation
+   of or access to a file.
+   
+   For more information, see MS-SMB2:2.2.13
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param request: A record with more information related to the request.
+   
+   .. zeek:see:: smb2_message smb2_create_response
+
+.. zeek:id:: smb2_create_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::CreateResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *create*. This is sent by the server to notify the client of
+   the status of its SMB2 CREATE request.
+   
+   For more information, see MS-SMB2:2.2.14
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: A record with more information related to the response.
+   
+   .. zeek:see:: smb2_message smb2_create_request
+
+.. zeek:id:: smb2_negotiate_request
+   :source-code: base/protocols/smb/smb2-main.zeek 83 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, dialects: :zeek:type:`index_vec`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *negotiate*. This is used by the client to notify the server what
+   dialects of the SMB2 Protocol the client understands.
+   
+   For more information, see MS-SMB2:2.2.3
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param dialects: A vector of the client's supported dialects.
+   
+   .. zeek:see:: smb2_message smb2_negotiate_response
+
+.. zeek:id:: smb2_negotiate_response
+   :source-code: base/protocols/smb/smb2-main.zeek 88 102
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::NegotiateResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *negotiate*. This is sent by the server to notify the client of
+   the preferred common dialect.
+   
+   For more information, see MS-SMB2:2.2.4
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: The negotiate response data structure.
+   
+   .. zeek:see:: smb2_message smb2_negotiate_request
+
+.. zeek:id:: smb2_read_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *read*. This is sent by the client to request a read operation on
+   the specified file.
+   
+   For more information, see MS-SMB2:2.2.19
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The GUID being used for the file.
+   
+
+   :param offset: How far into the file this read should be taking place.
+   
+
+   :param length: The number of bytes of the file being read.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb2_session_setup_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, request: :zeek:type:`SMB2::SessionSetupRequest`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *session_setup*. This is sent by the client to request a new
+   authenticated session within a new or existing SMB 2 Protocol transport connection to the
+   server.
+   
+   For more information, see MS-SMB2:2.2.5
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param request: A record containing more information related to the request.
+   
+   .. zeek:see:: smb2_message smb2_session_setup_response
+
+.. zeek:id:: smb2_session_setup_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::SessionSetupResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *session_setup*. This is sent by the server in response to a
+   *session_setup* request.
+   
+   For more information, see MS-SMB2:2.2.6
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: A record containing more information related to the response.
+   
+   .. zeek:see:: smb2_message smb2_session_setup_request
+
+.. zeek:id:: smb2_file_rename
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, dst_filename: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *rename* subtype.
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: A GUID to identify the file.
+   
+
+   :param dst_filename: The filename to rename the file into.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_delete
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 38 38
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, delete_pending: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *delete* subtype.
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param delete_pending: A boolean value to indicate that a file should be deleted 
+                   when it's closed if set to T.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_sattr
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 58 58
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, times: :zeek:type:`SMB::MACTimes`, attrs: :zeek:type:`SMB2::FileAttrs`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *file* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param times: Timestamps associated with the file in question.
+   
+
+   :param attrs: File attributes.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_allocation
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 75 75
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, alloc_size: :zeek:type:`int`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *allocation* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param alloc_size: desired allocation size.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_endoffile
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, end_of_file: :zeek:type:`int`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *end_of_file* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param end_of_file: the absolute new end of file position as a byte offset from the start of the file
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_mode
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 110 110
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, mode: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *mode* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param mode: specifies how the file will subsequently be accessed.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_pipe
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 130 130
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, read_mode: :zeek:type:`count`, completion_mode: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *pipe* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param read_mode: specifies if data must be read as a stream of bytes or messages
+   
+
+   :param completion_mode: specifies if blocking mode must be enabled or not
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_position
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 148 148
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, current_byte_offset: :zeek:type:`int`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *position* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param current_byte_offset: specifies the offset, in bytes, of the file pointer from the beginning of the file
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_shortname
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 165 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *short_name* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param file_name: specifies the name of the file to be changed
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_validdatalength
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 182 182
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, valid_data_length: :zeek:type:`int`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *valid_data_length* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param valid_data_length: specifies the new valid data length for the file
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_fullea
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 199 199
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, file_eas: :zeek:type:`SMB2::FileEAs`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *full_EA* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param FileEAs: a vector of extended file attributes as defined in MS-FSCC:2.4.15
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_link
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 218 218
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, root_directory: :zeek:type:`count`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *link* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param root_directory: contains the file handle for the directory where the link is to be created
+   
+
+   :param file_name: contains the name to be assigned to the newly created link
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_fscontrol
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 235 235
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, fs_control: :zeek:type:`SMB2::Fscontrol`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *fs_control* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param fs_control: contains fs_control info (see MS-FCC 2.5.2)
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_fsobjectid
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 254 254
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, object_id: :zeek:type:`SMB2::GUID`, extended_info: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *fs_object_id* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param object_id: contains a 16-bytes GUID that identifies the file system volume (see MS-FCC 2.5.6)
+   
+
+   :param extended_info: contains extended information on the file system volume
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link
+
+.. zeek:id:: smb2_tree_connect_request
+   :source-code: base/protocols/smb/smb2-main.zeek 104 107
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, path: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *tree_connect*. This is sent by a client to request access to a
+   particular share on the server.
+   
+   For more information, see MS-SMB2:2.2.9
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param path: Path of the requested tree.
+   
+   .. zeek:see:: smb2_message smb2_tree_connect_response
+
+.. zeek:id:: smb2_tree_connect_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::TreeConnectResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *tree_connect*. This is sent by the server when a *tree_connect*
+   request is successfully processed by the server.
+   
+   For more information, see MS-SMB2:2.2.10
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: A record with more information related to the response.
+   
+   .. zeek:see:: smb2_message smb2_tree_connect_request
+
+.. zeek:id:: smb2_tree_disconnect_request
+   :source-code: base/protocols/smb/smb2-main.zeek 119 127
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *tree disconnect*. This is sent by the client to logically disconnect
+   client access to a server resource.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb2_tree_disconnect_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek 26 26
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *tree disconnect*. This is sent by the server to logically disconnect
+   client access to a server resource.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb2_write_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *write*. This is sent by the client to write data to the file or
+   named pipe on the server.
+   
+   For more information, see MS-SMB2:2.2.21
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The GUID being used for the file.
+   
+
+   :param offset: How far into the file this write should be taking place.
+   
+
+   :param length: The number of bytes of the file being written.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb2_write_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, length: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *write*. This is sent by the server in response to a write request or
+   named pipe on the server.
+   
+   For more information, see MS-SMB2:2.2.22
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param length: The number of bytes of the file being written.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb2_transform_header
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Transform_header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 3.x *transform_header*. This is used by the client or server when sending
+   encrypted messages.
+   
+   For more information, see MS-SMB2:2.2.41
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb2_message
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek 20 20
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, is_orig: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
+   :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
+   :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
+   both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
+   ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param is_orig: True if the message came from the originator side.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb2_discarded_messages_state
+   :source-code: base/protocols/smb/smb2-main.zeek 350 366
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, state: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 connections for which pending read, ioctl or tree requests exceeds
+   the :zeek:see:`SMB::max_pending_messages` setting. This event indicates either
+   traffic loss, traffic load-balancing issues, or failures to parse or match
+   SMB responses with SMB requests. When this event is raised, internal per-connection
+   parser state has been reset.
+   
+
+   :param c: The affected connection.
+   
+
+   :param state: String describing what kind of state was affected.
+          One of read, ioctl or tree.
+
+.. zeek:id:: smb_pipe_connect_heuristic
+   :source-code: base/protocols/smb/main.zeek 243 247
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for :abbr:`SMB (Server Message Block)` connections when a
+   named pipe has been detected heuristically.  The case when this comes
+   up is when the drive mapping isn't seen so the analyzer is not able
+   to determine whether to send the data to the files framework or to
+   the DCE_RPC analyzer. This heuristic can be tuned by adding or
+   removing "named pipe" names from the :zeek:see:`SMB::pipe_filenames`
+   const.
+   
+
+   :param c: The connection.
+
+.. zeek:id:: smb_discarded_dce_rpc_analyzers
+   :source-code: base/protocols/dce-rpc/main.zeek 231 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for :abbr:`SMB (Server Message Block)` when the number of
+   :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+   analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
+   Occurrence of this event may indicate traffic loss, traffic load-balancing
+   issues or abnormal SMB protocol usage.
+   
+
+   :param c: The connection.
+   
+
+.. _plugin-zeek-smtp:
+
+Zeek::SMTP
+----------
+
+SMTP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_SMTP`
+
+:zeek:enum:`Analyzer::ANALYZER_SMTP_BDAT`
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: SMTP::bdat_max_line_length
+   :source-code: base/init-bare.zeek 669 669
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4096``
+
+   The maximum line length within a BDAT chunk before a forceful linebreak
+   is introduced and a weird is raised. Conventionally, MIME messages
+   have a maximum line length of 1000 octets when properly encoded.
+
+.. zeek:id:: SMTP::enable_rfc822_msg_file_analysis
+   :source-code: base/init-bare.zeek 677 677
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether to send data of individual top-level RFC822 messages
+   in SMTP transactions to the file analysis framework.
+   
+   If this option is enabled, the first :zeek:see:`file_over_new_connection`
+   event for a new SMTP transaction will be for the top-level RFC822
+   message. The file's :zeek:field:`mime_type` will be ``message/rfc822``.
+
+Events
+++++++
+
+.. zeek:id:: smtp_request
+   :source-code: base/protocols/smtp/main.zeek 205 274
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
+
+   Generated for client-side SMTP commands.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+   for more information about the SMTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the sender of the command is the originator of the TCP
+         connection. Note that this is not redundant: the SMTP ``TURN`` command
+         allows client and server to flip roles on established SMTP sessions,
+         and hence a "request" might still come from the TCP-level responder.
+         In practice, however, that will rarely happen as TURN is considered
+         insecure and rarely used.
+   
+
+   :param command: The request's command, without any arguments.
+   
+
+   :param arg: The request command's arguments.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+      smtp_data smtp_reply
+   
+   .. note:: Zeek does not support the newer ETRN extension yet.
+
+.. zeek:id:: smtp_reply
+   :source-code: base/bif/plugins/Zeek_SMTP.events.bif.zeek 59 59
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, code: :zeek:type:`count`, cmd: :zeek:type:`string`, msg: :zeek:type:`string`, cont_resp: :zeek:type:`bool`)
+
+   Generated for server-side SMTP commands.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+   for more information about the SMTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the sender of the command is the originator of the TCP
+         connection. Note that this is not redundant: the SMTP ``TURN`` command
+         allows client and server to flip roles on established SMTP sessions,
+         and hence a "reply" might still come from the TCP-level originator. In
+         practice, however, that will rarely happen as TURN is considered
+         insecure and rarely used.
+   
+
+   :param code: The reply's numerical code.
+   
+
+   :param cmd: TODO.
+   
+
+   :param msg: The reply's textual description.
+   
+
+   :param cont_resp: True if the reply line is tagged as being continued to the next
+         line. If so, further events will be raised and a handler may want to
+         reassemble the pieces before processing the response any further.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+      smtp_data  smtp_request
+   
+   .. note:: Zeek doesn't support the newer ETRN extension yet.
+
+.. zeek:id:: smtp_data
+   :source-code: base/bif/plugins/Zeek_SMTP.events.bif.zeek 85 85
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for DATA transmitted on SMTP sessions. This event is raised for
+   subsequent chunks of raw data following the ``DATA`` SMTP command until the
+   corresponding end marker ``.`` is seen. A handler may want to reassemble
+   the pieces as they come in if stream-analysis is required.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+   for more information about the SMTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the sender of the data is the originator of the TCP
+         connection.
+   
+
+   :param data: The raw data. Note that the size of each chunk is undefined and
+         depends on specifics of the underlying TCP connection.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+      smtp_reply smtp_request skip_smtp_data
+   
+   .. note:: This event receives the unprocessed raw data. There is a separate
+      set of ``mime_*`` events that strip out the outer MIME-layer of emails and
+      provide structured access to their content.
+
+.. zeek:id:: smtp_unexpected
+   :source-code: base/bif/plugins/Zeek_SMTP.events.bif.zeek 106 106
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`, detail: :zeek:type:`string`)
+
+   Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks
+   the state of SMTP sessions and reports commands and other activity with this
+   event that it sees even though it would not expect so at the current point
+   of the communication.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+   for more information about the SMTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the sender of the unexpected activity is the originator of
+         the TCP connection.
+   
+
+   :param msg: A descriptive message of what was unexpected.
+   
+
+   :param detail: The actual SMTP line triggering the event.
+   
+   .. zeek:see:: smtp_data  smtp_request smtp_reply
+
+.. zeek:id:: smtp_starttls
+   :source-code: base/protocols/smtp/main.zeek 407 414
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS.
+   After this event no more SMTP events will be raised for the connection. See the SSL
+   analyzer for related SSL events, which will now be generated.
+   
+
+   :param c: The connection.
+   
+
+Functions
++++++++++
+
+.. zeek:id:: skip_smtp_data
+   :source-code: base/bif/plugins/Zeek_SMTP.functions.bif.zeek 12 12
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`) : :zeek:type:`any`
+
+   Skips SMTP data until the next email in a connection.
+   
+
+   :param c: The SMTP connection.
+   
+   .. zeek:see:: skip_http_entity_data
+
+.. _plugin-zeek-snmp:
+
+Zeek::SNMP
+----------
+
+SNMP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_SNMP`
+
+Types
++++++
+
+.. zeek:type:: SNMP::Header
+   :source-code: base/init-bare.zeek 5320 5325
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+
+   .. zeek:field:: v1 :zeek:type:`SNMP::HeaderV1` :zeek:attr:`&optional`
+
+      Set when ``version`` is 0.
+
+
+   .. zeek:field:: v2 :zeek:type:`SNMP::HeaderV2` :zeek:attr:`&optional`
+
+      Set when ``version`` is 1.
+
+
+   .. zeek:field:: v3 :zeek:type:`SNMP::HeaderV3` :zeek:attr:`&optional`
+
+      Set when ``version`` is 3.
+
+
+   A generic SNMP header data structure that may include data from
+   any version of SNMP.  The value of the ``version`` field
+   determines what header field is initialized.
+
+.. zeek:type:: SNMP::HeaderV1
+   :source-code: base/init-bare.zeek 5285 5287
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: community :zeek:type:`string`
+
+
+   The top-level message data structure of an SNMPv1 datagram, not
+   including the PDU data.  See :rfc:`1157`.
+
+.. zeek:type:: SNMP::HeaderV2
+   :source-code: base/init-bare.zeek 5291 5293
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: community :zeek:type:`string`
+
+
+   The top-level message data structure of an SNMPv2 datagram, not
+   including the PDU data.  See :rfc:`1901`.
+
+.. zeek:type:: SNMP::HeaderV3
+   :source-code: base/init-bare.zeek 5305 5315
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+
+   .. zeek:field:: max_size :zeek:type:`count`
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+
+   .. zeek:field:: auth_flag :zeek:type:`bool`
+
+
+   .. zeek:field:: priv_flag :zeek:type:`bool`
+
+
+   .. zeek:field:: reportable_flag :zeek:type:`bool`
+
+
+   .. zeek:field:: security_model :zeek:type:`count`
+
+
+   .. zeek:field:: security_params :zeek:type:`string`
+
+
+   .. zeek:field:: pdu_context :zeek:type:`SNMP::ScopedPDU_Context` :zeek:attr:`&optional`
+
+
+   The top-level message data structure of an SNMPv3 datagram, not
+   including the PDU data.  See :rfc:`3412`.
+
+.. zeek:type:: SNMP::PDU
+   :source-code: base/init-bare.zeek 5375 5380
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: request_id :zeek:type:`int`
+
+
+   .. zeek:field:: error_status :zeek:type:`int`
+
+
+   .. zeek:field:: error_index :zeek:type:`int`
+
+
+   .. zeek:field:: bindings :zeek:type:`SNMP::Bindings`
+
+
+   A ``PDU`` data structure from either :rfc:`1157` or :rfc:`3416`.
+
+.. zeek:type:: SNMP::TrapPDU
+   :source-code: base/init-bare.zeek 5383 5390
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: enterprise :zeek:type:`string`
+
+
+   .. zeek:field:: agent :zeek:type:`addr`
+
+
+   .. zeek:field:: generic_trap :zeek:type:`int`
+
+
+   .. zeek:field:: specific_trap :zeek:type:`int`
+
+
+   .. zeek:field:: time_stamp :zeek:type:`count`
+
+
+   .. zeek:field:: bindings :zeek:type:`SNMP::Bindings`
+
+
+   A ``Trap-PDU`` data structure from :rfc:`1157`.
+
+.. zeek:type:: SNMP::BulkPDU
+   :source-code: base/init-bare.zeek 5393 5398
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: request_id :zeek:type:`int`
+
+
+   .. zeek:field:: non_repeaters :zeek:type:`count`
+
+
+   .. zeek:field:: max_repetitions :zeek:type:`count`
+
+
+   .. zeek:field:: bindings :zeek:type:`SNMP::Bindings`
+
+
+   A ``BulkPDU`` data structure from :rfc:`3416`.
+
+.. zeek:type:: SNMP::ScopedPDU_Context
+   :source-code: base/init-bare.zeek 5298 5301
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: engine_id :zeek:type:`string`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+
+   The ``ScopedPduData`` data structure of an SNMPv3 datagram, not
+   including the PDU data (i.e. just the "context" fields).
+   See :rfc:`3412`.
+
+.. zeek:type:: SNMP::ObjectValue
+   :source-code: base/init-bare.zeek 5336 5343
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: tag :zeek:type:`count`
+
+
+   .. zeek:field:: oid :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: signed :zeek:type:`int` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: unsigned :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: address :zeek:type:`addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: octets :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   A generic SNMP object value, that may include any of the
+   valid ``ObjectSyntax`` values from :rfc:`1155` or :rfc:`3416`.
+   The value is decoded whenever possible and assigned to
+   the appropriate field, which can be determined from the value
+   of the ``tag`` field.  For tags that can't be mapped to an
+   appropriate type, the ``octets`` field holds the BER encoded
+   ASN.1 content if there is any (though, ``octets`` is may also
+   be used for other tags such as OCTET STRINGS or Opaque).  Null
+   values will only have their corresponding tag value set.
+
+.. zeek:type:: SNMP::Binding
+   :source-code: base/init-bare.zeek 5365 5368
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: oid :zeek:type:`string`
+
+
+   .. zeek:field:: value :zeek:type:`SNMP::ObjectValue`
+
+
+   The ``VarBind`` data structure from either :rfc:`1157` or
+   :rfc:`3416`, which maps an Object Identifier to a value.
+
+.. zeek:type:: SNMP::Bindings
+   :source-code: base/init-bare.zeek 5372 5372
+
+   :Type: :zeek:type:`vector` of :zeek:type:`SNMP::Binding`
+
+   A ``VarBindList`` data structure from either :rfc:`1157` or :rfc:`3416`.
+   A sequences of :zeek:see:`SNMP::Binding`, which maps an OIDs to values.
+
+Events
+++++++
+
+.. zeek:id:: snmp_get_request
+   :source-code: base/protocols/snmp/main.zeek 109 113
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``GetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_get_next_request
+   :source-code: base/protocols/snmp/main.zeek 121 125
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``GetNextRequest-PDU`` message from either :rfc:`1157` or
+   :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_response
+   :source-code: base/protocols/snmp/main.zeek 127 144
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``GetResponse-PDU`` message from :rfc:`1157` or a
+   ``Response-PDU`` from :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_set_request
+   :source-code: base/protocols/snmp/main.zeek 146 150
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``SetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_trap
+   :source-code: base/protocols/snmp/main.zeek 152 155
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::TrapPDU`)
+
+   An SNMP ``Trap-PDU`` message from :rfc:`1157`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_get_bulk_request
+   :source-code: base/protocols/snmp/main.zeek 115 119
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::BulkPDU`)
+
+   An SNMP ``GetBulkRequest-PDU`` message from :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_inform_request
+   :source-code: base/protocols/snmp/main.zeek 157 160
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``InformRequest-PDU`` message from :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_trapV2
+   :source-code: base/protocols/snmp/main.zeek 162 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``SNMPv2-Trap-PDU`` message from :rfc:`1157`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_report
+   :source-code: base/protocols/snmp/main.zeek 167 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``Report-PDU`` message from :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_unknown_pdu
+   :source-code: base/protocols/snmp/main.zeek 172 175
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, tag: :zeek:type:`count`)
+
+   An SNMP PDU message of unknown type.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param tag: The tag of the unknown SNMP PDU.
+
+.. zeek:id:: snmp_unknown_scoped_pdu
+   :source-code: base/protocols/snmp/main.zeek 177 180
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, tag: :zeek:type:`count`)
+
+   An SNMPv3 ``ScopedPDUData`` of unknown type (neither plaintext or
+   an encrypted PDU was in the datagram).
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param tag: The tag of the unknown SNMP PDU scope.
+
+.. zeek:id:: snmp_encrypted_pdu
+   :source-code: base/protocols/snmp/main.zeek 182 185
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`)
+
+   An SNMPv3 encrypted PDU message.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+
+.. zeek:id:: snmp_unknown_header_version
+   :source-code: base/bif/plugins/Zeek_SNMP.events.bif.zeek 168 168
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`)
+
+   A datagram with an unknown SNMP version.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param version: The value of the unknown SNMP version.
+
+.. _plugin-zeek-socks:
+
+Zeek::SOCKS
+-----------
+
+SOCKS analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_SOCKS`
+
+Events
+++++++
+
+.. zeek:id:: socks_request
+   :source-code: base/protocols/socks/main.zeek 76 89
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`, request_type: :zeek:type:`count`, sa: :zeek:type:`SOCKS::Address`, p: :zeek:type:`port`, user: :zeek:type:`string`)
+
+   Generated when a SOCKS request is analyzed.
+   
+
+   :param c: The parent connection of the proxy.
+   
+
+   :param version: The version of SOCKS this message used.
+   
+
+   :param request_type: The type of the request.
+   
+
+   :param sa: Address that the tunneled traffic should be sent to.
+   
+
+   :param p: The destination port for the proxied traffic.
+   
+
+   :param user: Username given for the SOCKS connection.  This is not yet implemented
+         for SOCKSv5.
+
+.. zeek:id:: socks_reply
+   :source-code: base/protocols/socks/main.zeek 91 102
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`, reply: :zeek:type:`count`, sa: :zeek:type:`SOCKS::Address`, p: :zeek:type:`port`)
+
+   Generated when a SOCKS reply is analyzed.
+   
+
+   :param c: The parent connection of the proxy.
+   
+
+   :param version: The version of SOCKS this message used.
+   
+
+   :param reply: The status reply from the server.
+   
+
+   :param sa: The address that the server sent the traffic to.
+   
+
+   :param p: The destination port for the proxied traffic.
+
+.. zeek:id:: socks_login_userpass_request
+   :source-code: base/protocols/socks/main.zeek 104 113
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, password: :zeek:type:`string`)
+
+   Generated when a SOCKS client performs username and password based login.
+   
+
+   :param c: The parent connection of the proxy.
+   
+
+   :param user: The given username.
+   
+
+   :param password: The given password.
+
+.. zeek:id:: socks_login_userpass_reply
+   :source-code: base/protocols/socks/main.zeek 115 121
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`)
+
+   Generated when a SOCKS server replies to a username/password login attempt.
+   
+
+   :param c: The parent connection of the proxy.
+   
+
+   :param code: The response code for the attempted login.
+
+.. _plugin-zeek-spicy:
+
+Zeek::Spicy
+-----------
+
+Support for Spicy parsers (.hlto)
+
+Types
++++++
+
+.. zeek:type:: Redis::RedisCommand
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Redis::RedisCommand_APPEND Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_AUTH Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_BITCOUNT Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_BITFIELD Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_BITFIELD_RO Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_BITOP Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_BITPOS Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_BLMPOP Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_BLPOP Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_BRPOP Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_CLIENT Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_COPY Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_DECR Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_DECRBY Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_DEL Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_DUMP Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_EXISTS Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_EXPIRE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_EXPIREAT Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_EXPIRETIME Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_GET Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_GETBIT Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_GETDEL Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_GETEX Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_GETRANGE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_GETSET Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_HDEL Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_HELLO Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_HGET Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_HSET Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_INCR Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_INCRBY Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_KEYS Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_MGET Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_MOVE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_MSET Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_PERSIST Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_PSUBSCRIBE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_PUNSUBSCRIBE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_QUIT Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_RENAME Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_RESET Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_SET Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_STRLEN Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_SUBSCRIBE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_SSUBSCRIBE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_SUNSUBSCRIBE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_TTL Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_TYPE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_UNSUBSCRIBE Redis::RedisCommand
+
+      .. zeek:enum:: Redis::RedisCommand_Undef Redis::RedisCommand
+
+
+.. zeek:type:: Redis::ReplyType
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Redis::ReplyType_Reply Redis::ReplyType
+
+      .. zeek:enum:: Redis::ReplyType_Error Redis::ReplyType
+
+      .. zeek:enum:: Redis::ReplyType_Push Redis::ReplyType
+
+      .. zeek:enum:: Redis::ReplyType_Undef Redis::ReplyType
+
+
+.. _plugin-zeek-ssh:
+
+Zeek::SSH
+---------
+
+Secure Shell analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_SSH`
+
+Types
++++++
+
+.. zeek:type:: SSH::Algorithm_Prefs
+   :source-code: base/init-bare.zeek 3822 3827
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: client_to_server :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      The algorithm preferences for client to server communication
+
+
+   .. zeek:field:: server_to_client :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      The algorithm preferences for server to client communication
+
+
+   The client and server each have some preferences for the algorithms used
+   in each direction.
+
+.. zeek:type:: SSH::Capabilities
+   :source-code: base/init-bare.zeek 3834 3849
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: kex_algorithms :zeek:type:`string_vec`
+
+      Key exchange algorithms
+
+
+   .. zeek:field:: server_host_key_algorithms :zeek:type:`string_vec`
+
+      The algorithms supported for the server host key
+
+
+   .. zeek:field:: encryption_algorithms :zeek:type:`SSH::Algorithm_Prefs`
+
+      Symmetric encryption algorithm preferences
+
+
+   .. zeek:field:: mac_algorithms :zeek:type:`SSH::Algorithm_Prefs`
+
+      Symmetric MAC algorithm preferences
+
+
+   .. zeek:field:: compression_algorithms :zeek:type:`SSH::Algorithm_Prefs`
+
+      Compression algorithm preferences
+
+
+   .. zeek:field:: languages :zeek:type:`SSH::Algorithm_Prefs` :zeek:attr:`&optional`
+
+      Language preferences
+
+
+   .. zeek:field:: is_server :zeek:type:`bool`
+
+      Are these the capabilities of the server?
+
+
+   This record lists the preferences of an SSH endpoint for
+   algorithm selection. During the initial :abbr:`SSH (Secure Shell)`
+   key exchange, each endpoint lists the algorithms
+   that it supports, in order of preference. See
+   :rfc:`4253#section-7.1` for details.
+
+Events
+++++++
+
+.. zeek:id:: ssh_server_version
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`)
+
+   An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+   from the server. This contains an identification string that's used
+   for version identification. See :rfc:`4253#section-4.2` for
+   details.
+   
+
+   :param c: The connection over which the message was sent.
+   
+
+   :param version: The identification string
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret ssh_server_pre_banner_data
+
+.. zeek:id:: ssh_client_version
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`)
+
+   An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+   from the client. This contains an identification string that's used
+   for version identification. See :rfc:`4253#section-4.2` for
+   details.
+   
+
+   :param c: The connection over which the message was sent.
+   
+
+   :param version: The identification string
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_auth_successful
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 60 60
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, auth_method_none: :zeek:type:`bool`)
+
+   This event is generated when an :abbr:`SSH (Secure Shell)`
+   connection was determined to have had a successful
+   authentication. This determination is based on packet size
+   analysis, and errs on the side of caution - that is, if there's any
+   doubt about the authentication success, this event is *not* raised.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param auth_method_none: This is true if the analyzer detected a
+      successful connection before any authentication challenge. The
+      :abbr:`SSH (Secure Shell)` protocol provides a mechanism for
+      unauthenticated access, which some servers support.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_auth_attempted
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, authenticated: :zeek:type:`bool`)
+
+   This event is generated when an :abbr:`SSH (Secure Shell)`
+   connection was determined to have had an authentication attempt.
+   This determination is based on packet size analysis, and errs
+   on the side of caution - that is, if there's any doubt about
+   whether or not an authentication attempt occurred, this event is
+   *not* raised.
+   
+   At this point in the protocol, all we can determine is whether
+   or not the user is authenticated. We don't know if the particular
+   attempt succeeded or failed, since some servers require multiple
+   authentications (e.g. require both a password AND a pubkey), and
+   could return an authentication failed message which is marked
+   as a partial success.
+   
+   This event will often be raised multiple times per connection.
+   In almost all connections, it will be raised once unless
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param authenticated: This is true if the analyzer detected a
+      successful connection from the authentication attempt.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_capabilities
+   :source-code: base/protocols/ssh/main.zeek 287 310
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`, capabilities: :zeek:type:`SSH::Capabilities`)
+
+   During the initial :abbr:`SSH (Secure Shell)` key exchange, each
+   endpoint lists the algorithms that it supports, in order of
+   preference. This event is generated for each endpoint, when the
+   SSH_MSG_KEXINIT message is seen. See :rfc:`4253#section-7.1` for
+   details.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param cookie: The SSH_MSG_KEXINIT cookie - a random value generated by
+      the sender.
+   
+
+   :param capabilities: The list of algorithms and languages that the sender
+      advertises support for, in order of preference.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_server_host_key
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 135 135
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, key: :zeek:type:`string`)
+
+   During the :abbr:`SSH (Secure Shell)` key exchange, the server
+   supplies its public host key. This event is generated when the
+   appropriate key exchange message is seen for SSH2.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param key: The server's public host key. Note that this is the public key
+      itself, and not just the fingerprint or hash.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_attempted ssh_capabilities
+      ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
+      ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
+      ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init ssh2_gss_init
+      ssh2_rsa_secret
+
+.. zeek:id:: ssh1_server_host_key
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 163 163
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, modulus: :zeek:type:`string`, exponent: :zeek:type:`string`)
+
+   During the :abbr:`SSH (Secure Shell)` key exchange, the server
+   supplies its public host key. This event is generated when the
+   appropriate key exchange message is seen for SSH1.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param p: The exponent for the server's public host key (note this parameter
+      is truly the exponent even though named *p* and the *exponent* parameter
+      will eventually replace it).
+   
+
+   :param e: The prime modulus for the server's public host key (note this parameter
+      is truly the modulus even though named *e* and the *modulus* parameter
+      will eventually replace it).
+   
+
+   :param modulus: The prime modulus of the server's public host key.
+   
+
+   :param exponent: The exponent of the server's public host key.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_server_host_key
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 193 193
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hash: :zeek:type:`string`)
+
+   During the :abbr:`SSH (Secure Shell)` key exchange, the server
+   supplies its public host key. This event is generated when the
+   appropriate key exchange message is seen for SSH1 or SSH2 and provides
+   a fingerprint of the server's host key.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param hash: an MD5 hash fingerprint associated with the server's host key.
+         For SSH2, this is the hash of the "server public host key" string as
+         seen on the wire in the Diffie-Hellman key exchange reply message
+         (the string itself, excluding the 4-byte length associated with it),
+         which is also the *key* parameter of :zeek:see:`ssh2_server_host_key`
+         For SSH1, this is the hash of the combined multiprecision integer
+         strings representing the RSA1 key's prime modulus and public exponent
+         (concatenated in that order) as seen on the wire,
+         which are also the parameters of :zeek:see:`ssh1_server_host_key`.
+         In either case, the hash is the same "fingerprint" string as presented
+         by other traditional tools, ``ssh``, ``ssh-keygen``, etc, and is the
+         hexadecimal representation of all 16 MD5 hash bytes delimited by colons.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_encrypted_packet
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 217 217
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, len: :zeek:type:`count`)
+
+   This event is generated when an :abbr:`SSH (Secure Shell)`
+   encrypted packet is seen. This event is not handled by default, but
+   is provided for heuristic analysis scripts. Note that you have to set
+   :zeek:id:`SSH::disable_analyzer_after_detection` to false to use this
+   event. This carries a performance penalty.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param orig: Whether the packet was sent by the originator of the TCP
+      connection.
+   
+
+   :param len: The length of the :abbr:`SSH (Secure Shell)` payload, in
+      bytes. Note that this ignores reassembly, as this is unknown.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_dh_server_params
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 237 237
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, p: :zeek:type:`string`, q: :zeek:type:`string`)
+
+   Generated if the connection uses a Diffie-Hellman Group Exchange
+   key exchange method. This event contains the server DH parameters,
+   which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in
+   :rfc:`4419#section-3`.
+   
+
+   :param c: The connection.
+   
+
+   :param p: The DH prime modulus.
+   
+
+   :param q: The DH generator.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_gss_error
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 259 259
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_status: :zeek:type:`count`, minor_status: :zeek:type:`count`, err_msg: :zeek:type:`string`)
+
+   In the event of a GSS-API error on the server, the server MAY send
+   send an error message with some additional details. This event is
+   generated when such an error message is seen. For more information,
+   see :rfc:`4462#section-2.1`.
+   
+
+   :param c: The connection.
+   
+
+   :param major_status: GSS-API major status code.
+   
+
+   :param minor_status: GSS-API minor status code.
+   
+
+   :param err_msg: Detailed human-readable error message
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_ecc_key
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 281 281
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, q: :zeek:type:`string`)
+
+   The :abbr:`ECDH (Elliptic Curve Diffie-Hellman)` and
+   :abbr:`ECMQV (Elliptic Curve Menezes-Qu-Vanstone)` key exchange
+   algorithms use two ephemeral key pairs to generate a shared
+   secret. This event is generated when either the client's or
+   server's ephemeral public key is seen. For more information, see:
+   :rfc:`5656#section-4`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+
+   :param q: The ephemeral public key
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_ecc_init
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 303 303
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   The :abbr:`ECDH (Elliptic Curve Diffie-Hellman)` and
+   :abbr:`ECMQV (Elliptic Curve Menezes-Qu-Vanstone)` key exchange
+   algorithms use two ephemeral key pairs to generate a shared
+   secret. This event is generated when either the SSH_MSG_KEX_ECDH_INIT
+   or SSH_MSG_ECMQV_INIT message is observed. By definition, these need
+   to originate from the client and not from the server.
+   For more information, see:
+   :rfc:`5656#section-4`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_dh_gex_init
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 321 321
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated if the connection uses a Diffie-Hellman Group Exchange
+   key exchange method. This event contains the direction of the key
+   exchange setup, which is indicated by the the SSH_MSG_KEX_DH_GEX_INIT
+   message as defined in :rfc:`4419#section-3`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_gss_init
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 338 338
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   In the event of a GSS-API key exchange, this event is raised on
+   SSH_MSG_KEXGSS_INIT message.
+   For more information see :rfc:`4462#section-2.1`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_rsa_secret
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 356 356
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   In the event of a GSS-API key exchange, this event is raised on
+   SSH_MSG_KEXRSA_PUBKEY message. This message is sent first by the server,
+   after which the server will respond with a SSH_MSG_KEXRSA_SECRET message.
+   For more information see :rfc:`4432#section-4`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_server_pre_banner_data
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 372 372
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`string`)
+
+   SSH servers can send textual data to the client before sending
+   a banner. The primary use case of this are error messages of TCP
+   wrappers.
+   
+   As this event happens before the SSH banner is exchanged, it is
+   possible that it contains data from different protocols; e.g. if
+   an SSH client connects to a non-SSH-server.
+   
+
+   :param c: The connection.
+   
+
+   :param data: The pre-banner data.
+   
+   .. zeek:see:: ssh_server_version
+
+.. _plugin-zeek-ssl:
+
+Zeek::SSL
+---------
+
+SSL/TLS and DTLS analyzers
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_DTLS`
+
+:zeek:enum:`Analyzer::ANALYZER_SSL`
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: SSL::dtls_max_version_errors
+   :source-code: base/init-bare.zeek 5062 5062
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   Number of non-DTLS frames that can occur in a DTLS connection before
+   parsing of the connection is suspended.
+   DTLS does not immediately stop parsing a connection because other protocols
+   might be interleaved in the same UDP "connection".
+
+.. zeek:id:: SSL::dtls_max_reported_version_errors
+   :source-code: base/init-bare.zeek 5065 5065
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1``
+
+   Maximum number of invalid version errors to report in one DTLS connection.
+
+.. zeek:id:: SSL::max_alerts_per_record
+   :source-code: base/init-bare.zeek 5070 5070
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   Maximum number of Alert messages parsed from an SSL record with
+   content_type alert (21). The remaining alerts are discarded. For
+   TLS 1.3 connections, this is implicitly 1 as defined by RFC 8446.
+
+Types
++++++
+
+.. zeek:type:: SSL::SignatureAndHashAlgorithm
+   :source-code: base/init-bare.zeek 5048 5051
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: HashAlgorithm :zeek:type:`count`
+
+      Hash algorithm number
+
+
+   .. zeek:field:: SignatureAlgorithm :zeek:type:`count`
+
+      Signature algorithm number
+
+
+
+.. zeek:type:: SSL::PSKIdentity
+   :source-code: base/init-bare.zeek 5053 5056
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: identity :zeek:type:`string`
+
+      PSK identity
+
+
+   .. zeek:field:: obfuscated_ticket_age :zeek:type:`count`
+
+
+
+Events
+++++++
+
+.. zeek:id:: ssl_client_hello
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 41 41
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`, record_version: :zeek:type:`count`, possible_ts: :zeek:type:`time`, client_random: :zeek:type:`string`, session_id: :zeek:type:`string`, ciphers: :zeek:type:`index_vec`, comp_methods: :zeek:type:`index_vec`)
+
+   Generated for an SSL/TLS client's initial *hello* message.  SSL/TLS sessions
+   start with an unencrypted handshake, and Zeek extracts as much information out
+   of that as it can. This event provides access to the initial information
+   sent by the client.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param version: The protocol version as extracted from the client's message.  The
+            values are standardized as part of the SSL/TLS protocol. The
+            :zeek:id:`SSL::version_strings` table maps them to descriptive names.
+   
+
+   :param record_version: TLS version given in the record layer of the message.
+                   Set to 0 for SSLv2.
+   
+
+   :param possible_ts: The current time as sent by the client. Note that SSL/TLS does
+                not require clocks to be set correctly, so treat with care.
+   
+
+   :param session_id: The session ID sent by the client (if any).
+   
+
+   :param client_random: The random value sent by the client. For version 2 connections,
+   		  the client challenge is returned.
+   
+
+   :param ciphers: The list of ciphers the client offered to use. The values are
+            standardized as part of the SSL/TLS protocol. The
+            :zeek:id:`SSL::cipher_desc` table maps them to descriptive names.
+   
+
+   :param comp_methods: The list of compression methods that the client offered to use.
+                 This value is not sent in TLSv1.3 or SSLv2.
+   
+   .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate ssl_handshake_message
+      ssl_change_cipher_spec
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_connection_flipped
+
+.. zeek:id:: ssl_server_hello
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 86 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`, record_version: :zeek:type:`count`, possible_ts: :zeek:type:`time`, server_random: :zeek:type:`string`, session_id: :zeek:type:`string`, cipher: :zeek:type:`count`, comp_method: :zeek:type:`count`)
+
+   Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
+   start with an unencrypted handshake, and Zeek extracts as much information out
+   of that as it can. This event provides access to the initial information
+   sent by the client.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param version: The protocol version as extracted from the server's message.
+            The values are standardized as part of the SSL/TLS protocol. The
+            :zeek:id:`SSL::version_strings` table maps them to descriptive names.
+   
+
+   :param record_version: TLS version given in the record layer of the message.
+                   Set to 0 for SSLv2.
+   
+
+   :param possible_ts: The current time as sent by the server. Note that SSL/TLS does
+                not require clocks to be set correctly, so treat with care. This value
+                is meaningless in SSLv2 and TLSv1.3.
+   
+
+   :param session_id: The session ID as sent back by the server (if any). This value is not
+               sent in TLSv1.3.
+   
+
+   :param server_random: The random value sent by the server. For version 2 connections,
+   		  the connection-id is returned. Note - the full 32 bytes are included in
+   		  server_random. This means that the 4 bytes present in possible_ts are repeated;
+   		  if you do not want this behavior ignore the first 4 bytes.
+   
+
+   :param cipher: The cipher chosen by the server.  The values are standardized as part
+           of the SSL/TLS protocol. The :zeek:id:`SSL::cipher_desc` table maps
+           them to descriptive names.
+   
+
+   :param comp_method: The compression method chosen by the client. The values are
+                standardized as part of the SSL/TLS protocol. This value is not
+                sent in TLSv1.3 or SSLv2.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
+      ssl_session_ticket_handshake x509_certificate
+      ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_connection_flipped
+
+.. zeek:id:: ssl_extension
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 115 115
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, code: :zeek:type:`count`, val: :zeek:type:`string`)
+
+   Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
+   sessions start with an unencrypted handshake, and Zeek extracts as much
+   information out of that as it can. This event provides access to any
+   extensions either side sends as part of an extended *hello* message.
+   
+   Note that Zeek offers more specialized events for a few extensions.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param code: The numerical code of the extension.  The values are standardized as
+         part of the SSL/TLS protocol. The :zeek:id:`SSL::extensions` table maps
+         them to descriptive names.
+   
+
+   :param val: The raw extension value that was sent in the message.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension_ec_point_formats
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_connection_flipped ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_elliptic_curves
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 103 111
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, curves: :zeek:type:`index_vec`)
+
+   Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
+   defined in :rfc:`4492` and sent by the client in the initial handshake. It
+   gives the list of elliptic curves supported by the client.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param curves: List of supported elliptic curves.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name ssl_extension_signature_algorithm
+      ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_ec_point_formats
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 93 101
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, point_formats: :zeek:type:`index_vec`)
+
+   Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
+   is defined in :rfc:`4492` and sent by the client and/or server in the initial
+   handshake. It gives the list of elliptic curve point formats supported by the
+   client.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param point_formats: List of supported point formats.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name ssl_extension_signature_algorithm
+      ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_signature_algorithm
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 159 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, signature_algorithms: :zeek:type:`signature_and_hashalgorithm_vec`)
+
+   Generated for an Signature Algorithms extension. This TLS extension
+   is defined in :rfc:`5246` and sent by the client in the initial
+   handshake. It gives the list of signature and hash algorithms supported by the
+   client.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param signature_algorithms: List of supported signature and hash algorithm pairs.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_key_share
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 214 214
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, curves: :zeek:type:`index_vec`)
+
+   Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
+   and sent by the client and the server in the initial handshake. It gives the list of
+   named groups supported by the client and chosen by the server.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param curves: List of supported/chosen named groups.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_pre_shared_key_client_hello
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 240 240
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, identities: :zeek:type:`psk_identity_vec`, binders: :zeek:type:`string_vec`)
+
+   Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
+   
+   The extension lists the identities the client is willing to negotiate with the server;
+   they can either be pre-shared or be based on previous handshakes.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param identities: A list of the identities the client is willing to negotiate with the server.
+   
+
+   :param binders: A series of HMAC values; for computation, see the TLS 1.3 RFC.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_pre_shared_key_server_hello
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 262 262
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, selected_identity: :zeek:type:`count`)
+
+   Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param selected_identity: The identity the server chose as a 0-based index into the identities
+                      the client sent.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_ecdh_server_params
+   :source-code: base/protocols/ssl/main.zeek 330 335
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, curve: :zeek:type:`count`, point: :zeek:type:`string`)
+
+   Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
+   This event contains the named curve name and the server ECDH parameters contained
+   in the ServerKeyExchange message as defined in :rfc:`4492`.
+   
+
+   :param c: The connection.
+   
+
+   :param curve: The curve parameters.
+   
+
+   :param point: The server's ECDH public key.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms
+
+.. zeek:id:: ssl_dh_server_params
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 297 297
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, p: :zeek:type:`string`, q: :zeek:type:`string`, Ys: :zeek:type:`string`)
+
+   Generated if a server uses a DH-anon or DHE cipher suite. This event contains
+   the server DH parameters, contained in the ServerKeyExchange message as
+   defined in :rfc:`5246`.
+   
+
+   :param c: The connection.
+   
+
+   :param p: The DH prime modulus.
+   
+
+   :param q: The DH generator.
+   
+
+   :param Ys: The server's DH public key.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms
+
+.. zeek:id:: ssl_server_signature
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 320 320
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, signature_and_hashalgorithm: :zeek:type:`SSL::SignatureAndHashAlgorithm`, signature: :zeek:type:`string`)
+
+   Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event
+   contains the server signature over the key exchange parameters contained in
+   the ServerKeyExchange message as defined in :rfc:`4492` and :rfc:`5246`.
+   
+
+   :param c: The connection.
+   
+
+   :param signature_and_hashalgorithm: signature and hash algorithm used for the
+                                digitally_signed struct. This field is only present
+                                starting with TLSv1.2 and DTLSv1.2. Earlier versions
+                                used a hardcoded hash algorithm. For protocol versions
+                                below D(TLS)v1.2 this field is filled with an dummy
+                                value of 256.
+   
+
+   :param signature: Signature part of the digitally_signed struct. The private key
+              corresponding to the certified public key in the server's certificate
+              message is used for signing.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_rsa_client_pms
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+
+.. zeek:id:: ssl_ecdh_client_params
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 334 334
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, point: :zeek:type:`string`)
+
+   Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event
+   contains the client ECDH public value contained in the ClientKeyExchange
+   message as defined in :rfc:`4492`.
+   
+
+   :param c: The connection.
+   
+
+   :param point: The client's ECDH public key.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms
+
+.. zeek:id:: ssl_dh_client_params
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 348 348
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, Yc: :zeek:type:`string`)
+
+   Generated if a client uses a DH-anon or DHE cipher suite. This event contains
+   the client DH parameters contained in the ClientKeyExchange message as
+   defined in :rfc:`5246`.
+   
+
+   :param c: The connection.
+   
+
+   :param Yc: The client's DH public key.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms
+
+.. zeek:id:: ssl_rsa_client_pms
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 362 362
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, pms: :zeek:type:`string`)
+
+   Generated if a client uses RSA key exchange. This event contains the client
+   encrypted pre-master secret which is encrypted using the public key of the
+   server's certificate as defined in :rfc:`5246`.
+   
+
+   :param c: The connection.
+   
+
+   :param pms: The encrypted pre-master secret.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+
+.. zeek:id:: ssl_extension_application_layer_protocol_negotiation
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 388 388
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, protocols: :zeek:type:`string_vec`)
+
+   Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
+   This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
+   the initial handshake. It contains the list of client supported application
+   protocols by the client or the server, respectively.
+   
+   At the moment it is mostly used to negotiate the use of SPDY / HTTP2.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param protocols: List of supported application layer protocols.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_server_name ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_server_name
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 414 414
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, names: :zeek:type:`string_vec`)
+
+   Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
+   defined in :rfc:`3546` and sent by the client in the initial handshake. It
+   contains the name of the server it is contacting. This information can be
+   used by the server to choose the correct certificate for the host the client
+   wants to contact.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param names: A list of server names (DNS hostnames).
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_signed_certificate_timestamp
+   :source-code: policy/protocols/ssl/validate-sct.zeek 77 80
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, version: :zeek:type:`count`, logid: :zeek:type:`string`, timestamp: :zeek:type:`count`, signature_and_hashalgorithm: :zeek:type:`SSL::SignatureAndHashAlgorithm`, signature: :zeek:type:`string`)
+
+   Generated for the signed_certificate_timestamp TLS extension as defined in
+   :rfc:`6962`. The extension is used to transmit signed proofs that are
+   used for Certificate Transparency.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param version: the version of the protocol to which the SCT conforms. Always
+            should be 0 (representing version 1)
+   
+
+   :param logid: 32 bit key id
+   
+
+   :param timestamp: the NTP Time when the entry was logged measured since
+              the epoch, ignoring leap seconds, in milliseconds.
+   
+
+   :param signature_and_hashalgorithm: signature and hash algorithm used for the
+                                digitally_signed struct
+   
+
+   :param signature: signature part of the digitally_signed struct
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_server_name ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_extension_application_layer_protocol_negotiation
+      x509_ocsp_ext_signed_certificate_timestamp sct_verify
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_supported_versions
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 473 473
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, versions: :zeek:type:`index_vec`)
+
+   Generated for an TLS Supported Versions extension. This TLS extension
+   is defined in the TLS 1.3 rfc and sent by the client in the initial handshake.
+   It contains the TLS versions that it supports. This information can be used by
+   the server to choose the best TLS version o use.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param versions: List of supported TLS versions.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_key_share ssl_extension_server_name
+      ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_psk_key_exchange_modes
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 139 147
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, modes: :zeek:type:`index_vec`)
+
+   Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
+   in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the
+   list of Pre-Shared Key Exchange Modes that it supports.
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param versions: List of supported Pre-Shared Key Exchange Modes.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_key_share ssl_extension_server_name
+      ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_connection_id
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 517 517
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, cid: :zeek:type:`string`)
+
+   Generated for an DTLS Connection ID extension. This TLS extension is defined
+   in the RFC 9146 and sent by the client or the server to signify that Connection IDs should
+   be used for the connection.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param cid: The connection ID given by the client or the server.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_key_share ssl_extension_server_name
+      ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+
+.. zeek:id:: ssl_established
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 533 533
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
+   an unencrypted handshake, and Zeek extracts as much information out of that
+   as it can. This event signals the time when an SSL/TLS has finished the
+   handshake and its endpoints consider it as fully established. Typically,
+   everything from now on will be encrypted.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello  ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate
+
+.. zeek:id:: ssl_alert
+   :source-code: base/protocols/ssl/main.zeek 487 493
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, level: :zeek:type:`count`, desc: :zeek:type:`count`)
+
+   Generated for SSL/TLS alert records. SSL/TLS sessions start with an
+   unencrypted handshake, and Zeek extracts as much information out of that as
+   it can. If during that handshake, an endpoint encounters a fatal error, it
+   sends an *alert* record, that in turn triggers this event. After an *alert*,
+   any endpoint may close the connection immediately.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param level: The severity level, as sent in the *alert*. The values are defined as
+          part of the SSL/TLS protocol.
+   
+
+   :param desc: A numerical value identifying the cause of the *alert*. The values are
+         defined as part of the SSL/TLS protocol.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake
+
+.. zeek:id:: ssl_session_ticket_handshake
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 68 73
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, ticket_lifetime_hint: :zeek:type:`count`, ticket: :zeek:type:`string`)
+
+   Generated for SSL/TLS handshake messages that are a part of the
+   stateless-server session resumption mechanism. SSL/TLS sessions start with
+   an unencrypted handshake, and Zeek extracts as much information out of that
+   as it can. This event is raised when an SSL/TLS server passes a session
+   ticket to the client that can later be used for resuming the session. The
+   mechanism is described in :rfc:`4507`.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param ticket_lifetime_hint: A hint from the server about how long the ticket
+                         should be stored by the client.
+   
+
+   :param ticket: The raw ticket data.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_alert
+
+.. zeek:id:: ssl_heartbeat
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 606 606
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, length: :zeek:type:`count`, heartbeat_type: :zeek:type:`count`, payload_length: :zeek:type:`count`, payload: :zeek:type:`string`)
+
+   Generated for SSL/TLS heartbeat messages that are sent before session
+   encryption starts. Generally heartbeat messages should rarely be seen in
+   normal TLS traffic. Heartbeats are described in :rfc:`6520`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param length: length of the entire heartbeat message.
+   
+
+   :param heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response.
+   
+
+   :param payload_length: length of the payload of the heartbeat message, according to
+                   packet field.
+   
+
+   :param payload: payload contained in the heartbeat message. Size can differ from
+            payload_length, if payload_length and actual packet length disagree.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_alert ssl_encrypted_data
+
+.. zeek:id:: ssl_plaintext_data
+   :source-code: base/protocols/ssl/main.zeek 538 547
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, record_version: :zeek:type:`count`, content_type: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for SSL/TLS messages that are sent before full session encryption
+   starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
+   here this event will be raised for early packets that are already using
+   pre-encryption.  # This event is also used by Zeek internally to determine if
+   the connection has been completely setup. This is necessary as TLS 1.3 does
+   not have CCS anymore.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param record_version: TLS version given in the record layer of the message.
+                   Set to 0 for SSLv2.
+   
+
+   :param content_type: message type as reported by TLS session layer. Not populated for
+                 SSLv2.
+   
+
+   :param length: length of the entire message.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_alert ssl_heartbeat
+
+.. zeek:id:: ssl_encrypted_data
+   :source-code: policy/protocols/ssl/heartbleed.zeek 226 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, record_version: :zeek:type:`count`, content_type: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for SSL/TLS messages that are sent after session encryption
+   started.
+   
+   Note that :zeek:id:`SSL::disable_analyzer_after_detection` has to be changed
+   from its default to false for this event to be generated.
+   
+   Also note that, for DTLS 1.3, it is not always possible to give an exact length for
+   the payload that is transported in the packet. If connection IDs are used, the length
+   provided is the length of the entire packet, without the first byte (for the unified header).
+   If no connection IDs are used, the length given is the actual payload length. Connection IDs
+   are used with the connection ID extension in the client or server hello.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param record_version: TLS version given in the record layer of the message.
+                   Set to 0 for SSLv2.
+   
+
+   :param content_type: message type as reported by TLS session layer. Not populated for
+                 SSLv2.
+   
+
+   :param length: length of the encrypted payload in the record.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_probable_encrypted_handshake_message
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 700 700
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, length: :zeek:type:`count`)
+
+   This event is generated for application data records of TLS 1.3 connections of which
+   we suspect that they contain handshake messages.
+   
+   In TLS 1.3, large parts of the handshake are encrypted; the only cleartext packets
+   typically exchanged are the client hello and the server hello. The first few packets
+   after the client and server hello, however, are a continuation of the handshake and
+   still include handshake data.
+   
+   This event is raised for these packets of which we suspect that they are handshake records,
+   including the finished record.
+   
+   The heuristic for this is: all application data record after the server hello are
+   handshake records until at least one application data record has been received
+   from both the server and the client. Typically, the server will send more records
+   before the client sends the first application data record; and the first application
+   data record of the client will typically include the finished message.
+   
+   Given the encrypted nature of the protocol, in some cases this determination is
+   not correct; the client can send more handshake packets before the finished message, e.g.,
+   when client certificates are used.
+   
+   Note that :zeek:see:`ssl_encrypted_data` is also raised for these messages.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param length: length of the entire message.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_server_hello
+      ssl_encrypted_data
+
+.. zeek:id:: ssl_stapled_ocsp
+   :source-code: policy/protocols/ssl/validate-ocsp.zeek 34 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, response: :zeek:type:`string`)
+
+   This event contains the OCSP response contained in a Certificate Status Request
+   message, when the client requested OCSP stapling and the server supports it.
+   See description in :rfc:`6066`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param response: OCSP data.
+
+.. zeek:id:: ssl_handshake_message
+   :source-code: base/protocols/ssl/main.zeek 376 458
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, msg_type: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   This event is raised for each unencrypted SSL/TLS handshake message.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param msg_type: Type of the handshake message that was seen.
+   
+
+   :param length: Length of the handshake message that was seen.
+   
+   .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate ssl_client_hello
+      ssl_change_cipher_spec ssl_connection_flipped ssl_certificate_request
+
+.. zeek:id:: ssl_change_cipher_spec
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 747 747
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`)
+
+   This event is raised when a SSL/TLS ChangeCipherSpec message is encountered
+   before encryption begins. Traffic will be encrypted following this message.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+   .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate ssl_client_hello
+      ssl_handshake_message
+
+.. zeek:id:: ssl_connection_flipped
+   :source-code: base/protocols/ssl/main.zeek 369 374
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Zeek typically assumes that the originator of a connection is the client of the SSL/TLS
+   session. In some scenarios this does not hold, and the responder of a connection is the
+   client, and the initiator is the server.
+   
+   In these cases, Zeek raises this event. Connection direction is detected by looking at the
+   server hello, client hello, and hello request handshake messages.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate ssl_client_hello
+      ssl_handshake_message
+
+.. zeek:id:: ssl_certificate_request
+   :source-code: policy/protocols/ssl/certificate-request-info.zeek 13 23
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, certificate_types: :zeek:type:`index_vec`, supported_signature_algorithms: :zeek:type:`signature_and_hashalgorithm_vec`, certificate_authorities: :zeek:type:`string_vec`)
+
+   This event is raised, when a Certificate Request handshake message is encountered. This
+   Message can be used by a TLS server to request a client certificate.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param certificate_types: List of the types of certificates that the client may offer.
+   
+
+   :param supported_signature_algorithms: List of hash/sighature algorithm pairs that the server
+                                   supports, listed in descending order of preferences.
+   
+
+   :param certificate_authorities: List of distinguished names of certificate authorities that are
+                            acceptable to the server. The individual entries are DER encoded.
+                            :zeek:id:`parse_distinguished_name` can be used to decode the strings.
+   
+   .. zeek:see:: ssl_handshake_message x509_certificate ssl_server_hello ssl_client_hello
+                 parse_distinguished_name
+
+Functions
++++++++++
+
+.. zeek:id:: set_ssl_established
+   :source-code: base/bif/plugins/Zeek_SSL.functions.bif.zeek 13 13
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`) : :zeek:type:`bool`
+
+   Sets if the SSL analyzer should consider the connection established (handshake
+   finished successfully).
+   
+
+   :param c: The SSL connection.
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: set_secret
+   :source-code: base/bif/plugins/Zeek_SSL.functions.bif.zeek 24 24
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, secret: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Set the secret that should be used to derive keys for the connection.
+   (For TLS 1.2 this is the pre-master secret).
+   
+
+   :param c: The affected connection
+   
+
+   :param secret: secret to set
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: set_keys
+   :source-code: base/bif/plugins/Zeek_SSL.functions.bif.zeek 35 35
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, keys: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Set the decryption keys that should be used to decrypt
+   TLS application data in the connection.
+   
+
+   :param c: The affected connection
+   
+
+   :param keys: The key buffer as derived via TLS PRF.
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: parse_distinguished_name
+   :source-code: base/bif/plugins/Zeek_SSL.functions.bif.zeek 46 46
+
+   :Type: :zeek:type:`function` (dn: :zeek:type:`string`) : :zeek:type:`string`
+
+   Decodes a DER-encoded distinguished name into an ASCII string,
+   using the RFC2253 representation
+   
+
+   :param dn: DER encoded distinguished name
+   
+
+   :returns: Ascii representation on success, empty string on failure
+   
+   .. zeek:see:: ssl_certificate_request
+
+.. _plugin-zeek-streamevent:
+
+Zeek::StreamEvent
+-----------------
+
+Delivers stream data as events
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_STREAM_EVENT`
+
+Events
+++++++
+
+.. zeek:id:: stream_deliver
+   :source-code: base/bif/plugins/Zeek_StreamEvent.events.bif.zeek 23 23
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for each chunk of reassembled TCP payload.
+   
+   This is a low-level event to inspect stream data from the originator
+   and responder endpoints. This can be useful for debugging purposes, or
+   for logging of plain-text interactive sessions when no more appropriate
+   analyzer is available.
+   
+   Note that this event is potentially expensive if connections that have
+   the stream event analyzer attached carry significant amounts of data.
+   Generally, a native protocol parser will have much less overhead than
+   passing the complete stream data to the scripting layer.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: T if stream data is from the originator-side, else F.
+   
+
+   :param data: The raw payload.
+   
+   .. zeek:see:: stream_undelivered tcp_contents
+
+.. zeek:id:: stream_undelivered
+   :source-code: base/bif/plugins/Zeek_StreamEvent.events.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, seq: :zeek:type:`count`, len: :zeek:type:`count`)
+
+   Generated when Zeek detects a gap in a reassembled TCP payload stream.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: T if the gap is in the originator-side input, else F.
+   
+
+   :param seq: The sequence number of the first byte of the gap.
+   
+
+   :param len: The length of the gap.
+   
+   .. zeek:see:: stream_deliver content_gap
+
+.. _plugin-zeek-syslog:
+
+Zeek::Syslog
+------------
+
+Syslog analyzer UDP-only
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_SYSLOG`
+
+Events
+++++++
+
+.. zeek:id:: syslog_message
+   :source-code: base/protocols/syslog/spicy-events.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, facility: :zeek:type:`count`, severity: :zeek:type:`count`, msg: :zeek:type:`string`)
+
+   Generated for monitored Syslog messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
+   information about the Syslog protocol.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param facility: The "facility" included in the message.
+   
+
+   :param severity: The "severity" included in the message.
+   
+
+   :param msg: The message logged.
+   
+   .. note:: Zeek currently parses only UDP syslog traffic.
+
+.. _plugin-zeek-tcp:
+
+Zeek::TCP
+---------
+
+TCP analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTLINE`
+
+:zeek:enum:`Analyzer::ANALYZER_CONTENTS`
+
+:zeek:enum:`Analyzer::ANALYZER_TCPSTATS`
+
+Types
++++++
+
+.. zeek:type:: TCP::Option
+   :source-code: base/init-bare.zeek 684 711
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: kind :zeek:type:`count`
+
+      The kind number associated with the option.  Other optional fields
+      of this record may be set depending on this value.
+
+
+   .. zeek:field:: length :zeek:type:`count`
+
+      The total length of the option in bytes, including the kind byte and
+      length byte (if present).
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      This field is set to the raw option bytes if the kind is not
+      otherwise known/parsed.  It's also set for known kinds whose length
+      was invalid.
+
+
+   .. zeek:field:: mss :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 2: Maximum Segment Size.
+
+
+   .. zeek:field:: window_scale :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 3: Window scale.
+
+
+   .. zeek:field:: sack :zeek:type:`index_vec` :zeek:attr:`&optional`
+
+      Kind 5: Selective ACKnowledgement (SACK).  This is a list of 2, 4,
+      6, or 8 numbers with each consecutive pair being a 32-bit
+      begin-pointer and 32-bit end pointer.
+
+
+   .. zeek:field:: send_timestamp :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 8: 4-byte sender timestamp value.
+
+
+   .. zeek:field:: echo_timestamp :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 8: 4-byte echo reply timestamp value.
+
+
+   .. zeek:field:: rate :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 27: TCP Quick Start Response value.
+
+
+   .. zeek:field:: ttl_diff :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: qs_nonce :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   A TCP Option field parsed from a TCP header.
+
+.. zeek:type:: TCP::OptionList
+   :source-code: base/init-bare.zeek 714 714
+
+   :Type: :zeek:type:`vector` of :zeek:type:`TCP::Option`
+
+   The full list of TCP Option fields parsed from a TCP header.
+
+Events
+++++++
+
+.. zeek:id:: new_connection_contents
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when reassembly starts for a TCP connection. This event is raised
+   at the moment when Zeek's TCP analyzer enables stream reassembly for a
+   connection.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_state_remove connection_status_update connection_timeout
+      scheduled_analyzer_applied new_connection partial_connection
+
+.. zeek:id:: connection_attempt
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 531 535
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for an unsuccessful connection attempt. This event is raised when
+   an originator unsuccessfully attempted to establish a connection.
+   "Unsuccessful" is defined as at least :zeek:id:`tcp_attempt_delay` seconds
+   having elapsed since the originator first sent a connection establishment
+   packet to the destination without seeing a reply.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_established
+      connection_finished connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_established
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 53 53
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when seeing a SYN-ACK packet from the responder in a TCP
+   handshake.  An associated SYN packet was not seen from the originator
+   side if its state is not set to :zeek:see:`TCP_ESTABLISHED`.
+   The final ACK of the handshake in response to SYN-ACK may
+   or may not occur later, one way to tell is to check the *history* field of
+   :zeek:type:`connection` to see if the originator sent an ACK, indicated by
+   'A' in the history string.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_finished connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: partial_connection
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 525 529
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a new active TCP connection if Zeek did not see the initial
+   handshake. This event is raised when Zeek has observed traffic from each
+   endpoint, but the activity did not begin with the usual connection
+   establishment.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_state_remove connection_status_update connection_timeout
+      scheduled_analyzer_applied new_connection new_connection_contents
+   
+
+.. zeek:id:: connection_partial_close
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 87 87
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a previously inactive endpoint attempts to close a TCP
+   connection via a normal FIN handshake or an abort RST sequence. When the
+   endpoint sent one of these packets, Zeek waits
+   :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give
+   the other endpoint a chance to close the connection normally.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_finished
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 101 101
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a TCP connection that finished normally. The event is raised
+   when a regular FIN handshake from both endpoints was observed.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_half_finished
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 116 116
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when one endpoint of a TCP connection attempted to gracefully close
+   the connection, but the other endpoint is in the TCP_INACTIVE state. This can
+   happen due to split routing, in which Zeek only sees one side of a connection.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK  connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_rejected
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 537 541
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a rejected TCP connection. This event is raised when an
+   originator attempted to setup a TCP connection but the responder replied
+   with a RST packet denying it.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending  connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+   
+   .. note::
+   
+      If the responder does not respond at all, :zeek:id:`connection_attempt` is
+      raised instead. If the responder initially accepts the connection but
+      aborts it later, Zeek first generates :zeek:id:`connection_established`
+      and then :zeek:id:`connection_reset`.
+
+.. zeek:id:: connection_reset
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 543 547
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when an endpoint aborted a TCP connection. The event is raised
+   when one endpoint of an established TCP connection aborted by sending a RST
+   packet.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected  connection_reused
+      connection_state_remove connection_status_update connection_timeout
+      scheduled_analyzer_applied new_connection new_connection_contents
+      partial_connection
+
+.. zeek:id:: connection_pending
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 549 553
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for each still-open TCP connection when Zeek terminates.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection zeek_done
+
+.. zeek:id:: connection_SYN_packet
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 192 192
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, pkt: :zeek:type:`SYN_packet`)
+
+   Generated for a SYN packet. Zeek raises this event for every SYN packet seen
+   by its TCP analyzer. This includes packets that have other flags set - like
+   in the case of SYN-ACK packets.
+   
+
+   :param c: The connection.
+   
+
+   :param pkt: Information extracted from the SYN packet.
+   
+   .. zeek:see:: connection_EOF  connection_attempt connection_established
+      connection_finished connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+   
+   .. note::
+   
+      This event has quite low-level semantics and can potentially be expensive
+      to generate. It should only be used if one really needs the specific
+      information passed into the handler via the ``pkt`` argument. If not,
+      handling one of the other ``connection_*`` events is typically the
+      better approach.
+
+.. zeek:id:: connection_first_ACK
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 210 210
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for the first ACK packet seen for a TCP connection from
+   its *originator*.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+   
+   .. note::
+   
+      This event has quite low-level semantics and should be used only rarely.
+
+.. zeek:id:: connection_EOF
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 227 227
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated at the end of reassembled TCP connections. The TCP reassembler
+   raised the event once for each endpoint of a connection when it finished
+   reassembling the corresponding side of the communication.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+   .. zeek:see::  connection_SYN_packet connection_attempt connection_established
+      connection_finished connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: tcp_packet
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 256 256
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flags: :zeek:type:`string`, seq: :zeek:type:`count`, ack: :zeek:type:`count`, len: :zeek:type:`count`, payload: :zeek:type:`string`)
+
+   Generated for every TCP packet. This is a very low-level and expensive event
+   that should be avoided when at all possible. It's usually infeasible to
+   handle when processing even medium volumes of traffic in real-time.  It's
+   slightly better than :zeek:id:`new_packet` because it affects only TCP, but
+   not much. That said, if you work from a trace and want to do some
+   packet-level analysis, it may come in handy.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param flags: A string with the packet's TCP flags. In the string, each character
+          corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
+          ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH; ``U`` -> URGENT.
+   
+
+   :param seq: The packet's relative TCP sequence number.
+   
+
+   :param ack: If the ACK flag is set for the packet, the packet's relative ACK
+        number, else zero.
+   
+
+   :param len: The length of the TCP payload, as specified in the packet header.
+   
+
+   :param payload: The raw TCP payload. Note that this may be shorter than *len* if
+            the packet was not fully captured.
+   
+   .. zeek:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
+
+.. zeek:id:: tcp_option
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 274 274
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, opt: :zeek:type:`count`, optlen: :zeek:type:`count`)
+
+   Generated for each option found in a TCP header. Like many of the ``tcp_*``
+   events, this is a very low-level event and potentially expensive as it may
+   be raised very often.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param opt: The numerical option number, as found in the TCP header.
+   
+
+   :param optlen: The length of the options value.
+   
+   .. zeek:see:: tcp_packet tcp_contents tcp_rexmit tcp_options
+   
+   .. note:: To inspect the actual option values, if any, use :zeek:see:`tcp_options`.
+
+.. zeek:id:: tcp_options
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 287 287
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, options: :zeek:type:`TCP::OptionList`)
+
+   Generated for each TCP header that contains TCP options.  This is a very
+   low-level event and potentially expensive as it may be raised very often.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param options: The list of options parsed out of the TCP header.
+   
+   .. zeek:see:: tcp_packet tcp_contents tcp_rexmit tcp_option
+
+.. zeek:id:: tcp_contents
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 320 320
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, seq: :zeek:type:`count`, contents: :zeek:type:`string`)
+
+   Generated for each chunk of reassembled TCP payload. When content delivery is
+   enabled for a TCP connection (via :zeek:id:`tcp_content_delivery_ports_orig`,
+   :zeek:id:`tcp_content_delivery_ports_resp`,
+   :zeek:id:`tcp_content_deliver_all_orig`,
+   :zeek:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
+   of in-order payload reconstructed from the packet stream. Note that this
+   event is potentially expensive if many connections carry significant amounts
+   of data as then all that data needs to be passed on to the scripting layer.
+   
+
+   :param c: The connection the payload is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param seq: The sequence number corresponding to the first byte of the payload
+        chunk.
+   
+
+   :param contents: The raw payload, which will be non-empty.
+   
+   .. zeek:see:: tcp_packet tcp_option tcp_rexmit
+      tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
+      tcp_content_deliver_all_resp tcp_content_deliver_all_orig
+   
+   .. note::
+   
+      The payload received by this event is the same that is also passed into
+      application-layer protocol analyzers internally. Subsequent invocations of
+      this event for the same connection receive non-overlapping in-order chunks
+      of its TCP payload stream. It is however undefined what size each chunk
+      has; while Zeek passes the data on as soon as possible, specifics depend on
+      network-level effects such as latency, acknowledgements, reordering, etc.
+
+.. zeek:id:: tcp_rexmit
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 338 338
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, seq: :zeek:type:`count`, len: :zeek:type:`count`, data_in_flight: :zeek:type:`count`, window: :zeek:type:`count`)
+
+   Generated for each detected TCP segment retransmission.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param seq: The segment's relative TCP sequence number.
+   
+
+   :param len: The length of the TCP segment, as specified in the packet header.
+   
+
+   :param data_in_flight: The number of bytes corresponding to the difference between
+                   the last sequence number and last acknowledgement number
+                   we've seen for a given endpoint.
+   
+
+   :param window: the TCP window size.
+
+.. zeek:id:: tcp_multiple_checksum_errors
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 352 352
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a TCP flow crosses a checksum-error threshold, per
+   'C'/'c' history reporting.
+   
+
+   :param c: The connection record for the TCP connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  udp_multiple_checksum_errors
+      tcp_multiple_zero_windows tcp_multiple_retransmissions tcp_multiple_gap
+
+.. zeek:id:: tcp_multiple_zero_windows
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 365 365
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a TCP flow crosses a zero-window threshold, per
+   'W'/'w' history reporting.
+   
+
+   :param c: The connection record for the TCP connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  tcp_multiple_checksum_errors tcp_multiple_retransmissions tcp_multiple_gap
+
+.. zeek:id:: tcp_multiple_retransmissions
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 378 378
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a TCP flow crosses a retransmission threshold, per
+   'T'/'t' history reporting.
+   
+
+   :param c: The connection record for the TCP connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_gap
+
+.. zeek:id:: tcp_multiple_gap
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 391 391
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a TCP flow crosses a gap threshold, per 'G'/'g' history
+   reporting.
+   
+
+   :param c: The connection record for the TCP connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_retransmissions
+
+.. zeek:id:: contents_file_write_failure
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 403 403
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
+
+   Generated when failing to write contents of a TCP stream to a file.
+   
+
+   :param c: The connection whose contents are being recorded.
+   
+
+   :param is_orig: Which side of the connection encountered a failure to write.
+   
+
+   :param msg: A reason or description for the failure.
+   
+   .. zeek:see:: set_contents_file get_contents_file
+
+Functions
++++++++++
+
+.. zeek:id:: get_orig_seq
+   :source-code: base/bif/plugins/Zeek_TCP.functions.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`count`
+
+   Get the originator sequence number of a TCP connection. Sequence numbers
+   are absolute (i.e., they reflect the values seen directly in packet headers;
+   they are not relative to the beginning of the connection).
+   
+
+   :param cid: The connection ID.
+   
+
+   :returns: The highest sequence number sent by a connection's originator, or 0
+            if *cid* does not point to an active TCP connection.
+   
+   .. zeek:see:: get_resp_seq
+
+.. zeek:id:: get_resp_seq
+   :source-code: base/bif/plugins/Zeek_TCP.functions.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`count`
+
+   Get the responder sequence number of a TCP connection. Sequence numbers
+   are absolute (i.e., they reflect the values seen directly in packet headers;
+   they are not relative to the beginning of the connection).
+   
+
+   :param cid: The connection ID.
+   
+
+   :returns: The highest sequence number sent by a connection's responder, or 0
+            if *cid* does not point to an active TCP connection.
+   
+   .. zeek:see:: get_orig_seq
+
+.. zeek:id:: set_contents_file
+   :source-code: base/bif/plugins/Zeek_TCP.functions.bif.zeek 64 64
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, direction: :zeek:type:`count`, f: :zeek:type:`file`) : :zeek:type:`bool`
+
+   Associates a file handle with a connection for writing TCP byte stream
+   contents.
+   
+
+   :param cid: The connection ID.
+   
+
+   :param direction: Controls what sides of the connection to record. The argument can
+              take one of the four values:
+   
+              - ``CONTENTS_NONE``: Stop recording the connection's content.
+              - ``CONTENTS_ORIG``: Record the data sent by the connection
+                originator (often the client).
+              - ``CONTENTS_RESP``: Record the data sent by the connection
+                responder (often the server).
+              - ``CONTENTS_BOTH``: Record the data sent in both directions.
+                Results in the two directions being intermixed in the file,
+                in the order the data was seen by Zeek.
+   
+
+   :param f: The file handle of the file to write the contents to.
+   
+
+   :returns: Returns false if *cid* does not point to an active connection, and
+            true otherwise.
+   
+   .. note::
+   
+       The data recorded to the file reflects the byte stream, not the
+       contents of individual packets. Reordering and duplicates are
+       removed. If any data is missing, the recording stops at the
+       missing data; this can happen, e.g., due to an
+       :zeek:id:`content_gap` event.
+   
+   .. zeek:see:: get_contents_file set_record_packets contents_file_write_failure
+
+.. zeek:id:: get_contents_file
+   :source-code: base/bif/plugins/Zeek_TCP.functions.bif.zeek 80 80
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, direction: :zeek:type:`count`) : :zeek:type:`file`
+
+   Returns the file handle of the contents file of a connection.
+   
+
+   :param cid: The connection ID.
+   
+
+   :param direction: Controls what sides of the connection to record. See
+              :zeek:id:`set_contents_file` for possible values.
+   
+
+   :returns: The :zeek:type:`file` handle for the contents file of the
+            connection identified by *cid*. If the connection exists
+            but there is no contents file for *direction*, then the function
+            generates an error and returns a file handle to ``stderr``.
+   
+   .. zeek:see:: set_contents_file set_record_packets contents_file_write_failure
+
+.. _plugin-zeek-websocket:
+
+Zeek::WebSocket
+---------------
+
+WebSocket analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_WEBSOCKET`
+
+Options/Constants
++++++++++++++++++
+
+.. zeek:id:: WebSocket::payload_chunk_size
+   :source-code: base/init-bare.zeek 791 791
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``8192``
+
+   The WebSocket analyzer consumes and forwards
+   frame payload in chunks to keep memory usage
+   bounded. There should not be a reason to change
+   this value except for debugging and
+   testing reasons.
+
+Types
++++++
+
+.. zeek:type:: WebSocket::AnalyzerConfig
+   :source-code: base/init-bare.zeek 806 822
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: analyzer :zeek:type:`Analyzer::Tag` :zeek:attr:`&optional`
+
+      The analyzer to attach for analysis of the WebSocket
+      frame payload. See *use_dpd* below for the behavior
+      when unset.
+
+
+   .. zeek:field:: use_dpd :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`WebSocket::use_dpd_default` :zeek:attr:`&optional`
+
+      If *analyzer* is unset, determines whether to attach a
+      PIA_TCP analyzer for dynamic protocol detection with
+      WebSocket payload.
+
+
+   .. zeek:field:: subprotocol :zeek:type:`string` :zeek:attr:`&optional`
+
+      The subprotocol as selected by the server, if any.
+
+
+   .. zeek:field:: server_extensions :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      The WebSocket extensions as selected by the server, if any.
+
+
+   Record type that is passed to :zeek:see:`WebSocket::configure_analyzer`.
+   
+   This record allows to configure the WebSocket analyzer given
+   parameters collected from HTTP headers.
+
+Events
+++++++
+
+.. zeek:id:: websocket_established
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 11 11
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, aid: :zeek:type:`count`)
+
+   Generated when a WebSocket handshake completed.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param aid: The analyzer identifier of the WebSocket analyzer.
+   
+   .. zeek:see:: WebSocket::__configure_analyzer WebSocket::configure_analyzer
+
+.. zeek:id:: websocket_frame
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 28 28
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, fin: :zeek:type:`bool`, rsv: :zeek:type:`count`, opcode: :zeek:type:`count`, payload_len: :zeek:type:`count`)
+
+   Generated for every WebSocket frame.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param is_orig: True if the frame is from the originator, else false.
+   
+
+   :param fin: True if the fin bit is set, else false.
+   
+
+   :param rsv: The value of the RSV1, RSV2 and RSV3 bits.
+   
+
+   :param opcode: The frame's opcode.
+   
+
+   :param payload_len: The frame's payload length.
+   
+
+.. zeek:id:: websocket_frame_data
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 45 45
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for every chunk of WebSocket frame payload data.
+   
+   Do not use it to extract data from a WebSocket connection unless for testing
+   or experimentation. Consider implementing a proper analyzer instead.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param is_orig: True if the frame is from the originator, else false.
+   
+
+   :param data: One data chunk of frame payload. The length of is at most
+         :zeek:see:`WebSocket::payload_chunk_size` bytes. A frame with
+         a longer payload will result in multiple events events.
+   
+   .. zeek:see:: WebSocket::payload_chunk_size
+
+.. zeek:id:: websocket_message
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 56 56
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, opcode: :zeek:type:`count`)
+
+   Generated for every completed WebSocket message.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param is_orig: True if the frame is from the originator, else false.
+   
+
+   :param opcode: The first frame's opcode.
+
+.. zeek:id:: websocket_close
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 72 72
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, status: :zeek:type:`count`, reason: :zeek:type:`string`)
+
+   Generated for WebSocket Close frames.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param is_orig: True if the frame is from the originator, else false.
+   
+
+   :param status: If the CloseFrame had no payload, this is 0, otherwise the value
+           of the first two bytes in the frame's payload.
+   
+
+   :param reason: Remaining payload after *status*. This is capped at
+           2 bytes less than :zeek:see:`WebSocket::payload_chunk_size`.
+   
+   .. zeek:see:: WebSocket::payload_chunk_size
+
+Functions
++++++++++
+
+.. zeek:id:: WebSocket::__configure_analyzer
+   :source-code: base/bif/plugins/Zeek_WebSocket.functions.bif.zeek 24 24
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, aid: :zeek:type:`count`, config: :zeek:type:`WebSocket::AnalyzerConfig`) : :zeek:type:`bool`
+
+   Configure the WebSocket analyzer.
+   
+   Called during :zeek:see:`websocket_established` to configure
+   the WebSocket analyzer given the selected protocol and extension
+   as chosen by the server.
+   
+
+   :param c: The WebSocket connection.
+
+   :param aid: The identifier for the WebSocket analyzer as provided to :zeek:see:`websocket_established`.
+   
+
+   :param server_protocol: The protocol as found in the server's Sec-WebSocket-Protocol HTTP header, or empty.
+   
+
+   :param server_extensions: The extension as selected by the server via the Sec-WebSocket-Extensions HTTP Header.
+   
+   .. zeek:see:: websocket_established
+
+.. _plugin-zeek-xmpp:
+
+Zeek::XMPP
+----------
+
+XMPP analyzer (StartTLS only)
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_XMPP`
+
+Events
+++++++
+
+.. zeek:id:: xmpp_starttls
+   :source-code: base/bif/plugins/Zeek_XMPP.events.bif.zeek 8 8
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a XMPP connection goes encrypted after a successful
+   StartTLS exchange between the client and the server.
+   
+
+   :param c: The connection.
+
+.. _plugin-zeek-zip:
+
+Zeek::ZIP
+---------
+
+Generic ZIP support analyzer
+
+Components
+++++++++++
+
+:zeek:enum:`Analyzer::ANALYZER_ZIP`
+
diff --git a/doc/script-reference/autogenerated-script-index.rst b/doc/script-reference/autogenerated-script-index.rst
new file mode 100644
index 0000000000..ff5472e353
--- /dev/null
+++ b/doc/script-reference/autogenerated-script-index.rst
@@ -0,0 +1,658 @@
+.. toctree::
+   :maxdepth: 1
+
+   base/init-bare.zeek </scripts/base/init-bare.zeek>
+   base/bif/const.bif.zeek </scripts/base/bif/const.bif.zeek>
+   base/bif/types.bif.zeek </scripts/base/bif/types.bif.zeek>
+   base/bif/zeek.bif.zeek </scripts/base/bif/zeek.bif.zeek>
+   base/bif/communityid.bif.zeek </scripts/base/bif/communityid.bif.zeek>
+   base/bif/stats.bif.zeek </scripts/base/bif/stats.bif.zeek>
+   base/bif/reporter.bif.zeek </scripts/base/bif/reporter.bif.zeek>
+   base/bif/strings.bif.zeek </scripts/base/bif/strings.bif.zeek>
+   base/bif/option.bif.zeek </scripts/base/bif/option.bif.zeek>
+   base/frameworks/supervisor/api.zeek </scripts/base/frameworks/supervisor/api.zeek>
+   base/bif/supervisor.bif.zeek </scripts/base/bif/supervisor.bif.zeek>
+   base/bif/packet_analysis.bif.zeek </scripts/base/bif/packet_analysis.bif.zeek>
+   base/bif/CPP-load.bif.zeek </scripts/base/bif/CPP-load.bif.zeek>
+   base/bif/mmdb.bif.zeek </scripts/base/bif/mmdb.bif.zeek>
+   base/bif/plugins/Zeek_SNMP.types.bif.zeek </scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek>
+   base/bif/plugins/Zeek_KRB.types.bif.zeek </scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek>
+   base/bif/telemetry_functions.bif.zeek </scripts/base/bif/telemetry_functions.bif.zeek>
+   base/bif/telemetry_types.bif.zeek </scripts/base/bif/telemetry_types.bif.zeek>
+   base/bif/event.bif.zeek </scripts/base/bif/event.bif.zeek>
+   base/packet-protocols/__load__.zeek </scripts/base/packet-protocols/__load__.zeek>
+   base/packet-protocols/main.zeek </scripts/base/packet-protocols/main.zeek>
+   base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>
+   base/frameworks/packet-filter/utils.zeek </scripts/base/frameworks/packet-filter/utils.zeek>
+   base/bif/analyzer.bif.zeek </scripts/base/bif/analyzer.bif.zeek>
+   base/bif/file_analysis.bif.zeek </scripts/base/bif/file_analysis.bif.zeek>
+   base/packet-protocols/root/__load__.zeek </scripts/base/packet-protocols/root/__load__.zeek>
+   base/packet-protocols/root/main.zeek </scripts/base/packet-protocols/root/main.zeek>
+   base/packet-protocols/ip/__load__.zeek </scripts/base/packet-protocols/ip/__load__.zeek>
+   base/packet-protocols/ip/main.zeek </scripts/base/packet-protocols/ip/main.zeek>
+   base/packet-protocols/skip/__load__.zeek </scripts/base/packet-protocols/skip/__load__.zeek>
+   base/packet-protocols/skip/main.zeek </scripts/base/packet-protocols/skip/main.zeek>
+   base/packet-protocols/ethernet/__load__.zeek </scripts/base/packet-protocols/ethernet/__load__.zeek>
+   base/packet-protocols/ethernet/main.zeek </scripts/base/packet-protocols/ethernet/main.zeek>
+   base/packet-protocols/fddi/__load__.zeek </scripts/base/packet-protocols/fddi/__load__.zeek>
+   base/packet-protocols/fddi/main.zeek </scripts/base/packet-protocols/fddi/main.zeek>
+   base/packet-protocols/ieee802_11/__load__.zeek </scripts/base/packet-protocols/ieee802_11/__load__.zeek>
+   base/packet-protocols/ieee802_11/main.zeek </scripts/base/packet-protocols/ieee802_11/main.zeek>
+   base/packet-protocols/ieee802_11_radio/__load__.zeek </scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek>
+   base/packet-protocols/ieee802_11_radio/main.zeek </scripts/base/packet-protocols/ieee802_11_radio/main.zeek>
+   base/packet-protocols/linux_sll/__load__.zeek </scripts/base/packet-protocols/linux_sll/__load__.zeek>
+   base/packet-protocols/linux_sll/main.zeek </scripts/base/packet-protocols/linux_sll/main.zeek>
+   base/packet-protocols/linux_sll2/__load__.zeek </scripts/base/packet-protocols/linux_sll2/__load__.zeek>
+   base/packet-protocols/linux_sll2/main.zeek </scripts/base/packet-protocols/linux_sll2/main.zeek>
+   base/packet-protocols/nflog/__load__.zeek </scripts/base/packet-protocols/nflog/__load__.zeek>
+   base/packet-protocols/nflog/main.zeek </scripts/base/packet-protocols/nflog/main.zeek>
+   base/packet-protocols/null/__load__.zeek </scripts/base/packet-protocols/null/__load__.zeek>
+   base/packet-protocols/null/main.zeek </scripts/base/packet-protocols/null/main.zeek>
+   base/packet-protocols/ppp/__load__.zeek </scripts/base/packet-protocols/ppp/__load__.zeek>
+   base/packet-protocols/ppp/main.zeek </scripts/base/packet-protocols/ppp/main.zeek>
+   base/packet-protocols/ppp_serial/__load__.zeek </scripts/base/packet-protocols/ppp_serial/__load__.zeek>
+   base/packet-protocols/ppp_serial/main.zeek </scripts/base/packet-protocols/ppp_serial/main.zeek>
+   base/packet-protocols/pppoe/__load__.zeek </scripts/base/packet-protocols/pppoe/__load__.zeek>
+   base/packet-protocols/pppoe/main.zeek </scripts/base/packet-protocols/pppoe/main.zeek>
+   base/packet-protocols/vlan/__load__.zeek </scripts/base/packet-protocols/vlan/__load__.zeek>
+   base/packet-protocols/vlan/main.zeek </scripts/base/packet-protocols/vlan/main.zeek>
+   base/packet-protocols/mpls/__load__.zeek </scripts/base/packet-protocols/mpls/__load__.zeek>
+   base/packet-protocols/mpls/main.zeek </scripts/base/packet-protocols/mpls/main.zeek>
+   base/packet-protocols/pbb/__load__.zeek </scripts/base/packet-protocols/pbb/__load__.zeek>
+   base/packet-protocols/pbb/main.zeek </scripts/base/packet-protocols/pbb/main.zeek>
+   base/packet-protocols/vntag/__load__.zeek </scripts/base/packet-protocols/vntag/__load__.zeek>
+   base/packet-protocols/vntag/main.zeek </scripts/base/packet-protocols/vntag/main.zeek>
+   base/packet-protocols/udp/__load__.zeek </scripts/base/packet-protocols/udp/__load__.zeek>
+   base/packet-protocols/udp/main.zeek </scripts/base/packet-protocols/udp/main.zeek>
+   base/packet-protocols/tcp/__load__.zeek </scripts/base/packet-protocols/tcp/__load__.zeek>
+   base/packet-protocols/tcp/main.zeek </scripts/base/packet-protocols/tcp/main.zeek>
+   base/packet-protocols/icmp/__load__.zeek </scripts/base/packet-protocols/icmp/__load__.zeek>
+   base/packet-protocols/icmp/main.zeek </scripts/base/packet-protocols/icmp/main.zeek>
+   base/packet-protocols/llc/__load__.zeek </scripts/base/packet-protocols/llc/__load__.zeek>
+   base/packet-protocols/llc/main.zeek </scripts/base/packet-protocols/llc/main.zeek>
+   base/packet-protocols/novell_802_3/__load__.zeek </scripts/base/packet-protocols/novell_802_3/__load__.zeek>
+   base/packet-protocols/novell_802_3/main.zeek </scripts/base/packet-protocols/novell_802_3/main.zeek>
+   base/packet-protocols/snap/__load__.zeek </scripts/base/packet-protocols/snap/__load__.zeek>
+   base/packet-protocols/snap/main.zeek </scripts/base/packet-protocols/snap/main.zeek>
+   base/packet-protocols/gre/__load__.zeek </scripts/base/packet-protocols/gre/__load__.zeek>
+   base/packet-protocols/gre/main.zeek </scripts/base/packet-protocols/gre/main.zeek>
+   base/packet-protocols/iptunnel/__load__.zeek </scripts/base/packet-protocols/iptunnel/__load__.zeek>
+   base/packet-protocols/iptunnel/main.zeek </scripts/base/packet-protocols/iptunnel/main.zeek>
+   base/packet-protocols/ayiya/__load__.zeek </scripts/base/packet-protocols/ayiya/__load__.zeek>
+   base/packet-protocols/ayiya/main.zeek </scripts/base/packet-protocols/ayiya/main.zeek>
+   base/packet-protocols/geneve/__load__.zeek </scripts/base/packet-protocols/geneve/__load__.zeek>
+   base/packet-protocols/geneve/main.zeek </scripts/base/packet-protocols/geneve/main.zeek>
+   base/packet-protocols/vxlan/__load__.zeek </scripts/base/packet-protocols/vxlan/__load__.zeek>
+   base/packet-protocols/vxlan/main.zeek </scripts/base/packet-protocols/vxlan/main.zeek>
+   base/packet-protocols/teredo/__load__.zeek </scripts/base/packet-protocols/teredo/__load__.zeek>
+   base/packet-protocols/teredo/main.zeek </scripts/base/packet-protocols/teredo/main.zeek>
+   base/bif/plugins/Zeek_Teredo.events.bif.zeek </scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek>
+   base/bif/plugins/Zeek_Teredo.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek>
+   base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>
+   base/packet-protocols/gtpv1/__load__.zeek </scripts/base/packet-protocols/gtpv1/__load__.zeek>
+   base/packet-protocols/gtpv1/main.zeek </scripts/base/packet-protocols/gtpv1/main.zeek>
+   base/bif/plugins/Zeek_GTPv1.events.bif.zeek </scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek>
+   base/bif/plugins/Zeek_GTPv1.functions.bif.zeek </scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek>
+   base/frameworks/spicy/init-bare.zeek </scripts/base/frameworks/spicy/init-bare.zeek>
+   builtin-plugins/__preload__.zeek </scripts/builtin-plugins/__preload__.zeek>
+   base/init-frameworks-and-bifs.zeek </scripts/base/init-frameworks-and-bifs.zeek>
+   base/frameworks/logging/__load__.zeek </scripts/base/frameworks/logging/__load__.zeek>
+   base/frameworks/logging/main.zeek </scripts/base/frameworks/logging/main.zeek>
+   base/bif/logging.bif.zeek </scripts/base/bif/logging.bif.zeek>
+   base/frameworks/logging/postprocessors/__load__.zeek </scripts/base/frameworks/logging/postprocessors/__load__.zeek>
+   base/frameworks/logging/postprocessors/scp.zeek </scripts/base/frameworks/logging/postprocessors/scp.zeek>
+   base/frameworks/logging/postprocessors/sftp.zeek </scripts/base/frameworks/logging/postprocessors/sftp.zeek>
+   base/frameworks/logging/writers/ascii.zeek </scripts/base/frameworks/logging/writers/ascii.zeek>
+   base/frameworks/logging/writers/sqlite.zeek </scripts/base/frameworks/logging/writers/sqlite.zeek>
+   base/frameworks/logging/writers/none.zeek </scripts/base/frameworks/logging/writers/none.zeek>
+   base/frameworks/broker/__load__.zeek </scripts/base/frameworks/broker/__load__.zeek>
+   base/frameworks/broker/main.zeek </scripts/base/frameworks/broker/main.zeek>
+   base/bif/comm.bif.zeek </scripts/base/bif/comm.bif.zeek>
+   base/bif/messaging.bif.zeek </scripts/base/bif/messaging.bif.zeek>
+   base/frameworks/broker/store.zeek </scripts/base/frameworks/broker/store.zeek>
+   base/bif/data.bif.zeek </scripts/base/bif/data.bif.zeek>
+   base/bif/store.bif.zeek </scripts/base/bif/store.bif.zeek>
+   base/frameworks/broker/log.zeek </scripts/base/frameworks/broker/log.zeek>
+   base/frameworks/broker/backpressure.zeek </scripts/base/frameworks/broker/backpressure.zeek>
+   base/frameworks/supervisor/__load__.zeek </scripts/base/frameworks/supervisor/__load__.zeek>
+   base/frameworks/supervisor/control.zeek </scripts/base/frameworks/supervisor/control.zeek>
+   base/frameworks/supervisor/main.zeek </scripts/base/frameworks/supervisor/main.zeek>
+   base/frameworks/input/__load__.zeek </scripts/base/frameworks/input/__load__.zeek>
+   base/frameworks/input/main.zeek </scripts/base/frameworks/input/main.zeek>
+   base/bif/input.bif.zeek </scripts/base/bif/input.bif.zeek>
+   base/frameworks/input/readers/ascii.zeek </scripts/base/frameworks/input/readers/ascii.zeek>
+   base/frameworks/input/readers/raw.zeek </scripts/base/frameworks/input/readers/raw.zeek>
+   base/frameworks/input/readers/benchmark.zeek </scripts/base/frameworks/input/readers/benchmark.zeek>
+   base/frameworks/input/readers/binary.zeek </scripts/base/frameworks/input/readers/binary.zeek>
+   base/frameworks/input/readers/config.zeek </scripts/base/frameworks/input/readers/config.zeek>
+   base/frameworks/input/readers/sqlite.zeek </scripts/base/frameworks/input/readers/sqlite.zeek>
+   base/frameworks/cluster/__load__.zeek </scripts/base/frameworks/cluster/__load__.zeek>
+   base/frameworks/cluster/main.zeek </scripts/base/frameworks/cluster/main.zeek>
+   base/frameworks/control/__load__.zeek </scripts/base/frameworks/control/__load__.zeek>
+   base/frameworks/control/main.zeek </scripts/base/frameworks/control/main.zeek>
+   base/bif/cluster.bif.zeek </scripts/base/bif/cluster.bif.zeek>
+   base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek </scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek>
+   base/frameworks/cluster/pools.zeek </scripts/base/frameworks/cluster/pools.zeek>
+   base/utils/hash_hrw.zeek </scripts/base/utils/hash_hrw.zeek>
+   base/frameworks/cluster/telemetry.zeek </scripts/base/frameworks/cluster/telemetry.zeek>
+   base/frameworks/config/__load__.zeek </scripts/base/frameworks/config/__load__.zeek>
+   base/frameworks/config/main.zeek </scripts/base/frameworks/config/main.zeek>
+   base/frameworks/config/input.zeek </scripts/base/frameworks/config/input.zeek>
+   base/frameworks/config/weird.zeek </scripts/base/frameworks/config/weird.zeek>
+   base/frameworks/analyzer/__load__.zeek </scripts/base/frameworks/analyzer/__load__.zeek>
+   base/frameworks/analyzer/dpd.zeek </scripts/base/frameworks/analyzer/dpd.zeek>
+   base/frameworks/analyzer/logging.zeek </scripts/base/frameworks/analyzer/logging.zeek>
+   base/frameworks/files/__load__.zeek </scripts/base/frameworks/files/__load__.zeek>
+   base/frameworks/files/main.zeek </scripts/base/frameworks/files/main.zeek>
+   base/utils/site.zeek </scripts/base/utils/site.zeek>
+   base/utils/patterns.zeek </scripts/base/utils/patterns.zeek>
+   base/frameworks/files/magic/__load__.zeek </scripts/base/frameworks/files/magic/__load__.zeek>
+   base/frameworks/telemetry/options.zeek </scripts/base/frameworks/telemetry/options.zeek>
+   base/bif/__load__.zeek </scripts/base/bif/__load__.zeek>
+   base/bif/telemetry_consts.bif.zeek </scripts/base/bif/telemetry_consts.bif.zeek>
+   base/bif/zeekygen.bif.zeek </scripts/base/bif/zeekygen.bif.zeek>
+   base/bif/pcap.bif.zeek </scripts/base/bif/pcap.bif.zeek>
+   base/bif/bloom-filter.bif.zeek </scripts/base/bif/bloom-filter.bif.zeek>
+   base/bif/cardinality-counter.bif.zeek </scripts/base/bif/cardinality-counter.bif.zeek>
+   base/bif/top-k.bif.zeek </scripts/base/bif/top-k.bif.zeek>
+   base/bif/storage.bif.zeek </scripts/base/bif/storage.bif.zeek>
+   base/bif/storage-async.bif.zeek </scripts/base/bif/storage-async.bif.zeek>
+   base/bif/storage-events.bif.zeek </scripts/base/bif/storage-events.bif.zeek>
+   base/bif/storage-sync.bif.zeek </scripts/base/bif/storage-sync.bif.zeek>
+   base/bif/spicy.bif.zeek </scripts/base/bif/spicy.bif.zeek>
+   base/bif/plugins/__load__.zeek </scripts/base/bif/plugins/__load__.zeek>
+   base/bif/plugins/Zeek_BitTorrent.events.bif.zeek </scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek>
+   base/bif/plugins/Zeek_ConnSize.events.bif.zeek </scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek>
+   base/bif/plugins/Zeek_ConnSize.functions.bif.zeek </scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek>
+   base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek>
+   base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek>
+   base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek>
+   base/bif/plugins/Zeek_DHCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek>
+   base/bif/plugins/Zeek_DHCP.types.bif.zeek </scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek>
+   base/bif/plugins/Zeek_DNP3.events.bif.zeek </scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek>
+   base/bif/plugins/Zeek_DNS.events.bif.zeek </scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek>
+   base/bif/plugins/Zeek_File.events.bif.zeek </scripts/base/bif/plugins/Zeek_File.events.bif.zeek>
+   base/bif/plugins/Zeek_FTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek>
+   base/bif/plugins/Zeek_FTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek>
+   base/bif/plugins/Zeek_Gnutella.events.bif.zeek </scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek>
+   base/bif/plugins/Zeek_GSSAPI.events.bif.zeek </scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek>
+   base/bif/plugins/Zeek_HTTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek>
+   base/bif/plugins/Zeek_HTTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek>
+   base/bif/plugins/Zeek_Ident.events.bif.zeek </scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek>
+   base/bif/plugins/Zeek_IMAP.events.bif.zeek </scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek>
+   base/bif/plugins/Zeek_IRC.events.bif.zeek </scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek>
+   base/bif/plugins/Zeek_KRB.events.bif.zeek </scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek>
+   base/bif/plugins/Zeek_Login.events.bif.zeek </scripts/base/bif/plugins/Zeek_Login.events.bif.zeek>
+   base/bif/plugins/Zeek_Login.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek>
+   base/bif/plugins/Zeek_MIME.consts.bif.zeek </scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek>
+   base/bif/plugins/Zeek_MIME.events.bif.zeek </scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek>
+   base/bif/plugins/Zeek_Modbus.events.bif.zeek </scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek>
+   base/bif/plugins/Zeek_MQTT.types.bif.zeek </scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek>
+   base/bif/plugins/Zeek_MQTT.events.bif.zeek </scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek>
+   base/bif/plugins/Zeek_MySQL.events.bif.zeek </scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek>
+   base/bif/plugins/Zeek_NCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek>
+   base/bif/plugins/Zeek_NCP.consts.bif.zeek </scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek>
+   base/bif/plugins/Zeek_NetBIOS.events.bif.zeek </scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek>
+   base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek </scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek>
+   base/bif/plugins/Zeek_NTLM.types.bif.zeek </scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek>
+   base/bif/plugins/Zeek_NTLM.events.bif.zeek </scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek>
+   base/bif/plugins/Zeek_NTP.types.bif.zeek </scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek>
+   base/bif/plugins/Zeek_NTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek>
+   base/bif/plugins/Zeek_POP3.consts.bif.zeek </scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek>
+   base/bif/plugins/Zeek_POP3.events.bif.zeek </scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek>
+   base/bif/plugins/Zeek_RADIUS.events.bif.zeek </scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek>
+   base/bif/plugins/Zeek_RDP.events.bif.zeek </scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek>
+   base/bif/plugins/Zeek_RDP.types.bif.zeek </scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek>
+   base/bif/plugins/Zeek_RFB.events.bif.zeek </scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek>
+   base/bif/plugins/Zeek_RPC.events.bif.zeek </scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek>
+   base/bif/plugins/Zeek_SIP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek>
+   base/bif/plugins/Zeek_SMB.events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek>
+   base/bif/plugins/Zeek_SMB.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek>
+   base/bif/plugins/Zeek_SMB.types.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek>
+   base/bif/plugins/Zeek_SMTP.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek>
+   base/bif/plugins/Zeek_SMTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek>
+   base/bif/plugins/Zeek_SMTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek>
+   base/bif/plugins/Zeek_SNMP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek>
+   base/bif/plugins/Zeek_SOCKS.events.bif.zeek </scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek>
+   base/bif/plugins/Zeek_SSH.types.bif.zeek </scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek>
+   base/bif/plugins/Zeek_SSH.events.bif.zeek </scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek>
+   base/bif/plugins/Zeek_SSL.types.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek>
+   base/bif/plugins/Zeek_SSL.events.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek>
+   base/bif/plugins/Zeek_SSL.functions.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek>
+   base/bif/plugins/Zeek_SSL.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek>
+   base/bif/plugins/Zeek_StreamEvent.events.bif.zeek </scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek>
+   base/bif/plugins/Zeek_TCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek>
+   base/bif/plugins/Zeek_TCP.types.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek>
+   base/bif/plugins/Zeek_TCP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek>
+   base/bif/plugins/Zeek_WebSocket.consts.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek>
+   base/bif/plugins/Zeek_WebSocket.events.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek>
+   base/bif/plugins/Zeek_WebSocket.functions.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek>
+   base/bif/plugins/Zeek_WebSocket.types.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek>
+   base/bif/plugins/Zeek_XMPP.events.bif.zeek </scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek>
+   base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek </scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek>
+   base/bif/plugins/Zeek_PPPoE.functions.bif.zeek </scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek>
+   base/bif/plugins/Zeek_ARP.events.bif.zeek </scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek>
+   base/bif/plugins/Zeek_UDP.events.bif.zeek </scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek>
+   base/bif/plugins/Zeek_ICMP.events.bif.zeek </scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek>
+   base/bif/plugins/Zeek_Geneve.events.bif.zeek </scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek>
+   base/bif/plugins/Zeek_Geneve.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek>
+   base/bif/plugins/Zeek_VXLAN.events.bif.zeek </scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek>
+   base/bif/plugins/Zeek_FileEntropy.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek>
+   base/bif/plugins/Zeek_FileExtract.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek>
+   base/bif/plugins/Zeek_FileExtract.functions.bif.zeek </scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek>
+   base/bif/plugins/Zeek_FileHash.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek>
+   base/bif/plugins/Zeek_PE.events.bif.zeek </scripts/base/bif/plugins/Zeek_PE.events.bif.zeek>
+   base/bif/plugins/Zeek_X509.events.bif.zeek </scripts/base/bif/plugins/Zeek_X509.events.bif.zeek>
+   base/bif/plugins/Zeek_X509.types.bif.zeek </scripts/base/bif/plugins/Zeek_X509.types.bif.zeek>
+   base/bif/plugins/Zeek_X509.functions.bif.zeek </scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek>
+   base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek </scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek>
+   base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek </scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek>
+   base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek </scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek>
+   base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek </scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek>
+   base/bif/plugins/Zeek_ConfigReader.config.bif.zeek </scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek>
+   base/bif/plugins/Zeek_RawReader.raw.bif.zeek </scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek>
+   base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek </scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek>
+   base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek </scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek>
+   base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek </scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek>
+   base/bif/plugins/Zeek_NoneWriter.none.bif.zeek </scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek>
+   base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek </scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek>
+   base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek </scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek>
+   base/frameworks/spicy/init-framework.zeek </scripts/base/frameworks/spicy/init-framework.zeek>
+   base/init-default.zeek </scripts/base/init-default.zeek>
+   base/utils/active-http.zeek </scripts/base/utils/active-http.zeek>
+   base/utils/exec.zeek </scripts/base/utils/exec.zeek>
+   base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>
+   base/utils/backtrace.zeek </scripts/base/utils/backtrace.zeek>
+   base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>
+   base/utils/dir.zeek </scripts/base/utils/dir.zeek>
+   base/frameworks/reporter/__load__.zeek </scripts/base/frameworks/reporter/__load__.zeek>
+   base/frameworks/reporter/main.zeek </scripts/base/frameworks/reporter/main.zeek>
+   base/utils/paths.zeek </scripts/base/utils/paths.zeek>
+   base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>
+   base/utils/email.zeek </scripts/base/utils/email.zeek>
+   base/utils/files.zeek </scripts/base/utils/files.zeek>
+   base/utils/geoip-distance.zeek </scripts/base/utils/geoip-distance.zeek>
+   base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>
+   base/utils/packages.zeek </scripts/base/utils/packages.zeek>
+   base/utils/queue.zeek </scripts/base/utils/queue.zeek>
+   base/utils/strings.zeek </scripts/base/utils/strings.zeek>
+   base/utils/thresholds.zeek </scripts/base/utils/thresholds.zeek>
+   base/utils/time.zeek </scripts/base/utils/time.zeek>
+   base/utils/urls.zeek </scripts/base/utils/urls.zeek>
+   base/frameworks/notice/__load__.zeek </scripts/base/frameworks/notice/__load__.zeek>
+   base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>
+   base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>
+   base/frameworks/notice/actions/email_admin.zeek </scripts/base/frameworks/notice/actions/email_admin.zeek>
+   base/frameworks/notice/actions/page.zeek </scripts/base/frameworks/notice/actions/page.zeek>
+   base/frameworks/notice/actions/add-geodata.zeek </scripts/base/frameworks/notice/actions/add-geodata.zeek>
+   base/frameworks/notice/actions/pp-alarms.zeek </scripts/base/frameworks/notice/actions/pp-alarms.zeek>
+   base/frameworks/signatures/__load__.zeek </scripts/base/frameworks/signatures/__load__.zeek>
+   base/frameworks/signatures/main.zeek </scripts/base/frameworks/signatures/main.zeek>
+   base/frameworks/packet-filter/__load__.zeek </scripts/base/frameworks/packet-filter/__load__.zeek>
+   base/frameworks/packet-filter/main.zeek </scripts/base/frameworks/packet-filter/main.zeek>
+   base/frameworks/packet-filter/netstats.zeek </scripts/base/frameworks/packet-filter/netstats.zeek>
+   base/frameworks/software/__load__.zeek </scripts/base/frameworks/software/__load__.zeek>
+   base/frameworks/software/main.zeek </scripts/base/frameworks/software/main.zeek>
+   base/frameworks/intel/__load__.zeek </scripts/base/frameworks/intel/__load__.zeek>
+   base/frameworks/intel/main.zeek </scripts/base/frameworks/intel/main.zeek>
+   base/frameworks/intel/files.zeek </scripts/base/frameworks/intel/files.zeek>
+   base/frameworks/intel/input.zeek </scripts/base/frameworks/intel/input.zeek>
+   base/frameworks/sumstats/__load__.zeek </scripts/base/frameworks/sumstats/__load__.zeek>
+   base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>
+   base/frameworks/sumstats/plugins/__load__.zeek </scripts/base/frameworks/sumstats/plugins/__load__.zeek>
+   base/frameworks/sumstats/plugins/average.zeek </scripts/base/frameworks/sumstats/plugins/average.zeek>
+   base/frameworks/sumstats/plugins/hll_unique.zeek </scripts/base/frameworks/sumstats/plugins/hll_unique.zeek>
+   base/frameworks/sumstats/plugins/last.zeek </scripts/base/frameworks/sumstats/plugins/last.zeek>
+   base/frameworks/sumstats/plugins/max.zeek </scripts/base/frameworks/sumstats/plugins/max.zeek>
+   base/frameworks/sumstats/plugins/min.zeek </scripts/base/frameworks/sumstats/plugins/min.zeek>
+   base/frameworks/sumstats/plugins/sample.zeek </scripts/base/frameworks/sumstats/plugins/sample.zeek>
+   base/frameworks/sumstats/plugins/std-dev.zeek </scripts/base/frameworks/sumstats/plugins/std-dev.zeek>
+   base/frameworks/sumstats/plugins/variance.zeek </scripts/base/frameworks/sumstats/plugins/variance.zeek>
+   base/frameworks/sumstats/plugins/sum.zeek </scripts/base/frameworks/sumstats/plugins/sum.zeek>
+   base/frameworks/sumstats/plugins/topk.zeek </scripts/base/frameworks/sumstats/plugins/topk.zeek>
+   base/frameworks/sumstats/plugins/unique.zeek </scripts/base/frameworks/sumstats/plugins/unique.zeek>
+   base/frameworks/sumstats/non-cluster.zeek </scripts/base/frameworks/sumstats/non-cluster.zeek>
+   base/frameworks/tunnels/__load__.zeek </scripts/base/frameworks/tunnels/__load__.zeek>
+   base/frameworks/tunnels/main.zeek </scripts/base/frameworks/tunnels/main.zeek>
+   base/frameworks/openflow/__load__.zeek </scripts/base/frameworks/openflow/__load__.zeek>
+   base/frameworks/openflow/consts.zeek </scripts/base/frameworks/openflow/consts.zeek>
+   base/frameworks/openflow/types.zeek </scripts/base/frameworks/openflow/types.zeek>
+   base/frameworks/openflow/main.zeek </scripts/base/frameworks/openflow/main.zeek>
+   base/frameworks/openflow/plugins/__load__.zeek </scripts/base/frameworks/openflow/plugins/__load__.zeek>
+   base/frameworks/openflow/plugins/ryu.zeek </scripts/base/frameworks/openflow/plugins/ryu.zeek>
+   base/frameworks/openflow/plugins/log.zeek </scripts/base/frameworks/openflow/plugins/log.zeek>
+   base/frameworks/openflow/plugins/broker.zeek </scripts/base/frameworks/openflow/plugins/broker.zeek>
+   base/frameworks/openflow/non-cluster.zeek </scripts/base/frameworks/openflow/non-cluster.zeek>
+   base/frameworks/netcontrol/__load__.zeek </scripts/base/frameworks/netcontrol/__load__.zeek>
+   base/frameworks/netcontrol/types.zeek </scripts/base/frameworks/netcontrol/types.zeek>
+   base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>
+   base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>
+   base/frameworks/netcontrol/plugins/__load__.zeek </scripts/base/frameworks/netcontrol/plugins/__load__.zeek>
+   base/frameworks/netcontrol/plugins/debug.zeek </scripts/base/frameworks/netcontrol/plugins/debug.zeek>
+   base/frameworks/netcontrol/plugins/openflow.zeek </scripts/base/frameworks/netcontrol/plugins/openflow.zeek>
+   base/frameworks/netcontrol/plugins/packetfilter.zeek </scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek>
+   base/frameworks/netcontrol/plugins/broker.zeek </scripts/base/frameworks/netcontrol/plugins/broker.zeek>
+   base/frameworks/netcontrol/plugins/acld.zeek </scripts/base/frameworks/netcontrol/plugins/acld.zeek>
+   base/frameworks/netcontrol/drop.zeek </scripts/base/frameworks/netcontrol/drop.zeek>
+   base/frameworks/netcontrol/shunt.zeek </scripts/base/frameworks/netcontrol/shunt.zeek>
+   base/frameworks/netcontrol/non-cluster.zeek </scripts/base/frameworks/netcontrol/non-cluster.zeek>
+   base/frameworks/telemetry/__load__.zeek </scripts/base/frameworks/telemetry/__load__.zeek>
+   base/frameworks/telemetry/main.zeek </scripts/base/frameworks/telemetry/main.zeek>
+   base/misc/version.zeek </scripts/base/misc/version.zeek>
+   base/frameworks/storage/__load__.zeek </scripts/base/frameworks/storage/__load__.zeek>
+   base/frameworks/storage/async.zeek </scripts/base/frameworks/storage/async.zeek>
+   base/frameworks/storage/main.zeek </scripts/base/frameworks/storage/main.zeek>
+   base/frameworks/storage/sync.zeek </scripts/base/frameworks/storage/sync.zeek>
+   base/frameworks/spicy/__load__.zeek </scripts/base/frameworks/spicy/__load__.zeek>
+   base/frameworks/spicy/main.zeek </scripts/base/frameworks/spicy/main.zeek>
+   base/protocols/conn/__load__.zeek </scripts/base/protocols/conn/__load__.zeek>
+   base/protocols/conn/main.zeek </scripts/base/protocols/conn/main.zeek>
+   base/protocols/conn/contents.zeek </scripts/base/protocols/conn/contents.zeek>
+   base/protocols/conn/inactivity.zeek </scripts/base/protocols/conn/inactivity.zeek>
+   base/protocols/conn/polling.zeek </scripts/base/protocols/conn/polling.zeek>
+   base/protocols/conn/thresholds.zeek </scripts/base/protocols/conn/thresholds.zeek>
+   base/protocols/dce-rpc/__load__.zeek </scripts/base/protocols/dce-rpc/__load__.zeek>
+   base/protocols/dce-rpc/consts.zeek </scripts/base/protocols/dce-rpc/consts.zeek>
+   base/protocols/dce-rpc/main.zeek </scripts/base/protocols/dce-rpc/main.zeek>
+   base/protocols/dhcp/__load__.zeek </scripts/base/protocols/dhcp/__load__.zeek>
+   base/protocols/dhcp/consts.zeek </scripts/base/protocols/dhcp/consts.zeek>
+   base/protocols/dhcp/main.zeek </scripts/base/protocols/dhcp/main.zeek>
+   base/protocols/dnp3/__load__.zeek </scripts/base/protocols/dnp3/__load__.zeek>
+   base/protocols/dnp3/main.zeek </scripts/base/protocols/dnp3/main.zeek>
+   base/protocols/dnp3/consts.zeek </scripts/base/protocols/dnp3/consts.zeek>
+   base/protocols/dns/__load__.zeek </scripts/base/protocols/dns/__load__.zeek>
+   base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>
+   base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>
+   base/protocols/dns/check-event-handlers.zeek </scripts/base/protocols/dns/check-event-handlers.zeek>
+   base/protocols/finger/__load__.zeek </scripts/base/protocols/finger/__load__.zeek>
+   base/protocols/finger/spicy-events.zeek </scripts/base/protocols/finger/spicy-events.zeek>
+   base/protocols/finger/main.zeek </scripts/base/protocols/finger/main.zeek>
+   base/protocols/ftp/__load__.zeek </scripts/base/protocols/ftp/__load__.zeek>
+   base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>
+   base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>
+   base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>
+   base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>
+   base/protocols/ftp/files.zeek </scripts/base/protocols/ftp/files.zeek>
+   base/protocols/ftp/gridftp.zeek </scripts/base/protocols/ftp/gridftp.zeek>
+   base/protocols/ssl/__load__.zeek </scripts/base/protocols/ssl/__load__.zeek>
+   base/protocols/ssl/consts.zeek </scripts/base/protocols/ssl/consts.zeek>
+   base/protocols/ssl/main.zeek </scripts/base/protocols/ssl/main.zeek>
+   base/protocols/ssl/mozilla-ca-list.zeek </scripts/base/protocols/ssl/mozilla-ca-list.zeek>
+   base/protocols/ssl/ct-list.zeek </scripts/base/protocols/ssl/ct-list.zeek>
+   base/protocols/ssl/files.zeek </scripts/base/protocols/ssl/files.zeek>
+   base/files/x509/__load__.zeek </scripts/base/files/x509/__load__.zeek>
+   base/files/x509/main.zeek </scripts/base/files/x509/main.zeek>
+   base/files/hash/__load__.zeek </scripts/base/files/hash/__load__.zeek>
+   base/files/hash/main.zeek </scripts/base/files/hash/main.zeek>
+   base/files/x509/certificate-event-cache.zeek </scripts/base/files/x509/certificate-event-cache.zeek>
+   base/files/x509/log-ocsp.zeek </scripts/base/files/x509/log-ocsp.zeek>
+   base/protocols/http/__load__.zeek </scripts/base/protocols/http/__load__.zeek>
+   base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>
+   base/protocols/http/entities.zeek </scripts/base/protocols/http/entities.zeek>
+   base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>
+   base/protocols/http/files.zeek </scripts/base/protocols/http/files.zeek>
+   base/protocols/imap/__load__.zeek </scripts/base/protocols/imap/__load__.zeek>
+   base/protocols/imap/main.zeek </scripts/base/protocols/imap/main.zeek>
+   base/protocols/irc/__load__.zeek </scripts/base/protocols/irc/__load__.zeek>
+   base/protocols/irc/main.zeek </scripts/base/protocols/irc/main.zeek>
+   base/protocols/irc/dcc-send.zeek </scripts/base/protocols/irc/dcc-send.zeek>
+   base/protocols/irc/files.zeek </scripts/base/protocols/irc/files.zeek>
+   base/protocols/krb/__load__.zeek </scripts/base/protocols/krb/__load__.zeek>
+   base/protocols/krb/main.zeek </scripts/base/protocols/krb/main.zeek>
+   base/protocols/krb/consts.zeek </scripts/base/protocols/krb/consts.zeek>
+   base/protocols/krb/files.zeek </scripts/base/protocols/krb/files.zeek>
+   base/protocols/ldap/__load__.zeek </scripts/base/protocols/ldap/__load__.zeek>
+   base/protocols/ldap/spicy-events.zeek </scripts/base/protocols/ldap/spicy-events.zeek>
+   base/protocols/ldap/consts.zeek </scripts/base/protocols/ldap/consts.zeek>
+   base/protocols/ldap/main.zeek </scripts/base/protocols/ldap/main.zeek>
+   base/protocols/modbus/__load__.zeek </scripts/base/protocols/modbus/__load__.zeek>
+   base/protocols/modbus/consts.zeek </scripts/base/protocols/modbus/consts.zeek>
+   base/protocols/modbus/main.zeek </scripts/base/protocols/modbus/main.zeek>
+   base/protocols/mqtt/__load__.zeek </scripts/base/protocols/mqtt/__load__.zeek>
+   base/protocols/mqtt/consts.zeek </scripts/base/protocols/mqtt/consts.zeek>
+   base/protocols/mqtt/main.zeek </scripts/base/protocols/mqtt/main.zeek>
+   base/protocols/mysql/__load__.zeek </scripts/base/protocols/mysql/__load__.zeek>
+   base/protocols/mysql/main.zeek </scripts/base/protocols/mysql/main.zeek>
+   base/protocols/mysql/consts.zeek </scripts/base/protocols/mysql/consts.zeek>
+   base/protocols/ntlm/__load__.zeek </scripts/base/protocols/ntlm/__load__.zeek>
+   base/protocols/ntlm/main.zeek </scripts/base/protocols/ntlm/main.zeek>
+   base/protocols/ntp/__load__.zeek </scripts/base/protocols/ntp/__load__.zeek>
+   base/protocols/ntp/main.zeek </scripts/base/protocols/ntp/main.zeek>
+   base/protocols/ntp/consts.zeek </scripts/base/protocols/ntp/consts.zeek>
+   base/protocols/pop3/__load__.zeek </scripts/base/protocols/pop3/__load__.zeek>
+   base/protocols/postgresql/__load__.zeek </scripts/base/protocols/postgresql/__load__.zeek>
+   base/protocols/postgresql/consts.zeek </scripts/base/protocols/postgresql/consts.zeek>
+   base/protocols/postgresql/spicy-events.zeek </scripts/base/protocols/postgresql/spicy-events.zeek>
+   base/protocols/postgresql/main.zeek </scripts/base/protocols/postgresql/main.zeek>
+   base/protocols/quic/__load__.zeek </scripts/base/protocols/quic/__load__.zeek>
+   base/protocols/quic/spicy-events.zeek </scripts/base/protocols/quic/spicy-events.zeek>
+   base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>
+   base/protocols/quic/main.zeek </scripts/base/protocols/quic/main.zeek>
+   base/protocols/radius/__load__.zeek </scripts/base/protocols/radius/__load__.zeek>
+   base/protocols/radius/main.zeek </scripts/base/protocols/radius/main.zeek>
+   base/protocols/radius/consts.zeek </scripts/base/protocols/radius/consts.zeek>
+   base/protocols/rdp/__load__.zeek </scripts/base/protocols/rdp/__load__.zeek>
+   base/protocols/rdp/consts.zeek </scripts/base/protocols/rdp/consts.zeek>
+   base/protocols/rdp/main.zeek </scripts/base/protocols/rdp/main.zeek>
+   base/protocols/redis/__load__.zeek </scripts/base/protocols/redis/__load__.zeek>
+   base/protocols/redis/spicy-events.zeek </scripts/base/protocols/redis/spicy-events.zeek>
+   base/protocols/redis/main.zeek </scripts/base/protocols/redis/main.zeek>
+   base/protocols/rfb/__load__.zeek </scripts/base/protocols/rfb/__load__.zeek>
+   base/protocols/rfb/main.zeek </scripts/base/protocols/rfb/main.zeek>
+   base/protocols/sip/__load__.zeek </scripts/base/protocols/sip/__load__.zeek>
+   base/protocols/sip/main.zeek </scripts/base/protocols/sip/main.zeek>
+   base/protocols/snmp/__load__.zeek </scripts/base/protocols/snmp/__load__.zeek>
+   base/protocols/snmp/main.zeek </scripts/base/protocols/snmp/main.zeek>
+   base/protocols/smb/__load__.zeek </scripts/base/protocols/smb/__load__.zeek>
+   base/protocols/smb/consts.zeek </scripts/base/protocols/smb/consts.zeek>
+   base/protocols/smb/const-dos-error.zeek </scripts/base/protocols/smb/const-dos-error.zeek>
+   base/protocols/smb/const-nt-status.zeek </scripts/base/protocols/smb/const-nt-status.zeek>
+   base/protocols/smb/main.zeek </scripts/base/protocols/smb/main.zeek>
+   base/protocols/smb/smb1-main.zeek </scripts/base/protocols/smb/smb1-main.zeek>
+   base/protocols/smb/smb2-main.zeek </scripts/base/protocols/smb/smb2-main.zeek>
+   base/protocols/smb/files.zeek </scripts/base/protocols/smb/files.zeek>
+   base/protocols/smtp/__load__.zeek </scripts/base/protocols/smtp/__load__.zeek>
+   base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>
+   base/protocols/smtp/entities.zeek </scripts/base/protocols/smtp/entities.zeek>
+   base/protocols/smtp/files.zeek </scripts/base/protocols/smtp/files.zeek>
+   base/protocols/socks/__load__.zeek </scripts/base/protocols/socks/__load__.zeek>
+   base/protocols/socks/consts.zeek </scripts/base/protocols/socks/consts.zeek>
+   base/protocols/socks/main.zeek </scripts/base/protocols/socks/main.zeek>
+   base/protocols/ssh/__load__.zeek </scripts/base/protocols/ssh/__load__.zeek>
+   base/protocols/ssh/main.zeek </scripts/base/protocols/ssh/main.zeek>
+   base/protocols/syslog/__load__.zeek </scripts/base/protocols/syslog/__load__.zeek>
+   base/protocols/syslog/spicy-events.zeek </scripts/base/protocols/syslog/spicy-events.zeek>
+   base/protocols/syslog/consts.zeek </scripts/base/protocols/syslog/consts.zeek>
+   base/protocols/syslog/main.zeek </scripts/base/protocols/syslog/main.zeek>
+   base/protocols/websocket/__load__.zeek </scripts/base/protocols/websocket/__load__.zeek>
+   base/protocols/websocket/consts.zeek </scripts/base/protocols/websocket/consts.zeek>
+   base/protocols/websocket/main.zeek </scripts/base/protocols/websocket/main.zeek>
+   base/protocols/tunnels/__load__.zeek </scripts/base/protocols/tunnels/__load__.zeek>
+   base/protocols/xmpp/__load__.zeek </scripts/base/protocols/xmpp/__load__.zeek>
+   base/protocols/xmpp/main.zeek </scripts/base/protocols/xmpp/main.zeek>
+   base/files/pe/__load__.zeek </scripts/base/files/pe/__load__.zeek>
+   base/files/pe/consts.zeek </scripts/base/files/pe/consts.zeek>
+   base/files/pe/main.zeek </scripts/base/files/pe/main.zeek>
+   base/files/extract/__load__.zeek </scripts/base/files/extract/__load__.zeek>
+   base/files/extract/main.zeek </scripts/base/files/extract/main.zeek>
+   base/misc/find-checksum-offloading.zeek </scripts/base/misc/find-checksum-offloading.zeek>
+   base/misc/find-filtered-trace.zeek </scripts/base/misc/find-filtered-trace.zeek>
+   base/misc/installation.zeek </scripts/base/misc/installation.zeek>
+   builtin-plugins/__load__.zeek </scripts/builtin-plugins/__load__.zeek>
+   builtin-plugins/Zeek_JavaScript/__load__.zeek </scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek>
+   zeekygen/__load__.zeek </scripts/zeekygen/__load__.zeek>
+   test-all-policy.zeek </scripts/test-all-policy.zeek>
+   policy/frameworks/analyzer/debug-logging.zeek </scripts/policy/frameworks/analyzer/debug-logging.zeek>
+   policy/frameworks/analyzer/detect-protocols.zeek </scripts/policy/frameworks/analyzer/detect-protocols.zeek>
+   policy/frameworks/analyzer/packet-segment-logging.zeek </scripts/policy/frameworks/analyzer/packet-segment-logging.zeek>
+   policy/frameworks/cluster/backend/zeromq/__load__.zeek </scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek>
+   policy/frameworks/cluster/backend/zeromq/main.zeek </scripts/policy/frameworks/cluster/backend/zeromq/main.zeek>
+   policy/frameworks/cluster/experimental.zeek </scripts/policy/frameworks/cluster/experimental.zeek>
+   policy/frameworks/management/agent/__load__.zeek </scripts/policy/frameworks/management/agent/__load__.zeek>
+   policy/frameworks/management/agent/api.zeek </scripts/policy/frameworks/management/agent/api.zeek>
+   policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>
+   policy/frameworks/management/agent/boot.zeek </scripts/policy/frameworks/management/agent/boot.zeek>
+   policy/frameworks/management/agent/config.zeek </scripts/policy/frameworks/management/agent/config.zeek>
+   policy/frameworks/management/__load__.zeek </scripts/policy/frameworks/management/__load__.zeek>
+   policy/frameworks/management/config.zeek </scripts/policy/frameworks/management/config.zeek>
+   policy/frameworks/management/log.zeek </scripts/policy/frameworks/management/log.zeek>
+   policy/frameworks/management/persistence.zeek </scripts/policy/frameworks/management/persistence.zeek>
+   policy/frameworks/management/request.zeek </scripts/policy/frameworks/management/request.zeek>
+   policy/frameworks/management/util.zeek </scripts/policy/frameworks/management/util.zeek>
+   policy/frameworks/management/controller/config.zeek </scripts/policy/frameworks/management/controller/config.zeek>
+   policy/frameworks/management/controller/__load__.zeek </scripts/policy/frameworks/management/controller/__load__.zeek>
+   policy/frameworks/management/controller/api.zeek </scripts/policy/frameworks/management/controller/api.zeek>
+   policy/frameworks/management/controller/boot.zeek </scripts/policy/frameworks/management/controller/boot.zeek>
+   policy/frameworks/management/node/api.zeek </scripts/policy/frameworks/management/node/api.zeek>
+   policy/frameworks/management/node/config.zeek </scripts/policy/frameworks/management/node/config.zeek>
+   policy/frameworks/management/supervisor/__load__.zeek </scripts/policy/frameworks/management/supervisor/__load__.zeek>
+   policy/frameworks/management/supervisor/main.zeek </scripts/policy/frameworks/management/supervisor/main.zeek>
+   policy/frameworks/management/supervisor/api.zeek </scripts/policy/frameworks/management/supervisor/api.zeek>
+   policy/frameworks/management/supervisor/config.zeek </scripts/policy/frameworks/management/supervisor/config.zeek>
+   policy/frameworks/intel/do_notice.zeek </scripts/policy/frameworks/intel/do_notice.zeek>
+   policy/frameworks/intel/do_expire.zeek </scripts/policy/frameworks/intel/do_expire.zeek>
+   policy/frameworks/intel/whitelist.zeek </scripts/policy/frameworks/intel/whitelist.zeek>
+   policy/frameworks/intel/removal.zeek </scripts/policy/frameworks/intel/removal.zeek>
+   policy/frameworks/intel/seen/__load__.zeek </scripts/policy/frameworks/intel/seen/__load__.zeek>
+   policy/frameworks/intel/seen/conn-established.zeek </scripts/policy/frameworks/intel/seen/conn-established.zeek>
+   policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>
+   policy/frameworks/intel/seen/dns.zeek </scripts/policy/frameworks/intel/seen/dns.zeek>
+   policy/frameworks/intel/seen/file-hashes.zeek </scripts/policy/frameworks/intel/seen/file-hashes.zeek>
+   policy/frameworks/intel/seen/file-names.zeek </scripts/policy/frameworks/intel/seen/file-names.zeek>
+   policy/frameworks/intel/seen/http-headers.zeek </scripts/policy/frameworks/intel/seen/http-headers.zeek>
+   policy/frameworks/intel/seen/http-url.zeek </scripts/policy/frameworks/intel/seen/http-url.zeek>
+   policy/frameworks/intel/seen/pubkey-hashes.zeek </scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek>
+   policy/frameworks/intel/seen/ssl.zeek </scripts/policy/frameworks/intel/seen/ssl.zeek>
+   policy/frameworks/intel/seen/smb-filenames.zeek </scripts/policy/frameworks/intel/seen/smb-filenames.zeek>
+   policy/frameworks/intel/seen/smtp.zeek </scripts/policy/frameworks/intel/seen/smtp.zeek>
+   policy/frameworks/intel/seen/smtp-url-extraction.zeek </scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek>
+   policy/frameworks/intel/seen/x509.zeek </scripts/policy/frameworks/intel/seen/x509.zeek>
+   policy/frameworks/intel/seen/manage-event-groups.zeek </scripts/policy/frameworks/intel/seen/manage-event-groups.zeek>
+   policy/frameworks/netcontrol/catch-and-release.zeek </scripts/policy/frameworks/netcontrol/catch-and-release.zeek>
+   policy/frameworks/files/detect-MHR.zeek </scripts/policy/frameworks/files/detect-MHR.zeek>
+   policy/frameworks/files/hash-all-files.zeek </scripts/policy/frameworks/files/hash-all-files.zeek>
+   policy/frameworks/files/entropy-test-all-files.zeek </scripts/policy/frameworks/files/entropy-test-all-files.zeek>
+   policy/frameworks/notice/__load__.zeek </scripts/policy/frameworks/notice/__load__.zeek>
+   policy/frameworks/notice/extend-email/hostnames.zeek </scripts/policy/frameworks/notice/extend-email/hostnames.zeek>
+   policy/frameworks/notice/actions/drop.zeek </scripts/policy/frameworks/notice/actions/drop.zeek>
+   policy/frameworks/notice/community-id.zeek </scripts/policy/frameworks/notice/community-id.zeek>
+   policy/protocols/conn/community-id-logging.zeek </scripts/policy/protocols/conn/community-id-logging.zeek>
+   policy/files/x509/disable-certificate-events-known-certs.zeek </scripts/policy/files/x509/disable-certificate-events-known-certs.zeek>
+   policy/frameworks/packet-filter/shunt.zeek </scripts/policy/frameworks/packet-filter/shunt.zeek>
+   policy/frameworks/software/version-changes.zeek </scripts/policy/frameworks/software/version-changes.zeek>
+   policy/frameworks/software/vulnerable.zeek </scripts/policy/frameworks/software/vulnerable.zeek>
+   policy/frameworks/software/windows-version-detection.zeek </scripts/policy/frameworks/software/windows-version-detection.zeek>
+   policy/frameworks/storage/backend/redis/__load__.zeek </scripts/policy/frameworks/storage/backend/redis/__load__.zeek>
+   policy/frameworks/storage/backend/redis/main.zeek </scripts/policy/frameworks/storage/backend/redis/main.zeek>
+   policy/frameworks/storage/backend/sqlite/__load__.zeek </scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek>
+   policy/frameworks/storage/backend/sqlite/main.zeek </scripts/policy/frameworks/storage/backend/sqlite/main.zeek>
+   policy/frameworks/telemetry/log.zeek </scripts/policy/frameworks/telemetry/log.zeek>
+   policy/integration/collective-intel/__load__.zeek </scripts/policy/integration/collective-intel/__load__.zeek>
+   policy/integration/collective-intel/main.zeek </scripts/policy/integration/collective-intel/main.zeek>
+   policy/misc/capture-loss.zeek </scripts/policy/misc/capture-loss.zeek>
+   policy/misc/detect-traceroute/__load__.zeek </scripts/policy/misc/detect-traceroute/__load__.zeek>
+   policy/misc/detect-traceroute/main.zeek </scripts/policy/misc/detect-traceroute/main.zeek>
+   policy/misc/loaded-scripts.zeek </scripts/policy/misc/loaded-scripts.zeek>
+   policy/misc/profiling.zeek </scripts/policy/misc/profiling.zeek>
+   policy/misc/stats.zeek </scripts/policy/misc/stats.zeek>
+   policy/misc/weird-stats.zeek </scripts/policy/misc/weird-stats.zeek>
+   policy/misc/trim-trace-file.zeek </scripts/policy/misc/trim-trace-file.zeek>
+   policy/misc/unknown-protocols.zeek </scripts/policy/misc/unknown-protocols.zeek>
+   policy/protocols/conn/disable-unknown-ip-proto-support.zeek </scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek>
+   policy/protocols/conn/failed-service-logging.zeek </scripts/policy/protocols/conn/failed-service-logging.zeek>
+   policy/protocols/conn/ip-proto-name-logging.zeek </scripts/policy/protocols/conn/ip-proto-name-logging.zeek>
+   policy/protocols/conn/known-hosts.zeek </scripts/policy/protocols/conn/known-hosts.zeek>
+   policy/protocols/conn/known-services.zeek </scripts/policy/protocols/conn/known-services.zeek>
+   policy/protocols/conn/mac-logging.zeek </scripts/policy/protocols/conn/mac-logging.zeek>
+   policy/protocols/conn/vlan-logging.zeek </scripts/policy/protocols/conn/vlan-logging.zeek>
+   policy/protocols/conn/pppoe-session-id-logging.zeek </scripts/policy/protocols/conn/pppoe-session-id-logging.zeek>
+   policy/protocols/conn/weirds.zeek </scripts/policy/protocols/conn/weirds.zeek>
+   policy/protocols/dhcp/msg-orig.zeek </scripts/policy/protocols/dhcp/msg-orig.zeek>
+   policy/protocols/dhcp/software.zeek </scripts/policy/protocols/dhcp/software.zeek>
+   policy/protocols/dhcp/sub-opts.zeek </scripts/policy/protocols/dhcp/sub-opts.zeek>
+   policy/protocols/dns/auth-addl.zeek </scripts/policy/protocols/dns/auth-addl.zeek>
+   policy/protocols/dns/detect-external-names.zeek </scripts/policy/protocols/dns/detect-external-names.zeek>
+   policy/protocols/dns/log-original-query-case.zeek </scripts/policy/protocols/dns/log-original-query-case.zeek>
+   policy/protocols/ftp/detect-bruteforcing.zeek </scripts/policy/protocols/ftp/detect-bruteforcing.zeek>
+   policy/protocols/ftp/detect.zeek </scripts/policy/protocols/ftp/detect.zeek>
+   policy/protocols/ftp/software.zeek </scripts/policy/protocols/ftp/software.zeek>
+   policy/protocols/http/detect-sql-injection.zeek </scripts/policy/protocols/http/detect-sql-injection.zeek>
+   policy/protocols/http/detect-webapps.zeek </scripts/policy/protocols/http/detect-webapps.zeek>
+   policy/protocols/http/header-names.zeek </scripts/policy/protocols/http/header-names.zeek>
+   policy/protocols/http/software-browser-plugins.zeek </scripts/policy/protocols/http/software-browser-plugins.zeek>
+   policy/protocols/http/software.zeek </scripts/policy/protocols/http/software.zeek>
+   policy/protocols/http/var-extraction-cookies.zeek </scripts/policy/protocols/http/var-extraction-cookies.zeek>
+   policy/protocols/http/var-extraction-uri.zeek </scripts/policy/protocols/http/var-extraction-uri.zeek>
+   policy/protocols/krb/ticket-logging.zeek </scripts/policy/protocols/krb/ticket-logging.zeek>
+   policy/protocols/modbus/known-masters-slaves.zeek </scripts/policy/protocols/modbus/known-masters-slaves.zeek>
+   policy/protocols/modbus/track-memmap.zeek </scripts/policy/protocols/modbus/track-memmap.zeek>
+   policy/protocols/mysql/software.zeek </scripts/policy/protocols/mysql/software.zeek>
+   policy/protocols/rdp/indicate_ssl.zeek </scripts/policy/protocols/rdp/indicate_ssl.zeek>
+   policy/protocols/smb/log-cmds.zeek </scripts/policy/protocols/smb/log-cmds.zeek>
+   policy/protocols/smtp/blocklists.zeek </scripts/policy/protocols/smtp/blocklists.zeek>
+   policy/protocols/smtp/detect-suspicious-orig.zeek </scripts/policy/protocols/smtp/detect-suspicious-orig.zeek>
+   policy/protocols/smtp/entities-excerpt.zeek </scripts/policy/protocols/smtp/entities-excerpt.zeek>
+   policy/protocols/smtp/software.zeek </scripts/policy/protocols/smtp/software.zeek>
+   policy/protocols/ssh/detect-bruteforcing.zeek </scripts/policy/protocols/ssh/detect-bruteforcing.zeek>
+   policy/protocols/ssh/geo-data.zeek </scripts/policy/protocols/ssh/geo-data.zeek>
+   policy/protocols/ssh/interesting-hostnames.zeek </scripts/policy/protocols/ssh/interesting-hostnames.zeek>
+   policy/protocols/ssh/software.zeek </scripts/policy/protocols/ssh/software.zeek>
+   policy/protocols/ssl/certificate-request-info.zeek </scripts/policy/protocols/ssl/certificate-request-info.zeek>
+   policy/protocols/ssl/decryption.zeek </scripts/policy/protocols/ssl/decryption.zeek>
+   policy/protocols/ssl/expiring-certs.zeek </scripts/policy/protocols/ssl/expiring-certs.zeek>
+   policy/protocols/ssl/heartbleed.zeek </scripts/policy/protocols/ssl/heartbleed.zeek>
+   policy/protocols/ssl/known-certs.zeek </scripts/policy/protocols/ssl/known-certs.zeek>
+   policy/protocols/ssl/log-certs-base64.zeek </scripts/policy/protocols/ssl/log-certs-base64.zeek>
+   policy/protocols/ssl/ssl-log-ext.zeek </scripts/policy/protocols/ssl/ssl-log-ext.zeek>
+   policy/protocols/ssl/log-hostcerts-only.zeek </scripts/policy/protocols/ssl/log-hostcerts-only.zeek>
+   policy/protocols/ssl/validate-certs.zeek </scripts/policy/protocols/ssl/validate-certs.zeek>
+   policy/protocols/ssl/validate-ocsp.zeek </scripts/policy/protocols/ssl/validate-ocsp.zeek>
+   policy/protocols/ssl/validate-sct.zeek </scripts/policy/protocols/ssl/validate-sct.zeek>
+   policy/protocols/ssl/weak-keys.zeek </scripts/policy/protocols/ssl/weak-keys.zeek>
+   policy/tuning/json-logs.zeek </scripts/policy/tuning/json-logs.zeek>
+   policy/tuning/track-all-assets.zeek </scripts/policy/tuning/track-all-assets.zeek>
+   policy/frameworks/conn_key/vlan_fivetuple.zeek </scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek>
+   policy/frameworks/cluster/backend/zeromq/connect.zeek </scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek>
+   policy/frameworks/cluster/nodes-experimental/manager.zeek </scripts/policy/frameworks/cluster/nodes-experimental/manager.zeek>
+   policy/frameworks/control/controllee.zeek </scripts/policy/frameworks/control/controllee.zeek>
+   policy/frameworks/control/controller.zeek </scripts/policy/frameworks/control/controller.zeek>
+   policy/frameworks/management/agent/main.zeek </scripts/policy/frameworks/management/agent/main.zeek>
+   policy/frameworks/management/controller/main.zeek </scripts/policy/frameworks/management/controller/main.zeek>
+   policy/frameworks/management/node/__load__.zeek </scripts/policy/frameworks/management/node/__load__.zeek>
+   policy/frameworks/management/node/main.zeek </scripts/policy/frameworks/management/node/main.zeek>
+   policy/frameworks/files/extract-all-files.zeek </scripts/policy/frameworks/files/extract-all-files.zeek>
+   policy/frameworks/signatures/iso-9660.zeek </scripts/policy/frameworks/signatures/iso-9660.zeek>
+   policy/misc/dump-events.zeek </scripts/policy/misc/dump-events.zeek>
+   policy/protocols/conn/speculative-service.zeek </scripts/policy/protocols/conn/speculative-service.zeek>
+   policy/frameworks/spicy/resource-usage.zeek </scripts/policy/frameworks/spicy/resource-usage.zeek>
+   zeekygen/example.zeek </scripts/zeekygen/example.zeek>
diff --git a/doc/script-reference/directives.rst b/doc/script-reference/directives.rst
new file mode 100644
index 0000000000..9ce2ec448d
--- /dev/null
+++ b/doc/script-reference/directives.rst
@@ -0,0 +1,280 @@
+Directives
+==========
+
+The Zeek scripting language supports a number of directives that can
+affect which scripts will be loaded or which lines in a script will be
+executed.  Directives are evaluated before script execution begins.
+
+
+.. zeek:keyword:: @DIR
+
+@DIR
+----
+
+Expands to the directory pathname where the current script is located.
+
+Example:
+
+.. code-block:: zeek
+
+    print "Directory:", @DIR;
+
+
+.. zeek:keyword:: @FILENAME
+
+@FILENAME
+---------
+
+Expands to the filename of the current script.
+
+Example:
+
+.. code-block:: zeek
+
+    print "File:", @FILENAME;
+
+
+.. zeek:keyword:: @deprecated
+
+@deprecated
+-----------
+
+Marks the current script as deprecated. This can be placed anywhere in
+the script, but a good convention is to put it as the first line.
+You can also supply additional comments.
+
+Example:
+
+.. code-block:: zeek
+
+    @deprecated "Use '@load foo' instead"
+
+
+.. zeek:keyword:: @load
+
+@load
+-----
+
+Loads the specified Zeek script, specified as the relative pathname
+of the file (relative to one of the directories in Zeek's file search path).
+If the Zeek script filename ends with ``.zeek``, then you don't need to
+specify the file extension.  The filename cannot contain any whitespace.
+
+In this example, Zeek will try to load a script
+``policy/misc/capture-loss.zeek`` by looking in each directory in the file
+search path (the file search path can be changed by setting the ``ZEEKPATH``
+environment variable):
+
+.. code-block:: zeek
+
+    @load policy/misc/capture-loss
+
+If you specify the name of a directory instead of a filename, then
+Zeek will try to load a file in that directory called ``__load__.zeek``
+(presumably that file will contain additional ``@load`` directives).
+
+In this example, Zeek will try to load a file ``tuning/defaults/__load__.zeek``
+by looking in each directory in the file search path:
+
+.. code-block:: zeek
+
+    @load tuning/defaults
+
+The purpose of this directive is to ensure that all script dependencies
+are satisfied, and to avoid having to list every needed Zeek script
+on the command-line.  Zeek keeps track of which scripts have been
+loaded, so it is not an error to load a script more than once (once
+a script has been loaded, any subsequent ``load`` directives
+for that script are ignored).
+
+
+.. zeek:keyword:: @load-plugin
+
+@load-plugin
+------------
+
+Activate a dynamic plugin with the specified plugin name.  The specified
+plugin must be located in Zeek's plugin search path.  Example:
+
+.. code-block:: zeek
+
+    @load-plugin Demo::Rot13
+
+By default, Zeek will automatically activate all dynamic plugins found
+in the plugin search path (the search path can be changed by setting
+the environment variable ``ZEEK_PLUGIN_PATH`` to a colon-separated list of
+directories). However, in bare mode (``zeek -b`` dynamic plugins can be
+activated only by using ``load-plugin`` or by specifying the full
+plugin name on the Zeek command-line (e.g., ``zeek Demo::Rot13`` or by
+setting the environment variable ``ZEEK_PLUGIN_ACTIVATE`` to a
+comma-separated list of plugin names.
+
+
+.. zeek:keyword:: @load-sigs
+
+@load-sigs
+----------
+
+This works similarly to ``load`` except that in this case the filename
+represents a signature file (not a Zeek script).  If the signature filename
+ends with ``sig`` then you don't need to specify the file extension
+in the ``load-sigs`` directive.  The filename cannot contain any
+whitespace.
+
+In this example, Zeek will try to load a signature file
+``base/protocols/ssl/dpd.sig``
+
+.. code-block:: zeek
+
+    @load-sigs base/protocols/ssl/dpd
+
+The format for a signature file is explained in the documentation for the
+:doc:`Signature Framework </frameworks/signatures>`.
+
+
+.. zeek:keyword:: @unload
+
+@unload
+-------
+
+This specifies a Zeek script that we don't want to load (so a subsequent
+attempt to load the specified script will be skipped).  However,
+if the specified script has already been loaded, then this directive
+has no affect.
+
+In the following example, if the ``policy/misc/capture-loss.zeek`` script
+has not been loaded yet, then Zeek will not load it:
+
+.. code-block:: zeek
+
+    @unload policy/misc/capture-loss
+
+
+.. zeek:keyword:: @prefixes
+
+@prefixes
+---------
+
+Specifies a filename prefix to use when looking for script files
+to load automatically.  The prefix cannot contain any whitespace.
+
+In the following example, the prefix ``cluster`` is used and all prefixes
+that were previously specified are not used:
+
+.. code-block:: zeek
+
+    @prefixes = cluster
+
+In the following example, the prefix ``cluster-manager`` is used in
+addition to any previously-specified prefixes:
+
+.. code-block:: zeek
+
+    @prefixes += cluster-manager
+
+The way this works is that after Zeek parses all script files, then for each
+loaded script Zeek will take the absolute path of the script and then
+it removes the portion of the directory path that is in Zeek's file
+search path.  Then it replaces each ``/`` character with a period ``.``
+and then prepends the prefix (specified in the ``@prefixes`` directive)
+followed by a period.  The resulting filename is searched for in each
+directory in Zeek's file search path.  If a matching file is found, then
+the file is automatically loaded.
+
+For example, if a script called ``local.zeek`` has been loaded, and a prefix
+of ``test`` was specified, then Zeek will look for a file named
+``test.local.zeek`` in each directory of Zeek's file search path.
+
+An alternative way to specify prefixes is to use the ``-p`` Zeek
+command-line option.
+
+
+.. zeek:keyword:: @if
+
+@if
+---
+
+The specified expression must evaluate to type :zeek:type:`bool`.  If the
+value is true, then the following script lines (up to the next ``@else``
+or ``@endif``) are available to be executed.
+
+Example:
+
+.. code-block:: zeek
+
+    @if ( ver == 2 )
+        print "version 2 detected";
+    @endif
+
+
+.. zeek:keyword:: @ifdef
+
+@ifdef
+------
+
+This works like ``@if``, except that the result is true if the specified
+identifier is defined.
+
+Example:
+
+.. code-block:: zeek
+
+    @ifdef ( pi )
+        print "pi is defined";
+    @endif
+
+
+.. zeek:keyword:: @ifndef
+
+@ifndef
+-------
+
+This works exactly like ``@ifdef``, except that the result is true if the
+specified identifier is not defined.
+
+Example:
+
+.. code-block:: zeek
+
+    @ifndef ( pi )
+        print "pi is not defined";
+    @endif
+
+
+.. zeek:keyword:: @else
+
+@else
+-----
+
+This directive is optional after an ``@if``, ``@ifdef``, or
+``@ifndef``.  If present, it provides an else clause.
+
+Example:
+
+.. code-block:: zeek
+
+    @ifdef ( pi )
+        print "pi is defined";
+    @else
+        print "pi is not defined";
+    @endif
+
+
+.. zeek:keyword:: @endif
+
+@endif
+------
+
+This directive is required to terminate each ``@if``, ``@ifdef``, or
+``@ifndef``.
+
+
+.. zeek:keyword:: @DEBUG
+
+@DEBUG
+------
+
+This directive is not meant to be used directly from user scripts.  Internally,
+it's used by interactive-debugger features (``zeek -d``) that allow arbitrary
+expressions to be parsed and evaluated on their own rather than incorporated
+into the usual Zeek syntax-tree formed from parsing script files.
diff --git a/doc/script-reference/file-analyzers.rst b/doc/script-reference/file-analyzers.rst
new file mode 100644
index 0000000000..36d2b397c3
--- /dev/null
+++ b/doc/script-reference/file-analyzers.rst
@@ -0,0 +1 @@
+.. include:: autogenerated-file-analyzer-index.rst
diff --git a/doc/script-reference/index.rst b/doc/script-reference/index.rst
new file mode 100644
index 0000000000..a8c213e352
--- /dev/null
+++ b/doc/script-reference/index.rst
@@ -0,0 +1,20 @@
+================
+Script Reference
+================
+
+.. toctree::
+   :maxdepth: 1
+
+   operators
+   types
+   attributes
+   statements
+   directives
+   log-files
+   notices
+   packet-analyzers
+   proto-analyzers
+   file-analyzers
+   packages
+   scripts
+   Zeekygen Example Script </scripts/zeekygen/example.zeek>
diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst
new file mode 100644
index 0000000000..4259f5624e
--- /dev/null
+++ b/doc/script-reference/log-files.rst
@@ -0,0 +1,370 @@
+.. _log-files:
+
+=========
+Log Files
+=========
+
+Listed below are the log files generated by Zeek, including a brief description
+of the log file and links to descriptions of the fields for each log
+type.
+
+Network Protocols
+-----------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`conn.log`
+    - TCP/UDP/ICMP connections
+    - :zeek:type:`Conn::Info`
+
+  * - :file:`dce_rpc.log`
+    - Distributed Computing Environment/RPC
+    - :zeek:type:`DCE_RPC::Info`
+
+  * - :file:`dhcp.log`
+    - DHCP leases
+    - :zeek:type:`DHCP::Info`
+
+  * - :file:`dnp3.log`
+    - DNP3 requests and replies
+    - :zeek:type:`DNP3::Info`
+
+  * - :file:`dns.log`
+    - DNS activity
+    - :zeek:type:`DNS::Info`
+
+  * - :file:`ftp.log`
+    - FTP activity
+    - :zeek:type:`FTP::Info`
+
+  * - :file:`http.log`
+    - HTTP requests and replies
+    - :zeek:type:`HTTP::Info`
+
+  * - :file:`irc.log`
+    - IRC commands and responses
+    - :zeek:type:`IRC::Info`
+
+  * - :file:`kerberos.log`
+    - Kerberos
+    - :zeek:type:`KRB::Info`
+
+  * - :file:`ldap.log`
+    - LDAP Messages
+    - :zeek:type:`LDAP::MessageInfo`
+
+  * - :file:`ldap_search.log`
+    - LDAP Searches
+    - :zeek:type:`LDAP::SearchInfo`
+
+  * - :file:`modbus.log`
+    - Modbus commands and responses
+    - :zeek:type:`Modbus::Info`
+
+  * - :file:`modbus_register_change.log`
+    - Tracks changes to Modbus holding registers
+    - :zeek:type:`Modbus::MemmapInfo`
+
+  * - :file:`mysql.log`
+    - MySQL
+    - :zeek:type:`MySQL::Info`
+
+  * - :file:`ntlm.log`
+    - NT LAN Manager (NTLM)
+    - :zeek:type:`NTLM::Info`
+
+  * - :file:`ntp.log`
+    - Network Time Protocol
+    - :zeek:type:`NTP::Info`
+
+  * - :file:`postgresql.log`
+    - PostgreSQL events
+    - :zeek:type:`PostgreSQL::Info`
+
+  * - :file:`quic.log`
+    - QUIC connections
+    - :zeek:type:`QUIC::Info`
+
+  * - :file:`radius.log`
+    - RADIUS authentication attempts
+    - :zeek:type:`RADIUS::Info`
+
+  * - :file:`redis.log`
+    - Redis commands
+    - :zeek:type:`Redis::Info`
+
+  * - :file:`rdp.log`
+    - RDP
+    - :zeek:type:`RDP::Info`
+
+  * - :file:`rfb.log`
+    - Remote Framebuffer (RFB)
+    - :zeek:type:`RFB::Info`
+
+  * - :file:`sip.log`
+    - SIP
+    - :zeek:type:`SIP::Info`
+
+  * - :file:`smb_cmd.log`
+    - SMB commands
+    - :zeek:type:`SMB::CmdInfo`
+
+  * - :file:`smb_files.log`
+    - SMB files
+    - :zeek:type:`SMB::FileInfo`
+
+  * - :file:`smb_mapping.log`
+    - SMB trees
+    - :zeek:type:`SMB::TreeInfo`
+
+  * - :file:`smtp.log`
+    - SMTP transactions
+    - :zeek:type:`SMTP::Info`
+
+  * - :file:`snmp.log`
+    - SNMP messages
+    - :zeek:type:`SNMP::Info`
+
+  * - :file:`socks.log`
+    - SOCKS proxy requests
+    - :zeek:type:`SOCKS::Info`
+
+  * - :file:`ssh.log`
+    - SSH connections
+    - :zeek:type:`SSH::Info`
+
+  * - :file:`ssl.log`
+    - SSL/TLS handshake info
+    - :zeek:type:`SSL::Info`
+
+  * - :file:`syslog.log`
+    - Syslog messages
+    - :zeek:type:`Syslog::Info`
+
+  * - :file:`tunnel.log`
+    - Tunneling protocol events
+    - :zeek:type:`Tunnel::Info`
+
+  * - :file:`websocket.log`
+    - WebSocket handshakes
+    - :zeek:type:`WebSocket::Info`
+
+
+Files
+-----
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`files.log`
+    - File analysis results
+    - :zeek:type:`Files::Info`
+
+  * - :file:`ocsp.log`
+    - Online Certificate Status Protocol (OCSP). Only created if policy script is loaded.
+    - :zeek:type:`OCSP::Info`
+
+  * - :file:`pe.log`
+    - Portable Executable (PE)
+    - :zeek:type:`PE::Info`
+
+  * - :file:`x509.log`
+    - X.509 certificate info
+    - :zeek:type:`X509::Info`
+
+
+NetControl
+----------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`netcontrol.log`
+    - NetControl actions
+    - :zeek:type:`NetControl::Info`
+
+  * - :file:`netcontrol_drop.log`
+    - NetControl actions
+    - :zeek:type:`NetControl::DropInfo`
+
+  * - :file:`netcontrol_shunt.log`
+    - NetControl shunt actions
+    - :zeek:type:`NetControl::ShuntInfo`
+
+  * - :file:`netcontrol_catch_release.log`
+    - NetControl catch and release actions
+    - :zeek:type:`NetControl::CatchReleaseInfo`
+
+  * - :file:`openflow.log`
+    - OpenFlow debug log
+    - :zeek:type:`OpenFlow::Info`
+
+
+Detection
+---------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`intel.log`
+    - Intelligence data matches
+    - :zeek:type:`Intel::Info`
+
+  * - :file:`notice.log`
+    - Zeek notices
+    - :zeek:type:`Notice::Info`
+
+  * - :file:`notice_alarm.log`
+    - The alarm stream
+    - :zeek:type:`Notice::Info`
+
+  * - :file:`signatures.log`
+    - Signature matches
+    - :zeek:type:`Signatures::Info`
+
+  * - :file:`traceroute.log`
+    - Traceroute detection
+    - :zeek:type:`Traceroute::Info`
+
+
+Network Observations
+--------------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`known_certs.log`
+    - SSL certificates
+    - :zeek:type:`Known::CertsInfo`
+
+  * - :file:`known_hosts.log`
+    - Hosts that have completed TCP handshakes
+    - :zeek:type:`Known::HostsInfo`
+
+  * - :file:`known_modbus.log`
+    - Modbus masters and slaves
+    - :zeek:type:`Known::ModbusInfo`
+
+  * - :file:`known_services.log`
+    - Services running on hosts
+    - :zeek:type:`Known::ServicesInfo`
+
+  * - :file:`software.log`
+    - Software being used on the network
+    - :zeek:type:`Software::Info`
+
+
+Miscellaneous
+-------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`analyzer.log`
+    - Protocol, packet or file analyzer violations
+    - :zeek:type:`Analyzer::Logging::Info`
+
+  * - :file:`analyzer_debug.log`
+    - Protocol, packet or file analyzer debug information
+    - :zeek:type:`Analyzer::DebugLogging::Info`
+
+  * - :file:`telemetry.log`
+    - Zeek operational telemetry
+    - :zeek:type:`Telemetry::Info`
+
+  * - :file:`unknown_protocols.log`
+    - Information about packet protocols that Zeek doesn't know how to process
+    - :zeek:type:`UnknownProtocol::Info`
+
+  * - :file:`weird.log`
+    - Unexpected network-level activity
+    - :zeek:type:`Weird::Info`
+
+  * - :file:`weird_stats.log`
+    - Statistics about unexpected activity
+    - :zeek:type:`WeirdStats::Info`
+
+
+Zeek Diagnostics
+----------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`broker.log`
+    - Peering status events between Zeek or Broker-enabled processes
+    - :zeek:type:`Broker::Info`
+
+  * - :file:`capture_loss.log`
+    - Packet loss rate
+    - :zeek:type:`CaptureLoss::Info`
+
+  * - :file:`cluster.log`
+    - Zeek cluster messages
+    - :zeek:type:`Cluster::Info`
+
+  * - :file:`config.log`
+    - Configuration option changes
+    - :zeek:type:`Config::Info`
+
+  * - :file:`loaded_scripts.log`
+    - Shows all scripts loaded by Zeek
+    - :zeek:type:`LoadedScripts::Info`
+
+  * - :file:`packet_filter.log`
+    - List packet filters that were applied
+    - :zeek:type:`PacketFilter::Info`
+
+  * - :file:`print.log`
+    - Print statements that were redirected to a log stream.
+    - :zeek:type:`Log::PrintLogInfo`
+
+  * - :file:`prof.log`
+    - Profiling statistics (to create this log, load
+      :doc:`/scripts/policy/misc/profiling.zeek`)
+    - N/A
+
+  * - :file:`reporter.log`
+    - Internal error/warning/info messages
+    - :zeek:type:`Reporter::Info`
+
+  * - :file:`stats.log`
+    - Memory/event/packet/lag statistics
+    - :zeek:type:`Stats::Info`
+
+  * - :file:`stderr.log`
+    - Captures standard error when Zeek is started from ZeekControl
+    - N/A
+
+  * - :file:`stdout.log`
+    - Captures standard output when Zeek is started from ZeekControl
+    - N/A
diff --git a/doc/script-reference/notices.rst b/doc/script-reference/notices.rst
new file mode 100644
index 0000000000..99ff5e0358
--- /dev/null
+++ b/doc/script-reference/notices.rst
@@ -0,0 +1,8 @@
+
+.. Not nice but I don't find a way to link to the notice index
+.. directly from the upper level TOC tree.
+
+Notices
+=======
+
+See the `Zeek Notice Index <../zeek-noticeindex.html>`_.
diff --git a/doc/script-reference/operators.rst b/doc/script-reference/operators.rst
new file mode 100644
index 0000000000..4d90151244
--- /dev/null
+++ b/doc/script-reference/operators.rst
@@ -0,0 +1,420 @@
+Operators
+=========
+
+The Zeek scripting language supports the following operators.  Note that
+each data type only supports a subset of these operators.  For more
+details, see the documentation about the :doc:`data types <types>`.
+
+.. _relational-operators:
+
+Relational operators
+--------------------
+
+The relational operators evaluate to type :zeek:type:`bool`.
+
+In addition to numeric operands, the relational operators also work with
+operands of type :zeek:type:`interval`, :zeek:type:`time`, :zeek:type:`string`,
+:zeek:type:`port`, :zeek:type:`addr`, and :zeek:type:`set`.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Equality
+    - ``a == b``
+
+  * - Inquality
+    - ``a != b``
+
+  * - Less than
+    - ``a < b``
+
+  * - Less than or equal
+    - ``a <= b``
+
+  * - Greater than
+    - ``a > b``
+
+  * - Greater than or equal
+    - ``a >= b``
+
+.. _logical-operators:
+
+Logical operators
+-----------------
+
+The logical operators require operands of type :zeek:type:`bool`, and
+evaluate to type :zeek:type:`bool`.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Logical AND
+    - ``a && b``
+
+  * - Logical OR
+    - ``a || b``
+
+  * - Logical NOT
+    - ``! a``
+
+.. _arithmetic-operators:
+
+Arithmetic operators
+--------------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Addition
+    - ``a + b``
+    - For :zeek:type:`string` operands, this performs string concatenation.
+
+  * - Subtraction
+    - ``a - b``
+    -
+
+  * - Multiplication
+    - ``a * b``
+    -
+
+  * - Division
+    - ``a / b``
+    - For :zeek:type:`int` or :zeek:type:`count` operands, the fractional part
+      of the result is dropped.
+
+  * - Modulo
+    - ``a % b``
+    - Operand types cannot be :zeek:type:`double`.
+
+  * - Unary plus
+    - ``+a``
+    -
+
+  * - Unary minus
+    - ``-a``
+    -
+
+  * - Pre-increment
+    - ``++a``
+    - Operand type cannot be :zeek:type:`double`.
+
+  * - Pre-decrement
+    - ``--a``
+    - Operand type cannot be :zeek:type:`double`.
+
+  * - Absolute value
+    - ``|a|``
+    - If operand is  :zeek:type:`string`, :zeek:type:`set`, :zeek:type:`table`,
+      or  :zeek:type:`vector`, this evaluates to number of elements.
+
+.. _bitwise-operators:
+
+Bitwise operators
+-----------------
+
+The bitwise operators work with operands of type :zeek:type:`count` or ``vector
+of count``. The bitwise shift operators can also work with :zeek:type:`int`.
+The bitwise complement operator works with :zeek:type:`count` only.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Bitwise AND
+    - ``a & b``
+
+  * - Bitwise OR
+    - ``a | b``
+
+  * - Bitwise XOR
+    - ``a ^ b``
+
+  * - Bitwise left shift
+    - ``a << b``
+
+  * - Bitwise right shift
+    - ``a >> b``
+
+  * - Bitwise complement
+    - ``~a``
+
+.. _set-operators:
+
+Set operators
+-------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Set intersection
+    - ``s1 & s2``
+
+  * - Set union
+    - ``s1 | s2``
+
+  * - Set difference
+    - ``s1 - s2``
+
+.. _assignment-operators:
+
+Assignment operators
+--------------------
+
+The assignment operators evaluate to the result of the assignment.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Assignment
+    - ``a = b``
+
+  * - Addition assignment (more generally, "add to")
+    - ``a += b``
+
+  * - Subtraction assignment (more generally, "remove from")
+    - ``a -= b``
+
+Along with simple arithmetic, the ``+=`` operator supports adding elements to
+:zeek:type:`table`,
+:zeek:type:`set`,
+:zeek:type:`vector`, and
+:zeek:type:`pattern`
+values, providing the righthand operand (RHS) has the same type.
+For :zeek:type:`table` and :zeek:type:`set` values,
+each of the RHS elements are added to the
+table or set.  For :zeek:type:`vector`, the RHS elements are appended to
+the end of the vector.  For :zeek:type:`pattern` values, the pattern is
+modified to include the RHS pattern as an alternative (regular expression ``|``
+operator).
+
+The ``-=`` operator provides analogous functionality for :zeek:type:`table`
+and :zeek:type:`set` types, removing from the lefthand operand any elements
+it has in common with the RHS value.  (Note that for tables, only the
+indices are used; if the RHS value has an index in common with the lefthand
+operand's value, it's removed even if the "yield" values differ.)
+
+For all assignment operators, you can specify a comma-separated list of
+values within braces (``{`` ... ``}``).  These are treated as *constructor*
+arguments to create a corresponding :zeek:type:`table`, :zeek:type:`set`,
+or :zeek:type:`vector` value, with the type of constructor taken from
+the lefthand operand.  For example:
+
+.. code-block:: zeek
+
+    local t: table[count, string] of double;
+    ...
+    t += { [3, "three"] = 3.0, [9, "nine"] = 9.0 };
+
+will add those two elements to the table ``t``.  For :zeek:type:`table`
+and :zeek:type:`set` constructors, you can embed lists in the constructor
+arguments to produce a cross-product expansion.  For example:
+
+.. code-block:: zeek
+
+    local t: table[count, string] of double;
+    ...
+    t += { [[3, 4], ["three", "four"]] = 3.0, [9, "nine"] = 9.0 };
+
+results in ``t`` having five elements:
+
+.. code-block:: zeek
+
+    [3, three] = 3.0
+    [3, four] = 3.0
+    [4, three] = 3.0
+    [4, four] = 3.0
+    [9, nine] = 9.0
+
+Finally, you can also use the ``+=`` operator to
+append an element to the end of a
+vector.  For example, ``v += e`` is equivalent to ``v[|v|] = e``,
+providing that ``e``'s type corresponds to that of one of ``v``'s elements.
+
+.. _record-field-operators:
+
+Record field operators
+----------------------
+
+The record field operators take a :zeek:type:`record` as the first operand,
+and a field name as the second operand.  For both operators, the specified
+field name must be in the declaration of the record type.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Field access
+    - ``a$b``
+    -
+
+  * - Field value existence test
+    - ``a?$b``
+    - Evaluates to type :zeek:type:`bool`.  True if the specified field has
+      been assigned a value, or if not.
+
+.. _pattern-operators:
+
+Pattern operators
+-----------------
+
+In the table below, ``p`` is a pattern, and ``s`` is a string.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Exact matching
+    - ``p == s``
+    - Evaluates to a boolean, indicating if the entire string exactly matches
+      the pattern.
+
+  * - Embedded matching
+    - ``p in s``
+    - Evaluates to a boolean, indicating if pattern is found somewhere in the
+      string.
+
+  * - Conjunction
+    - ``p1 & p2``
+    - Evaluates to a pattern that represents matching ``p1`` followed by
+      ``p2``.
+
+  * - Disjunction
+    - ``p1 | p2``
+    - Evaluates to a pattern that represents matching ``p1`` or ``p2``.
+
+Type casting
+------------
+
+The ``as`` operator performs type casting and the ``is`` operator checks if a
+type cast is supported or not.  For both operators, the first operand is a
+value and the second operand is the name of a Zeek script type (either built-in
+or user-defined).
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Type cast
+    - ``v as t``
+    - Cast value ``v`` into type ``t``. Evaluates to the value as cast to the
+      specified type.  If this is not a supported cast, then a runtime error
+      is triggered.
+
+  * - Check if a cast is supported
+    - ``v is t``
+    - Evaluates to :zeek:type:`bool`. If true,  then ``v as t`` would succeed.
+
+Only the following kinds of type casts are supported currently:
+
+- Broker values (i.e., :zeek:see:`Broker::Data` values returned from
+  functions such as :zeek:id:`Broker::data`) can be cast to their
+  corresponding Zeek script types.
+- A value of declared type :zeek:type:`any` can be cast to its actual
+  underlying type.
+- All values can be cast to their declared types (i.e., this is a no-op).
+- :zeek:type:`set` and :zeek:type:`vector` values can be converted into each
+  other, with the following limitations: (1) A :zeek:type:`set` being converted
+  into a :zeek:type:`vector` can only have a single index type.  Converting a
+  set with multiple index types will return an error. (2) The :zeek:type:`set`
+  and :zeek:type:`vector` types must have the same internal type.
+
+The function in this example tries to cast a value to a string:
+
+.. code-block:: zeek
+
+    function example(a: any)
+        {
+        local s: string;
+
+        if ( a is string )
+            s = (a as string);
+        }
+
+The function in this example converts a set to a vector:
+
+.. code-block:: zeek
+
+    function example()
+        {
+	local s: set[count] = { 1, 2, 3 };
+	local v = s as vector of count;
+        }
+
+Other operators
+---------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Membership test
+    - ``a in b``
+    - Evaluates to type :zeek:type:`bool`.  Works with :zeek:type:`string`,
+      :zeek:type:`pattern`, :zeek:type:`subnet`, :zeek:type:`set`,
+      :zeek:type:`table`, or :zeek:type:`vector` operands.  Do not confuse this
+      use of ``in`` with that used in a :zeek:keyword:`for`
+      statement.
+
+  * - Non-membership test
+    - ``a !in b``
+    - This is the logical NOT of the ``in`` operator.  For example:
+      ``a !in b`` is equivalent to ``!(a in b)``.
+
+  * - Table or vector element access
+    - ``a[b]``
+    - This operator can also be used with a :zeek:type:`set`, but only with the
+      :zeek:keyword:`add` or :zeek:keyword:`delete` statement.
+
+  * - Substring extraction
+    - ``a[b:c]``
+    - See the :zeek:type:`string` type for more details.
+
+  * - Create a deep copy
+    - ``copy(a)``
+    - This is relevant only for data types that are assigned by reference, such
+      as :zeek:type:`vector`, :zeek:type:`set`, :zeek:type:`table`, and
+      :zeek:type:`record`.
+
+  * - Module namespace access
+    - ``a::b``
+    - The first operand is the module name, and the second operand is an
+      identifier that refers to a global variable, enumeration constant, or
+      user-defined type that was exported from the module.
+
+  * - Conditional
+    - ``a ? b : c``
+    - The first operand must evaluate to type :zeek:type:`bool`.  If true, then
+      the second expression is evaluated and is the result of the entire
+      expression.  Otherwise, the third expression is evaluated and is the
+      result of the entire expression. The types of the second and third
+      operands must be compatible.  Known as the ternary operator.
diff --git a/doc/script-reference/packages.rst b/doc/script-reference/packages.rst
new file mode 100644
index 0000000000..7b78677b6d
--- /dev/null
+++ b/doc/script-reference/packages.rst
@@ -0,0 +1,14 @@
+.. _script-packages:
+
+Zeek Package Index
+==================
+
+Zeek has the following script packages (e.g. collections of related scripts in
+a common directory).  If the package directory contains a ``__load__.zeek``
+script, it supports being loaded in mass as a whole directory for convenience.
+
+Packages/scripts in the ``base/`` directory are all loaded by default, while
+ones in ``policy/`` provide functionality and customization options that are
+more appropriate for users to decide whether they'd like to load it or not.
+
+.. include:: autogenerated-package-index.rst
diff --git a/doc/script-reference/packet-analyzers.rst b/doc/script-reference/packet-analyzers.rst
new file mode 100644
index 0000000000..445681d57c
--- /dev/null
+++ b/doc/script-reference/packet-analyzers.rst
@@ -0,0 +1 @@
+.. include:: autogenerated-packet-analyzer-index.rst
diff --git a/doc/script-reference/proto-analyzers.rst b/doc/script-reference/proto-analyzers.rst
new file mode 100644
index 0000000000..a87f7ec082
--- /dev/null
+++ b/doc/script-reference/proto-analyzers.rst
@@ -0,0 +1 @@
+.. include:: autogenerated-protocol-analyzer-index.rst
diff --git a/doc/script-reference/scripts.rst b/doc/script-reference/scripts.rst
new file mode 100644
index 0000000000..408ba61e36
--- /dev/null
+++ b/doc/script-reference/scripts.rst
@@ -0,0 +1,5 @@
+=================
+Zeek Script Index
+=================
+
+.. include:: autogenerated-script-index.rst
diff --git a/doc/script-reference/statements.rst b/doc/script-reference/statements.rst
new file mode 100644
index 0000000000..ee11770e4a
--- /dev/null
+++ b/doc/script-reference/statements.rst
@@ -0,0 +1,1237 @@
+Declarations and Statements
+===========================
+
+The Zeek scripting language supports the following declarations_ and
+statements_.
+
+Declarations
+------------
+
+Declarations cannot occur within a function, hook, or event handler.
+
+Declarations must appear before any statements (except those statements
+that are in a function, hook, or event handler) in the concatenation of
+all loaded Zeek scripts.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Description
+
+  * - :zeek:keyword:`module`
+    - Change the current module
+
+  * - :zeek:keyword:`export`
+    - Export identifiers from the current module
+
+  * - :zeek:keyword:`global`
+    - Declare a global variable
+
+  * - :zeek:keyword:`const`
+    - Declare a constant
+
+  * - :zeek:keyword:`option`
+    - Declare a configuration option
+
+  * - :zeek:keyword:`type`
+    - Declare a user-defined type
+
+  * - :zeek:keyword:`redef`
+    - Redefine a global value or extend a user-defined type
+
+  * - `Callables`_: :zeek:type:`function`, :zeek:type:`event`, :zeek:type:`hook`
+    - Declare a function, event handler, or hook
+
+
+.. zeek:keyword:: module
+
+module
+~~~~~~
+
+The ``module`` keyword is used to change the current module.  This
+affects the scope of any subsequently declared global identifiers.
+
+Example:
+
+.. code-block:: zeek
+
+    module mymodule;
+
+If a global identifier is declared after a ``module`` declaration,
+then its scope ends at the end of the current Zeek script or at the
+next ``module`` declaration, whichever comes first.  However, if a
+global identifier is declared after a ``module`` declaration, but inside
+an :zeek:keyword:`export` block, then its scope ends at the end of the
+last loaded Zeek script, but it must be referenced using the namespace
+operator (``::``) in other modules.
+
+There can be any number of ``module`` declarations in a Zeek script.
+The same ``module`` declaration can appear in any number of different
+Zeek scripts.
+
+The reserved module name ``GLOBAL`` switches to the default global
+namespace. This comes in handy if you're working in a module context but want to
+define something globally, without the module's namespacing. For example, the
+:ref:`Notice Framework <notice-framework>` uses this approach to define the
+``NOTICE()`` function.
+
+.. zeek:keyword:: export
+
+export
+~~~~~~
+
+An ``export`` block contains one or more declarations
+(no statements are allowed in an ``export`` block) that the current
+module is exporting.  This enables these global identifiers to be visible
+in other modules (but not prior to their declaration) via the namespace
+operator (``::``).  See the :zeek:keyword:`module` keyword for a more
+detailed explanation.
+
+Example:
+
+.. code-block:: zeek
+
+    export {
+        redef enum Log::ID += { LOG };
+
+        type Info: record {
+            ts: time &log;
+            uid: string &log;
+        };
+
+        const conntime = 30sec &redef;
+    }
+
+Note that the braces in an ``export`` block are always required
+(they do not indicate a compound statement).  Also, no semicolon is
+needed to terminate an ``export`` block.
+
+
+.. zeek:keyword:: global
+
+global
+~~~~~~
+
+Variables declared with the ``global`` keyword will have global scope.
+
+If a type is not specified, then an initializer is required so that
+the type can be inferred.  Likewise, if an initializer is not supplied,
+then the type must be specified.  In some cases, when the type cannot
+be correctly inferred, the type must be specified even when an
+initializer is present.  Example:
+
+.. code-block:: zeek
+
+    global pi = 3.14;
+    global hosts: set[addr];
+    global ciphers: table[string] of string = table();
+
+Variable declarations outside of any function, hook, or event handler are
+required to use this keyword (unless they are declared with the
+:zeek:keyword:`const` keyword instead).
+
+Definitions of functions, hooks, and event handlers are not allowed
+to use the ``global`` keyword.  However, function declarations (i.e., no
+function body is provided) can use the ``global`` keyword.
+
+The scope of a global variable begins where the declaration is located,
+and extends through all remaining Zeek scripts that are loaded (however,
+see the :zeek:keyword:`module` keyword for an explanation of how modules
+change the visibility of global identifiers).
+
+
+.. zeek:keyword:: const
+
+const
+~~~~~
+
+A variable declared with the ``const`` keyword cannot be changed by
+reassignment.  Variables declared as constant are required to be initialized at
+the time of declaration.  Normally, the type is inferred from the initializer,
+but the type can be explicitly specified.  Example:
+
+.. code-block:: zeek
+
+    const pi = 3.14;
+    const ssh_port: port = 22/tcp;
+
+The value of a constant cannot be changed:
+
+.. code-block:: zeek
+
+    ssh_port = 80/tcp; # "error [...]: const is not a modifiable lvalue (ssh_port)"
+
+The only exception is if the variable is a global constant and has the
+:zeek:attr:`&redef` attribute, but even then its value can be changed only with
+a :zeek:keyword:`redef` declaration:
+
+.. code-block:: zeek
+
+    const ssh_port: port = 22/tcp &redef;
+    # ...
+    redef ssh_port = 2222/tcp; # ok
+
+Const-ness does not apply to members of existing container type instances, which
+can still be modified, added, or removed:
+
+.. code-block:: zeek
+
+    const ssh_ports = vector(22/tcp, 2222/tcp);
+    # ...
+    ssh_ports += 222/tcp; # ok
+    ssh_ports = vector(222/tcp); # error [...]: const is not a modifiable lvalue (ssh_ports)
+
+The scope of a constant is local if the declaration is in a
+function, hook, or event handler, and global otherwise.
+
+Note that the ``const`` keyword cannot be used with either the ``local``
+or ``global`` keywords (i.e., ``const`` is an alternative to either
+``local`` or ``global``).
+
+
+.. zeek:keyword:: option
+
+option
+~~~~~~
+
+A variable declared with the ``option`` keyword is a configuration option.
+
+Options are required to be initialized at the
+time of declaration.  Normally, the type is inferred from the initializer,
+but the type can be explicitly specified.  Example:
+
+.. code-block:: zeek
+
+    option hostname = "host-1";
+    option peers: set[addr] = {};
+
+The initial value can be redefined with a :zeek:keyword:`redef`.
+
+The value of an option cannot be changed by an assignment statement, but
+it can be changed by either the :zeek:id:`Config::set_value` function or
+by changing a config file specified in :zeek:id:`Config::config_files`.
+
+The scope of an option is global.
+
+Note that an ``option`` declaration cannot also use the ``local``,
+``global``, or ``const`` keywords.
+
+
+.. zeek:keyword:: type
+
+type
+~~~~
+
+The ``type`` keyword is used to declare a user-defined type.  The name
+of this new type has global scope and can be used anywhere a built-in
+type name can occur.
+
+The ``type`` keyword is most commonly used when defining a
+:zeek:type:`record` or an :zeek:type:`enum`, but is also useful when
+dealing with more complex types.
+
+Example:
+
+.. code-block:: zeek
+
+   type mytype: table[count] of table[addr, port] of string;
+   global myvar: mytype;
+
+
+.. zeek:keyword:: redef
+
+redef
+~~~~~
+
+There are several ways that ``redef`` can be used:  to redefine the initial
+value of a global variable or runtime option, to extend a record type or
+enum type, to add or remove attributes of record fields, or to specify a
+new event handler body that replaces all those that were previously defined.
+
+Redefining Initial Values
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If you're using ``redef`` to redefine the initial value of a global variable
+(defined using either :zeek:keyword:`const` or :zeek:keyword:`global`), then
+the variable that you want to change must have the :zeek:attr:`&redef`
+attribute.  You can use ``redef`` to redefine the initial value of a
+runtime option (defined using :zeek:keyword:`option`) even if it doesn't
+have the :zeek:attr:`&redef` attribute.
+
+If the variable you're changing is a table, set, vector, or pattern, you can
+use ``+=`` to add new elements, or you can use ``=`` to specify a new value
+(all previous contents of the object are removed).  If the variable you're
+changing is a set or table, then you can use the ``-=`` operator to remove
+the specified elements (nothing happens for specified elements that don't
+exist).  If the variable you are changing is not a table, set, or pattern,
+then you must use the ``=`` operator.
+
+Examples:
+
+.. code-block:: zeek
+
+    redef pi = 3.14;
+    redef set_of_ports += { 22/tcp, 53/udp };
+
+Extending Records Types or Enums
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If you're using ``redef`` to extend a record or enum, then you must
+use the ``+=`` assignment operator.
+For an enum, you can add more enumeration constants, and for a record
+you can add more record fields (however, each record field in the ``redef``
+must have either the :zeek:attr:`&optional` or :zeek:attr:`&default`
+attribute).
+
+Examples:
+
+.. code-block:: zeek
+
+    redef enum color += { Blue, Red };
+    redef record MyRecord += { n2:int &optional; s2:string &optional; };
+
+Changing Attributes of Record Fields
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. versionadded:: 5.1
+
+If you're using ``redef`` to change the attributes of a record field, you must
+use either the ``+=`` or ``-=`` assignment operator and specify the record field
+by means of the field access operator ``$`` using the record type's name.
+
+Only the ``&log`` attribute can currently be removed from or added to an
+existing record field. This enables removal of columns from logs that are
+uninteresting for a given deployment or include columns that do not yet have
+the ``&log`` attribute.
+
+.. note::
+
+   The :ref:`logging framework <framework-logging>` provides a separate
+   mechanism to exclude columns from logs by means of the ``exclude`` field
+   on :zeek:see:`Log::Filter` instances.
+
+Examples:
+
+.. code-block:: zeek
+
+    redef record Notice::Info$email_dest -= { &log }
+
+    redef record X509::Certificate$tbs_sig_alg += { &log };
+
+Replacing Event Handlers
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+If you're using ``redef`` to specify a new event handler body that
+replaces all those that were previously defined (i.e., any subsequently
+defined event handler body will not be affected by this ``redef``), then
+the syntax is the same as a regular event handler definition except for
+the presence of the ``redef`` keyword.
+
+Example:
+
+.. code-block:: zeek
+
+    redef event myevent(s:string) { print "Redefined", s; }
+
+
+.. _function/event/hook:
+
+Callables
+~~~~~~~~~
+
+Callable types come in three flavors: :zeek:type:`function`, :zeek:type:`event`
+handler, and :zeek:type:`hook`. All come with associated arguments and
+bodies of statements. The following table compares and contrasts:
+
+.. list-table::
+  :header-rows: 1
+
+  * - **Features**
+    - :zeek:type:`function`
+    - :zeek:type:`hook`
+    - :zeek:type:`event`
+
+  * - **Anonymity**
+    - Yes
+    - No
+    - No
+
+  * - **Multiple bodies and priorities**
+    - No
+    - Yes
+    - Yes
+
+  * - **Immediate invocation**
+    - Yes
+    - Yes
+    - No
+
+  * - **Scheduling**
+    - No
+    - No
+    - Yes
+
+  * - **Default arguments**
+    - Yes
+    - Yes
+    - Yes
+
+  * - **Container argument mutability**
+    - Yes if synchronous, no if :ref:`asynchronous <asynchronous-return>`
+    - Yes
+    - Yes
+
+  * - **Alternate declarations**
+    - No
+    - Yes
+    - Yes
+
+  * - **Return value**
+    - Yes
+    - Yes
+    - No
+
+Anonymity
+^^^^^^^^^
+
+While Zeek does support the concept of :ref:`anonymous functions
+<anonymous-function>` (i.e., lambdas), hooks and events cannot be
+anonymous. They are referenced by their names. As an example, reducer functions
+in the :ref:`SumStats framework <sumstats-framework>` are often implemented as
+lambda functions.
+
+Multiple bodies and priorities
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Functions cannot have multiple bodies, however, hooks and events can. This means
+that different scripts can add additional bodies to a hook or event associated
+with a unique name. When an event or hook is executed, Zeek needs a way to order
+the execution. This is accomplished with the numerical  :zeek:attr:`&priority`
+attribute: by default, a hook’s or event’s body has a priority of zero, but any
+integer-range value is valid.
+
+Immediate invocation
+^^^^^^^^^^^^^^^^^^^^
+
+Functions and hook bodies are executed immediately. That means if a script is
+being interpreted and a line contains a function call, execution flow is
+immediately passed to that function (or hook). This does not happen for
+events. Events are pushed onto an event queue within Zeek and are handled as
+time passes.
+
+Scheduling
+^^^^^^^^^^
+
+Functions and hooks cannot be scheduled like events can. Scheduling places an
+event onto the event queue and is the equivalent to immediately invoking a
+function or hook. Attempting to schedule a function or a hook results in the
+same syntax error: "function invoked as an event".
+
+Default arguments
+^^^^^^^^^^^^^^^^^
+
+Functions, hooks, and events all support :ref:`default values <default-values>`
+for their arguments.
+
+Container argument mutability
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When argument types are container types (such as records or tables), mutating the
+arguments within the body of a function, hook, or event causes the argument to
+retain that mutation: container types are passed by reference while atomic types
+are passed by value.
+
+Asynchronous functions are an exception: the evaluation of :zeek:keyword:`when`
+statements invokes such functions with copies of their arguments, causing
+modifications made inside the asynchronous function to be lost. Please refer to
+:ref:`asynchronous return <asynchronous-return>` for possible workarounds.
+
+Alternate declarations
+^^^^^^^^^^^^^^^^^^^^^^
+
+Hooks and events do support alternate prototype declarations. This means that a
+set or scripts may define a single event (or hook) name multiple times with
+different argument sets. This is often referred to as overloading in other
+languages. Functions do not support alternate prototype declarations.
+
+Return value
+^^^^^^^^^^^^
+
+All functions must return a value. However, functions with no explicit return
+type implicitly return void. This can seem a bit odd as void isn’t a valid Zeek
+type.  A hook body is allowed to return before it breaks. Hooks may return
+either a boolean type or void, but aren’t required to return any value.  Events
+cannot return a value because they are scheduled through the event loop and
+don’t have a caller to return to.
+
+For further details on how to declare callables, see the  :zeek:type:`function`,
+:zeek:type:`event` handler, and :zeek:type:`hook` documentation.
+
+Statements
+----------
+
+Statements (except those contained within a function, hook, or event
+handler) can appear only after all global declarations in the concatenation
+of all loaded Zeek scripts.
+
+Each statement in a Zeek script must be terminated with a semicolon (with a
+few exceptions noted below).  An individual statement can span multiple
+lines.
+
+Here are the statements that the Zeek scripting language supports.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Description
+
+  * - :zeek:keyword:`local`
+    - Declare a local variable
+
+  * - :zeek:keyword:`add`, :zeek:keyword:`delete`
+    - Add or delete elements
+
+  * - :zeek:keyword:`assert`
+    - Runtime assertion
+
+  * - :zeek:keyword:`print`
+    - Print to stdout or a file
+
+  * - :zeek:keyword:`for`, :zeek:keyword:`while`,
+      :zeek:keyword:`next`, :zeek:keyword:`break`
+    - Loop over each element in a container object (``for``), or as long as a
+      condition evaluates to true (``while``).
+
+  * - :zeek:keyword:`if`
+    - Evaluate boolean and if true, execute a statement
+
+  * - :zeek:keyword:`switch`, :zeek:keyword:`break`, :zeek:keyword:`fallthrough`
+    - Evaluate expression and execute statement with a matching value
+
+  * - :zeek:keyword:`when`
+    - Asynchronous execution
+
+  * - :zeek:keyword:`event`, :zeek:keyword:`schedule`
+    - Invoke or schedule an event handler
+
+  * - :zeek:keyword:`return`
+    - Return from function, hook, or event handler
+
+
+.. zeek:keyword:: add
+
+add
+~~~
+
+The ``add`` statement is used to add an element to a :zeek:type:`set`.
+Nothing happens if the specified element already exists in the set.
+
+Example:
+
+.. code-block:: zeek
+
+    local myset: set[string];
+    add myset["test"];
+
+
+.. zeek:keyword:: assert
+
+assert
+~~~~~~
+
+.. versionadded:: 6.1
+
+The ``assert`` statement can be used for runtime assertion checks or as a building
+block for a testing framework. It takes an expression ``expr`` of type
+:zeek:see:`bool` and an optional message of type :zeek:see:`string`.
+If ``expr`` at runtime evaluates to ``F``, the string representation
+of the expression and the given message, if any, are logged
+via :zeek:see:`Reporter::error` by default.
+
+Script execution for a given event handler stops with a failing ``assert`` statement
+comparable to a scripting runtime error after generating the log.
+
+Example:
+
+.. literalinclude:: assert_1.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+This script prints the following messages to stderr, as well as logging them to
+:file:`reporter.log`.
+
+.. code-block:: console
+
+   $ zeek assert_1.zeek
+   error in ./assert_1.zeek, line 6: assertion failure: 40 < x
+   error in ./assert_1.zeek, line 12: assertion failure: 40 < x (37 is not greater than 40)
+
+.. note::
+
+   Zeek's exit code in this example will be ``0``, indicating success.
+   Script errors other than those in a ``zeek_init()`` handler are not
+   reflected in Zeek's exit code.
+
+
+The logging behavior of failing assert statements can be customized using the
+:zeek:see:`assertion_failure` or :zeek:see:`assertion_result` hook.
+Using the :zeek:see:`break` statement in either hook allows for suppression
+of the the default log generation.
+The :zeek:see:`assertion_result` hook is targeted for testing frameworks as it
+is likely prohibitively expensive for use in a live production environment due
+to being invoked for every ``assert`` statement execution.
+
+
+.. zeek:keyword:: break
+
+break
+~~~~~
+
+The ``break`` statement is used to break out of a :zeek:keyword:`switch`,
+:zeek:keyword:`for`, or :zeek:keyword:`while` statement.
+
+
+.. zeek:keyword:: delete
+
+delete
+~~~~~~
+
+The ``delete`` statement is used to remove an element from a
+:zeek:type:`set` or :zeek:type:`table`, or to remove a value from
+a :zeek:type:`record` field that has the :zeek:attr:`&optional` attribute.
+When attempting to remove an element from a set or table,
+nothing happens if the specified index does not exist.
+When attempting to remove a value from an ``&optional`` record field,
+nothing happens if that field doesn't have a value.
+
+Example:
+
+.. code-block:: zeek
+
+    local myset = set("this", "test");
+    local mytable = table(["key1"] = 80/tcp, ["key2"] = 53/udp);
+    local myrec = MyRecordType($a = 1, $b = 2);
+
+    delete myset["test"];
+    delete mytable["key1"];
+
+    # In this example, "b" must have the "&optional" attribute
+    delete myrec$b;
+
+.. versionadded:: 7.0
+
+The ``delete`` statement can also be used to remove all elements from
+a :zeek:type:`set`, :zeek:type:`table` or :zeek:type:`vector`.
+
+Example:
+
+.. code-block:: zeek
+
+    local myset = set("this", "test");
+    delete myset;
+
+
+.. zeek:keyword:: event
+
+event
+~~~~~
+
+The ``event`` statement immediately queues invocation of an event handler.
+
+Example:
+
+.. code-block:: zeek
+
+    event myevent("test", 5);
+
+
+.. zeek:keyword:: fallthrough
+
+fallthrough
+~~~~~~~~~~~
+
+The ``fallthrough`` statement can be used within a ``case`` block to
+indicate that execution should continue at the next ``case`` or ``default``
+label.
+
+For an example, see the :zeek:keyword:`switch` statement.
+
+.. zeek:keyword:: for
+
+for
+~~~
+
+A ``for`` loop iterates over each element in a string, set, vector, or
+table and executes a statement for each iteration (note that the order
+in which the loop iterates over the elements in a set or a table is
+nondeterministic).  However, no loop iterations occur if the string,
+set, vector, or table is empty.
+
+For each iteration of the loop, a loop variable will be assigned to an
+element if the expression evaluates to a string or set, or an index if
+the expression evaluates to a vector or table.  Then the statement
+is executed.
+
+If the expression is a table or a set with more than one index, then the
+loop variable must be specified as a comma-separated list of different
+loop variables (one for each index), enclosed in brackets.
+
+If the expression is a table, keys and values can be iterated over at the
+same time by specifying a key and value variable. Similarly, if the expression
+is a vector, indices and values can be iterated over at the same time by
+specifying an index and value variable.
+The core exposes value variables for free, so this should be preferred to
+accessing the values in a separate lookup inside the loop.
+
+Note that the loop variable in a ``for`` statement is not allowed to be
+a global variable, and it does not need to be declared prior to the ``for``
+statement.  The type will be inferred from the elements of the
+expression.
+
+In some scenarios, the loop variable or parts of the table index may be
+unused in the ``for`` loop's body. Zeek reserves ``_``, the blank identifier, as
+an explicitly way to support capturing unused variables.
+
+The blank identifier can be assigned expressions of any type, but it can
+never be referenced.
+For the ``for`` loop, this allows to use the blank identifier to capture
+unused loop variables of differing types---something that isn't possible
+with normal variables.
+As a special case, all index variables of a table or set can be ignored with
+a single blank identifier.
+In fact, in current versions of Zeek, ignoring all index variables allows
+for faster iteration and is therefore recommended to be used when possible.
+
+Currently, modifying a container's membership while iterating over it may
+result in undefined behavior, so do not add or remove elements
+inside the loop.
+
+A :zeek:keyword:`break` statement will immediately terminate the ``for``
+loop, and a :zeek:keyword:`next` statement will skip to the next loop
+iteration.
+
+Example:
+
+.. code-block:: zeek
+
+    local myset = set(80/tcp, 81/tcp);
+    local mytable = table([ 10.0.0.1, 80/tcp ] = "s1", [ 10.0.0.2, 81/tcp ] = "s2");
+    local myvector = vector("zero", "one", "two");
+
+    for ( p in myset )
+        print p;
+
+    for ( [ip, p], val in mytable )
+        {
+        if ( val == "done" )
+            break;
+        if ( val == "skip" )
+            next;
+        print ip, p;
+        }
+
+    for ( _, val in mytable )
+        print val;
+
+    for ( [ip, _], _ in mytable )
+        print ip;
+
+    for ( i, val in myvector )
+        print i, val;
+
+    for ( _, val in myvector )
+        print val;
+
+
+.. zeek:keyword:: if
+
+if
+~~
+
+Evaluates a given expression, which must yield a :zeek:type:`bool` value.
+If true, then a specified statement is executed.  If false, then
+the statement is not executed.  Example:
+
+.. code-block:: zeek
+
+    if ( x == 2 ) print "x is 2";
+
+However, if the expression evaluates to false and if an ``else`` is
+provided, then the statement following the ``else`` is executed.  Example:
+
+.. code-block:: zeek
+
+    if ( x == 2 )
+        print "x is 2";
+    else
+        print "x is not 2";
+
+
+.. zeek:keyword:: local
+
+local
+~~~~~
+
+A variable declared with the ``local`` keyword will be local.  If a type
+is not specified, then an initializer is required so that the type can
+be inferred.  Likewise, if an initializer is not supplied, then the
+type must be specified.
+
+Examples:
+
+.. code-block:: zeek
+
+    local x1 = 5.7;
+    local x2: double;
+    local x3: double = 5.7;
+
+Variable declarations inside a function, hook, or event handler are
+required to use this keyword (the only two exceptions are variables
+declared with :zeek:keyword:`const`, and variables implicitly declared in a
+:zeek:keyword:`for` statement).
+
+The scope of a local variable starts at the location where it is declared
+and persists to the end of the function, hook,
+or event handler in which it is declared (this is true even if the
+local variable was declared within a `compound statement`_ or is the loop
+variable in a ``for`` statement).
+
+
+.. zeek:keyword:: next
+
+next
+~~~~
+
+The ``next`` statement can only appear within a :zeek:keyword:`for` or
+:zeek:keyword:`while` loop.  It causes execution to skip to the next
+iteration.
+
+
+.. zeek:keyword:: print
+
+print
+~~~~~
+
+The ``print`` statement takes a comma-separated list of one or more
+expressions.  Each expression in the list is evaluated and then converted
+to a string.  Then each string is printed, with each string separated by
+a comma in the output.
+
+Examples:
+
+.. code-block:: zeek
+
+    print 3.14;
+    print "Results", x, y;
+
+By default, the ``print`` statement writes to the standard
+output (stdout).  However, if the first expression is of type
+:zeek:type:`file`, then ``print`` writes to that file.
+
+If a string contains non-printable characters (i.e., byte values that are
+not in the range 32 - 126), then the ``print`` statement converts each
+non-printable character to an escape sequence before it is printed.
+
+For more control over how the strings are formatted, see the :zeek:id:`fmt`
+function.
+
+
+.. zeek:keyword:: return
+
+return
+~~~~~~
+
+The ``return`` statement immediately exits the current function, hook, or
+event handler.  For a function, the specified expression (if any) is
+evaluated and returned.  A ``return`` statement in a hook or event handler
+cannot return a value because event handlers and hooks do not have
+return types.
+
+Examples:
+
+.. code-block:: zeek
+
+    function my_func(): string
+        {
+        return "done";
+        }
+
+    event my_event(n: count)
+        {
+        if ( n == 0 ) return;
+
+        print n;
+        }
+
+.. _asynchronous-return:
+
+Asynchronous return
+^^^^^^^^^^^^^^^^^^^
+
+There is a special form of the ``return`` statement that is only allowed
+in functions.  Syntactically, it looks like a :zeek:keyword:`when` statement
+immediately preceded by the ``return`` keyword.  This form of the ``return``
+statement is used to specify a function that delays its result: an
+*asynchronous function*.
+Such functions can only be called in the expression of a :zeek:keyword:`when`
+statement).  The function returns at the time the ``when``
+statement's condition becomes true, and the function returns the value
+that the ``when`` statement's body returns (or if the condition does
+not become true within the specified timeout interval, then the function
+returns the value that the ``timeout`` block returns).
+
+(Note that if you use the deprecated feature of not listing the *captures*
+in your ``return when`` statement, then, in contrast to regular functions, your
+asynchronous functions cannot make lasting modifications to
+arguments that have aggregate types, because those values will be
+deep-copied upon execution of the ``return when``.)
+
+Example:
+
+.. code-block:: zeek
+
+  global X: table[string] of count;
+
+  function a() : count
+        {
+        # This delays until condition becomes true.
+        return when ( "a" in X )
+              {
+              return X["a"];
+              }
+        timeout 30 sec
+              {
+              return 0;
+              }
+        }
+
+  event zeek_init()
+        {
+        # Installs a trigger which fires if a() returns 42.
+        when ( a() == 42 )
+            print "expected result";
+
+        print "Waiting for a() to return...";
+        X["a"] = 42;
+        }
+
+
+.. zeek:keyword:: schedule
+
+schedule
+~~~~~~~~
+
+The ``schedule`` statement is used to raise a specified event with
+specified parameters at a later time specified as an :zeek:type:`interval`.
+
+Example:
+
+.. code-block:: zeek
+
+    schedule 30sec { myevent(x, y, z) };
+
+.. note::
+
+   The braces are always required here (that is, they do not indicate a
+   `compound statement`_). Also, ``schedule`` is actually an expression that
+   returns a value of type ``timer``, but in practice the return value is not
+   used.
+
+.. note::
+
+  Always specify event names with their full module namespace. For example,
+  if the above ``myevent`` lives in the ``MyModule`` module, then say the
+  following even when working inside the module:
+
+  .. code-block:: zeek
+
+     schedule 30sec { MyModule::myevent(x, y, z) };
+
+  See :ref:`event-namespacing-pitfall` for details.
+
+.. note::
+
+  Using ``schedule`` within :zeek:see:`zeek_init` does not usually have the
+  desired behavior -- since :zeek:see:`network_time` is not yet initialized,
+  the scheduled event may be dispatched upon processing the first network
+  packet since that will update network-time from zero to the time associated
+  with capturing that packet.  A typical workaround is to ignore the first
+  time such an event is dispatched and simply re-schedule it or to instead
+  schedule the first event from within the :zeek:see:`network_time_init` event.
+
+.. zeek:keyword:: switch
+
+switch
+~~~~~~
+
+A ``switch`` statement evaluates a given expression and jumps to
+the first ``case`` label which contains a matching value (the result of the
+expression must be type-compatible with all of the values in all of the
+``case`` labels).  If there is no matching value, then execution jumps to
+the ``default`` label instead, and if there is no ``default`` label then
+execution jumps out of the ``switch`` block.
+
+Here is an example (assuming that ``get_day_of_week`` is a
+function that returns a string):
+
+.. code-block:: zeek
+
+    switch get_day_of_week() {
+        case "Sa", "Su":
+            print "weekend";
+            fallthrough;
+        case "Mo", "Tu", "We", "Th", "Fr":
+            print "valid result";
+            break;
+        default:
+            print "invalid result";
+            break;
+    }
+
+A ``switch`` block can have any number of ``case`` labels, and one
+optional ``default`` label.
+
+A ``case`` label can have a comma-separated list of
+more than one value.  A value in a ``case`` label can be an expression,
+but it must be a constant expression (i.e., the expression can consist
+only of constants).
+
+Each ``case`` and the ``default`` block must
+end with either a :zeek:keyword:`break`, :zeek:keyword:`fallthrough`, or
+:zeek:keyword:`return` statement (although ``return`` is allowed only
+if the ``switch`` statement is inside a function, hook, or event handler).
+
+Note that the braces in a ``switch`` statement are always required (these
+do not indicate the presence of a `compound statement`_), and that no
+semicolon is needed at the end of a ``switch`` statement.
+
+There is an alternative form of the switch statement that supports
+switching by type rather than value.  This form of the switch statement
+uses type-based versions of ``case``:
+
+- ``case type t: ...``: Take branch if the value of the switch expression
+  could be casted to type ``t`` (where ``t`` is the name of a Zeek script
+  type, either built-in or user-defined).
+
+- ``case type t as x: ...``: Same as above, but the casted value is
+  available through ID ``x``.
+
+Multiple types can be listed per branch, separated by commas (the ``type``
+keyword must be repeated for each type in the list).
+
+Example:
+
+.. code-block:: zeek
+
+    function example(v: any)
+        {
+        switch (v) {
+        case type count as c:
+                print "It's a count", c;
+                break;
+
+        case type bool, type addr:
+                print "It's a bool or address";
+                break;
+        }
+        }
+
+Note that a single switch statement switches either by type or by value,
+but not both.
+
+Also note that the type-based switch statement will trigger a runtime
+error if any cast in any ``case`` is an unsupported cast (see the
+documentation of the type casting operator ``as``).
+
+A type-casting ``case`` block is also not allowed to use a
+:zeek:keyword:`fallthrough` statement since that could generally mean
+entering another type-casting block. That is, the switched-upon value could
+get cast to at least two different types, which is not a valid possibility.
+
+
+.. _when-statement:
+.. zeek:keyword:: when
+
+when
+~~~~
+
+Evaluates a given expression, which must result in a value of type
+:zeek:type:`bool`.  When the value of the expression becomes available
+and if the result is true, then a specified statement is executed.
+
+In the following example, if the expression evaluates to true, then
+the ``print`` statement is executed:
+
+.. code-block:: zeek
+
+    when ( (local x = foo()) && x == 42 )
+        {
+        print x;
+        }
+
+However, if a timeout is specified, and if the expression does not
+evaluate to true within the specified timeout interval, then the
+statement following the ``timeout`` keyword is executed:
+
+.. code-block:: zeek
+
+    when ( (local x = foo()) && x == 42 )
+        {
+        print x;
+        }
+    timeout 5sec
+        {
+        print "timeout";
+        }
+
+Note that when a timeout is specified the braces are
+always required (these do not indicate a `compound statement`_).
+
+The expression in a ``when`` statement can contain a declaration of a local
+variable but only if the declaration is written in the form
+``local *var* = *init*`` (example: ``local x = myfunction()``).  This form
+of a local declaration is actually an expression, the result of which
+is always a boolean true value.
+
+The expression in a ``when`` statement can contain an asynchronous function
+call such as :zeek:id:`lookup_hostname` (in fact, this is the only place
+such a function can be called), but it can also contain an ordinary
+function call.  When an asynchronous function call is in the expression,
+then Zeek will continue processing statements in the script following
+the ``when`` statement, and when the result of the function call is available
+Zeek will finish evaluating the expression in the ``when`` statement.
+See the :zeek:keyword:`return` statement for an explanation of how to
+create an asynchronous function in a Zeek script.
+
+The elements of a ``when`` statement can include references to the local
+variables of the function/event/hook body in which they appear (as well
+as to global variables).  If they do, then you need to specify the locals
+variables as *captures*, using ``[...]`` in the same manner as done for
+:ref:`anonymous functions <anonymous-function>`.  By default captures are
+done using *shallow-copying*, behaving like an assignment; you can add the
+keyword
+``copy`` to instead make a *deep* copy.
+
+For example:
+
+.. code-block:: zeek
+
+    type r: record { x: int; y: int; };
+    global g = r($x=100, $y=100);
+
+    event zeek_init()
+        {
+        local l = r($x=1, $y=2);
+        local l2 = r($x=3, $y=4);
+
+        when [l, copy l2] ( g$x < 0 )
+            {
+            print l, l2;
+            }
+
+        l$x = 10;
+        l2$x = 20;
+        }
+
+    event zeek_init() &priority=-10
+        {
+        g$x = -999;
+        }
+
+will print ``[x=10, y=2], [x=3, y=4]``, because, as a shallow copy, the
+version of ``l`` inside the ``when`` statement will reflect the changes
+made to its record after execution of the ``when`` statement; while the
+version of ``l2`` will not, since it holds a deep copy of the record
+made upon executing the ``when`` statement.
+
+For the captures you need to list all of local variables used in the
+statement: those in the initial condition, as well as those appearing in
+the body or the ``timeout`` statement.  You do not need to list new
+``local``'s introduce in the expression (such as ``local x = foo()`` in
+the example given earlier above).
+
+It also works, for now, to leave off the captures entirely, but this
+form is deprecated.  It provides old-style semantics, in which every
+local is automatically captured via deep-copy.
+
+.. zeek:keyword:: while
+
+while
+~~~~~
+
+A ``while`` loop iterates over a body statement as long as a given
+condition remains true.
+
+A :zeek:keyword:`break` statement can be used at any time to immediately
+terminate the ``while`` loop, and a :zeek:keyword:`next` statement can be
+used to skip to the next loop iteration.
+
+Example:
+
+.. code-block:: zeek
+
+    local i = 0;
+
+    while ( i < 5 )
+        print ++i;
+
+    while ( some_cond() )
+        {
+        local finish_up = F;
+
+        if ( skip_ahead() )
+            next;
+
+        if ( finish_up )
+            break;
+        }
+
+
+.. _compound statement:
+
+Compound Statement
+~~~~~~~~~~~~~~~~~~
+
+A compound statement is created by wrapping zero or more statements in
+braces ``{ }``.  Individual statements inside the braces need to be
+terminated by a semicolon, but a semicolon is not needed at the end
+(outside of the braces) of a compound statement.
+
+A compound statement is required in order to execute more than one
+statement in the body of a :zeek:keyword:`for`, :zeek:keyword:`while`,
+:zeek:keyword:`if`, or :zeek:keyword:`when` statement.
+
+Example:
+
+.. code-block:: zeek
+
+    if ( x == 2 )
+        {
+        print "x is 2";
+        ++x;
+        }
+
+Note that there are other places in the Zeek scripting language that use
+braces, but that do not indicate the presence of a compound
+statement (these are noted in the documentation).
+
+
+.. _null statement:
+
+Null Statement
+~~~~~~~~~~~~~~
+
+The null statement (executing it has no effect) consists of just a
+semicolon.  This might be useful during testing or debugging a Zeek script
+in places where a statement is required, but it is probably not useful
+otherwise.
+
+Example:
+
+.. code-block:: zeek
+
+    if ( x == 2 )
+        ;
diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst
new file mode 100644
index 0000000000..cfa4b60b26
--- /dev/null
+++ b/doc/script-reference/types.rst
@@ -0,0 +1,2116 @@
+Types
+=====
+
+The Zeek scripting language supports the following built-in types:
+
+.. list-table::
+  :header-rows: 1
+
+
+  * - Name(s)
+    - Description
+
+  * - :zeek:type:`bool`
+    - Boolean
+
+  * - :zeek:type:`count`, :zeek:type:`int`, :zeek:type:`double`
+    - Numeric types
+
+  * - :zeek:type:`time`, :zeek:type:`interval`
+    - Time types
+
+  * - :zeek:type:`string`
+    - String
+
+  * - :zeek:type:`pattern`
+    - Regular expression
+
+  * - :zeek:type:`port`, :zeek:type:`addr`, :zeek:type:`subnet`
+    - Network types
+
+  * - :zeek:type:`enum`
+    - Enumeration (user-defined type)
+
+  * - :zeek:type:`table`, :zeek:type:`set`, :zeek:type:`vector`,
+      :zeek:type:`record`
+    - Container types
+
+  * - :zeek:type:`function`, :zeek:type:`event`, :zeek:type:`hook`
+    - Executable types
+
+  * - :zeek:type:`file`
+    - File type (only for writing)
+
+  * - :zeek:type:`opaque`
+    - Opaque type (for some built-in functions)
+
+  * - :zeek:type:`any`
+    - Any type (for functions or containers)
+
+Here is a more detailed description of each type:
+
+
+.. zeek:native-type:: addr
+
+addr
+----
+
+A type representing an IP address.
+
+IPv4 address constants are written in "dotted quad" format,
+``A1.A2.A3.A4``, where ``A1``-``A4`` all lie between 0 and 255.
+
+IPv6 address constants are written as colon-separated hexadecimal form
+as described by :rfc:`2373` (including the mixed notation with embedded
+IPv4 addresses as dotted-quads in the lower 32 bits), but additionally
+encased in square brackets.  Some examples: ``[2001:db8::1]``,
+``[::ffff:192.168.1.100]``, or
+``[aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]``.
+
+Note that IPv4-mapped IPv6 addresses (i.e., addresses with the first 80
+bits zero, the next 16 bits one, and the remaining 32 bits are the IPv4
+address) are treated internally as IPv4 addresses (for example,
+``[::ffff:192.168.1.100]`` is equal to ``192.168.1.100``).
+
+Addresses can be compared for equality (``==``, ``!=``),
+and also for ordering (``<``, ``<=``, ``>``, ``>=``).  The absolute value
+of an address gives the size in bits (32 for IPv4, and 128 for IPv6).
+Addresses can also be masked with ``/`` to produce a :zeek:type:`subnet`:
+
+.. code-block:: zeek
+
+    local a: addr = 192.168.1.100;
+    local s: subnet = 192.168.0.0/16;
+
+    if ( a/16 == s )
+        print "true";
+
+And checked for inclusion within a :zeek:type:`subnet` using ``in``
+or ``!in``:
+
+.. code-block:: zeek
+
+    local a: addr = 192.168.1.100;
+    local s: subnet = 192.168.0.0/16;
+
+    if ( a in s )
+        print "true";
+
+You can check if a given ``addr`` is IPv4 or IPv6 using
+the :zeek:id:`is_v4_addr` and :zeek:id:`is_v6_addr` built-in functions.
+
+Hostname constants can also be used, but since a hostname can
+correspond to multiple IP addresses, the type of such a variable is
+``set[addr]``. For example:
+
+.. code-block:: zeek
+
+    local a = www.google.com;
+
+.. note::
+
+   This syntax is deprecated and slated for removal in Zeek 8.1.
+   Consider the :zeek:see:`lookup_hostname` and
+   :zeek:see:`blocking_lookup_hostname` functions instead.
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", foo)``
+
+   * - :zeek:see:`subnet`
+     - :zeek:see:`addr_to_subnet` BIF
+     - ``addr_to_subnet([::1])``
+
+
+.. zeek:native-type:: any
+
+any
+---
+
+Used to bypass strong typing.  For example, a function can take an
+argument of type ``any`` when it may be of different types.
+The only operation allowed on a variable of type ``any`` is assignment.
+
+Note that users aren't expected to use this type.  It's provided mainly
+for use by some built-in functions and scripts included with Zeek. For
+example, passing a vector into a ``.bif`` function is best accomplished by
+taking :zeek:type:`any` as an argument and casting it to a vector.
+
+
+.. zeek:native-type:: bool
+
+bool
+----
+
+Reflects a value with one of two meanings: true or false.  The two
+``bool`` constants are ``T`` and ``F``.
+
+The ``bool`` type supports the following operators: equality/inequality
+(``==``, ``!=``), logical and/or (``&&``, ``||``), logical
+negation (``!``), and absolute value (where ``|T|`` is ``1``, and ``|F|`` is
+``0``, and in both cases the result type is :zeek:type:`count`).
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`count`
+     - Absolute value operator
+     - ``|foo|``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(T)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", F)``
+
+
+.. zeek:native-type:: count
+
+count
+-----
+
+A numeric type representing a 64-bit unsigned integer.  A ``count``
+constant is a string of digits, e.g. ``1234`` or ``0``.  A ``count``
+can also be written in hexadecimal notation (in which case ``0x`` must
+precede the hex digits), e.g. ``0xff`` or ``0xABC123``.
+
+The ``count`` type supports the same operators as the :zeek:type:`int`
+type, but a unary plus or minus applied to a ``count`` results in an
+:zeek:type:`int`.
+
+In addition, ``count`` types support more bitwise operations.  You can use
+``&``, ``|``, ``^``, ``<<``, and ``>>`` for bitwise ``and``, ``or``,
+``xor``, ``left shift``, and ``right shift``.  You can also use ``~``
+for bitwise (one's) complement.
+
+For unsigned arithmetic involving ``count`` types that cause overflows
+(results that exceed the numeric limits of representable value in either
+direction), Zeek's behavior is to wrap the result modulo 2^64 back into
+the range of representable values (the same behavior as defined by C++).
+
+.. note::
+
+   Integer literals in Zeek that are not preceded by a unary ``+`` or ``-``
+   are treated as the unsigned ``count`` type.  This can cause unintentional
+   surprises is some situations, like for an absolute-value operation of
+   ``|5 - 9|`` that results in an unsigned-integer overflow to the large number
+   of ``18446744073709551612`` where ``|+5 - +9|`` results in signed-integer
+   arithmetic and (likely) more expected result of ``4``.
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`addr`
+     - :zeek:see:`count_to_v4_addr` BIF
+     - ``count_to_v4_addr(2130706433)``
+
+   * - :zeek:see:`bool`
+     - Relational operator
+     - ``foo > 0``
+
+   * - :zeek:see:`double`
+     - :zeek:see:`count_to_double` BIF
+     - ``count_to_double(42)``
+
+   * - :zeek:see:`double`
+     - Addition operator
+     - ``foo + 0.0``
+
+   * - :zeek:see:`double`
+     - Division operator
+     - ``foo / 1.0``
+
+   * - :zeek:see:`double`
+     - Multiplication operator
+     - ``foo * 1.0``
+
+   * - :zeek:see:`double`
+     - Subtraction operator
+     - ``foo - 0.0``
+
+   * - :zeek:see:`port`
+     - :zeek:see:`count_to_port` BIF
+     - ``count_to_port(80, tcp)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%x", 3735928559)``
+
+
+.. zeek:native-type:: double
+
+double
+------
+
+A numeric type representing a double-precision floating-point
+number.  Floating-point constants are written as a string of digits
+with an optional decimal point, optional scale-factor in scientific
+notation, and optional ``+`` or ``-`` sign.  Examples are ``-1234``,
+``-1234e0``, ``3.14159``, and ``.003E-23``.
+
+The ``double`` type supports the following operators:  arithmetic
+operators (``+``, ``-``, ``*``, ``/``), comparison operators
+(``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``), assignment operators
+(``=``, ``+=``, ``-=``), unary plus and minus (``+``, ``-``), and
+absolute value (e.g., ``|-3.14|`` is 3.14).
+
+When using type inferencing use care so that the
+intended type is inferred, e.g. ``local size_difference = 5`` will
+infer :zeek:type:`count`, while ``local size_difference = 5.0``
+will infer ``double``.
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`count`
+     - :zeek:see:`double_to_count` BIF
+     - ``double_to_count(1234.0)``
+
+   * - :zeek:see:`interval`
+     - :zeek:see:`double_to_interval` BIF
+     - ``double_to_interval(86400.0)``
+
+   * - :zeek:see:`time`
+     - :zeek:see:`double_to_time` BIF
+     - ``double_to_time(1626723410.4)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%.2f", 3.14159265)``
+
+
+.. zeek:native-type:: enum
+
+enum
+----
+
+A type allowing the specification of a set of related values that
+have no further structure.  An example declaration:
+
+.. code-block:: zeek
+
+    type color: enum { Red, White, Blue, };
+
+The last comma after ``Blue`` is optional.  Both the type name ``color``
+and the individual values (``Red``, etc. -- not ``color::Red``) have
+global scope.
+
+Enumerations may assign :zeek:type:`count` values explicitly:
+
+.. code-block:: zeek
+
+    type color: enum { Red = 10, White = 20, Blue = 30 };
+
+Without explicit assignment, Zeek numbers enumerations sequentially starting
+from 0. You may not mix explicit and implicit assignments.
+
+The only operations allowed on enumerations are equality comparisons (``==``,
+``!=``) and assignment (``=``). Enumerations do not automatically yield their
+values or provide ordering (neither ``Red == 10`` nor ``Red < White`` works),
+but the :zeek:see:`enum_to_int` BIF lets you retrieve an enumeration's numeric
+value if you require such logic.
+
+.. note::
+
+   We recommend using explicit value assignment when relying on numeric values,
+   since it avoids sensitivity to :zeek:keyword:`@load` sequencing when
+   enumerations are :zeek:keyword:`redef`'d in multiple scripts.
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`int`
+     - :zeek:see:`enum_to_int` BIF
+     - ``enum_to_int(Intel::ADDR)``
+
+   * - :zeek:see:`int`
+     - Absolute value operator
+     - ``|Intel::ADDR|``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", foo)``
+
+
+.. zeek:native-type:: event
+
+event
+-----
+
+Event handlers are nearly identical in both syntax and semantics to
+a :zeek:type:`function`, with the two differences being that event
+handlers have no return type since they never return a value, and
+you cannot call an event handler.
+
+Example:
+
+.. code-block:: zeek
+
+    event my_event(r: bool, s: string)
+        {
+        print "my_event", r, s;
+        }
+
+Instead of directly calling an event handler from a script, event
+handler bodies are executed when they are invoked by one of three
+different methods:
+
+- From the event engine
+
+    When the event engine detects an event for which you have
+    defined a corresponding event handler, it queues an event for
+    that handler.  The handler is invoked as soon as the event
+    engine finishes processing the current packet and flushing the
+    invocation of other event handlers that were queued first.
+
+- With the ``event`` statement from a script
+
+    Immediately queuing invocation of an event handler occurs like:
+
+    .. code-block:: zeek
+
+        event password_exposed(user, password);
+
+    This assumes that ``password_exposed`` was previously declared
+    as an event handler type with compatible arguments.
+
+- Via the :zeek:keyword:`schedule` expression in a script
+
+    This delays the invocation of event handlers until some time in
+    the future.  For example:
+
+    .. code-block:: zeek
+
+        schedule 5 secs { password_exposed(user, password) };
+
+Multiple event handler bodies can be defined for the same event handler
+identifier and the body of each will be executed in turn.  Ordering
+of their execution can be influenced with :zeek:attr:`&priority`.
+
+Multiple alternate event prototype declarations are allowed, but the
+alternates must be some subset of the first, canonical prototype and
+arguments must match by name and type.  This allows users to define
+handlers for any such prototype they may find convenient or for the core
+set of handlers to be extended, changed, or deprecated without breaking
+existing handlers a user may have written.  Example:
+
+.. code-block:: zeek
+
+    # Event Prototype Declarations
+    global my_event: event(s: string, c: count);
+    global my_event: event(c: count);
+    global my_event: event();
+
+    # Event Handler Definitions
+    event my_event(s: string, c: count)
+        {
+        print "my event", s, c;
+        }
+
+    event my_event(c: count)
+        {
+        print "my event", c;
+        }
+
+    event my_event()
+        {
+        print "my event";
+        }
+
+By using alternate event prototypes, handlers are allowed to consume a
+subset of the full argument list as given by the first prototype
+declaration.  It also even allows arguments to be ordered differently
+from the canonical prototype.
+
+To use :zeek:attr:`&default` on event arguments, it must appear on the
+first, canonical prototype.
+
+Employing its static analysis capabilities, Zeek will warn if it cannot
+determine that an event will ever be triggered. In case the warning is not
+appropriate (e.g., the event might be triggered remotely via broker),
+:zeek:attr:`&is_used` can be applied to suppress the warning.
+
+
+.. zeek:native-type:: file
+
+file
+----
+
+Zeek supports writing to files, but not reading from them (to read from
+files see the :doc:`/frameworks/input`).  Files
+can be opened using either the :zeek:id:`open` or :zeek:id:`open_for_append`
+built-in functions, and closed using the :zeek:id:`close` built-in
+function.  For example, declare, open, and write to a file and finally
+close it like:
+
+.. code-block:: zeek
+
+    local f = open("myfile");
+    print f, "hello, world";
+    close(f);
+
+Writing to files like this for logging usually isn't recommended, for better
+logging support see :doc:`/frameworks/logging`.
+
+
+.. zeek:native-type:: function
+
+function
+--------
+
+Function types in Zeek are declared using::
+
+    function( argument*  ): type
+
+where ``argument*`` is a (possibly empty) comma-separated list of
+arguments, and ``type`` is an optional return type.  For example:
+
+.. code-block:: zeek
+
+    global greeting: function(name: string): string;
+
+Here ``greeting`` is an identifier with a certain function type.
+The function body is not defined yet and ``greeting`` could even
+have different function body values at different times.  To define
+a function including a body value, the syntax is like:
+
+.. code-block:: zeek
+
+    function greeting(name: string): string
+        {
+        return "Hello, " + name;
+        }
+
+Note that in the definition above, it's not necessary for us to have
+done the first (forward) declaration of ``greeting`` as a function
+type, but when it is, the return type and argument list (including the
+name of each argument) must match exactly.
+
+Here is an example function that takes no parameters and does not
+return a value:
+
+.. code-block:: zeek
+
+    function my_func()
+        {
+        print "my_func";
+        }
+
+Function types don't need to have a name and can be assigned anonymously:
+
+.. code-block:: zeek
+
+    greeting = function(name: string): string { return "Hi, " + name; };
+
+And finally, the function can be called like:
+
+.. code-block:: zeek
+
+    print greeting("Dave");
+
+.. _anonymous-function:
+
+Anonymous functions and their closures
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Anonymously defined functions (lambdas) capture their closures. This means
+that they can use variables from their enclosing scope at the time of their
+creation.  In older-style deprecated functionality (capture by "reference"),
+closure-capture happens automatically.  The current style
+(capture by "copy") requires explicitly listing the captured variables.
+
+Here is an example of a simple anonymous function that automatically
+captures its closure in Zeek (deprecated functionality):
+
+.. code-block:: zeek
+
+    local make_adder = function(n: count): function(m: count): count
+        {
+        return function (m: count): count
+            {
+            return n + m;
+            };
+        };
+
+    print make_adder(3)(5); # prints 8
+
+    local three = make_adder(3);
+    print three(5); # prints 8
+
+Here ``make_adder`` is generating a function that captures ``n`` in its
+closure.  The same, but in current (non-deprecated, closure-by-copy) form:
+
+.. code-block:: zeek
+
+    local make_adder = function(n: count): function(m: count): count
+        {
+        return function [n] (m: count): count
+            {
+            return n + m;
+            };
+        };
+
+    print make_adder(3)(5); # prints 8
+
+    local three = make_adder(3);
+    print three(5); # prints 8
+
+The only difference is that the inner anonymous function explicitly declares
+that ``n`` is captured, by listing all of the captured variables in ``[...]``
+after the :zeek:type:`function` keyword.  It is a compile-time error to fail to
+list a captured variable (or to list the same variable more than once, or to
+list a global variable).
+
+Old-style capture-by-reference closure semantics means that those
+anonymous functions can modify the variables in their closures. For example:
+
+.. code-block:: zeek
+
+    local n = 3;
+    local f = function() { n += 1; print n; };
+    f();     # prints 4
+    print n; # prints 4
+    n = 0;
+    f();     # prints 1, since n is shared between outer and inner functions
+    print n; # prints 1
+
+The same in capture-by-copy, however, yields different results:
+
+.. code-block:: zeek
+
+    local n = 3;
+    local f = function [n] () { n += 1; print n; };
+    f();     # prints 4
+    print n; # prints 3, since n is not shared
+    n = 0;
+    f();     # prints 5, since n persists for f
+    print n; # prints 0
+
+With capture-by-copy, by default variables are captured using the equivalent
+of ``=`` assignments.  In Zeek, variable assignments use "shallow" copy,
+meaning that assignments of aggregates share the same aggregate rather
+than fully duplicating all of its members.  These semantics allow you to
+get the equivalent of the original "reference" semantics by using record
+fields rather than variables for the sharing.  For example:
+
+.. code-block:: zeek
+
+    type r: record { n: count; };
+    ...
+    local var = r($n=3);
+    local f = function [var] () { var$n += 1; print var$n; };
+    f();         # prints 4
+    print var$n; # prints 4
+    var$n = 0;
+    f();         # prints 1, since n is shared between outer and inner functions
+    print var$n; # prints 1
+
+You can specify that a given variable should instead be captured using
+a *deep* copy by preceding it with the ``copy`` keyword:
+
+.. code-block:: zeek
+
+    type r: record { n: count; };
+    ...
+    local var = r($n=3);
+    local f = function [copy var] () { var$n += 1; print var$n; };
+    f();         # prints 4
+    print var$n; # prints 3, since the var aggregate is not shared
+    var$n = 0;
+    f();         # prints 5, since the function has its own deep copy of var
+    print var$n; # prints 0
+
+Finally, you can intermingle both shallow and deep copying, as shown in
+this fragment:
+
+.. code-block:: zeek
+
+    type r: record { n: count; };
+    ...
+    local var1 = r($n=3);
+    local var2 = r($n=7);
+    local f = function [copy var1, var2] () { ...
+
+where ``var1`` will be captured via deep-copy and ``var2`` via the normal
+shallow-copy.
+
+When anonymous functions are serialized over Broker they keep their closures,
+but they will not continue to mutate the values from the sending script (either
+directly, for reference semantics, or for shallow-copy aggregates, for copy
+semantics).  At the time of serialization they create a copy of their closure.
+Also, anonymous functions do not capture global variables in their closures and
+thus will use the receiver's global variables.
+
+In order to serialize an anonymous function, that function must have been
+already declared on the receiver's end, because Zeek does not serialize the
+function's source code. See :file:`testing/btest/language/closure-sending.zeek`
+for an example of how to serialize anonymous functions over Broker.
+
+.. _default-values:
+
+Default values
+^^^^^^^^^^^^^^
+
+Function parameters may specify default values as long as they appear
+last in the parameter list:
+
+.. code-block:: zeek
+
+    global foo: function(s: string, t: string &default="abc", u: count &default=0);
+
+If a function was previously declared with default parameters, the
+default expressions can be omitted when implementing the function
+body and they will still be used for function calls that lack those
+arguments.
+
+.. code-block:: zeek
+
+    function foo(s: string, t: string, u: count)
+        {
+        print s, t, u;
+        }
+
+And calls to the function may omit the defaults from the argument list:
+
+.. code-block:: zeek
+
+    foo("test");
+
+Asynchronous functions
+^^^^^^^^^^^^^^^^^^^^^^
+
+Use of the ``return when`` construct renders a function *asynchronous*: it
+will return its result at a later time, when an underlying condition becomes
+fulfilled. See :zeek:keyword:`when` and the description of :ref:`asynchronous
+returns <asynchronous-return>` for details.
+
+
+.. zeek:native-type:: hook
+
+hook
+----
+
+A hook is another flavor of function that shares characteristics of
+both a :zeek:type:`function` and an :zeek:type:`event`.  They are like
+events in that many handler bodies can be defined for the same hook
+identifier and the order of execution can be enforced with
+:zeek:attr:`&priority`.  They are more like functions in the way they
+are invoked/called, because, unlike events, their execution is
+immediate and they do not get scheduled through an event queue.
+Also, a unique feature of a hook is that a given hook handler body
+can short-circuit the execution of remaining hook handlers simply by
+exiting from the body as a result of a :zeek:keyword:`break` statement (as
+opposed to a :zeek:keyword:`return` or just reaching the end of the body).
+
+A hook type is declared like::
+
+    hook( argument* )
+
+where ``argument*`` is a (possibly empty) comma-separated list of
+arguments.  For example:
+
+.. code-block:: zeek
+
+    global myhook: hook(s: string, vs: vector of string);
+
+Here ``myhook`` is the hook type identifier and no hook handler
+bodies have been defined for it yet.  To define some hook handler
+bodies the syntax looks like:
+
+.. code-block:: zeek
+
+    hook myhook(s: string, vs: vector of string) &priority=10
+        {
+        print "priority 10 myhook handler", s, vs;
+        s = "bye";
+        vs += "modified";
+        }
+
+    hook myhook(s: string, vs: vector of string)
+        {
+        print "break out of myhook handling", s, vs;
+        break;
+        }
+
+    hook myhook(s: string, vs: vector of string) &priority=-5
+        {
+        print "not going to happen", s, vs;
+        }
+
+Note that the first (forward) declaration of ``myhook`` as a hook
+type isn't strictly required.  Argument types must match for all
+hook handlers and any forward declaration of a given hook.
+
+To invoke immediate execution of all hook handler bodies, they
+are called similarly to a function, except preceded by the ``hook``
+keyword:
+
+.. code-block:: zeek
+
+    hook myhook("hi", vector("foo"));
+
+or
+
+.. code-block:: zeek
+
+    if ( hook myhook("hi", vector("foo")) )
+        print "all handlers ran";
+
+And the output would look like::
+
+    priority 10 myhook handler, hi, [foo]
+    break out of myhook handling, hi, [foo, modified]
+
+Note how the re-assigning of a ``hook`` argument (``s = "bye"`` in the example)
+will not be visible to remaining ``hook`` handlers, but it's still possible
+to modify values of composite/aggregate types like :zeek:type:`vector`,
+:zeek:type:`record`, :zeek:type:`set`, or :zeek:type:`table`.
+
+The return value of a hook call is an implicit :zeek:type:`bool`
+value with ``T`` meaning that all handlers for the hook were
+executed and ``F`` meaning that only some of the handlers may have
+executed due to one handler body exiting as a result of a ``break``
+statement.
+
+Hooks are also allowed to have multiple/alternate prototype declarations,
+just like an :zeek:see:`event`.
+
+
+.. zeek:native-type:: int
+
+int
+---
+
+A numeric type representing a 64-bit signed integer.  An ``int`` constant
+is a string of digits preceded by a ``+`` or ``-`` sign, e.g.
+``-42`` or ``+5`` (the ``+`` sign is optional but see note about type
+inferencing below).  An ``int`` constant can also be written in
+hexadecimal notation (in which case ``0x`` must be between the sign and
+the hex digits), e.g. ``-0xFF`` or ``+0xabc123``.
+
+The ``int`` type supports the following operators:  arithmetic
+operators (``+``, ``-``, ``*``, ``/``, ``%``), comparison operators
+(``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``), assignment operators
+(``=``, ``+=``, ``-=``), pre-increment (``++``), pre-decrement
+(``--``), unary plus and minus (``+``, ``-``), absolute value
+(e.g., ``|-3|`` is 3, but the result type is :zeek:type:`count`), and
+bitwise shift operations (``<<``, ``>>``).
+
+When using type inferencing, use care so that the
+intended type is inferred, e.g. ``local size_difference = 0`` will
+infer :zeek:type:`count`, while ``local size_difference = +0``
+will infer ``int``.
+
+For signed-integer arithmetic involving ``int`` types that cause overflows
+(results that exceed the numeric limits of representable values in either
+direction), Zeek's behavior is generally undefined and one should not rely on
+any observed behavior being consistent across compilers, platforms, time, etc.
+The reason for this is that the C++ standard also deems this as undefined
+behavior and Zeek does not currently attempt to detect such overflows within
+its underlying C++ implementation (some limited cases may try to statically
+determine at parse-time that an overflow will definitely occur and reject them
+an error, but don't rely on that).
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`bool`
+     - Relational operator
+     - ``foo != 0``
+
+   * - :zeek:see:`count`
+     - Absolute value operator
+     - ``|foo|``
+
+   * - :zeek:see:`count`
+     - :zeek:see:`int_to_count` BIF
+     - ``int_to_count(42)``
+
+   * - :zeek:see:`double`
+     - :zeek:see:`int_to_double` BIF
+     - ``int_to_double(foo)``
+
+   * - :zeek:see:`double`
+     - Addition operator
+     - ``foo + 0.0``
+
+   * - :zeek:see:`double`
+     - Division operator
+     - ``foo / 1.0``
+
+   * - :zeek:see:`double`
+     - Multiplication operator
+     - ``foo * 1.0``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(-10)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", 0)``
+
+
+.. zeek:native-type:: interval
+
+interval
+--------
+
+A temporal type representing a relative time.  An ``interval``
+constant can be written as a numeric constant followed by a time
+unit where the time unit is one of ``usec``, ``msec``, ``sec``, ``min``,
+``hr``, or ``day`` which respectively represent microseconds, milliseconds,
+seconds, minutes, hours, and days.  Whitespace between the numeric
+constant and time unit is optional.  Appending the letter ``s`` to the
+time unit in order to pluralize it is also optional (to no semantic
+effect).  Examples of ``interval`` constants are ``3.5 min`` and
+``3.5mins``.  An ``interval`` can also be negated, for example
+``-12 hr`` represents "twelve hours in the past".
+
+Intervals support addition and subtraction, the comparison operators
+(``==``, ``!=``, ``<``, ``<=``, ``>``, ``>=``), the assignment
+operators (``=``, ``+=``, ``-=``), and unary plus and minus (``+``, ``-``).
+
+Intervals also support division (in which case the result is a
+:zeek:type:`double` value).  An ``interval`` can be multiplied or divided
+by an arithmetic type (``count``, ``int``, or ``double``) to produce
+an ``interval`` value.  The absolute value of an ``interval`` is a
+``double`` value equal to the number of seconds in the ``interval``
+(e.g., ``|-1 min|`` is 60.0).
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`double`
+     - :zeek:see:`interval_to_double` BIF
+     - ``interval_to_double(5mins)``
+
+   * - :zeek:see:`double`
+     - Absolute value operator
+     - ``|foo|``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", foo)``
+
+   * - :zeek:see:`time`
+     - Addition operator
+     - ``5 mins + start_time``
+
+   * - :zeek:see:`time`
+     - Subtraction operator
+     - ``start_time - 60 secs``
+
+
+.. zeek:native-type:: opaque
+
+opaque
+------
+
+A data type whose actual representation/implementation is
+intentionally hidden, but whose values may be passed to certain
+built-in functions that can actually access the internal/hidden resources.
+Opaque types are differentiated from each other by qualifying them
+like ``opaque of md5`` or ``opaque of sha1``.
+
+An example use of this type is the set of built-in functions which
+perform hashing:
+
+.. code-block:: zeek
+
+    local handle = md5_hash_init();
+    # Explicitly -> local handle : opaque of md5 = ...
+    md5_hash_update(handle, "test");
+    md5_hash_update(handle, "testing");
+    print md5_hash_finish(handle);
+
+Here the opaque type is used to provide a handle to a particular
+resource which is calculating an MD5 hash incrementally over
+time, but the details of that resource aren't relevant, it's only
+necessary to have a handle as a way of identifying it and
+distinguishing it from other such resources.
+
+The scripting layer implementations of these types are found primarily in
+:doc:`/scripts/base/bif/zeek.bif.zeek` and a more granular look at them
+can be found in ``src/OpaqueVal.h/cc`` inside the Zeek repo. Opaque types
+are a good way to integrate functionality into Zeek without needing to
+add an entire new type to the scripting language.
+
+.. zeek:type:: paraglob
+
+  An opaque type for creating and using paraglob data structures inside of
+  Zeek. A paraglob is a data structure for fast string matching against a
+  large set of glob style patterns. It can be loaded with a vector of
+  patterns, and then queried with input strings. Note that these patterns are
+  just strings, and not the pattern type built in to Zeek. For a query it
+  returns all of the patterns that it contains matching that input string.
+
+  Paraglobs offer significant performance advantages over making a pass over
+  a vector of patterns and checking each one. Note though that initializing a
+  paraglob can take some time for very large pattern sets (1,000,000+
+  patterns) and care should be taken to only initialize one with a large
+  pattern set when there is time for the paraglob to compile. Subsequent get
+  operations run very quickly though, even for very large pattern sets.
+
+  .. code-block:: zeek
+
+    local v = vector("*", "d?g", "*og", "d?", "d[!wl]g");
+    local p : opaque of paraglob = paraglob_init(v);
+    print paraglob_match(p, "dog");
+    # out: [*, *og, d?g, d[!wl]g]
+
+  For more documentation on paraglob see :doc:`/components/index`.
+
+.. zeek:see:: md5_hash_init sha1_hash_init sha256_hash_init
+              hll_cardinality_add bloomfilter_basic_init
+
+
+.. zeek:native-type:: pattern
+
+pattern
+-------
+
+A type representing regular-expression patterns that can be used for fast
+text-searching operations.  Pattern constants are created by enclosing text
+within forward slashes (``/``) and support a large subset of the `flex lexical
+analyzer <http://westes.github.io/flex/manual/Patterns.html>`_ syntax.  As in
+other implementations, patterns consist of ordinary and special characters.
+Patterns such as ``/a/`` or ``/A0123/`` match that specific character byte or
+character sequence, case-sensitively. Special characters and modifiers customize
+matching, as follows:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Syntax
+    - Meaning
+
+  * - ``^``
+    - Matches the beginning of the input.
+
+  * - ``$``
+    - Matches the end of the input.
+
+  * - ``.``
+    - Matches any character except newline (but see the ``(?s:`` and ``/s`` modifiers).
+
+  * - ``<expr>*``
+    - Matches zero or more instances of ``expr``.
+
+  * - ``<expr>+``
+    - Matches one or more instances of ``expr``.
+
+  * - ``<expr>?``
+    - Matches zero or one instance of ``expr``.
+
+  * - ``<expr>{n}``
+    - Matches ``expr`` ``n`` times, where ``n`` is a non-negative integer.
+
+  * - ``<expr>{n,}``
+    - Matches ``expr`` ``n`` or more times, where ``n`` is a non-negative integer.
+
+  * - ``<expr>{n,m}``
+    - Matches ``expr`` between ``n`` and ``m`` times, inclusively, where ``n``
+      and ``m`` are non-negative integers and ``m >= n``.
+
+  * - ``<expr1>|<expr2>``
+    - Matches either ``expr1`` or ``expr2``.
+
+  * - ``(<expr>)``
+    - Groups the contained expression to form a building-block of a more complex
+      one.
+
+  * - ``"<chars>"``
+    - Matches literal strings, without the quotation marks. These always match
+      as given, even if case-insensitivity is active.
+
+  * - ``[<chars>]``
+    - Defines a character class, matching any of the contained characters.
+
+  * - ``[^<chars>]``
+    - Defines a negated character class, matching any but the contained
+      characters.
+
+  * - ``<char1>-<char2>``
+    - Inside a character class this specifies a range, matching any character
+      between ``<char1>`` and ``<char2>``, inclusively. Outside a character
+      class it matches the literal string.
+
+  * - ``(?i:<expr>)``
+    - Matches the expression case-insensitively.
+
+  * - ``(?s:<expr>)``
+    - Treats the input as a single line: the ``.`` character also matches
+      newlines.
+
+Zeek supports the following pre-defined character classes:
+
+.. list-table::
+  :header-rows: 1
+  :widths: 20 20 60
+
+  * - Shorthand
+    - Equivalent to
+    - Meaning
+
+  * - ``[:alnum:]``
+    - ``[A-Za-z0-9]``
+    - Upper- and lowercase letters plus digits.
+
+  * - ``[:alpha:]``
+    - ``[A-Za-z]``
+    - Upper- and lowercase letters.
+
+  * - ``[:blank:]``
+    - ``[ \t]``
+    - The space or tab character.
+
+  * - ``[:cntrl:]``
+    -
+    - Non-printable characters, a.k.a. control characters. See
+      `iscntrl() <https://cplusplus.com/reference/cctype/iscntrl/>`_ for details.
+
+  * - ``[:digit:]``
+    - ``[0-9]``
+    - Digits.
+
+  * - ``[:graph:]``
+    - ``[^ [:cntrl:]]``
+    - Characters with graphic representation: everything other than space
+      and control characters.
+
+  * - ``[:print:]``
+    - ``[^[:cntrl:]]``
+    - Printable characters: those with graphic representation, plus the space character.
+
+  * - ``[:punct:]``
+    -
+    - Punctuation: any characters with graphic representation that are not alphanumeric.
+
+  * - ``[:space:]``
+    - ``[ \t\n\r\f\v]``
+    - Whitespace characters.
+
+  * - ``[:xdigit:]``
+    - ``[A-Fa-f0-9]``
+    - Hexadecimal characters.
+
+  * - ``[:lower:]``
+    - ``[a-z]``
+    - Lowercase letters.
+
+  * - ``[:upper:]``
+    - ``[A-Z]``
+    - Uppercase letters.
+
+To match special characters, escape them with a backslash (``\``).
+
+Zeek also supports the following pattern-level operators and modifiers:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Example
+    - Meaning
+
+  * - ``/<expr1>/ | /<expr2>/``
+    - Succeeds when either pattern matches the input.
+
+  * - ``/<expr1>/ & /<expr2>/``
+    - Succeeds when the concatenation of both patterns matches the input. Note
+      that this differs from a logical "AND"; ordering matters.
+
+  * - ``/<expr>/i``
+    - Matches the expression case-insensitively, like ``(?i:<expr>)``. Use the
+      latter when you need it to apply to only a part of a larger expression.
+
+  * - ``/<expr>/s``
+    - Treats the input as a single line, like ``(?s:<expr>)``. Use the
+      latter when you need it to apply to only a part of a larger expression.
+
+The speed of regular expression matching does not depend on the complexity or
+size of the patterns.
+
+Patterns support two types of matching, exact and embedded.
+In exact matching the ``==`` equality relational operator is used
+with one ``pattern`` operand and one :zeek:type:`string`
+operand (order of operands does not matter) to check whether the full
+string exactly matches the pattern.  In exact matching, the ``^``
+beginning-of-line and ``$`` end-of-line anchors are redundant since
+the pattern is implicitly anchored to the beginning and end of the
+line to facilitate an exact match.  For example:
+
+.. code-block:: zeek
+
+    /foo|bar/ == "foo"
+
+yields true, while:
+
+.. code-block:: zeek
+
+    /foo|bar/ == "foobar"
+
+yields false.  The ``!=`` operator would yield the negation of ``==``.
+
+In embedded matching the ``in`` operator is used with one
+``pattern`` operand (which must be on the left-hand side) and
+one :zeek:type:`string` operand, but tests whether the pattern
+appears anywhere within the given string.  For example:
+
+.. code-block:: zeek
+
+    /foo|bar/ in "foobar"
+
+yields true, while:
+
+.. code-block:: zeek
+
+    /^oob/ in "foobar"
+
+is false since ``"oob"`` does not appear at the start of ``"foobar"``.  The
+``!in`` operator would yield the negation of ``in``.
+
+Additional examples:
+
+- ``/foo+bar/`` matches ``"foobar"`` and ``"fooooobar"``, but not ``"fobar"``.
+- ``/foo*bar/`` matches ``"fobar"``, ``"foobar"``, and ``"fooooobar"``.
+- ``/foo?bar/`` matches ``"fobar"`` and ``"foobar"``, but not ``"fooooobar"``.
+- ``/foo[b-d]ar/`` matches ``"foobar"``, ``"foocar"``, and ``"foodar"``.
+- ``/foo/ | /bar/ in "foobar"`` yields true.
+- ``/foo/ & /bar/ in "foobar"`` yields true, since ``/(foo)(bar)/`` appears in ``"foobar"``.
+- ``/foo|bar/`` matches ``"foo"`` and ``"bar"``.
+- ``/fo(o|b)ar/`` matches ``"fooar"`` and ``"fobar"``, but not ``"foo"`` or ``"bar"``.
+- ``/foo|bar/i`` matches ``"foo"``, ``"Foo"``, ``"BaR"``, etc.
+- ``/foo|(?i:bar)/`` matches ``"foo"`` and ``"BaR"``, but *not* ``"Foo"``.
+- ``/"foo"/i`` matches ``"foo"``, but *not* ``"Foo"``.
+- ``/foo.bar/`` doesn't match ``"foo\nbar"``, while ``/foo.bar/s`` does.
+
+The ``i`` and ``s`` modifiers can also be combined in a single pattern
+such as ``/foo/is`` or ``/bar/si``. In this case, both case-insensitivity
+and single-line mode will apply to the pattern.
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", foo)``
+
+
+.. zeek:native-type:: port
+
+port
+----
+
+A type representing transport-level port numbers (besides TCP and
+UDP ports, there is a concept of an ICMP ``port`` where the source
+port is the ICMP message type and the destination port the ICMP
+message code).  A ``port`` constant is written as an unsigned integer
+followed by one of ``/tcp``, ``/udp``, ``/icmp``, or ``/unknown``.
+
+Ports support the comparison operators (``==``, ``!=``, ``<``, ``<=``,
+``>``, ``>=``).  When comparing order across transport-level protocols,
+``unknown`` < ``tcp`` < ``udp`` < ``icmp``, for example ``65535/tcp``
+is smaller than ``0/udp``.
+
+Note that you can obtain the transport-level protocol type of a ``port``
+with the :zeek:id:`get_port_transport_proto` built-in function, and
+the numeric value of a ``port`` with the :zeek:id:`port_to_count`
+built-in function.
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`count`
+     - :zeek:see:`port_to_count` BIF
+     - ``port_to_count(53/udp)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", foo)``
+
+
+.. zeek:native-type:: record
+
+record
+------
+
+A ``record`` is a collection of values.  Each value has a field name
+and a type.  Values do not need to have the same type and the types
+have no restrictions.  Field names must follow the same syntax as
+regular variable names (except that field names are allowed to be the
+same as local or global variables).  An example record type
+definition:
+
+.. code-block:: zeek
+
+    type MyRecordType: record {
+        c: count;
+        s: string &optional;
+    };
+
+Records can be initialized or assigned as a whole in three different ways.
+When assigning a whole record value, all fields that are not
+:zeek:attr:`&optional` or have a :zeek:attr:`&default` attribute must
+be specified.  First, the constructor can be explicitly named by type,
+which is arguably most readable:
+
+.. code-block:: zeek
+
+    local r = MyRecordType($c = 42);
+
+There's also a plain constructor syntax:
+
+.. code-block:: zeek
+
+    local r: MyRecordType = record($c = 7);
+
+And lastly, a shorthand best reserved for situations such as large, repetitive
+initializer blocks where typing is fairly obvious:
+
+.. code-block:: zeek
+
+    local r: MyRecordType = [$c = 13, $s = "thirteen"];
+
+Access to a record field uses the dollar sign (``$``) operator, and
+record fields can be assigned with this:
+
+.. code-block:: zeek
+
+    local r: MyRecordType;
+    r$c = 13;
+
+To test if a field that is :zeek:attr:`&optional` has been assigned a
+value, use the ``?$`` operator (it returns a :zeek:type:`bool` value of
+``T`` if the field has been assigned a value, or ``F`` if not):
+
+.. code-block:: zeek
+
+    if ( r ?$ s )
+        ...
+
+
+.. zeek:native-type:: set
+
+set
+---
+
+A set is like a :zeek:type:`table`, but it is a collection of indices
+that do not map to any yield value.
+
+Declaration and initialization
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Sets are declared with the syntax::
+
+    set [ type^+ ]
+
+where ``type^+`` is one or more types separated by commas.  The index type
+cannot be any of the following types: :zeek:type:`file`, :zeek:type:`opaque`,
+:zeek:type:`any`.
+
+Sets can be initialized by listing elements enclosed by curly braces:
+
+.. code-block:: zeek
+
+    global s: set[port] = { 21/tcp, 23/tcp, 80/tcp, 443/tcp };
+    global s2: set[port, string] = { [21/tcp, "ftp"], [23/tcp, "telnet"] };
+
+A set constructor (equivalent to above example) can also be used to
+create a set:
+
+.. code-block:: zeek
+
+    global s3 = set(21/tcp, 23/tcp, 80/tcp, 443/tcp);
+
+Set constructors can also be explicitly named by a type, which is
+useful when a more complex index type could otherwise be
+ambiguous:
+
+.. code-block:: zeek
+
+    type MyRec: record {
+        a: count &optional;
+        b: count;
+    };
+
+    type MySet: set[MyRec];
+
+    global s4 = MySet([$b=1], [$b=2]);
+
+Insertion and removal
+^^^^^^^^^^^^^^^^^^^^^
+
+Elements are added with :zeek:keyword:`add`:
+
+.. code-block:: zeek
+
+    add s[22/tcp];
+
+Nothing happens if the element with value ``22/tcp`` was already present in
+the set.
+
+Elements are removed with :zeek:keyword:`delete`:
+
+.. code-block:: zeek
+
+    delete s[21/tcp];
+
+.. versionadded:: 7.0
+
+Removing all set elements can be done with the :zeek:keyword:`delete`, too:
+
+.. code-block:: zeek
+
+    delete s;
+
+
+Nothing happens if the element with value ``21/tcp`` isn't present in
+the set.
+
+Sets behave like tables when it comes to complex member types: indexing happens
+via hashing at access time. See :zeek:type:`table` for details.
+
+Lookup and iteration
+^^^^^^^^^^^^^^^^^^^^
+
+Set membership is tested with ``in`` or ``!in``:
+
+.. code-block:: zeek
+
+    if ( 21/tcp in s )
+        ...
+
+    if ( [21/tcp, "ftp"] !in s2 )
+        ...
+
+See the :zeek:keyword:`for` statement for info on how to iterate over
+the elements in a set.
+
+Set operations
+^^^^^^^^^^^^^^
+
+You can compute the union, intersection, or difference of two sets
+using the ``|``, ``&``, and ``-`` operators.
+
+.. note::
+
+   Use ``+=`` instead of ``|`` to grow an existing set. That is,
+   say ``s += new_s`` instead of ``s = s | new_s``. The latter requires
+   copying both input sets and thus quickly deteriorates runtime. See
+   :ref:`assignment-operators` for details.
+
+You can compare sets for equality (they have exactly the same elements)
+using ``==``.  The ``<`` operator returns ``T`` if the lefthand operand
+is a proper subset of the righthand operand.  Similarly, ``<=``
+returns ``T`` if the lefthand operator is a subset (not necessarily proper,
+i.e., it may be equal to the righthand operand).  The operators ``!=``,
+``>`` and ``>=`` provide the expected complementary operations.
+
+Additional operations
+^^^^^^^^^^^^^^^^^^^^^
+
+The number of elements in a set can be obtained by placing the set
+identifier between vertical pipe characters:
+
+.. code-block:: zeek
+
+    |s|
+
+
+The :ref:`table's special lookups <table-special-lookups>` extend to the
+set ``in`` operator: Using ``in`` with ``addr`` and ``set[subnet]``
+or ``string`` and ``set[pattern]`` yields ``T`` if any of the subnets
+or patterns the set holds contain or match the given value.
+
+
+.. zeek:native-type:: string
+
+string
+------
+
+A type used to hold bytes which represent text and also can hold
+arbitrary binary data.
+
+String constants are created by enclosing text within a pair of double
+quotes (``"``).  A string constant cannot span multiple lines in a Zeek script.
+The backslash character (\\) introduces escape sequences. Zeek recognizes
+the following escape sequences: ``\\``, ``\n``, ``\t``, ``\v``, ``\b``,
+``\r``, ``\f``, ``\a``, ``\ooo`` (where each 'o' is an octal digit),
+``\xhh`` (where each 'h' is a hexadecimal digit).  If Zeek does not
+recognize an escape sequence, Zeek will ignore the backslash
+(``\\g`` becomes ``g``).
+
+Strings support concatenation (``+``), and assignment (``=``, ``+=``).
+Strings also support the comparison operators (``==``, ``!=``, ``<``,
+``<=``, ``>``, ``>=``).  The number of characters in a string can be
+found by enclosing the string within pipe characters (e.g., ``|"abc"|``
+is 3).  Substring searching can be performed using the ``in`` or ``!in``
+operators (e.g., ``"bar" in "foobar"`` yields true).
+
+The subscript operator can extract a substring of a string.  To do this,
+specify the starting index to extract (if the starting index is omitted,
+then zero is assumed), followed by a colon and index
+one past the last character to extract (if the last index is omitted,
+then the extracted substring will go to the end of the original string).
+However, if both the colon and last index are omitted, then a string of
+length one is extracted.  String indexing is zero-based, but an index
+of -1 refers to the last character in the string, and -2 refers to the
+second-to-last character, etc.  Here are a few examples:
+
+.. code-block:: zeek
+
+    local orig = "0123456789";
+    local second_char = orig[1];         # "1"
+    local last_char = orig[-1];          # "9"
+    local first_two_chars = orig[:2];    # "01"
+    local last_two_chars = orig[8:];     # "89"
+    local no_first_and_last = orig[1:9]; # "12345678"
+    local no_first = orig[1:];           # "123456789"
+    local no_last = orig[:-1];           # "012345678"
+    local copy_orig = orig[:];           # "0123456789"
+
+Note that the subscript operator cannot be used to modify a string (i.e.,
+it cannot be on the left side of an assignment operator).
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`addr`
+     - :zeek:see:`to_addr` BIF
+     - ``to_addr("127.0.0.1")``
+
+   * - :zeek:see:`addr`
+     - :zeek:see:`raw_bytes_to_v4_addr` BIF
+     - ``raw_bytes_to_v4_addr("\x7f\x0\x0\x1")``
+
+   * - :zeek:see:`addr`
+     - :zeek:see:`raw_bytes_to_v6_addr` BIF
+     - ``raw_bytes_to_v6_addr("\xda\xda\xbe\xef\x00\x00AAAAAAAAAA")``
+
+   * - :zeek:see:`bool`
+     - Relational operator
+     - ``foo != ""``
+
+   * - :zeek:see:`count`
+     - :zeek:see:`to_count` BIF
+     - ``to_count("42")``
+
+   * - :zeek:see:`count`
+     - :zeek:see:`bytestring_to_count` BIF
+     - ``bytestring_to_count("\xde\xad\xbe\xef")``
+
+   * - :zeek:see:`double`
+     - :zeek:see:`to_double` BIF
+     - ``to_double("0.001")``
+
+   * - :zeek:see:`double`
+     - :zeek:see:`bytestring_to_double` BIF
+     - ``bytestring_to_double("\x43\x26\x4f\xa0\x71\x30\x80\x00")``
+
+   * - :zeek:see:`int`
+     - :zeek:see:`to_int` BIF
+     - ``to_int("-42")``
+
+   * - :zeek:see:`pattern`
+     - :zeek:see:`string_to_pattern` BIF
+     - ``string_to_pattern("rsh .*", F)``
+
+   * - :zeek:see:`port`
+     - :zeek:see:`to_port` BIF
+     - ``to_port("53/udp")``
+
+   * - :zeek:see:`subnet`
+     - :zeek:see:`to_subnet` BIF
+     - ``to_subnet("::1/128")``
+
+
+.. zeek:native-type:: subnet
+
+subnet
+------
+
+A type representing a block of IP addresses in CIDR notation.  A
+``subnet`` constant is written as an :zeek:type:`addr` followed by a
+slash (``/``) and then the network prefix size specified as a decimal
+number.  For example, ``192.168.0.0/16`` or ``[fe80::]/64``.
+
+Subnets can be compared for equality (``==``, ``!=``).  An
+:zeek:type:`addr` can be checked for inclusion in a subnet using
+the ``in`` or ``!in`` operators.
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`addr`
+     - :zeek:see:`subnet_to_addr` BIF
+     - ``subnet_to_addr([::1]/120)``
+
+   * - :zeek:see:`double`
+     - Absolute value operator
+     - ``|1.2.3.0/24|``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", foo)``
+
+
+.. zeek:native-type:: table
+
+table
+-----
+
+An associate array that maps from one set of values to another.  The
+values being mapped are termed the *index* or *indices* and the
+result of the mapping is called the *yield*.  Indexing into tables
+is very efficient, and internally it is just a single hash table
+lookup.
+
+Declaration and initialization
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The table declaration syntax is::
+
+    table [ type^+ ] of type
+
+where ``type^+`` is one or more types, separated by commas.  The
+index type cannot be any of the following types:  :zeek:type:`file`,
+:zeek:type:`opaque`, :zeek:type:`any`.
+
+Here is an example of declaring a table indexed by :zeek:type:`count` values
+and yielding :zeek:type:`string` values:
+
+.. code-block:: zeek
+
+    global a: table[count] of string;
+
+The yield type can also be more complex:
+
+.. code-block:: zeek
+
+    global a: table[count] of table[addr, port] of string;
+
+which declares a table indexed by :zeek:type:`count` and yielding
+another ``table`` which is indexed by an :zeek:type:`addr`
+and :zeek:type:`port` to yield a :zeek:type:`string`.
+
+One way to initialize a table is by enclosing a set of initializers within
+braces, for example:
+
+.. code-block:: zeek
+
+    global t: table[count] of string = {
+        [11] = "eleven",
+        [5] = "five",
+    };
+
+A table constructor can also be used to create a table:
+
+.. code-block:: zeek
+
+    global t2 = table(
+        [192.168.0.2, 22/tcp] = "ssh",
+        [192.168.0.3, 80/tcp] = "http"
+    );
+
+Table constructors can also be explicitly named by a type, which is
+useful when a more complex index type could otherwise be
+ambiguous:
+
+.. code-block:: zeek
+
+    type MyRec: record {
+        a: count &optional;
+        b: count;
+    };
+
+    type MyTable: table[MyRec] of string;
+
+    global t3 = MyTable([[$b=5]] = "b5", [[$b=7]] = "b7");
+
+Insertion and removal
+^^^^^^^^^^^^^^^^^^^^^
+
+Add or overwrite individual table elements by assignment:
+
+.. code-block:: zeek
+
+    t[13] = "thirteen";
+
+Remove individual table elements with :zeek:keyword:`delete`:
+
+.. code-block:: zeek
+
+    delete t[13];
+
+Nothing happens if the element with index value ``13`` isn't present in
+the table.
+
+.. versionadded:: 7.0
+
+Removing all table elements can be done with the :zeek:keyword:`delete`, too:
+
+.. code-block:: zeek
+
+    delete t;
+
+.. note::
+
+   Indexing with complex types (such as records or sets) happens via hashing of
+   the provided index value at the time of table access. Subsequent
+   modifications to the index value do not affect the table. For example:
+
+   .. code-block:: zeek
+
+       local t: table[set[port]] of string = table();
+       local s: set[port] = { 80/tcp, 8000/tcp };
+
+       t[s] = "http";
+
+       add s[8080/tcp];
+
+       print t[set(80/tcp, 8000/tcp)]; # prints "http"
+       print t[s]; # error: no such index
+
+Lookup and iteration
+^^^^^^^^^^^^^^^^^^^^
+
+Accessing table elements is provided by enclosing index values within
+square brackets (``[]``), for example:
+
+.. code-block:: zeek
+
+    print t[11];
+
+Membership can be tested with ``in`` or ``!in``:
+
+.. code-block:: zeek
+
+    if ( 13 in t )
+        ...
+    if ( [192.168.0.2, 22/tcp] in t2 )
+        ...
+
+See the :zeek:keyword:`for` statement for information on how to iterate over
+the elements in a table.
+
+.. _table-special-lookups:
+
+Special lookups
+^^^^^^^^^^^^^^^
+
+Zeek supports two forms of special table lookups. The first is for tables
+with an index type of :zeek:type:`subnet`. When indexed with an
+:zeek:type:`addr` value, these tables produce the yield associated with
+the closest (narrowest) subnet. For example:
+
+.. code-block:: zeek
+
+    global st: table[subnet] of count;
+    st[1.2.3.4/24] = 5;
+    st[1.2.3.4/29] = 9;
+    print st[1.2.3.4], st[1.2.3.251];
+
+will print ``9, 5``. Attempting to look up an address that doesn't match
+any of the subnet indices results in a run-time error.
+
+.. versionadded:: 6.2
+
+In addition, :zeek:type:`string` lookups for tables that have an index type of
+:zeek:type:`pattern` return a (possibly empty)
+:zeek:type:`vector` containing the values corresponding to each of the
+patterns matching the given string. The order of entries in the resulting
+vector is non-deterministic. For example:
+
+.. code-block:: zeek
+
+    global pt: table[pattern] of count;
+    pt[/foo/] = 1;
+    pt[/bar/] = 2;
+    pt[/(foo|bletch)/] = 3;
+    print pt["foo"];
+
+will print either ``[1, 3]`` or ``[3, 1]``.
+Indexing with a string that matches only one pattern returns a
+one-element :zeek:type:`vector`, and indexing with a string that no
+pattern matches returns an empty :zeek:type:`vector`.
+
+Note that these pattern matches are all *exact*: the pattern must match
+the entire string. If you want the pattern to match if it's *anywhere*
+in the string, you can use the usual regular expression operators such
+as ``/.*foo.*/``.
+
+.. note::
+
+   The :zeek:attr:`&default` attribute is ignored for this type of lookup.
+   If none of the patterns matches a given string, the result will be an empty
+   :zeek:type:`vector`, regardless of :zeek:attr:`&default`. Neither is the
+   :zeek:attr:`&default_insert` attribute used. It's not an error to have
+   either of these attributes, however. They'll still be in effect when
+   indexing with :zeek:type:`pattern` values.
+
+.. note::
+
+   Internally, Zeek matches a table's patterns in parallel using a lazily
+   constructed deterministic finite automaton (DFA). This means that the nature
+   of patterns in the table *and* the strings looked up in it can lead to
+   varying degrees of runtime memory growth.
+
+   Users are advised to test scripts using this feature with a wide range of
+   input data. Script developers can reset the DFA's state by removal or
+   addition of a single pattern. For observability, the
+   :zeek:see:`table_pattern_matcher_stats` function returns a
+   :zeek:see:`MatcherStats` record with details about a table's DFA state.
+
+
+Additional operations
+^^^^^^^^^^^^^^^^^^^^^
+
+The number of elements in a table can be obtained by placing the table
+identifier between vertical pipe characters:
+
+.. code-block:: zeek
+
+    |t|
+
+It's common to extend the behavior of table lookup and membership lifetimes
+via :doc:`attributes <attributes>` but note that it's also a :ref:`confusing
+pitfall <attribute-propagation-pitfalls>` that attributes bind to initial
+*values* instead of *type* or *variable* and do not currently propagate to
+any new *value* subsequently re-assigned to the table *variable*.
+
+
+.. zeek:native-type:: time
+
+time
+----
+
+A temporal type representing an absolute time.  There is currently
+no way to specify a ``time`` constant, but one can use the
+:zeek:id:`double_to_time`, :zeek:id:`current_time`, or :zeek:id:`network_time`
+built-in functions to assign a value to a ``time``-typed variable.
+
+Time values support the comparison operators (``==``, ``!=``, ``<``,
+``<=``, ``>``, ``>=``).  A ``time`` value can be subtracted from
+another ``time`` value to produce an :zeek:type:`interval` value.  An
+``interval`` value can be added to, or subtracted from, a ``time`` value
+to produce a ``time`` value.  The absolute value of a ``time`` value is
+a :zeek:type:`double` with the same numeric value.
+
+Type Conversions
+^^^^^^^^^^^^^^^^
+
+.. list-table::
+   :header-rows: 1
+
+   * - To
+     - Description
+     - Example
+
+   * - :zeek:see:`double`
+     - :zeek:see:`time_to_double` BIF
+     - ``time_to_double(foo)``
+
+   * - :zeek:see:`double`
+     - Absolute value operator
+     - ``|foo|``
+
+   * - :zeek:see:`interval`
+     - Subtraction operator
+     - ``end_time - start_time``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`cat` BIF
+     - ``cat(foo)``
+
+   * - :zeek:see:`string`
+     - :zeek:see:`fmt` BIF for additional control over the formatting
+     - ``fmt("%s", foo)``
+
+
+.. zeek:native-type:: vector
+
+vector
+------
+
+A vector is like a :zeek:type:`table`, except its indices are non-negative
+integers, starting from zero.
+
+Declaration and initialization
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+A vector is declared as follows:
+
+.. code-block:: zeek
+
+    global v: vector of string;
+
+Vectors can be initialized with the vector constructor:
+
+.. code-block:: zeek
+
+    local v = vector("one", "two", "three");
+
+Vector constructors can also be explicitly named by a type, which
+is useful for when a more complex yield type could otherwise be
+ambiguous.
+
+.. code-block:: zeek
+
+    type MyRec: record {
+        a: count &optional;
+        b: count;
+    };
+
+    type MyVec: vector of MyRec;
+
+    global v2 = MyVec([$b=1], [$b=2], [$b=3]);
+
+Insertion
+^^^^^^^^^
+
+An element can be added to a vector by assigning the value (a value
+that already exists at that index will be overwritten):
+
+.. code-block:: zeek
+
+    v[3] = "four";
+
+A range of elements can be *replaced* by assigning to a vector slice:
+
+.. code-block:: zeek
+
+    # Note that the number of elements in the slice being replaced
+    # may differ from the number of elements being inserted.  This
+    # causes the vector to grow or shrink accordingly.
+    v[0:2] = vector("five", "six", "seven");
+
+A particularly common operation on a vector is to append an element
+to its end.  You can do so using:
+
+.. code-block:: zeek
+
+    v += e;
+
+where if *e*'s type is ``X``, *v*'s type is ``vector of X``.  Note that
+this expression is equivalent to:
+
+.. code-block:: zeek
+
+    v[|v|] = e;
+
+In addition, if *e*'s type is ``vector of X`` and so is *v*'s type, then
+
+.. code-block:: zeek
+
+    v += e;
+
+instead appends each element of *e* to *v*.  (In this case the expression
+is *not* equivalent to ``v[|v|] = e``, which will generate an error because
+*e*'s type is not compatible with ``X``.)
+
+Lookup and iteration
+^^^^^^^^^^^^^^^^^^^^
+
+Access individual vector elements by enclosing index values within
+square brackets (``[]``), for example:
+
+.. code-block:: zeek
+
+    print v[2];
+
+Access a slice of vector elements by enclosing a range of indices,
+delimited by a colon, within square brackets (``[x:y]``).  For example,
+this will print a vector containing the first and second elements:
+
+.. code-block:: zeek
+
+    print v[0:2];
+
+The slicing notation is the same as what is permitted by the
+:zeek:see:`string` substring extraction operations.
+
+The ``in`` operator can be used to check if a value has been assigned at a
+specified index value in the vector.  For example, if a vector has size 4,
+then the expression ``3 in v`` would yield true and ``4 in v`` would yield
+false.
+
+See the :zeek:keyword:`for` statement for info on how to iterate over
+the elements in a vector.
+
+.. versionadded:: 7.0
+
+The :zeek:keyword:`delete` statement can be used to delete all elements
+from a vector.
+
+Vectorized operations
+^^^^^^^^^^^^^^^^^^^^^
+
+Vectors of integral types (:zeek:type:`int` or :zeek:type:`count`) support the pre-increment
+(``++``) and pre-decrement operators (``--``), which will increment or
+decrement each element in the vector.
+
+Vectors of arithmetic types (:zeek:type:`int` or :zeek:type:`count`, or :zeek:type:`double`) can be
+operands of the arithmetic operators (``+``, ``-``, ``*``, ``/``, ``%``),
+but both operands must have the same number of elements (and the modulus
+operator ``%`` cannot be used if either operand is a ``vector of double``).
+The resulting vector contains the result of the operation applied to each
+of the elements in the operand vectors.
+
+Vectors of :zeek:type:`bool` can be operands of the logical "and" (``&&``) and logical
+"or" (``||``) operators (both operands must have the same number of elements).
+The resulting ``vector of bool`` is the logical "and" (or logical "or") of
+each element of the operand vectors.
+
+Vectors of :zeek:type:`count` can also be operands for the bitwise and/or/xor
+operators, ``&``, ``|`` and ``^``.
+
+Vectors of :zeek:type:`string` can be concatenated element-wise through
+the ``+`` operator, yielding a new ``vector of string`` containing the
+resulting values. Both operand vectors must be of the same length. A
+vector of type :zeek:type:`string` can also be paired with a scalar operand
+using any operator that supports string/scalar operations (i.e.,
+concatenation and comparisons). The resulting vector will contain the
+result of the operator applied to each of the elements.
+
+.. note::
+
+   As a quirk of the language, for a string vector ``v`` there is a
+   difference between ``v = v + "foo"`` and ``v += "foo"``: the former
+   extends each element, while the latter appends a new element to the
+   vector.)
+
+Additional operations
+^^^^^^^^^^^^^^^^^^^^^
+
+The size of a vector (this is one greater than the highest index value, and
+is normally equal to the number of elements in the vector) can be obtained
+by placing the vector identifier between vertical pipe characters:
+
+.. code-block:: zeek
+
+    |v|
+
+
+.. zeek:native-type:: void
+
+void
+----
+
+An internal Zeek type (i.e., ``void`` is not a reserved keyword in the Zeek
+scripting language) representing the absence of a return type for a
+function.
diff --git a/doc/scripting/basics.rst b/doc/scripting/basics.rst
new file mode 100644
index 0000000000..a21ddae951
--- /dev/null
+++ b/doc/scripting/basics.rst
@@ -0,0 +1,1817 @@
+
+.. _writing-scripts:
+
+==========
+The Basics
+==========
+
+Understanding Scripts
+=====================
+
+Zeek includes an event-driven scripting language that provides
+the primary means for an organization to extend and customize Zeek's
+functionality. Virtually all of the output generated by Zeek
+is, in fact, generated by Zeek scripts.  It's almost easier to consider
+Zeek to be an entity behind-the-scenes processing connections and
+generating events while Zeek's scripting language is the medium through
+which we mere mortals can achieve communication.  Zeek scripts
+effectively notify Zeek that should there be an event of a type we
+define, then let us have the information about the connection so we
+can perform some function on it.  For example, the :file:`ssl.log` file is
+generated by a Zeek script that walks the entire certificate chain and
+issues notifications if any of the steps along the certificate chain
+are invalid.  This entire process is setup by telling Zeek that should
+it see a server or client issue an SSL ``HELLO`` message, we want to know
+about the information about that connection.
+
+It's often easiest to understand Zeek's scripting language by
+looking at a complete script and breaking it down into its
+identifiable components.  In this example, we'll take a look at how
+Zeek checks the SHA1 hash of various files extracted from network traffic
+against the `Team Cymru Malware hash registry
+<http://www.team-cymru.org/Services/MHR/>`_.  Part of the Team Cymru Malware
+Hash registry includes the ability to do a host lookup on a domain with the format
+``<MALWARE_HASH>.malware.hash.cymru.com`` where ``<MALWARE_HASH>`` is the SHA1 hash of a file.
+Team Cymru also populates the TXT record of their DNS responses with both a "first seen"
+timestamp and a numerical "detection rate".  The important aspect to understand is Zeek already
+generating hashes for files via the Files framework, but it is the
+script :doc:`/scripts/policy/frameworks/files/detect-MHR.zeek`
+that is responsible for generating the
+appropriate DNS lookup, parsing the response, and generating a notice if appropriate.
+
+.. code-block:: zeek
+   :caption: detect-MHR.zeek
+
+   ##! Detect file downloads that have hash values matching files in Team
+   ##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
+
+   @load base/frameworks/files
+   @load base/frameworks/notice
+   @load frameworks/files/hash-all-files
+
+   module TeamCymruMalwareHashRegistry;
+
+   export {
+       redef enum Notice::Type += {
+           ## The hash value of a file transferred over HTTP matched in the
+           ## malware hash registry.
+           Match
+       };
+
+       ## File types to attempt matching against the Malware Hash Registry.
+       option match_file_types = /application\/x-dosexec/ |
+                                /application\/vnd.ms-cab-compressed/ |
+                                /application\/pdf/ |
+                                /application\/x-shockwave-flash/ |
+                                /application\/x-java-applet/ |
+                                /application\/jar/ |
+                                /video\/mp4/;
+
+       ## The Match notice has a sub message with a URL where you can get more
+       ## information about the file. The %s will be replaced with the SHA-1
+       ## hash of the file.
+       option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
+
+       ## The malware hash registry runs each malware sample through several
+       ## A/V engines.  Team Cymru returns a percentage to indicate how
+       ## many A/V engines flagged the sample as malicious. This threshold
+       ## allows you to require a minimum detection rate.
+       option notice_threshold = 10;
+   }
+
+   function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
+       {
+       local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
+       when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+           {
+           # Data is returned as "<dateFirstDetected> <detectionRate>"
+           local MHR_answer = split_string1(MHR_result, / /);
+
+           if ( |MHR_answer| == 2 )
+               {
+               local mhr_detect_rate = to_count(MHR_answer[1]);
+
+               if ( mhr_detect_rate >= notice_threshold )
+                   {
+                   local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
+                   local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
+                   local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+                   local virustotal_url = fmt(match_sub_url, hash);
+                   # We don't have the full fa_file record here in order to
+                   # avoid the "when" statement cloning it (expensive!).
+                   local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+                   Notice::populate_file_info2(fi, n);
+                   NOTICE(n);
+                   }
+               }
+           }
+       }
+
+   event file_hash(f: fa_file, kind: string, hash: string)
+       {
+       if ( kind == "sha1" && f?$info && f$info?$mime_type &&
+            match_file_types in f$info$mime_type )
+           do_mhr_lookup(hash, Notice::create_file_info(f));
+       }
+
+Visually, there are three distinct sections of the script.  First, there is a base
+level with no indentation where libraries are included in the script through ``@load``
+and a namespace is defined with ``module``.  This is followed by an indented and formatted
+section explaining the custom variables being provided (``export``) as part of the script's namespace.
+Finally there is a second indented and formatted section describing the instructions to take for a
+specific event (``event file_hash``).  Don't get discouraged if you don't
+understand every section of the script; we'll cover the basics of the
+script and much more in following sections.
+
+.. code-block:: zeek
+   :caption: detect-MHR.zeek
+
+   @load base/frameworks/files
+   @load base/frameworks/notice
+   @load frameworks/files/hash-all-files
+
+The first part of the script consists of ``@load`` directives which
+process the ``__load__.zeek`` script in the
+respective directories being loaded.  The ``@load`` directives are
+often considered good practice or even just good manners when writing
+Zeek scripts to make sure they can be used on their own. While it's unlikely that in a
+full production deployment of Zeek these additional resources wouldn't
+already be loaded, it's not a bad habit to try to get into as you get
+more experienced with Zeek scripting.  If you're just starting out,
+this level of granularity might not be entirely necessary.  The ``@load`` directives
+are ensuring the Files framework, the Notice framework and the script to hash all files has
+been loaded by Zeek.
+
+.. code-block:: zeek
+   :caption: detect-MHR.zeek
+
+   export {
+       redef enum Notice::Type += {
+           ## The hash value of a file transferred over HTTP matched in the
+           ## malware hash registry.
+           Match
+       };
+
+       ## File types to attempt matching against the Malware Hash Registry.
+       option match_file_types = /application\/x-dosexec/ |
+                                /application\/vnd.ms-cab-compressed/ |
+                                /application\/pdf/ |
+                                /application\/x-shockwave-flash/ |
+                                /application\/x-java-applet/ |
+                                /application\/jar/ |
+                                /video\/mp4/;
+
+       ## The Match notice has a sub message with a URL where you can get more
+       ## information about the file. The %s will be replaced with the SHA-1
+       ## hash of the file.
+       option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
+
+       ## The malware hash registry runs each malware sample through several
+       ## A/V engines.  Team Cymru returns a percentage to indicate how
+       ## many A/V engines flagged the sample as malicious. This threshold
+       ## allows you to require a minimum detection rate.
+       option notice_threshold = 10;
+   }
+
+The export section redefines an enumerable constant that describes the type of
+notice we will generate with the Notice framework.  Zeek allows for
+re-definable constants, which at first, might seem counter-intuitive.  We'll
+get more in-depth with constants in a later chapter, for now, think of them as
+variables that can only be altered before Zeek starts running.  By extending
+the :zeek:see:`Notice::Type` as shown, this allows for the :zeek:see:`NOTICE`
+function to generate notices with a ``$note`` field set as
+``TeamCymruMalwareHashRegistry::Match``.  Notices allow Zeek to generate some
+kind of extra notification beyond its default log types.  Often times, this
+extra notification comes in the form of an email generated and sent to a
+preconfigured address, but can be altered depending on the needs of the
+deployment.  The export section is finished off with the definition of a few
+constants that list the kind of files we want to match against and the minimum
+percentage of detection threshold in which we are interested.
+
+Up until this point, the script has merely done some basic setup.  With
+the next section, the script starts to define instructions to take in
+a given event.
+
+.. code-block:: zeek
+   :caption: detect-MHR.zeek
+
+   function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
+       {
+       local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
+       when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+           {
+           # Data is returned as "<dateFirstDetected> <detectionRate>"
+           local MHR_answer = split_string1(MHR_result, / /);
+
+           if ( |MHR_answer| == 2 )
+               {
+               local mhr_detect_rate = to_count(MHR_answer[1]);
+
+               if ( mhr_detect_rate >= notice_threshold )
+                   {
+                   local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
+                   local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
+                   local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+                   local virustotal_url = fmt(match_sub_url, hash);
+                   # We don't have the full fa_file record here in order to
+                   # avoid the "when" statement cloning it (expensive!).
+                   local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+                   Notice::populate_file_info2(fi, n);
+                   NOTICE(n);
+                   }
+               }
+           }
+       }
+
+   event file_hash(f: fa_file, kind: string, hash: string)
+       {
+       if ( kind == "sha1" && f?$info && f$info?$mime_type &&
+            match_file_types in f$info$mime_type )
+           do_mhr_lookup(hash, Notice::create_file_info(f));
+       }
+
+The workhorse of the script is contained in the event handler for
+``file_hash``.  The :zeek:see:`file_hash` event allows scripts to access
+the information associated with a file for which Zeek's file analysis
+framework has generated a hash.  The event handler is passed the
+file itself as ``f``, the type of digest algorithm used as ``kind``
+and the hash generated as ``hash``.
+
+In the ``file_hash`` event handler, there is an ``if`` statement that is used
+to check for the correct type of hash, in this case
+a SHA1 hash.  It also checks for a mime type we've defined as
+being of interest as defined in the constant ``match_file_types``.
+The comparison is made against the expression ``f$info$mime_type``, which uses
+the ``$`` dereference operator to check the value ``mime_type``
+inside the variable ``f$info``.  If the entire expression evaluates to true,
+then a helper function is called to do the rest of the work.  In that
+function, a local variable is defined to hold a string comprised of
+the SHA1 hash concatenated with ``.malware.hash.cymru.com``; this
+value will be the domain queried in the malware hash registry.
+
+The rest of the script is contained within a ``when`` block.  In
+short, a ``when`` block is used when Zeek needs to perform asynchronous
+actions, such as a DNS lookup, to ensure that performance isn't effected.
+The ``when`` block performs a DNS TXT lookup and stores the result
+in the local variable ``MHR_result``.  Effectively, processing for
+this event continues and upon receipt of the values returned by
+:zeek:id:`lookup_hostname_txt`, the ``when`` block is executed.  The
+``when`` block splits the string returned into a portion for the date on which
+the malware was first detected, and the detection rate, by splitting the text
+on space and storing the values returned in a local table variable.
+In the ``do_mhr_lookup`` function, if the table
+returned by ``split1`` has two entries, indicating a successful split, we
+store the detection
+date in ``mhr_first_detected`` and the rate in ``mhr_detect_rate``
+using the appropriate conversion functions.  From this point on, Zeek knows it has seen a file
+transmitted which has a hash that has been seen by the Team Cymru Malware Hash Registry, the rest
+of the script is dedicated to producing a notice.
+
+The detection time is processed into a string representation and stored in
+``readable_first_detected``.  The script then compares the detection rate
+against the ``notice_threshold`` that was defined earlier.  If the
+detection rate is high enough, the script creates a concise description
+of the notice and stores it in the ``message`` variable.  It also
+creates a possible URL to check the sample against
+``virustotal.com``'s database, and makes the call to :zeek:id:`NOTICE`
+to hand the relevant information off to the Notice framework.
+
+In approximately a few dozen lines of code, Zeek provides an amazing
+utility that would be incredibly difficult to implement and deploy
+with other products.  In truth, claiming that Zeek does this in such a small
+number of lines is a misdirection; there is a truly massive number of things
+going on behind-the-scenes in Zeek, but it is the inclusion of the
+scripting language that gives analysts access to those underlying
+layers in a succinct and well defined manner.
+
+The Event Queue and Event Handlers
+==================================
+
+Zeek's scripting language is event driven which is a gear change from
+the majority of scripting languages with which most users will have
+previous experience.  Scripting in Zeek depends on handling the events
+generated by Zeek as it processes network traffic, altering the state
+of data structures through those events, and making decisions on the
+information provided.  This approach to scripting can often cause
+confusion to users who come to Zeek from a procedural or functional
+language, but once the initial shock wears off it becomes more clear
+with each exposure.
+
+Zeek's core acts to place events into an ordered "event queue",
+allowing event handlers to process them on a first-come-first-serve
+basis.  In effect, this is Zeek's core functionality as without the
+scripts written to perform discrete actions on events, there would be
+little to no usable output.  As such, a basic understanding of the
+event queue, the events being generated, and the way in which event
+handlers process those events is a basis for not only learning to
+write scripts for Zeek but for understanding Zeek itself.
+
+Gaining familiarity with the specific events generated by Zeek is a big
+step towards building a mind set for working with Zeek scripts.  The
+majority of events generated by Zeek are defined in the
+built-in-function (``*.bif``) files which also act as the basis for
+online event documentation.  These in-line comments are compiled into
+an online documentation system using Zeekygen.  Whether starting a
+script from scratch or reading and maintaining someone else's script,
+having the built-in event definitions available is an excellent
+resource to have on hand.  For the 2.0 release the Zeek developers put
+significant effort into organization and documentation of every event.
+This effort resulted in built-in-function files organized such that
+each entry contains a descriptive event name, the arguments passed to
+the event, and a concise explanation of the functions use.
+
+.. code-block:: zeek
+
+   ## Generated for DNS requests. For requests with multiple queries, this event
+   ## is raised once for each.
+   ##
+   ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   ## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   ## sessions.
+   ##
+   ## c: The connection, which may be UDP or TCP depending on the type of the
+   ##    transport-layer session being analyzed.
+   ##
+   ## msg: The parsed DNS message header.
+   ##
+   ## query: The queried name.
+   ##
+   ## qtype: The queried resource record type.
+   ##
+   ## qclass: The queried resource record class.
+   ##
+   ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+   ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+   ##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+   ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+   ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+   ##    dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+   ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+   event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
+
+Above is a segment of the documentation for the event
+:zeek:id:`dns_request` (and the preceding link points to the
+documentation generated out of that).  It's organized such that the
+documentation, commentary, and list of arguments precede the actual
+event definition used by Zeek.  As Zeek detects DNS requests being
+issued by an originator, it issues this event and any number of
+scripts then have access to the data Zeek passes along with the event.
+In this example, Zeek passes not only the message, the query, query
+type and query class for the DNS request, but also a record used
+for the connection itself.
+
+.. _writing-scripts-connection-record:
+
+The Connection Record Data Type
+===============================
+
+Of all the events defined by Zeek, an overwhelmingly large number of
+them are passed the :zeek:type:`connection` record data type, in effect,
+making it the backbone of many scripting solutions.  The connection
+record itself, as we will see in a moment, is a mass of nested data
+types used to track state on a connection through its lifetime.  Let's
+walk through the process of selecting an appropriate event, generating
+some output to standard out and dissecting the connection record so as
+to get an overview of it.  We will cover data types in more detail
+later.
+
+While Zeek is capable of packet level processing, its strengths lay in
+the context of a connection between an *originator* and a *responder*.
+
+.. note::
+
+   Zeek's notions of originator and responder aim to capture the
+   natural roles of connection endpoints given the protocol
+   information observed. They differ from the packet-level concepts of
+   source and destination, as well as from higher-level abstractions
+   such as client and server.
+
+   Zeek's protocol analyzers determine originator and responder when
+   establishing connection state, with the sender of the initial
+   packet usually becoming the originator and the recipient becoming
+   the responder. However, analyzers may subsequently *flip* the roles
+   if protocol semantics suggest it. For example, in the presence of
+   packet loss the first observed packet in a DNS transaction may
+   indicate that it is in fact the response to a missing query. Zeek's
+   DNS analyzer will flip the endpoint roles, making the sender of
+   this packet the connection's responder.
+
+Zeek defines events for the primary parts of the connection life-cycle,
+such as the following:
+
+* :zeek:see:`new_connection`
+* :zeek:see:`connection_timeout`
+* :zeek:see:`connection_state_remove`
+
+Of the events listed, the event that will give us the best insight
+into the connection record data type will be
+:zeek:id:`connection_state_remove` .  As detailed in the in-line
+documentation, Zeek generates this event just before it decides to
+remove this event from memory, effectively forgetting about it.  Let's
+take a look at a simple example script, that will output the connection record
+for a single connection.
+
+.. literalinclude:: connection_record_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Again, we start with ``@load``, this time importing the
+:doc:`base/protocols/conn </scripts/base/protocols/conn/index>` scripts which
+supply the tracking and logging of general information and state of
+connections.  We handle the :zeek:id:`connection_state_remove` event and simply
+print the contents of the argument passed to it.  For this example we're
+going to run Zeek in "bare mode" which loads only the minimum number of
+scripts to retain operability and leaves the burden of loading
+required scripts to the script being run.  While bare mode is a low
+level functionality incorporated into Zeek, in this case, we're going
+to use it to demonstrate how different features of Zeek add more and
+more layers of information about a connection.  This will give us a
+chance to see the contents of the connection record without it being
+overly populated.
+
+.. code-block:: console
+
+   $ zeek -b -r http/get.trace connection_record_01.zeek
+   [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
+
+   }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>]
+
+As you can see from the output, the connection record is something of
+a jumble when printed on its own.  Regularly taking a peek at a
+populated connection record helps to understand the relationship
+between its fields as well as allowing an opportunity to build a frame
+of reference for accessing data in a script.
+
+Zeek makes extensive use of nested data structures to store state and
+information gleaned from the analysis of a connection as a complete
+unit.  To break down this collection of information, you will have to
+make use of Zeek's field delimiter ``$``.  For example, the
+originating host is referenced by ``c$id$orig_h`` which if given a
+narrative relates to ``orig_h`` which is a member of ``id`` which is
+a member of the data structure referred to as ``c`` that was passed
+into the event handler. Given that the responder port
+``c$id$resp_p`` is ``80/tcp``, it's likely that Zeek's base HTTP scripts
+can further populate the connection record.  Let's load the
+``base/protocols/http`` scripts and check the output of our script.
+
+Zeek uses the dollar sign as its field delimiter and a direct
+correlation exists between the output of the connection record and the
+proper format of a dereferenced variable in scripts. In the output of
+the script above, groups of information are collected between
+brackets, which would correspond to the ``$``-delimiter in a Zeek script.
+
+.. literalinclude:: connection_record_02.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -b -r http/get.trace connection_record_02.zeek
+   [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
+
+   }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={
+
+   }, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
+
+   }, current_request=1, current_response=1, trans_depth=1]]
+
+The addition of the ``base/protocols/http`` scripts populates the
+``http=[]`` member of the connection record.  While Zeek is doing a
+massive amount of work in the background, it is in what is commonly
+called "scriptland" that details are being refined and decisions
+being made. Were we to continue running in "bare mode" we could slowly
+keep adding infrastructure through ``@load`` statements.  For example,
+were we to ``@load base/frameworks/logging``, Zeek would generate a
+:file:`conn.log` and :file:`http.log` for us in the current working directory.
+As mentioned above, including the appropriate ``@load`` statements is
+not only good practice, but can also help to indicate which
+functionalities are being used in a script.  Take a second to run the
+script without the ``-b`` flag and check the output when all of Zeek's
+functionality is applied to the trace file.
+
+Data Types and Data Structures
+==============================
+
+Scope
+-----
+
+Before embarking on a exploration of Zeek's native data types and data
+structures, it's important to have a good grasp of the different
+levels of scope available in Zeek and the appropriate times to use them
+within a script.  The declarations of variables in Zeek come in two
+forms.  Variables can be declared with or without a definition in the
+form ``SCOPE name: TYPE`` or ``SCOPE name = EXPRESSION`` respectively;
+each of which produce the same result if ``EXPRESSION`` evaluates to the
+same type as ``TYPE``.  The decision as to which type of declaration to
+use is likely to be dictated by personal preference and readability.
+
+.. literalinclude:: data_type_declaration.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Global Variables
+~~~~~~~~~~~~~~~~
+
+A global variable is used when the state of variable needs to be
+tracked, not surprisingly, globally.  While there are some caveats,
+when a script declares a variable using the global scope, that script
+is granting access to that variable from other scripts.  However, when
+a script uses the ``module`` keyword to give the script a namespace,
+more care must be given to the declaration of globals to ensure the
+intended result.  When a global is declared in a script with a
+namespace there are two possible outcomes.  First, the variable is
+available only within the context of the namespace.  In this scenario,
+other scripts within the same namespace will have access to the
+variable declared while scripts using a different namespace or no
+namespace altogether will not have access to the variable.
+Alternatively, if a global variable is declared within an ``export { ... }``
+block that variable is available to any other script through the
+naming convention of ``<module name>::<variable name>``, i.e. the variable
+needs to be "scoped" by the name of the module in which it was declared.
+
+When the ``module`` keyword is used in a script, the variables declared
+are said to be in that module's "namespace".  Where as a global variable
+can be accessed by its name alone when it is not declared within a
+module, a global variable declared within a module must be exported and
+then accessed via ``<module name>::<variable name>``.
+
+Constants
+~~~~~~~~~
+
+Zeek also makes use of constants, which are denoted by the ``const``
+keyword.  Unlike globals, constants can only be set or altered at
+parse time if the ``&redef`` attribute has been used.  Afterwards (in
+runtime) the constants are unalterable.  In most cases, re-definable
+constants are used in Zeek scripts as containers for configuration
+options.  For example, the configuration option to log passwords
+decrypted from HTTP streams is stored in
+:zeek:see:`HTTP::default_capture_password` as shown in the stripped down
+excerpt from :doc:`/scripts/base/protocols/http/main.zeek` below.
+
+.. literalinclude:: http_main.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Because the constant was declared with the ``&redef`` attribute, if we
+needed to turn this option on globally, we could do so by adding the
+following line to our ``site/local.zeek`` file before firing up Zeek.
+
+.. literalinclude:: data_type_const_simple.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+While the idea of a re-definable constant might be odd, the constraint
+that constants can only be altered at parse-time remains even with the
+``&redef`` attribute.  In the code snippet below, a table of strings
+indexed by ports is declared as a constant before two values are added
+to the table through ``redef`` statements.  The table is then printed
+in a :zeek:id:`zeek_init` event.  Were we to try to alter the table in
+an event handler, Zeek would notify the user of an error and the script
+would fail.
+
+.. literalinclude:: data_type_const.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -b data_type_const.zeek
+   {
+   [80/tcp] = WWW,
+   [6666/tcp] = IRC
+   }
+
+Local Variables
+~~~~~~~~~~~~~~~
+
+Whereas globals and constants are widely available in scriptland
+through various means, when a variable is defined with a local scope,
+its availability is restricted to the body of the event or function in
+which it was declared.  Local variables tend to be used for values
+that are only needed within a specific scope and once the processing
+of a script passes beyond that scope and no longer used, the variable
+is deleted. Zeek maintains names of locals separately from globally
+visible ones, an example of which is illustrated below.
+
+.. literalinclude:: data_type_local.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+The script executes the event handler :zeek:id:`zeek_init` which in turn calls
+the function ``add_two(i: count)`` with an argument of ``10``.  Once Zeek
+enters the ``add_two`` function, it provisions a locally scoped
+variable called ``added_two`` to hold the value of ``i+2``, in this
+case, ``12``.  The ``add_two`` function then prints the value of the
+``added_two`` variable and returns its value to the ``zeek_init`` event
+handler.  At this point, the variable ``added_two`` has fallen out of
+scope and no longer exists while the value ``12`` still in use and
+stored in the locally scoped variable ``test``.  When Zeek finishes
+processing the ``zeek_init`` function, the variable called ``test`` is
+no longer in scope and, since there exist no other references to the
+value ``12``, the value is also deleted.
+
+
+Data Structures
+---------------
+
+It's difficult to talk about Zeek's data types in a practical manner
+without first covering the data structures available in Zeek.  Some of
+the more interesting characteristics of data types are revealed when
+used inside of a data structure, but given that data structures are
+made up of data types, it devolves rather quickly into a
+"chicken-and-egg" problem.  As such, we'll introduce data types from
+a bird's eye view before diving into data structures and from there a
+more complete exploration of data types.
+
+The table below shows the atomic types used in Zeek, of which the
+first four should seem familiar if you have some scripting experience,
+while the remaining six are less common in other languages. It should
+come as no surprise that a scripting language for a Network Security
+Monitoring platform has a fairly robust set of network-centric data
+types and taking note of them here may well save you a late night of
+reinventing the wheel.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Data Type
+    - Description
+
+  * - :zeek:see:`int`
+    - 64 bit signed integer
+
+  * - :zeek:see:`count`
+    - 64 bit unsigned integer
+
+  * - :zeek:see:`double`
+    - double precision floating precision
+
+  * - :zeek:see:`bool`
+    - boolean (T/F)
+
+  * - :zeek:see:`addr`
+    - IP address, IPv4 and IPv6
+
+  * - :zeek:see:`port`
+    - transport layer port
+
+  * - :zeek:see:`subnet`
+    - CIDR subnet mask
+
+  * - :zeek:see:`time`
+    - absolute epoch time
+
+  * - :zeek:see:`interval`
+    - a time interval
+
+  * - :zeek:see:`pattern`
+    - regular expression
+
+Sets
+~~~~
+
+Sets in Zeek are used to store unique elements of the same data
+type.  In essence, you can think of them as "a unique set of integers"
+or "a unique set of IP addresses".  While the declaration of a set may
+differ based on the data type being collected, the set will always
+contain unique elements and the elements in the set will always be of
+the same data type.  Such requirements make the set data type perfect
+for information that is already naturally unique such as ports or IP
+addresses.  The code snippet below shows both an explicit and implicit
+declaration of a locally scoped set.
+
+.. literalinclude:: data_struct_set_declaration.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :lines: 1-4,22
+   :tab-width: 4
+
+As you can see, sets are declared using the format ``SCOPE var_name:
+set[TYPE]``.  Adding and removing elements in a set is achieved using
+the ``add`` and ``delete`` statements.  Once you have elements inserted into
+the set, it's likely that you'll need to either iterate over that set
+or test for membership within the set, both of which are covered by
+the ``in`` operator.  In the case of iterating over a set, combining the
+``for`` statement and the ``in`` operator will allow you to sequentially
+process each element of the set as seen below.
+
+.. literalinclude:: data_struct_set_declaration.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :lines: 17-21
+   :lineno-start: 17
+   :tab-width: 4
+
+Here, the ``for`` statement loops over the contents of the set storing
+each element in the temporary variable ``i``.  With each iteration of
+the ``for`` loop, the next element is chosen.  Since sets are not an
+ordered data type, you cannot guarantee the order of the elements as
+the ``for`` loop processes.
+
+To test for membership in a set the ``in`` statement can be combined
+with an ``if`` statement to return a true or false value.  If the
+exact element in the condition is already in the set, the condition
+returns true and the body executes.  The ``in`` statement can also be
+negated by the ``!`` operator to create the inverse of the condition.
+While we could rewrite the corresponding line below as ``if ( !(
+587/tcp in ssl_ports ))`` try to avoid using this construct; instead,
+negate the in operator itself.  While the functionality is the same,
+using the ``!in`` is more efficient as well as a more natural construct
+which will aid in the readability of your script.
+
+.. literalinclude:: data_struct_set_declaration.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :lines: 13-15
+   :lineno-start: 13
+   :tab-width: 4
+
+You can see the full script and its output below.
+
+.. literalinclude:: data_struct_set_declaration.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek data_struct_set_declaration.zeek
+   SSL Port: 22/tcp
+   SSL Port: 443/tcp
+   SSL Port: 587/tcp
+   SSL Port: 993/tcp
+   Non-SSL Port: 80/tcp
+   Non-SSL Port: 25/tcp
+   Non-SSL Port: 143/tcp
+   Non-SSL Port: 23/tcp
+
+Tables
+~~~~~~
+
+A table in Zeek is a mapping of a key to a value or yield.  While the
+values don't have to be unique, each key in the table must be unique
+to preserve a one-to-one mapping of keys to values.
+
+.. literalinclude:: data_struct_table_declaration.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek data_struct_table_declaration.zeek
+   Service Name:  SSH - Common Port: 22/tcp
+   Service Name:  HTTPS - Common Port: 443/tcp
+   Service Name:  SMTPS - Common Port: 587/tcp
+   Service Name:  IMAPS - Common Port: 993/tcp
+
+In this example,
+we've compiled a table of SSL-enabled services and their common
+ports.  The explicit declaration and constructor for the table are on
+two different lines and lay out the data types of the keys (strings) and the
+data types of the values (ports) and then fill in some sample key and
+value pairs.  You can also use a table accessor to insert one
+key-value pair into the table.  When using the ``in``
+operator on a table, you are effectively working with the keys of the table.
+In the case of an ``if`` statement, the ``in`` operator will check for
+membership among the set of keys and return a true or false value.
+The example shows how to check if ``SMTPS`` is not in the set
+of keys for the ``ssl_services`` table and if the condition holds true,
+we add the key-value pair to the table.  Finally, the example shows how
+to use a ``for`` statement to iterate over each key currently in the table.
+
+Simple examples aside, tables can become extremely complex as the keys
+and values for the table become more intricate.  Tables can have keys
+comprised of multiple data types and even a series of elements called
+a "tuple".  The flexibility gained with the use of complex tables in
+Zeek implies a cost in complexity for the person writing the scripts
+but pays off in effectiveness given the power of Zeek as a network
+security platform.
+
+.. literalinclude:: data_struct_table_complex.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -b data_struct_table_complex.zeek
+   Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
+   Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai
+   Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada
+   Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai
+
+This script shows a sample table of strings indexed by two
+strings, a count, and a final string.  With a tuple acting as an
+aggregate key, the order is important as a change in order would
+result in a new key.  Here, we're using the table to track the
+director, studio, year of release, and lead actor in a series of
+samurai flicks.
+
+In the case of the ``for`` statement above, iteration is done over all
+parts of the key. When not all parts of a key are needed within the ``for``
+loop's body, these can be ignored by using the blank identifier ``_``
+instead of a variable.
+It's important to note, however, that the structure of the key needs to
+be reflected: All parts of the key need to be captured within the brackets
+by a variable or the blank identifier.
+As a special case, a single blank identifier allows to ignore the whole key.
+In the previous example, we need squared brackets surrounding four temporary
+variables to act as a collection for our iteration. While this
+is a contrived example, we could easily have had keys containing IP addresses
+(``addr``), ports (``port``) and even a ``string`` calculated as the result
+of a reverse hostname lookup.
+
+The example below continues with the ``samurai_flicks`` table and shows usage
+of the blank identifier in combination with key-value iteration.
+Using key-value iteration short-cuts the table access to lookup the value as
+it provides the respective entry's value directly in addition to the key.
+
+First, iteration is done by capturing the directors and movie names and
+ignoring all other elements of the key. Second, the whole key is ignored
+and only movie names used.
+
+.. literalinclude:: data_struct_table_complex_blank_value.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek data_struct_table_complex_blank_value.zeek
+   Kiru was directed by Kihachi Okamoto
+   Harakiri was directed by Masaki Kobayashi
+   Tasogare Seibei was directed by Yoji Yamada
+   Goyokin was directed by Hideo Gosha
+   Kiru is a movie
+   Harakiri is a movie
+   Tasogare Seibei is a movie
+   Goyokin is a movie
+
+
+Vectors
+~~~~~~~
+
+If you're coming to Zeek with a programming background, you may or may
+not be familiar with a vector data type depending on your language of
+choice.  On the surface, vectors perform much of the same
+functionality as associative arrays with unsigned integers as their
+indices. They are however more efficient than that and they allow for
+ordered access. As such any time you need to sequentially store data of the
+same type, in Zeek you should reach for a vector.  Vectors are a
+collection of objects, all of which are of the same data type, to
+which elements can be dynamically added or removed.  Since Vectors use
+contiguous storage for their elements, the contents of a vector can be
+accessed through a zero-indexed numerical offset.
+
+The format for the declaration of a Vector follows the pattern of
+other declarations, namely, ``SCOPE v: vector of T`` where ``v`` is
+the name of your vector, and ``T`` is the data type of its members.
+For example, the following snippet shows an explicit and implicit
+declaration of two locally scoped vectors.  The script populates the
+first vector by inserting values at the end; it does that by placing
+the vector name between two vertical pipes to get the vector's current
+length before printing the contents of both Vectors and their current
+lengths.
+
+.. literalinclude:: data_struct_vector_declaration.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek data_struct_vector_declaration.zeek
+   contents of v1: [1, 2, 3, 4]
+   length of v1: 4
+   contents of v2: [1, 2, 3, 4]
+   length of v2: 4
+
+In a lot of cases, storing elements in a vector is simply a precursor
+to then iterating over them.  Iterating over a vector is easy with the
+``for`` keyword.  The sample below iterates over a vector of IP
+addresses and for each IP address, masks that address with 18 bits.
+The ``for`` keyword is used to generate a locally scoped variable
+called ``i`` which will hold the index of the current element in the
+vector. Using ``i`` as an index to addr_vector we can access the
+current item in the vector with ``addr_vector[i]``.
+
+.. literalinclude:: data_struct_vector_iter.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek -b data_struct_vector_iter.zeek
+   1.2.0.0/18
+   2.3.0.0/18
+   3.4.0.0/18
+
+Providing a value variable to the ``for`` loop allows skipping the extra
+index operation. As the index variable is now is unused, the script below
+uses ``_``, the blank identifier, to ignore it. This script is semantically
+equivalent to the previous one, but does direct value iteration and therefore
+potentially more performant for very large vectors.
+
+.. literalinclude:: data_struct_vector_iter_value.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Data Types Revisited
+--------------------
+
+addr
+~~~~
+
+The ``addr``, or address, data type manages to cover a surprisingly
+large amount of ground while remaining succinct.  IPv4, IPv6 and even
+hostname constants are included in the ``addr`` data type.  While IPv4
+addresses use the default dotted quad formatting, IPv6 addresses use
+the RFC 2373 defined notation with the addition of squared brackets
+wrapping the entire address.  When you venture into hostname
+constants, Zeek performs a little slight of hand for the benefit of the
+user; a hostname constant is, in fact, a set of addresses.  Zeek will
+issue a DNS request when it sees a hostname constant in use and return
+a set whose elements are the answers to the DNS request.  For example,
+if you were to use ``local google = www.google.com;`` you would end up
+with a locally scoped ``set[addr]`` with elements that represent the
+current set of round robin DNS entries for google.  At first blush,
+this seems trivial, but it is yet another example of Zeek making the
+life of the common Zeek scripter a little easier through abstraction
+applied in a practical manner. (Note however that these IP addresses
+will never get updated during Zeek's processing, so often this
+mechanism most useful for addresses that are expected to remain
+static.).
+
+port
+~~~~
+
+Transport layer port numbers in Zeek are represented in the format of
+``<unsigned integer>/<protocol name>``, e.g., ``22/tcp`` or
+``53/udp``.  Zeek supports TCP(``/tcp``), UDP(``/udp``),
+ICMP(``/icmp``) and UNKNOWN(``/unknown``) as protocol designations.
+While ICMP doesn't have an actual port, Zeek supports the concept of
+ICMP "ports" by using the ICMP message type and ICMP message code as
+the source and destination port respectively.  Ports can be compared
+for equality using the ``==`` or ``!=`` operators and can even be
+compared for ordering.  Zeek gives the protocol designations the
+following "order": ``unknown`` < ``tcp`` < ``udp`` < ``icmp``. For
+example ``65535/tcp`` is smaller than ``0/udp``.
+
+subnet
+~~~~~~
+
+Zeek has full support for CIDR notation subnets as a base data type.
+There is no need to manage the IP and the subnet mask as two separate
+entities when you can provide the same information in CIDR notation in
+your scripts.  The following example below uses a Zeek script to
+determine if a series of IP addresses are within a set of subnets
+using a 20 bit subnet mask.
+
+.. literalinclude:: data_type_subnets.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Because this is a script that doesn't use any kind of network
+analysis, we can handle the event :zeek:id:`zeek_init` which is always
+generated by Zeek's core upon startup.  In the example script, two
+locally scoped vectors are created to hold our lists of subnets and IP
+addresses respectively.  Then, using a set of nested ``for`` loops, we
+iterate over every subnet and every IP address and use an ``if``
+statement to compare an IP address against a subnet using the ``in``
+operator.  The ``in`` operator returns true if the IP address falls
+within a given subnet based on the longest prefix match calculation.
+For example, ``10.0.0.1 in 10.0.0.0/8`` would return true while
+``192.168.2.1 in 192.168.1.0/24`` would return false.  When we run the
+script, we get the output listing the IP address and the subnet in
+which it belongs.
+
+.. code-block:: console
+
+   $ zeek data_type_subnets.zeek
+   172.16.4.56 belongs to subnet 172.16.0.0/20
+   172.16.47.254 belongs to subnet 172.16.32.0/20
+   172.16.22.45 belongs to subnet 172.16.16.0/20
+   172.16.1.1 belongs to subnet 172.16.0.0/20
+
+time
+~~~~
+
+While there is currently no supported way to add a time constant in
+Zeek, two built-in functions exist to make use of the ``time`` data
+type.  Both :zeek:id:`network_time` and :zeek:id:`current_time` return a
+``time`` data type but they each return a time based on different
+criteria.  The ``current_time`` function returns what is called the
+wall-clock time as defined by the operating system.  However,
+``network_time`` returns the timestamp of the last packet processed
+be it from a live data stream or saved packet capture.  Both functions
+return the time in epoch seconds, meaning ``strftime`` must be used to
+turn the output into human readable output.  The script below makes
+use of the :zeek:id:`connection_established` event handler to generate text
+every time a SYN/ACK packet is seen responding to a SYN packet as part
+of a TCP handshake.  The text generated, is in the format of a
+timestamp and an indication of who the originator and responder were.
+We use the ``strftime`` format string of ``%Y-%m-%d %H:%M:%S`` to
+produce a common date time formatted time stamp.
+
+.. literalinclude:: data_type_time.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+When the script is executed we get an output showing the details of
+established connections.
+
+.. code-block:: console
+
+   $ zeek -r wikipedia.trace data_type_time.zeek
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118\x0a
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.2\x0a
+   2011/06/18 19:03:09:  New connection established from 141.142.220.235 to 173.192.163.128\x0a
+
+interval
+~~~~~~~~
+
+The ``interval`` data type is another area in Zeek where rational
+application of abstraction makes perfect sense.  As a data type, the
+``interval`` represents a relative time as denoted by a numeric constant
+followed by a unit of time.  For example, 2.2 seconds would be
+``2.2sec`` and thirty-one days would be represented by ``31days``.
+Zeek supports ``usec``, ``msec``, ``sec``, ``min``, ``hr``, or ``day`` which represent
+microseconds, milliseconds, seconds, minutes, hours, and days
+respectively.  In fact, the ``interval`` data type allows for a surprising
+amount of variation in its definitions.  There can be a space between
+the numeric constant or they can be crammed together like a temporal
+portmanteau.  The time unit can be either singular or plural.  All of
+this adds up to to the fact that both ``42hrs`` and ``42 hr`` are
+perfectly valid and logically equivalent in Zeek.  The point, however,
+is to increase the readability and thus maintainability of a script.
+Intervals can even be negated, allowing for ``- 10mins`` to represent
+"ten minutes ago".
+
+Intervals in Zeek can have mathematical operations performed against
+them allowing the user to perform addition, subtraction,
+multiplication, division, and comparison operations. As well, Zeek
+returns an ``interval`` when differencing two ``time`` values using the ``-``
+operator.  The script below amends the script started in the section
+above to include a time delta value printed along with the connection
+establishment report.
+
+.. literalinclude:: data_type_interval.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+When we re-execute the script we see an additional line in the
+output, displaying the time delta since the last fully established
+connection.
+
+.. code-block:: console
+
+   $ zeek -r wikipedia.trace data_type_interval.zeek
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+        Time since last connection: 132.0 msecs 97.0 usecs
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+        Time since last connection: 177.0 usecs
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+        Time since last connection: 2.0 msecs 177.0 usecs
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+        Time since last connection: 33.0 msecs 898.0 usecs
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+        Time since last connection: 35.0 usecs
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+        Time since last connection: 2.0 msecs 532.0 usecs
+   2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.2
+        Time since last connection: 7.0 msecs 866.0 usecs
+   2011/06/18 19:03:09:  New connection established from 141.142.220.235 to 173.192.163.128
+        Time since last connection: 817.0 msecs 703.0 usecs
+
+
+Pattern
+~~~~~~~
+
+Zeek has support for fast text searching operations using regular
+expressions and even goes so far as to declare a native data type for
+the patterns used in regular expressions.  A pattern constant is
+created by enclosing text within the forward slash characters.  Zeek
+supports syntax very similar to the Flex lexical analyzer syntax.  The
+most common use of patterns in Zeek you are likely to come across is
+embedded matching using the ``in`` operator.  Embedded matching
+adheres to a strict format, requiring the regular expression or
+pattern constant to be on the left side of the ``in`` operator and the
+string against which it will be tested to be on the right.
+
+.. literalinclude:: data_type_pattern_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+In the sample above, two local variables are declared to hold our
+sample sentence and regular expression.  Our regular expression in
+this case will return true if the string contains either the word
+``quick`` or the word ``lazy``. The ``if`` statement in the script uses
+embedded matching and the ``in`` operator to check for the existence
+of the pattern within the string.  If the statement resolves to true,
+:zeek:id:`split_string` is called to break the string into separate pieces.
+:zeek:id:`split_string` takes a string and a pattern as its arguments and returns a
+vector of strings.  Each element of the vector represents
+segments before and after any matches against the pattern but
+excluding the actual matches.  In this case, our pattern matches
+twice resulting in a vector with three elements.
+
+.. code-block:: console
+
+   $ zeek data_type_pattern_01.zeek
+   The
+    brown fox jumps over the
+    dog.
+
+Patterns can also be used to compare strings using equality and
+inequality operators through the ``==`` and ``!=`` operators
+respectively. When used in this manner however, the string must match
+entirely to resolve to true.  For example, the script below uses two
+ternary conditional statements to illustrate the use of the ``==``
+operator with patterns.  The output is altered based
+on the result of the comparison between the pattern and the string.
+
+.. literalinclude:: data_type_pattern_02.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek data_type_pattern_02.zeek
+   equality and /^?(equal)$?/ are not equal
+   equality and /^?(equality)$?/ are equal
+
+Record Data Type
+----------------
+
+With Zeek's support for a wide array of data types and data structures,
+an obvious extension is to include the ability to create custom
+data types composed of atomic types and further data structures.  To
+accomplish this, Zeek introduces the ``record`` type and the ``type``
+keyword.  Similar to how you would define a new data structure in C
+with the ``typedef`` and ``struct`` keywords, Zeek allows you to cobble
+together new data types to suit the needs of your situation.
+
+When combined with the ``type`` keyword, ``record`` can generate a
+composite type.  We have, in fact, already encountered a complex
+example of the ``record`` data type in the earlier sections, the
+:zeek:type:`connection` record passed to many events. Another one,
+:zeek:type:`Conn::Info`, which corresponds to the fields logged into
+:file:`conn.log`, is shown by the excerpt below.
+
+.. literalinclude:: data_type_record.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Looking at the structure of the definition, a new collection of data
+types is being defined as a type called ``Info``.  Since this type
+definition is within the confines of an export block, what is defined
+is, in fact, ``Conn::Info``.
+
+The formatting for a declaration of a record type in Zeek includes the
+descriptive name of the type being defined and the separate fields
+that make up the record.  The individual fields that make up the new
+record are not limited in type or number as long as the name for each
+field is unique.
+
+.. literalinclude:: data_struct_record_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek data_struct_record_01.zeek
+   Service: dns(RFC1035)
+     port: 53/udp
+     port: 53/tcp
+   Service: http(RFC2616)
+     port: 8080/tcp
+     port: 80/tcp
+
+The sample above shows a simple type definition that includes a
+string, a set of ports, and a count to define a service type.  Also
+included is a function to print each field of a record in a formatted
+fashion and a :zeek:id:`zeek_init` event handler to show some
+functionality of working with records.  The definitions of the DNS and
+HTTP services are both done in-line using squared brackets before being
+passed to the ``print_service`` function.  The ``print_service``
+function makes use of the ``$`` dereference operator to access the
+fields within the newly defined Service record type.
+
+As you saw in the definition for the ``Conn::Info`` record, other
+records are even valid as fields within another record.  We can extend
+the example above to include another record that contains a Service
+record.
+
+.. literalinclude:: data_struct_record_02.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek data_struct_record_02.zeek
+   System: morlock
+     Service: http(RFC2616)
+       port: 8080/tcp
+       port: 80/tcp
+     Service: dns(RFC1035)
+       port: 53/udp
+       port: 53/tcp
+
+The example above includes a second record type in which a field is
+used as the data type for a set.  Records can be repeatedly nested
+within other records, their fields reachable through repeated chains
+of the ``$`` dereference operator.
+
+It's also common to see a ``type`` used to simply alias a data
+structure to a more descriptive name.  The example below shows an
+example of this from Zeek's own type definitions file.
+
+.. code-block:: zeek
+   :caption: init-bare.zeek
+
+   type string_array: table[count] of string;
+   type string_set: set[string];
+   type addr_set: set[addr];
+
+The three lines above alias a type of data structure to a descriptive
+name.  Functionally, the operations are the same, however, each of the
+types above are named such that their function is instantly
+identifiable.  This is another place in Zeek scripting where
+consideration can lead to better readability of your code and thus
+easier maintainability in the future.
+
+
+Custom Logging
+==============
+
+Armed with a decent understanding of the data types and data
+structures in Zeek, exploring the various frameworks available is a
+much more rewarding effort.  The framework with which most users are
+likely to have the most interaction is the Logging Framework.
+Designed in such a way to so as to abstract much of the process of
+creating a file and appending ordered and organized data into it, the
+Logging Framework makes use of some potentially unfamiliar
+nomenclature.  Specifically, Log Streams, Filters and Writers are
+simply abstractions of the processes required to manage a high rate of
+incoming logs while maintaining full operability.  If you've seen Zeek
+employed in an environment with a large number of connections, you
+know that logs are produced incredibly quickly; the ability to process
+a large set of data and write it to disk is due to the design of the
+Logging Framework.
+
+Data is written to a Log Stream based on decision making processes in
+Zeek's scriptland.  Log Streams correspond to a single log as defined
+by the set of name/value pairs that make up its fields.  That data can
+then be filtered, modified, or redirected with Logging Filters which,
+by default, are set to log everything.  Filters can be used to break
+log files into subsets or duplicate that information to another
+output.  The final output of the data is defined by the writer.  Zeek's
+default writer is simple tab separated ASCII files but Zeek also
+includes support for `DataSeries <https://github.com/dataseries>`_
+and `Elasticsearch <http://www.elasticsearch.org>`_ outputs as well as
+additional writers currently in development.  While these new terms
+and ideas may give the impression that the Logging Framework is
+difficult to work with, the actual learning curve is, in actuality,
+not very steep at all.  The abstraction built into the Logging
+Framework makes it such that a vast majority of scripts needs not go
+past the basics.  In effect, writing to a log file is as simple as
+defining the format of your data, letting Zeek know that you wish to
+create a new log, and then calling the :zeek:id:`Log::write` method to
+output log records.
+
+The Logging Framework is an area in Zeek where, the more you see it
+used and the more you use it yourself, the more second nature the
+boilerplate parts of the code will become.  As such, let's work
+through a contrived example of simply logging the digits 1 through 10
+and their corresponding factorial to the default ASCII log writer.
+It's always best to work through the problem once, simulating the
+desired output with ``print`` and ``fmt`` before attempting to dive
+into the Logging Framework.
+
+.. literalinclude:: framework_logging_factorial_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+.. code-block:: console
+
+   $ zeek framework_logging_factorial_01.zeek
+   1
+   2
+   6
+   24
+   120
+   720
+   5040
+   40320
+   362880
+   3628800
+
+This script defines a factorial function to recursively calculate the
+factorial of a unsigned integer passed as an argument to the function.  Using
+``print`` and  :zeek:id:`fmt` we can ensure that Zeek can perform these
+calculations correctly as well get an idea of the answers ourselves.
+
+The output of the script aligns with what we expect so now it's time
+to integrate the Logging Framework.
+
+.. literalinclude:: framework_logging_factorial_02.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+As mentioned above we have to perform a few steps before we can
+issue the :zeek:id:`Log::write` method and produce a logfile.
+As we are working within a namespace and informing an outside
+entity of workings and data internal to the namespace, we use
+an ``export`` block.  First we need to inform Zeek
+that we are going to be adding another Log Stream by adding a value to
+the :zeek:type:`Log::ID` enumerable.  In this script, we append the
+value ``LOG`` to the ``Log::ID`` enumerable, however due to this being in
+an export block the value appended to ``Log::ID`` is actually
+``Factor::LOG``.  Next, we define the fields
+that make up the data of our logs and dictate its format.  This script
+defines a new record datatype called ``Info`` (actually,
+``Factor::Info``) with two fields, both unsigned integers. Each of the
+fields in the ``Factor::Info`` record type include the ``&log``
+attribute, indicating that these fields should be passed to the
+Logging Framework when ``Log::write`` is called.
+Any record fields without the ``&log`` attribute are ignored by the
+Logging Framework. The next step is to create the logging
+stream with :zeek:id:`Log::create_stream` which takes a ``Log::ID`` and a
+record as its arguments.  In this example, we call the
+``Log::create_stream`` method and pass ``Factor::LOG`` and the
+``Factor::Info`` record as arguments. From here on out, if we issue
+the ``Log::write`` command with the correct ``Log::ID`` and a properly
+formatted ``Factor::Info`` record, a log entry will be generated.
+
+Now, if we run this script, instead of generating
+logging information to stdout, no output is created.  Instead the
+output is all in :file:`factor.log`, properly formatted and organized.
+
+.. code-block:: console
+
+   $ zeek framework_logging_factorial_02.zeek
+   $ cat factor.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     factor
+   #open     2018-12-14-21-47-18
+   #fields   num     factorial_num
+   #types    count   count
+   1 1
+   2 2
+   3 6
+   4 24
+   5 120
+   6 720
+   7 5040
+   8 40320
+   9 362880
+   10        3628800
+   #close    2018-12-14-21-47-18
+
+While the previous example is a simplistic one, it serves to
+demonstrate the small pieces of script code that need to be in place in
+order to generate logs.  For example, it's common to call
+``Log::create_stream`` in :zeek:id:`zeek_init` and while in a live
+example, determining when to call ``Log::write`` would likely be
+done in an event handler, in this case we use :zeek:id:`zeek_done` .
+
+If you've already spent time with a deployment of Zeek, you've likely
+had the opportunity to view, search through, or manipulate the logs
+produced by the Logging Framework.  The log output from a default
+installation of Zeek is substantial to say the least, however, there
+are times in which the way the Logging Framework by default isn't
+ideal for the situation.  This can range from needing to log more or
+less data with each call to ``Log::write`` or even the need to split
+log files based on arbitrary logic.  In the later case, Filters come
+into play along with the Logging Framework.  Filters grant a level of
+customization to Zeek's scriptland, allowing the script writer to
+include or exclude fields in the log and even make alterations to the
+path of the file in which the logs are being placed.  Each stream,
+when created, is given a default filter called, not surprisingly,
+``default``.  When using the ``default`` filter, every key value pair
+with the ``&log`` attribute is written to a single file.  For the
+example we've been using, let's extend it so as to write any factorial
+which is a factor of 5 to an alternate file, while writing the
+remaining logs to :file:`factor.log`.
+
+.. literalinclude:: framework_logging_factorial_03.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+To dynamically alter the file in which a stream writes its logs, a
+filter can specify a function that returns a string to be used as the
+filename for the current call to ``Log::write``. The definition for
+this function has to take as its parameters a ``Log::ID`` called id, a
+string called ``path`` and the appropriate record type for the logs called
+``rec``.  You can see the definition of ``mod5`` used in this example
+conforms to that requirement.  The function simply returns
+``factor-mod5`` if the factorial is divisible evenly by 5, otherwise, it
+returns ``factor-non5``.  In the additional ``zeek_init`` event
+handler, we define a locally scoped ``Log::Filter`` and assign it a
+record that defines the ``name`` and ``path_func`` fields.  We then
+call ``Log::add_filter`` to add the filter to the ``Factor::LOG``
+``Log::ID`` and call ``Log::remove_filter`` to remove the ``default``
+filter for ``Factor::LOG``.  Had we not removed the ``default`` filter,
+we'd have ended up with three log files: :file:`factor-mod5.log` with all the
+factorials that are a factors of 5, :file:`factor-non5.log` with the
+factorials that are not factors of 5, and :file:`factor.log` which would have
+included all factorials.
+
+.. code-block:: console
+
+   $ zeek framework_logging_factorial_03.zeek
+   $ cat factor-mod5.log
+   #separator \x09
+   #set_separator    ,
+   #empty_field      (empty)
+   #unset_field      -
+   #path     factor-mod5
+   #open     2018-12-14-21-47-18
+   #fields   num     factorial_num
+   #types    count   count
+   5 120
+   6 720
+   7 5040
+   8 40320
+   9 362880
+   10        3628800
+   #close    2018-12-14-21-47-1
+
+The ability of Zeek to generate easily customizable and extensible logs
+which remain easily parsable is a big part of the reason Zeek has
+gained a large measure of respect.  In fact, it's difficult at times
+to think of something that Zeek doesn't log and as such, it is often
+advantageous for analysts and systems architects to instead hook into
+the logging framework to be able to perform custom actions based upon
+the data being sent to the Logging Frame.  To that end, every default
+log stream in Zeek generates a custom event that can be handled by
+anyone wishing to act upon the data being sent to the stream.  By
+convention these events are usually in the format ``log_x`` where x is
+the name of the logging stream; as such the event raised for every log
+sent to the Logging Framework by the HTTP parser would be ``log_http``.
+Instead of using an external script to parse the :file:`http.log` file and
+do post-processing for each entry, this can be done in real time inside
+Zeek by defining an event handler for the ``log_http`` event.
+
+Telling Zeek to raise an event in your own Logging stream is as simple
+as exporting that event name and then adding that event in the call to
+``Log::create_stream``.  Going back to our simple example of logging
+the factorial of an integer, we add ``log_factor`` to the ``export``
+block and define the value to be passed to it, in this case the
+``Factor::Info`` record.  We then list the ``log_factor`` function as
+the ``$ev`` field in the call to ``Log::create_stream``
+
+.. literalinclude:: framework_logging_factorial_04.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+
+Raising Notices
+===============
+
+While Zeek's Logging Framework provides an easy and systematic way to
+generate logs, there still exists a need to indicate when a specific
+behavior has been detected and a method to allow that detection to
+come to someone's attention.  To that end, the Notice Framework is in
+place to allow script writers a codified means through which they can
+raise a notice, as well as a system through which an operator can
+opt-in to receive the notice.  Zeek holds to the philosophy that it is
+up to the individual operator to indicate the behaviors in which they
+are interested and as such Zeek ships with a large number of policy
+scripts which detect behavior that may be of interest but it does not
+presume to guess as to which behaviors are "action-able".  In effect,
+Zeek works to separate the act of detection and the responsibility of
+reporting.  With the Notice Framework it's simple to raise a notice
+for any behavior that is detected.
+
+To raise a notice in Zeek, you only need to indicate to Zeek that you
+are provide a specific :zeek:type:`Notice::Type` by exporting it and then
+make a call to :zeek:id:`NOTICE` supplying it with an appropriate
+:zeek:type:`Notice::Info` record.  Often times the call to ``NOTICE``
+includes just the ``Notice::Type``, and a concise message.  There are
+however, significantly more options available when raising notices as
+seen in the definition of :zeek:type:`Notice::Info`.  The only field in
+``Notice::Info`` whose
+attributes make it a required field is the ``note`` field.  Still,
+good manners are always important and including a concise message in
+``$msg`` and, where necessary, the contents of the connection record
+in ``$conn`` along with the ``Notice::Type`` tend to comprise the
+minimum of information required for an notice to be considered useful.
+If the ``$conn`` variable is supplied the Notice Framework will
+auto-populate the ``$id`` and ``$src`` fields as well.  Other fields
+that are commonly included, ``$identifier`` and ``$suppress_for`` are
+built around the automated suppression feature of the Notice Framework
+which we will cover shortly.
+
+One of the default policy scripts raises a notice when an SSH login
+has been heuristically detected and the originating hostname is one
+that would raise suspicion.  Effectively, the script attempts to
+define a list of hosts from which you would never want to see SSH
+traffic originating, like DNS servers, mail servers, etc.  To
+accomplish this, the script adheres to the separation of detection
+and reporting by detecting a behavior and raising a notice.  Whether
+or not that notice is acted upon is decided by the local Notice
+Policy, but the script attempts to supply as much information as
+possible while staying concise.
+
+.. code-block:: zeek
+   :caption: scripts/policy/protocols/ssh/interesting-hostnames.zeek
+
+   ##! This script will generate a notice if an apparent SSH login originates
+   ##! or heads to a host with a reverse hostname that looks suspicious.  By
+   ##! default, the regular expression to match "interesting" hostnames includes
+   ##! names that are typically used for infrastructure hosts like nameservers,
+   ##! mail servers, web servers and ftp servers.
+
+   @load base/frameworks/notice
+
+   module SSH;
+
+   export {
+       redef enum Notice::Type += {
+           ## Generated if a login originates or responds with a host where
+           ## the reverse hostname lookup resolves to a name matched by the
+           ## :zeek:id:`SSH::interesting_hostnames` regular expression.
+           Interesting_Hostname_Login,
+       };
+
+       ## Strange/bad host names to see successful SSH logins from or to.
+       option interesting_hostnames =
+               /^d?ns[0-9]*\./ |
+               /^smtp[0-9]*\./ |
+               /^mail[0-9]*\./ |
+               /^pop[0-9]*\./  |
+               /^imap[0-9]*\./ |
+               /^www[0-9]*\./  |
+               /^ftp[0-9]*\./;
+   }
+
+   function check_ssh_hostname(id: conn_id, uid: string, host: addr)
+       {
+       when ( local hostname = lookup_addr(host) )
+           {
+           if ( interesting_hostnames in hostname )
+               {
+               NOTICE([$note=Interesting_Hostname_Login,
+                       $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
+                                Site::is_local_addr(host) ? "local" : "remote",
+                                host == id$orig_h ? "client" : "server"),
+                       $sub=hostname, $id=id, $uid=uid]);
+               }
+           }
+       }
+
+   event ssh_auth_successful(c: connection, auth_method_none: bool)
+       {
+       for ( host in set(c$id$orig_h, c$id$resp_h) )
+           {
+           check_ssh_hostname(c$id, c$uid, host);
+           }
+       }
+
+While much of the script relates to the actual detection, the parts
+specific to the Notice Framework are actually quite interesting in
+themselves.  The script's ``export`` block adds the value
+``SSH::Interesting_Hostname_Login`` to the enumerable constant
+``Notice::Type`` to indicate to the Zeek core that a new type of notice
+is being defined.  The script then calls ``NOTICE`` and defines the
+``$note``, ``$msg``, ``$sub``, ``id``, and ``$uid`` fields of the
+:zeek:type:`Notice::Info` record. (More commonly, one would set
+``$conn`` instead, however this script avoids using the connection
+record inside the when-statement for performance reasons.)
+There are two ternary if
+statements that modify the ``$msg`` text depending on whether the
+host is a local address and whether it is the client or the server.
+This use of :zeek:id:`fmt` and ternary operators is a concise way to
+lend readability to the notices that are generated without the need
+for branching ``if`` statements that each raise a specific notice.
+
+The opt-in system for notices is managed through writing
+:zeek:id:`Notice::policy` hooks.  A ``Notice::policy`` hook takes as
+its argument a ``Notice::Info`` record which will hold the same
+information your script provided in its call to ``NOTICE``.  With
+access to the ``Notice::Info`` record for a specific notice you can
+include logic such as in statements in the body of your hook to alter
+the policy for handling notices on your system.  In Zeek, hooks are
+akin to a mix of functions and event handlers: like functions, calls
+to them are synchronous (i.e., run to completion and return); but like
+events, they can have multiple bodies which will all execute. For
+defining a notice policy, you define a hook and Zeek will take care of
+passing in the ``Notice::Info`` record.  The simplest kind of
+``Notice::policy`` hooks simply check the value of ``$note`` in the
+``Notice::Info`` record being passed into the hook and performing an
+action based on the answer.  The hook below adds the
+:zeek:enum:`Notice::ACTION_EMAIL` action for the
+``SSH::Interesting_Hostname_Login`` notice raised in the
+:doc:`/scripts/policy/protocols/ssh/interesting-hostnames.zeek` script.
+
+.. literalinclude:: framework_notice_hook_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+In the example above we've added ``Notice::ACTION_EMAIL`` to the
+``n$actions`` set.  This set, defined in the Notice Framework scripts,
+can only have entries from the :zeek:type:`Notice::Action` type, which is
+itself an enumerable that defines the values shown in the table below
+along with their corresponding meanings.  The
+:zeek:enum:`Notice::ACTION_LOG` action writes the notice to the
+``Notice::LOG`` logging stream which, in the default configuration,
+will write each notice to the :file:`notice.log` file and take no further
+action.  The :zeek:enum:`Notice::ACTION_EMAIL` action will send an email
+to the address or addresses defined in the :zeek:id:`Notice::mail_dest`
+variable with the particulars of the notice as the body of the email.
+The last action, :zeek:enum:`Notice::ACTION_ALARM` sends the notice to
+the :zeek:enum:`Notice::ALARM_LOG` logging stream which is then rotated
+hourly and its contents emailed in readable ASCII to the addresses in
+``Notice::mail_dest``.
+
+.. list-table::
+
+  * - :zeek:see:`Notice::ACTION_NONE`
+    - Take no action
+  * - :zeek:see:`Notice::ACTION_LOG`
+    - Send the notice to the Notice::LOG logging stream.
+  * - :zeek:see:`Notice::ACTION_EMAIL`
+    - Send an email with the notice in the body.
+  * - :zeek:see:`Notice::ACTION_ALARM`
+    - Send the notice to the Notice::Alarm_LOG stream.
+
+While actions like the ``Notice::ACTION_EMAIL`` action have appeal for
+quick alerts and response, a caveat of its use is to make sure the
+notices configured with this action also have a suppression.  A
+suppression is a means through which notices can be ignored after they
+are initially raised if the author of the script has set an
+identifier.  An identifier is a unique string of information collected
+from the connection relative to the behavior that has been observed by
+Zeek.
+
+.. code-block:: zeek
+   :caption: scripts/policy/protocols/ssl/expiring-certs.zeek
+
+   NOTICE([$note=Certificate_Expires_Soon,
+           $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
+           $conn=c, $suppress_for=1day,
+           $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
+           $fuid=fuid]);
+
+In the :doc:`/scripts/policy/protocols/ssl/expiring-certs.zeek` script
+which identifies when SSL certificates are set to expire and raises
+notices when it crosses a predefined threshold, the call to
+``NOTICE`` above also sets the ``$identifier`` entry by concatenating
+the responder IP, port, and the hash of the certificate.  The
+selection of responder IP, port and certificate hash fits perfectly
+into an appropriate identifier as it creates a unique identifier with
+which the suppression can be matched. Were we to take out any of the
+entities used for the identifier, for example the certificate hash, we
+could be setting our suppression too broadly, causing an analyst to
+miss a notice that should have been raised.  Depending on the
+available data for the identifier, it can be useful to set the
+``$suppress_for`` variable as well.  The ``expiring-certs.zeek`` script
+sets ``$suppress_for`` to ``1day``, telling the Notice Framework to
+suppress the notice for 24 hours after the first notice is raised.
+Once that time limit has passed, another notice can be raised which
+will again set the ``1day`` suppression time.  Suppressing for a
+specific amount of time has benefits beyond simply not filling up an
+analyst's email inbox; keeping the notice alerts timely and succinct
+helps avoid a case where an analyst might see the notice and, due to
+over exposure, ignore it.
+
+The ``$suppress_for`` variable can also be altered in a
+``Notice::policy`` hook, allowing a deployment to better suit the
+environment in which it is be run.  Using the example of
+``expiring-certs.zeek``, we can write a ``Notice::policy`` hook for
+``SSL::Certificate_Expires_Soon`` to configure the ``$suppress_for``
+variable to a shorter time.
+
+.. literalinclude:: framework_notice_hook_suppression_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+While ``Notice::policy`` hooks allow you to build custom
+predicate-based policies for a deployment, there are bound to be times
+where you don't require the full expressiveness that a hook allows.
+In short, there will be notice policy considerations where a broad
+decision can be made based on the ``Notice::Type`` alone.  To
+facilitate these types of decisions, the Notice Framework supports
+Notice Policy shortcuts.  These shortcuts are implemented through the
+means of a group of data structures that map specific, predefined
+details and actions to the effective name of a notice.  Primarily
+implemented as a set or table of enumerables of :zeek:type:`Notice::Type`,
+Notice Policy shortcuts can be placed as a single directive in your
+``local.zeek`` file as a concise readable configuration.  As these
+variables are all constants, it bears mentioning that these variables
+are all set at parse-time before Zeek is fully up and running and not
+set dynamically.
+
++------------------------------------+-----------------------------------------------------+-------------------------------------+
+| Name                               | Description                                         | Data Type                           |
++====================================+=====================================================+=====================================+
+| Notice::ignored_types              | Ignore the Notice::Type entirely                    | set[Notice::Type]                   |
++------------------------------------+-----------------------------------------------------+-------------------------------------+
+| Notice::emailed_types              | Set Notice::ACTION_EMAIL to this Notice::Type       | set[Notice::Type]                   |
++------------------------------------+-----------------------------------------------------+-------------------------------------+
+| Notice::alarmed_types              | Set Notice::ACTION_ALARM to this Notice::Type       | set[Notice::Type]                   |
++------------------------------------+-----------------------------------------------------+-------------------------------------+
+| Notice::not_suppressed_types       | Remove suppression from this Notice::Type           | set[Notice::Type]                   |
++------------------------------------+-----------------------------------------------------+-------------------------------------+
+| Notice::type_suppression_intervals | Alter the $suppress_for value for this Notice::Type | table[Notice::Type] of interval     |
++------------------------------------+-----------------------------------------------------+-------------------------------------+
+
+
+
+The table above details the five Notice Policy shortcuts, their
+meaning and the data type used to implement them.  With the exception
+of ``Notice::type_suppression_intervals`` a ``set`` data type is
+employed to hold the ``Notice::Type`` of the notice upon which a
+shortcut should applied.  The first three shortcuts are fairly self
+explanatory, applying an action to the ``Notice::Type`` elements in
+the set, while the latter two shortcuts alter details of the
+suppression being applied to the Notice.  The shortcut
+``Notice::not_suppressed_types`` can be used to remove the configured
+suppression from a notice while ``Notice::type_suppression_intervals``
+can be used to alter the suppression interval defined by $suppress_for
+in the call to ``NOTICE``.
+
+.. literalinclude:: framework_notice_shortcuts_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+The Notice Policy shortcut above adds the ``Notice::Type`` of
+``SSH::Interesting_Hostname_Login`` to the
+``Notice::emailed_types`` set while the shortcut below alters the length
+of time for which those notices will be suppressed.
+
+.. literalinclude:: framework_notice_shortcuts_02.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
diff --git a/doc/scripting/conn-id-ctx.rst b/doc/scripting/conn-id-ctx.rst
new file mode 100644
index 0000000000..2adb52cdd4
--- /dev/null
+++ b/doc/scripting/conn-id-ctx.rst
@@ -0,0 +1,101 @@
+
+.. _script-conn-id-ctx:
+
+==============================
+Use of :zeek:see:`conn_id_ctx`
+==============================
+
+.. versionadded:: 8.0
+
+.. note::
+
+   We’re still iterating on patterns for working with the new pluggable
+   connection keys and :zeek:see:`conn_id_ctx` instances.
+   If you have feedback or run into limitations for your use-cases, please reach out!
+
+In some deployments, Zeek receives traffic from different network
+segments that share overlapping IP ranges.
+Such settings usually provide some additional means of separating
+the ranges, such as VLAN numbers.
+For example, host 10.0.0.37 in VLAN 1 and host 10.0.0.37 in VLAN 2 may share
+the same IP address, but represent different systems.
+In Zeek's terminology, such IP addresses (or their connections) occur in different
+*contexts*. In this case the context is the VLAN ID; in other settings,
+the context could be, say, Virtual Network Identifiers (VNIs) as used with
+UDP-based tunnels like VXLAN or Geneve.
+From Zeek's perspective, the context can be any kind of value that
+it can derive from packet data.
+
+Since version 8.0, Zeek can extract these contexts through
+:ref:`plugin-provided connection key implementations <connkey-plugin>`
+and include them into its core connection tracking. Such plugins will normally also
+:zeek:keyword:`redefine <redef>` :zeek:see:`conn_id_ctx` with additional
+fields to expose this context to the Zeek scripting layer.
+For example, loading :doc:`/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek`
+adds :zeek:field:`vlan` and :zeek:field:`inner_vlan` fields to :zeek:see:`conn_id_ctx`.
+
+Script writers can use the :zeek:field:`conn_id$ctx <conn_id$ctx>` field to
+distinguish :zeek:type:`addr` values observed in different contexts.
+For example, to count the number of connections per originator address in
+a context-aware manner, add the :zeek:see:`conn_id_ctx` to the table index:
+
+.. code-block:: zeek
+
+	global connection_counts: table[conn_id_ctx, addr] of count &default=0;
+
+	event new_connection(c: connection)
+	    {
+	    ++connection_counts[c$id$ctx, c$id$orig_h];
+	    }
+
+
+If, for example, :zeek:field:`ctx` is populated with fields for VLAN tags,
+that table will create individual entries per ``(VLAN, addr)`` pair.
+This will also work correctly if no context has been defined: ``c$id$ctx`` will
+be an empty record with no fields.
+
+Alternatively, users can define their own record type that includes both :zeek:see:`conn_id_ctx` and :zeek:type:`addr`,
+and use instances of such records to index into tables:
+
+.. literalinclude:: conn_id_ctx_my_endpoint.zeek
+   :caption: conn_id_ctx_my_endpoint.zeek
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+This example tracks services that an originator IP address has been observed to interact with.
+When loading the :doc:`/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek`
+script, IP addresses in different VLANs are tracked separately:
+
+.. code-block:: shell
+
+    $ zeek -r vlan-collisions.pcap frameworks/conn_key/vlan_fivetuple conn_id_ctx_my_endpoint.zeek
+    [ctx=[vlan=42, inner_vlan=<uninitialized>], a=141.142.228.5], HTTP
+    [ctx=[vlan=10, inner_vlan=20], a=141.142.228.5], HTTP
+    [ctx=[vlan=<uninitialized>, inner_vlan=<uninitialized>], a=141.142.228.5], HTTP
+
+
+Note that while this script isn't VLAN-specific, it is VLAN-aware. When
+using a different connection key plugin like the one discussed in the
+:ref:`connection key tutorial <connkey-plugin>`, the result becomes the following,
+discriminating entries in the ``talks_with_service`` table by the value of
+``c$id$ctx$vxlan_vni``:
+
+.. code-block:: shell
+
+    $ zeek -C -r vxlan-overlapping-http-get.pcap  ConnKey::factory=ConnKey::CONNKEY_VXLAN_VNI_FIVETUPLE conn_id_ctx_my_endpoint.zeek
+    [ctx=[vxlan_vni=<uninitialized>], a=141.142.228.5], HTTP
+    [ctx=[vxlan_vni=<uninitialized>], a=127.0.0.1], VXLAN
+    [ctx=[vxlan_vni=4711], a=141.142.228.5], HTTP
+    [ctx=[vxlan_vni=4242], a=141.142.228.5], HTTP
+
+
+When using Zeek's default five-tuple connection key, the :zeek:see:`conn_id_ctx`
+record is empty and originator address 141.142.228.5 appears as a single entry
+in the table instead:
+
+.. code-block:: shell
+
+    $ zeek -C -r vxlan-overlapping-http-get.pcap conn_id_ctx_my_endpoint.zeek
+    [ctx=[], a=141.142.228.5], HTTP
+    [ctx=[], a=127.0.0.1], VXLAN
diff --git a/doc/scripting/conn_id_ctx_my_endpoint.zeek b/doc/scripting/conn_id_ctx_my_endpoint.zeek
new file mode 100644
index 0000000000..40dd1227c9
--- /dev/null
+++ b/doc/scripting/conn_id_ctx_my_endpoint.zeek
@@ -0,0 +1,21 @@
+type MyEndpoint: record {
+	ctx: conn_id_ctx;
+	a: addr;
+};
+
+global talks_with_service: table[MyEndpoint] of set[string] &default_insert=set();
+
+event connection_state_remove(c: connection)
+	{
+	local endp = MyEndpoint($ctx=c$id$ctx, $a=c$id$orig_h);
+
+	for ( s in c$service )
+		add talks_with_service[endp][s];
+	}
+
+event zeek_done()
+	{
+	for ( e, es in talks_with_service )
+		print e, join_string_set(es, ", ");
+	}
+
diff --git a/doc/scripting/connection_record_01.zeek b/doc/scripting/connection_record_01.zeek
new file mode 100644
index 0000000000..9800fb0520
--- /dev/null
+++ b/doc/scripting/connection_record_01.zeek
@@ -0,0 +1,6 @@
+@load base/protocols/conn
+
+event connection_state_remove(c: connection)
+    {
+    print c;
+    }
diff --git a/doc/scripting/connection_record_02.zeek b/doc/scripting/connection_record_02.zeek
new file mode 100644
index 0000000000..e4770069a9
--- /dev/null
+++ b/doc/scripting/connection_record_02.zeek
@@ -0,0 +1,7 @@
+@load base/protocols/conn
+@load base/protocols/http
+
+event connection_state_remove(c: connection)
+    {
+    print c;
+    }
diff --git a/doc/scripting/data_struct_record_01.zeek b/doc/scripting/data_struct_record_01.zeek
new file mode 100644
index 0000000000..f2be587aa7
--- /dev/null
+++ b/doc/scripting/data_struct_record_01.zeek
@@ -0,0 +1,22 @@
+type Service: record {
+    name: string;
+    ports: set[port];
+    rfc: count;
+};
+
+function print_service(serv: Service)
+    {
+    print fmt("Service: %s(RFC%d)",serv$name, serv$rfc);
+    
+    for ( p in serv$ports )
+        print fmt("  port: %s", p);
+    }
+
+event zeek_init()
+    {
+    local dns: Service = [$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
+    local http: Service = [$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
+    
+    print_service(dns);
+    print_service(http);
+    }
diff --git a/doc/scripting/data_struct_record_02.zeek b/doc/scripting/data_struct_record_02.zeek
new file mode 100644
index 0000000000..1bc888a8ba
--- /dev/null
+++ b/doc/scripting/data_struct_record_02.zeek
@@ -0,0 +1,41 @@
+type Service: record {
+    name: string;
+    ports: set[port];
+    rfc: count;
+    };
+
+type System: record {
+    name: string;
+    services: set[Service];
+    };
+
+function print_service(serv: Service)
+    {
+    print fmt("  Service: %s(RFC%d)",serv$name, serv$rfc);
+    
+    for ( p in serv$ports )
+        print fmt("    port: %s", p);
+    }
+
+function print_system(sys: System)
+    {
+    print fmt("System: %s", sys$name);
+    
+    for ( s in sys$services )
+        print_service(s);
+    }
+
+event zeek_init()
+    {
+    local server01: System;
+    server01$name = "morlock";
+    add server01$services[[ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035]];
+    add server01$services[[ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616]];
+    print_system(server01);
+    
+    
+    # local dns: Service = [ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
+    # local http: Service = [ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
+    # print_service(dns);
+    # print_service(http);
+    }
diff --git a/doc/scripting/data_struct_set_declaration.zeek b/doc/scripting/data_struct_set_declaration.zeek
new file mode 100644
index 0000000000..519354179f
--- /dev/null
+++ b/doc/scripting/data_struct_set_declaration.zeek
@@ -0,0 +1,22 @@
+event zeek_init()
+    {
+    local ssl_ports: set[port];
+    local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
+    
+    # SSH
+    add ssl_ports[22/tcp];
+    # HTTPS
+    add ssl_ports[443/tcp];
+    # IMAPS
+    add ssl_ports[993/tcp];
+    
+    # Check for SMTPS 
+    if ( 587/tcp !in ssl_ports )
+        add ssl_ports[587/tcp];
+    
+    for ( i in ssl_ports )
+        print fmt("SSL Port: %s", i);
+
+    for ( i in non_ssl_ports )
+        print fmt("Non-SSL Port: %s", i);
+    }
diff --git a/doc/scripting/data_struct_table_complex.zeek b/doc/scripting/data_struct_table_complex.zeek
new file mode 100644
index 0000000000..407c80df13
--- /dev/null
+++ b/doc/scripting/data_struct_table_complex.zeek
@@ -0,0 +1,13 @@
+event zeek_init()
+    {
+    local samurai_flicks: table[string, string, count, string] of string;
+    
+    samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru";
+    samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin";
+    samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai" ] = "Harakiri";
+    samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada" ] = "Tasogare Seibei";
+    
+    for ( [d, s, y, a] in samurai_flicks )
+        print fmt("%s was released in %d by %s studios, directed by %s and starring %s", samurai_flicks[d, s, y, a], y, s, d, a);
+    }
+
diff --git a/doc/scripting/data_struct_table_complex_blank_value.zeek b/doc/scripting/data_struct_table_complex_blank_value.zeek
new file mode 100644
index 0000000000..d8c8cc66f4
--- /dev/null
+++ b/doc/scripting/data_struct_table_complex_blank_value.zeek
@@ -0,0 +1,11 @@
+event zeek_init()
+    {
+    # local samurai_flicks: ...
+
+    for ( [d, _, _, _], name in samurai_flicks )
+        print fmt("%s was directed by %s", name, d);
+
+    for ( _, name in samurai_flicks )
+        print fmt("%s is a movie", name);
+    }
+
diff --git a/doc/scripting/data_struct_table_declaration.zeek b/doc/scripting/data_struct_table_declaration.zeek
new file mode 100644
index 0000000000..f992396f1f
--- /dev/null
+++ b/doc/scripting/data_struct_table_declaration.zeek
@@ -0,0 +1,19 @@
+event zeek_init()
+    {
+    # Declaration of the table.
+    local ssl_services: table[string] of port;
+
+    # Initialize the table.
+    ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp);
+
+    # Insert one key-value pair into the table.
+    ssl_services["IMAPS"] = 993/tcp;
+
+    # Check if the key "SMTPS" is not in the table.
+    if ( "SMTPS" !in ssl_services )
+        ssl_services["SMTPS"] = 587/tcp;
+
+    # Iterate over each key in the table.
+    for ( k in ssl_services )
+        print fmt("Service Name:  %s - Common Port: %s", k, ssl_services[k]);
+    }
diff --git a/doc/scripting/data_struct_vector.zeek b/doc/scripting/data_struct_vector.zeek
new file mode 100644
index 0000000000..d40169cfb9
--- /dev/null
+++ b/doc/scripting/data_struct_vector.zeek
@@ -0,0 +1,7 @@
+event zeek_init()
+    {
+    local v: vector of count = vector(1, 2, 3, 4);
+    local w = vector(1, 2, 3, 4);
+    print v;
+    print w;
+    }
diff --git a/doc/scripting/data_struct_vector_declaration.zeek b/doc/scripting/data_struct_vector_declaration.zeek
new file mode 100644
index 0000000000..b484329395
--- /dev/null
+++ b/doc/scripting/data_struct_vector_declaration.zeek
@@ -0,0 +1,15 @@
+event zeek_init()
+    {
+    local v1: vector of count;
+    local v2 = vector(1, 2, 3, 4);
+    
+    v1 += 1;
+    v1 += 2;
+    v1 += 3;
+    v1 += 4;
+    
+    print fmt("contents of v1: %s", v1);
+    print fmt("length of v1: %d", |v1|);
+    print fmt("contents of v2: %s", v2);
+    print fmt("length of v2: %d", |v2|);
+    }
diff --git a/doc/scripting/data_struct_vector_iter.zeek b/doc/scripting/data_struct_vector_iter.zeek
new file mode 100644
index 0000000000..32e4229aa4
--- /dev/null
+++ b/doc/scripting/data_struct_vector_iter.zeek
@@ -0,0 +1,7 @@
+event zeek_init()
+    {
+    local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);
+
+    for ( i in addr_vector )
+        print mask_addr(addr_vector[i], 18);
+    }
diff --git a/doc/scripting/data_struct_vector_iter_value.zeek b/doc/scripting/data_struct_vector_iter_value.zeek
new file mode 100644
index 0000000000..ec823b6cdc
--- /dev/null
+++ b/doc/scripting/data_struct_vector_iter_value.zeek
@@ -0,0 +1,7 @@
+event zeek_init()
+    {
+    local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);
+
+    for ( _, a in addr_vector )
+        print mask_addr(a, 18);
+    }
diff --git a/doc/scripting/data_type_const.zeek b/doc/scripting/data_type_const.zeek
new file mode 100644
index 0000000000..7f79fd55f8
--- /dev/null
+++ b/doc/scripting/data_type_const.zeek
@@ -0,0 +1,9 @@
+const port_list: table[port] of string &redef;
+
+redef port_list += { [6666/tcp] = "IRC"};
+redef port_list += { [80/tcp] = "WWW" };
+
+event zeek_init()
+    {
+    print port_list;
+    }
diff --git a/doc/scripting/data_type_const_simple.zeek b/doc/scripting/data_type_const_simple.zeek
new file mode 100644
index 0000000000..4e843fc2ac
--- /dev/null
+++ b/doc/scripting/data_type_const_simple.zeek
@@ -0,0 +1,4 @@
+@load base/protocols/http
+
+redef HTTP::default_capture_password = T;
+
diff --git a/doc/scripting/data_type_declaration.zeek b/doc/scripting/data_type_declaration.zeek
new file mode 100644
index 0000000000..b5db2701c3
--- /dev/null
+++ b/doc/scripting/data_type_declaration.zeek
@@ -0,0 +1,9 @@
+event zeek_init()
+    {
+    local a: int;
+    a = 10;
+    local b = 10;
+
+    if ( a == b )
+        print fmt("A: %d, B: %d", a, b);
+    }
diff --git a/doc/scripting/data_type_interval.zeek b/doc/scripting/data_type_interval.zeek
new file mode 100644
index 0000000000..d5d7ac514a
--- /dev/null
+++ b/doc/scripting/data_type_interval.zeek
@@ -0,0 +1,18 @@
+# Store the time the previous connection was established.
+global last_connection_time: time;
+
+# boolean value to indicate whether we have seen a previous connection.
+global connection_seen: bool = F;
+
+event connection_established(c: connection)
+    {
+    local net_time: time  = network_time();
+
+    print fmt("%s:  New connection established from %s to %s", strftime("%Y/%m/%d %H:%M:%S", net_time), c$id$orig_h, c$id$resp_h);
+
+    if ( connection_seen )
+        print fmt("     Time since last connection: %s", net_time - last_connection_time);
+
+    last_connection_time = net_time;
+    connection_seen = T;
+    }
diff --git a/doc/scripting/data_type_local.zeek b/doc/scripting/data_type_local.zeek
new file mode 100644
index 0000000000..fc235de9c2
--- /dev/null
+++ b/doc/scripting/data_type_local.zeek
@@ -0,0 +1,11 @@
+function add_two(i: count): count
+    {
+    local added_two = i+2;
+    print fmt("i + 2 = %d", added_two);
+    return added_two;
+    }
+
+event zeek_init()
+    {
+    local test = add_two(10);
+    }
diff --git a/doc/scripting/data_type_pattern_01.zeek b/doc/scripting/data_type_pattern_01.zeek
new file mode 100644
index 0000000000..01f34c0ed0
--- /dev/null
+++ b/doc/scripting/data_type_pattern_01.zeek
@@ -0,0 +1,13 @@
+event zeek_init()
+    {
+    local test_string = "The quick brown fox jumps over the lazy dog.";
+    local test_pattern = /quick|lazy/;
+    
+    if ( test_pattern in test_string )
+        {
+        local results = split_string(test_string, test_pattern);
+        print results[0];
+        print results[1];
+        print results[2];
+        }
+    }
diff --git a/doc/scripting/data_type_pattern_02.zeek b/doc/scripting/data_type_pattern_02.zeek
new file mode 100644
index 0000000000..b1fe8ac898
--- /dev/null
+++ b/doc/scripting/data_type_pattern_02.zeek
@@ -0,0 +1,10 @@
+event zeek_init()
+    {
+    local test_string = "equality";
+
+    local test_pattern = /equal/;
+    print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
+    
+    test_pattern = /equality/;
+    print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
+    }
diff --git a/doc/scripting/data_type_record.zeek b/doc/scripting/data_type_record.zeek
new file mode 100644
index 0000000000..2380137cac
--- /dev/null
+++ b/doc/scripting/data_type_record.zeek
@@ -0,0 +1,25 @@
+module Conn;
+
+export {
+	## The record type which contains column fields of the connection log.
+	type Info: record {
+		ts:           time            &log;
+		uid:          string          &log;
+		id:           conn_id         &log;
+		proto:        transport_proto &log;
+		service:      string          &log &optional;
+		duration:     interval        &log &optional;
+		orig_bytes:   count           &log &optional;
+		resp_bytes:   count           &log &optional;
+		conn_state:   string          &log &optional;
+		local_orig:   bool            &log &optional;
+		local_resp:   bool            &log &optional;
+		missed_bytes: count           &log &default=0;
+		history:      string          &log &optional;
+		orig_pkts:     count      &log &optional;
+		orig_ip_bytes: count      &log &optional;
+		resp_pkts:     count      &log &optional;
+		resp_ip_bytes: count      &log &optional;
+		tunnel_parents: set[string] &log;
+	};
+}
diff --git a/doc/scripting/data_type_subnets.zeek b/doc/scripting/data_type_subnets.zeek
new file mode 100644
index 0000000000..1afb36a33b
--- /dev/null
+++ b/doc/scripting/data_type_subnets.zeek
@@ -0,0 +1,15 @@
+event zeek_init()
+	{
+	local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, [2001:db8:b120::]/64);
+	local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.1.1, [2001:db8:b120::1]);
+
+	for ( a in addresses )
+		{
+		for ( s in subnets )
+			{
+			if ( addresses[a] in subnets[s] )
+				print fmt("%s belongs to subnet %s", addresses[a], subnets[s]);
+			}
+		}
+
+	}
diff --git a/doc/scripting/data_type_time.zeek b/doc/scripting/data_type_time.zeek
new file mode 100644
index 0000000000..4970dee2e2
--- /dev/null
+++ b/doc/scripting/data_type_time.zeek
@@ -0,0 +1,4 @@
+event connection_established(c: connection)
+    {
+    print fmt("%s:  New connection established from %s to %s\n", strftime("%Y/%m/%d %H:%M:%S", network_time()), c$id$orig_h, c$id$resp_h);
+    }
diff --git a/doc/scripting/event-groups.rst b/doc/scripting/event-groups.rst
new file mode 100644
index 0000000000..f91b50c3d4
--- /dev/null
+++ b/doc/scripting/event-groups.rst
@@ -0,0 +1,115 @@
+
+.. _script-event-groups:
+
+============
+Event Groups
+============
+
+Zeek supports enabling and disabling event and hook handlers at runtime
+through event groups. While named event groups, hook handlers are covered
+due to their structural similarity to event handlers as well.
+
+Event and hook handlers can be part of multiple event groups. An event or
+hook handler is disabled if any of the groups it's part of is disabled.
+Conversely, event and hook handlers are enabled when all groups they
+are part of are enabled. When Zeek starts, all event groups are implicitly
+enabled. An event or hook handler that is not part of any event group is
+always enabled.
+
+Currently, two types of event groups exist: Attribute and module based.
+
+
+Attribute Based Event Group
+===========================
+
+Attribute based event groups come into existence when an event or hook
+handler has a :zeek:attr:`&group` attribute. The value of the group
+attribute is a string identifying the group. There's a single global namespace
+for attribute based event groups. Two event handlers in different files
+or modules, but with the same group attribute value, are part of the same group.
+Event and hook handlers can have more than one group attributes.
+
+.. literalinclude:: event_groups_attr_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+This example shows ``http_request``, ``http_header`` and ``http_reply`` event
+handlers, all with a group attribute of ``http-print-debugging``.
+When running Zeek against a pcap containing a single HTTP transaction,
+the output is as follows.
+
+.. code-block:: console
+
+   $ zeek -r traces/get.trace  ./event_groups_attr_01.zeek
+   HTTP request: GET /download/CHANGES.bro-aux.txt (141.142.228.5->192.150.187.43)
+   HTTP header : User-Agent=Wget/1.14 (darwin12.2.0) (141.142.228.5->192.150.187.43)
+   HTTP reply: 200/OK version 1.1 (192.150.187.43->141.142.228.5)
+   HTTP header : Server=Apache/2.4.3 (Fedora) (192.150.187.43->141.142.228.5)
+
+Such debugging functionality would generally only be enabled on demand. Extending
+the above script, we introduce an option and a change handler function from the
+:ref:`configuration framework`<framework-configuration>`
+to enable and disable the ``http-print-debugging`` event group at runtime.
+
+.. literalinclude:: event_groups_attr_02.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+Whenever the option ``Debug::http_print_debugging`` is set to ``T``,
+:zeek:see:`enable_event_group` is invoked to ensure the ``http-print-debugging``
+group is enabled. Conversely, when the option is set to ``F``,
+:zeek:see:`disable_event_group` disables all event handlers in the group
+``http-print-debugging``.
+
+
+The very same behavior can be achieved by testing the ``Debug::http_print_debugging``
+option within the respective event handlers using and ``if`` statement and
+early return. In contrast, event groups work in a more declarative way.
+Further, when disabling event handlers via event groups, their implementation
+is never invoked and is therefore a more performant way to short-circuit
+execution.
+
+
+Module Based Event Group
+========================
+
+Besides attribute based event groups, Zeek supports implicit module based
+event groups. Event and hook handlers are part of an event group that
+represents the module in which they were implemented. The builtin functions
+:zeek:see:`disable_module_events` and :zeek:see:`enable_module_events` can
+be used to disable and enable all event and hook handlers within modules.
+
+An interesting idea here is to implement enabling and disabling of Zeek packages
+at runtime. For example, the `CommunityID <https://github.com/corelight/zeek-community-id>`_
+package implements its functionality in the ``CommunityID`` and
+``CommunityID::Notice`` modules. The `JA3 <https://github.com/salesforce/ja3>`_
+package implements its event handlers in the ``JA3`` and ``JA3_Server`` modules.
+
+.. literalinclude:: event_groups_module_01.zeek
+   :caption:
+   :language: zeek
+   :linenos:
+   :tab-width: 4
+
+The above script implements toggling of Zeek package functionality at
+runtime via the options ``Packages::ja3_enabled`` and ``Packages::community_id_enabled``.
+While for most packages and deployments a Zeek restart is an acceptable
+way to disable or enable a package - generally this isn't a regular operation -
+module based event groups provide a powerful primitive to support runtime
+toggling of scripting functionality.
+
+.. note::
+
+   A caveat around the above example: The JA3 package builds up state based
+   on the :zeek:see:`ssl_extension` events from SSL ClientHello and ServerHello
+   messages. When the JA3 event handlers are enabled right during processing
+   of these events, the resulting JA3 hash might be based on a partial list
+   of extensions only.
+
+   While all :zeek:see:`ssl_extension` handlers are processed jointly
+   for each instance of the event, generally state build up and
+   dynamic enabling and disabling may need careful consideration.
diff --git a/doc/scripting/event_groups_attr_01.zeek b/doc/scripting/event_groups_attr_01.zeek
new file mode 100644
index 0000000000..b90eb14acc
--- /dev/null
+++ b/doc/scripting/event_groups_attr_01.zeek
@@ -0,0 +1,19 @@
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &group="http-print-debugging"
+    {
+        print fmt("HTTP request: %s %s (%s->%s)", method, original_URI, c$id$orig_h, c$id$resp_h);
+    }
+
+event http_header(c: connection, is_orig: bool, original_name: string, name: string, value: string) &group="http-print-debugging"
+    {
+    if ( name != "USER-AGENT" && name != "SERVER" )
+        return;
+
+    local snd = is_orig ? c$id$orig_h : c$id$resp_h;
+    local rcv = is_orig ? c$id$resp_h : c$id$orig_h;
+    print fmt("HTTP header : %s=%s (%s->%s)", original_name, value, snd, rcv);
+    }
+
+event http_reply(c: connection, version: string, code: count, reason: string) &group="http-print-debugging"
+    {
+        print fmt("HTTP reply: %s/%s version %s (%s->%s)", code, reason, version, c$id$resp_h, c$id$orig_h);
+    }
diff --git a/doc/scripting/event_groups_attr_02.zeek b/doc/scripting/event_groups_attr_02.zeek
new file mode 100644
index 0000000000..03a4d75d59
--- /dev/null
+++ b/doc/scripting/event_groups_attr_02.zeek
@@ -0,0 +1,46 @@
+@load base/frameworks/config
+
+redef Config::config_files += { "./myconfig.dat" };
+
+module Debug;
+
+export {
+    option http_print_debugging = F;
+}
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &group="http-print-debugging"
+    {
+        print fmt("HTTP request: %s %s (%s->%s)", method, original_URI, c$id$orig_h, c$id$resp_h);
+    }
+
+event http_header(c: connection, is_orig: bool, original_name: string, name: string, value: string) &group="http-print-debugging"
+    {
+    if ( name != "USER-AGENT" && name != "SERVER" )
+        return;
+
+    local snd = is_orig ? c$id$orig_h : c$id$resp_h;
+    local rcv = is_orig ? c$id$resp_h : c$id$orig_h;
+    print fmt("HTTP header : %s=%s (%s->%s)", original_name, value, snd, rcv);
+    }
+
+event http_reply(c: connection, version: string, code: count, reason: string) &group="http-print-debugging"
+    {
+        print fmt("HTTP reply  : %s/%s version %s (%s->%s)", code, reason, version, c$id$resp_h, c$id$orig_h);
+    }
+
+event zeek_init()
+    {
+
+    Option::set_change_handler("Debug::http_print_debugging", function(id: string, new_value: bool): bool {
+        print id, new_value;
+        if ( new_value )
+            enable_event_group("http-print-debugging");
+        else
+            disable_event_group("http-print-debugging");
+
+        return new_value;
+    });
+
+    # Trigger the change handler, once.
+    Config::set_value("Debug::http_print_debugging", http_print_debugging);
+    }
diff --git a/doc/scripting/event_groups_module_01.zeek b/doc/scripting/event_groups_module_01.zeek
new file mode 100644
index 0000000000..f8c1b430cc
--- /dev/null
+++ b/doc/scripting/event_groups_module_01.zeek
@@ -0,0 +1,47 @@
+@load base/frameworks/config
+
+@load ja3
+@load zeek-community-id
+@load zeek-community-id/notice
+
+redef Config::config_files += { "./myconfig.dat" };
+
+module Packages;
+
+export {
+    # All packages off by default.
+    option community_id_enabled = F;
+    option ja3_enabled = F;
+}
+
+event zeek_init()
+    {
+    local package_change_handler = function(id: string, new_value: bool): bool {
+        local modules: set[string];
+
+        if ( id == "Packages::community_id_enabled" )
+            modules = ["CommunityID", "CommunityID::Notice"];
+        else if ( id == "Packages::ja3_enabled" )
+            modules = ["JA3", "JA3_Server"];
+        else
+            {
+            Reporter::error(fmt("Unknown option: %s", id));
+            return new_value;
+            }
+
+        # Toggle the modules.
+        for ( m in modules )
+            if ( new_value )
+                enable_module_events(m);
+            else
+                disable_module_events(m);
+
+        return new_value;
+    };
+
+    Option::set_change_handler("Packages::community_id_enabled", package_change_handler);
+    Option::set_change_handler("Packages::ja3_enabled", package_change_handler);
+
+    Config::set_value("Packages::community_id_enabled", community_id_enabled);
+    Config::set_value("Packages::ja3_enabled", ja3_enabled);
+    }
diff --git a/doc/scripting/framework_logging_factorial_01.zeek b/doc/scripting/framework_logging_factorial_01.zeek
new file mode 100644
index 0000000000..8eaeeb4575
--- /dev/null
+++ b/doc/scripting/framework_logging_factorial_01.zeek
@@ -0,0 +1,19 @@
+module Factor;
+
+function factorial(n: count): count
+    {
+    if ( n == 0 )
+        return 1;
+    else
+        return ( n * factorial(n - 1) );
+    }
+
+event zeek_init()
+    {
+    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
+    
+    for ( n in numbers )
+        print fmt("%d", factorial(numbers[n]));
+    }
+
+
diff --git a/doc/scripting/framework_logging_factorial_02.zeek b/doc/scripting/framework_logging_factorial_02.zeek
new file mode 100644
index 0000000000..9f2c83da32
--- /dev/null
+++ b/doc/scripting/framework_logging_factorial_02.zeek
@@ -0,0 +1,35 @@
+module Factor;
+
+export {
+    # Append the value LOG to the Log::ID enumerable.
+    redef enum Log::ID += { LOG };
+
+    # Define a new type called Factor::Info.
+    type Info: record {
+        num:           count &log;
+        factorial_num: count &log;
+        };
+    }
+
+function factorial(n: count): count
+    {
+    if ( n == 0 )
+        return 1;
+    
+    else
+        return ( n * factorial(n - 1) );
+    }
+
+event zeek_init()
+    {
+    # Create the logging stream.
+    Log::create_stream(LOG, [$columns=Info, $path="factor"]);
+    }
+
+event zeek_done()
+    {
+    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);    
+    for ( n in numbers )
+        Log::write( Factor::LOG, [$num=numbers[n],
+                                  $factorial_num=factorial(numbers[n])]);
+    }
diff --git a/doc/scripting/framework_logging_factorial_03.zeek b/doc/scripting/framework_logging_factorial_03.zeek
new file mode 100644
index 0000000000..b4627b9e92
--- /dev/null
+++ b/doc/scripting/framework_logging_factorial_03.zeek
@@ -0,0 +1,45 @@
+module Factor;
+
+export {
+    redef enum Log::ID += { LOG };
+
+    type Info: record {
+        num:           count &log;
+        factorial_num: count &log;
+        };
+    }
+
+function factorial(n: count): count
+    {
+    if ( n == 0 )
+        return 1;
+    
+    else
+        return (n * factorial(n - 1));
+    }
+
+event zeek_done()
+    {
+    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);    
+    for ( n in numbers )
+        Log::write( Factor::LOG, [$num=numbers[n],
+                                  $factorial_num=factorial(numbers[n])]);
+    }
+
+function mod5(id: Log::ID, path: string, rec: Factor::Info) : string    
+    {
+    if ( rec$factorial_num % 5 == 0 )
+        return "factor-mod5";
+    
+    else
+        return "factor-non5";
+    }
+
+event zeek_init()
+    {
+    Log::create_stream(LOG, [$columns=Info, $path="factor"]);
+    
+    local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
+    Log::add_filter(Factor::LOG, filter);
+    Log::remove_filter(Factor::LOG, "default");
+    }
diff --git a/doc/scripting/framework_logging_factorial_04.zeek b/doc/scripting/framework_logging_factorial_04.zeek
new file mode 100644
index 0000000000..e394b7a436
--- /dev/null
+++ b/doc/scripting/framework_logging_factorial_04.zeek
@@ -0,0 +1,50 @@
+module Factor;
+
+export {
+    redef enum Log::ID += { LOG };
+
+    type Info: record {
+        num:           count &log;
+        factorial_num: count &log;
+        };
+    
+    global log_factor: event(rec: Info);
+    }
+
+function factorial(n: count): count
+    {
+    if ( n == 0 )
+        return 1;
+    
+    else
+        return (n * factorial(n - 1));
+    }
+
+event zeek_init()
+    {
+    Log::create_stream(LOG, [$columns=Info, $ev=log_factor, $path="factor"]);
+    }
+
+event zeek_done()
+    {
+    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);    
+    for ( n in numbers )
+        Log::write( Factor::LOG, [$num=numbers[n],
+                                  $factorial_num=factorial(numbers[n])]);
+    }
+
+function mod5(id: Log::ID, path: string, rec: Factor::Info) : string    
+    {
+    if ( rec$factorial_num % 5 == 0 )
+        return "factor-mod5";
+    
+    else
+        return "factor-non5";
+    }
+
+event zeek_init()
+    {
+    local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
+    Log::add_filter(Factor::LOG, filter);
+    Log::remove_filter(Factor::LOG, "default");
+    }
diff --git a/doc/scripting/framework_notice_hook_01.zeek b/doc/scripting/framework_notice_hook_01.zeek
new file mode 100644
index 0000000000..533b74cdb5
--- /dev/null
+++ b/doc/scripting/framework_notice_hook_01.zeek
@@ -0,0 +1,7 @@
+@load policy/protocols/ssh/interesting-hostnames.zeek
+
+hook Notice::policy(n: Notice::Info)
+  {
+  if ( n$note == SSH::Interesting_Hostname_Login )
+      add n$actions[Notice::ACTION_EMAIL];
+  }
diff --git a/doc/scripting/framework_notice_hook_suppression_01.zeek b/doc/scripting/framework_notice_hook_suppression_01.zeek
new file mode 100644
index 0000000000..b63645d383
--- /dev/null
+++ b/doc/scripting/framework_notice_hook_suppression_01.zeek
@@ -0,0 +1,7 @@
+@load policy/protocols/ssl/expiring-certs.zeek
+
+hook Notice::policy(n: Notice::Info) 
+   {
+   if ( n$note == SSL::Certificate_Expires_Soon )
+       n$suppress_for = 12hrs;
+   }
diff --git a/doc/scripting/framework_notice_shortcuts_01.zeek b/doc/scripting/framework_notice_shortcuts_01.zeek
new file mode 100644
index 0000000000..dae9cf793c
--- /dev/null
+++ b/doc/scripting/framework_notice_shortcuts_01.zeek
@@ -0,0 +1,7 @@
+@load policy/protocols/ssh/interesting-hostnames.zeek
+@load base/protocols/ssh/
+
+redef Notice::emailed_types += {
+    SSH::Interesting_Hostname_Login
+};
+
diff --git a/doc/scripting/framework_notice_shortcuts_02.zeek b/doc/scripting/framework_notice_shortcuts_02.zeek
new file mode 100644
index 0000000000..dd1e081b52
--- /dev/null
+++ b/doc/scripting/framework_notice_shortcuts_02.zeek
@@ -0,0 +1,6 @@
+@load policy/protocols/ssh/interesting-hostnames.zeek
+@load base/protocols/ssh/
+
+redef Notice::type_suppression_intervals += {
+    [SSH::Interesting_Hostname_Login] = 1day,
+};
diff --git a/doc/scripting/http_main.zeek b/doc/scripting/http_main.zeek
new file mode 100644
index 0000000000..5182accb35
--- /dev/null
+++ b/doc/scripting/http_main.zeek
@@ -0,0 +1,7 @@
+module HTTP;
+
+export {
+	## This setting changes if passwords used in Basic-Auth are captured or
+	## not.
+	const default_capture_password = F &redef;
+}
diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
new file mode 100644
index 0000000000..d4b3cde6b6
--- /dev/null
+++ b/doc/scripting/index.rst
@@ -0,0 +1,15 @@
+
+=========================
+Introduction to Scripting
+=========================
+
+.. toctree::
+   :maxdepth: 2
+
+   basics
+   usage
+   event-groups
+   conn-id-ctx
+   tracing-events
+   optimization
+   javascript
diff --git a/doc/scripting/javascript.rst b/doc/scripting/javascript.rst
new file mode 100644
index 0000000000..220e8268e6
--- /dev/null
+++ b/doc/scripting/javascript.rst
@@ -0,0 +1,509 @@
+.. _javascript:
+
+==========
+JavaScript
+==========
+
+.. versionadded:: 6.0
+
+.. note::
+
+   Link to external `ZeekJS documentation`_.
+
+
+.. note::
+
+   The JavaScript integration does not provide Zeek's typical backwards
+   compatibility guarantees at this point. The plugin itself is at semantic
+   version 0.9.1 at the time of writing meaning the API is not stable.
+   That said, we'll avoid unnecessary breakage.
+
+
+Preamble
+========
+
+In the scope of integrating with external systems, Zeek can be extended by
+:ref:`implementing C++ plugins <writing-plugins>` or using the :zeek:see:`system`
+function to call external programs from Zeek scripts. The :ref:`framework-input`
+can be leveraged for data ingestion (with :ref:`raw reader <input-raw-reader>`
+reader providing flexibility to consume input from external programs as events).
+The :ref:`broker-framework` is popular for exchanging events between
+Zeek and an external program using WebSockets.
+The external program sometimes solely acts as a proxy between Zeek and another
+external system.
+
+JavaScript integration adds to the above by enabling Zeek to load JavaScript
+code directly, thereby allowing developers to use its rich ecosystem of
+built-in and third-party libraries directly within Zeek.
+
+If you previously wanted to start a `HTTP server`_ within Zeek, record Zeek
+event data on-the-fly to a `Redis`_ database, got scared at looking at
+:zeek:see:`ActiveHTTP`'s implementation (or annoyed that it eats all newlines
+in HTTP responses), you may want to give JavaScript a go!
+
+Built-in Plugin
+===============
+
+The external `ZeekJS`_ plugin is included with Zeek as an optional built-in plugin.
+When `Node.js`_ development headers and libraries are found when building Zeek
+from source, the plugin is automatically included.
+
+If Node.js is installed in a non-standard location, ``-D NODEJS_ROOT_DIR`` has
+to be provided to ``./configure``.
+Assuming an installation of Node.js in ``/opt/node-19.8``, the command to
+use is as follows. Discovered headers and libraries will be reported in the
+output.
+On Linux distributions providing Node.js development packages
+(Ubuntu 22.10, Fedora, Debian bookworm) the extra ``-D NODEJS_ROOT_DIR``
+is not required.
+
+.. code-block:: console
+
+   $ ./configure -D NODEJS_ROOT_DIR:string=/opt/node-19.8
+   ...
+   -- Looking for __system_property_get
+   -- Looking for __system_property_get - not found
+   -- Found Nodejs: /opt/node-19.8/include (found version "19.8.1")
+   --      version: 19.8.1
+   --    libraries: /opt/node-19.8/lib/libnode.so.111
+   --         uv.h: /opt/node-19.8/include/node
+   --   v8config.h: /opt/node-19.8/include/node
+   --   Building in plugin: zeekjs (/home/user/zeek/auxil/zeekjs)
+   ...
+   $ make -j
+   ...
+   $ sudo make install
+
+To test if the plugin is available on a given Zeek installation, run ``zeek -N Zeek::JavaScript``.
+The ``zeek`` executable will also be dynamically linked against ``libnode.so``.
+
+.. code-block:: console
+
+   $ zeek -NN Zeek::JavaScript
+   Zeek::JavaScript - Experimental JavaScript support for Zeek (built-in)
+       Implements LoadFile (priority 0)
+
+   $ ldd $(which zeek) | grep libnode
+           libnode.so.111 => /opt/node-19.8/lib/libnode.so.111 (0x00007f281aa25000)
+
+The main hooking mechanism used by the plugin is loading files with ``.js`` and ``.cjs`` suffixes.
+
+If no such files are provided on the command-line or via ``@load``, neither
+the Node.js environment nor the V8 JavaScript engine will be initialized and there
+will be no runtime overhead of having the plugin available. When JavaScript
+code is loaded, additional overhead may come from processing JavaScript's IO
+loop or running garbage collection.
+
+
+Hello World
+===========
+
+When JavaScript is executed by Zeek, a ``zeek`` object is added to
+the JavaScript's global namespace.
+This object can be used to register event or hook handlers, raise new Zeek
+events, invoking Zeek side functions, etc. This is similar to the global
+``document`` object in a browser, but for Zeek functionality.
+
+The API documentation for the global ``zeek`` object created is available
+in the `ZeekJS documentation`_.
+
+.. note: External due to requiring npm/jsdoc during building.
+
+The following script calls the :zeek:see:`zeek_version` built-in
+function and uses JavaScript's ``console.log()`` for printing a Hello message
+within a ``zeek_init`` handler:
+
+.. literalinclude:: js/hello.js
+   :caption: hello.js
+   :language: javascript
+
+.. code-block:: console
+
+   $ zeek js/hello.js
+   Hello, Zeek 6.0.0!
+
+
+Execution Model
+===============
+
+There are two ways in which Zeek executes JavaScript code.
+
+First, JavaScript event or hook handlers are added as additional ``Func::Body``
+instances to the respective ``Func`` objects. These extra bodies
+point to instances of a custom ``Stmt`` subclass with tag ``STMT_EXTERN``.
+The ``Stmt::Exec()`` implementation of this class calls the listener function,
+a ``v8::Function``, registered through ``zeek.on()``.
+When Zeek executes all bodies of an event or hook handler during ``Func::Invoke()``,
+some bodies execute JavaScript functions instead of Zeek script statements.
+This approach allows to register JavaScript listener functions using Zeek's priority
+mechanism.  Further, changes done by JavaScript code to global Zeek variables or
+record fields are visible to Zeek script and vice versa. In summary, execution
+of Zeek and JavaScript code is interleaved when executing event or hook handlers.
+
+Second, the Node.js IO loop (`libuv`_) is registered as an ``IOSource`` with
+Zeek's main loop. When there's any IO activity in Node.js, libuv's backend
+file descriptor becomes ready, waking up the Zeek main loop. Zeek then transfers
+control through the registered ``IOsource`` to the JavaScript plugin which
+runs the libuv IO loop until there's no more work to be done. At this point,
+the plugin yields control back to Zeek's main loop, draining any queued events,
+processing timers, or simply waiting for the next network packet to arrive.
+
+From the above it follows that there is no parallel JavaScript code execution
+happening in a separate thread. Zeek script and JavaScript execute interleaved
+on Zeek's main thread, driven by the main loop's logic. This also implies that
+long running JavaScript code will block Zeek's main loop and Zeek script
+execution. This is no different than what would happen in a web browser or an
+asynchronous Node.js network server, however, and the same applies to a long
+running Zeek script event handler.
+
+
+Types
+=====
+
+JavaScript doesn't support types as rich as Zeek and is further dynamically
+typed. As of now, most atomic types like :zeek:see:`addr` or :zeek:see:`subnet` are created as JavaScript strings or another primitive type.
+For example, values of type :zeek:see:`count` become JavaScript `BigInt`_ values.
+:zeek:see:`time` and :zeek:see:`interval` are converted to numbers representing
+seconds with :zeek:see:`time` representing the Unix timestamp.
+
+A list of type conversions implemented is presented in the following table.
+
+.. list-table:: Type Conversions
+
+   * - Zeek
+     - JavaScript
+
+   * - bool
+     - boolean (true, false)
+
+   * - count
+     - `BigInt`_
+
+   * - int
+     - `Number`_
+
+   * - double
+     - `Number`_
+
+   * - interval
+     - `Number`_ as seconds
+
+   * - time
+     - `Number`_ as unix timestamp in seconds
+
+   * - string
+     - string (latin1 encoding assumed)
+
+   * - enum
+     - string
+
+   * - addr
+     - string
+
+   * - subnet
+     - string
+
+   * - port
+     - `Object`_ with ``port`` an ``proto`` properties and a custom ``toJSON()`` method only returning the port
+
+   * - vector
+     - Copied as `Array`_, see :ref:`below <js-set-and-vector>`
+
+   * - set
+     - Copied as `Array`_, see :ref:`below <js-set-and-vector>`
+
+   * - table
+     - `Object`_ holding a reference to a Zeek table value
+
+   * - record
+     - `Object`_ holding a reference to a Zeek record value
+
+Some type conversions are not implemented, they'll cause an error message
+and have a ``null`` value in JavaScript. :zeek:see:`pattern` values is one
+such example.
+
+.. note::
+
+   These type conversions may change in the future or become configurable via
+   callbacks.
+
+Record values
+-------------
+
+Record values are passed by reference from Zeek to JavaScript. That is,
+JavaScript objects keep a pointer to the Zeek record they represent.
+Holding a JavaScript object referencing a Zeek record value
+will keep it alive within Zeek even if Zeek itself does not reference
+it anymore. Updates to fields in Zeek become visible within JavaScript.
+Updates to properties of such objects in JavaScript become visible in Zeek.
+
+On the other hand, normal JavaScript objects (``{}`` or ``Object()``) are passed
+from JavaScript to Zeek as new Zeek record values. Changes
+to the original JavaScript object will not be reflected within Zeek.
+In the example below, the ``intel_item`` JavaScript object will be converted to
+a new :zeek:see:`Intel::Item` Zeek record which is then
+passed to the :zeek:see:`Intel::insert` function. Modifying properties of
+``intel_item`` after it has been inserted to the Intel data store has
+no impact.
+
+.. literalinclude:: js/intel-insert.js
+   :caption: intel-insert.js
+   :language: javascript
+
+.. note::
+
+   The background to this is that Zeek's base has no knowledge of anything
+   JavaScript related, while the ZeekJS plugin does have intimate knowledge
+   about Zeek values and internals.
+
+
+Table values
+------------
+
+Table values are treated very similar to records. JavaScript objects representing
+table values keep a reference to the Zeek value. Accessing multi-index Zeek tables
+from JavaScript is not supported, however, as there's no easy way to translate
+Zeek's multi-value keys to properties or map keys in JavaScript.
+
+Global tables can be modified from JavaScript directly through the ``zeek.global_vars`` object.
+The following script provides an example how to change the content
+of :zeek:see:`Conn::analyzer_inactivity_timeouts` in JavaScript.
+The update to the table becomes visible on the Zeek side and will be
+in effect for future connections.
+
+.. literalinclude:: js/global-vars.js
+   :caption: global-vars.js
+   :language: javascript
+
+.. code-block:: console
+
+   $ zeek global-vars.js -e 'event zeek_init() &priority=-5 { print "zeek", Conn::analyzer_inactivity_timeouts; }'
+   js {
+     [AllAnalyzers::ANALYZER_ANALYZER_SSH]: 42,
+     [AllAnalyzers::ANALYZER_ANALYZER_FTP]: 3600
+   }
+   zeek, {
+   [AllAnalyzers::ANALYZER_ANALYZER_SSH] = 42.0 secs,
+   [AllAnalyzers::ANALYZER_ANALYZER_FTP] = 1.0 hr
+   }
+
+.. _js-set-and-vector:
+
+Set and vector values
+---------------------
+
+The :zeek:see:`set` and :zeek:see:`vector` types are currently copied from
+Zeek to JavaScript as `Array`_ objects. These objects don't reference the
+original set or vector on the Zeek side. This means that mutation of the
+JavaScript side objects via accessors on ``Array`` do not modify the
+Zeek side value. However, objects referencing the Zeek record values within
+these arrays are mutable.
+
+This mainly becomes relevant if you wanted to modify state attached to
+a connection within JavaScript. Re-assigning ``c.service`` below works
+as expected, the ``c.service.push()`` approach on the other had would
+not change the set on the Zeek-side.
+
+.. literalinclude:: js/connection-service.js
+   :caption: connection-service.js
+   :language: javascript
+
+.. code-block:: console
+
+   $ zeek -r ../../traces/get.trace  ./connection-service.js
+   service-from-js,http
+
+.. note::
+
+   The current approach was mostly chosen for implementation simplicity
+   and the assumption that modifying Zeek side vectors or sets from JavaScript
+   is an edge case. This may change in the future.
+
+Any and zeek.as()
+-----------------
+
+Some of Zeek's function take a value of type :zeek:see:`any`. This makes it
+impossible to implicitly convert from a JavaScript type to the appropriate
+Zeek type.
+
+The function ``zeek.as()`` can be leveraged within JavaScript to create an
+object given a JavaScript value and a Zeek type name. That object is then
+referencing a Zeek value and when used to call a function taking an any
+parameter, the plugin directly threads through the referenced Zeek value
+and the call succeeds.
+
+.. literalinclude:: js/zeek-as.js
+   :caption: zeek-as.js
+   :language: javascript
+
+The first call to ``zeek.invoke()`` throws an exception due to the failing
+type conversion, the second one succeeds.
+
+.. code-block:: console
+
+   $ zeek -B plugin-Zeek-JavaScript zeek-as.js
+   error: Unable to convert JS value '192.168.0.0/16' of type string to Zeek type any
+   good: type_name is subnet
+
+
+Debugging
+---------
+
+There might be limitations, surprises and bugs with the type conversions.
+If Zeek was built with debugging enabled, the ``plugin-Zeek-JavaScript``
+debug stream may provide some helpful clues.
+
+.. code-block:: console
+
+   $ ZEEK_DEBUG_LOG_STDERR=1 zeek -B plugin-Zeek-JavaScript hello.js
+            0.000000/1685018723.447965 [plugin Zeek::JavaScript] Hooked .js file=hello.js (./hello.js)
+            0.000000/1685018723.457376 [plugin Zeek::JavaScript] Hooked 1 .js files: Initializing!
+            0.000000/1685018723.457639 [plugin Zeek::JavaScript] Init: Node initialized. Compiled with v19.8.1
+            0.000000/1685018723.458774 [plugin Zeek::JavaScript] Init: V8 initialized. Version 10.8.168.25-node.12
+            0.000000/1685018723.539618 [plugin Zeek::JavaScript] ExecuteAndWaitForInit: init() result=object 1
+            0.000000/1685018723.539644 [plugin Zeek::JavaScript] ExecuteAndWaitForInit: zeek_javascript_init returned promise, state=0 - running JS loop
+            0.000000/1685018723.551058 [plugin Zeek::JavaScript] Registering zeek_init priority=0, js_eh=0x603001cac710
+            0.000000/1685018723.551120 [plugin Zeek::JavaScript] Registered zeek_init
+   1685018723.601898/1685018723.621106 [plugin Zeek::JavaScript] ZeekInvoke: invoke for zeek_version
+   1685018723.601898/1685018723.621177 [plugin Zeek::JavaScript] Invoke zeek_version with 0 args
+   1685018723.601898/1685018723.621212 [plugin Zeek::JavaScript] ZeekInvoke: invoke for zeek_version returned: Hello, Zeek 6.0.0-dev.636-debug!
+   1685018723.644485/1685018723.644726 [plugin Zeek::JavaScript] Done...
+   1685018723.644485/1685018723.644754 [plugin Zeek::JavaScript] Done: uv_loop not alive anymore on iteration 0
+
+
+Examples
+========
+
+HTTP API
+--------
+
+The following JavaScript file provides an HTTP API for generically invoking
+Zeek functions and Zeek events using ``curl``. It's 60 lines of vanilla
+Node.js JavaScript (with limited error handling), but allows for experiments
+and runtime reconfiguration of a Zeek process that's hard to achieve with
+Zeek provided functionality. Essentially, all that is used is ``zeek.event``
+and ``zeek.invoke`` and relying on implicit type conversion to mostly do
+the right thing.
+
+The two supported endpoints are ``/events/<event_name>``
+and ``/functions/<function_name>``. Arguments are passed in an ``args`` array
+as JSON in the POST request's body.
+
+.. literalinclude:: js/api.zeek
+   :caption: api.zeek
+   :language: zeek
+
+.. literalinclude:: js/api.js
+   :caption: api.js
+   :language: javascript
+
+.. code-block:: console
+
+   $ zeek -C -i lo ./api.zeek
+   Listening on 127.0.0.1:8080...
+   listening on lo
+
+
+As a first example, the :zeek:see:`get_net_stats` built-in function is
+invoked and returns the current monitoring statistics in response.
+
+.. code-block:: console
+
+   $ curl -XPOST http://localhost:8080/functions/get_net_stats
+   {
+     "result": {
+       "pkts_recvd": 3558,
+       "pkts_dropped": 0,
+       "pkts_link": 7126,
+       "bytes_recvd": 27982155
+     }
+   }
+
+Posting to ``/events/MyAPI::print_msg`` raises the ``MyAPI::print_msg`` event
+implemented in the ``api.zeek`` file.
+
+.. code-block:: console
+
+   $ curl -4   --data-raw '{"args": ["Hello Zeek!"]}'  http://localhost:8080/events/MyAPI::print_msg
+   {}
+
+   # The Zeek process will output:
+   ZEEK, print_msg, 1685121096.892404, Hello Zeek!
+
+It is possible to runtime disable (and enable) analyzers as well by
+leveraging :zeek:see:`Analyzer::disable_analyzer`. Here shown for the SSL analyzer.
+
+.. code-block:: console
+
+   $ curl -XPOST --data '{"args": ["AllAnalyzers::ANALYZER_ANALYZER_SSL"]}' localhost:8080/functions/Analyzer::disable_analyzer
+   {
+     "result": true
+   }
+
+.. todo::
+
+   Using ``Analyzer::ANALYZER_SSL`` is currently not possible due to
+   :zeek:see:`Analyzer::disable_analyzer` taking an :zeek:see:`AllAnalyzers::Tag`
+   and the enum names are different.
+
+
+As a fairly advanced example, creating a new :zeek:see:`Log::Filter` instance
+for the :zeek:see:`Conn::LOG` stream at runtime using :zeek:see:`Log::add_filter`
+is possible. Removal works, too.
+
+.. code-block:: console
+
+   $ curl -XPOST --data '{"args": ["Conn::LOG", {"name": "my-conn-rotate", "path": "my-conn-rotate", "include": ["ts", "id.orig_h", "id.res_h", "history"], "interv": 10}]}' \
+       localhost:8080/functions/Log::add_filter
+   {
+     "result": true
+   }
+
+   $ curl -XPOST --data '{"args": ["Conn::LOG", "my-conn-rotate"]}' localhost:8080/functions/Log::remove_filter
+   {
+     "result": true
+   }
+
+This API can also be used to invoke :zeek:see:`terminate`, so you want to be
+careful deploying this in an actual production environment:
+
+.. code-block:: console
+
+   $ curl -XPOST --data '{"args": []}' localhost:8080/functions/terminate
+   {
+     "result": true
+   }
+
+   # Zeek is now stopping with:
+   1685121663.854714 <params>, line 1: received termination signal
+   1685121663.854714 <params>, line 1: 53 packets received on interface lo, 0 (0.00%) dropped, 0 (0.00%) not processed
+
+More
+----
+More examples can be found in the `ZeekJS documentation`_
+and `repository <https://github.com/corelight/zeekjs/tree/main/examples>`_.
+
+
+TypeScript
+==========
+
+`TypeScript`_ adds typing to JavaScript. While ZeekJS has no TypeScript awareness,
+there's nothing preventing you from using it. Use ``tsc`` for type checking and
+provide the produced ``.js`` files to Zeek.
+
+You may need a ``zeek.d.ts`` file for the ``zeek`` object. A bare
+`zeek.d.ts <https://github.com/corelight/zeekjs/pull/20/>`_ file has been
+tested, but not integrated with ZeekJS at this point.
+
+
+.. _ZeekJS documentation: https://zeekjs.readthedocs.io/en/latest/
+.. _Node.js: https://nodejs.org/enhttps://nodejs.org/en
+.. _ZeekJS: https://github.com/corelight/zeekjs
+.. _BigInt: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt
+.. _Number: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number
+.. _Array: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array
+.. _Object: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object
+.. _HTTP server: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener
+.. _Redis: https://redis.io/
+.. _TypeScript: https://www.typescriptlang.org/
+.. _libuv: https://github.com/libuv/libuv
diff --git a/doc/scripting/js/api.js b/doc/scripting/js/api.js
new file mode 100644
index 0000000000..0d5f716668
--- /dev/null
+++ b/doc/scripting/js/api.js
@@ -0,0 +1,60 @@
+// api.js
+//
+// HTTP API allowing to invoke any Zeek events and functions using a simple JSON payload.
+//
+// Triggering and intel match (this will log to intel.log)
+//
+//     $ curl --data-raw '{"args": [{"indicator": "50.3.2.1", "indicator_type": "Intel::ADDR", "where":"Intel::IN_ANYWHERE"}, []]}' \
+//         http://localhost:8080/events/Intel::match
+//
+// Calling a Zeek function:
+//
+//     $ curl -XPOST --data '{"args": [1000]}' localhost:8080/functions/rand
+//     {
+//       "result": 730
+//     }
+//
+const http = require('node:http');
+
+// Light-weight safe-json-stringify replacement.
+BigInt.prototype.toJSON = function () { return parseInt(this.toString()); };
+
+const handleCall = (cb, req, res) => {
+  const name = req.url.split('/').at(-1);
+  const body = [];
+  req.on('data', (chunk) => {
+    body.push(chunk);
+  }).on('end', () => {
+    try {
+      const parsed = JSON.parse(Buffer.concat(body).toString() || '{}');
+      const args = parsed.args || [];
+      const result = cb(name, args);
+      res.writeHead(202);
+      return res.end(`${JSON.stringify({ result: result }, null, 2)}\n`);
+    } catch (err) {
+      console.error(`error: ${err}`);
+      res.writeHead(400);
+      return res.end(`${JSON.stringify({ error: err.toString() })}\n`);
+    }
+  });
+};
+
+const server = http.createServer((req, res) => {
+  if (req.method === 'POST') {
+    if (req.url.startsWith('/events/')) {
+      return handleCall(zeek.event, req, res);
+    } else if (req.url.startsWith('/functions/')) {
+      return handleCall(zeek.invoke, req, res);
+    }
+  }
+
+  res.writeHead(404);
+  return res.end();
+});
+
+const host = process.env.API_HOST || '127.0.0.1';
+const port = parseInt(process.env.API_PORT || 8080, 10);
+
+server.listen(port, host, () => {
+  console.log(`Listening on ${host}:${port}...`);
+});
diff --git a/doc/scripting/js/api.zeek b/doc/scripting/js/api.zeek
new file mode 100644
index 0000000000..d955574936
--- /dev/null
+++ b/doc/scripting/js/api.zeek
@@ -0,0 +1,14 @@
+## api.zeek
+##
+## Sample events to be invoked by api.js
+module MyAPI;
+
+export {
+	global print_msg: event(msg: string, ts: time &default=network_time());
+}
+
+event MyAPI::print_msg(msg: string, ts: time) {
+	print "ZEEK", "print_msg", ts, msg;
+}
+
+@load ./api.js
diff --git a/doc/scripting/js/connection-service.js b/doc/scripting/js/connection-service.js
new file mode 100644
index 0000000000..f195001f31
--- /dev/null
+++ b/doc/scripting/js/connection-service.js
@@ -0,0 +1,9 @@
+// connection-service.js
+zeek.on('connection_state_remove', { priority: 10 }, (c) => {
+  // c.service.push('service-from-js'); only modifies JavaScript array
+  c.service = c.service.concat('service-from-js');
+});
+
+zeek.hook('Conn::log_policy', (rec, id, filter) => {
+  console.log(rec.service);
+});
diff --git a/doc/scripting/js/global-vars.js b/doc/scripting/js/global-vars.js
new file mode 100644
index 0000000000..c1b0b8f30f
--- /dev/null
+++ b/doc/scripting/js/global-vars.js
@@ -0,0 +1,9 @@
+// global-vars.js
+const timeouts = zeek.global_vars['Conn::analyzer_inactivity_timeouts'];
+
+// Similar to redef.
+timeouts['AllAnalyzers::ANALYZER_ANALYZER_SSH'] = 42.0;
+
+zeek.on('zeek_init', () => {
+  console.log('js', timeouts);
+});
diff --git a/doc/scripting/js/hello.js b/doc/scripting/js/hello.js
new file mode 100644
index 0000000000..ae54a82100
--- /dev/null
+++ b/doc/scripting/js/hello.js
@@ -0,0 +1,5 @@
+// hello.js
+zeek.on('zeek_init', () => {
+  let version = zeek.invoke('zeek_version');
+  console.log(`Hello, Zeek ${version}!`);
+});
diff --git a/doc/scripting/js/intel-insert.js b/doc/scripting/js/intel-insert.js
new file mode 100644
index 0000000000..cf4b3d0f63
--- /dev/null
+++ b/doc/scripting/js/intel-insert.js
@@ -0,0 +1,10 @@
+// intel-insert.js
+zeek.on('zeek_init', () => {
+  let intel_item = {
+    indicator: '192.168.0.1',
+    indicator_type: 'Intel::ADDR',
+    meta: { source: 'some intel source' },
+  };
+
+  zeek.invoke('Intel::insert', [intel_item]);
+});
diff --git a/doc/scripting/js/zeek-as.js b/doc/scripting/js/zeek-as.js
new file mode 100644
index 0000000000..a4b244c8c1
--- /dev/null
+++ b/doc/scripting/js/zeek-as.js
@@ -0,0 +1,13 @@
+// zeek-as.js
+zeek.on('zeek_init', () => {
+  try {
+    // This throws because type_name takes an any parameter
+    zeek.invoke('type_name', ['192.168.0.0/16']);
+  } catch (e) {
+    console.error(`error: ${e}`);
+  }
+
+  // Explicit conversion of string to addr type.
+  let type_string = zeek.invoke('type_name', [zeek.as('subnet', '192.168.0.0/16')]);
+  console.log(`good: type_name is ${type_string}`);
+});
diff --git a/doc/scripting/optimization.rst b/doc/scripting/optimization.rst
new file mode 100644
index 0000000000..ddcb9d77e8
--- /dev/null
+++ b/doc/scripting/optimization.rst
@@ -0,0 +1,110 @@
+.. _zam:
+
+===================
+Script Optimization
+===================
+
+.. versionadded:: 7.0
+
+.. note::
+
+   ZAM has been available in Zeek for a number of releases, but as of Zeek 7
+   it has matured to a point where we encourage regular users to explore it.
+
+Introduction
+============
+
+The *Zeek Abstract Machine* (ZAM) is an optional script optimization engine
+built into Zeek. Using ZAM changes the basic execution model for Zeek scripts in
+an effort to gain higher performance.  Normally, Zeek parses scripts into
+abstract syntax trees that it then executes by recursively interpreting each
+node in a given tree.  With ZAM's script optimization, Zeek first compiles the
+trees into a low-level form that it can then generally execute more efficiently.
+
+To enable this feature, include ``-O ZAM`` on the command line.
+
+How much faster will your scripts run?  There's no simple answer to that.  It
+depends heavily on several factors:
+
+* What proportion of the processing during execution is spent in the Zeek core's
+  event engine, rather than executing scripts.  ZAM optimization doesn't help
+  with event engine execution.
+
+* What proportion of the script's processing is spent executing built-in
+  functions (BiFs), i.e., functions callable from the script layer but
+  implemented in native code.  ZAM optimization improves execution for some
+  select, simple BiFs, like :zeek:id:`network_time`, but it doesn't help for
+  complex ones.  It might well be that most of your script processing actually
+  occurs in the underpinnings of the :ref:`logging framework
+  <framework-logging>`, for example, and thus you won't see much improvement.
+
+* Those two factors add up to gains very often on the order of only 10-15%,
+  rather than something a lot more dramatic.
+
+.. note::
+
+   At startup, ZAM takes a few seconds to generate the low-level code for the
+   loaded set of scripts, unless you're using Zeek's *bare mode* (via the
+   ``-b`` command-line option), which loads only a minimal set of scripts. Keep
+   this in mind when comparing Zeek runtimes, to ensure you're comparing only
+   actual script execution time.
+
+To isolate ZAM's code generation overhead when running Zeek on a pcap, simply
+leave out the traffic. That is, turn this ...
+
+.. code-block:: sh
+
+   $ zcat 2009-M57-day11-18.trace.gz | zeek -O ZAM -r - <args>
+
+into
+
+.. code-block:: sh
+
+   $ time zeek -O ZAM <args>
+
+and, since Zeek drops into interactive mode when run without arguments,
+
+.. code-block:: sh
+
+   $ time zeek -O ZAM /dev/null
+
+when there are none.
+
+To determine the runtime after ZAM's code generation, you can measure the time
+between :zeek:id:`zeek_init` and :zeek:id:`zeek_done` event handlers:
+
+.. code-block:: zeek
+   :caption: runtime.zeek
+
+   global t0: time;
+
+   event zeek_init()
+       {
+       t0 = current_time();
+       }
+
+   event zeek_done()
+       {
+       print current_time() - t0;
+       }
+
+Here's a quick example of ZAM's effect on Zeek's typical processing of a larger
+packet capture, from one of our testsuites:
+
+.. code-block:: sh
+
+   $ zcat 2009-M57-day11-18.trace.gz | zeek -r - runtime.zeek
+   14.0 secs 252.0 msecs 107.858658 usecs
+   $ zcat 2009-M57-day11-18.trace.gz | zeek -O ZAM -r - runtime.zeek
+   12.0 secs 345.0 msecs 857.990265 usecs
+
+A roughly 13% improvement in runtime.
+
+Other Optimization Features
+===========================
+
+You can tune various features of ZAM via additional options to ``-O``, see the
+output of ``zeek -O help`` for details. For example, you can study the script
+transformations ZAM applies, and use ZAM selectively in certain files (via
+``--optimize-files``) or functions (via ``--optimize-funcs``).  Most users
+won't need to use these.
diff --git a/doc/scripting/tracing-events.rst b/doc/scripting/tracing-events.rst
new file mode 100644
index 0000000000..6edc81acfb
--- /dev/null
+++ b/doc/scripting/tracing-events.rst
@@ -0,0 +1,87 @@
+.. _tracing_events:
+
+==============
+Tracing Events
+==============
+
+Zeek provides a mechanism for recording the events that occur during
+an execution run (on live traffic, or from a pcap) in a manner that you
+can then later replay to get the same effect but without the traffic source.
+You can also edit the recording to introduce differences between the original,
+such as introducing corner-cases to aid in testing, or anonymizing sensitive
+information.
+
+You create a trace using:
+
+.. code-block:: console
+
+  zeek --event-trace=mytrace.zeek <traffic-option> <other-options> <scripts...>
+
+or, equivalently:
+
+.. code-block:: console
+
+  zeek -E mytrace.zeek <traffic-option> <other-options> <scripts...>
+
+Here, the *traffic-option* would be ``-i`` or ``-r`` to arrange for
+a source of network traffic.  The trace will be written to the file
+``mytrace.zeek`` which, as the extension suggests, is itself a Zeek script.
+You can then replay the events using:
+
+.. code-block:: console
+
+  zeek <other-options> <scripts...> mytrace.zeek
+
+One use case for event-tracing is to turn a sensitive PCAP that can't
+be shared into a reflection of that same activity that - with some editing, for
+example to change IP addresses - is safe to share.  To facilitate such
+editing, the generated script includes at the end a summary of all of
+the constants present in the script that might be sensitive and require
+editing (such as addresses and strings), to make it easier to know what
+to search for and edit in the script.  The generated script also includes
+a global ``__base_time`` that's used to make it easy to alter (most of)
+the times in the trace without altering their relative offsets.
+
+The generated script aims to ensure that event values that were related
+during the original run stay related when replayed; re-execution should
+proceed in a manner identical to how it did originally.  There are however
+several considerations:
+
+* Zeek is unable to accurately trace events that include values that cannot
+  be faithfully recreated in a Zeek script, namely those having types of
+  ``opaque``, ``file``, or ``any``.  Upon encountering these, it generates
+  variables reflecting their unsupported nature, such as ``global
+  __UNSUPPORTED21: opaque of x509;``, and initializes them with code like
+  ``__UNSUPPORTED21 = UNSUPPORTED opaque of x509;``.  The generated script
+  is meant to produce syntax errors if run directly, and the names make
+  it easy to search for the elements that need to somehow be addressed.
+
+* Zeek only traces events that reflect traffic processing, i.e., those
+  occurring after :zeek:id:`network_time` is set.  Even if you don't include
+  a network traffic source, it skips the :zeek:id:`zeek_init` event
+  (since it is always automatically generated).
+
+* The trace does *not* include events generated by scripts, only those
+  generated by the "event engine".
+
+* The trace is generated upon Zeek cleanly exiting, so if Zeek crashes,
+  no trace will be produced. Stopping Zeek via *ctrl-c* does trigger a
+  clean exit.
+
+* A subtle issue arises regarding any changes that the scripts in the
+  original execution made to values present in subsequent events.  If
+  you re-run using the event trace script as well as those scripts,
+  the changes the scripts make during the re-run will be discarded and
+  instead replaced with the changes made during the original execution.
+  This generally won't matter if you're using the exact same scripts for
+  replay as originally, but if you've made changes to those scripts, then
+  it could.  If you need the replay script to "respond" to changes made
+  during the re-execution, you can delete from the replay script every
+  line marked with the comment ``# from script``.
+
+.. note::
+
+  It's possible that some timers will behave differently upon replay
+  than originally.  If you encounter this and it creates a problem, we
+  would be interested to hear about it so we can consider whether the
+  problem can be remedied.
diff --git a/doc/scripting/usage.rst b/doc/scripting/usage.rst
new file mode 100644
index 0000000000..1d51f1f192
--- /dev/null
+++ b/doc/scripting/usage.rst
@@ -0,0 +1,26 @@
+
+.. _script-usage-errors:
+
+==============================
+Finding Potential Usage Errors
+==============================
+
+Usage errors concern variables used-but-not-guaranteed-set or
+set-but-not-ever-used.  Zeek generates reports for these if you specify
+the ``-u`` flag.  It exits after producing the report, so if it simply exits
+with no output, then it did not find any usage errors.
+
+Variables reported as "used without definition" appear to have a code path
+to them the could access their value even though it has not been initialized.
+If upon inspection you determine that there is no actual hazard, you can
+mark the definition with an :zeek:attr:`&is_assigned` attribute to assure the optimizer
+that the value will be set.
+
+Variables reported as "assignment unused" have a value assigned to them
+that is meaningless since prior to any use of that value, another value
+is assigned to the same variable.  Such assignments are worth inspecting
+as they sometimes reflect logic errors.  Similar logic applies to unused
+event handlers, hooks, and functions.  You can suppress these reports by
+adding an :zeek:attr:`&is_used` attribute to the original definition.  If the
+determination is indeed incorrect, that represents a bug in Zeek's analysis,
+so something to report via the Issue Tracker.
diff --git a/doc/scripts/base/bif/CPP-load.bif.zeek.rst b/doc/scripts/base/bif/CPP-load.bif.zeek.rst
new file mode 100644
index 0000000000..10697d1272
--- /dev/null
+++ b/doc/scripts/base/bif/CPP-load.bif.zeek.rst
@@ -0,0 +1,39 @@
+:tocdepth: 3
+
+base/bif/CPP-load.bif.zeek
+==========================
+.. zeek:namespace:: GLOBAL
+
+Definitions of built-in functions related to loading compiled-to-C++
+scripts.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================== ====================================================================
+:zeek:id:`load_CPP`: :zeek:type:`function` Activates the compile-to-C++ scripts associated with the given hash.
+========================================== ====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: load_CPP
+   :source-code: base/bif/CPP-load.bif.zeek 16 16
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`count`) : :zeek:type:`bool`
+
+   Activates the compile-to-C++ scripts associated with the given hash.
+   
+
+   :param h: Hash of the set of C++ scripts.
+   
+
+   :returns: True if it was present and loaded, false if not.
+   
+
+
diff --git a/doc/scripts/base/bif/__load__.zeek.rst b/doc/scripts/base/bif/__load__.zeek.rst
new file mode 100644
index 0000000000..42d60970c7
--- /dev/null
+++ b/doc/scripts/base/bif/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/bif/__load__.zeek
+======================
+
+
+:Imports: :doc:`base/bif/CPP-load.bif.zeek </scripts/base/bif/CPP-load.bif.zeek>`, :doc:`base/bif/analyzer.bif.zeek </scripts/base/bif/analyzer.bif.zeek>`, :doc:`base/bif/bloom-filter.bif.zeek </scripts/base/bif/bloom-filter.bif.zeek>`, :doc:`base/bif/cardinality-counter.bif.zeek </scripts/base/bif/cardinality-counter.bif.zeek>`, :doc:`base/bif/cluster.bif.zeek </scripts/base/bif/cluster.bif.zeek>`, :doc:`base/bif/comm.bif.zeek </scripts/base/bif/comm.bif.zeek>`, :doc:`base/bif/communityid.bif.zeek </scripts/base/bif/communityid.bif.zeek>`, :doc:`base/bif/const.bif.zeek </scripts/base/bif/const.bif.zeek>`, :doc:`base/bif/data.bif.zeek </scripts/base/bif/data.bif.zeek>`, :doc:`base/bif/event.bif.zeek </scripts/base/bif/event.bif.zeek>`, :doc:`base/bif/file_analysis.bif.zeek </scripts/base/bif/file_analysis.bif.zeek>`, :doc:`base/bif/input.bif.zeek </scripts/base/bif/input.bif.zeek>`, :doc:`base/bif/logging.bif.zeek </scripts/base/bif/logging.bif.zeek>`, :doc:`base/bif/messaging.bif.zeek </scripts/base/bif/messaging.bif.zeek>`, :doc:`base/bif/mmdb.bif.zeek </scripts/base/bif/mmdb.bif.zeek>`, :doc:`base/bif/option.bif.zeek </scripts/base/bif/option.bif.zeek>`, :doc:`base/bif/packet_analysis.bif.zeek </scripts/base/bif/packet_analysis.bif.zeek>`, :doc:`base/bif/pcap.bif.zeek </scripts/base/bif/pcap.bif.zeek>`, :doc:`base/bif/reporter.bif.zeek </scripts/base/bif/reporter.bif.zeek>`, :doc:`base/bif/spicy.bif.zeek </scripts/base/bif/spicy.bif.zeek>`, :doc:`base/bif/stats.bif.zeek </scripts/base/bif/stats.bif.zeek>`, :doc:`base/bif/storage-async.bif.zeek </scripts/base/bif/storage-async.bif.zeek>`, :doc:`base/bif/storage-events.bif.zeek </scripts/base/bif/storage-events.bif.zeek>`, :doc:`base/bif/storage-sync.bif.zeek </scripts/base/bif/storage-sync.bif.zeek>`, :doc:`base/bif/storage.bif.zeek </scripts/base/bif/storage.bif.zeek>`, :doc:`base/bif/store.bif.zeek </scripts/base/bif/store.bif.zeek>`, :doc:`base/bif/strings.bif.zeek </scripts/base/bif/strings.bif.zeek>`, :doc:`base/bif/supervisor.bif.zeek </scripts/base/bif/supervisor.bif.zeek>`, :doc:`base/bif/telemetry_consts.bif.zeek </scripts/base/bif/telemetry_consts.bif.zeek>`, :doc:`base/bif/telemetry_functions.bif.zeek </scripts/base/bif/telemetry_functions.bif.zeek>`, :doc:`base/bif/telemetry_types.bif.zeek </scripts/base/bif/telemetry_types.bif.zeek>`, :doc:`base/bif/top-k.bif.zeek </scripts/base/bif/top-k.bif.zeek>`, :doc:`base/bif/types.bif.zeek </scripts/base/bif/types.bif.zeek>`, :doc:`base/bif/zeek.bif.zeek </scripts/base/bif/zeek.bif.zeek>`, :doc:`base/bif/zeekygen.bif.zeek </scripts/base/bif/zeekygen.bif.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/analyzer.bif.zeek.rst b/doc/scripts/base/bif/analyzer.bif.zeek.rst
new file mode 100644
index 0000000000..317fe6dc18
--- /dev/null
+++ b/doc/scripts/base/bif/analyzer.bif.zeek.rst
@@ -0,0 +1,80 @@
+:tocdepth: 3
+
+base/bif/analyzer.bif.zeek
+==========================
+.. zeek:namespace:: Analyzer
+.. zeek:namespace:: GLOBAL
+
+Internal functions and types used by the analyzer framework.
+
+:Namespaces: Analyzer, GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+=================================================================== =
+:zeek:id:`Analyzer::__disable_all_analyzers`: :zeek:type:`function` 
+:zeek:id:`Analyzer::__disable_analyzer`: :zeek:type:`function`      
+:zeek:id:`Analyzer::__enable_analyzer`: :zeek:type:`function`       
+:zeek:id:`Analyzer::__has_tag`: :zeek:type:`function`               
+:zeek:id:`Analyzer::__name`: :zeek:type:`function`                  
+:zeek:id:`Analyzer::__register_for_port`: :zeek:type:`function`     
+:zeek:id:`Analyzer::__schedule_analyzer`: :zeek:type:`function`     
+:zeek:id:`Analyzer::__tag`: :zeek:type:`function`                   
+=================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Analyzer::__disable_all_analyzers
+   :source-code: base/bif/analyzer.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` () : :zeek:type:`any`
+
+
+.. zeek:id:: Analyzer::__disable_analyzer
+   :source-code: base/bif/analyzer.bif.zeek 14 14
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Analyzer::Tag`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Analyzer::__enable_analyzer
+   :source-code: base/bif/analyzer.bif.zeek 11 11
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Analyzer::Tag`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Analyzer::__has_tag
+   :source-code: base/bif/analyzer.bif.zeek 34 34
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Analyzer::__name
+   :source-code: base/bif/analyzer.bif.zeek 26 26
+
+   :Type: :zeek:type:`function` (atype: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`string`
+
+
+.. zeek:id:: Analyzer::__register_for_port
+   :source-code: base/bif/analyzer.bif.zeek 20 20
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Analyzer::Tag`, p: :zeek:type:`port`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Analyzer::__schedule_analyzer
+   :source-code: base/bif/analyzer.bif.zeek 23 23
+
+   :Type: :zeek:type:`function` (orig: :zeek:type:`addr`, resp: :zeek:type:`addr`, resp_p: :zeek:type:`port`, analyzer: :zeek:type:`Analyzer::Tag`, tout: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Analyzer::__tag
+   :source-code: base/bif/analyzer.bif.zeek 31 31
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`AllAnalyzers::Tag`
+
+
+
diff --git a/doc/scripts/base/bif/bloom-filter.bif.zeek.rst b/doc/scripts/base/bif/bloom-filter.bif.zeek.rst
new file mode 100644
index 0000000000..019345cc43
--- /dev/null
+++ b/doc/scripts/base/bif/bloom-filter.bif.zeek.rst
@@ -0,0 +1,270 @@
+:tocdepth: 3
+
+base/bif/bloom-filter.bif.zeek
+==============================
+.. zeek:namespace:: GLOBAL
+
+Functions to create and manipulate Bloom filters.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+============================================================ ============================================================================================
+:zeek:id:`bloomfilter_add`: :zeek:type:`function`            Adds an element to a Bloom filter.
+:zeek:id:`bloomfilter_basic_init`: :zeek:type:`function`     Creates a basic Bloom filter.
+:zeek:id:`bloomfilter_basic_init2`: :zeek:type:`function`    Creates a basic Bloom filter.
+:zeek:id:`bloomfilter_clear`: :zeek:type:`function`          Removes all elements from a Bloom filter.
+:zeek:id:`bloomfilter_counting_init`: :zeek:type:`function`  Creates a counting Bloom filter.
+:zeek:id:`bloomfilter_decrement`: :zeek:type:`function`      Decrements the counter for an element that was added to a counting bloom filter in the past.
+:zeek:id:`bloomfilter_internal_state`: :zeek:type:`function` Returns a string with a representation of a Bloom filter's internal
+                                                             state.
+:zeek:id:`bloomfilter_intersect`: :zeek:type:`function`      Intersects two Bloom filters.
+:zeek:id:`bloomfilter_lookup`: :zeek:type:`function`         Retrieves the counter for a given element in a Bloom filter.
+:zeek:id:`bloomfilter_merge`: :zeek:type:`function`          Merges two Bloom filters.
+============================================================ ============================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: bloomfilter_add
+   :source-code: base/bif/bloom-filter.bif.zeek 88 88
+
+   :Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter, x: :zeek:type:`any`) : :zeek:type:`any`
+
+   Adds an element to a Bloom filter. For counting bloom filters, the counter is incremented.
+   
+
+   :param bf: The Bloom filter handle.
+   
+
+   :param x: The element to add.
+   
+   .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
+      bloomfilter_counting_init bloomfilter_lookup bloomfilter_clear
+      bloomfilter_merge bloomfilter_decrement
+
+.. zeek:id:: bloomfilter_basic_init
+   :source-code: base/bif/bloom-filter.bif.zeek 28 28
+
+   :Type: :zeek:type:`function` (fp: :zeek:type:`double`, capacity: :zeek:type:`count`, name: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of bloomfilter
+
+   Creates a basic Bloom filter.
+   
+
+   :param fp: The desired false-positive rate.
+   
+
+   :param capacity: the maximum number of elements that guarantees a false-positive
+             rate of *fp*.
+   
+
+   :param name: A name that uniquely identifies and seeds the Bloom filter. If empty,
+         the filter will use :zeek:id:`global_hash_seed` if that's set, and
+         otherwise use a local seed tied to the current Zeek process. Only
+         filters with the same seed can be merged with
+         :zeek:id:`bloomfilter_merge`.
+   
+
+   :returns: A Bloom filter handle.
+   
+   .. zeek:see:: bloomfilter_basic_init2 bloomfilter_counting_init bloomfilter_add
+      bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
+
+.. zeek:id:: bloomfilter_basic_init2
+   :source-code: base/bif/bloom-filter.bif.zeek 50 50
+
+   :Type: :zeek:type:`function` (k: :zeek:type:`count`, cells: :zeek:type:`count`, name: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of bloomfilter
+
+   Creates a basic Bloom filter. This function serves as a low-level
+   alternative to :zeek:id:`bloomfilter_basic_init` where the user has full
+   control over the number of hash functions and cells in the underlying bit
+   vector.
+   
+
+   :param k: The number of hash functions to use.
+   
+
+   :param cells: The number of cells of the underlying bit vector.
+   
+
+   :param name: A name that uniquely identifies and seeds the Bloom filter. If empty,
+         the filter will use :zeek:id:`global_hash_seed` if that's set, and
+         otherwise use a local seed tied to the current Zeek process. Only
+         filters with the same seed can be merged with
+         :zeek:id:`bloomfilter_merge`.
+   
+
+   :returns: A Bloom filter handle.
+   
+   .. zeek:see:: bloomfilter_basic_init bloomfilter_counting_init  bloomfilter_add
+      bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
+
+.. zeek:id:: bloomfilter_clear
+   :source-code: base/bif/bloom-filter.bif.zeek 137 137
+
+   :Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter) : :zeek:type:`any`
+
+   Removes all elements from a Bloom filter. This function resets all bits in
+   the underlying bitvector back to 0 but does not change the parameterization
+   of the Bloom filter, such as the element type and the hasher seed.
+   
+
+   :param bf: The Bloom filter handle.
+   
+   .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
+      bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
+      bloomfilter_merge
+
+.. zeek:id:: bloomfilter_counting_init
+   :source-code: base/bif/bloom-filter.bif.zeek 76 76
+
+   :Type: :zeek:type:`function` (k: :zeek:type:`count`, cells: :zeek:type:`count`, max: :zeek:type:`count`, name: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of bloomfilter
+
+   Creates a counting Bloom filter.
+   
+
+   :param k: The number of hash functions to use.
+   
+
+   :param cells: The number of cells of the underlying counter vector. As there's
+          no single answer to what's the best parameterization for a
+          counting Bloom filter, we refer to the Bloom filter literature
+          here for choosing an appropriate value.
+   
+
+   :param max: The maximum counter value associated with each element
+        described by *w = ceil(log_2(max))* bits. Each bit in the underlying
+        counter vector becomes a cell of size *w* bits.
+   
+
+   :param name: A name that uniquely identifies and seeds the Bloom filter. If empty,
+         the filter will use :zeek:id:`global_hash_seed` if that's set, and
+         otherwise use a local seed tied to the current Zeek process. Only
+         filters with the same seed can be merged with
+         :zeek:id:`bloomfilter_merge`.
+   
+
+   :returns: A Bloom filter handle.
+   
+   .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2 bloomfilter_add
+      bloomfilter_lookup bloomfilter_clear bloomfilter_merge global_hash_seed
+
+.. zeek:id:: bloomfilter_decrement
+   :source-code: base/bif/bloom-filter.bif.zeek 105 105
+
+   :Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter, x: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Decrements the counter for an element that was added to a counting bloom filter in the past.
+   
+   Note that decrement operations can lead to false negatives if used on a counting bloom-filter
+   that exceeded the width of its counter.
+   
+
+   :param bf: The counting bloom filter handle.
+   
+
+   :param x: The element to decrement
+   
+
+   :returns: True on success
+   
+   .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
+      bloomfilter_counting_init bloomfilter_lookup bloomfilter_clear
+      bloomfilter_merge
+
+.. zeek:id:: bloomfilter_internal_state
+   :source-code: base/bif/bloom-filter.bif.zeek 185 185
+
+   :Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter) : :zeek:type:`string`
+
+   Returns a string with a representation of a Bloom filter's internal
+   state. This is for debugging/testing purposes only.
+   
+
+   :param bf: The Bloom filter handle.
+   
+
+   :returns: a string with a representation of a Bloom filter's internal state.
+
+.. zeek:id:: bloomfilter_intersect
+   :source-code: base/bif/bloom-filter.bif.zeek 176 176
+
+   :Type: :zeek:type:`function` (bf1: :zeek:type:`opaque` of bloomfilter, bf2: :zeek:type:`opaque` of bloomfilter) : :zeek:type:`opaque` of bloomfilter
+
+   Intersects two Bloom filters.
+   
+   The resulting Bloom filter returns true when queried for elements
+   that were contained in both bloom filters. Note that intersected Bloom
+   filters have a slightly higher probability of false positives than
+   Bloom filters created from scratch.
+   
+   Please note that, while this function works with basic and with counting
+   bloom filters, the result always is a basic bloom filter. So - intersecting
+   two counting bloom filters will result in a basic bloom filter. The reason
+   for this is that there is no reasonable definition of how to handle counters
+   during intersection.
+   
+
+   :param bf1: The first Bloom filter handle.
+   
+
+   :param bf2: The second Bloom filter handle.
+   
+
+   :returns: The intersection of *bf1* and *bf2*.
+   
+   .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
+      bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
+      bloomfilter_clear bloomfilter_merge
+
+.. zeek:id:: bloomfilter_lookup
+   :source-code: base/bif/bloom-filter.bif.zeek 125 125
+
+   :Type: :zeek:type:`function` (bf: :zeek:type:`opaque` of bloomfilter, x: :zeek:type:`any`) : :zeek:type:`count`
+
+   Retrieves the counter for a given element in a Bloom filter.
+   
+   For a basic bloom filter, this is 0 when the element is not part of the bloom filter, or 1
+   if it is part of the bloom filter.
+   
+   For a counting bloom filter, this is the estimate of how often an element was added.
+   
+
+   :param bf: The Bloom filter handle.
+   
+
+   :param x: The element to count.
+   
+
+   :returns: the counter associated with *x* in *bf*.
+   
+   .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
+      bloomfilter_counting_init bloomfilter_add bloomfilter_clear
+      bloomfilter_merge
+
+.. zeek:id:: bloomfilter_merge
+   :source-code: base/bif/bloom-filter.bif.zeek 151 151
+
+   :Type: :zeek:type:`function` (bf1: :zeek:type:`opaque` of bloomfilter, bf2: :zeek:type:`opaque` of bloomfilter) : :zeek:type:`opaque` of bloomfilter
+
+   Merges two Bloom filters.
+   
+
+   :param bf1: The first Bloom filter handle.
+   
+
+   :param bf2: The second Bloom filter handle.
+   
+
+   :returns: The union of *bf1* and *bf2*.
+   
+   .. zeek:see:: bloomfilter_basic_init bloomfilter_basic_init2
+      bloomfilter_counting_init bloomfilter_add bloomfilter_lookup
+      bloomfilter_clear bloomfilter_merge
+
+
diff --git a/doc/scripts/base/bif/cardinality-counter.bif.zeek.rst b/doc/scripts/base/bif/cardinality-counter.bif.zeek.rst
new file mode 100644
index 0000000000..d7702f69c0
--- /dev/null
+++ b/doc/scripts/base/bif/cardinality-counter.bif.zeek.rst
@@ -0,0 +1,122 @@
+:tocdepth: 3
+
+base/bif/cardinality-counter.bif.zeek
+=====================================
+.. zeek:namespace:: GLOBAL
+
+Functions to create and manipulate probabilistic cardinality counters.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+============================================================ =========================================================================
+:zeek:id:`hll_cardinality_add`: :zeek:type:`function`        Adds an element to a HyperLogLog cardinality counter.
+:zeek:id:`hll_cardinality_copy`: :zeek:type:`function`       Copy a HLL cardinality counter.
+:zeek:id:`hll_cardinality_estimate`: :zeek:type:`function`   Estimate the current cardinality of an HLL cardinality counter.
+:zeek:id:`hll_cardinality_init`: :zeek:type:`function`       Initializes a probabilistic cardinality counter that uses the HyperLogLog
+                                                             algorithm.
+:zeek:id:`hll_cardinality_merge_into`: :zeek:type:`function` Merges a HLL cardinality counter into another.
+============================================================ =========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: hll_cardinality_add
+   :source-code: base/bif/cardinality-counter.bif.zeek 35 35
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of cardinality, elem: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Adds an element to a HyperLogLog cardinality counter.
+   
+
+   :param handle: the HLL handle.
+   
+
+   :param elem: the element to add.
+   
+
+   :returns: true on success.
+   
+   .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into
+      hll_cardinality_init hll_cardinality_copy
+
+.. zeek:id:: hll_cardinality_copy
+   :source-code: base/bif/cardinality-counter.bif.zeek 73 73
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of cardinality) : :zeek:type:`opaque` of cardinality
+
+   Copy a HLL cardinality counter.
+   
+
+   :param handle: cardinality counter to copy.
+   
+
+   :returns: copy of handle.
+   
+   .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add
+      hll_cardinality_init
+
+.. zeek:id:: hll_cardinality_estimate
+   :source-code: base/bif/cardinality-counter.bif.zeek 62 62
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of cardinality) : :zeek:type:`double`
+
+   Estimate the current cardinality of an HLL cardinality counter.
+   
+
+   :param handle: the HLL handle.
+   
+
+   :returns: the cardinality estimate. Returns -1.0 if the counter is empty.
+   
+   .. zeek:see:: hll_cardinality_merge_into hll_cardinality_add
+      hll_cardinality_init hll_cardinality_copy
+
+.. zeek:id:: hll_cardinality_init
+   :source-code: base/bif/cardinality-counter.bif.zeek 22 22
+
+   :Type: :zeek:type:`function` (err: :zeek:type:`double`, confidence: :zeek:type:`double`) : :zeek:type:`opaque` of cardinality
+
+   Initializes a probabilistic cardinality counter that uses the HyperLogLog
+   algorithm.
+   
+
+   :param err: the desired error rate (e.g. 0.01).
+   
+
+   :param confidence: the desired confidence for the error rate (e.g., 0.95).
+   
+
+   :returns: a HLL cardinality handle.
+   
+   .. zeek:see:: hll_cardinality_estimate hll_cardinality_merge_into hll_cardinality_add
+      hll_cardinality_copy
+
+.. zeek:id:: hll_cardinality_merge_into
+   :source-code: base/bif/cardinality-counter.bif.zeek 51 51
+
+   :Type: :zeek:type:`function` (handle1: :zeek:type:`opaque` of cardinality, handle2: :zeek:type:`opaque` of cardinality) : :zeek:type:`bool`
+
+   Merges a HLL cardinality counter into another.
+   
+   .. note:: The same restrictions as for Bloom filter merging apply,
+      see :zeek:id:`bloomfilter_merge`.
+   
+
+   :param handle1: the first HLL handle, which will contain the merged result.
+   
+
+   :param handle2: the second HLL handle, which will be merged into the first.
+   
+
+   :returns: true on success.
+   
+   .. zeek:see:: hll_cardinality_estimate  hll_cardinality_add
+      hll_cardinality_init hll_cardinality_copy
+
+
diff --git a/doc/scripts/base/bif/cluster.bif.zeek.rst b/doc/scripts/base/bif/cluster.bif.zeek.rst
new file mode 100644
index 0000000000..77e1d080e9
--- /dev/null
+++ b/doc/scripts/base/bif/cluster.bif.zeek.rst
@@ -0,0 +1,169 @@
+:tocdepth: 3
+
+base/bif/cluster.bif.zeek
+=========================
+.. zeek:namespace:: Cluster
+.. zeek:namespace:: Cluster::Backend
+.. zeek:namespace:: GLOBAL
+
+
+:Namespaces: Cluster, Cluster::Backend, GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== ===================================
+:zeek:id:`Cluster::Backend::error`: :zeek:type:`event` Generated on cluster backend error.
+====================================================== ===================================
+
+Functions
+#########
+============================================================= ===================================================================
+:zeek:id:`Cluster::Backend::__init`: :zeek:type:`function`    Initialize the global cluster backend.
+:zeek:id:`Cluster::__listen_websocket`: :zeek:type:`function` 
+:zeek:id:`Cluster::__subscribe`: :zeek:type:`function`        
+:zeek:id:`Cluster::__unsubscribe`: :zeek:type:`function`      
+:zeek:id:`Cluster::make_event`: :zeek:type:`function`         Create a data structure that may be used to send a remote event via
+                                                              :zeek:see:`Broker::publish`.
+:zeek:id:`Cluster::publish`: :zeek:type:`function`            Publishes an event to a given topic.
+:zeek:id:`Cluster::publish_hrw`: :zeek:type:`function`        Publishes an event to a node within a pool according to Rendezvous
+                                                              (Highest Random Weight) hashing strategy.
+:zeek:id:`Cluster::publish_rr`: :zeek:type:`function`         Publishes an event to a node within a pool according to Round-Robin
+                                                              distribution strategy.
+============================================================= ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: Cluster::Backend::error
+   :source-code: base/frameworks/cluster/main.zeek 716 720
+
+   :Type: :zeek:type:`event` (tag: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated on cluster backend error.
+   
+
+   :param tag: A structured tag, not further specified.
+   
+
+   :param message: A free form message with more details about the error.
+
+Functions
+#########
+.. zeek:id:: Cluster::Backend::__init
+   :source-code: base/bif/cluster.bif.zeek 48 48
+
+   :Type: :zeek:type:`function` (nid: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Initialize the global cluster backend.
+   
+
+   :returns: true on success.
+
+.. zeek:id:: Cluster::__listen_websocket
+   :source-code: base/bif/cluster.bif.zeek 87 87
+
+   :Type: :zeek:type:`function` (options: :zeek:type:`Cluster::WebSocketServerOptions`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Cluster::__subscribe
+   :source-code: base/bif/cluster.bif.zeek 39 39
+
+   :Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Cluster::__unsubscribe
+   :source-code: base/bif/cluster.bif.zeek 42 42
+
+   :Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Cluster::make_event
+   :source-code: base/bif/cluster.bif.zeek 36 36
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`Cluster::Event`
+
+   Create a data structure that may be used to send a remote event via
+   :zeek:see:`Broker::publish`.
+   
+
+   :param args: an event, followed by a list of argument values that may be used
+         to call it.
+   
+
+   :returns: A :zeek:type:`Cluster::Event` instance that can be published via
+            :zeek:see:`Cluster::publish`, :zeek:see:`Cluster::publish_rr`
+            or :zeek:see:`Cluster::publish_hrw`.
+
+.. zeek:id:: Cluster::publish
+   :source-code: base/bif/cluster.bif.zeek 24 24
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`bool`
+
+   Publishes an event to a given topic.
+   
+
+   :param topic: a topic associated with the event message.
+   
+
+   :param args: Either the event arguments as already made by
+         :zeek:see:`Cluster::make_event` or the argument list to pass along
+         to it.
+   
+
+   :returns: T if the event was accepted for sending. Depending on
+            the selected cluster backend, an event may be dropped
+            when a Zeek cluster is overloadede. This can happen on
+            the sending or receiving node.
+
+.. zeek:id:: Cluster::publish_hrw
+   :source-code: base/bif/cluster.bif.zeek 84 84
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`bool`
+
+   Publishes an event to a node within a pool according to Rendezvous
+   (Highest Random Weight) hashing strategy.
+   
+
+   :param pool: the pool of nodes that are eligible to receive the event.
+   
+
+   :param key: data used for input to the hashing function that will uniformly
+        distribute keys among available nodes.
+   
+
+   :param args: Either the event arguments as already made by
+         :zeek:see:`Broker::make_event` or the argument list to pass along
+         to it.
+   
+
+   :returns: true if the message is sent.
+
+.. zeek:id:: Cluster::publish_rr
+   :source-code: base/bif/cluster.bif.zeek 67 67
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`bool`
+
+   Publishes an event to a node within a pool according to Round-Robin
+   distribution strategy.
+   
+
+   :param pool: the pool of nodes that are eligible to receive the event.
+   
+
+   :param key: an arbitrary string to identify the purpose for which you're
+        distributing the event.  e.g. consider using namespacing of your
+        script like "Intel::cluster_rr_key".
+   
+
+   :param args: Either the event arguments as already made by
+         :zeek:see:`Cluster::make_event` or the argument list to pass along
+         to it.
+   
+
+   :returns: true if the message is sent.
+
+
diff --git a/doc/scripts/base/bif/comm.bif.zeek.rst b/doc/scripts/base/bif/comm.bif.zeek.rst
new file mode 100644
index 0000000000..b579d50402
--- /dev/null
+++ b/doc/scripts/base/bif/comm.bif.zeek.rst
@@ -0,0 +1,252 @@
+:tocdepth: 3
+
+base/bif/comm.bif.zeek
+======================
+.. zeek:namespace:: Broker
+.. zeek:namespace:: GLOBAL
+
+Functions and events regarding broker communication mechanisms.
+
+:Namespaces: Broker, GLOBAL
+
+Summary
+~~~~~~~
+Types
+#####
+====================================================== =
+:zeek:type:`Broker::BrokerProtocol`: :zeek:type:`enum` 
+====================================================== =
+
+Events
+######
+=========================================================== ======================================================================
+:zeek:id:`Broker::endpoint_discovered`: :zeek:type:`event`  Generated when a new Broker endpoint appeared.
+:zeek:id:`Broker::endpoint_unreachable`: :zeek:type:`event` Generated when the last path to a Broker endpoint has been lost.
+:zeek:id:`Broker::error`: :zeek:type:`event`                Generated when an error occurs in the Broker sub-system.
+:zeek:id:`Broker::internal_log_event`: :zeek:type:`event`   Generated when Broker emits an internal logging event.
+:zeek:id:`Broker::peer_added`: :zeek:type:`event`           Generated when a new peering has been established.
+:zeek:id:`Broker::peer_lost`: :zeek:type:`event`            Generated when the local endpoint has lost its peering with another
+                                                            endpoint.
+:zeek:id:`Broker::peer_removed`: :zeek:type:`event`         Generated when the local endpoint has removed its peering with another
+                                                            endpoint.
+:zeek:id:`Broker::status`: :zeek:type:`event`               Generated when an unspecified change occurs in Broker.
+=========================================================== ======================================================================
+
+Functions
+#########
+=============================================================== =
+:zeek:id:`Broker::__is_outbound_peering`: :zeek:type:`function` 
+:zeek:id:`Broker::__listen`: :zeek:type:`function`              
+:zeek:id:`Broker::__node_id`: :zeek:type:`function`             
+:zeek:id:`Broker::__peer`: :zeek:type:`function`                
+:zeek:id:`Broker::__peer_no_retry`: :zeek:type:`function`       
+:zeek:id:`Broker::__peering_stats`: :zeek:type:`function`       
+:zeek:id:`Broker::__peers`: :zeek:type:`function`               
+:zeek:id:`Broker::__unpeer`: :zeek:type:`function`              
+=============================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Broker::BrokerProtocol
+   :source-code: base/bif/comm.bif.zeek 149 149
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::NATIVE Broker::BrokerProtocol
+
+      .. zeek:enum:: Broker::WEBSOCKET Broker::BrokerProtocol
+
+
+Events
+######
+.. zeek:id:: Broker::endpoint_discovered
+   :source-code: base/bif/comm.bif.zeek 78 78
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
+
+   Generated when a new Broker endpoint appeared.
+
+.. zeek:id:: Broker::endpoint_unreachable
+   :source-code: base/bif/comm.bif.zeek 82 82
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
+
+   Generated when the last path to a Broker endpoint has been lost.
+
+.. zeek:id:: Broker::error
+   :source-code: base/frameworks/broker/log.zeek 83 96
+
+   :Type: :zeek:type:`event` (code: :zeek:type:`Broker::ErrorCode`, msg: :zeek:type:`string`)
+
+   Generated when an error occurs in the Broker sub-system. This event
+   reports local errors in Broker, as indicated by the provided
+   :zeek:type:`Broker::ErrorCode`.
+   
+
+   :param code: the type of error that triggered this event.
+   
+
+   :param msg: a message providing additional context.
+   
+   .. zeek:see:: Broker::peer_added Broker::peer_removed Broker::peer_lost
+      Broker::endpoint_discovered Broker::endpoint_unreachable Broker::status
+
+.. zeek:id:: Broker::internal_log_event
+   :source-code: base/frameworks/broker/log.zeek 98 122
+
+   :Type: :zeek:type:`event` (lvl: :zeek:type:`Broker::LogSeverityLevel`, id: :zeek:type:`string`, description: :zeek:type:`string`)
+
+   Generated when Broker emits an internal logging event.
+   
+
+   :param lvl: the severity of the event as reported by Broker.
+   
+
+   :param id: an identifier for the event type.
+   
+
+   :param description: a message providing additional context.
+
+.. zeek:id:: Broker::peer_added
+   :source-code: base/bif/comm.bif.zeek 36 36
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
+
+   Generated when a new peering has been established. Both sides of the peering
+   receive this event, created independently in each endpoint. For the endpoint
+   establishing the peering, the added endpoint's network information will match
+   the address and port provided to :zeek:see:`Broker::peer`; for the listening
+   endpoint it's the peer's TCP client's address and (likely ephemeral) TCP
+   port.
+   
+
+   :param endpoint: the added endpoint's Broker ID and connection information.
+   
+
+   :param msg: a message providing additional context.
+   
+   .. zeek:see:: Broker::peer_removed Broker::peer_lost
+      Broker::endpoint_discovered Broker::endpoint_unreachable
+      Broker::status Broker::error
+
+.. zeek:id:: Broker::peer_lost
+   :source-code: base/bif/comm.bif.zeek 74 74
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
+
+   Generated when the local endpoint has lost its peering with another
+   endpoint. This event fires when the other endpoint stops or removes the
+   peering for some other reason. This event is independent of the original
+   directionality of connection establishment.
+   
+
+   :param endpoint: the lost endpoint's Broker ID and connection information.
+   
+
+   :param msg: a message providing additional context.
+   
+   .. zeek:see:: Broker::peer_added Broker::peer_removed
+      Broker::endpoint_discovered Broker::endpoint_unreachable
+      Broker::status Broker::error
+
+.. zeek:id:: Broker::peer_removed
+   :source-code: base/bif/comm.bif.zeek 59 59
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
+
+   Generated when the local endpoint has removed its peering with another
+   endpoint. This event can fire for multiple reasons, such as a local call to
+   :zeek:see:`Broker::unpeer`, or because Broker autonomously decides to
+   unpeer. One reason it might do this is message I/O backpressure overflow,
+   meaning that the remote peer cannot keep up with the stream of messages the
+   local endpoint sends it. Regardless of the cause, the remote endpoint will
+   locally trigger a corresponding :zeek:see:`Broker::peer_lost` event once the
+   peering ends. These events are independent of the original directionality of
+   TCP connection establishment and only reflect which endpoint terminates the
+   peering.
+   
+
+   :param endpoint: the removed endpoint's Broker ID and connection information.
+   
+
+   :param msg: a message providing additional context. If backpressure overflow
+        caused this unpeering, the message contains the string
+        *caf::sec::backpressure_overflow*.
+   
+   .. zeek:see:: Broker::peer_added Broker::peer_lost
+      Broker::endpoint_discovered Broker::endpoint_unreachable
+      Broker::status Broker::error
+
+.. zeek:id:: Broker::status
+   :source-code: base/bif/comm.bif.zeek 96 96
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Broker::EndpointInfo`, msg: :zeek:type:`string`)
+
+   Generated when an unspecified change occurs in Broker. This event only fires
+   when the status change isn't covered by more specific Broker events. The
+   provided message string may be empty.
+   
+
+   :param endpoint: the Broker ID and connection information, if available,
+             of the endpoint the update relates to.
+   
+
+   :param msg: a message providing additional context.
+   
+   .. zeek:see:: Broker::peer_added Broker::peer_removed Broker::peer_lost
+      Broker::endpoint_discovered Broker::endpoint_unreachable Broker::error
+
+Functions
+#########
+.. zeek:id:: Broker::__is_outbound_peering
+   :source-code: base/bif/comm.bif.zeek 167 167
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__listen
+   :source-code: base/bif/comm.bif.zeek 155 155
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`, proto: :zeek:type:`Broker::BrokerProtocol`) : :zeek:type:`port`
+
+
+.. zeek:id:: Broker::__node_id
+   :source-code: base/bif/comm.bif.zeek 173 173
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+
+.. zeek:id:: Broker::__peer
+   :source-code: base/bif/comm.bif.zeek 158 158
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`, retry: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__peer_no_retry
+   :source-code: base/bif/comm.bif.zeek 161 161
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__peering_stats
+   :source-code: base/bif/comm.bif.zeek 176 176
+
+   :Type: :zeek:type:`function` () : :zeek:type:`BrokerPeeringStatsTable`
+
+
+.. zeek:id:: Broker::__peers
+   :source-code: base/bif/comm.bif.zeek 170 170
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::PeerInfos`
+
+
+.. zeek:id:: Broker::__unpeer
+   :source-code: base/bif/comm.bif.zeek 164 164
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`) : :zeek:type:`bool`
+
+
+
diff --git a/doc/scripts/base/bif/communityid.bif.zeek.rst b/doc/scripts/base/bif/communityid.bif.zeek.rst
new file mode 100644
index 0000000000..0bc30215d0
--- /dev/null
+++ b/doc/scripts/base/bif/communityid.bif.zeek.rst
@@ -0,0 +1,37 @@
+:tocdepth: 3
+
+base/bif/communityid.bif.zeek
+=============================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================= ================================================================
+:zeek:id:`community_id_v1`: :zeek:type:`function` Compute the Community ID hash (v1) from a connection identifier.
+================================================= ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: community_id_v1
+   :source-code: base/bif/communityid.bif.zeek 12 12
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, seed: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`, do_base64: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Compute the Community ID hash (v1) from a connection identifier.
+   
+
+   :param cid: The identifier of the connection for which to compute the community-id.
+   
+
+   :returns: The Community ID hash of the connection identifier as string.
+   
+
+
diff --git a/doc/scripts/base/bif/const.bif.zeek.rst b/doc/scripts/base/bif/const.bif.zeek.rst
new file mode 100644
index 0000000000..b0567bd019
--- /dev/null
+++ b/doc/scripts/base/bif/const.bif.zeek.rst
@@ -0,0 +1,18 @@
+:tocdepth: 3
+
+base/bif/const.bif.zeek
+=======================
+.. zeek:namespace:: GLOBAL
+
+Declaration of various scripting-layer constants that the Zeek core uses
+internally.  Documentation and default values for the scripting-layer
+variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/data.bif.zeek.rst b/doc/scripts/base/bif/data.bif.zeek.rst
new file mode 100644
index 0000000000..0f3bcbaa8e
--- /dev/null
+++ b/doc/scripts/base/bif/data.bif.zeek.rst
@@ -0,0 +1,372 @@
+:tocdepth: 3
+
+base/bif/data.bif.zeek
+======================
+.. zeek:namespace:: Broker
+.. zeek:namespace:: GLOBAL
+
+Functions for inspecting and manipulating broker data.
+
+:Namespaces: Broker, GLOBAL
+
+Summary
+~~~~~~~
+Types
+#####
+================================================ =====================================================================
+:zeek:type:`Broker::DataType`: :zeek:type:`enum` Enumerates the possible types that :zeek:see:`Broker::Data` may be in
+                                                 terms of Zeek data types.
+================================================ =====================================================================
+
+Functions
+#########
+============================================================================== =
+:zeek:id:`Broker::__data`: :zeek:type:`function`                               
+:zeek:id:`Broker::__data_type`: :zeek:type:`function`                          
+:zeek:id:`Broker::__opaque_clone_through_serialization`: :zeek:type:`function` 
+:zeek:id:`Broker::__record_assign`: :zeek:type:`function`                      
+:zeek:id:`Broker::__record_create`: :zeek:type:`function`                      
+:zeek:id:`Broker::__record_iterator`: :zeek:type:`function`                    
+:zeek:id:`Broker::__record_iterator_last`: :zeek:type:`function`               
+:zeek:id:`Broker::__record_iterator_next`: :zeek:type:`function`               
+:zeek:id:`Broker::__record_iterator_value`: :zeek:type:`function`              
+:zeek:id:`Broker::__record_lookup`: :zeek:type:`function`                      
+:zeek:id:`Broker::__record_size`: :zeek:type:`function`                        
+:zeek:id:`Broker::__set_clear`: :zeek:type:`function`                          
+:zeek:id:`Broker::__set_contains`: :zeek:type:`function`                       
+:zeek:id:`Broker::__set_create`: :zeek:type:`function`                         
+:zeek:id:`Broker::__set_insert`: :zeek:type:`function`                         
+:zeek:id:`Broker::__set_iterator`: :zeek:type:`function`                       
+:zeek:id:`Broker::__set_iterator_last`: :zeek:type:`function`                  
+:zeek:id:`Broker::__set_iterator_next`: :zeek:type:`function`                  
+:zeek:id:`Broker::__set_iterator_value`: :zeek:type:`function`                 
+:zeek:id:`Broker::__set_remove`: :zeek:type:`function`                         
+:zeek:id:`Broker::__set_size`: :zeek:type:`function`                           
+:zeek:id:`Broker::__table_clear`: :zeek:type:`function`                        
+:zeek:id:`Broker::__table_contains`: :zeek:type:`function`                     
+:zeek:id:`Broker::__table_create`: :zeek:type:`function`                       
+:zeek:id:`Broker::__table_insert`: :zeek:type:`function`                       
+:zeek:id:`Broker::__table_iterator`: :zeek:type:`function`                     
+:zeek:id:`Broker::__table_iterator_last`: :zeek:type:`function`                
+:zeek:id:`Broker::__table_iterator_next`: :zeek:type:`function`                
+:zeek:id:`Broker::__table_iterator_value`: :zeek:type:`function`               
+:zeek:id:`Broker::__table_lookup`: :zeek:type:`function`                       
+:zeek:id:`Broker::__table_remove`: :zeek:type:`function`                       
+:zeek:id:`Broker::__table_size`: :zeek:type:`function`                         
+:zeek:id:`Broker::__vector_clear`: :zeek:type:`function`                       
+:zeek:id:`Broker::__vector_create`: :zeek:type:`function`                      
+:zeek:id:`Broker::__vector_insert`: :zeek:type:`function`                      
+:zeek:id:`Broker::__vector_iterator`: :zeek:type:`function`                    
+:zeek:id:`Broker::__vector_iterator_last`: :zeek:type:`function`               
+:zeek:id:`Broker::__vector_iterator_next`: :zeek:type:`function`               
+:zeek:id:`Broker::__vector_iterator_value`: :zeek:type:`function`              
+:zeek:id:`Broker::__vector_lookup`: :zeek:type:`function`                      
+:zeek:id:`Broker::__vector_remove`: :zeek:type:`function`                      
+:zeek:id:`Broker::__vector_replace`: :zeek:type:`function`                     
+:zeek:id:`Broker::__vector_size`: :zeek:type:`function`                        
+============================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Broker::DataType
+   :source-code: base/bif/data.bif.zeek 14 14
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::NONE Broker::DataType
+
+      .. zeek:enum:: Broker::BOOL Broker::DataType
+
+      .. zeek:enum:: Broker::INT Broker::DataType
+
+      .. zeek:enum:: Broker::COUNT Broker::DataType
+
+      .. zeek:enum:: Broker::DOUBLE Broker::DataType
+
+      .. zeek:enum:: Broker::STRING Broker::DataType
+
+      .. zeek:enum:: Broker::ADDR Broker::DataType
+
+      .. zeek:enum:: Broker::SUBNET Broker::DataType
+
+      .. zeek:enum:: Broker::PORT Broker::DataType
+
+      .. zeek:enum:: Broker::TIME Broker::DataType
+
+      .. zeek:enum:: Broker::INTERVAL Broker::DataType
+
+      .. zeek:enum:: Broker::ENUM Broker::DataType
+
+      .. zeek:enum:: Broker::SET Broker::DataType
+
+      .. zeek:enum:: Broker::TABLE Broker::DataType
+
+      .. zeek:enum:: Broker::VECTOR Broker::DataType
+
+   Enumerates the possible types that :zeek:see:`Broker::Data` may be in
+   terms of Zeek data types.
+
+Functions
+#########
+.. zeek:id:: Broker::__data
+   :source-code: base/bif/data.bif.zeek 37 37
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__data_type
+   :source-code: base/bif/data.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`Broker::Data`) : :zeek:type:`Broker::DataType`
+
+
+.. zeek:id:: Broker::__opaque_clone_through_serialization
+   :source-code: base/bif/data.bif.zeek 44 44
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`any`) : :zeek:type:`any`
+
+
+.. zeek:id:: Broker::__record_assign
+   :source-code: base/bif/data.bif.zeek 149 149
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__record_create
+   :source-code: base/bif/data.bif.zeek 143 143
+
+   :Type: :zeek:type:`function` (sz: :zeek:type:`count`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__record_iterator
+   :source-code: base/bif/data.bif.zeek 155 155
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::RecordIterator
+
+
+.. zeek:id:: Broker::__record_iterator_last
+   :source-code: base/bif/data.bif.zeek 158 158
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__record_iterator_next
+   :source-code: base/bif/data.bif.zeek 161 161
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__record_iterator_value
+   :source-code: base/bif/data.bif.zeek 164 164
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__record_lookup
+   :source-code: base/bif/data.bif.zeek 152 152
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__record_size
+   :source-code: base/bif/data.bif.zeek 146 146
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`) : :zeek:type:`count`
+
+
+.. zeek:id:: Broker::__set_clear
+   :source-code: base/bif/data.bif.zeek 50 50
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__set_contains
+   :source-code: base/bif/data.bif.zeek 56 56
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__set_create
+   :source-code: base/bif/data.bif.zeek 47 47
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__set_insert
+   :source-code: base/bif/data.bif.zeek 59 59
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__set_iterator
+   :source-code: base/bif/data.bif.zeek 65 65
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::SetIterator
+
+
+.. zeek:id:: Broker::__set_iterator_last
+   :source-code: base/bif/data.bif.zeek 68 68
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__set_iterator_next
+   :source-code: base/bif/data.bif.zeek 71 71
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__set_iterator_value
+   :source-code: base/bif/data.bif.zeek 74 74
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__set_remove
+   :source-code: base/bif/data.bif.zeek 62 62
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__set_size
+   :source-code: base/bif/data.bif.zeek 53 53
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`count`
+
+
+.. zeek:id:: Broker::__table_clear
+   :source-code: base/bif/data.bif.zeek 80 80
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__table_contains
+   :source-code: base/bif/data.bif.zeek 86 86
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__table_create
+   :source-code: base/bif/data.bif.zeek 77 77
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__table_insert
+   :source-code: base/bif/data.bif.zeek 89 89
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`, val: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__table_iterator
+   :source-code: base/bif/data.bif.zeek 98 98
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::TableIterator
+
+
+.. zeek:id:: Broker::__table_iterator_last
+   :source-code: base/bif/data.bif.zeek 101 101
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__table_iterator_next
+   :source-code: base/bif/data.bif.zeek 104 104
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__table_iterator_value
+   :source-code: base/bif/data.bif.zeek 107 107
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`Broker::TableItem`
+
+
+.. zeek:id:: Broker::__table_lookup
+   :source-code: base/bif/data.bif.zeek 95 95
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__table_remove
+   :source-code: base/bif/data.bif.zeek 92 92
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__table_size
+   :source-code: base/bif/data.bif.zeek 83 83
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`count`
+
+
+.. zeek:id:: Broker::__vector_clear
+   :source-code: base/bif/data.bif.zeek 113 113
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__vector_create
+   :source-code: base/bif/data.bif.zeek 110 110
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__vector_insert
+   :source-code: base/bif/data.bif.zeek 119 119
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__vector_iterator
+   :source-code: base/bif/data.bif.zeek 131 131
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::VectorIterator
+
+
+.. zeek:id:: Broker::__vector_iterator_last
+   :source-code: base/bif/data.bif.zeek 134 134
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__vector_iterator_next
+   :source-code: base/bif/data.bif.zeek 137 137
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__vector_iterator_value
+   :source-code: base/bif/data.bif.zeek 140 140
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__vector_lookup
+   :source-code: base/bif/data.bif.zeek 128 128
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__vector_remove
+   :source-code: base/bif/data.bif.zeek 125 125
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__vector_replace
+   :source-code: base/bif/data.bif.zeek 122 122
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+
+.. zeek:id:: Broker::__vector_size
+   :source-code: base/bif/data.bif.zeek 116 116
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`count`
+
+
+
diff --git a/doc/scripts/base/bif/event.bif.zeek.rst b/doc/scripts/base/bif/event.bif.zeek.rst
new file mode 100644
index 0000000000..80b8c90d35
--- /dev/null
+++ b/doc/scripts/base/bif/event.bif.zeek.rst
@@ -0,0 +1,1332 @@
+:tocdepth: 3
+
+base/bif/event.bif.zeek
+=======================
+.. zeek:namespace:: GLOBAL
+
+The protocol-independent events that the C/C++ core of Zeek can generate.
+
+This is mostly events not related to a specific transport- or
+application-layer protocol, but also includes a few that may be generated
+by more than one protocols analyzer (like events generated by both UDP and
+TCP analysis.)
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================================== =======================================================================================
+:zeek:id:`Pcap::file_done`: :zeek:type:`event`                              An event that signals a pcap file is done being processed.
+:zeek:id:`analyzer_confirmation_info`: :zeek:type:`event`                   Generated when an analyzer confirms successful parsing of a protocol, file, or packets.
+:zeek:id:`analyzer_violation_info`: :zeek:type:`event`                      Generated for analyzer violations when parsing of a protocol, file, or packet.
+:zeek:id:`anonymization_mapping`: :zeek:type:`event`                        Shows an IP address anonymization mapping.
+:zeek:id:`conn_stats`: :zeek:type:`event`                                   Generated when a TCP connection terminated, passing on statistics about the
+                                                                            two endpoints.
+:zeek:id:`conn_weird`: :zeek:type:`event`                                   Generated for unexpected activity related to a specific connection.
+:zeek:id:`connection_flipped`: :zeek:type:`event`                           Generated for a connection when the direction was flipped by Zeek's
+                                                                            heuristics and originator and responder roles were reversed.
+:zeek:id:`connection_flow_label_changed`: :zeek:type:`event`                Generated for a connection over IPv6 when one direction has changed
+                                                                            the flow label that it's using.
+:zeek:id:`connection_reused`: :zeek:type:`event`                            Generated when a connection 4-tuple is reused.
+:zeek:id:`connection_state_remove`: :zeek:type:`event`                      Generated when a connection's internal state is about to be removed from
+                                                                            memory.
+:zeek:id:`connection_status_update`: :zeek:type:`event`                     Generated in regular intervals during the lifetime of a connection.
+:zeek:id:`connection_timeout`: :zeek:type:`event`                           Generated when a TCP connection timed out.
+:zeek:id:`content_gap`: :zeek:type:`event`                                  Generated when Zeek detects a gap in a reassembled TCP payload stream.
+:zeek:id:`dns_mapping_altered`: :zeek:type:`event`                          Generated when an internal DNS lookup produced a different result than in
+                                                                            the past.
+:zeek:id:`dns_mapping_lost_name`: :zeek:type:`event`                        Generated when an internal DNS lookup returned zero answers even though it
+                                                                            had succeeded in the past.
+:zeek:id:`dns_mapping_name_changed`: :zeek:type:`event`                     Generated when an internal DNS lookup returns a different host name than
+                                                                            in the past.
+:zeek:id:`dns_mapping_new_name`: :zeek:type:`event`                         Generated when an internal DNS lookup succeeded but an earlier attempt
+                                                                            did not.
+:zeek:id:`dns_mapping_unverified`: :zeek:type:`event`                       Generated when an internal DNS lookup got no answer even though it had
+                                                                            succeeded in the past.
+:zeek:id:`dns_mapping_valid`: :zeek:type:`event`                            Generated when an internal DNS lookup produces the same result as last time.
+:zeek:id:`esp_packet`: :zeek:type:`event`                                   Generated for any packets using the IPv6 Encapsulating Security Payload (ESP)
+                                                                            extension header.
+:zeek:id:`event_queue_flush_point`: :zeek:type:`event`                      Marks a point in the event stream at which the event queue started flushing.
+:zeek:id:`expired_conn_weird`: :zeek:type:`event`                           Generated for unexpected activity related to a specific connection whose
+                                                                            internal state has already been expired.
+:zeek:id:`file_gap`: :zeek:type:`event`                                     Indicates that a chunk of the file is missing.
+:zeek:id:`file_new`: :zeek:type:`event`                                     Indicates that analysis of a new file has begun.
+:zeek:id:`file_opened`: :zeek:type:`event`                                  Generated each time Zeek's script interpreter opens a file.
+:zeek:id:`file_over_new_connection`: :zeek:type:`event`                     Indicates that Zeek has begun to observe a file for the first time on the
+                                                                            given connection.
+:zeek:id:`file_reassembly_overflow`: :zeek:type:`event`                     Indicates that the file had an overflow of the reassembly buffer.
+:zeek:id:`file_sniff`: :zeek:type:`event`                                   Provide all metadata that has been inferred about a particular file
+                                                                            from inspection of the initial content that been seen at the beginning
+                                                                            of the file.
+:zeek:id:`file_state_remove`: :zeek:type:`event`                            This event is generated each time file analysis is ending for a given file.
+:zeek:id:`file_timeout`: :zeek:type:`event`                                 Indicates that file analysis has timed out because no activity was seen
+                                                                            for the file in a while.
+:zeek:id:`file_weird`: :zeek:type:`event`                                   Generated for unexpected activity that is tied to a file.
+:zeek:id:`flow_weird`: :zeek:type:`event`                                   Generated for unexpected activity related to a pair of hosts, but independent
+                                                                            of a specific connection.
+:zeek:id:`get_file_handle`: :zeek:type:`event`                              This event is handled to provide feedback to the file analysis framework
+                                                                            about how to identify the logical "file" to which some data/input
+                                                                            belongs.
+:zeek:id:`ipv6_ext_headers`: :zeek:type:`event`                             Generated for every IPv6 packet that contains extension headers.
+:zeek:id:`mobile_ipv6_message`: :zeek:type:`event`                          Generated for any packet using a Mobile IPv6 Mobility Header.
+:zeek:id:`net_done`: :zeek:type:`event`                                     Generated as one of the first steps of Zeek's main-loop termination, just
+                                                                            before it starts to flush any remaining events/timers/state.
+:zeek:id:`net_weird`: :zeek:type:`event`                                    Generated for unexpected activity that is not tied to a specific connection
+                                                                            or pair of hosts.
+:zeek:id:`network_time_init`: :zeek:type:`event`                            Generated when network time is initialized.
+:zeek:id:`new_connection`: :zeek:type:`event`                               Generated for every new connection.
+:zeek:id:`new_event`: :zeek:type:`event`                                    A meta event generated for events that Zeek raises.
+:zeek:id:`new_packet`: :zeek:type:`event`                                   Generated for all packets that make it into Zeek's connection processing.
+:zeek:id:`packet_contents`: :zeek:type:`event`                              Generated for every packet that has a non-empty transport-layer payload.
+:zeek:id:`packet_not_processed`: :zeek:type:`event`                         An event for handling packets that reached the end of processing without
+                                                                            being marked as processed.
+:zeek:id:`profiling_update`: :zeek:type:`event`                             Generated each time Zeek's internal profiling log is updated.
+:zeek:id:`protocol_late_match`: :zeek:type:`event`                          Generated if a DPD signature matched but the DPD buffer is already exhausted
+                                                                            and thus the analyzer could not be attached.
+:zeek:id:`raw_packet`: :zeek:type:`event`                                   Generated for every packet Zeek sees that have a valid link-layer header.
+:zeek:id:`reporter_error`: :zeek:type:`event` :zeek:attr:`&error_handler`   Raised for errors reported via Zeek's reporter framework.
+:zeek:id:`reporter_info`: :zeek:type:`event` :zeek:attr:`&error_handler`    Raised for informational messages reported via Zeek's reporter framework.
+:zeek:id:`reporter_warning`: :zeek:type:`event` :zeek:attr:`&error_handler` Raised for warnings reported via Zeek's reporter framework.
+:zeek:id:`rexmit_inconsistency`: :zeek:type:`event`                         Generated when Zeek detects a TCP retransmission inconsistency.
+:zeek:id:`scheduled_analyzer_applied`: :zeek:type:`event`                   Generated when a connection is seen that is marked as being expected.
+:zeek:id:`signature_match`: :zeek:type:`event`                              Generated when a signature matches.
+:zeek:id:`tunnel_changed`: :zeek:type:`event`                               Generated for a connection whose tunneling has changed.
+:zeek:id:`udp_session_done`: :zeek:type:`event`                             Generated when a UDP session for a supported protocol has finished.
+:zeek:id:`unknown_protocol`: :zeek:type:`event`                             Generated when a packet analyzer attempts to forward a protocol that it doesn't
+                                                                            know how to handle.
+:zeek:id:`zeek_done`: :zeek:type:`event`                                    Generated at Zeek termination time.
+:zeek:id:`zeek_init`: :zeek:type:`event`                                    Generated at Zeek initialization time.
+:zeek:id:`zeek_script_loaded`: :zeek:type:`event`                           Raised for each policy script loaded by the script interpreter.
+=========================================================================== =======================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: Pcap::file_done
+   :source-code: base/bif/event.bif.zeek 948 948
+
+   :Type: :zeek:type:`event` (path: :zeek:type:`string`)
+
+   An event that signals a pcap file is done being processed.
+   
+
+   :param path: the filesystem path of the pcap file
+
+.. zeek:id:: analyzer_confirmation_info
+   :source-code: base/bif/event.bif.zeek 411 411
+
+   :Type: :zeek:type:`event` (atype: :zeek:type:`AllAnalyzers::Tag`, info: :zeek:type:`AnalyzerConfirmationInfo`)
+
+   Generated when an analyzer confirms successful parsing of a protocol, file, or packets.
+   
+
+   :param atype: The type of the analyzer confirming analysis. The value may be associated
+          with a protocol, file or packet analyzer.
+   
+
+   :param info: Details about the confirmation, which may include a :zeek:type:`connection`
+         object or :zeek:type:`fa_file` object related to the confirmation.
+   
+   .. note::
+   
+      For packet analyzers, a confirmation is only raised if there's a session
+      (connection) associated with a given packet. Confirmations are raised only
+      once per session. Tunnel protocols like VXLAN or Geneve are examples for
+      this behavior.
+   
+   .. zeek:see:: is_protocol_analyzer is_packet_analyzer is_file_analyzer
+
+.. zeek:id:: analyzer_violation_info
+   :source-code: base/bif/event.bif.zeek 424 424
+
+   :Type: :zeek:type:`event` (atype: :zeek:type:`AllAnalyzers::Tag`, info: :zeek:type:`AnalyzerViolationInfo`)
+
+   Generated for analyzer violations when parsing of a protocol, file, or packet.
+   
+
+   :param atype: The type of the analyzer reporting the violation. The value may be associated
+          with a protocol, file or packet analyzer.
+   
+
+   :param info: Details about the violation. This record may include a :zeek:type:`connection`
+         object or :zeek:type:`fa_file` and optionally the raw data as :zeek:type:`string`
+         related to this violation.
+   
+   .. zeek:see:: is_protocol_analyzer is_packet_analyzer is_file_analyzer
+
+.. zeek:id:: anonymization_mapping
+   :source-code: base/bif/event.bif.zeek 942 942
+
+   :Type: :zeek:type:`event` (orig: :zeek:type:`addr`, mapped: :zeek:type:`addr`)
+
+   Shows an IP address anonymization mapping.
+
+.. zeek:id:: conn_stats
+   :source-code: base/bif/event.bif.zeek 453 453
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, os: :zeek:type:`endpoint_stats`, rs: :zeek:type:`endpoint_stats`)
+
+   Generated when a TCP connection terminated, passing on statistics about the
+   two endpoints. This event is always generated when Zeek flushes the internal
+   connection state, independent of how a connection terminates.
+   
+
+   :param c: The connection.
+   
+
+   :param os: Statistics for the originator endpoint.
+   
+
+   :param rs: Statistics for the responder endpoint.
+   
+   .. zeek:see:: connection_state_remove
+
+.. zeek:id:: conn_weird
+   :source-code: base/bif/event.bif.zeek 479 479
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`, addl: :zeek:type:`string`, source: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`, addl: :zeek:type:`string`)
+
+   Generated for unexpected activity related to a specific connection.  When
+   Zeek's packet analysis encounters activity that does not conform to a
+   protocol's specification, it raises one of the ``*_weird`` events to report
+   that. This event is raised if the activity is tied directly to a specific
+   connection.
+   
+
+   :param name: A unique name for the specific type of "weird" situation. Zeek's default
+         scripts use this name in filtering policies that specify which
+         "weirds" are worth reporting.
+   
+
+   :param c: The corresponding connection.
+   
+
+   :param addl: Optional additional context further describing the situation.
+   
+
+   :param source: Optional source for the weird. When called by analyzers, this should
+           be filled in with the name of the analyzer.
+   
+   .. zeek:see:: flow_weird net_weird file_weird expired_conn_weird
+   
+   .. note:: "Weird" activity is much more common in real-world network traffic
+      than one would intuitively expect. While in principle, any protocol
+      violation could be an attack attempt, it's much more likely that an
+      endpoint's implementation interprets an RFC quite liberally.
+
+.. zeek:id:: connection_flipped
+   :source-code: base/protocols/conn/main.zeek 319 327
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a connection when the direction was flipped by Zeek's
+   heuristics and originator and responder roles were reversed. If state is
+   kept on a connection record for originator and responder, this event
+   can be used to update or reset such state. The ``orig`` and ``resp`` fields
+   as well as the contents of the ``id`` field reflect the post-flip state.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_established new_connection
+
+.. zeek:id:: connection_flow_label_changed
+   :source-code: base/bif/event.bif.zeek 236 236
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, old_label: :zeek:type:`count`, new_label: :zeek:type:`count`)
+
+   Generated for a connection over IPv6 when one direction has changed
+   the flow label that it's using.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param old_label: The old flow label that the endpoint was using.
+   
+
+   :param new_label: The new flow label that the endpoint is using.
+   
+   .. zeek:see:: connection_established new_connection
+
+.. zeek:id:: connection_reused
+   :source-code: base/protocols/ftp/main.zeek 460 464
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a connection 4-tuple is reused. This event is raised when Zeek
+   sees a new TCP session or UDP flow using a 4-tuple matching that of an
+   earlier connection it still considers active.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_state_remove
+   :source-code: base/bif/event.bif.zeek 179 179
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a connection's internal state is about to be removed from
+   memory. Zeek generates this event reliably once for every connection when it
+   is about to delete the internal state. As such, the event is well-suited for
+   script-level cleanup that needs to be performed for every connection.  This
+   event is generated not only for TCP sessions but also for UDP and ICMP
+   flows.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection udp_inactivity_timeout
+      tcp_inactivity_timeout icmp_inactivity_timeout unknown_ip_inactivity_timeout
+      conn_stats
+
+.. zeek:id:: connection_status_update
+   :source-code: base/bif/event.bif.zeek 209 209
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated in regular intervals during the lifetime of a connection. The
+   event is raised each ``connection_status_update_interval`` seconds
+   and can be used to check conditions on a regular basis.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_state_remove  connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_timeout
+   :source-code: base/bif/event.bif.zeek 159 159
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a TCP connection timed out. This event is raised when
+   no activity was seen for an interval of at least
+   :zeek:id:`tcp_connection_linger`, and either one endpoint has already
+   closed the connection or one side never became active.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_state_remove connection_status_update
+      scheduled_analyzer_applied new_connection new_connection_contents
+      partial_connection
+   
+   .. note::
+   
+      The precise semantics of this event can be unintuitive as it only
+      covers a subset of cases where a connection times out. Often, handling
+      :zeek:id:`connection_state_remove` is the better option. That one will be
+      generated reliably when an interval of ``tcp_inactivity_timeout`` has
+      passed without any activity seen (but also for all other ways a
+      connection may terminate).
+
+.. zeek:id:: content_gap
+   :source-code: base/bif/event.bif.zeek 392 392
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, seq: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated when Zeek detects a gap in a reassembled TCP payload stream. This
+   event is raised when Zeek, while reassembling a payload stream, determines
+   that a chunk of payload is missing (e.g., because the responder has already
+   acknowledged it, even though Zeek didn't see it).
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the gap is on the originator's side.
+   
+
+   :param seq: The sequence number where the gap starts.
+   
+
+   :param length: The number of bytes missing.
+   
+   .. note::
+   
+      Content gaps tend to occur occasionally for various reasons, including
+      broken TCP stacks. If, however, one finds lots of them, that typically
+      means that there is a problem with the monitoring infrastructure such as
+      a tap dropping packets, split routing on the path, or reordering at the
+      tap.
+
+.. zeek:id:: dns_mapping_altered
+   :source-code: base/bif/event.bif.zeek 926 926
+
+   :Type: :zeek:type:`event` (dm: :zeek:type:`dns_mapping`, old_addrs: :zeek:type:`addr_set`, new_addrs: :zeek:type:`addr_set`)
+
+   Generated when an internal DNS lookup produced a different result than in
+   the past.  Zeek keeps an internal DNS cache for host names and IP addresses
+   it has already resolved. This event is generated when a subsequent lookup
+   returns a different answer than we have stored in the cache.
+   
+
+   :param dm: A record describing the new resolver result.
+   
+
+   :param old_addrs: Addresses that used to be part of the returned set for the query
+              described by *dm*, but are not anymore.
+   
+
+   :param new_addrs: Addresses that were not part of the returned set for the query
+              described by *dm*, but now are.
+   
+   .. zeek:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid
+
+.. zeek:id:: dns_mapping_lost_name
+   :source-code: base/bif/event.bif.zeek 893 893
+
+   :Type: :zeek:type:`event` (dm: :zeek:type:`dns_mapping`)
+
+   Generated when an internal DNS lookup returned zero answers even though it
+   had succeeded in the past. Zeek keeps an internal DNS cache for host names
+   and IP addresses it has already resolved. This event is generated when
+   on a subsequent lookup we receive an answer that is empty even
+   though we have already stored a result in the cache.
+   
+
+   :param dm: A record describing the old resolver result.
+   
+   .. zeek:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid
+
+.. zeek:id:: dns_mapping_name_changed
+   :source-code: base/bif/event.bif.zeek 908 908
+
+   :Type: :zeek:type:`event` (prev: :zeek:type:`dns_mapping`, latest: :zeek:type:`dns_mapping`)
+
+   Generated when an internal DNS lookup returns a different host name than
+   in the past.  Zeek keeps an internal DNS cache for host names
+   and IP addresses it has already resolved. This event is generated when
+   on a subsequent lookup we receive an answer that has a different host
+   string than we already have in the cache.
+   
+
+   :param prev: A record describing the old resolver result.
+
+   :param latest: A record describing the new resolver result.
+   
+   .. zeek:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid
+
+.. zeek:id:: dns_mapping_new_name
+   :source-code: base/bif/event.bif.zeek 880 880
+
+   :Type: :zeek:type:`event` (dm: :zeek:type:`dns_mapping`)
+
+   Generated when an internal DNS lookup succeeded but an earlier attempt
+   did not. Zeek keeps an internal DNS cache for host names and IP
+   addresses it has already resolved. This event is generated when a subsequent
+   lookup produces an answer for a query that was marked as failed in the cache.
+   
+
+   :param dm: A record describing the new resolver result.
+   
+   .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified
+      dns_mapping_valid
+
+.. zeek:id:: dns_mapping_unverified
+   :source-code: base/bif/event.bif.zeek 868 868
+
+   :Type: :zeek:type:`event` (dm: :zeek:type:`dns_mapping`)
+
+   Generated when an internal DNS lookup got no answer even though it had
+   succeeded in the past. Zeek keeps an internal DNS cache for host names and IP
+   addresses it has already resolved. This event is generated when a
+   subsequent lookup does not produce an answer even though we have
+   already stored a result in the cache.
+   
+
+   :param dm: A record describing the old resolver result.
+   
+   .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_valid
+
+.. zeek:id:: dns_mapping_valid
+   :source-code: base/bif/event.bif.zeek 855 855
+
+   :Type: :zeek:type:`event` (dm: :zeek:type:`dns_mapping`)
+
+   Generated when an internal DNS lookup produces the same result as last time.
+   Zeek keeps an internal DNS cache for host names and IP addresses it has
+   already resolved. This event is generated when a subsequent lookup returns
+   the same result as stored in the cache.
+   
+
+   :param dm: A record describing the new resolver result (which matches the old one).
+   
+   .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified
+
+.. zeek:id:: esp_packet
+   :source-code: base/bif/event.bif.zeek 322 322
+
+   :Type: :zeek:type:`event` (p: :zeek:type:`pkt_hdr`)
+
+   Generated for any packets using the IPv6 Encapsulating Security Payload (ESP)
+   extension header.
+   
+
+   :param p: Information from the header of the packet that triggered the event.
+   
+   .. zeek:see:: new_packet tcp_packet ipv6_ext_headers
+
+.. zeek:id:: event_queue_flush_point
+   :source-code: base/bif/event.bif.zeek 719 719
+
+   :Type: :zeek:type:`event` ()
+
+   Marks a point in the event stream at which the event queue started flushing.
+
+.. zeek:id:: expired_conn_weird
+   :source-code: base/frameworks/notice/weird.zeek 432 444
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, id: :zeek:type:`conn_id`, uid: :zeek:type:`string`, addl: :zeek:type:`string`, source: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, id: :zeek:type:`conn_id`, uid: :zeek:type:`string`, addl: :zeek:type:`string`)
+
+   Generated for unexpected activity related to a specific connection whose
+   internal state has already been expired.  That is to say,
+   :zeek:see:`Reporter::conn_weird` may have been called from a script, but
+   the internal connection object/state was expired and so the full
+   :zeek:see:`connection` record is no longer available, just the UID
+   and :zeek:see:`conn_id`.
+   When Zeek's packet analysis encounters activity that does not conform to a
+   protocol's specification, it raises one of the ``*_weird`` events to report
+   that. This event is raised if the activity is tied directly to a specific
+   connection.
+   
+
+   :param name: A unique name for the specific type of "weird" situation. Zeek's default
+         scripts use this name in filtering policies that specify which
+         "weirds" are worth reporting.
+   
+
+   :param id: The tuple associated with a previously-expired connection.
+   
+
+   :param uid: The UID string associated with a previously-expired connection.
+   
+
+   :param addl: Optional additional context further describing the situation.
+   
+
+   :param source: Optional source for the weird. When called by analyzers, this should
+           be filled in with the name of the analyzer.
+   
+   .. zeek:see:: flow_weird net_weird file_weird conn_weird
+   
+   .. note:: "Weird" activity is much more common in real-world network traffic
+      than one would intuitively expect. While in principle, any protocol
+      violation could be an attack attempt, it's much more likely that an
+      endpoint's implementation interprets an RFC quite liberally.
+
+.. zeek:id:: file_gap
+   :source-code: base/bif/event.bif.zeek 814 814
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, offset: :zeek:type:`count`, len: :zeek:type:`count`)
+
+   Indicates that a chunk of the file is missing.
+   
+
+   :param f: The file.
+   
+
+   :param offset: The byte offset from the start of the file at which the gap begins.
+   
+
+   :param len: The number of missing bytes.
+   
+   .. zeek:see:: file_new file_over_new_connection file_timeout
+      file_sniff file_state_remove file_reassembly_overflow
+
+.. zeek:id:: file_new
+   :source-code: base/bif/event.bif.zeek 752 752
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`)
+
+   Indicates that analysis of a new file has begun.  The analysis can be
+   augmented at this time via :zeek:see:`Files::add_analyzer`.  This event
+   triggers once when Zeek first establishes state for the file.  Zeek does not
+   base identity on content (it cannot, since analysis has only just begun), but
+   on the relevant protocol analyzer's notion of file identity as per the
+   :zeek:see:`get_file_handle`/:zeek:see:`set_file_handle` mechanism.  That is,
+   Zeek triggers this event whenever a protocol analyzer thinks it's
+   encountering a new file.
+   
+
+   :param f: The file.
+   
+   .. zeek:see:: file_over_new_connection file_timeout file_gap
+      file_sniff file_state_remove
+
+.. zeek:id:: file_opened
+   :source-code: base/bif/event.bif.zeek 715 715
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`file`)
+
+   Generated each time Zeek's script interpreter opens a file. This event is
+   triggered only for files opened via :zeek:id:`open`, and in particular not for
+   normal log files as created by log writers.
+   
+
+   :param f: The opened file.
+
+.. zeek:id:: file_over_new_connection
+   :source-code: base/bif/event.bif.zeek 771 771
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Indicates that Zeek has begun to observe a file for the first time on the
+   given connection.  This is similar to :zeek:see:`file_new`, but also triggers
+   once on each subsequent connection in which the relevant protocol analyzer
+   encounters any part of the file.  As with :zeek:see:`file_new`, the protocol
+   analyzer defines file identity.  When Zeek encounters a file for the first
+   time, it first triggers :zeek:see:`file_new`, then
+   :zeek:see:`file_over_new_connection`.
+   
+
+   :param f: The file.
+   
+
+   :param c: The new connection over which the file is seen being transferred.
+   
+
+   :param is_orig: true if the originator of *c* is the one sending the file.
+   
+   .. zeek:see:: file_new file_timeout file_gap file_sniff
+      file_state_remove
+
+.. zeek:id:: file_reassembly_overflow
+   :source-code: base/bif/event.bif.zeek 834 834
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, offset: :zeek:type:`count`, skipped: :zeek:type:`count`)
+
+   Indicates that the file had an overflow of the reassembly buffer.
+   This is a specialization of the :zeek:id:`file_gap` event.
+   
+
+   :param f: The file.
+   
+
+   :param offset: The byte offset from the start of the file at which the reassembly
+           couldn't continue due to running out of reassembly buffer space.
+   
+
+   :param skipped: The number of bytes of the file skipped over to flush some
+            file data and get back under the reassembly buffer size limit.
+            This value will also be represented as a gap.
+   
+   .. zeek:see:: file_new file_over_new_connection file_timeout
+      file_sniff file_state_remove file_gap
+      Files::enable_reassembler Files::reassembly_buffer_size
+      Files::enable_reassembly Files::disable_reassembly
+      Files::set_reassembly_buffer_size
+
+.. zeek:id:: file_sniff
+   :source-code: base/bif/event.bif.zeek 790 790
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, meta: :zeek:type:`fa_metadata`)
+
+   Provide all metadata that has been inferred about a particular file
+   from inspection of the initial content that been seen at the beginning
+   of the file.  The analysis can be augmented at this time via
+   :zeek:see:`Files::add_analyzer`.  The amount of data fed into the file
+   sniffing can be increased or decreased by changing either
+   :zeek:see:`default_file_bof_buffer_size` or the ``bof_buffer_size`` field
+   in an :zeek:type:`fa_file` record. The event will be raised even if content inspection
+   has been unable to infer any metadata, in which case the fields in *meta*
+   will be left all unset.
+   
+
+   :param f: The file.
+   
+
+   :param meta: Metadata that's been discovered about the file.
+   
+   .. zeek:see:: file_over_new_connection file_timeout file_gap
+      file_state_remove
+
+.. zeek:id:: file_state_remove
+   :source-code: base/bif/event.bif.zeek 843 843
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`)
+
+   This event is generated each time file analysis is ending for a given file.
+   
+
+   :param f: The file.
+   
+   .. zeek:see:: file_new file_over_new_connection file_timeout file_gap
+      file_sniff
+
+.. zeek:id:: file_timeout
+   :source-code: base/frameworks/files/main.zeek 572 576
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`)
+
+   Indicates that file analysis has timed out because no activity was seen
+   for the file in a while.
+   
+
+   :param f: The file.
+   
+   .. zeek:see:: file_new file_over_new_connection file_gap
+      file_sniff file_state_remove default_file_timeout_interval
+      Files::set_timeout_interval
+
+.. zeek:id:: file_weird
+   :source-code: base/frameworks/notice/weird.zeek 477 488
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, f: :zeek:type:`fa_file`, addl: :zeek:type:`string`, source: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, f: :zeek:type:`fa_file`, addl: :zeek:type:`string`)
+
+   Generated for unexpected activity that is tied to a file.
+   When Zeek's packet analysis encounters activity that
+   does not conform to a protocol's specification, it raises one of the
+   ``*_weird`` events to report that.
+   
+
+   :param name: A unique name for the specific type of "weird" situation. Zeek's default
+         scripts use this name in filtering policies that specify which
+         "weirds" are worth reporting.
+   
+
+   :param f: The corresponding file.
+   
+
+   :param addl: Additional information related to the weird.
+   
+
+   :param source: The name of the file analyzer that generated the weird.
+   
+   .. zeek:see:: flow_weird net_weird conn_weird expired_conn_weird
+   
+   .. note:: "Weird" activity is much more common in real-world network traffic
+      than one would intuitively expect. While in principle, any protocol
+      violation could be an attack attempt, it's much more likely that an
+      endpoint's implementation interprets an RFC quite liberally.
+
+.. zeek:id:: flow_weird
+   :source-code: base/frameworks/notice/weird.zeek 446 462
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, src: :zeek:type:`addr`, dst: :zeek:type:`addr`, addl: :zeek:type:`string`, source: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, src: :zeek:type:`addr`, dst: :zeek:type:`addr`, addl: :zeek:type:`string`)
+
+   Generated for unexpected activity related to a pair of hosts, but independent
+   of a specific connection.  When Zeek's packet analysis encounters activity
+   that does not conform to a protocol's specification, it raises one of
+   the ``*_weird`` events to report that. This event is raised if the activity
+   is related to a pair of hosts, yet not to a specific connection between
+   them.
+   
+
+   :param name: A unique name for the specific type of "weird" situation. Zeek's default
+         scripts use this name in filtering policies that specify which
+         "weirds" are worth reporting.
+   
+
+   :param src: The source address corresponding to the activity.
+   
+
+   :param dst: The destination address corresponding to the activity.
+   
+
+   :param addl: Optional additional context further describing the situation.
+   
+
+   :param source: Optional source for the weird. When called by analyzers, this should
+           be filled in with the name of the analyzer.
+   
+   .. zeek:see:: conn_weird net_weird file_weird expired_conn_weird
+   
+   .. note:: "Weird" activity is much more common in real-world network traffic
+      than one would intuitively expect. While in principle, any protocol
+      violation could be an attack attempt, it's much more likely that an
+      endpoint's implementation interprets an RFC quite liberally.
+
+.. zeek:id:: get_file_handle
+   :source-code: base/frameworks/files/main.zeek 516 532
+
+   :Type: :zeek:type:`event` (tag: :zeek:type:`Analyzer::Tag`, c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   This event is handled to provide feedback to the file analysis framework
+   about how to identify the logical "file" to which some data/input
+   belongs.  All incoming data to the framework is buffered, and depends
+   on a handler for this event to return a string value that uniquely
+   identifies a file.  Among all handlers of this event, the last one to
+   call :zeek:see:`set_file_handle` will "win".
+   
+
+   :param tag: The analyzer which is carrying the file data.
+   
+
+   :param c: The connection which is carrying the file data.
+   
+
+   :param is_orig: The direction the file data is flowing over the connection.
+   
+   .. zeek:see:: set_file_handle
+
+.. zeek:id:: ipv6_ext_headers
+   :source-code: base/bif/event.bif.zeek 313 313
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, p: :zeek:type:`pkt_hdr`)
+
+   Generated for every IPv6 packet that contains extension headers.
+   This is potentially an expensive event to handle if analysing IPv6 traffic
+   that happens to utilize extension headers frequently.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param p: Information from the header of the packet that triggered the event.
+   
+   .. zeek:see:: new_packet tcp_packet packet_contents esp_packet
+
+.. zeek:id:: mobile_ipv6_message
+   :source-code: base/bif/event.bif.zeek 330 330
+
+   :Type: :zeek:type:`event` (p: :zeek:type:`pkt_hdr`)
+
+   Generated for any packet using a Mobile IPv6 Mobility Header.
+   
+
+   :param p: Information from the header of the packet that triggered the event.
+   
+   .. zeek:see:: new_packet tcp_packet ipv6_ext_headers
+
+.. zeek:id:: net_done
+   :source-code: base/init-bare.zeek 6471 6474
+
+   :Type: :zeek:type:`event` (t: :zeek:type:`time`)
+
+   Generated as one of the first steps of Zeek's main-loop termination, just
+   before it starts to flush any remaining events/timers/state. The event
+   engine generates this event when Zeek is about to terminate, either due to
+   having exhausted reading its input trace file(s), receiving a termination
+   signal, or because Zeek was run without a network input source and has
+   finished executing any global statements.  This event comes before
+   :zeek:see:`zeek_done`.
+   
+
+   :param t: The time at with the Zeek-termination process started.
+   
+   .. zeek:see:: zeek_init zeek_done
+   
+   .. note::
+   
+      If Zeek terminates due to an invocation of :zeek:id:`exit`, then this event
+      is not generated.
+
+.. zeek:id:: net_weird
+   :source-code: base/bif/event.bif.zeek 571 571
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, addl: :zeek:type:`string`, source: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, addl: :zeek:type:`string`)
+
+   Generated for unexpected activity that is not tied to a specific connection
+   or pair of hosts. When Zeek's packet analysis encounters activity that
+   does not conform to a protocol's specification, it raises one of the
+   ``*_weird`` events to report that. This event is raised if the activity is
+   not tied directly to a specific connection or pair of hosts.
+   
+
+   :param name: A unique name for the specific type of "weird" situation. Zeek's default
+         scripts use this name in filtering policies that specify which
+         "weirds" are worth reporting.
+   
+
+   :param addl: Optional additional context further describing the situation.
+   
+
+   :param source: Optional source for the weird. When called by analyzers, this should
+           be filled in with the name of the analyzer.
+   
+   .. zeek:see:: flow_weird file_weird conn_weird expired_conn_weird
+   
+   .. note:: "Weird" activity is much more common in real-world network traffic
+      than one would intuitively expect. While in principle, any protocol
+      violation could be an attack attempt, it's much more likely that an
+      endpoint's implementation interprets an RFC quite liberally.
+
+.. zeek:id:: network_time_init
+   :source-code: base/bif/event.bif.zeek 95 95
+
+   :Type: :zeek:type:`event` ()
+
+   Generated when network time is initialized. The event engine generates this
+   event after the network time has been determined but before processing of
+   packets is started.
+   
+   .. zeek:see:: zeek_init network_time
+   
+
+.. zeek:id:: new_connection
+   :source-code: base/bif/event.bif.zeek 118 118
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for every new connection. This event is raised with the first
+   packet of a previously unknown connection. Zeek uses a flow-based definition
+   of "connection" here that includes not only TCP sessions but also UDP and
+   ICMP flows.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_state_remove connection_status_update connection_timeout
+      scheduled_analyzer_applied new_connection_contents partial_connection
+   
+   .. note::
+   
+      Handling this event is potentially expensive. For example, during a SYN
+      flooding attack, every spoofed SYN packet will lead to a new
+      event. Consider to use events like :zeek:id:`connection_established` or
+      :zeek:id:`conn_generic_packet_threshold_crossed` instead.
+
+.. zeek:id:: new_event
+   :source-code: policy/misc/dump-events.zeek 27 50
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, params: :zeek:type:`call_argument_vector`)
+
+   A meta event generated for events that Zeek raises. This will report all
+   events for which at least one handler is defined.
+   
+   Note that handling this meta event is expensive and should be limited to
+   debugging purposes.
+   
+
+   :param name: The name of the event.
+   
+
+   :param params: The event's parameters.
+
+.. zeek:id:: new_packet
+   :source-code: base/bif/event.bif.zeek 301 301
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, p: :zeek:type:`pkt_hdr`)
+
+   Generated for all packets that make it into Zeek's connection processing. In
+   contrast to :zeek:id:`raw_packet` this filters out some more packets that don't
+   pass certain sanity checks.
+   
+   This is a very low-level and expensive event that should be avoided when at all
+   possible. It's usually infeasible to handle when processing even medium volumes
+   of traffic in real-time. That said, if you work from a trace and want to do some
+   packet-level analysis, it may come in handy.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param p: Information from the header of the packet that triggered the event.
+   
+   .. zeek:see:: tcp_packet packet_contents raw_packet
+
+.. zeek:id:: packet_contents
+   :source-code: base/bif/event.bif.zeek 345 345
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, contents: :zeek:type:`string`)
+
+   Generated for every packet that has a non-empty transport-layer payload.
+   This is a very low-level and expensive event that should be avoided when
+   at all possible.  It's usually infeasible to handle when processing even
+   medium volumes of traffic in real-time. It's even worse than
+   :zeek:id:`new_packet`. That said, if you work from a trace and want to
+   do some packet-level analysis, it may come in handy.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param contents: The raw transport-layer payload.
+   
+   .. zeek:see:: new_packet tcp_packet
+
+.. zeek:id:: packet_not_processed
+   :source-code: base/bif/event.bif.zeek 974 974
+
+   :Type: :zeek:type:`event` (pkt: :zeek:type:`pcap_packet`)
+
+   An event for handling packets that reached the end of processing without
+   being marked as processed. Note that this event may lead to unpredictable
+   performance spikes, particularly if a network suddenly receives a burst
+   of packets that are unprocessed.
+   
+
+   :param pkt: Data for the unprocessed packet
+
+.. zeek:id:: profiling_update
+   :source-code: base/bif/event.bif.zeek 638 638
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`file`, expensive: :zeek:type:`bool`)
+
+   Generated each time Zeek's internal profiling log is updated. The file is
+   defined by :zeek:id:`profiling_file`, and its update frequency by
+   :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`.
+   
+
+   :param f: The profiling file.
+   
+
+   :param expensive: True if this event corresponds to heavier-weight profiling as
+              indicated by the :zeek:id:`expensive_profiling_multiple` variable.
+   
+   .. zeek:see::  profiling_interval expensive_profiling_multiple
+
+.. zeek:id:: protocol_late_match
+   :source-code: policy/protocols/conn/speculative-service.zeek 32 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, atype: :zeek:type:`Analyzer::Tag`)
+
+   Generated if a DPD signature matched but the DPD buffer is already exhausted
+   and thus the analyzer could not be attached. While this does not confirm
+   that a protocol is actually used, it allows to retain that information.
+   
+
+   :param c: The connection.
+   
+
+   :param atype: The type of the analyzer confirming that its protocol is in
+          use. The value is one of the ``Analyzer::ANALYZER_*`` constants. For example,
+          ``Analyzer::ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed
+          parsing an HTTP connection.
+   
+   .. zeek:see:: dpd_buffer_size dpd_max_packets
+
+.. zeek:id:: raw_packet
+   :source-code: base/bif/event.bif.zeek 284 284
+
+   :Type: :zeek:type:`event` (p: :zeek:type:`raw_pkt_hdr`)
+
+   Generated for every packet Zeek sees that have a valid link-layer header. This
+   is a very very low-level and expensive event that should be avoided when at all
+   possible. It's usually infeasible to handle when processing even medium volumes
+   of traffic in real-time. That said, if you work from a trace and want to do some
+   packet-level analysis, it may come in handy.
+   
+
+   :param p: Information from the header of the packet that triggered the event.
+   
+   .. zeek:see:: new_packet packet_contents
+
+.. zeek:id:: reporter_error
+   :source-code: base/frameworks/reporter/main.zeek 56 59
+
+   :Type: :zeek:type:`event` (t: :zeek:type:`time`, msg: :zeek:type:`string`, location: :zeek:type:`string`)
+   :Attributes: :zeek:attr:`&error_handler`
+
+   Raised for errors reported via Zeek's reporter framework. Such messages may
+   be generated internally by the event engine and also by other scripts calling
+   :zeek:id:`Reporter::error`.
+   
+
+   :param t: The time the error was passed to the reporter.
+   
+
+   :param msg: The error message.
+   
+
+   :param location: A (potentially empty) string describing a location associated with
+       the error.
+   
+   .. zeek:see:: reporter_info reporter_warning Reporter::info Reporter::warning
+      Reporter::error
+   
+   .. note:: Zeek will not call reporter events recursively. If the handler of
+      any reporter event triggers a new reporter message itself, the output
+      will go to ``stderr`` instead.
+
+.. zeek:id:: reporter_info
+   :source-code: base/frameworks/reporter/main.zeek 46 49
+
+   :Type: :zeek:type:`event` (t: :zeek:type:`time`, msg: :zeek:type:`string`, location: :zeek:type:`string`)
+   :Attributes: :zeek:attr:`&error_handler`
+
+   Raised for informational messages reported via Zeek's reporter framework. Such
+   messages may be generated internally by the event engine and also by other
+   scripts calling :zeek:id:`Reporter::info`.
+   
+
+   :param t: The time the message was passed to the reporter.
+   
+
+   :param msg: The message itself.
+   
+
+   :param location: A (potentially empty) string describing a location associated with
+             the message.
+   
+   .. zeek:see:: reporter_warning reporter_error Reporter::info Reporter::warning
+      Reporter::error
+   
+   .. note:: Zeek will not call reporter events recursively. If the handler of
+      any reporter event triggers a new reporter message itself, the output
+      will go to ``stderr`` instead.
+
+.. zeek:id:: reporter_warning
+   :source-code: base/frameworks/reporter/main.zeek 51 54
+
+   :Type: :zeek:type:`event` (t: :zeek:type:`time`, msg: :zeek:type:`string`, location: :zeek:type:`string`)
+   :Attributes: :zeek:attr:`&error_handler`
+
+   Raised for warnings reported via Zeek's reporter framework. Such messages may
+   be generated internally by the event engine and also by other scripts calling
+   :zeek:id:`Reporter::warning`.
+   
+
+   :param t: The time the warning was passed to the reporter.
+   
+
+   :param msg: The warning message.
+   
+
+   :param location: A (potentially empty) string describing a location associated with
+       the warning.
+   
+   .. zeek:see:: reporter_info reporter_error Reporter::info Reporter::warning
+      Reporter::error
+   
+   .. note:: Zeek will not call reporter events recursively. If the handler of
+      any reporter event triggers a new reporter message itself, the output
+      will go to ``stderr`` instead.
+
+.. zeek:id:: rexmit_inconsistency
+   :source-code: policy/protocols/conn/weirds.zeek 20 27
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, t1: :zeek:type:`string`, t2: :zeek:type:`string`, tcp_flags: :zeek:type:`string`)
+
+   Generated when Zeek detects a TCP retransmission inconsistency. When
+   reassembling a TCP stream, Zeek buffers all payload until it sees the
+   responder acking it. If during that time, the sender resends a chunk of
+   payload but with different content than originally, this event will be
+   raised. In addition, if :zeek:id:`tcp_max_old_segments` is larger than zero,
+   mismatches with that older still-buffered data will likewise trigger the event.
+   
+
+   :param c: The connection showing the inconsistency.
+   
+
+   :param t1: The original payload.
+   
+
+   :param t2: The new payload.
+   
+
+   :param tcp_flags: A string with the TCP flags of the packet triggering the
+              inconsistency. In the string, each character corresponds to one
+              set flag, as follows: ``S`` -> SYN; ``F`` -> FIN; ``R`` -> RST;
+              ``A`` -> ACK; ``P`` -> PUSH; ``U`` -> URGENT. This string will
+              not always be set, only if the information is available; it's
+              "best effort".
+   
+   .. zeek:see:: tcp_rexmit tcp_contents
+
+.. zeek:id:: scheduled_analyzer_applied
+   :source-code: base/bif/event.bif.zeek 272 272
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, a: :zeek:type:`Analyzer::Tag`)
+
+   Generated when a connection is seen that is marked as being expected.
+   The function :zeek:id:`Analyzer::schedule_analyzer` tells Zeek to expect a
+   particular connection to come up, and which analyzer to associate with it.
+   Once the first packet of such a connection is indeed seen, this event is
+   raised.
+   
+
+   :param c: The connection.
+   
+
+   :param a: The analyzer that was scheduled for the connection with the
+      :zeek:id:`Analyzer::schedule_analyzer` call. When the event is raised, that
+      analyzer will already have been activated to process the connection. The
+      ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_state_remove connection_status_update connection_timeout
+      new_connection new_connection_contents partial_connection
+   
+   .. todo:: We don't have a good way to document the automatically generated
+      ``ANALYZER_*`` constants right now.
+
+.. zeek:id:: signature_match
+   :source-code: base/bif/event.bif.zeek 620 620
+
+   :Type: :zeek:type:`event` (state: :zeek:type:`signature_state`, msg: :zeek:type:`string`, data: :zeek:type:`string`, end_of_match: :zeek:type:`count`)
+   :Type: :zeek:type:`event` (state: :zeek:type:`signature_state`, msg: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated when a signature matches. Zeek's signature engine provides
+   high-performance pattern matching separately from the normal script
+   processing. If a signature with an ``event`` action matches, this event is
+   raised.
+   
+   See the :doc:`user manual </frameworks/signatures>` for more information
+   about Zeek's signature engine.
+   
+
+   :param state: Context about the match, including which signatures triggered the
+          event and the connection for which the match was found.
+   
+
+   :param msg: The message passed to the ``event`` signature action.
+   
+
+   :param data: The last chunk of input that triggered the match. Note that the
+         specifics here are not well-defined as Zeek does not buffer any input.
+         If a match is split across packet boundaries, only the last chunk
+         triggering the match will be passed on to the event.
+
+   :param end_of_match: Where within data the pattern match ended. 0 if not applicable or when *data* is empty.
+
+.. zeek:id:: tunnel_changed
+   :source-code: base/bif/event.bif.zeek 133 133
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, e: :zeek:type:`EncapsulatingConnVector`)
+
+   Generated for a connection whose tunneling has changed.  This could
+   be from a previously seen connection now being encapsulated in a tunnel,
+   or from the outer encapsulation changing.  Note that connection *c*'s
+   *tunnel* field is NOT automatically/internally assigned to the new
+   encapsulation value of *e* after this event is raised.  If the desired
+   behavior is to track the latest tunnel encapsulation per-connection,
+   then a handler of this event should assign *e* to ``c$tunnel`` (which Zeek's
+   default scripts are doing).
+   
+
+   :param c: The connection whose tunnel/encapsulation changed.
+   
+
+   :param e: The new encapsulation.
+
+.. zeek:id:: udp_session_done
+   :source-code: base/bif/event.bif.zeek 247 247
+
+   :Type: :zeek:type:`event` (u: :zeek:type:`connection`)
+
+   Generated when a UDP session for a supported protocol has finished. Some of
+   Zeek's application-layer UDP analyzers flag the end of a session by raising
+   this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
+   Teredo, and GTPv1 support this.
+   
+
+   :param u: The connection record for the corresponding UDP flow.
+   
+   .. zeek:see:: udp_contents udp_reply udp_request
+
+.. zeek:id:: unknown_protocol
+   :source-code: policy/misc/unknown-protocols.zeek 42 53
+
+   :Type: :zeek:type:`event` (analyzer_name: :zeek:type:`string`, protocol: :zeek:type:`count`, first_bytes: :zeek:type:`string`, analyzer_history: :zeek:type:`string_vec`)
+
+   Generated when a packet analyzer attempts to forward a protocol that it doesn't
+   know how to handle.
+   
+
+   :param analyzer_name: The string name of the analyzer attempting to forward the protocol
+   
+
+   :param protocol: The identifier of the protocol being forwarded
+   
+
+   :param first_bytes: A certain number of bytes at the start of the unknown protocol's header.
+   
+
+   :param analyzer_history: The chain of packet analyzers that processed the packet up to this
+                     point. This includes the history of encapsulating packets in case
+                     of tunneling.
+   
+   .. zeek:see:: UnknownProtocol::first_bytes_count
+
+.. zeek:id:: zeek_done
+   :source-code: base/bif/event.bif.zeek 67 67
+
+   :Type: :zeek:type:`event` ()
+
+   Generated at Zeek termination time. The event engine generates this event when
+   Zeek is about to terminate, either due to having exhausted reading its input
+   trace file(s), receiving a termination signal, or because Zeek was run without
+   a network input source and has finished executing any global statements.
+   
+   .. zeek:see:: zeek_init
+   
+   .. note::
+   
+      If Zeek terminates due to an invocation of :zeek:id:`exit`, then this event
+      is not generated.
+
+.. zeek:id:: zeek_init
+   :source-code: base/bif/event.bif.zeek 53 53
+
+   :Type: :zeek:type:`event` ()
+
+   Generated at Zeek initialization time. The event engine generates this
+   event just before normal input processing begins. It can be used to execute
+   one-time initialization code at startup. At the time a handler runs, Zeek will
+   have executed any global initializations and statements.
+   
+   .. zeek:see:: zeek_done network_time_init
+   
+   .. note::
+   
+      When a ``zeek_init`` handler executes, Zeek has not yet seen any input
+      packets and therefore :zeek:id:`network_time` is not initialized yet. An
+      artifact of that is that any timer installed in a ``zeek_init`` handler,
+      like with :zeek:keyword:`schedule`, will fire immediately with the first
+      packet. The standard way to work around that is to ignore the first time
+      the timer fires and immediately reschedule or to instead schedule the
+      first event from with the :zeek:see:`network_time_init` event.
+   
+
+.. zeek:id:: zeek_script_loaded
+   :source-code: policy/misc/loaded-scripts.zeek 37 40
+
+   :Type: :zeek:type:`event` (path: :zeek:type:`string`, level: :zeek:type:`count`)
+
+   Raised for each policy script loaded by the script interpreter.
+   
+
+   :param path: The full path to the script loaded.
+   
+
+   :param level: The "nesting level": zero for a top-level Zeek script and incremented
+          recursively for each ``@load``.
+
+
diff --git a/doc/scripts/base/bif/file_analysis.bif.zeek.rst b/doc/scripts/base/bif/file_analysis.bif.zeek.rst
new file mode 100644
index 0000000000..1efd970017
--- /dev/null
+++ b/doc/scripts/base/bif/file_analysis.bif.zeek.rst
@@ -0,0 +1,146 @@
+:tocdepth: 3
+
+base/bif/file_analysis.bif.zeek
+===============================
+.. zeek:namespace:: Files
+.. zeek:namespace:: GLOBAL
+
+Internal functions and types used by the file analysis framework.
+
+:Namespaces: Files, GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================ ====================================================================
+:zeek:id:`Files::__add_analyzer`: :zeek:type:`function`          :zeek:see:`Files::add_analyzer`.
+:zeek:id:`Files::__analyzer_enabled`: :zeek:type:`function`      :zeek:see:`Files::analyzer_enabled`.
+:zeek:id:`Files::__analyzer_name`: :zeek:type:`function`         :zeek:see:`Files::analyzer_name`.
+:zeek:id:`Files::__disable_analyzer`: :zeek:type:`function`      :zeek:see:`Files::disable_analyzer`.
+:zeek:id:`Files::__disable_reassembly`: :zeek:type:`function`    :zeek:see:`Files::disable_reassembly`.
+:zeek:id:`Files::__enable_analyzer`: :zeek:type:`function`       :zeek:see:`Files::enable_analyzer`.
+:zeek:id:`Files::__enable_reassembly`: :zeek:type:`function`     :zeek:see:`Files::enable_reassembly`.
+:zeek:id:`Files::__file_exists`: :zeek:type:`function`           :zeek:see:`Files::file_exists`.
+:zeek:id:`Files::__lookup_file`: :zeek:type:`function`           :zeek:see:`Files::lookup_file`.
+:zeek:id:`Files::__remove_analyzer`: :zeek:type:`function`       :zeek:see:`Files::remove_analyzer`.
+:zeek:id:`Files::__set_reassembly_buffer`: :zeek:type:`function` :zeek:see:`Files::set_reassembly_buffer_size`.
+:zeek:id:`Files::__set_timeout_interval`: :zeek:type:`function`  :zeek:see:`Files::set_timeout_interval`.
+:zeek:id:`Files::__stop`: :zeek:type:`function`                  :zeek:see:`Files::stop`.
+:zeek:id:`set_file_handle`: :zeek:type:`function`                For use within a :zeek:see:`get_file_handle` handler to set a unique
+                                                                 identifier to associate with the current input to the file analysis
+                                                                 framework.
+================================================================ ====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Files::__add_analyzer
+   :source-code: base/bif/file_analysis.bif.zeek 42 42
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`, tag: :zeek:type:`Files::Tag`, args: :zeek:type:`any`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::add_analyzer`.
+
+.. zeek:id:: Files::__analyzer_enabled
+   :source-code: base/bif/file_analysis.bif.zeek 38 38
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::analyzer_enabled`.
+
+.. zeek:id:: Files::__analyzer_name
+   :source-code: base/bif/file_analysis.bif.zeek 54 54
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`string`
+
+   :zeek:see:`Files::analyzer_name`.
+
+.. zeek:id:: Files::__disable_analyzer
+   :source-code: base/bif/file_analysis.bif.zeek 34 34
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::disable_analyzer`.
+
+.. zeek:id:: Files::__disable_reassembly
+   :source-code: base/bif/file_analysis.bif.zeek 22 22
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::disable_reassembly`.
+
+.. zeek:id:: Files::__enable_analyzer
+   :source-code: base/bif/file_analysis.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::enable_analyzer`.
+
+.. zeek:id:: Files::__enable_reassembly
+   :source-code: base/bif/file_analysis.bif.zeek 18 18
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::enable_reassembly`.
+
+.. zeek:id:: Files::__file_exists
+   :source-code: base/bif/file_analysis.bif.zeek 58 58
+
+   :Type: :zeek:type:`function` (fuid: :zeek:type:`string`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::file_exists`.
+
+.. zeek:id:: Files::__lookup_file
+   :source-code: base/bif/file_analysis.bif.zeek 62 62
+
+   :Type: :zeek:type:`function` (fuid: :zeek:type:`string`) : :zeek:type:`fa_file`
+
+   :zeek:see:`Files::lookup_file`.
+
+.. zeek:id:: Files::__remove_analyzer
+   :source-code: base/bif/file_analysis.bif.zeek 46 46
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`, tag: :zeek:type:`Files::Tag`, args: :zeek:type:`any`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::remove_analyzer`.
+
+.. zeek:id:: Files::__set_reassembly_buffer
+   :source-code: base/bif/file_analysis.bif.zeek 26 26
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`, max: :zeek:type:`count`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::set_reassembly_buffer_size`.
+
+.. zeek:id:: Files::__set_timeout_interval
+   :source-code: base/bif/file_analysis.bif.zeek 14 14
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`, t: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::set_timeout_interval`.
+
+.. zeek:id:: Files::__stop
+   :source-code: base/bif/file_analysis.bif.zeek 50 50
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`) : :zeek:type:`bool`
+
+   :zeek:see:`Files::stop`.
+
+.. zeek:id:: set_file_handle
+   :source-code: base/bif/file_analysis.bif.zeek 76 76
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`string`) : :zeek:type:`any`
+
+   For use within a :zeek:see:`get_file_handle` handler to set a unique
+   identifier to associate with the current input to the file analysis
+   framework.  Using an empty string for the handle signifies that the
+   input will be ignored/discarded.
+   
+
+   :param handle: A string that uniquely identifies a file.
+   
+   .. zeek:see:: get_file_handle
+
+
diff --git a/doc/scripts/base/bif/index.rst b/doc/scripts/base/bif/index.rst
new file mode 100644
index 0000000000..bb44d69a9c
--- /dev/null
+++ b/doc/scripts/base/bif/index.rst
@@ -0,0 +1,567 @@
+:orphan:
+
+Package: base/bif
+=================
+
+
+:doc:`/scripts/base/bif/const.bif.zeek`
+
+   Declaration of various scripting-layer constants that the Zeek core uses
+   internally.  Documentation and default values for the scripting-layer
+   variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
+
+:doc:`/scripts/base/bif/types.bif.zeek`
+
+   Declaration of various types that the Zeek core uses internally.
+
+:doc:`/scripts/base/bif/zeek.bif.zeek`
+
+   A collection of built-in functions that implement a variety of things
+   such as general programming algorithms, string processing, math functions,
+   introspection, type conversion, file/directory manipulation, packet
+   filtering, interprocess communication and controlling protocol analyzer
+   behavior.
+   
+   You'll find most of Zeek's built-in functions that aren't protocol-specific
+   in this file.
+
+:doc:`/scripts/base/bif/communityid.bif.zeek`
+
+
+:doc:`/scripts/base/bif/stats.bif.zeek`
+
+
+:doc:`/scripts/base/bif/reporter.bif.zeek`
+
+   The reporter built-in functions allow for the scripting layer to
+   generate messages of varying severity.  If no event handlers
+   exist for reporter messages, the messages are output to stderr.
+   If event handlers do exist, it's assumed they take care of determining
+   how/where to output the messages.
+   
+   See :doc:`/scripts/base/frameworks/reporter/main.zeek` for a convenient
+   reporter message logging framework.
+
+:doc:`/scripts/base/bif/strings.bif.zeek`
+
+   Definitions of built-in functions related to string processing and
+   manipulation.
+
+:doc:`/scripts/base/bif/option.bif.zeek`
+
+   Definitions of built-in functions that allow the scripting layer to
+   change the value of options and to be notified when option values change.
+
+:doc:`/scripts/base/bif/supervisor.bif.zeek`
+
+   The BIFs that define the Zeek supervisor control interface.
+
+:doc:`/scripts/base/bif/packet_analysis.bif.zeek`
+
+
+:doc:`/scripts/base/bif/CPP-load.bif.zeek`
+
+   Definitions of built-in functions related to loading compiled-to-C++
+   scripts.
+
+:doc:`/scripts/base/bif/mmdb.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/telemetry_functions.bif.zeek`
+
+   Functions for accessing counter metrics from script land.
+
+:doc:`/scripts/base/bif/telemetry_types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/event.bif.zeek`
+
+   The protocol-independent events that the C/C++ core of Zeek can generate.
+   
+   This is mostly events not related to a specific transport- or
+   application-layer protocol, but also includes a few that may be generated
+   by more than one protocols analyzer (like events generated by both UDP and
+   TCP analysis.)
+
+:doc:`/scripts/base/bif/analyzer.bif.zeek`
+
+   Internal functions and types used by the analyzer framework.
+
+:doc:`/scripts/base/bif/file_analysis.bif.zeek`
+
+   Internal functions and types used by the file analysis framework.
+
+:doc:`/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/logging.bif.zeek`
+
+   Internal functions and types used by the logging framework.
+
+:doc:`/scripts/base/bif/comm.bif.zeek`
+
+   Functions and events regarding broker communication mechanisms.
+
+:doc:`/scripts/base/bif/messaging.bif.zeek`
+
+   Functions for peering and various messaging patterns.
+
+:doc:`/scripts/base/bif/data.bif.zeek`
+
+   Functions for inspecting and manipulating broker data.
+
+:doc:`/scripts/base/bif/store.bif.zeek`
+
+   Functions to interface with broker's distributed data store.
+
+:doc:`/scripts/base/bif/input.bif.zeek`
+
+   Internal functions and types used by the input framework.
+
+:doc:`/scripts/base/bif/cluster.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/__load__.zeek`
+
+
+:doc:`/scripts/base/bif/telemetry_consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/zeekygen.bif.zeek`
+
+   Functions for querying script, package, or variable documentation.
+
+:doc:`/scripts/base/bif/pcap.bif.zeek`
+
+
+:doc:`/scripts/base/bif/bloom-filter.bif.zeek`
+
+   Functions to create and manipulate Bloom filters.
+
+:doc:`/scripts/base/bif/cardinality-counter.bif.zeek`
+
+   Functions to create and manipulate probabilistic cardinality counters.
+
+:doc:`/scripts/base/bif/top-k.bif.zeek`
+
+   Functions to probabilistically determine top-k elements.
+
+:doc:`/scripts/base/bif/storage.bif.zeek`
+
+   Functions related to general storage operations. These are not specific to async or sync.
+
+:doc:`/scripts/base/bif/storage-async.bif.zeek`
+
+   Functions related to asynchronous storage operations.
+
+:doc:`/scripts/base/bif/storage-events.bif.zeek`
+
+   Events related to storage operations.
+
+:doc:`/scripts/base/bif/storage-sync.bif.zeek`
+
+   Functions related to synchronous storage operations.
+
+:doc:`/scripts/base/bif/spicy.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/__load__.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_File.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek`
+
+   Internal functions used by the extraction file analyzer.
+
+:doc:`/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_X509.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek`
+
+
diff --git a/doc/scripts/base/bif/input.bif.zeek.rst b/doc/scripts/base/bif/input.bif.zeek.rst
new file mode 100644
index 0000000000..5db09d50cc
--- /dev/null
+++ b/doc/scripts/base/bif/input.bif.zeek.rst
@@ -0,0 +1,59 @@
+:tocdepth: 3
+
+base/bif/input.bif.zeek
+=======================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Input
+
+Internal functions and types used by the input framework.
+
+:Namespaces: GLOBAL, Input
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================= =
+:zeek:id:`Input::__create_analysis_stream`: :zeek:type:`function` 
+:zeek:id:`Input::__create_event_stream`: :zeek:type:`function`    
+:zeek:id:`Input::__create_table_stream`: :zeek:type:`function`    
+:zeek:id:`Input::__force_update`: :zeek:type:`function`           
+:zeek:id:`Input::__remove_stream`: :zeek:type:`function`          
+================================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Input::__create_analysis_stream
+   :source-code: base/bif/input.bif.zeek 28 28
+
+   :Type: :zeek:type:`function` (description: :zeek:type:`Input::AnalysisDescription`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Input::__create_event_stream
+   :source-code: base/bif/input.bif.zeek 25 25
+
+   :Type: :zeek:type:`function` (description: :zeek:type:`Input::EventDescription`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Input::__create_table_stream
+   :source-code: base/bif/input.bif.zeek 22 22
+
+   :Type: :zeek:type:`function` (description: :zeek:type:`Input::TableDescription`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Input::__force_update
+   :source-code: base/bif/input.bif.zeek 34 34
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Input::__remove_stream
+   :source-code: base/bif/input.bif.zeek 31 31
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+
diff --git a/doc/scripts/base/bif/logging.bif.zeek.rst b/doc/scripts/base/bif/logging.bif.zeek.rst
new file mode 100644
index 0000000000..1f11c7b0c9
--- /dev/null
+++ b/doc/scripts/base/bif/logging.bif.zeek.rst
@@ -0,0 +1,122 @@
+:tocdepth: 3
+
+base/bif/logging.bif.zeek
+=========================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Log
+
+Internal functions and types used by the logging framework.
+
+:Namespaces: GLOBAL, Log
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================= =
+:zeek:id:`Log::__add_filter`: :zeek:type:`function`               
+:zeek:id:`Log::__create_stream`: :zeek:type:`function`            
+:zeek:id:`Log::__delay`: :zeek:type:`function`                    
+:zeek:id:`Log::__delay_finish`: :zeek:type:`function`             
+:zeek:id:`Log::__disable_stream`: :zeek:type:`function`           
+:zeek:id:`Log::__enable_stream`: :zeek:type:`function`            
+:zeek:id:`Log::__flush`: :zeek:type:`function`                    
+:zeek:id:`Log::__get_delay_queue_size`: :zeek:type:`function`     
+:zeek:id:`Log::__remove_filter`: :zeek:type:`function`            
+:zeek:id:`Log::__remove_stream`: :zeek:type:`function`            
+:zeek:id:`Log::__set_buf`: :zeek:type:`function`                  
+:zeek:id:`Log::__set_max_delay_interval`: :zeek:type:`function`   
+:zeek:id:`Log::__set_max_delay_queue_size`: :zeek:type:`function` 
+:zeek:id:`Log::__write`: :zeek:type:`function`                    
+================================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Log::__add_filter
+   :source-code: base/bif/logging.bif.zeek 35 35
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, filter: :zeek:type:`Log::Filter`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__create_stream
+   :source-code: base/bif/logging.bif.zeek 23 23
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, stream: :zeek:type:`Log::Stream`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__delay
+   :source-code: base/bif/logging.bif.zeek 52 52
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, rec: :zeek:type:`any`, post_delay_cb: :zeek:type:`Log::PostDelayCallback`) : :zeek:type:`Log::DelayToken`
+
+
+.. zeek:id:: Log::__delay_finish
+   :source-code: base/bif/logging.bif.zeek 55 55
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, rec: :zeek:type:`any`, token: :zeek:type:`Log::DelayToken`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__disable_stream
+   :source-code: base/bif/logging.bif.zeek 32 32
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__enable_stream
+   :source-code: base/bif/logging.bif.zeek 29 29
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__flush
+   :source-code: base/bif/logging.bif.zeek 47 47
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__get_delay_queue_size
+   :source-code: base/bif/logging.bif.zeek 64 64
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`int`
+
+
+.. zeek:id:: Log::__remove_filter
+   :source-code: base/bif/logging.bif.zeek 38 38
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, name: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__remove_stream
+   :source-code: base/bif/logging.bif.zeek 26 26
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__set_buf
+   :source-code: base/bif/logging.bif.zeek 44 44
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, buffered: :zeek:type:`bool`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__set_max_delay_interval
+   :source-code: base/bif/logging.bif.zeek 58 58
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, max_delay: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__set_max_delay_queue_size
+   :source-code: base/bif/logging.bif.zeek 61 61
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, max_queue_size: :zeek:type:`count`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Log::__write
+   :source-code: base/bif/logging.bif.zeek 41 41
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, columns: :zeek:type:`any`) : :zeek:type:`bool`
+
+
+
diff --git a/doc/scripts/base/bif/messaging.bif.zeek.rst b/doc/scripts/base/bif/messaging.bif.zeek.rst
new file mode 100644
index 0000000000..bf921182a0
--- /dev/null
+++ b/doc/scripts/base/bif/messaging.bif.zeek.rst
@@ -0,0 +1,96 @@
+:tocdepth: 3
+
+base/bif/messaging.bif.zeek
+===========================
+.. zeek:namespace:: Broker
+.. zeek:namespace:: GLOBAL
+
+Functions for peering and various messaging patterns.
+
+:Namespaces: Broker, GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+======================================================= ===================================================================
+:zeek:id:`Broker::__flush_logs`: :zeek:type:`function`  
+:zeek:id:`Broker::__forward`: :zeek:type:`function`     
+:zeek:id:`Broker::__publish_id`: :zeek:type:`function`  
+:zeek:id:`Broker::__subscribe`: :zeek:type:`function`   
+:zeek:id:`Broker::__unsubscribe`: :zeek:type:`function` 
+:zeek:id:`Broker::make_event`: :zeek:type:`function`    Create a data structure that may be used to send a remote event via
+                                                        :zeek:see:`Broker::publish`.
+:zeek:id:`Broker::publish`: :zeek:type:`function`       Publishes an event at a given topic.
+======================================================= ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Broker::__flush_logs
+   :source-code: base/bif/messaging.bif.zeek 37 37
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+
+.. zeek:id:: Broker::__forward
+   :source-code: base/bif/messaging.bif.zeek 46 46
+
+   :Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__publish_id
+   :source-code: base/bif/messaging.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (topic: :zeek:type:`string`, id: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__subscribe
+   :source-code: base/bif/messaging.bif.zeek 43 43
+
+   :Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__unsubscribe
+   :source-code: base/bif/messaging.bif.zeek 49 49
+
+   :Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::make_event
+   :source-code: base/bif/messaging.bif.zeek 22 22
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`Broker::Event`
+
+   Create a data structure that may be used to send a remote event via
+   :zeek:see:`Broker::publish`.
+   
+
+   :param args: an event, followed by a list of argument values that may be used
+         to call it.
+   
+
+   :returns: opaque communication data that may be used to send a remote
+            event.
+
+.. zeek:id:: Broker::publish
+   :source-code: base/bif/messaging.bif.zeek 34 34
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`bool`
+
+   Publishes an event at a given topic.
+   
+
+   :param topic: a topic associated with the event message.
+   
+
+   :param args: Either the event arguments as already made by
+         :zeek:see:`Broker::make_event` or the argument list to pass along
+         to it.
+   
+
+   :returns: true if the message is sent.
+
+
diff --git a/doc/scripts/base/bif/mmdb.bif.zeek.rst b/doc/scripts/base/bif/mmdb.bif.zeek.rst
new file mode 100644
index 0000000000..a72a2f4b2a
--- /dev/null
+++ b/doc/scripts/base/bif/mmdb.bif.zeek.rst
@@ -0,0 +1,90 @@
+:tocdepth: 3
+
+base/bif/mmdb.bif.zeek
+======================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================== ================================================================
+:zeek:id:`lookup_autonomous_system`: :zeek:type:`function` Performs an lookup of AS number & organization of an IP address.
+:zeek:id:`lookup_location`: :zeek:type:`function`          Performs a geo-lookup of an IP address.
+:zeek:id:`mmdb_open_asn_db`: :zeek:type:`function`         Initializes MMDB for later use of lookup_autonomous_system.
+:zeek:id:`mmdb_open_location_db`: :zeek:type:`function`    Initializes MMDB for later use of lookup_location.
+========================================================== ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: lookup_autonomous_system
+   :source-code: base/bif/mmdb.bif.zeek 47 47
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`geo_autonomous_system`
+
+   Performs an lookup of AS number & organization of an IP address.
+   Requires Zeek to be built with ``libmaxminddb``.
+   
+
+   :param a: The IP address to lookup.
+   
+
+   :returns: A record with autonomous system number and organization that contains *a*.
+   
+   .. zeek:see:: lookup_location
+
+.. zeek:id:: lookup_location
+   :source-code: base/bif/mmdb.bif.zeek 36 36
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`geo_location`
+
+   Performs a geo-lookup of an IP address.
+   Requires Zeek to be built with ``libmaxminddb``.
+   
+
+   :param a: The IP address to lookup.
+   
+
+   :returns: A record with country, region, city, latitude, and longitude.
+   
+   .. zeek:see:: lookup_autonomous_system
+
+.. zeek:id:: mmdb_open_asn_db
+   :source-code: base/bif/mmdb.bif.zeek 25 25
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Initializes MMDB for later use of lookup_autonomous_system.
+   Requires Zeek to be built with ``libmaxminddb``.
+   
+
+   :param f: The filename of the MaxMind ASN DB.
+   
+
+   :returns: A boolean indicating whether the db was successfully opened.
+   
+   .. zeek:see:: lookup_autonomous_system
+
+.. zeek:id:: mmdb_open_location_db
+   :source-code: base/bif/mmdb.bif.zeek 14 14
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Initializes MMDB for later use of lookup_location.
+   Requires Zeek to be built with ``libmaxminddb``.
+   
+
+   :param f: The filename of the MaxMind City or Country DB.
+   
+
+   :returns: A boolean indicating whether the db was successfully opened.
+   
+   .. zeek:see:: lookup_autonomous_system
+
+
diff --git a/doc/scripts/base/bif/option.bif.zeek.rst b/doc/scripts/base/bif/option.bif.zeek.rst
new file mode 100644
index 0000000000..5e173b626a
--- /dev/null
+++ b/doc/scripts/base/bif/option.bif.zeek.rst
@@ -0,0 +1,104 @@
+:tocdepth: 3
+
+base/bif/option.bif.zeek
+========================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Option
+
+Definitions of built-in functions that allow the scripting layer to
+change the value of options and to be notified when option values change.
+
+:Namespaces: GLOBAL, Option
+
+Summary
+~~~~~~~
+Functions
+#########
+============================================================ ================================================================
+:zeek:id:`Option::any_set_to_any_vec`: :zeek:type:`function` Helper function that converts a set (of arbitrary index type) to
+                                                             a "vector of any".
+:zeek:id:`Option::set`: :zeek:type:`function`                Set an option to a new value.
+:zeek:id:`Option::set_change_handler`: :zeek:type:`function` Set a change handler for an option.
+============================================================ ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Option::any_set_to_any_vec
+   :source-code: base/bif/option.bif.zeek 65 65
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`any`) : :zeek:type:`any_vec`
+
+   Helper function that converts a set (of arbitrary index type) to
+   a "vector of any".
+   
+
+   :param v: an "any" type corresponding to a set.
+   
+
+   :returns: a vector-of-any with one element for each member of v.
+
+.. zeek:id:: Option::set
+   :source-code: base/bif/option.bif.zeek 29 29
+
+   :Type: :zeek:type:`function` (ID: :zeek:type:`string`, val: :zeek:type:`any`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Set an option to a new value. This change will also cause the option change
+   handlers to be called.
+   
+
+   :param ID: The ID of the option to update.
+   
+
+   :param val: The new value of the option.
+   
+
+   :param location: Optional parameter detailing where this change originated from.
+   
+
+   :returns: true on success, false when an error occurred.
+   
+   .. zeek:see:: Option::set_change_handler Config::set_value
+   
+   .. note:: :zeek:id:`Option::set` only works on one node and does not distribute
+             new values across a cluster. The higher-level :zeek:id:`Config::set_value`
+             supports clusterization and should typically be used instead of this
+             lower-level function.
+
+.. zeek:id:: Option::set_change_handler
+   :source-code: base/bif/option.bif.zeek 56 56
+
+   :Type: :zeek:type:`function` (ID: :zeek:type:`string`, on_change: :zeek:type:`any`, priority: :zeek:type:`int` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Set a change handler for an option. The change handler will be
+   called anytime :zeek:id:`Option::set` is called for the option.
+   
+
+   :param ID: The ID of the option for which change notifications are desired.
+   
+
+   :param on_change: The function that will be called when a change occurs. The
+              function can choose to receive two or three parameters: the first
+              parameter is a string containing *ID*, the second parameter is
+              the new option value. The third, optional, parameter is the
+              location string as passed to Option::set. Note that the global
+              value is not yet changed when the function is called. The passed
+              function has to return the new value that it wants the option to
+              be set to. This enables it to reject changes, or change values
+              that are being set. When several change handlers are set for an
+              option they are chained; the second change handler will see the
+              return value of the first change handler as the "new value".
+   
+
+   :param priority: The priority of the function that was added; functions with higher
+             priority are called first, functions with the same priority are
+             called in the order in which they were added.
+   
+
+   :returns: true when the change handler was set, false when an error occurred.
+   
+   .. zeek:see:: Option::set
+
+
diff --git a/doc/scripts/base/bif/packet_analysis.bif.zeek.rst b/doc/scripts/base/bif/packet_analysis.bif.zeek.rst
new file mode 100644
index 0000000000..d1aca93cb6
--- /dev/null
+++ b/doc/scripts/base/bif/packet_analysis.bif.zeek.rst
@@ -0,0 +1,96 @@
+:tocdepth: 3
+
+base/bif/packet_analysis.bif.zeek
+=================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: PacketAnalyzer
+
+
+:Namespaces: GLOBAL, PacketAnalyzer
+
+Summary
+~~~~~~~
+Functions
+#########
+====================================================================================== ================================================================================================================
+:zeek:id:`PacketAnalyzer::__disable_analyzer`: :zeek:type:`function`                   Internal function to disable a packet analyzer.
+:zeek:id:`PacketAnalyzer::__enable_analyzer`: :zeek:type:`function`                    Internal function to enable a packet analyzer.
+:zeek:id:`PacketAnalyzer::__set_ignore_checksums_nets`: :zeek:type:`function`          Internal function that is used to update the core-mirror of the script-level ``ignore_checksums_nets`` variable.
+:zeek:id:`PacketAnalyzer::register_packet_analyzer`: :zeek:type:`function`             Add an entry to parent's dispatcher that maps a protocol/index to a next-stage child analyzer.
+:zeek:id:`PacketAnalyzer::register_protocol_detection`: :zeek:type:`function`          Registers a child analyzer with a parent analyzer to perform packet detection when determining whether
+                                                                                       to forward from parent to child.
+:zeek:id:`PacketAnalyzer::try_register_packet_analyzer_by_name`: :zeek:type:`function` Attempts to add an entry to ``parent``'s dispatcher that maps a protocol/index to a next-stage ``child``
+                                                                                       analyzer.
+====================================================================================== ================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: PacketAnalyzer::__disable_analyzer
+   :source-code: base/bif/packet_analysis.bif.zeek 41 41
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`PacketAnalyzer::Tag`) : :zeek:type:`bool`
+
+   Internal function to disable a packet analyzer.
+
+.. zeek:id:: PacketAnalyzer::__enable_analyzer
+   :source-code: base/bif/packet_analysis.bif.zeek 45 45
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`PacketAnalyzer::Tag`) : :zeek:type:`bool`
+
+   Internal function to enable a packet analyzer.
+
+.. zeek:id:: PacketAnalyzer::__set_ignore_checksums_nets
+   :source-code: base/bif/packet_analysis.bif.zeek 29 29
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`subnet_set`) : :zeek:type:`bool`
+
+   Internal function that is used to update the core-mirror of the script-level ``ignore_checksums_nets`` variable.
+
+.. zeek:id:: PacketAnalyzer::register_packet_analyzer
+   :source-code: base/bif/packet_analysis.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` (parent: :zeek:type:`PacketAnalyzer::Tag`, identifier: :zeek:type:`count`, child: :zeek:type:`PacketAnalyzer::Tag`) : :zeek:type:`bool`
+
+   Add an entry to parent's dispatcher that maps a protocol/index to a next-stage child analyzer.
+   
+
+   :param parent: The parent analyzer being modified
+
+   :param identifier: The identifier for the protocol being registered
+
+   :param child: The analyzer that will be called for the identifier
+   
+
+.. zeek:id:: PacketAnalyzer::register_protocol_detection
+   :source-code: base/bif/packet_analysis.bif.zeek 37 37
+
+   :Type: :zeek:type:`function` (parent: :zeek:type:`PacketAnalyzer::Tag`, child: :zeek:type:`PacketAnalyzer::Tag`) : :zeek:type:`bool`
+
+   Registers a child analyzer with a parent analyzer to perform packet detection when determining whether
+   to forward from parent to child.
+   
+
+   :param parent: The parent analyzer being modified
+
+   :param child: The analyzer that will use protocol detection
+
+.. zeek:id:: PacketAnalyzer::try_register_packet_analyzer_by_name
+   :source-code: base/bif/packet_analysis.bif.zeek 25 25
+
+   :Type: :zeek:type:`function` (parent: :zeek:type:`string`, identifier: :zeek:type:`count`, child: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Attempts to add an entry to ``parent``'s dispatcher that maps a protocol/index to a next-stage ``child``
+   analyzer. This may fail if either of the two names does not respond to a known analyzer.
+   
+
+   :param parent: The parent analyzer being modified
+
+   :param identifier: The identifier for the protocol being registered
+
+   :param child: The analyzer that will be called for the identifier
+   
+
+
diff --git a/doc/scripts/base/bif/pcap.bif.zeek.rst b/doc/scripts/base/bif/pcap.bif.zeek.rst
new file mode 100644
index 0000000000..08b2965364
--- /dev/null
+++ b/doc/scripts/base/bif/pcap.bif.zeek.rst
@@ -0,0 +1,149 @@
+:tocdepth: 3
+
+base/bif/pcap.bif.zeek
+======================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Pcap
+
+
+:Namespaces: GLOBAL, Pcap
+
+Summary
+~~~~~~~
+Functions
+#########
+=============================================================== ======================================================================
+:zeek:id:`Pcap::error`: :zeek:type:`function`                   Returns a string representation of the last PCAP error.
+:zeek:id:`Pcap::findalldevs`: :zeek:type:`function`             
+:zeek:id:`Pcap::get_filter_state`: :zeek:type:`function`        Returns the initialization state of a PCAP filter, or OK if the either
+                                                                there's no active packet source or the pcap filter ID does not exist.
+:zeek:id:`Pcap::get_filter_state_string`: :zeek:type:`function` Returns a string containing any error messages that were reported by
+                                                                filter initialization.
+:zeek:id:`Pcap::install_pcap_filter`: :zeek:type:`function`     Installs a PCAP filter that has been precompiled with
+                                                                :zeek:id:`Pcap::precompile_pcap_filter`.
+:zeek:id:`Pcap::precompile_pcap_filter`: :zeek:type:`function`  Precompiles a PCAP filter and binds it to a given identifier.
+=============================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Pcap::error
+   :source-code: base/bif/pcap.bif.zeek 71 71
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Returns a string representation of the last PCAP error.
+   
+
+   :returns: A descriptive error message of the PCAP function that failed.
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_addr_filter
+                install_src_net_filter
+                uninstall_src_addr_filter
+                uninstall_src_net_filter
+                install_dst_addr_filter
+                install_dst_net_filter
+                uninstall_dst_addr_filter
+                uninstall_dst_net_filter
+
+.. zeek:id:: Pcap::findalldevs
+   :source-code: base/bif/pcap.bif.zeek 101 101
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Pcap::Interfaces`
+
+
+.. zeek:id:: Pcap::get_filter_state
+   :source-code: base/bif/pcap.bif.zeek 84 84
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`PcapFilterID`) : :zeek:type:`Pcap::filter_state`
+
+   Returns the initialization state of a PCAP filter, or OK if the either
+   there's no active packet source or the pcap filter ID does not exist.
+   
+
+   :param id: The PCAP filter id of a precompiled filter.
+   
+
+   :returns: A state value denoting whether any warnings or errors were
+            encountered while initializing the filter.
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                 Pcap::install_pcap_filter
+
+.. zeek:id:: Pcap::get_filter_state_string
+   :source-code: base/bif/pcap.bif.zeek 98 98
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`PcapFilterID`) : :zeek:type:`string`
+
+   Returns a string containing any error messages that were reported by
+   filter initialization.
+   
+
+   :param id: The PCAP filter id of a precompiled filter.
+   
+
+   :returns: Warning/error strings from the initialization process, a blank
+            string if none were encountered, or '<unknown>' if either there
+            is no active packet source or the filter ID doesn't exist.
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                 Pcap::install_pcap_filter
+
+.. zeek:id:: Pcap::install_pcap_filter
+   :source-code: base/bif/pcap.bif.zeek 54 54
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`PcapFilterID`) : :zeek:type:`bool`
+
+   Installs a PCAP filter that has been precompiled with
+   :zeek:id:`Pcap::precompile_pcap_filter`.
+   
+
+   :param id: The PCAP filter id of a precompiled filter.
+   
+
+   :returns: True if the filter associated with *id* has been installed
+            successfully.
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                install_src_addr_filter
+                install_src_net_filter
+                uninstall_src_addr_filter
+                uninstall_src_net_filter
+                install_dst_addr_filter
+                install_dst_net_filter
+                uninstall_dst_addr_filter
+                uninstall_dst_net_filter
+                Pcap::error
+
+.. zeek:id:: Pcap::precompile_pcap_filter
+   :source-code: base/bif/pcap.bif.zeek 33 33
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`PcapFilterID`, s: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Precompiles a PCAP filter and binds it to a given identifier.
+   
+
+   :param id: The PCAP identifier to reference the filter *s* later on.
+   
+
+   :param s: The PCAP filter. See ``man tcpdump`` for valid expressions.
+   
+
+   :returns: True if *s* is valid and precompiles successfully.
+   
+   .. zeek:see:: Pcap::install_pcap_filter
+            install_src_addr_filter
+            install_src_net_filter
+            uninstall_src_addr_filter
+            uninstall_src_net_filter
+            install_dst_addr_filter
+            install_dst_net_filter
+            uninstall_dst_addr_filter
+            uninstall_dst_net_filter
+            Pcap::error
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek.rst
new file mode 100644
index 0000000000..64892d4d5e
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek
+==================================================
+.. zeek:namespace:: AF_Packet
+.. zeek:namespace:: GLOBAL
+
+
+:Namespaces: AF_Packet, GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek.rst
new file mode 100644
index 0000000000..0293e4d908
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek.rst
@@ -0,0 +1,116 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_ARP.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================== =====================================================
+:zeek:id:`arp_reply`: :zeek:type:`event`   Generated for ARP replies.
+:zeek:id:`arp_request`: :zeek:type:`event` Generated for ARP requests.
+:zeek:id:`bad_arp`: :zeek:type:`event`     Generated for ARP packets that Zeek cannot interpret.
+========================================== =====================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: arp_reply
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 43 43
+
+   :Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
+
+   Generated for ARP replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
+   for more information about the ARP protocol.
+   
+
+   :param mac_src: The reply's source MAC address.
+   
+
+   :param mac_dst: The reply's destination MAC address.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+   .. zeek:see::  arp_request bad_arp
+
+.. zeek:id:: arp_request
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 22 22
+
+   :Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
+
+   Generated for ARP requests.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
+   for more information about the ARP protocol.
+   
+
+   :param mac_src: The request's source MAC address.
+   
+
+   :param mac_dst: The request's destination MAC address.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+   .. zeek:see:: arp_reply  bad_arp
+
+.. zeek:id:: bad_arp
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 66 66
+
+   :Type: :zeek:type:`event` (SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`, explanation: :zeek:type:`string`)
+
+   Generated for ARP packets that Zeek cannot interpret. Examples are packets
+   with non-standard hardware address formats or hardware addresses that do not
+   match the originator of the packet.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+
+   :param explanation: A short description of why the ARP packet is considered "bad".
+   
+   .. zeek:see:: arp_reply arp_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek.rst
new file mode 100644
index 0000000000..b1b98cd364
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek
+================================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: InputAscii
+
+
+:Namespaces: GLOBAL, InputAscii
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek.rst
new file mode 100644
index 0000000000..0147af57c4
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
+================================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: LogAscii
+
+
+:Namespaces: GLOBAL, LogAscii
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek.rst
new file mode 100644
index 0000000000..b122a12a81
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek
+========================================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: InputBenchmark
+
+
+:Namespaces: GLOBAL, InputBenchmark
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek.rst
new file mode 100644
index 0000000000..34988049b3
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek
+==================================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: InputBinary
+
+
+:Namespaces: GLOBAL, InputBinary
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek.rst
new file mode 100644
index 0000000000..1592883c75
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek.rst
@@ -0,0 +1,328 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
+================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================= =====
+:zeek:id:`bittorrent_peer_bitfield`: :zeek:type:`event`       TODO.
+:zeek:id:`bittorrent_peer_cancel`: :zeek:type:`event`         TODO.
+:zeek:id:`bittorrent_peer_choke`: :zeek:type:`event`          TODO.
+:zeek:id:`bittorrent_peer_handshake`: :zeek:type:`event`      TODO.
+:zeek:id:`bittorrent_peer_have`: :zeek:type:`event`           TODO.
+:zeek:id:`bittorrent_peer_interested`: :zeek:type:`event`     TODO.
+:zeek:id:`bittorrent_peer_keep_alive`: :zeek:type:`event`     TODO.
+:zeek:id:`bittorrent_peer_not_interested`: :zeek:type:`event` TODO.
+:zeek:id:`bittorrent_peer_piece`: :zeek:type:`event`          TODO.
+:zeek:id:`bittorrent_peer_port`: :zeek:type:`event`           TODO.
+:zeek:id:`bittorrent_peer_request`: :zeek:type:`event`        TODO.
+:zeek:id:`bittorrent_peer_unchoke`: :zeek:type:`event`        TODO.
+:zeek:id:`bittorrent_peer_unknown`: :zeek:type:`event`        TODO.
+:zeek:id:`bittorrent_peer_weird`: :zeek:type:`event`          TODO.
+:zeek:id:`bt_tracker_request`: :zeek:type:`event`             TODO.
+:zeek:id:`bt_tracker_response`: :zeek:type:`event`            TODO.
+:zeek:id:`bt_tracker_response_not_ok`: :zeek:type:`event`     TODO.
+:zeek:id:`bt_tracker_weird`: :zeek:type:`event`               TODO.
+============================================================= =====
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: bittorrent_peer_bitfield
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 105 105
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, bitfield: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see::  bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
+      bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_cancel
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 144 144
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield  bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_choke
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 40 40
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_handshake
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 14 14
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, reserved: :zeek:type:`string`, info_hash: :zeek:type:`string`, peer_id: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_have
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, piece_index: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake  bittorrent_peer_interested bittorrent_peer_keep_alive
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_interested
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 66 66
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_keep_alive
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 27 27
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_not_interested
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 79 79
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive  bittorrent_peer_piece bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_piece
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 131 131
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, piece_length: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_port
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 157 157
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, listen_port: :zeek:type:`port`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_request
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 118 118
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, index: :zeek:type:`count`, begin: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port  bittorrent_peer_unchoke bittorrent_peer_unknown
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_unchoke
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 53 53
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_unknown
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 170 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, message_id: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_weird
+
+.. zeek:id:: bittorrent_peer_weird
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 183 183
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown
+
+.. zeek:id:: bt_tracker_request
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 196 196
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, uri: :zeek:type:`string`, headers: :zeek:type:`bt_tracker_headers`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bt_tracker_response
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 209 209
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, status: :zeek:type:`count`, headers: :zeek:type:`bt_tracker_headers`, peers: :zeek:type:`bittorrent_peer_set`, benc: :zeek:type:`bittorrent_benc_dir`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bt_tracker_response_not_ok
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 222 222
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, status: :zeek:type:`count`, headers: :zeek:type:`bt_tracker_headers`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+.. zeek:id:: bt_tracker_weird
+   :source-code: base/bif/plugins/Zeek_BitTorrent.events.bif.zeek 235 235
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+   more information about the BitTorrent protocol.
+   
+   .. zeek:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+      bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+      bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+      bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+      bittorrent_peer_unknown bittorrent_peer_weird
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek.rst
new file mode 100644
index 0000000000..45e4b3db9f
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek.rst
@@ -0,0 +1,29 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
+============================================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================================== =
+:zeek:id:`Cluster::Backend::ZeroMQ::spawn_zmq_proxy_thread`: :zeek:type:`function` 
+================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Cluster::Backend::ZeroMQ::spawn_zmq_proxy_thread
+   :source-code: base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek 6 6
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek.rst
new file mode 100644
index 0000000000..c28f699eef
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek.rst
@@ -0,0 +1,54 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek
+=======================================================
+.. zeek:namespace:: Cluster
+.. zeek:namespace:: GLOBAL
+
+
+:Namespaces: Cluster, GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================== ====================================================
+:zeek:id:`Cluster::websocket_client_added`: :zeek:type:`event` Generated when a new WebSocket client has connected.
+:zeek:id:`Cluster::websocket_client_lost`: :zeek:type:`event`  Generated when a WebSocket client was lost.
+============================================================== ====================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: Cluster::websocket_client_added
+   :source-code: base/frameworks/cluster/main.zeek 700 705
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Cluster::EndpointInfo`, subscriptions: :zeek:type:`string_vec`)
+
+   Generated when a new WebSocket client has connected.
+   
+
+   :param endpoint: Various information about the WebSocket client.
+   
+
+   :param subscriptions: The WebSocket client's subscriptions as provided in the handshake.
+
+.. zeek:id:: Cluster::websocket_client_lost
+   :source-code: base/frameworks/cluster/main.zeek 707 713
+
+   :Type: :zeek:type:`event` (endpoint: :zeek:type:`Cluster::EndpointInfo`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
+
+   Generated when a WebSocket client was lost.
+   
+
+   :param endpoint: Various information about the WebSocket client.
+
+   :param code: The code sent by the client in its CLOSE frame, or a code generated
+         internally if the server disconnected the client.
+
+   :param reason: The reason sent by the client in its CLOSE frame, or a reason generated
+           internally if the server disconnected the client.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek.rst
new file mode 100644
index 0000000000..1c739748b7
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_ConfigReader.config.bif.zeek
+==================================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: InputConfig
+
+
+:Namespaces: GLOBAL, InputConfig
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek.rst
new file mode 100644
index 0000000000..3273257507
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek.rst
@@ -0,0 +1,112 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_ConnSize.events.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+==================================================================== =============================================================================================================
+:zeek:id:`conn_bytes_threshold_crossed`: :zeek:type:`event`          Generated for a connection that crossed a set byte threshold.
+:zeek:id:`conn_duration_threshold_crossed`: :zeek:type:`event`       Generated for a connection that crossed a set duration threshold.
+:zeek:id:`conn_generic_packet_threshold_crossed`: :zeek:type:`event` Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
+                                                                     observed.
+:zeek:id:`conn_packets_threshold_crossed`: :zeek:type:`event`        Generated for a connection that crossed a set packet threshold.
+==================================================================== =============================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: conn_bytes_threshold_crossed
+   :source-code: base/protocols/conn/thresholds.zeek 320 337
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set byte threshold. Note that this
+   is a low level event that should usually be avoided for user code. Use
+   :zeek:see:`ConnThreshold::bytes_threshold_crossed` instead.
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: true if the threshold was crossed by the originator of the connection
+   
+   .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: conn_duration_threshold_crossed
+   :source-code: base/protocols/conn/thresholds.zeek 358 370
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set duration threshold. Note that this
+   is a low level event that should usually be avoided for user code. Use
+   :zeek:see:`ConnThreshold::duration_threshold_crossed` instead.
+   
+   Note that this event is not raised at the exact moment that a duration threshold is crossed; instead
+   it is raised when the next packet is seen after the threshold has been crossed. On a connection that is
+   idle, this can be raised significantly later.
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: true if the threshold was crossed by the originator of the connection
+   
+   .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: conn_generic_packet_threshold_crossed
+   :source-code: base/bif/plugins/Zeek_ConnSize.events.bif.zeek 63 63
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`)
+
+   Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
+   observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new
+   connections, while short interactions, like scans consisting of only a few packets, are ignored.
+   
+
+   :param c: the connection.
+   
+
+   :param threshold: the threshold that was set
+
+.. zeek:id:: conn_packets_threshold_crossed
+   :source-code: base/protocols/conn/thresholds.zeek 339 356
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set packet threshold. Note that this
+   is a low level event that should usually be avoided for user code. Use
+   :zeek:see:`ConnThreshold::packets_threshold_crossed` instead.
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: true if the threshold was crossed by the originator of the connection
+   
+   .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek.rst
new file mode 100644
index 0000000000..938e44fc5f
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek.rst
@@ -0,0 +1,147 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
+=================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+===================================================================== ===================================================================================
+:zeek:id:`get_current_conn_bytes_threshold`: :zeek:type:`function`    
+:zeek:id:`get_current_conn_duration_threshold`: :zeek:type:`function` Gets the current duration threshold size for a connection.
+:zeek:id:`get_current_conn_packets_threshold`: :zeek:type:`function`  Gets the current packet threshold size for a connection.
+:zeek:id:`set_current_conn_bytes_threshold`: :zeek:type:`function`    Sets the current byte threshold for connection sizes, overwriting any potential old
+                                                                      threshold.
+:zeek:id:`set_current_conn_duration_threshold`: :zeek:type:`function` Sets the current duration threshold for connection, overwriting any potential old
+                                                                      threshold.
+:zeek:id:`set_current_conn_packets_threshold`: :zeek:type:`function`  Sets a threshold for connection packets, overwriting any potential old thresholds.
+===================================================================== ===================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: get_current_conn_bytes_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 63 63
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`count`
+
+   
+
+   :param cid: The connection id.
+   
+
+   :param is_orig: If true, threshold of originator, otherwise threshold of responder.
+   
+
+   :returns: 0 if no threshold is set or the threshold in bytes
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_packets_threshold set_current_conn_duration_threshold
+                 get_current_conn_duration_threshold
+
+.. zeek:id:: get_current_conn_duration_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 87 87
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`interval`
+
+   Gets the current duration threshold size for a connection.
+   
+
+   :param cid: The connection id.
+   
+
+   :returns: 0 if no threshold is set or the threshold in seconds
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_packets_threshold set_current_conn_duration_threshold
+
+.. zeek:id:: get_current_conn_packets_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 76 76
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`count`
+
+   Gets the current packet threshold size for a connection.
+   
+
+   :param cid: The connection id.
+   
+
+   :param is_orig: If true, threshold of originator, otherwise threshold of responder.
+   
+
+   :returns: 0 if no threshold is set or the threshold in packets
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: set_current_conn_bytes_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 19 19
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Sets the current byte threshold for connection sizes, overwriting any potential old
+   threshold. Be aware that in nearly any case you will want to use the high level API
+   instead (:zeek:see:`ConnThreshold::set_bytes_threshold`).
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in bytes.
+   
+
+   :param is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+.. zeek:id:: set_current_conn_duration_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 49 49
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Sets the current duration threshold for connection, overwriting any potential old
+   threshold. Be aware that in nearly any case you will want to use the high level API
+   instead (:zeek:see:`ConnThreshold::set_duration_threshold`).
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in seconds.
+   
+   .. zeek:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold
+                 get_current_conn_duration_threshold
+
+.. zeek:id:: set_current_conn_packets_threshold
+   :source-code: base/bif/plugins/Zeek_ConnSize.functions.bif.zeek 35 35
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Sets a threshold for connection packets, overwriting any potential old thresholds.
+   Be aware that in nearly any case you will want to use the high level API
+   instead (:zeek:see:`ConnThreshold::set_packets_threshold`).
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in packets.
+   
+
+   :param is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
+   
+   .. zeek:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
+                 get_current_conn_bytes_threshold get_current_conn_packets_threshold
+                 set_current_conn_duration_threshold get_current_conn_duration_threshold
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek.rst
new file mode 100644
index 0000000000..9bf6e6ea41
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek
+=============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek.rst
new file mode 100644
index 0000000000..7322c36d53
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek.rst
@@ -0,0 +1,258 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek
+=============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================= ==============================================================================================================================
+:zeek:id:`dce_rpc_alter_context`: :zeek:type:`event`      Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
+:zeek:id:`dce_rpc_alter_context_resp`: :zeek:type:`event` Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
+:zeek:id:`dce_rpc_bind`: :zeek:type:`event`               Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
+:zeek:id:`dce_rpc_bind_ack`: :zeek:type:`event`           Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
+:zeek:id:`dce_rpc_message`: :zeek:type:`event`            Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
+:zeek:id:`dce_rpc_request`: :zeek:type:`event`            Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
+:zeek:id:`dce_rpc_request_stub`: :zeek:type:`event`       Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
+:zeek:id:`dce_rpc_response`: :zeek:type:`event`           Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
+:zeek:id:`dce_rpc_response_stub`: :zeek:type:`event`      Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
+========================================================= ==============================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: dce_rpc_alter_context
+   :source-code: base/protocols/dce-rpc/main.zeek 137 149
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, uuid: :zeek:type:`string`, ver_major: :zeek:type:`count`, ver_minor: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
+   Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
+   multiple times for a single RPC message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+   
+
+   :param uuid: The string interpreted uuid of the endpoint being requested.
+   
+
+   :param ver_major: The major version of the endpoint being requested.
+   
+
+   :param ver_minor: The minor version of the endpoint being requested.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
+
+.. zeek:id:: dce_rpc_alter_context_resp
+   :source-code: base/protocols/dce-rpc/main.zeek 162 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
+
+.. zeek:id:: dce_rpc_bind
+   :source-code: base/protocols/dce-rpc/main.zeek 123 135
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, uuid: :zeek:type:`string`, ver_major: :zeek:type:`count`, ver_minor: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
+   Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
+   multiple times for a single RPC message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+   
+
+   :param uuid: The string interpreted uuid of the endpoint being requested.
+   
+
+   :param ver_major: The major version of the endpoint being requested.
+   
+
+   :param ver_minor: The minor version of the endpoint being requested.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
+
+.. zeek:id:: dce_rpc_bind_ack
+   :source-code: base/protocols/dce-rpc/main.zeek 151 160
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, sec_addr: :zeek:type:`string`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param sec_addr: Secondary address for the ack.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
+
+.. zeek:id:: dce_rpc_message
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, fid: :zeek:type:`count`, ptype_id: :zeek:type:`count`, ptype: :zeek:type:`DCE_RPC::PType`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the message was sent by the originator of the TCP connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ptype_id: Numeric representation of the procedure type of the message.
+   
+
+   :param ptype: Enum representation of the procedure type of the message.
+   
+   .. zeek:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
+
+.. zeek:id:: dce_rpc_request
+   :source-code: base/protocols/dce-rpc/main.zeek 167 175
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub_len: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+   
+
+   :param opnum: Number of the RPC operation.
+   
+
+   :param stub_len: Length of the data for the request.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response dce_rpc_request_stub
+
+.. zeek:id:: dce_rpc_request_stub
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 143 143
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub: :zeek:type:`string`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+   
+
+   :param opnum: Number of the RPC operation.
+   
+
+   :param stub: The data for the request.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response_stub dce_rpc_request
+
+.. zeek:id:: dce_rpc_response
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 125 125
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub_len: :zeek:type:`count`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+
+   :param opnum: Number of the RPC operation.
+   
+
+   :param stub_len: Length of the data for the response.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response_stub
+
+.. zeek:id:: dce_rpc_response_stub
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek 161 161
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, fid: :zeek:type:`count`, ctx_id: :zeek:type:`count`, opnum: :zeek:type:`count`, stub: :zeek:type:`string`)
+
+   Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
+   
+
+   :param c: The connection.
+   
+
+   :param fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+        message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+        not transported over a pipe.
+   
+
+   :param ctx_id: The context identifier of the data representation.
+
+   :param opnum: Number of the RPC operation.
+   
+
+   :param stub: The data for the response.
+   
+   .. zeek:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request_stub dce_rpc_response
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek.rst
new file mode 100644
index 0000000000..56527df579
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek.rst
@@ -0,0 +1,107 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek
+============================================
+.. zeek:namespace:: DCE_RPC
+.. zeek:namespace:: GLOBAL
+
+
+:Namespaces: DCE_RPC, GLOBAL
+
+Summary
+~~~~~~~
+Types
+#####
+============================================== =
+:zeek:type:`DCE_RPC::IfID`: :zeek:type:`enum`  
+:zeek:type:`DCE_RPC::PType`: :zeek:type:`enum` 
+============================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: DCE_RPC::IfID
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek 33 33
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: DCE_RPC::unknown_if DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::epmapper DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::lsarpc DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::lsa_ds DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::mgmt DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::netlogon DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::samr DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::srvsvc DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::spoolss DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::drs DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::winspipe DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::wkssvc DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::oxid DCE_RPC::IfID
+
+      .. zeek:enum:: DCE_RPC::ISCMActivator DCE_RPC::IfID
+
+
+.. zeek:type:: DCE_RPC::PType
+   :source-code: base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek 8 8
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: DCE_RPC::REQUEST DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::PING DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::RESPONSE DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::FAULT DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::WORKING DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::NOCALL DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::REJECT DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::ACK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::CL_CANCEL DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::FACK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::CANCEL_ACK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::BIND DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::BIND_ACK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::BIND_NAK DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::ALTER_CONTEXT DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::ALTER_CONTEXT_RESP DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::AUTH3 DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::SHUTDOWN DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::CO_CANCEL DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::ORPHANED DCE_RPC::PType
+
+      .. zeek:enum:: DCE_RPC::RTS DCE_RPC::PType
+
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek.rst
new file mode 100644
index 0000000000..3cb4a94a90
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek.rst
@@ -0,0 +1,44 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_DHCP.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================== ================================
+:zeek:id:`dhcp_message`: :zeek:type:`event` Generated for all DHCP messages.
+=========================================== ================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: dhcp_message
+   :source-code: base/protocols/dhcp/main.zeek 301 308
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`DHCP::Msg`, options: :zeek:type:`DHCP::Options`)
+
+   Generated for all DHCP messages.
+   
+
+   :param c: The connection record describing the underlying UDP flow.
+   
+
+   :param is_orig: Indicate if the message came in a packet from the
+           originator/client of the udp flow or the responder/server.
+   
+
+   :param msg: The parsed type-independent part of the DHCP message. The message
+        type is indicated in this record.
+   
+
+   :param options: The full set of supported and parsed DHCP options.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek.rst
new file mode 100644
index 0000000000..9fc5d55368
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_DHCP.types.bif.zeek
+=========================================
+.. zeek:namespace:: DHCP
+.. zeek:namespace:: GLOBAL
+
+
+:Namespaces: DHCP, GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek.rst
new file mode 100644
index 0000000000..9fb9e18326
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek.rst
@@ -0,0 +1,618 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_DNP3.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================================== ===========================================================================
+:zeek:id:`dnp3_analog_input_16wFlag`: :zeek:type:`event`               Generated for DNP3 objects with the group number 30 and variation number 2
+                                                                       analog input 16 bit with flag
+:zeek:id:`dnp3_analog_input_16woFlag`: :zeek:type:`event`              Generated for DNP3 objects with the group number 30 and variation number 4
+                                                                       analog input 16 bit without flag
+:zeek:id:`dnp3_analog_input_32wFlag`: :zeek:type:`event`               Generated for DNP3 objects with the group number 30 and variation number 1
+                                                                       analog input 32 bit with flag
+:zeek:id:`dnp3_analog_input_32woFlag`: :zeek:type:`event`              Generated for DNP3 objects with the group number 30 and variation number 3
+                                                                       analog input 32 bit without flag
+:zeek:id:`dnp3_analog_input_DPwFlag`: :zeek:type:`event`               Generated for DNP3 objects with the group number 30 and variation number 6
+                                                                       analog input double precision, float point with flag
+:zeek:id:`dnp3_analog_input_SPwFlag`: :zeek:type:`event`               Generated for DNP3 objects with the group number 30 and variation number 5
+                                                                       analog input single precision, float point with flag
+:zeek:id:`dnp3_analog_input_event_16wTime`: :zeek:type:`event`         Generated for DNP3 objects with the group number 32 and variation number 4
+                                                                       analog input event 16 bit with time
+:zeek:id:`dnp3_analog_input_event_16woTime`: :zeek:type:`event`        Generated for DNP3 objects with the group number 32 and variation number 2
+                                                                       analog input event 16 bit without time
+:zeek:id:`dnp3_analog_input_event_32wTime`: :zeek:type:`event`         Generated for DNP3 objects with the group number 32 and variation number 3
+                                                                       analog input event 32 bit with time
+:zeek:id:`dnp3_analog_input_event_32woTime`: :zeek:type:`event`        Generated for DNP3 objects with the group number 32 and variation number 1
+                                                                       analog input event 32 bit without time
+:zeek:id:`dnp3_analog_input_event_DPwTime`: :zeek:type:`event`         Generated for DNP3 objects with the group number 32 and variation number 8
+                                                                       analog input event double-precision float point with time
+:zeek:id:`dnp3_analog_input_event_DPwoTime`: :zeek:type:`event`        Generated for DNP3 objects with the group number 32 and variation number 6
+                                                                       analog input event double-precision float point without time
+:zeek:id:`dnp3_analog_input_event_SPwTime`: :zeek:type:`event`         Generated for DNP3 objects with the group number 32 and variation number 7
+                                                                       analog input event single-precision float point with time
+:zeek:id:`dnp3_analog_input_event_SPwoTime`: :zeek:type:`event`        Generated for DNP3 objects with the group number 32 and variation number 5
+                                                                       analog input event single-precision float point without time
+:zeek:id:`dnp3_application_request_header`: :zeek:type:`event`         Generated for a DNP3 request header.
+:zeek:id:`dnp3_application_response_header`: :zeek:type:`event`        Generated for a DNP3 response header.
+:zeek:id:`dnp3_attribute_common`: :zeek:type:`event`                   Generated for DNP3 attributes.
+:zeek:id:`dnp3_counter_16wFlag`: :zeek:type:`event`                    Generated for DNP3 objects with the group number 20 and variation number 2
+                                                                       counter 16 bit with flag
+:zeek:id:`dnp3_counter_16woFlag`: :zeek:type:`event`                   Generated for DNP3 objects with the group number 20 and variation number 6
+                                                                       counter 16 bit without flag
+:zeek:id:`dnp3_counter_32wFlag`: :zeek:type:`event`                    Generated for DNP3 objects with the group number 20 and variation number 1
+                                                                       counter 32 bit with flag
+:zeek:id:`dnp3_counter_32woFlag`: :zeek:type:`event`                   Generated for DNP3 objects with the group number 20 and variation number 5
+                                                                       counter 32 bit without flag
+:zeek:id:`dnp3_crob`: :zeek:type:`event`                               Generated for DNP3 objects with the group number 12 and variation number 1
+                                                                       CROB: control relay output block
+:zeek:id:`dnp3_debug_byte`: :zeek:type:`event`                         Debugging event generated by the DNP3 analyzer.
+:zeek:id:`dnp3_file_transport`: :zeek:type:`event`                     g70
+:zeek:id:`dnp3_frozen_analog_input_16wFlag`: :zeek:type:`event`        Generated for DNP3 objects with the group number 31 and variation number 2
+                                                                       frozen analog input 16 bit with flag
+:zeek:id:`dnp3_frozen_analog_input_16wTime`: :zeek:type:`event`        Generated for DNP3 objects with the group number 31 and variation number 4
+                                                                       frozen analog input 16 bit with time-of-freeze
+:zeek:id:`dnp3_frozen_analog_input_16woFlag`: :zeek:type:`event`       Generated for DNP3 objects with the group number 31 and variation number 6
+                                                                       frozen analog input 16 bit without flag
+:zeek:id:`dnp3_frozen_analog_input_32wFlag`: :zeek:type:`event`        Generated for DNP3 objects with the group number 31 and variation number 1
+                                                                       frozen analog input 32 bit with flag
+:zeek:id:`dnp3_frozen_analog_input_32wTime`: :zeek:type:`event`        Generated for DNP3 objects with the group number 31 and variation number 3
+                                                                       frozen analog input 32 bit with time-of-freeze
+:zeek:id:`dnp3_frozen_analog_input_32woFlag`: :zeek:type:`event`       Generated for DNP3 objects with the group number 31 and variation number 5
+                                                                       frozen analog input 32 bit without flag
+:zeek:id:`dnp3_frozen_analog_input_DPwFlag`: :zeek:type:`event`        Generated for DNP3 objects with the group number 31 and variation number 8
+                                                                       frozen analog input double-precision, float point with flag
+:zeek:id:`dnp3_frozen_analog_input_SPwFlag`: :zeek:type:`event`        Generated for DNP3 objects with the group number 31 and variation number 7
+                                                                       frozen analog input single-precision, float point with flag
+:zeek:id:`dnp3_frozen_analog_input_event_16wTime`: :zeek:type:`event`  Generated for DNP3 objects with the group number 33 and variation number 4
+                                                                       frozen analog input event 16 bit with time
+:zeek:id:`dnp3_frozen_analog_input_event_16woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 2
+                                                                       frozen analog input event 16 bit without time
+:zeek:id:`dnp3_frozen_analog_input_event_32wTime`: :zeek:type:`event`  Generated for DNP3 objects with the group number 33 and variation number 3
+                                                                       frozen analog input event 32 bit with time
+:zeek:id:`dnp3_frozen_analog_input_event_32woTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 1
+                                                                       frozen analog input event 32 bit without time
+:zeek:id:`dnp3_frozen_analog_input_event_DPwTime`: :zeek:type:`event`  Generated for DNP3 objects with the group number 34 and variation number 8
+                                                                       frozen analog input event double-precision float point with time
+:zeek:id:`dnp3_frozen_analog_input_event_DPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 6
+                                                                       frozen analog input event double-precision float point without time
+:zeek:id:`dnp3_frozen_analog_input_event_SPwTime`: :zeek:type:`event`  Generated for DNP3 objects with the group number 33 and variation number 7
+                                                                       frozen analog input event single-precision float point with time
+:zeek:id:`dnp3_frozen_analog_input_event_SPwoTime`: :zeek:type:`event` Generated for DNP3 objects with the group number 33 and variation number 5
+                                                                       frozen analog input event single-precision float point without time
+:zeek:id:`dnp3_frozen_counter_16wFlag`: :zeek:type:`event`             Generated for DNP3 objects with the group number 21 and variation number 2
+                                                                       frozen counter 16 bit with flag
+:zeek:id:`dnp3_frozen_counter_16wFlagTime`: :zeek:type:`event`         Generated for DNP3 objects with the group number 21 and variation number 6
+                                                                       frozen counter 16 bit with flag and time
+:zeek:id:`dnp3_frozen_counter_16woFlag`: :zeek:type:`event`            Generated for DNP3 objects with the group number 21 and variation number 10
+                                                                       frozen counter 16 bit without flag
+:zeek:id:`dnp3_frozen_counter_32wFlag`: :zeek:type:`event`             Generated for DNP3 objects with the group number 21 and variation number 1
+                                                                       frozen counter 32 bit with flag
+:zeek:id:`dnp3_frozen_counter_32wFlagTime`: :zeek:type:`event`         Generated for DNP3 objects with the group number 21 and variation number 5
+                                                                       frozen counter 32 bit with flag and time
+:zeek:id:`dnp3_frozen_counter_32woFlag`: :zeek:type:`event`            Generated for DNP3 objects with the group number 21 and variation number 9
+                                                                       frozen counter 32 bit without flag
+:zeek:id:`dnp3_header_block`: :zeek:type:`event`                       Generated for an additional header that the DNP3 analyzer passes to the
+                                                                       script-level.
+:zeek:id:`dnp3_object_header`: :zeek:type:`event`                      Generated for the object header found in both DNP3 requests and responses.
+:zeek:id:`dnp3_object_prefix`: :zeek:type:`event`                      Generated for the prefix before a DNP3 object.
+:zeek:id:`dnp3_pcb`: :zeek:type:`event`                                Generated for DNP3 objects with the group number 12 and variation number 2
+                                                                       PCB: Pattern Control Block
+:zeek:id:`dnp3_response_data_object`: :zeek:type:`event`               Generated for a DNP3 "Response_Data_Object".
+====================================================================== ===========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: dnp3_analog_input_16wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 173 173
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 2
+   analog input 16 bit with flag
+
+.. zeek:id:: dnp3_analog_input_16woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 183 183
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 4
+   analog input 16 bit without flag
+
+.. zeek:id:: dnp3_analog_input_32wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 168 168
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 1
+   analog input 32 bit with flag
+
+.. zeek:id:: dnp3_analog_input_32woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 178 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 3
+   analog input 32 bit without flag
+
+.. zeek:id:: dnp3_analog_input_DPwFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 193 193
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 6
+   analog input double precision, float point with flag
+
+.. zeek:id:: dnp3_analog_input_SPwFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 188 188
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 30 and variation number 5
+   analog input single precision, float point with flag
+
+.. zeek:id:: dnp3_analog_input_event_16wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 253 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 4
+   analog input event 16 bit with time
+
+.. zeek:id:: dnp3_analog_input_event_16woTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 243 243
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 2
+   analog input event 16 bit without time
+
+.. zeek:id:: dnp3_analog_input_event_32wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 248 248
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 3
+   analog input event 32 bit with time
+
+.. zeek:id:: dnp3_analog_input_event_32woTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 238 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 1
+   analog input event 32 bit without time
+
+.. zeek:id:: dnp3_analog_input_event_DPwTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 273 273
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 8
+   analog input event double-precision float point with time
+
+.. zeek:id:: dnp3_analog_input_event_DPwoTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 263 263
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value_low: :zeek:type:`count`, value_high: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 6
+   analog input event double-precision float point without time
+
+.. zeek:id:: dnp3_analog_input_event_SPwTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 268 268
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 7
+   analog input event single-precision float point with time
+
+.. zeek:id:: dnp3_analog_input_event_SPwoTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 258 258
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 32 and variation number 5
+   analog input event single-precision float point without time
+
+.. zeek:id:: dnp3_application_request_header
+   :source-code: base/protocols/dnp3/main.zeek 49 59
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, application: :zeek:type:`count`, fc: :zeek:type:`count`)
+
+   Generated for a DNP3 request header.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param fc: function code.
+   
+
+.. zeek:id:: dnp3_application_response_header
+   :source-code: base/protocols/dnp3/main.zeek 61 76
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, application: :zeek:type:`count`, fc: :zeek:type:`count`, iin: :zeek:type:`count`)
+
+   Generated for a DNP3 response header.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param fc: function code.
+   
+
+   :param iin: internal indication number.
+   
+
+.. zeek:id:: dnp3_attribute_common
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 103 103
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data_type_code: :zeek:type:`count`, leng: :zeek:type:`count`, attribute_obj: :zeek:type:`string`)
+
+   Generated for DNP3 attributes.
+
+.. zeek:id:: dnp3_counter_16wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 123 123
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 20 and variation number 2
+   counter 16 bit with flag
+
+.. zeek:id:: dnp3_counter_16woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 133 133
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 20 and variation number 6
+   counter 16 bit without flag
+
+.. zeek:id:: dnp3_counter_32wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 118 118
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 20 and variation number 1
+   counter 32 bit with flag
+
+.. zeek:id:: dnp3_counter_32woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 128 128
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 20 and variation number 5
+   counter 32 bit without flag
+
+.. zeek:id:: dnp3_crob
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 108 108
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, control_code: :zeek:type:`count`, count8: :zeek:type:`count`, on_time: :zeek:type:`count`, off_time: :zeek:type:`count`, status_code: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 12 and variation number 1
+
+   :param CROB: control relay output block
+
+.. zeek:id:: dnp3_debug_byte
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 323 323
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, debug: :zeek:type:`string`)
+
+   Debugging event generated by the DNP3 analyzer. The "Debug_Byte" binpac unit
+   generates this for unknown "cases". The user can use it to debug the byte
+   string to check what caused the malformed network packets.
+
+.. zeek:id:: dnp3_file_transport
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 317 317
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, file_handle: :zeek:type:`count`, block_num: :zeek:type:`count`, file_data: :zeek:type:`string`)
+
+   g70
+
+.. zeek:id:: dnp3_frozen_analog_input_16wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 203 203
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 2
+   frozen analog input 16 bit with flag
+
+.. zeek:id:: dnp3_frozen_analog_input_16wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 213 213
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 4
+   frozen analog input 16 bit with time-of-freeze
+
+.. zeek:id:: dnp3_frozen_analog_input_16woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 223 223
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 6
+   frozen analog input 16 bit without flag
+
+.. zeek:id:: dnp3_frozen_analog_input_32wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 198 198
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 1
+   frozen analog input 32 bit with flag
+
+.. zeek:id:: dnp3_frozen_analog_input_32wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 208 208
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 3
+   frozen analog input 32 bit with time-of-freeze
+
+.. zeek:id:: dnp3_frozen_analog_input_32woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 218 218
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 5
+   frozen analog input 32 bit without flag
+
+.. zeek:id:: dnp3_frozen_analog_input_DPwFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 233 233
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 8
+   frozen analog input double-precision, float point with flag
+
+.. zeek:id:: dnp3_frozen_analog_input_SPwFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 228 228
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 31 and variation number 7
+   frozen analog input single-precision, float point with flag
+
+.. zeek:id:: dnp3_frozen_analog_input_event_16wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 293 293
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 4
+   frozen analog input event 16 bit with time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_16woTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 283 283
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 2
+   frozen analog input event 16 bit without time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_32wTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 288 288
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 3
+   frozen analog input event 32 bit with time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_32woTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 278 278
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 1
+   frozen analog input event 32 bit without time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_DPwTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 313 313
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 34 and variation number 8
+   frozen analog input event double-precision float point with time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_DPwoTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 303 303
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value_low: :zeek:type:`count`, frozen_value_high: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 6
+   frozen analog input event double-precision float point without time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_SPwTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 308 308
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 7
+   frozen analog input event single-precision float point with time
+
+.. zeek:id:: dnp3_frozen_analog_input_event_SPwoTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 298 298
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, frozen_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 33 and variation number 5
+   frozen analog input event single-precision float point without time
+
+.. zeek:id:: dnp3_frozen_counter_16wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 143 143
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 2
+   frozen counter 16 bit with flag
+
+.. zeek:id:: dnp3_frozen_counter_16wFlagTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 153 153
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 6
+   frozen counter 16 bit with flag and time
+
+.. zeek:id:: dnp3_frozen_counter_16woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 163 163
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 10
+   frozen counter 16 bit without flag
+
+.. zeek:id:: dnp3_frozen_counter_32wFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 138 138
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 1
+   frozen counter 32 bit with flag
+
+.. zeek:id:: dnp3_frozen_counter_32wFlagTime
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 148 148
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flag: :zeek:type:`count`, count_value: :zeek:type:`count`, time48: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 5
+   frozen counter 32 bit with flag and time
+
+.. zeek:id:: dnp3_frozen_counter_32woFlag
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 158 158
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, count_value: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 21 and variation number 9
+   frozen counter 32 bit without flag
+
+.. zeek:id:: dnp3_header_block
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 82 82
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, len: :zeek:type:`count`, ctrl: :zeek:type:`count`, dest_addr: :zeek:type:`count`, src_addr: :zeek:type:`count`)
+
+   Generated for an additional header that the DNP3 analyzer passes to the
+   script-level. This header mimics the DNP3 transport-layer yet is only passed
+   once for each sequence of DNP3 records (which are otherwise reassembled and
+   treated as a single entity).
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param len:   the "length" field in the DNP3 Pseudo Link Layer.
+   
+
+   :param ctrl:  the "control" field in the DNP3 Pseudo Link Layer.
+   
+
+   :param dest_addr: the "destination" field in the DNP3 Pseudo Link Layer.
+   
+
+   :param src_addr: the "source" field in the DNP3 Pseudo Link Layer.
+   
+
+.. zeek:id:: dnp3_object_header
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 50 50
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, obj_type: :zeek:type:`count`, qua_field: :zeek:type:`count`, number: :zeek:type:`count`, rf_low: :zeek:type:`count`, rf_high: :zeek:type:`count`)
+
+   Generated for the object header found in both DNP3 requests and responses.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param obj_type: type of object, which is classified based on an 8-bit group number
+             and an 8-bit variation number.
+   
+
+   :param qua_field: qualifier field.
+   
+
+   :param number: TODO.
+   
+
+   :param rf_low: the structure of the range field depends on the qualified field.
+           In some cases, the range field contains only one logic part, e.g.,
+           number of objects, so only *rf_low* contains useful values.
+   
+
+   :param rf_high: in some cases, the range field contains two logic parts, e.g., start
+            index and stop index, so *rf_low* contains the start index
+            while *rf_high* contains the stop index.
+   
+
+.. zeek:id:: dnp3_object_prefix
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 62 62
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix_value: :zeek:type:`count`)
+
+   Generated for the prefix before a DNP3 object. The structure and the meaning
+   of the prefix are defined by the qualifier field.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param prefix_value: The prefix.
+   
+
+.. zeek:id:: dnp3_pcb
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 113 113
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, control_code: :zeek:type:`count`, count8: :zeek:type:`count`, on_time: :zeek:type:`count`, off_time: :zeek:type:`count`, status_code: :zeek:type:`count`)
+
+   Generated for DNP3 objects with the group number 12 and variation number 2
+
+   :param PCB: Pattern Control Block
+
+.. zeek:id:: dnp3_response_data_object
+   :source-code: base/bif/plugins/Zeek_DNP3.events.bif.zeek 99 99
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data_value: :zeek:type:`count`)
+
+   Generated for a DNP3 "Response_Data_Object".
+   The "Response_Data_Object" contains two parts: object prefix and object
+   data. In most cases, object data are defined by new record types. But
+   in a few cases, object data are directly basic types, such as int16_t, or
+   int8_t; thus we use an additional *data_value* to record the values of those
+   object data.
+   
+
+   :param c: The connection the DNP3 communication is part of.
+   
+
+   :param is_orig: True if this reflects originator-side activity.
+   
+
+   :param data_value: The value for those objects that carry their information here
+               directly.
+   
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek.rst
new file mode 100644
index 0000000000..6b1a8e19e0
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek.rst
@@ -0,0 +1,1206 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_DNS.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+===================================================== =======================================================================================
+:zeek:id:`dns_A6_reply`: :zeek:type:`event`           Generated for DNS replies of type *A6*.
+:zeek:id:`dns_AAAA_reply`: :zeek:type:`event`         Generated for DNS replies of type *AAAA*.
+:zeek:id:`dns_A_reply`: :zeek:type:`event`            Generated for DNS replies of type *A*.
+:zeek:id:`dns_BINDS`: :zeek:type:`event`              Generated for DNS replies of type *BINDS*.
+:zeek:id:`dns_CAA_reply`: :zeek:type:`event`          Generated for DNS replies of type *CAA* (Certification Authority Authorization).
+:zeek:id:`dns_CNAME_reply`: :zeek:type:`event`        Generated for DNS replies of type *CNAME*.
+:zeek:id:`dns_DNSKEY`: :zeek:type:`event`             Generated for DNS replies of type *DNSKEY*.
+:zeek:id:`dns_DS`: :zeek:type:`event`                 Generated for DNS replies of type *DS*.
+:zeek:id:`dns_EDNS_addl`: :zeek:type:`event`          Generated for DNS replies of type *EDNS*.
+:zeek:id:`dns_EDNS_cookie`: :zeek:type:`event`        Generated for DNS replies of type *EDNS*, and an option field in this *EDNS* record has
+                                                      an opt-type of 10.
+:zeek:id:`dns_EDNS_ecs`: :zeek:type:`event`           Generated for DNS replies of type *EDNS*.
+:zeek:id:`dns_EDNS_tcp_keepalive`: :zeek:type:`event` Generated for DNS replies of type *EDNS*, and an option field in this *EDNS* record has
+                                                      an opt-type of 11.
+:zeek:id:`dns_HINFO_reply`: :zeek:type:`event`        Generated for DNS replies of type *HINFO*.
+:zeek:id:`dns_HTTPS`: :zeek:type:`event`              Generated for DNS replies of type *HTTPS* (HTTPS Specific Service Endpoints).
+:zeek:id:`dns_LOC`: :zeek:type:`event`                Generated for DNS replies of type *LOC*.
+:zeek:id:`dns_MX_reply`: :zeek:type:`event`           Generated for DNS replies of type *MX*.
+:zeek:id:`dns_NAPTR_reply`: :zeek:type:`event`        Generated for DNS replies of type *NAPTR*.
+:zeek:id:`dns_NSEC`: :zeek:type:`event`               Generated for DNS replies of type *NSEC*.
+:zeek:id:`dns_NSEC3`: :zeek:type:`event`              Generated for DNS replies of type *NSEC3*.
+:zeek:id:`dns_NSEC3PARAM`: :zeek:type:`event`         Generated for DNS replies of type *NSEC3PARAM*.
+:zeek:id:`dns_NS_reply`: :zeek:type:`event`           Generated for DNS replies of type *NS*.
+:zeek:id:`dns_PTR_reply`: :zeek:type:`event`          Generated for DNS replies of type *PTR*.
+:zeek:id:`dns_RRSIG`: :zeek:type:`event`              Generated for DNS replies of type *RRSIG*.
+:zeek:id:`dns_SOA_reply`: :zeek:type:`event`          Generated for DNS replies of type *CNAME*.
+:zeek:id:`dns_SPF_reply`: :zeek:type:`event`          Generated for DNS replies of type *SPF*.
+:zeek:id:`dns_SRV_reply`: :zeek:type:`event`          Generated for DNS replies of type *SRV*.
+:zeek:id:`dns_SSHFP`: :zeek:type:`event`              Generated for DNS replies of type *BINDS*.
+:zeek:id:`dns_SVCB`: :zeek:type:`event`               Generated for DNS replies of type *SVCB* (General Purpose Service Endpoints).
+:zeek:id:`dns_TKEY`: :zeek:type:`event`               Generated for DNS replies of type *TKEY*.
+:zeek:id:`dns_TSIG_addl`: :zeek:type:`event`          Generated for DNS replies of type *TSIG*.
+:zeek:id:`dns_TXT_reply`: :zeek:type:`event`          Generated for DNS replies of type *TXT*.
+:zeek:id:`dns_WKS_reply`: :zeek:type:`event`          Generated for DNS replies of type *WKS*.
+:zeek:id:`dns_end`: :zeek:type:`event`                Generated at the end of processing a DNS packet.
+:zeek:id:`dns_message`: :zeek:type:`event`            Generated for all DNS messages.
+:zeek:id:`dns_query_reply`: :zeek:type:`event`        Generated for each entry in the Question section of a DNS reply.
+:zeek:id:`dns_rejected`: :zeek:type:`event`           Generated for DNS replies that reject a query.
+:zeek:id:`dns_request`: :zeek:type:`event`            Generated for DNS requests.
+:zeek:id:`dns_unknown_reply`: :zeek:type:`event`      Generated on DNS reply resource records when the type of record is not one
+                                                      that Zeek knows how to parse and generate another more specific event.
+===================================================== =======================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: dns_A6_reply
+   :source-code: base/protocols/dns/main.zeek 499 502
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, a: :zeek:type:`addr`)
+
+   Generated for DNS replies of type *A6*. For replies with multiple answers, an
+   individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param a: The address returned by the reply.
+   
+   .. zeek:see::  dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_AAAA_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 175 175
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, a: :zeek:type:`addr`)
+
+   Generated for DNS replies of type *AAAA*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param a: The address returned by the reply.
+   
+   .. zeek:see::  dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_A_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 149 149
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, a: :zeek:type:`addr`)
+
+   Generated for DNS replies of type *A*. For replies with multiple answers, an
+   individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param a: The address returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
+      dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_BINDS
+   :source-code: base/protocols/dns/main.zeek 618 621
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, binds: :zeek:type:`dns_binds_rr`)
+
+   Generated for DNS replies of type *BINDS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param binds: The parsed RDATA of BIND-Signing state record.
+
+.. zeek:id:: dns_CAA_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 453 453
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, flags: :zeek:type:`count`, tag: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Generated for DNS replies of type *CAA* (Certification Authority Authorization).
+   For replies with multiple answers, an individual event of the corresponding type
+   is raised for each.
+   See `RFC 6844 <https://tools.ietf.org/html/rfc6844>`__ for more details.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param flags: The flags byte of the CAA reply.
+   
+
+   :param tag: The property identifier of the CAA reply.
+   
+
+   :param value: The property value of the CAA reply.
+
+.. zeek:id:: dns_CNAME_reply
+   :source-code: base/protocols/dns/main.zeek 509 512
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, name: :zeek:type:`string`)
+
+   Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param name: The name returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply  dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_DNSKEY
+   :source-code: base/protocols/dns/main.zeek 589 594
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, dnskey: :zeek:type:`dns_dnskey_rr`)
+
+   Generated for DNS replies of type *DNSKEY*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param dnskey: The parsed DNSKEY record.
+
+.. zeek:id:: dns_DS
+   :source-code: base/protocols/dns/main.zeek 611 616
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, ds: :zeek:type:`dns_ds_rr`)
+
+   Generated for DNS replies of type *DS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param ds: The parsed RDATA of DS record.
+
+.. zeek:id:: dns_EDNS_addl
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 552 552
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_edns_additional`)
+
+   Generated for DNS replies of type *EDNS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The parsed EDNS reply.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_EDNS_cookie
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 643 643
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, opt: :zeek:type:`dns_edns_cookie`)
+
+   Generated for DNS replies of type *EDNS*, and an option field in this *EDNS* record has
+   an opt-type of 10. For replies with multiple options fields, an individual event
+   is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. See `RFC7873 <https://tools.ietf.org/html/rfc7873>`__ for
+   more information about EDNS0 cookie. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param opt: The parsed EDNS Cookie option.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_EDNS_ecs
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 581 581
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, opt: :zeek:type:`dns_edns_ecs`)
+
+   Generated for DNS replies of type *EDNS*. For replies with multiple options,
+   an individual event is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param opt: The parsed EDNS option.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_EDNS_tcp_keepalive
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 612 612
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, opt: :zeek:type:`dns_edns_tcp_keepalive`)
+
+   Generated for DNS replies of type *EDNS*, and an option field in this *EDNS* record has
+   an opt-type of 11. For replies with multiple option fields, an individual event is
+   raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. See `RFC7828 <https://tools.ietf.org/html/rfc7828>`__ for
+   more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param opt: The parsed EDNS Keepalive option.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_HINFO_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 353 353
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, cpu: :zeek:type:`string`, os: :zeek:type:`string`)
+
+   Generated for DNS replies of type *HINFO*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
+      dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+      dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_mapping_altered
+      dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+      dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+      dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_HTTPS
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 856 856
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, https: :zeek:type:`dns_svcb_rr`)
+
+   Generated for DNS replies of type *HTTPS* (HTTPS Specific Service Endpoints).
+   See `RFC draft for DNS SVCB/HTTPS <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
+   for more information about DNS SVCB/HTTPS resource records.
+   Since SVCB and HTTPS records share the same wire format layout, the argument https is dns_svcb_rr.
+   For replies with multiple answers, an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param https: The parsed RDATA of HTTPS type record.
+
+.. zeek:id:: dns_LOC
+   :source-code: base/protocols/dns/main.zeek 630 635
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, loc: :zeek:type:`dns_loc_rr`)
+
+   Generated for DNS replies of type *LOC*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param loc: The parsed RDATA of LOC type record.
+
+.. zeek:id:: dns_MX_reply
+   :source-code: base/protocols/dns/main.zeek 515 518
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, name: :zeek:type:`string`, preference: :zeek:type:`count`)
+
+   Generated for DNS replies of type *MX*. For replies with multiple answers, an
+   individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param name: The name returned by the reply.
+   
+
+   :param preference: The preference for *name* specified by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply  dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_NAPTR_reply
+   :source-code: base/protocols/dns/main.zeek 540 559
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, naptr: :zeek:type:`dns_naptr_rr`)
+
+   Generated for DNS replies of type *NAPTR*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param naptr: The parsed RDATA of NAPTR type record.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_SRV_reply dns_end
+
+.. zeek:id:: dns_NSEC
+   :source-code: base/protocols/dns/main.zeek 596 599
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, next_name: :zeek:type:`string`, bitmaps: :zeek:type:`string_vec`)
+
+   Generated for DNS replies of type *NSEC*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param next_name: The parsed next secure domain name.
+   
+
+   :param bitmaps: vector of strings in hex for the bit maps present.
+
+.. zeek:id:: dns_NSEC3
+   :source-code: base/protocols/dns/main.zeek 601 604
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, nsec3: :zeek:type:`dns_nsec3_rr`)
+
+   Generated for DNS replies of type *NSEC3*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param nsec3: The parsed RDATA of Nsec3 record.
+
+.. zeek:id:: dns_NSEC3PARAM
+   :source-code: base/protocols/dns/main.zeek 606 609
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, nsec3param: :zeek:type:`dns_nsec3param_rr`)
+
+   Generated for DNS replies of type *NSEC3PARAM*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param nsec3param: The parsed RDATA of NSEC3PARAM record.
+
+.. zeek:id:: dns_NS_reply
+   :source-code: base/protocols/dns/main.zeek 504 507
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, name: :zeek:type:`string`)
+
+   Generated for DNS replies of type *NS*. For replies with multiple answers, an
+   individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param name: The name returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply  dns_PTR_reply dns_SOA_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_PTR_reply
+   :source-code: base/protocols/dns/main.zeek 520 523
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, name: :zeek:type:`string`)
+
+   Generated for DNS replies of type *PTR*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param name: The name returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply  dns_SOA_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_RRSIG
+   :source-code: base/protocols/dns/main.zeek 581 587
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, rrsig: :zeek:type:`dns_rrsig_rr`)
+
+   Generated for DNS replies of type *RRSIG*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param rrsig: The parsed RRSIG record.
+
+.. zeek:id:: dns_SOA_reply
+   :source-code: base/protocols/dns/main.zeek 525 528
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, soa: :zeek:type:`dns_soa`)
+
+   Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param soa: The parsed SOA value.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_SPF_reply
+   :source-code: base/protocols/dns/main.zeek 479 492
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, strs: :zeek:type:`string_vec`)
+
+   Generated for DNS replies of type *SPF*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param strs: The textual information returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl  dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_SRV_reply
+   :source-code: base/protocols/dns/main.zeek 535 538
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, target: :zeek:type:`string`, priority: :zeek:type:`count`, weight: :zeek:type:`count`, p: :zeek:type:`count`)
+
+   Generated for DNS replies of type *SRV*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param target: Target of the SRV response -- the canonical hostname of the
+           machine providing the service, ending in a dot.
+   
+
+   :param priority: Priority of the SRV response -- the priority of the target
+             host, lower value means more preferred.
+   
+
+   :param weight: Weight of the SRV response -- a relative weight for records
+           with the same priority, higher value means more preferred.
+   
+
+   :param p: Port of the SRV response -- the TCP or UDP port on which the
+      service is to be found.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_SSHFP
+   :source-code: base/protocols/dns/main.zeek 623 628
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, algo: :zeek:type:`count`, fptype: :zeek:type:`count`, fingerprint: :zeek:type:`string`)
+
+   Generated for DNS replies of type *BINDS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param binds: The parsed RDATA of BIND-Signing state record.
+
+.. zeek:id:: dns_SVCB
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 839 839
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, svcb: :zeek:type:`dns_svcb_rr`)
+
+   Generated for DNS replies of type *SVCB* (General Purpose Service Endpoints).
+   See `RFC draft for DNS SVCB/HTTPS <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
+   for more information about DNS SVCB/HTTPS resource records.
+   For replies with multiple answers, an individual event of the corresponding type is raised for each.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param svcb: The parsed RDATA of SVCB type record.
+
+.. zeek:id:: dns_TKEY
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 666 666
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_tkey`)
+
+   Generated for DNS replies of type *TKEY*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. See `RFC2930 <https://tools.ietf.org/html/rfc2930>`__
+   for more information about TKEY. Zeek analyzes both UDP and TCP DNS sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The parsed TKEY reply.
+   
+   .. note::
+   
+        Note that ``ans`` will only be populated if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_TSIG_addl
+
+.. zeek:id:: dns_TSIG_addl
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 695 695
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_tsig_additional`)
+
+   Generated for DNS replies of type *TSIG*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The parsed TSIG reply.
+   
+   .. note::
+   
+        Note that this event will only be raised if :zeek:see:`dns_skip_all_addl`
+        is set to false.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply  dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_TXT_reply
+   :source-code: base/protocols/dns/main.zeek 464 477
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, strs: :zeek:type:`string_vec`)
+
+   Generated for DNS replies of type *TXT*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+
+   :param strs: The textual information returned by the reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl  dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_WKS_reply
+   :source-code: base/protocols/dns/main.zeek 530 533
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`)
+
+   Generated for DNS replies of type *WKS*. For replies with multiple answers,
+   an individual event of the corresponding type is raised for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply  dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_end
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 879 879
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`)
+
+   Generated at the end of processing a DNS packet. This event is the last
+   ``dns_*`` event that will be raised for a DNS query/reply and signals that
+   all resource records have been passed on.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_request dns_max_queries dns_session_timeout
+      dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_message
+   :source-code: base/protocols/dns/main.zeek 348 355
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`dns_msg`, len: :zeek:type:`count`)
+
+   Generated for all DNS messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param is_orig:  True if the message was sent by the originator of the connection.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param len: The length of the message's raw representation (i.e., the DNS payload).
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid  dns_query_reply dns_rejected
+      dns_request dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_query_reply
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 121 121
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`, original_query: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`)
+
+   Generated for each entry in the Question section of a DNS reply.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param query: The queried name.
+   
+
+   :param qtype: The queried resource record type.
+   
+
+   :param qclass: The queried resource record class.
+   
+
+   :param original_query: The queried name, with the original case kept intact
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
+      dns_request dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_rejected
+   :source-code: base/protocols/dns/main.zeek 637 641
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`, original_query: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`)
+
+   Generated for DNS replies that reject a query. This event is raised if a DNS
+   reply indicates failure because it does not pass on any
+   answers to a query. Note that all of the event's parameters are parsed out of
+   the reply; there's no stateful correlation with the query.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param query: The queried name (normalized to all lowercase).
+   
+
+   :param qtype: The queried resource record type.
+   
+
+   :param qclass: The queried resource record class.
+   
+
+   :param original_query: The queried name, with the original case kept intact
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_request dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_request
+   :source-code: base/bif/plugins/Zeek_DNS.events.bif.zeek 56 56
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`, original_query: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, query: :zeek:type:`string`, qtype: :zeek:type:`count`, qclass: :zeek:type:`count`)
+
+   Generated for DNS requests. For requests with multiple queries, this event
+   is raised once for each.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+   information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+   sessions.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param query: The queried name (normalized to all lowercase).
+   
+
+   :param qtype: The queried resource record type.
+   
+
+   :param qclass: The queried resource record class.
+   
+
+   :param original_query: The queried name, with the original case kept intact
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
+      dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+      dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+      dns_rejected dns_max_queries dns_session_timeout dns_skip_addl
+      dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+
+.. zeek:id:: dns_unknown_reply
+   :source-code: base/protocols/dns/main.zeek 454 457
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`)
+
+   Generated on DNS reply resource records when the type of record is not one
+   that Zeek knows how to parse and generate another more specific event.
+   
+
+   :param c: The connection, which may be UDP or TCP depending on the type of the
+      transport-layer session being analyzed.
+   
+
+   :param msg: The parsed DNS message header.
+   
+
+   :param ans: The type-independent part of the parsed answer record.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_SRV_reply dns_end
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek.rst
new file mode 100644
index 0000000000..1e1adc948b
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek.rst
@@ -0,0 +1,87 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_FTP.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================== ==============================================================
+:zeek:id:`ftp_reply`: :zeek:type:`event`    Generated for server-side FTP replies.
+:zeek:id:`ftp_request`: :zeek:type:`event`  Generated for client-side FTP commands.
+:zeek:id:`ftp_starttls`: :zeek:type:`event` Generated if an FTP connection switched to TLS using AUTH TLS.
+=========================================== ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: ftp_reply
+   :source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 38 38
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`, msg: :zeek:type:`string`, cont_resp: :zeek:type:`bool`)
+
+   Generated for server-side FTP replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
+   more information about the FTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param code: The numerical response code the server responded with.
+   
+
+   :param msg:  The textual message of the response.
+   
+
+   :param cont_resp: True if the reply line is tagged as being continued to the next
+              line. If so, further events will be raised and a handler may want
+              to reassemble the pieces before processing the response any
+              further.
+   
+   .. zeek:see:: ftp_request fmt_ftp_port parse_eftp_port
+      parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+
+.. zeek:id:: ftp_request
+   :source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
+
+   Generated for client-side FTP commands.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
+   more information about the FTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param command: The FTP command issued by the client (without any arguments).
+   
+
+   :param arg: The arguments going with the command.
+   
+   .. zeek:see:: ftp_reply fmt_ftp_port parse_eftp_port
+      parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+
+.. zeek:id:: ftp_starttls
+   :source-code: base/bif/plugins/Zeek_FTP.events.bif.zeek 46 46
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated if an FTP connection switched to TLS using AUTH TLS. After this
+   event no more FTP events will be raised for the connection. See the SSL
+   analyzer for related SSL events, which will now be generated.
+   
+
+   :param c: The connection.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek.rst
new file mode 100644
index 0000000000..2742727a34
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek.rst
@@ -0,0 +1,115 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_FTP.functions.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================= ==========================================================================
+:zeek:id:`fmt_ftp_port`: :zeek:type:`function`    Formats an IP address and TCP port as an FTP PORT command.
+:zeek:id:`parse_eftp_port`: :zeek:type:`function` Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
+                                                  to an :zeek:type:`ftp_port`.
+:zeek:id:`parse_ftp_epsv`: :zeek:type:`function`  Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
+                                                  :zeek:type:`ftp_port`.
+:zeek:id:`parse_ftp_pasv`: :zeek:type:`function`  Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
+:zeek:id:`parse_ftp_port`: :zeek:type:`function`  Converts a string representation of the FTP PORT command to an
+                                                  :zeek:type:`ftp_port`.
+================================================= ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: fmt_ftp_port
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 65 65
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, p: :zeek:type:`port`) : :zeek:type:`string`
+
+   Formats an IP address and TCP port as an FTP PORT command. For example,
+   ``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``.
+   
+
+   :param a: The IP address.
+   
+
+   :param p: The TCP port.
+   
+
+   :returns: The FTP PORT string.
+   
+   .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
+
+.. zeek:id:: parse_eftp_port
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`ftp_port`
+
+   Converts a string representation of the FTP EPRT command (see :rfc:`2428`)
+   to an :zeek:type:`ftp_port`.  The format is
+   ``"EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>"``,
+   where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
+   
+
+   :param s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``.
+   
+
+   :returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
+   
+   .. zeek:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
+
+.. zeek:id:: parse_ftp_epsv
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 52 52
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`ftp_port`
+
+   Converts the result of the FTP EPSV command (see :rfc:`2428`) to an
+   :zeek:type:`ftp_port`.  The format is ``"<text> (<d><d><d><tcp-port><d>)"``,
+   where ``<d>`` is a delimiter in the ASCII range 33-126 (usually ``|``).
+   
+
+   :param str: The string containing the result of the FTP EPSV command.
+   
+
+   :returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
+   
+   .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port
+
+.. zeek:id:: parse_ftp_pasv
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`ftp_port`
+
+   Converts the result of the FTP PASV command to an :zeek:type:`ftp_port`.
+   
+
+   :param str: The string containing the result of the FTP PASV command.
+   
+
+   :returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
+   
+   .. zeek:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port
+
+.. zeek:id:: parse_ftp_port
+   :source-code: base/bif/plugins/Zeek_FTP.functions.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`ftp_port`
+
+   Converts a string representation of the FTP PORT command to an
+   :zeek:type:`ftp_port`.
+   
+
+   :param s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``.
+   
+
+   :returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]``.
+   
+   .. zeek:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_File.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_File.events.bif.zeek.rst
new file mode 100644
index 0000000000..f306df3058
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_File.events.bif.zeek.rst
@@ -0,0 +1,45 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_File.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=============================================== ========================================================================
+:zeek:id:`file_transferred`: :zeek:type:`event` Generated when a TCP connection associated w/ file data transfer is seen
+                                                (e.g.
+=============================================== ========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: file_transferred
+   :source-code: base/protocols/ftp/main.zeek 450 458
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, prefix: :zeek:type:`string`, descr: :zeek:type:`string`, mime_type: :zeek:type:`string`)
+
+   Generated when a TCP connection associated w/ file data transfer is seen
+   (e.g. as happens w/ FTP or IRC).
+   
+
+   :param c: The connection over which file data is transferred.
+   
+
+   :param prefix: Up to 1024 bytes of the file data.
+   
+
+   :param descr: Deprecated/unused argument.
+   
+
+   :param mime_type: MIME type of the file or "<unknown>" if no file magic signatures
+              matched.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek.rst
new file mode 100644
index 0000000000..93fff213eb
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek.rst
@@ -0,0 +1,39 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
+=================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================== ========================================================
+:zeek:id:`file_entropy`: :zeek:type:`event` This event is generated each time file analysis performs
+                                            entropy testing on a file.
+=========================================== ========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: file_entropy
+   :source-code: policy/frameworks/files/entropy-test-all-files.zeek 16 19
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ent: :zeek:type:`entropy_test_result`)
+
+   This event is generated each time file analysis performs
+   entropy testing on a file.
+   
+
+   :param f: The file.
+   
+
+   :param ent: The results of the entropy testing.
+   
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek.rst
new file mode 100644
index 0000000000..aa15c6ead2
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek.rst
@@ -0,0 +1,51 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_FileExtract.events.bif.zeek
+=================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+==================================================== ================================================================
+:zeek:id:`file_extraction_limit`: :zeek:type:`event` This event is generated when a file extraction analyzer is about
+                                                     to exceed the maximum permitted file size allowed by the
+                                                     *extract_limit* field of :zeek:see:`Files::AnalyzerArgs`.
+==================================================== ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: file_extraction_limit
+   :source-code: base/files/extract/main.zeek 89 93
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, args: :zeek:type:`Files::AnalyzerArgs`, limit: :zeek:type:`count`, len: :zeek:type:`count`)
+
+   This event is generated when a file extraction analyzer is about
+   to exceed the maximum permitted file size allowed by the
+   *extract_limit* field of :zeek:see:`Files::AnalyzerArgs`.
+   The analyzer is automatically removed from file *f*.
+   
+
+   :param f: The file.
+   
+
+   :param args: Arguments that identify a particular file extraction analyzer.
+         This is only provided to be able to pass along to
+         :zeek:see:`FileExtract::set_limit`.
+   
+
+   :param limit: The limit, in bytes, the extracted file is about to breach.
+   
+
+   :param len: The length of the file chunk about to be written.
+   
+   .. zeek:see:: Files::add_analyzer Files::ANALYZER_EXTRACT
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek.rst
new file mode 100644
index 0000000000..24be1a0da1
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
+====================================================
+.. zeek:namespace:: FileExtract
+.. zeek:namespace:: GLOBAL
+
+Internal functions used by the extraction file analyzer.
+
+:Namespaces: FileExtract, GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================== ===================================
+:zeek:id:`FileExtract::__set_limit`: :zeek:type:`function` :zeek:see:`FileExtract::set_limit`.
+========================================================== ===================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: FileExtract::__set_limit
+   :source-code: base/bif/plugins/Zeek_FileExtract.functions.bif.zeek 12 12
+
+   :Type: :zeek:type:`function` (file_id: :zeek:type:`string`, args: :zeek:type:`any`, n: :zeek:type:`count`) : :zeek:type:`bool`
+
+   :zeek:see:`FileExtract::set_limit`.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek.rst
new file mode 100644
index 0000000000..319516fe11
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek.rst
@@ -0,0 +1,44 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_FileHash.events.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+======================================== =========================================================================
+:zeek:id:`file_hash`: :zeek:type:`event` This event is generated each time file analysis generates a digest of the
+                                         file contents.
+======================================== =========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: file_hash
+   :source-code: base/bif/plugins/Zeek_FileHash.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, kind: :zeek:type:`string`, hash: :zeek:type:`string`)
+
+   This event is generated each time file analysis generates a digest of the
+   file contents.
+   
+
+   :param f: The file.
+   
+
+   :param kind: The type of digest algorithm.
+   
+
+   :param hash: The result of the hashing.
+   
+   .. zeek:see:: Files::add_analyzer Files::ANALYZER_MD5
+      Files::ANALYZER_SHA1 Files::ANALYZER_SHA256
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek.rst
new file mode 100644
index 0000000000..83fa642ed4
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek.rst
@@ -0,0 +1,37 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================ =========================================
+:zeek:id:`gssapi_neg_result`: :zeek:type:`event` Generated for GSSAPI negotiation results.
+================================================ =========================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: gssapi_neg_result
+   :source-code: base/bif/plugins/Zeek_GSSAPI.events.bif.zeek 10 10
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, state: :zeek:type:`count`)
+
+   Generated for GSSAPI negotiation results.
+   
+
+   :param c: The connection.
+   
+
+   :param state: The resulting state of the negotiation.
+   
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek.rst
new file mode 100644
index 0000000000..fc20c1d6de
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek.rst
@@ -0,0 +1,173 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_GTPv1.events.bif.zeek
+===========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================ ===================================================================
+:zeek:id:`gtpv1_create_pdp_ctx_request`: :zeek:type:`event`  Generated for GTPv1-C Create PDP Context Request messages.
+:zeek:id:`gtpv1_create_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Create PDP Context Response messages.
+:zeek:id:`gtpv1_delete_pdp_ctx_request`: :zeek:type:`event`  Generated for GTPv1-C Delete PDP Context Request messages.
+:zeek:id:`gtpv1_delete_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Delete PDP Context Response messages.
+:zeek:id:`gtpv1_g_pdu_packet`: :zeek:type:`event`            Generated for GTPv1 G-PDU packets.
+:zeek:id:`gtpv1_message`: :zeek:type:`event`                 Generated for any GTP message with a GTPv1 header.
+:zeek:id:`gtpv1_update_pdp_ctx_request`: :zeek:type:`event`  Generated for GTPv1-C Update PDP Context Request messages.
+:zeek:id:`gtpv1_update_pdp_ctx_response`: :zeek:type:`event` Generated for GTPv1-C Update PDP Context Response messages.
+:zeek:id:`new_gtpv1_state`: :zeek:type:`event`               Generated when a new GTP analyzer is instantiated for a connection.
+============================================================ ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: gtpv1_create_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 45 45
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Create PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_create_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 55 55
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Create PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_delete_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 85 85
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Delete PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_delete_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 95 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Delete PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_g_pdu_packet
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 35 35
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner_gtp: :zeek:type:`gtpv1_hdr`, inner_ip: :zeek:type:`pkt_hdr`)
+
+   Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
+   that includes a GTP header followed by an IPv4 or IPv6 packet.
+   
+
+   :param outer: The GTP outer tunnel connection.
+   
+
+   :param inner_gtp: The GTP header.
+   
+
+   :param inner_ip: The inner IP and transport layer packet headers.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: gtpv1_message
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`)
+
+   Generated for any GTP message with a GTPv1 header.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+
+.. zeek:id:: gtpv1_update_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 65 65
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Update PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_update_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 75 75
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Update PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: new_gtpv1_state
+   :source-code: base/packet-protocols/gtpv1/main.zeek 35 38
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a new GTP analyzer is instantiated for a connection.
+   
+   This event exists to install a connection removal hook to clear
+   internal per-connection GTPv1 state.
+   
+
+   :param c: The connection for which the analyzer is instantiated.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek.rst
new file mode 100644
index 0000000000..e151e200aa
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek.rst
@@ -0,0 +1,30 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: PacketAnalyzer::GTPV1
+
+
+:Namespaces: GLOBAL, PacketAnalyzer::GTPV1
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================================ =
+:zeek:id:`PacketAnalyzer::GTPV1::remove_gtpv1_connection`: :zeek:type:`function` 
+================================================================================ =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: PacketAnalyzer::GTPV1::remove_gtpv1_connection
+   :source-code: base/bif/plugins/Zeek_GTPv1.functions.bif.zeek 9 9
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek.rst
new file mode 100644
index 0000000000..65e5ce2617
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek.rst
@@ -0,0 +1,43 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Geneve.events.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================ =========================================================
+:zeek:id:`geneve_packet`: :zeek:type:`event` Generated for any packet encapsulated in a Geneve tunnel.
+============================================ =========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: geneve_packet
+   :source-code: base/bif/plugins/Zeek_Geneve.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`pkt_hdr`, vni: :zeek:type:`count`)
+
+   Generated for any packet encapsulated in a Geneve tunnel.
+   See :rfc:`8926` for more information about the Geneve protocol.
+   
+
+   :param outer: The Geneve tunnel connection.
+   
+
+   :param inner: The Geneve-encapsulated Ethernet packet header and transport header.
+   
+
+   :param vni: Geneve Network Identifier.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek.rst
new file mode 100644
index 0000000000..1197d1f453
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek.rst
@@ -0,0 +1,36 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Geneve.functions.bif.zeek
+===============================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: PacketAnalyzer::Geneve
+
+
+:Namespaces: GLOBAL, PacketAnalyzer::Geneve
+
+Summary
+~~~~~~~
+Functions
+#########
+===================================================================== =================================================================
+:zeek:id:`PacketAnalyzer::Geneve::get_options`: :zeek:type:`function` Returns all Geneve options from all layers of the current packet.
+===================================================================== =================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: PacketAnalyzer::Geneve::get_options
+   :source-code: base/bif/plugins/Zeek_Geneve.functions.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` () : :zeek:type:`geneve_options_vec_vec`
+
+   Returns all Geneve options from all layers of the current packet.
+   
+   The last entry in the outer vector are the options of the most
+   inner Geneve header.
+   
+   Returns a vector of vector of :zeek:see:`PacketAnalyzer::Geneve::Option` records.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek.rst
new file mode 100644
index 0000000000..97ed6393dd
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek.rst
@@ -0,0 +1,137 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Gnutella.events.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================== =====
+:zeek:id:`gnutella_binary_msg`: :zeek:type:`event`         TODO.
+:zeek:id:`gnutella_establish`: :zeek:type:`event`          TODO.
+:zeek:id:`gnutella_http_notify`: :zeek:type:`event`        TODO.
+:zeek:id:`gnutella_not_establish`: :zeek:type:`event`      TODO.
+:zeek:id:`gnutella_partial_binary_msg`: :zeek:type:`event` TODO.
+:zeek:id:`gnutella_text_msg`: :zeek:type:`event`           TODO.
+========================================================== =====
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: gnutella_binary_msg
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 32 32
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, msg_type: :zeek:type:`count`, ttl: :zeek:type:`count`, hops: :zeek:type:`count`, msg_len: :zeek:type:`count`, payload: :zeek:type:`string`, payload_len: :zeek:type:`count`, trunc: :zeek:type:`bool`, complete: :zeek:type:`bool`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
+      gnutella_partial_binary_msg gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_establish
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 62 62
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_binary_msg  gnutella_http_notify gnutella_not_establish
+      gnutella_partial_binary_msg gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_http_notify
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
+      gnutella_partial_binary_msg gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_not_establish
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 77 77
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+      gnutella_partial_binary_msg gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_partial_binary_msg
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 47 47
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, msg: :zeek:type:`string`, len: :zeek:type:`count`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+      gnutella_not_establish  gnutella_text_msg
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: gnutella_text_msg
+   :source-code: base/bif/plugins/Zeek_Gnutella.events.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, headers: :zeek:type:`string`)
+
+   TODO.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+   information about the Gnutella protocol.
+   
+   .. zeek:see::  gnutella_binary_msg gnutella_establish gnutella_http_notify
+      gnutella_not_establish gnutella_partial_binary_msg
+   
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek.rst
new file mode 100644
index 0000000000..90c57d4e62
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek.rst
@@ -0,0 +1,374 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_HTTP.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== ========================================================================
+:zeek:id:`http_all_headers`: :zeek:type:`event`        Generated for HTTP headers, passing on all headers of an HTTP message at
+                                                       once.
+:zeek:id:`http_begin_entity`: :zeek:type:`event`       Generated when starting to parse an HTTP body entity.
+:zeek:id:`http_connection_upgrade`: :zeek:type:`event` Generated when a HTTP session is upgraded to a different protocol (e.g.
+:zeek:id:`http_content_type`: :zeek:type:`event`       Generated for reporting an HTTP body's content type.
+:zeek:id:`http_end_entity`: :zeek:type:`event`         Generated when finishing parsing an HTTP body entity.
+:zeek:id:`http_entity_data`: :zeek:type:`event`        Generated when parsing an HTTP body entity, passing on the data.
+:zeek:id:`http_event`: :zeek:type:`event`              Generated for errors found when decoding HTTP requests or replies.
+:zeek:id:`http_header`: :zeek:type:`event`             Generated for HTTP headers.
+:zeek:id:`http_message_done`: :zeek:type:`event`       Generated once at the end of parsing an HTTP message.
+:zeek:id:`http_reply`: :zeek:type:`event`              Generated for HTTP replies.
+:zeek:id:`http_request`: :zeek:type:`event`            Generated for HTTP requests.
+:zeek:id:`http_stats`: :zeek:type:`event`              Generated at the end of an HTTP session to report statistics about it.
+====================================================== ========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: http_all_headers
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 100 100
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, hlist: :zeek:type:`mime_header_list`)
+
+   Generated for HTTP headers, passing on all headers of an HTTP message at
+   once. Zeek supports persistent and pipelined HTTP sessions and raises
+   corresponding events as it parses client/server dialogues.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the header was sent by the originator of the TCP connection.
+   
+
+   :param hlist: A *table* containing all headers extracted from the current entity.
+          The table is indexed by the position of the header (1 for the first,
+          2 for the second, etc.).
+   
+   .. zeek:see::  http_begin_entity http_content_type http_end_entity http_entity_data
+      http_event http_header http_message_done http_reply http_request http_stats
+      http_connection_upgrade
+   
+   .. note:: This event is also raised for headers found in nested body
+      entities.
+
+.. zeek:id:: http_begin_entity
+   :source-code: base/protocols/http/entities.zeek 73 83
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated when starting to parse an HTTP body entity. This event is generated
+   at least once for each non-empty (client or server) HTTP body; and
+   potentially more than once if the body contains further nested MIME
+   entities. Zeek raises this event just before it starts parsing each entity's
+   content.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+   .. zeek:see:: http_all_headers  http_content_type http_end_entity http_entity_data
+      http_event http_header http_message_done http_reply http_request http_stats
+      mime_begin_entity http_connection_upgrade
+
+.. zeek:id:: http_connection_upgrade
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 267 267
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, protocol: :zeek:type:`string`)
+
+   Generated when a HTTP session is upgraded to a different protocol (e.g. websocket).
+   This event is raised when a server replies with a HTTP 101 reply. No more HTTP events
+   will be raised after this event.
+   
+
+   :param c: The connection.
+   
+
+   :param protocol: The protocol to which the connection is switching.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header http_message_done http_reply
+      http_request
+
+.. zeek:id:: http_content_type
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 196 196
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, ty: :zeek:type:`string`, subty: :zeek:type:`string`)
+
+   Generated for reporting an HTTP body's content type.  This event is
+   generated at the end of parsing an HTTP header, passing on the MIME
+   type as specified by the ``Content-Type`` header. If that header is
+   missing, this event is still raised with a default value of ``text/plain``.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+
+   :param ty: The main type.
+   
+
+   :param subty: The subtype.
+   
+   .. zeek:see:: http_all_headers http_begin_entity  http_end_entity http_entity_data
+      http_event http_header http_message_done http_reply http_request http_stats
+      http_connection_upgrade
+   
+   .. note:: This event is also raised for headers found in nested body
+      entities.
+
+.. zeek:id:: http_end_entity
+   :source-code: base/protocols/http/entities.zeek 214 218
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated when finishing parsing an HTTP body entity. This event is generated
+   at least once for each non-empty (client or server) HTTP body; and
+   potentially more than once if the body contains further nested MIME
+   entities. Zeek raises this event at the point when it has finished parsing an
+   entity's content.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_entity_data
+      http_event http_header http_message_done http_reply http_request
+      http_stats mime_end_entity http_connection_upgrade
+
+.. zeek:id:: http_entity_data
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 170 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, length: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated when parsing an HTTP body entity, passing on the data. This event
+   can potentially be raised many times for each entity, each time passing a
+   chunk of the data of not further defined size.
+   
+   A common idiom for using this event is to first *reassemble* the data
+   at the scripting layer by concatenating it to a successively growing
+   string; and only perform further content analysis once the corresponding
+   :zeek:id:`http_end_entity` event has been raised. Note, however, that doing so
+   can be quite expensive for HTTP tranders. At the very least, one should
+   impose an upper size limit on how much data is being buffered.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+
+   :param length: The length of *data*.
+   
+
+   :param data: One chunk of raw entity data.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_event http_header http_message_done http_reply http_request http_stats
+      mime_entity_data http_entity_data_delivery_size skip_http_data
+      http_connection_upgrade
+
+.. zeek:id:: http_event
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 238 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, event_type: :zeek:type:`string`, detail: :zeek:type:`string`)
+
+   Generated for errors found when decoding HTTP requests or replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param event_type: A string describing the general category of the problem found
+               (e.g., ``illegal format``).
+   
+
+   :param detail: Further more detailed description of the error.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data  http_header http_message_done http_reply http_request
+      http_stats mime_event http_connection_upgrade
+
+.. zeek:id:: http_header
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 74 74
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, original_name: :zeek:type:`string`, name: :zeek:type:`string`, value: :zeek:type:`string`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
+   sessions and raises corresponding events as it parses client/server
+   dialogues.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the header was sent by the originator of the TCP connection.
+   
+
+   :param original_name: The name of the header (unaltered).
+   
+
+   :param name: The name of the header (converted to all uppercase).
+   
+
+   :param value: The value of the header.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event  http_message_done http_reply http_request
+      http_stats http_connection_upgrade
+   
+   .. note:: This event is also raised for headers found in nested body
+      entities.
+
+.. zeek:id:: http_message_done
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 220 220
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, stat: :zeek:type:`http_message_stat`)
+
+   Generated once at the end of parsing an HTTP message. Zeek supports persistent
+   and pipelined HTTP sessions and raises corresponding events as it parses
+   client/server dialogues. A "message" is one top-level HTTP entity, such as a
+   complete request or reply. Each message can have further nested sub-entities
+   inside. This event is raised once all sub-entities belonging to a top-level
+   message have been processed (and their corresponding ``http_entity_*`` events
+   generated).
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the entity was sent by the originator of the TCP
+            connection.
+   
+
+   :param stat: Further meta information about the message.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header  http_reply http_request http_stats
+      http_connection_upgrade
+
+.. zeek:id:: http_reply
+   :source-code: base/protocols/http/main.zeek 274 313
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
+
+   Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
+   sessions and raises corresponding events as it parses client/server
+   dialogues. This event is generated as soon as a reply's initial line has
+   been parsed, and before any :zeek:id:`http_header` events are raised.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param version: The version number specified in the reply (e.g., ``1.1``).
+   
+
+   :param code: The numerical response code returned by the server.
+   
+
+   :param reason: The textual description returned by the server along with *code*.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header http_message_done http_request
+      http_stats http_connection_upgrade
+
+.. zeek:id:: http_request
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 26 26
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, method: :zeek:type:`string`, original_URI: :zeek:type:`string`, unescaped_URI: :zeek:type:`string`, version: :zeek:type:`string`)
+
+   Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
+   sessions and raises corresponding events as it parses client/server
+   dialogues. This event is generated as soon as a request's initial line has
+   been parsed, and before any :zeek:id:`http_header` events are raised.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
+   for more information about the HTTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``).
+   
+
+   :param original_URI: The unprocessed URI as specified in the request.
+   
+
+   :param unescaped_URI: The URI with all percent-encodings decoded.
+   
+
+   :param version: The version number specified in the request (e.g., ``1.1``).
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header http_message_done http_reply http_stats
+      truncate_http_URI http_connection_upgrade
+
+.. zeek:id:: http_stats
+   :source-code: base/bif/plugins/Zeek_HTTP.events.bif.zeek 253 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, stats: :zeek:type:`http_stats_rec`)
+
+   Generated at the end of an HTTP session to report statistics about it. This
+   event is raised after all of an HTTP session's requests and replies have been
+   fully processed.
+   
+
+   :param c: The connection.
+   
+
+   :param stats: Statistics summarizing HTTP-level properties of the finished
+          connection.
+   
+   .. zeek:see:: http_all_headers http_begin_entity http_content_type http_end_entity
+      http_entity_data http_event http_header http_message_done http_reply
+      http_request http_connection_upgrade
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek.rst
new file mode 100644
index 0000000000..5285c3f95a
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek.rst
@@ -0,0 +1,60 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_HTTP.functions.bif.zeek
+=============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+======================================================= ===============================================================
+:zeek:id:`skip_http_entity_data`: :zeek:type:`function` Skips the data of the HTTP entity.
+:zeek:id:`unescape_URI`: :zeek:type:`function`          Unescapes all characters in a URI (decode every ``%xx`` group).
+======================================================= ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: skip_http_entity_data
+   :source-code: base/bif/plugins/Zeek_HTTP.functions.bif.zeek 14 14
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`any`
+
+   Skips the data of the HTTP entity.
+   
+
+   :param c: The HTTP connection.
+   
+
+   :param is_orig: If true, the client data is skipped, and the server data otherwise.
+   
+   .. zeek:see:: skip_smtp_data
+
+.. zeek:id:: unescape_URI
+   :source-code: base/bif/plugins/Zeek_HTTP.functions.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (URI: :zeek:type:`string`) : :zeek:type:`string`
+
+   Unescapes all characters in a URI (decode every ``%xx`` group).
+   
+
+   :param URI: The URI to unescape.
+   
+
+   :returns: The unescaped URI with all ``%xx`` groups decoded.
+   
+   .. note::
+   
+        Unescaping reserved characters may cause loss of information.
+        :rfc:`2396`: A URI is always in an "escaped" form, since escaping or
+        unescaping a completed URI might change its semantics.  Normally, the
+        only time escape encodings can safely be made is when the URI is
+        being created from its component parts.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek.rst
new file mode 100644
index 0000000000..169d6bd7fa
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek.rst
@@ -0,0 +1,529 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_ICMP.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================== =====================================================================
+:zeek:id:`icmp_echo_reply`: :zeek:type:`event`             Generated for ICMP *echo reply* messages.
+:zeek:id:`icmp_echo_request`: :zeek:type:`event`           Generated for ICMP *echo request* messages.
+:zeek:id:`icmp_error_message`: :zeek:type:`event`          Generated for all ICMPv6 error messages that are not handled
+                                                           separately with dedicated events.
+:zeek:id:`icmp_neighbor_advertisement`: :zeek:type:`event` Generated for ICMP *neighbor advertisement* messages.
+:zeek:id:`icmp_neighbor_solicitation`: :zeek:type:`event`  Generated for ICMP *neighbor solicitation* messages.
+:zeek:id:`icmp_packet_too_big`: :zeek:type:`event`         Generated for ICMPv6 *packet too big* messages.
+:zeek:id:`icmp_parameter_problem`: :zeek:type:`event`      Generated for ICMPv6 *parameter problem* messages.
+:zeek:id:`icmp_redirect`: :zeek:type:`event`               Generated for ICMP *redirect* messages.
+:zeek:id:`icmp_router_advertisement`: :zeek:type:`event`   Generated for ICMP *router advertisement* messages.
+:zeek:id:`icmp_router_solicitation`: :zeek:type:`event`    Generated for ICMP *router solicitation* messages.
+:zeek:id:`icmp_sent`: :zeek:type:`event`                   Generated for all ICMP messages that are not handled separately with
+                                                           dedicated ICMP events.
+:zeek:id:`icmp_sent_payload`: :zeek:type:`event`           The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
+:zeek:id:`icmp_time_exceeded`: :zeek:type:`event`          Generated for ICMP *time exceeded* messages.
+:zeek:id:`icmp_unreachable`: :zeek:type:`event`            Generated for ICMP *destination unreachable* messages.
+========================================================== =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: icmp_echo_reply
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 88 88
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, id: :zeek:type:`count`, seq: :zeek:type:`count`, payload: :zeek:type:`string`)
+
+   Generated for ICMP *echo reply* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+
+   :param id: The *echo reply* identifier.
+   
+
+   :param seq: The *echo reply* sequence number.
+   
+
+   :param payload: The message-specific data of the packet payload, i.e., everything
+            after the first 8 bytes of the ICMP header.
+   
+   .. zeek:see:: icmp_echo_request
+
+.. zeek:id:: icmp_echo_request
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 63 63
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, id: :zeek:type:`count`, seq: :zeek:type:`count`, payload: :zeek:type:`string`)
+
+   Generated for ICMP *echo request* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+
+   :param id: The *echo request* identifier.
+   
+
+   :param seq: The *echo request* sequence number.
+   
+
+   :param payload: The message-specific data of the packet payload, i.e., everything
+            after the first 8 bytes of the ICMP header.
+   
+   .. zeek:see:: icmp_echo_reply
+
+.. zeek:id:: icmp_error_message
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 115 115
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
+
+   Generated for all ICMPv6 error messages that are not handled
+   separately with dedicated events. Zeek's ICMP analyzer handles a number
+   of ICMP error messages directly with dedicated events. This event acts
+   as a fallback for those it doesn't.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
+   information about the ICMPv6 protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+
+   :param code: The ICMP code of the error message.
+   
+
+   :param context: A record with specifics of the original packet that the message
+            refers to.
+   
+   .. zeek:see:: icmp_unreachable icmp_packet_too_big
+      icmp_time_exceeded icmp_parameter_problem
+
+.. zeek:id:: icmp_neighbor_advertisement
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 343 343
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, router: :zeek:type:`bool`, solicited: :zeek:type:`bool`, override: :zeek:type:`bool`, tgt: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
+
+   Generated for ICMP *neighbor advertisement* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param router: Flag indicating the sender is a router.
+   
+
+   :param solicited: Flag indicating advertisement is in response to a solicitation.
+   
+
+   :param override: Flag indicating advertisement should override existing caches.
+   
+
+   :param tgt: the Target Address in the soliciting message or the address whose
+        link-layer address has changed for unsolicited adverts.
+   
+
+   :param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+   
+   .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
+      icmp_neighbor_solicitation icmp_redirect
+
+.. zeek:id:: icmp_neighbor_solicitation
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 313 313
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, tgt: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
+
+   Generated for ICMP *neighbor solicitation* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param tgt: The IP address of the target of the solicitation.
+   
+
+   :param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+   
+   .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
+      icmp_neighbor_advertisement icmp_redirect
+
+.. zeek:id:: icmp_packet_too_big
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 171 171
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
+
+   Generated for ICMPv6 *packet too big* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
+   information about the ICMPv6 protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param code: The ICMP code of the *too big* message.
+   
+
+   :param context: A record with specifics of the original packet that the message
+            refers to. *Too big* messages should include the original IP header
+            from the packet that triggered them, and Zeek parses that into
+            the *context* structure. Note that if the *too big* includes only
+            a partial IP header for some reason, no fields of *context* will
+            be filled out.
+   
+   .. zeek:see:: icmp_error_message icmp_unreachable
+      icmp_time_exceeded icmp_parameter_problem
+
+.. zeek:id:: icmp_parameter_problem
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 227 227
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
+
+   Generated for ICMPv6 *parameter problem* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
+   information about the ICMPv6 protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param code: The ICMP code of the *parameter problem* message.
+   
+
+   :param context: A record with specifics of the original packet that the message
+            refers to. *Parameter problem* messages should include the original
+            IP header from the packet that triggered them, and Zeek parses that
+            into the *context* structure. Note that if the *parameter problem*
+            includes only a partial IP header for some reason, no fields
+            of *context* will be filled out.
+   
+   .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
+      icmp_time_exceeded
+
+.. zeek:id:: icmp_redirect
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 369 369
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, tgt: :zeek:type:`addr`, dest: :zeek:type:`addr`, options: :zeek:type:`icmp6_nd_options`)
+
+   Generated for ICMP *redirect* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param tgt: The address that is supposed to be a better first hop to use for
+        ICMP Destination Address.
+   
+
+   :param dest: The address of the destination which is redirected to the target.
+   
+
+   :param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+   
+   .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
+      icmp_neighbor_solicitation icmp_neighbor_advertisement
+
+.. zeek:id:: icmp_router_advertisement
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 290 290
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, cur_hop_limit: :zeek:type:`count`, managed: :zeek:type:`bool`, other: :zeek:type:`bool`, home_agent: :zeek:type:`bool`, pref: :zeek:type:`count`, proxy: :zeek:type:`bool`, rsv: :zeek:type:`count`, router_lifetime: :zeek:type:`interval`, reachable_time: :zeek:type:`interval`, retrans_timer: :zeek:type:`interval`, options: :zeek:type:`icmp6_nd_options`)
+
+   Generated for ICMP *router advertisement* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param cur_hop_limit: The default value that should be placed in Hop Count field
+                  for outgoing IP packets.
+   
+
+   :param managed: Managed address configuration flag, :rfc:`4861`.
+   
+
+   :param other: Other stateful configuration flag, :rfc:`4861`.
+   
+
+   :param home_agent: Mobile IPv6 home agent flag, :rfc:`3775`.
+   
+
+   :param pref: Router selection preferences, :rfc:`4191`.
+   
+
+   :param proxy: Neighbor discovery proxy flag, :rfc:`4389`.
+   
+
+   :param rsv: Remaining two reserved bits of router advertisement flags.
+   
+
+   :param router_lifetime: How long this router should be used as a default router.
+   
+
+   :param reachable_time: How long a neighbor should be considered reachable.
+   
+
+   :param retrans_timer: How long a host should wait before retransmitting.
+   
+
+   :param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+   
+   .. zeek:see:: icmp_router_solicitation
+      icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
+
+.. zeek:id:: icmp_router_solicitation
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 248 248
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, options: :zeek:type:`icmp6_nd_options`)
+
+   Generated for ICMP *router solicitation* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+   
+   .. zeek:see:: icmp_router_advertisement
+      icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
+
+.. zeek:id:: icmp_sent
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 22 22
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`)
+
+   Generated for all ICMP messages that are not handled separately with
+   dedicated ICMP events. Zeek's ICMP analyzer handles a number of ICMP messages
+   directly with dedicated events. This event acts as a fallback for those it
+   doesn't.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+   .. zeek:see:: icmp_error_message icmp_sent_payload
+
+.. zeek:id:: icmp_sent_payload
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 38 38
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, payload: :zeek:type:`string`)
+
+   The same as :zeek:see:`icmp_sent` except containing the ICMP payload.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard
+         connection record *c*.
+   
+
+   :param payload: The payload of the ICMP message.
+   
+   .. zeek:see:: icmp_error_message icmp_sent_payload
+
+.. zeek:id:: icmp_time_exceeded
+   :source-code: policy/misc/detect-traceroute/main.zeek 100 103
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
+
+   Generated for ICMP *time exceeded* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param code: The ICMP code of the *exceeded* message.
+   
+
+   :param context: A record with specifics of the original packet that the message
+            refers to. *Unreachable* messages should include the original IP
+            header from the packet that triggered them, and Zeek parses that
+            into the *context* structure. Note that if the *exceeded* includes
+            only a partial IP header for some reason, no fields of *context*
+            will be filled out.
+   
+   .. zeek:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
+      icmp_parameter_problem
+
+.. zeek:id:: icmp_unreachable
+   :source-code: base/bif/plugins/Zeek_ICMP.events.bif.zeek 143 143
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`icmp_info`, code: :zeek:type:`count`, context: :zeek:type:`icmp_context`)
+
+   Generated for ICMP *destination unreachable* messages.
+   
+   See `Wikipedia
+   <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+   information about the ICMP protocol.
+   
+
+   :param c: The connection record for the corresponding ICMP flow.
+   
+
+   :param icmp: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param info: Additional ICMP-specific information augmenting the standard connection
+         record *c*.
+   
+
+   :param code: The ICMP code of the *unreachable* message.
+   
+
+   :param context: A record with specifics of the original packet that the message
+            refers to. *Unreachable* messages should include the original IP
+            header from the packet that triggered them, and Zeek parses that
+            into the *context* structure. Note that if the *unreachable*
+            includes only a partial IP header for some reason, no
+            fields of *context* will be filled out.
+   
+   .. zeek:see:: icmp_error_message icmp_packet_too_big
+      icmp_time_exceeded icmp_parameter_problem
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek.rst
new file mode 100644
index 0000000000..75508fce9b
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek.rst
@@ -0,0 +1,51 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_IMAP.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================ ==================================================================
+:zeek:id:`imap_capabilities`: :zeek:type:`event` Generated when a server sends a capability list to the client,
+                                                 after being queried using the CAPABILITY command.
+:zeek:id:`imap_starttls`: :zeek:type:`event`     Generated when a IMAP connection goes encrypted after a successful
+                                                 StartTLS exchange between the client and the server.
+================================================ ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: imap_capabilities
+   :source-code: base/bif/plugins/Zeek_IMAP.events.bif.zeek 10 10
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, capabilities: :zeek:type:`string_vec`)
+
+   Generated when a server sends a capability list to the client,
+   after being queried using the CAPABILITY command.
+   
+
+   :param c: The connection.
+   
+
+   :param capabilities: The list of IMAP capabilities as sent by the server.
+
+.. zeek:id:: imap_starttls
+   :source-code: base/bif/plugins/Zeek_IMAP.events.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a IMAP connection goes encrypted after a successful
+   StartTLS exchange between the client and the server.
+   
+
+   :param c: The connection.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek.rst
new file mode 100644
index 0000000000..ebdd37afab
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek.rst
@@ -0,0 +1,1162 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_IRC.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== ===================================================================
+:zeek:id:`irc_channel_info`: :zeek:type:`event`        Generated for an IRC reply of type *luserchannels*.
+:zeek:id:`irc_channel_topic`: :zeek:type:`event`       Generated for an IRC reply of type *topic*.
+:zeek:id:`irc_dcc_message`: :zeek:type:`event`         Generated for IRC messages of type *dcc*.
+:zeek:id:`irc_dcc_send_ack`: :zeek:type:`event`        Generated for IRC messages of type *dcc*.
+:zeek:id:`irc_error_message`: :zeek:type:`event`       Generated for IRC messages of type *error*.
+:zeek:id:`irc_global_users`: :zeek:type:`event`        Generated for an IRC reply of type *globalusers*.
+:zeek:id:`irc_invalid_nick`: :zeek:type:`event`        Generated when a server rejects an IRC nickname.
+:zeek:id:`irc_invite_message`: :zeek:type:`event`      Generated for IRC messages of type *invite*.
+:zeek:id:`irc_join_message`: :zeek:type:`event`        Generated for IRC messages of type *join*.
+:zeek:id:`irc_kick_message`: :zeek:type:`event`        Generated for IRC messages of type *kick*.
+:zeek:id:`irc_message`: :zeek:type:`event`             Generated for IRC commands forwarded from the server to the client.
+:zeek:id:`irc_mode_message`: :zeek:type:`event`        Generated for IRC messages of type *mode*.
+:zeek:id:`irc_names_info`: :zeek:type:`event`          Generated for an IRC reply of type *namereply*.
+:zeek:id:`irc_network_info`: :zeek:type:`event`        Generated for an IRC reply of type *luserclient*.
+:zeek:id:`irc_nick_message`: :zeek:type:`event`        Generated for IRC messages of type *nick*.
+:zeek:id:`irc_notice_message`: :zeek:type:`event`      Generated for IRC messages of type *notice*.
+:zeek:id:`irc_oper_message`: :zeek:type:`event`        Generated for IRC messages of type *oper*.
+:zeek:id:`irc_oper_response`: :zeek:type:`event`       Generated for IRC replies of type *youreoper* and *nooperhost*.
+:zeek:id:`irc_part_message`: :zeek:type:`event`        Generated for IRC messages of type *part*.
+:zeek:id:`irc_password_message`: :zeek:type:`event`    Generated for IRC messages of type *password*.
+:zeek:id:`irc_privmsg_message`: :zeek:type:`event`     Generated for IRC messages of type *privmsg*.
+:zeek:id:`irc_quit_message`: :zeek:type:`event`        Generated for IRC messages of type *quit*.
+:zeek:id:`irc_reply`: :zeek:type:`event`               Generated for all IRC replies.
+:zeek:id:`irc_request`: :zeek:type:`event`             Generated for all client-side IRC commands.
+:zeek:id:`irc_server_info`: :zeek:type:`event`         Generated for an IRC reply of type *luserme*.
+:zeek:id:`irc_squery_message`: :zeek:type:`event`      Generated for IRC messages of type *squery*.
+:zeek:id:`irc_squit_message`: :zeek:type:`event`       Generated for IRC messages of type *squit*.
+:zeek:id:`irc_starttls`: :zeek:type:`event`            Generated if an IRC connection switched to TLS using STARTTLS.
+:zeek:id:`irc_user_message`: :zeek:type:`event`        Generated for IRC messages of type *user*.
+:zeek:id:`irc_who_line`: :zeek:type:`event`            Generated for an IRC reply of type *whoreply*.
+:zeek:id:`irc_who_message`: :zeek:type:`event`         Generated for IRC messages of type *who*.
+:zeek:id:`irc_whois_channel_line`: :zeek:type:`event`  Generated for an IRC reply of type *whoischannels*.
+:zeek:id:`irc_whois_message`: :zeek:type:`event`       Generated for IRC messages of type *whois*.
+:zeek:id:`irc_whois_operator_line`: :zeek:type:`event` Generated for an IRC reply of type *whoisoperator*.
+:zeek:id:`irc_whois_user_line`: :zeek:type:`event`     Generated for an IRC reply of type *whoisuser*.
+====================================================== ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: irc_channel_info
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 339 339
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, chans: :zeek:type:`count`)
+
+   Generated for an IRC reply of type *luserchannels*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param chans: The number of channels as returned in the reply.
+   
+   .. zeek:see::  irc_channel_topic irc_dcc_message irc_error_message irc_global_users
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_channel_topic
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 534 534
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, channel: :zeek:type:`string`, topic: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *topic*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param channel: The channel name specified in the reply.
+   
+
+   :param topic: The topic specified in the reply.
+   
+   .. zeek:see:: irc_channel_info  irc_dcc_message irc_error_message irc_global_users
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_dcc_message
+   :source-code: base/protocols/irc/dcc-send.zeek 109 123
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, target: :zeek:type:`string`, dcc_type: :zeek:type:`string`, argument: :zeek:type:`string`, address: :zeek:type:`addr`, dest_port: :zeek:type:`count`, size: :zeek:type:`count`)
+
+   Generated for IRC messages of type *dcc*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+   See `Wikipedia <https://en.wikipedia.org/wiki/Direct_Client-to-Client>`__ for more
+   information about the DCC.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param target: The target specified in the message.
+   
+
+   :param dcc_type: The DCC type specified in the message.
+   
+
+   :param argument:  The argument specified in the message.
+   
+
+   :param address: The address specified in the message.
+   
+
+   :param dest_port: The destination port specified in the message.
+   
+
+   :param size: The size specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic  irc_error_message irc_global_users
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_dcc_send_ack
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 789 789
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, bytes_received: :zeek:type:`count`)
+
+   Generated for IRC messages of type *dcc*. This event is generated for
+   DCC SEND acknowledge message.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+   See `Wikipedia <https://en.wikipedia.org/wiki/Direct_Client-to-Client>`__ for more
+   information about the DCC.
+   
+
+   :param c: The connection.
+   
+
+   :param bytes_received: The number of bytes received as reported by the recipient.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message
+
+.. zeek:id:: irc_error_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 655 655
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *error*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param message: The textual description specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_global_users
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 512 512
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, msg: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *globalusers*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param msg: The message coming with the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_invalid_nick
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 271 271
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated when a server rejects an IRC nickname.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users  irc_invite_message irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_invite_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 681 681
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, nickname: :zeek:type:`string`, channel: :zeek:type:`string`)
+
+   Generated for IRC messages of type *invite*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param nickname: The nickname specified in the message.
+   
+
+   :param channel: The channel specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick  irc_join_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_join_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 205 205
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, info_list: :zeek:type:`irc_join_list`)
+
+   Generated for IRC messages of type *join*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param info_list: The user information coming with the command.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_kick_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 631 631
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, chans: :zeek:type:`string`, users: :zeek:type:`string`, comment: :zeek:type:`string`)
+
+   Generated for IRC messages of type *kick*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param chans: The channels specified in the message.
+   
+
+   :param users: The users specified in the message.
+   
+
+   :param comment: The comment specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 86 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, command: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC commands forwarded from the server to the client.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Always false.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param command: The command.
+   
+
+   :param message: TODO.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message  irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+   
+   .. note::
+   
+      This event is generated only for messages that are forwarded by the server
+      to the client. Commands coming from client trigger the
+      :zeek:id:`irc_request` event instead.
+
+.. zeek:id:: irc_mode_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 705 705
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, params: :zeek:type:`string`)
+
+   Generated for IRC messages of type *mode*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param params: The parameters coming with the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message  irc_names_info irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_names_info
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 400 400
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, c_type: :zeek:type:`string`, channel: :zeek:type:`string`, users: :zeek:type:`string_set`)
+
+   Generated for an IRC reply of type *namereply*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param c_type: The channel type.
+   
+
+   :param channel: The channel.
+   
+
+   :param users: The set of users.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message  irc_network_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_network_info
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 295 295
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, users: :zeek:type:`count`, services: :zeek:type:`count`, servers: :zeek:type:`count`)
+
+   Generated for an IRC reply of type *luserclient*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param users: The number of users as returned in the reply.
+   
+
+   :param services: The number of services as returned in the reply.
+   
+
+   :param servers: The number of servers as returned in the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_nick_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 253 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, who: :zeek:type:`string`, newnick: :zeek:type:`string`)
+
+   Generated for IRC messages of type *nick*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param who: The user changing its nickname.
+   
+
+   :param newnick: The new nickname.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_notice_message irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_notice_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 159 159
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, source: :zeek:type:`string`, target: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *notice*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param source: The source of the private communication.
+   
+
+   :param target: The target of the private communication.
+   
+
+   :param message: The text of communication.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message  irc_oper_message irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_oper_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 603 603
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
+
+   Generated for IRC messages of type *oper*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param user: The user specified in the message.
+   
+
+   :param password: The password specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message  irc_oper_response irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_oper_response
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 489 489
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, got_oper: :zeek:type:`bool`)
+
+   Generated for IRC replies of type *youreoper* and *nooperhost*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param got_oper: True if the *oper* command was executed successfully
+             (*youreport*) and false otherwise (*nooperhost*).
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_part_message
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_part_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 230 230
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`, chans: :zeek:type:`string_set`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *part*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname coming with the message.
+   
+
+   :param chans: The set of channels affected.
+   
+
+   :param message: The text coming with the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_password_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 837 837
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, password: :zeek:type:`string`)
+
+   Generated for IRC messages of type *password*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param password: The password specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_dcc_send_ack
+
+.. zeek:id:: irc_privmsg_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 134 134
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, source: :zeek:type:`string`, target: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *privmsg*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param source: The source of the private communication.
+   
+
+   :param target: The target of the private communication.
+   
+
+   :param message: The text of communication.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_quit_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 109 109
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *quit*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname coming with the message.
+   
+
+   :param message: The text included with the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_reply
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 56 56
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, code: :zeek:type:`count`, params: :zeek:type:`string`)
+
+   Generated for all IRC replies. IRC replies are sent in response to a
+   request and come with a reply code.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the reply. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param code: The reply code, as specified by the protocol.
+   
+
+   :param params: The reply's parameters.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_request
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 30 30
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, command: :zeek:type:`string`, arguments: :zeek:type:`string`)
+
+   Generated for all client-side IRC commands.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Always true.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param command: The command.
+   
+
+   :param arguments: The arguments for the command.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+   
+   .. note:: This event is generated only for messages that originate
+      at the client-side. Commands coming in from remote trigger
+      the :zeek:id:`irc_message` event instead.
+
+.. zeek:id:: irc_server_info
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 319 319
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, users: :zeek:type:`count`, services: :zeek:type:`count`, servers: :zeek:type:`count`)
+
+   Generated for an IRC reply of type *luserme*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param users: The number of users as returned in the reply.
+   
+
+   :param services: The number of services as returned in the reply.
+   
+
+   :param servers: The number of servers as returned in the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_squery_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 184 184
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, source: :zeek:type:`string`, target: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *squery*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param source: The source of the private communication.
+   
+
+   :param target: The target of the private communication.
+   
+
+   :param message: The text of communication.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_squit_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 731 731
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, prefix: :zeek:type:`string`, server: :zeek:type:`string`, message: :zeek:type:`string`)
+
+   Generated for IRC messages of type *squit*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param prefix: The optional prefix coming with the command. IRC uses the prefix to
+           indicate the true origin of a message.
+   
+
+   :param server: The server specified in the message.
+   
+
+   :param message: The textual description specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_starttls
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 845 845
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated if an IRC connection switched to TLS using STARTTLS. After this
+   event no more IRC events will be raised for the connection. See the SSL
+   analyzer for related SSL events, which will now be generated.
+   
+
+   :param c: The connection.
+
+.. zeek:id:: irc_user_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 816 816
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, host: :zeek:type:`string`, server: :zeek:type:`string`, real_name: :zeek:type:`string`)
+
+   Generated for IRC messages of type *user*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param user: The user specified in the message.
+   
+
+   :param host: The host name specified in the message.
+   
+
+   :param server: The server name specified in the message.
+   
+
+   :param real_name: The real name specified in the message.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_who_line
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 375 375
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, target_nick: :zeek:type:`string`, channel: :zeek:type:`string`, user: :zeek:type:`string`, host: :zeek:type:`string`, server: :zeek:type:`string`, nick: :zeek:type:`string`, params: :zeek:type:`string`, hops: :zeek:type:`count`, real_name: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *whoreply*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param target_nick: The target nickname.
+   
+
+   :param channel: The channel.
+   
+
+   :param user: The user.
+   
+
+   :param host: The host.
+   
+
+   :param server: The server.
+   
+
+   :param nick: The nickname.
+   
+
+   :param params: The parameters.
+   
+
+   :param hops: The hop count.
+   
+
+   :param real_name: The real name.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_who_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 557 557
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, mask: :zeek:type:`string`, oper: :zeek:type:`bool`)
+
+   Generated for IRC messages of type *who*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param mask: The mask specified in the message.
+   
+
+   :param oper: True if the operator flag was set.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_whois_channel_line
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 442 442
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`, chans: :zeek:type:`string_set`)
+
+   Generated for an IRC reply of type *whoischannels*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname specified in the reply.
+   
+
+   :param chans: The set of channels returned.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_whois_message
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 580 580
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, server: :zeek:type:`string`, users: :zeek:type:`string`)
+
+   Generated for IRC messages of type *whois*. This event is generated for
+   messages coming from both the client and the server.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param server: TODO.
+   
+
+   :param users: TODO.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_whois_operator_line
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 420 420
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *whoisoperator*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname specified in the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+.. zeek:id:: irc_whois_user_line
+   :source-code: base/bif/plugins/Zeek_IRC.events.bif.zeek 468 468
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, nick: :zeek:type:`string`, user: :zeek:type:`string`, host: :zeek:type:`string`, real_name: :zeek:type:`string`)
+
+   Generated for an IRC reply of type *whoisuser*.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+   information about the IRC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param nick: The nickname specified in the reply.
+   
+
+   :param user: The user name specified in the reply.
+   
+
+   :param host: The host name specified in the reply.
+   
+
+   :param real_name: The real name specified in the reply.
+   
+   .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+      irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+      irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+      irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+      irc_part_message irc_password_message irc_dcc_send_ack
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek.rst
new file mode 100644
index 0000000000..3f9d2d41c5
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek.rst
@@ -0,0 +1,112 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Ident.events.bif.zeek
+===========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================ ==================================
+:zeek:id:`ident_error`: :zeek:type:`event`   Generated for Ident error replies.
+:zeek:id:`ident_reply`: :zeek:type:`event`   Generated for Ident replies.
+:zeek:id:`ident_request`: :zeek:type:`event` Generated for Ident requests.
+============================================ ==================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: ident_error
+   :source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 67 67
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`, line: :zeek:type:`string`)
+
+   Generated for Ident error replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+   information about the Ident protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param lport: The corresponding request's local port.
+   
+
+   :param rport: The corresponding request's remote port.
+   
+
+   :param line: The error description returned by the reply.
+   
+   .. zeek:see:: ident_reply ident_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: ident_reply
+   :source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 45 45
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`, user_id: :zeek:type:`string`, system: :zeek:type:`string`)
+
+   Generated for Ident replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+   information about the Ident protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param lport: The corresponding request's local port.
+   
+
+   :param rport: The corresponding request's remote port.
+   
+
+   :param user_id: The user id returned by the reply.
+   
+
+   :param system: The operating system returned by the reply.
+   
+   .. zeek:see:: ident_error  ident_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: ident_request
+   :source-code: base/bif/plugins/Zeek_Ident.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, lport: :zeek:type:`port`, rport: :zeek:type:`port`)
+
+   Generated for Ident requests.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+   information about the Ident protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param lport: The request's local port.
+   
+
+   :param rport: The request's remote port.
+   
+   .. zeek:see:: ident_error ident_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek.rst
new file mode 100644
index 0000000000..181ff44098
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek
+================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek.rst
new file mode 100644
index 0000000000..1a6c7d4cf3
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek.rst
@@ -0,0 +1,260 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_KRB.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=============================================== ==================================================================
+:zeek:id:`krb_ap_request`: :zeek:type:`event`   A Kerberos 5 ``Authentication Header (AP) Request`` as defined
+                                                in :rfc:`4120`.
+:zeek:id:`krb_ap_response`: :zeek:type:`event`  A Kerberos 5 ``Authentication Header (AP) Response`` as defined
+                                                in :rfc:`4120`.
+:zeek:id:`krb_as_request`: :zeek:type:`event`   A Kerberos 5 ``Authentication Server (AS) Request`` as defined
+                                                in :rfc:`4120`.
+:zeek:id:`krb_as_response`: :zeek:type:`event`  A Kerberos 5 ``Authentication Server (AS) Response`` as defined
+                                                in :rfc:`4120`.
+:zeek:id:`krb_cred`: :zeek:type:`event`         A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`.
+:zeek:id:`krb_error`: :zeek:type:`event`        A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
+:zeek:id:`krb_priv`: :zeek:type:`event`         A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`.
+:zeek:id:`krb_safe`: :zeek:type:`event`         A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`.
+:zeek:id:`krb_tgs_request`: :zeek:type:`event`  A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
+                                                in :rfc:`4120`.
+:zeek:id:`krb_tgs_response`: :zeek:type:`event` A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
+                                                in :rfc:`4120`.
+=============================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: krb_ap_request
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 90 90
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, ticket: :zeek:type:`KRB::Ticket`, opts: :zeek:type:`KRB::AP_Options`)
+
+   A Kerberos 5 ``Authentication Header (AP) Request`` as defined
+   in :rfc:`4120`. This message contains authentication information
+   that should be part of the first message in an authenticated
+   transaction.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param ticket: The Kerberos ticket being used for authentication.
+   
+
+   :param opts: A Kerberos AP options data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_ap_response
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 106 106
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   A Kerberos 5 ``Authentication Header (AP) Response`` as defined
+   in :rfc:`4120`. This is used if mutual authentication is desired.
+   All of the interesting information in here is encrypted, so the event
+   doesn't have much useful data, but it's provided in case it's important
+   to know that this message was sent.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_as_request
+   :source-code: base/protocols/krb/main.zeek 145 168
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Request`)
+
+   A Kerberos 5 ``Authentication Server (AS) Request`` as defined
+   in :rfc:`4120`. The AS request contains a username of the client
+   requesting authentication, and returns an AS reply with an
+   encrypted Ticket Granting Ticket (TGT) for that user. The TGT
+   can then be used to request further tickets for other services.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos KDC request message data structure.
+   
+   .. zeek:see:: krb_as_response krb_tgs_request krb_tgs_response krb_ap_request
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_as_response
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 36 36
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Response`)
+
+   A Kerberos 5 ``Authentication Server (AS) Response`` as defined
+   in :rfc:`4120`. Following the AS request for a user, an AS reply
+   contains an encrypted Ticket Granting Ticket (TGT) for that user.
+   The TGT can then be used to request further tickets for other services.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos KDC reply message data structure.
+   
+   .. zeek:see:: krb_as_request krb_tgs_request krb_tgs_response krb_ap_request
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_cred
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 157 157
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, tickets: :zeek:type:`KRB::Ticket_Vector`)
+
+   A Kerberos 5 ``Credential Message`` as defined in :rfc:`4120`. This is
+   a private (encrypted) message to forward credentials.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param is_orig: Whether the originator of the connection sent this message.
+   
+
+   :param tickets: Tickets obtained from the KDC that are being forwarded.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_ap_response krb_priv krb_safe krb_error
+
+.. zeek:id:: krb_error
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 171 171
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::Error_Msg`)
+
+   A Kerberos 5 ``Error Message`` as defined in :rfc:`4120`.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos error message data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
+
+.. zeek:id:: krb_priv
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 123 123
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   A Kerberos 5 ``Private Message`` as defined in :rfc:`4120`. This
+   is a private (encrypted) application message, so the event doesn't
+   have much useful data, but it's provided in case it's important to
+   know that this message was sent.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param is_orig: Whether the originator of the connection sent this message.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_ap_response krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_safe
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 140 140
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`KRB::SAFE_Msg`)
+
+   A Kerberos 5 ``Safe Message`` as defined in :rfc:`4120`. This is a
+   safe (checksummed) application message.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param is_orig: Whether the originator of the connection sent this message.
+   
+
+   :param msg: A Kerberos SAFE message data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
+      krb_ap_request krb_ap_response krb_priv krb_cred krb_error
+
+.. zeek:id:: krb_tgs_request
+   :source-code: base/protocols/krb/main.zeek 196 214
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Request`)
+
+   A Kerberos 5 ``Ticket Granting Service (TGS) Request`` as defined
+   in :rfc:`4120`. Following the Authentication Server exchange, if
+   successful, the client now has a Ticket Granting Ticket (TGT). To
+   authenticate to a Kerberized service, the client requests a Service
+   Ticket, which will be returned in the TGS reply.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos KDC request message data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_response krb_ap_request
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+.. zeek:id:: krb_tgs_response
+   :source-code: base/bif/plugins/Zeek_KRB.events.bif.zeek 71 71
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`KRB::KDC_Response`)
+
+   A Kerberos 5 ``Ticket Granting Service (TGS) Response`` as defined
+   in :rfc:`4120`. This message returns a Service Ticket to the client,
+   which is encrypted with the service's long-term key, and which the
+   client can use to authenticate to that service.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>`__ for
+   more information about the Kerberos protocol.
+   
+
+   :param c: The connection over which this Kerberos message was sent.
+   
+
+   :param msg: A Kerberos KDC reply message data structure.
+   
+   .. zeek:see:: krb_as_request krb_as_response krb_tgs_request krb_ap_request
+      krb_ap_response krb_priv krb_safe krb_cred krb_error
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek.rst
new file mode 100644
index 0000000000..5b7280d517
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_KRB.types.bif.zeek
+========================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: KRB
+
+
+:Namespaces: GLOBAL, KRB
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.rst
new file mode 100644
index 0000000000..d5025fd333
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.rst
@@ -0,0 +1,565 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Login.events.bif.zeek
+===========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== =========================================================================
+:zeek:id:`activating_encryption`: :zeek:type:`event`   Generated for Telnet sessions when encryption is activated.
+:zeek:id:`authentication_accepted`: :zeek:type:`event` Generated when a Telnet authentication has been successful.
+:zeek:id:`authentication_rejected`: :zeek:type:`event` Generated when a Telnet authentication has been unsuccessful.
+:zeek:id:`authentication_skipped`: :zeek:type:`event`  Generated for Telnet/Rlogin sessions when a pattern match indicates
+                                                       that no authentication is performed.
+:zeek:id:`bad_option`: :zeek:type:`event`              Generated for an ill-formed or unrecognized Telnet option.
+:zeek:id:`bad_option_termination`: :zeek:type:`event`  Generated for a Telnet option that's incorrectly terminated.
+:zeek:id:`inconsistent_option`: :zeek:type:`event`     Generated for an inconsistent Telnet option.
+:zeek:id:`login_confused`: :zeek:type:`event`          Generated when tracking of Telnet/Rlogin authentication failed.
+:zeek:id:`login_confused_text`: :zeek:type:`event`     Generated after getting confused while tracking a Telnet/Rlogin
+                                                       authentication dialog.
+:zeek:id:`login_display`: :zeek:type:`event`           Generated for clients transmitting an X11 DISPLAY in a Telnet session.
+:zeek:id:`login_failure`: :zeek:type:`event`           Generated for Telnet/Rlogin login failures.
+:zeek:id:`login_input_line`: :zeek:type:`event`        Generated for lines of input on Telnet/Rlogin sessions.
+:zeek:id:`login_output_line`: :zeek:type:`event`       Generated for lines of output on Telnet/Rlogin sessions.
+:zeek:id:`login_prompt`: :zeek:type:`event`            Generated for clients transmitting a terminal prompt in a Telnet session.
+:zeek:id:`login_success`: :zeek:type:`event`           Generated for successful Telnet/Rlogin logins.
+:zeek:id:`login_terminal`: :zeek:type:`event`          Generated for clients transmitting a terminal type in a Telnet session.
+:zeek:id:`rsh_reply`: :zeek:type:`event`               Generated for client side commands on an RSH connection.
+:zeek:id:`rsh_request`: :zeek:type:`event`             Generated for client side commands on an RSH connection.
+====================================================== =========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: activating_encryption
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 367 367
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for Telnet sessions when encryption is activated. The Telnet
+   protocol includes options for negotiating encryption. When such a series of
+   options is successfully negotiated, the event engine generates this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: authentication_accepted authentication_rejected authentication_skipped
+      login_confused login_confused_text login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+
+.. zeek:id:: authentication_accepted
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 279 279
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`)
+
+   Generated when a Telnet authentication has been successful. The Telnet
+   protocol includes options for negotiating authentication. When such an
+   option is sent from client to server and the server replies that it accepts
+   the authentication, then the event engine generates this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param name: The authenticated name.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see::  authentication_rejected authentication_skipped login_success
+   
+   .. note::  This event inspects the corresponding Telnet option
+      while :zeek:id:`login_success` heuristically determines success by watching
+      session data.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: authentication_rejected
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 305 305
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, c: :zeek:type:`connection`)
+
+   Generated when a Telnet authentication has been unsuccessful. The Telnet
+   protocol includes options for negotiating authentication. When such an option
+   is sent from client to server and the server replies that it did not accept
+   the authentication, then the event engine generates this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param name: The attempted authentication name.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: authentication_accepted authentication_skipped login_failure
+   
+   .. note::  This event inspects the corresponding Telnet option
+      while :zeek:id:`login_success` heuristically determines failure by watching
+      session data.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: authentication_skipped
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 330 330
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for Telnet/Rlogin sessions when a pattern match indicates
+   that no authentication is performed.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: authentication_accepted authentication_rejected direct_login_prompts
+      get_login_state login_failure_msgs login_non_failure_msgs login_prompts
+      login_success_msgs login_timeouts set_login_state
+   
+   .. note:: The login analyzer depends on a set of script-level variables that
+      need to be configured with patterns identifying activity. This
+      configuration has not yet been ported, and
+      the analyzer is therefore not directly usable at the moment.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: bad_option
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 407 407
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for an ill-formed or unrecognized Telnet option.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: inconsistent_option bad_option_termination authentication_accepted
+      authentication_rejected authentication_skipped login_confused
+      login_confused_text login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: bad_option_termination
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 427 427
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a Telnet option that's incorrectly terminated.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: inconsistent_option bad_option authentication_accepted
+      authentication_rejected authentication_skipped login_confused
+      login_confused_text login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: inconsistent_option
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 387 387
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for an inconsistent Telnet option. Telnet options are specified
+   by the client and server stating which options they are willing to
+   support vs. which they are not, and then instructing one another which in
+   fact they should or should not use for the current connection. If the event
+   engine sees a peer violate either what the other peer has instructed it to
+   do, or what it itself offered in terms of options in the past, then the
+   engine generates this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: bad_option bad_option_termination  authentication_accepted
+      authentication_rejected authentication_skipped login_confused
+      login_confused_text login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+
+.. zeek:id:: login_confused
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 195 195
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`, line: :zeek:type:`string`)
+
+   Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
+   *login* analyzer uses a number of heuristics to extract authentication
+   information, it may become confused. If it can no longer correctly track
+   the authentication dialog, it raises this event.
+   
+
+   :param c: The connection.
+   
+
+   :param msg: Gives the particular problem the heuristics detected (for example,
+        ``multiple_login_prompts`` means that the engine saw several login
+        prompts in a row, without the type-ahead from the client side presumed
+        necessary to cause them)
+   
+
+   :param line: The line of text that caused the heuristics to conclude they were
+         confused.
+   
+   .. zeek:see::  login_confused_text login_display login_failure login_input_line login_output_line
+      login_prompt login_success login_terminal direct_login_prompts get_login_state
+      login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
+      login_timeouts set_login_state
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_confused_text
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 217 217
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
+
+   Generated after getting confused while tracking a Telnet/Rlogin
+   authentication dialog. The *login* analyzer generates this even for every
+   line of user input after it has reported :zeek:id:`login_confused` for a
+   connection.
+   
+
+   :param c: The connection.
+   
+
+   :param line: The line the user typed.
+   
+   .. zeek:see:: login_confused  login_display login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal direct_login_prompts
+      get_login_state login_failure_msgs login_non_failure_msgs login_prompts
+      login_success_msgs login_timeouts set_login_state
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_display
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 253 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, display: :zeek:type:`string`)
+
+   Generated for clients transmitting an X11 DISPLAY in a Telnet session. This
+   information is extracted out of environment variables sent as Telnet options.
+   
+
+   :param c: The connection.
+   
+
+   :param display: The DISPLAY transmitted.
+   
+   .. zeek:see:: login_confused login_confused_text  login_failure login_input_line
+      login_output_line login_prompt login_success login_terminal
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_failure
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 95 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, client_user: :zeek:type:`string`, password: :zeek:type:`string`, line: :zeek:type:`string`)
+
+   Generated for Telnet/Rlogin login failures. The *login* analyzer inspects
+   Telnet/Rlogin sessions to heuristically extract username and password
+   information as well as the text returned by the login server. This event is
+   raised if a login attempt appears to have been unsuccessful.
+   
+
+   :param c: The connection.
+   
+
+   :param user: The user name tried.
+   
+
+   :param client_user: For Telnet connections, this is an empty string, but for Rlogin
+         connections, it is the client name passed in the initial authentication
+         information (to check against .rhosts).
+   
+
+   :param password:  The password tried.
+   
+
+   :param line:  The line of text that led the analyzer to conclude that the
+          authentication had failed.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_input_line
+      login_output_line login_prompt login_success login_terminal direct_login_prompts
+      get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
+      login_timeouts set_login_state
+   
+   .. note:: The login analyzer depends on a set of script-level variables that
+      need to be configured with patterns identifying login attempts. This
+      configuration has not yet been ported, and
+      the analyzer is therefore not directly usable at the moment.
+   
+   .. todo:: Zeeks's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_input_line
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 149 149
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
+
+   Generated for lines of input on Telnet/Rlogin sessions. The line will have
+   control characters (such as in-band Telnet options) removed.
+   
+
+   :param c: The connection.
+   
+
+   :param line: The input line.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_output_line login_prompt login_success login_terminal    rsh_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_output_line
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 167 167
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, line: :zeek:type:`string`)
+
+   Generated for lines of output on Telnet/Rlogin sessions. The line will have
+   control characters (such as in-band Telnet options) removed.
+   
+
+   :param c: The connection.
+   
+
+   :param line: The output line.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_input_line  login_prompt login_success login_terminal rsh_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_prompt
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 352 352
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, prompt: :zeek:type:`string`)
+
+   Generated for clients transmitting a terminal prompt in a Telnet session.
+   This information is extracted out of environment variables sent as Telnet
+   options.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Telnet>`__ for more information
+   about the Telnet protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param prompt: The TTYPROMPT transmitted.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_input_line login_output_line  login_success login_terminal
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_success
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 131 131
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, client_user: :zeek:type:`string`, password: :zeek:type:`string`, line: :zeek:type:`string`)
+
+   Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects
+   Telnet/Rlogin sessions to heuristically extract username and password
+   information as well as the text returned by the login server. This event is
+   raised if a login attempt appears to have been successful.
+   
+
+   :param c: The connection.
+   
+
+   :param user: The user name used.
+   
+
+   :param client_user: For Telnet connections, this is an empty string, but for Rlogin
+         connections, it is the client name passed in the initial authentication
+         information (to check against .rhosts).
+   
+
+   :param password: The password used.
+   
+
+   :param line:  The line of text that led the analyzer to conclude that the
+          authentication had succeeded.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_input_line login_output_line login_prompt login_terminal
+      direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs
+      login_prompts login_success_msgs login_timeouts set_login_state
+   
+   .. note:: The login analyzer depends on a set of script-level variables that
+      need to be configured with patterns identifying login attempts. This
+      configuration has not yet been ported, and
+      the analyzer is therefore not directly usable at the moment.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: login_terminal
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 235 235
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, terminal: :zeek:type:`string`)
+
+   Generated for clients transmitting a terminal type in a Telnet session.  This
+   information is extracted out of environment variables sent as Telnet options.
+   
+
+   :param c: The connection.
+   
+
+   :param terminal: The TERM value transmitted.
+   
+   .. zeek:see:: login_confused login_confused_text login_display login_failure
+      login_input_line login_output_line login_prompt login_success
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: rsh_reply
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 59 59
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, client_user: :zeek:type:`string`, server_user: :zeek:type:`string`, line: :zeek:type:`string`)
+
+   Generated for client side commands on an RSH connection.
+   
+   See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param client_user: The client-side user name as sent in the initial protocol
+         handshake.
+   
+
+   :param server_user: The server-side user name as sent in the initial protocol
+         handshake.
+   
+
+   :param line: The command line sent in the request.
+   
+   .. zeek:see:: rsh_request login_confused login_confused_text login_display
+      login_failure login_input_line login_output_line login_prompt login_success
+      login_terminal
+   
+   .. note:: For historical reasons, these events are separate from the
+      ``login_`` events. Ideally, they would all be handled uniquely.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: rsh_request
+   :source-code: base/bif/plugins/Zeek_Login.events.bif.zeek 31 31
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, client_user: :zeek:type:`string`, server_user: :zeek:type:`string`, line: :zeek:type:`string`, new_session: :zeek:type:`bool`)
+
+   Generated for client side commands on an RSH connection.
+   
+   See :rfc:`1258` for more information about the Rlogin/Rsh protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param client_user: The client-side user name as sent in the initial protocol
+         handshake.
+   
+
+   :param server_user: The server-side user name as sent in the initial protocol
+         handshake.
+   
+
+   :param line: The command line sent in the request.
+   
+
+   :param new_session: True if this is the first command of the Rsh session.
+   
+   .. zeek:see:: rsh_reply login_confused login_confused_text login_display
+      login_failure login_input_line login_output_line login_prompt login_success
+      login_terminal
+   
+   .. note:: For historical reasons, these events are separate from the
+      ``login_`` events. Ideally, they would all be handled uniquely.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek.rst
new file mode 100644
index 0000000000..0f0b081185
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek.rst
@@ -0,0 +1,71 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Login.functions.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================= ===================================================================
+:zeek:id:`get_login_state`: :zeek:type:`function` Returns the state of the given login (Telnet or Rlogin) connection.
+:zeek:id:`set_login_state`: :zeek:type:`function` Sets the login state of a connection with a login analyzer.
+================================================= ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: get_login_state
+   :source-code: base/bif/plugins/Zeek_Login.functions.bif.zeek 26 26
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`count`
+
+   Returns the state of the given login (Telnet or Rlogin) connection.
+   
+
+   :param cid: The connection ID.
+   
+
+   :returns: False if the connection is not active or is not tagged as a
+            login analyzer. Otherwise the function returns the state, which can
+            be one of:
+   
+                - ``LOGIN_STATE_AUTHENTICATE``: The connection is in its
+                  initial authentication dialog.
+                - ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has
+                  successfully authenticated.
+                - ``LOGIN_STATE_SKIP``: The analyzer has skipped any further
+                  processing of the connection.
+                - ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it
+                  does not correctly know the state of the connection, and/or
+                  the username associated with it.
+   
+   .. zeek:see:: set_login_state
+
+.. zeek:id:: set_login_state
+   :source-code: base/bif/plugins/Zeek_Login.functions.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, new_state: :zeek:type:`count`) : :zeek:type:`bool`
+
+   Sets the login state of a connection with a login analyzer.
+   
+
+   :param cid: The connection ID.
+   
+
+   :param new_state: The new state of the login analyzer. See
+              :zeek:id:`get_login_state` for possible values.
+   
+
+   :returns: Returns false if *cid* is not an active connection
+            or is not tagged as a login analyzer, and true otherwise.
+   
+   .. zeek:see:: get_login_state
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek.rst
new file mode 100644
index 0000000000..8bf38e4abc
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_MIME.consts.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek.rst
new file mode 100644
index 0000000000..789cabb12f
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek.rst
@@ -0,0 +1,289 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_MIME.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================ =============================================================================
+:zeek:id:`mime_all_data`: :zeek:type:`event`     Generated for passing on all data decoded from a single email MIME
+                                                 message.
+:zeek:id:`mime_all_headers`: :zeek:type:`event`  Generated for MIME headers extracted from email MIME entities, passing all
+                                                 headers at once.
+:zeek:id:`mime_begin_entity`: :zeek:type:`event` Generated when starting to parse an email MIME entity.
+:zeek:id:`mime_content_hash`: :zeek:type:`event` Generated for decoded MIME entities extracted from email messages, passing on
+                                                 their MD5 checksums.
+:zeek:id:`mime_end_entity`: :zeek:type:`event`   Generated when finishing parsing an email MIME entity.
+:zeek:id:`mime_entity_data`: :zeek:type:`event`  Generated for data decoded from an email MIME entity.
+:zeek:id:`mime_event`: :zeek:type:`event`        Generated for errors found when decoding email MIME entities.
+:zeek:id:`mime_one_header`: :zeek:type:`event`   Generated for individual MIME headers extracted from email MIME
+                                                 entities.
+:zeek:id:`mime_segment_data`: :zeek:type:`event` Generated for chunks of decoded MIME data from email MIME entities.
+================================================ =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: mime_all_data
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 164 164
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for passing on all data decoded from a single email MIME
+   message. If an email message has more than one MIME entity, this event
+   combines all their data into a single value for analysis. Note that because
+   of the potentially significant buffering necessary, using this event can be
+   expensive.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param length: The length of *data*.
+   
+
+   :param data: The raw data of all MIME entities concatenated.
+   
+   .. zeek:see::  mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
+      mime_entity_data mime_event mime_one_header mime_segment_data
+   
+   .. note:: While Zeek also decodes MIME entities extracted from HTTP
+      sessions, there's no corresponding event for that currently.
+
+.. zeek:id:: mime_all_headers
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 85 85
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hlist: :zeek:type:`mime_header_list`)
+
+   Generated for MIME headers extracted from email MIME entities, passing all
+   headers at once.  MIME is a protocol-independent data format for encoding
+   text and files, along with corresponding metadata, for transmission.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param hlist: A *table* containing all headers extracted from the current entity.
+          The table is indexed by the position of the header (1 for the first,
+          2 for the second, etc.).
+   
+   .. zeek:see:: mime_all_data  mime_begin_entity mime_content_hash mime_end_entity
+      mime_entity_data mime_event mime_one_header mime_segment_data
+      http_header  http_all_headers
+   
+   .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_header` instead.
+
+.. zeek:id:: mime_begin_entity
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when starting to parse an email MIME entity. MIME is a
+   protocol-independent data format for encoding text and files, along with
+   corresponding metadata, for transmission. Zeek raises this event when it
+   begins parsing a MIME entity extracted from an email protocol.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: mime_all_data mime_all_headers  mime_content_hash mime_end_entity
+      mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
+      http_begin_entity
+   
+   .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_begin_entity` instead.
+
+.. zeek:id:: mime_content_hash
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 207 207
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, content_len: :zeek:type:`count`, hash_value: :zeek:type:`string`)
+
+   Generated for decoded MIME entities extracted from email messages, passing on
+   their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
+   each MIME entity.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param content_len: The length of the entity being hashed.
+   
+
+   :param hash_value: The MD5 hash.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
+      mime_entity_data mime_event mime_one_header mime_segment_data
+   
+   .. note:: While Zeek also decodes MIME entities extracted from HTTP
+      sessions, there's no corresponding event for that currently.
+
+.. zeek:id:: mime_end_entity
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 41 41
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when finishing parsing an email MIME entity.  MIME is a
+   protocol-independent data format for encoding text and files, along with
+   corresponding metadata, for transmission. Zeek raises this event when it
+   finished parsing a MIME entity extracted from an email protocol.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
+      http_end_entity
+   
+   .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_end_entity` instead.
+
+.. zeek:id:: mime_entity_data
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 140 140
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for data decoded from an email MIME entity. This event delivers
+   the complete content of a single MIME entity with the quoted-printable and
+   and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
+   which passes on a sequence of data chunks as they come in. While
+   ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
+   more efficient as Zeek does not need to buffer the data. Thus, if possible,
+   the latter should be preferred.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param length: The length of *data*.
+   
+
+   :param data: The raw data of the complete entity.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity  mime_event mime_one_header mime_segment_data
+   
+   .. note:: While Zeek also decodes MIME entities extracted from HTTP
+      sessions, there's no corresponding event for that currently.
+
+.. zeek:id:: mime_event
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 185 185
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, event_type: :zeek:type:`string`, detail: :zeek:type:`string`)
+
+   Generated for errors found when decoding email MIME entities.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param event_type: A string describing the general category of the problem found
+      (e.g., ``illegal format``).
+   
+
+   :param detail: Further more detailed description of the error.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data  mime_one_header mime_segment_data http_event
+   
+   .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_event` instead.
+
+.. zeek:id:: mime_one_header
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 62 62
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, h: :zeek:type:`mime_header_rec`)
+
+   Generated for individual MIME headers extracted from email MIME
+   entities.  MIME is a protocol-independent data format for encoding text and
+   files, along with corresponding metadata, for transmission.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param h: The parsed MIME header.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event  mime_segment_data
+      http_header  http_all_headers
+   
+   .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_header` instead.
+
+.. zeek:id:: mime_segment_data
+   :source-code: base/bif/plugins/Zeek_MIME.events.bif.zeek 114 114
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, length: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for chunks of decoded MIME data from email MIME entities.  MIME
+   is a protocol-independent data format for encoding text and files, along with
+   corresponding metadata, for transmission. As Zeek parses the data of an
+   entity, it raises a sequence of these events, each coming as soon as a new
+   chunk of data is available. In contrast, there is also
+   :zeek:id:`mime_entity_data`, which passes all of an entities data at once
+   in a single block. While the latter is more convenient to handle,
+   ``mime_segment_data`` is more efficient as Zeek does not need to buffer
+   the data. Thus, if possible, this event should be preferred.
+   
+   Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
+   `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
+   about MIME.
+   
+
+   :param c: The connection.
+   
+
+   :param length: The length of *data*.
+   
+
+   :param data: The raw data of one segment of the current entity.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
+      mime_segment_length mime_segment_overlap_length
+   
+   .. note:: Zeek also extracts MIME data from HTTP sessions. For those,
+      however, it raises :zeek:id:`http_entity_data` (sic!) instead.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek.rst
new file mode 100644
index 0000000000..d312881c1b
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek.rst
@@ -0,0 +1,239 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_MQTT.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=============================================== ===========================================================================================
+:zeek:id:`mqtt_connack`: :zeek:type:`event`     Generated for MQTT acknowledge connection messages
+:zeek:id:`mqtt_connect`: :zeek:type:`event`     Generated for MQTT "client requests a connection" messages
+:zeek:id:`mqtt_disconnect`: :zeek:type:`event`  Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.
+:zeek:id:`mqtt_pingreq`: :zeek:type:`event`     Generated for MQTT ping requests sent by the client.
+:zeek:id:`mqtt_pingresp`: :zeek:type:`event`    Generated for MQTT ping responses sent by the server.
+:zeek:id:`mqtt_puback`: :zeek:type:`event`      Generated for MQTT publish acknowledgement messages
+:zeek:id:`mqtt_pubcomp`: :zeek:type:`event`     Generated for MQTT publish complete messages (QoS 2 publish received, part 3)
+:zeek:id:`mqtt_publish`: :zeek:type:`event`     Generated for MQTT publish messages
+:zeek:id:`mqtt_pubrec`: :zeek:type:`event`      Generated for MQTT publish received messages (QoS 2 publish received, part 1)
+:zeek:id:`mqtt_pubrel`: :zeek:type:`event`      Generated for MQTT publish release messages (QoS 2 publish received, part 2)
+:zeek:id:`mqtt_suback`: :zeek:type:`event`      Generated for MQTT subscribe messages
+:zeek:id:`mqtt_subscribe`: :zeek:type:`event`   Generated for MQTT subscribe messages
+:zeek:id:`mqtt_unsuback`: :zeek:type:`event`    Generated for MQTT unsubscribe acknowledgements sent by the server
+:zeek:id:`mqtt_unsubscribe`: :zeek:type:`event` Generated for MQTT unsubscribe messages sent by the client
+=============================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: mqtt_connack
+   :source-code: base/protocols/mqtt/main.zeek 190 197
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`MQTT::ConnectAckMsg`)
+
+   Generated for MQTT acknowledge connection messages
+   
+
+   :param c: The connection
+   
+
+   :param msg: MQTT connect ack message fields.
+
+.. zeek:id:: mqtt_connect
+   :source-code: base/protocols/mqtt/main.zeek 177 188
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`MQTT::ConnectMsg`)
+
+   Generated for MQTT "client requests a connection" messages
+   
+
+   :param c: The connection
+   
+
+   :param msg: MQTT connect message fields.
+
+.. zeek:id:: mqtt_disconnect
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 127 127
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.
+   
+
+   :param c: The connection
+
+.. zeek:id:: mqtt_pingreq
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 115 115
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for MQTT ping requests sent by the client.
+   
+
+   :param c: The connection
+
+.. zeek:id:: mqtt_pingresp
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 121 121
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for MQTT ping responses sent by the server.
+   
+
+   :param c: The connection
+
+.. zeek:id:: mqtt_puback
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT publish acknowledgement messages
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_pubcomp
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 67 67
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT publish complete messages (QoS 2 publish received, part 3)
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_publish
+   :source-code: base/bif/plugins/Zeek_MQTT.events.bif.zeek 27 27
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`, msg: :zeek:type:`MQTT::PublishMsg`)
+
+   Generated for MQTT publish messages
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg: The MQTT publish message record.
+
+.. zeek:id:: mqtt_pubrec
+   :source-code: base/protocols/mqtt/main.zeek 257 266
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT publish received messages (QoS 2 publish received, part 1)
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_pubrel
+   :source-code: base/protocols/mqtt/main.zeek 268 277
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT publish release messages (QoS 2 publish received, part 2)
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_suback
+   :source-code: base/protocols/mqtt/main.zeek 320 333
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, granted_qos: :zeek:type:`count`)
+
+   Generated for MQTT subscribe messages
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_subscribe
+   :source-code: base/protocols/mqtt/main.zeek 306 318
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, topics: :zeek:type:`string_vec`, requested_qos: :zeek:type:`index_vec`)
+
+   Generated for MQTT subscribe messages
+   
+
+   :param c: The connection
+   
+
+   :param is_orig: Direction in which the message was sent
+   
+
+   :param msg_id: The id value for the message.
+   
+
+   :param topics: The topics being subscribed to
+   
+
+   :param requested_qos: The desired QoS option associated with each topic.
+
+.. zeek:id:: mqtt_unsuback
+   :source-code: base/protocols/mqtt/main.zeek 348 360
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`)
+
+   Generated for MQTT unsubscribe acknowledgements sent by the server
+   
+
+   :param c: The connection
+   
+
+   :param msg_id: The id value for the message.
+
+.. zeek:id:: mqtt_unsubscribe
+   :source-code: base/protocols/mqtt/main.zeek 335 346
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg_id: :zeek:type:`count`, topics: :zeek:type:`string_vec`)
+
+   Generated for MQTT unsubscribe messages sent by the client
+   
+
+   :param c: The connection
+   
+
+   :param msg_id: The id value for the message.
+   
+
+   :param topics: The topics being unsubscribed from
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek.rst
new file mode 100644
index 0000000000..c864a67941
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_MQTT.types.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek.rst
new file mode 100644
index 0000000000..2184860b8c
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek.rst
@@ -0,0 +1,650 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Modbus.events.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================================ ======================================================================
+:zeek:id:`modbus_diagnostics_request`: :zeek:type:`event`                    Generated for a Modbus Diagnostics request.
+:zeek:id:`modbus_diagnostics_response`: :zeek:type:`event`                   Generated for a Modbus Diagnostics response.
+:zeek:id:`modbus_encap_interface_transport_request`: :zeek:type:`event`      Generated for a Modbus Encapsulated Interface Transport request.
+:zeek:id:`modbus_encap_interface_transport_response`: :zeek:type:`event`     Generated for a Modbus Encapsulated Interface Transport response.
+:zeek:id:`modbus_exception`: :zeek:type:`event`                              Generated for any Modbus exception message.
+:zeek:id:`modbus_mask_write_register_request`: :zeek:type:`event`            Generated for a Modbus mask write register request.
+:zeek:id:`modbus_mask_write_register_response`: :zeek:type:`event`           Generated for a Modbus mask write register request.
+:zeek:id:`modbus_message`: :zeek:type:`event`                                Generated for any Modbus message regardless if the particular function
+                                                                             is further supported or not.
+:zeek:id:`modbus_read_coils_request`: :zeek:type:`event`                     Generated for a Modbus read coils request.
+:zeek:id:`modbus_read_coils_response`: :zeek:type:`event`                    Generated for a Modbus read coils response.
+:zeek:id:`modbus_read_discrete_inputs_request`: :zeek:type:`event`           Generated for a Modbus read discrete inputs request.
+:zeek:id:`modbus_read_discrete_inputs_response`: :zeek:type:`event`          Generated for a Modbus read discrete inputs response.
+:zeek:id:`modbus_read_fifo_queue_request`: :zeek:type:`event`                Generated for a Modbus read FIFO queue request.
+:zeek:id:`modbus_read_fifo_queue_response`: :zeek:type:`event`               Generated for a Modbus read FIFO queue response.
+:zeek:id:`modbus_read_file_record_request`: :zeek:type:`event`               Generated for a Modbus read file record request.
+:zeek:id:`modbus_read_file_record_response`: :zeek:type:`event`              Generated for a Modbus read file record response.
+:zeek:id:`modbus_read_holding_registers_request`: :zeek:type:`event`         Generated for a Modbus read holding registers request.
+:zeek:id:`modbus_read_holding_registers_response`: :zeek:type:`event`        Generated for a Modbus read holding registers response.
+:zeek:id:`modbus_read_input_registers_request`: :zeek:type:`event`           Generated for a Modbus read input registers request.
+:zeek:id:`modbus_read_input_registers_response`: :zeek:type:`event`          Generated for a Modbus read input registers response.
+:zeek:id:`modbus_read_write_multiple_registers_request`: :zeek:type:`event`  Generated for a Modbus read/write multiple registers request.
+:zeek:id:`modbus_read_write_multiple_registers_response`: :zeek:type:`event` Generated for a Modbus read/write multiple registers response.
+:zeek:id:`modbus_write_file_record_request`: :zeek:type:`event`              Generated for a Modbus write file record request.
+:zeek:id:`modbus_write_file_record_response`: :zeek:type:`event`             Generated for a Modbus write file record response.
+:zeek:id:`modbus_write_multiple_coils_request`: :zeek:type:`event`           Generated for a Modbus write multiple coils request.
+:zeek:id:`modbus_write_multiple_coils_response`: :zeek:type:`event`          Generated for a Modbus write multiple coils response.
+:zeek:id:`modbus_write_multiple_registers_request`: :zeek:type:`event`       Generated for a Modbus write multiple registers request.
+:zeek:id:`modbus_write_multiple_registers_response`: :zeek:type:`event`      Generated for a Modbus write multiple registers response.
+:zeek:id:`modbus_write_single_coil_request`: :zeek:type:`event`              Generated for a Modbus write single coil request.
+:zeek:id:`modbus_write_single_coil_response`: :zeek:type:`event`             Generated for a Modbus write single coil response.
+:zeek:id:`modbus_write_single_register_request`: :zeek:type:`event`          Generated for a Modbus write single register request.
+:zeek:id:`modbus_write_single_register_response`: :zeek:type:`event`         Generated for a Modbus write single register response.
+============================================================================ ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: modbus_diagnostics_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 341 341
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, subfunction: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for a Modbus Diagnostics request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param subfunction: The subfunction for the diagnostics request.
+   
+
+   :param data: The data passed in the diagnostics request.
+
+.. zeek:id:: modbus_diagnostics_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 353 353
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, subfunction: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for a Modbus Diagnostics response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param subfunction: The subfunction for the diagnostics response.
+   
+
+   :param data: The data passed in the diagnostics response.
+
+.. zeek:id:: modbus_encap_interface_transport_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 365 365
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, mei_type: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for a Modbus Encapsulated Interface Transport request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param mei_type: The MEI type for the request.
+   
+
+   :param data: The MEI type specific data passed in the request.
+
+.. zeek:id:: modbus_encap_interface_transport_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 377 377
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, mei_type: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for a Modbus Encapsulated Interface Transport response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param mei_type: The MEI type for the response.
+   
+
+   :param data: The MEI type specific data passed in the response.
+
+.. zeek:id:: modbus_exception
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 22 22
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, code: :zeek:type:`count`)
+
+   Generated for any Modbus exception message.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param code: The exception code.
+
+.. zeek:id:: modbus_mask_write_register_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 268 268
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, and_mask: :zeek:type:`count`, or_mask: :zeek:type:`count`)
+
+   Generated for a Modbus mask write register request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the register where the masks should be applied.
+   
+
+   :param and_mask: The value of the logical AND mask to apply to the register.
+   
+
+   :param or_mask: The value of the logical OR mask to apply to the register.
+
+.. zeek:id:: modbus_mask_write_register_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 282 282
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, and_mask: :zeek:type:`count`, or_mask: :zeek:type:`count`)
+
+   Generated for a Modbus mask write register request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the register where the masks were applied.
+   
+
+   :param and_mask: The value of the logical AND mask applied register.
+   
+
+   :param or_mask: The value of the logical OR mask applied to the register.
+
+.. zeek:id:: modbus_message
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 12 12
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, is_orig: :zeek:type:`bool`)
+
+   Generated for any Modbus message regardless if the particular function
+   is further supported or not.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+
+.. zeek:id:: modbus_read_coils_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus read coils request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first coil to be read.
+   
+
+   :param quantity: The number of coils to be read.
+
+.. zeek:id:: modbus_read_coils_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 44 44
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, coils: :zeek:type:`ModbusCoils`)
+
+   Generated for a Modbus read coils response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param coils: The coil values returned from the device.
+
+.. zeek:id:: modbus_read_discrete_inputs_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 56 56
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus read discrete inputs request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first coil to be read.
+   
+
+   :param quantity: The number of coils to be read.
+
+.. zeek:id:: modbus_read_discrete_inputs_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 66 66
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, coils: :zeek:type:`ModbusCoils`)
+
+   Generated for a Modbus read discrete inputs response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param coils: The coil values returned from the device.
+
+.. zeek:id:: modbus_read_fifo_queue_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 319 319
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`)
+
+   Generated for a Modbus read FIFO queue request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The address of the FIFO queue to read.
+
+.. zeek:id:: modbus_read_fifo_queue_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 329 329
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, fifos: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read FIFO queue response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param fifos: The register values read from the FIFO queue on the device.
+
+.. zeek:id:: modbus_read_file_record_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 218 218
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileRecordRequests`)
+
+   Generated for a Modbus read file record request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param byte_count: The full byte count for all of the reference records that follow.
+   
+
+   :param refs: A vector of reference records.
+
+.. zeek:id:: modbus_read_file_record_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 230 230
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileRecordResponses`)
+
+   Generated for a Modbus read file record response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param byte_count: The full byte count for all of the reference records that follow.
+   
+
+   :param refs: A vector of reference records.
+
+.. zeek:id:: modbus_read_holding_registers_request
+   :source-code: policy/protocols/modbus/track-memmap.zeek 62 65
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus read holding registers request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first register to be read.
+   
+
+   :param quantity: The number of registers to be read.
+
+.. zeek:id:: modbus_read_holding_registers_response
+   :source-code: policy/protocols/modbus/track-memmap.zeek 67 101
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read holding registers response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param registers: The register values returned from the device.
+
+.. zeek:id:: modbus_read_input_registers_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 100 100
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus read input registers request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first register to be read.
+   
+
+   :param quantity: The number of registers to be read.
+
+.. zeek:id:: modbus_read_input_registers_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 110 110
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read input registers response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param registers: The register values returned from the device.
+
+.. zeek:id:: modbus_read_write_multiple_registers_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 298 298
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, read_start_address: :zeek:type:`count`, read_quantity: :zeek:type:`count`, write_start_address: :zeek:type:`count`, write_registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read/write multiple registers request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param read_start_address: The memory address of the first register to be read.
+   
+
+   :param read_quantity: The number of registers to read.
+   
+
+   :param write_start_address: The memory address of the first register to be written.
+   
+
+   :param write_registers: The values to be written to the registers.
+
+.. zeek:id:: modbus_read_write_multiple_registers_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 309 309
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, written_registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus read/write multiple registers response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param written_registers: The register values read from the registers specified in
+                      the request.
+
+.. zeek:id:: modbus_write_file_record_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 242 242
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileReferences`)
+
+   Generated for a Modbus write file record request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param byte_count: The full byte count for all of the reference records that follow.
+   
+
+   :param refs: A vector of reference records.
+
+.. zeek:id:: modbus_write_file_record_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 254 254
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, byte_count: :zeek:type:`count`, refs: :zeek:type:`ModbusFileReferences`)
+
+   Generated for a Modbus write file record response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param byte_count: The full byte count for all of the reference records that follow.
+   
+
+   :param refs: A vector of reference records.
+
+.. zeek:id:: modbus_write_multiple_coils_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 170 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, coils: :zeek:type:`ModbusCoils`)
+
+   Generated for a Modbus write multiple coils request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first coil to be written.
+   
+
+   :param coils: The values to be written to the coils.
+
+.. zeek:id:: modbus_write_multiple_coils_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 182 182
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus write multiple coils response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first coil that was written.
+   
+
+   :param quantity: The quantity of coils that were written.
+
+.. zeek:id:: modbus_write_multiple_registers_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 194 194
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, registers: :zeek:type:`ModbusRegisters`)
+
+   Generated for a Modbus write multiple registers request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first register to be written.
+   
+
+   :param registers: The values to be written to the registers.
+
+.. zeek:id:: modbus_write_multiple_registers_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 206 206
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, start_address: :zeek:type:`count`, quantity: :zeek:type:`count`)
+
+   Generated for a Modbus write multiple registers response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param start_address: The memory address of the first register that was written.
+   
+
+   :param quantity: The quantity of registers that were written.
+
+.. zeek:id:: modbus_write_single_coil_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 122 122
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`bool`)
+
+   Generated for a Modbus write single coil request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the coil to be written.
+   
+
+   :param value: The value to be written to the coil.
+
+.. zeek:id:: modbus_write_single_coil_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 134 134
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`bool`)
+
+   Generated for a Modbus write single coil response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the coil that was written.
+   
+
+   :param value: The value that was written to the coil.
+
+.. zeek:id:: modbus_write_single_register_request
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 146 146
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for a Modbus write single register request.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the register to be written.
+   
+
+   :param value: The value to be written to the register.
+
+.. zeek:id:: modbus_write_single_register_response
+   :source-code: base/bif/plugins/Zeek_Modbus.events.bif.zeek 158 158
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, headers: :zeek:type:`ModbusHeaders`, address: :zeek:type:`count`, value: :zeek:type:`count`)
+
+   Generated for a Modbus write single register response.
+   
+
+   :param c: The connection.
+   
+
+   :param headers: The headers for the modbus function.
+   
+
+   :param address: The memory address of the register that was written.
+   
+
+   :param value: The value that was written to the register.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek.rst
new file mode 100644
index 0000000000..c980fd6e91
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek.rst
@@ -0,0 +1,267 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_MySQL.events.bif.zeek
+===========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+======================================================== ======================================================================================================
+:zeek:id:`mysql_auth_more_data`: :zeek:type:`event`      Generated for opaque authentication data exchanged between client and server
+                                                         after the client's handshake packet, but before the server replied with
+                                                         an OK_Packet
+:zeek:id:`mysql_auth_plugin`: :zeek:type:`event`         Generated for information about plugin authentication within handshake packets.
+:zeek:id:`mysql_auth_switch_request`: :zeek:type:`event` Generated for a server packet with an auth switch request.
+:zeek:id:`mysql_change_user`: :zeek:type:`event`         Generated for a change user command from a MySQL client.
+:zeek:id:`mysql_command_request`: :zeek:type:`event`     Generated for a command request from a MySQL client.
+:zeek:id:`mysql_eof`: :zeek:type:`event`                 Generated for a MySQL EOF packet.
+:zeek:id:`mysql_error`: :zeek:type:`event`               Generated for an unsuccessful MySQL response.
+:zeek:id:`mysql_handshake`: :zeek:type:`event`           Generated for a client handshake response packet, which includes the username the client is attempting
+                                                         to connect as.
+:zeek:id:`mysql_ok`: :zeek:type:`event`                  Generated for a successful MySQL response.
+:zeek:id:`mysql_result_row`: :zeek:type:`event`          Generated for each MySQL ResultsetRow response packet.
+:zeek:id:`mysql_server_version`: :zeek:type:`event`      Generated for the initial server handshake packet, which includes the MySQL server version.
+:zeek:id:`mysql_ssl_request`: :zeek:type:`event`         Generated for a short client handshake response packet with the CLIENT_SSL
+                                                         flag set.
+======================================================== ======================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: mysql_auth_more_data
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 166 166
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for opaque authentication data exchanged between client and server
+   after the client's handshake packet, but before the server replied with
+   an OK_Packet
+   
+   Data is specific to the plugin auth mechanism used by client and server.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if this is from the client, false if from the server.
+   
+
+   :param data: More authentication data.
+   
+   .. zeek:see:: mysql_handshake mysql_auth_switch_request
+
+.. zeek:id:: mysql_auth_plugin
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 138 138
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for information about plugin authentication within handshake packets.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if this is from the client, false if from the server.
+   
+
+   :param name: Name of the authentication plugin.
+   
+
+   :param data: The initial auth data. From the server, it is the concatenation of
+         auth_plugin_data_part_1 and auth_plugin_data_part_2 in the handshake.
+         For the client it is the auth_response in the handshake response.
+   
+   .. zeek:see:: mysql_handshake mysql_auth_switch_request mysql_auth_more_data
+
+.. zeek:id:: mysql_auth_switch_request
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 150 150
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for a server packet with an auth switch request.
+   
+
+   :param c: The connection.
+   
+
+   :param name: The plugin name.
+   
+
+   :param data: Initial authentication data for the plugin.
+   
+   .. zeek:see:: mysql_handshake mysql_auth_more_data
+
+.. zeek:id:: mysql_change_user
+   :source-code: base/protocols/mysql/main.zeek 87 90
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, username: :zeek:type:`string`)
+
+   Generated for a change user command from a MySQL client.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param username: The username supplied by the client
+   
+   .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_command_request
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 16 16
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`count`, arg: :zeek:type:`string`)
+
+   Generated for a command request from a MySQL client.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param command: The numerical code of the command issued.
+   
+
+   :param arg: The argument for the command (empty string if not provided).
+   
+   .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_eof
+   :source-code: base/protocols/mysql/main.zeek 120 137
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_intermediate: :zeek:type:`bool`)
+
+   Generated for a MySQL EOF packet.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_intermediate: True if this is an EOF packet between the column definition and the rows, false if a final EOF.
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_error
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 44 44
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`, msg: :zeek:type:`string`)
+
+   Generated for an unsuccessful MySQL response.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param code: The error code.
+   
+
+   :param msg: Any extra details about the error (empty string if not provided).
+   
+   .. zeek:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_handshake
+   :source-code: base/protocols/mysql/main.zeek 52 65
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, username: :zeek:type:`string`)
+
+   Generated for a client handshake response packet, which includes the username the client is attempting
+   to connect as.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param username: The username supplied by the client
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version mysql_ssl_request
+
+.. zeek:id:: mysql_ok
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 57 57
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, affected_rows: :zeek:type:`count`)
+
+   Generated for a successful MySQL response.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param affected_rows: The number of rows that were affected.
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
+
+.. zeek:id:: mysql_result_row
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 83 83
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, row: :zeek:type:`string_vec`)
+
+   Generated for each MySQL ResultsetRow response packet.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param row: The result row data.
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
+
+.. zeek:id:: mysql_server_version
+   :source-code: policy/protocols/mysql/software.zeek 14 20
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, ver: :zeek:type:`string`)
+
+   Generated for the initial server handshake packet, which includes the MySQL server version.
+   
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param ver: The server version string.
+   
+   .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
+
+.. zeek:id:: mysql_ssl_request
+   :source-code: base/bif/plugins/Zeek_MySQL.events.bif.zeek 122 122
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a short client handshake response packet with the CLIENT_SSL
+   flag set. Usually the client will initiate a TLS handshake afterwards.
+   See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+   for more information about the MySQL protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: mysql_handshake
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek.rst
new file mode 100644
index 0000000000..c7ce765552
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NCP.consts.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek.rst
new file mode 100644
index 0000000000..45fe34f5a0
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek.rst
@@ -0,0 +1,88 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NCP.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================== ===================================================
+:zeek:id:`ncp_reply`: :zeek:type:`event`   Generated for NCP replies (Netware Core Protocol).
+:zeek:id:`ncp_request`: :zeek:type:`event` Generated for NCP requests (Netware Core Protocol).
+========================================== ===================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: ncp_reply
+   :source-code: base/bif/plugins/Zeek_NCP.events.bif.zeek 49 49
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, frame_type: :zeek:type:`count`, length: :zeek:type:`count`, req_frame: :zeek:type:`count`, req_func: :zeek:type:`count`, completion_code: :zeek:type:`count`)
+
+   Generated for NCP replies (Netware Core Protocol).
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
+   more information about the NCP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param frame_type: The frame type, as specified by the protocol.
+   
+
+   :param length: The length of the request body, excluding the frame header.
+   
+
+   :param req_frame: The frame type from the corresponding request.
+   
+
+   :param req_func: The function code from the corresponding request.
+   
+
+   :param completion_code: The reply's completion code, as specified by the protocol.
+   
+   .. zeek:see:: ncp_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: ncp_request
+   :source-code: base/bif/plugins/Zeek_NCP.events.bif.zeek 23 23
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, frame_type: :zeek:type:`count`, length: :zeek:type:`count`, func: :zeek:type:`count`)
+
+   Generated for NCP requests (Netware Core Protocol).
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetWare_Core_Protocol>`__ for
+   more information about the NCP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param frame_type: The frame type, as specified by the protocol.
+   
+
+   :param length: The length of the request body, excluding the frame header.
+   
+
+   :param func: The requested function, as specified by the protocol.
+   
+   .. zeek:see:: ncp_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek.rst
new file mode 100644
index 0000000000..dbbc1c39ea
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek.rst
@@ -0,0 +1,70 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NTLM.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================ ============================================================================
+:zeek:id:`ntlm_authenticate`: :zeek:type:`event` Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
+:zeek:id:`ntlm_challenge`: :zeek:type:`event`    Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
+:zeek:id:`ntlm_negotiate`: :zeek:type:`event`    Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
+================================================ ============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: ntlm_authenticate
+   :source-code: base/protocols/ntlm/main.zeek 85 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, request: :zeek:type:`NTLM::Authenticate`)
+
+   Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
+   
+
+   :param c: The connection.
+   
+
+   :param request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
+   
+   .. zeek:see:: ntlm_negotiate ntlm_challenge
+
+.. zeek:id:: ntlm_challenge
+   :source-code: base/protocols/ntlm/main.zeek 69 83
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, challenge: :zeek:type:`NTLM::Challenge`)
+
+   Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
+   
+
+   :param c: The connection.
+   
+
+   :param negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
+   
+   .. zeek:see:: ntlm_negotiate ntlm_authenticate
+
+.. zeek:id:: ntlm_negotiate
+   :source-code: base/protocols/ntlm/main.zeek 64 67
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, negotiate: :zeek:type:`NTLM::Negotiate`)
+
+   Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
+   
+
+   :param c: The connection.
+   
+
+   :param negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
+   
+   .. zeek:see:: ntlm_challenge ntlm_authenticate
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek.rst
new file mode 100644
index 0000000000..d29ca1ae83
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NTLM.types.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: NTLM
+
+
+:Namespaces: GLOBAL, NTLM
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek.rst
new file mode 100644
index 0000000000..d680763feb
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek.rst
@@ -0,0 +1,43 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NTP.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================== ===============================
+:zeek:id:`ntp_message`: :zeek:type:`event` Generated for all NTP messages.
+========================================== ===============================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: ntp_message
+   :source-code: base/bif/plugins/Zeek_NTP.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`NTP::Message`)
+
+   Generated for all NTP messages. Different from many other of Zeek's events,
+   this one is generated for both client-side and server-side messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
+   more information about the NTP protocol.
+   
+
+   :param c: The connection record describing the corresponding UDP flow.
+   
+
+   :param is_orig: True if the message was sent by the originator.
+   
+
+   :param msg: The parsed NTP message.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek.rst
new file mode 100644
index 0000000000..deeb0211d3
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NTP.types.bif.zeek
+========================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: NTP
+
+
+:Namespaces: GLOBAL, NTP
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek.rst
new file mode 100644
index 0000000000..8cce3dca41
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek.rst
@@ -0,0 +1,284 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NetBIOS.events.bif.zeek
+=============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================== =====================================================================
+:zeek:id:`netbios_session_accepted`: :zeek:type:`event`     Generated for NetBIOS messages of type *positive session response*.
+:zeek:id:`netbios_session_keepalive`: :zeek:type:`event`    Generated for NetBIOS messages of type *keep-alive*.
+:zeek:id:`netbios_session_message`: :zeek:type:`event`      Generated for all NetBIOS SSN and DGM messages.
+:zeek:id:`netbios_session_raw_message`: :zeek:type:`event`  Generated for NetBIOS messages of type *session message* that are not
+                                                            carrying an SMB payload.
+:zeek:id:`netbios_session_rejected`: :zeek:type:`event`     Generated for NetBIOS messages of type *negative session response*.
+:zeek:id:`netbios_session_request`: :zeek:type:`event`      Generated for NetBIOS messages of type *session request*.
+:zeek:id:`netbios_session_ret_arg_resp`: :zeek:type:`event` Generated for NetBIOS messages of type *retarget response*.
+=========================================================== =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: netbios_session_accepted
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *positive session response*. Zeek's
+   NetBIOS analyzer processes the NetBIOS session service running on TCP port
+   139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see::  netbios_session_keepalive netbios_session_message
+      netbios_session_raw_message netbios_session_rejected netbios_session_request
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_keepalive
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 217 217
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
+   processes the NetBIOS session service running on TCP port 139, and (despite
+   its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_message
+      netbios_session_raw_message netbios_session_rejected netbios_session_request
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_message
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg_type: :zeek:type:`count`, data_len: :zeek:type:`count`)
+
+   Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
+   processes the NetBIOS session service running on TCP port 139, and (despite
+   its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param is_orig:  True if the message was sent by the originator of the connection.
+   
+
+   :param msg_type: The general type of message, as defined in Section 4.3.1 of
+             :rfc:`1002`.
+   
+
+   :param data_len: The length of the message's payload.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_raw_message netbios_session_rejected netbios_session_request
+      netbios_session_ret_arg_resp  decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_raw_message
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 157 157
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *session message* that are not
+   carrying an SMB payload.
+   
+   NetBIOS analyzer processes the NetBIOS session service running on TCP port
+   139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param is_orig: True if the message was sent by the originator of the connection.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header (i.e., the ``user_data``).
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_message netbios_session_rejected netbios_session_request
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: This is an oddly named event. In fact, it's probably an odd event
+      to have to begin with.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_rejected
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 121 121
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *negative session response*. Zeek's
+   NetBIOS analyzer processes the NetBIOS session service running on TCP port
+   139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_message netbios_session_raw_message netbios_session_request
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_request
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 63 63
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
+   analyzer processes the NetBIOS session service running on TCP port 139, and
+   (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_message netbios_session_raw_message netbios_session_rejected
+      netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: netbios_session_ret_arg_resp
+   :source-code: base/bif/plugins/Zeek_NetBIOS.events.bif.zeek 188 188
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, msg: :zeek:type:`string`)
+
+   Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
+   analyzer processes the NetBIOS session service running on TCP port 139, and
+   (despite its name!) the NetBIOS datagram service on UDP port 138.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
+   about NetBIOS.  :rfc:`1002` describes
+   the packet format for NetBIOS over TCP/IP, which Zeek parses.
+   
+
+   :param c: The connection, which may be TCP or UDP, depending on the type of the
+      NetBIOS session.
+   
+
+   :param msg: The raw payload of the message sent, excluding the common NetBIOS
+        header.
+   
+   .. zeek:see:: netbios_session_accepted netbios_session_keepalive
+      netbios_session_message netbios_session_raw_message netbios_session_rejected
+      netbios_session_request decode_netbios_name decode_netbios_name_type
+   
+   .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+      `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
+      SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+   
+   .. todo:: This is an oddly named event.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek.rst
new file mode 100644
index 0000000000..1e8b89d55a
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek.rst
@@ -0,0 +1,58 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek
+================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================== ================================================================
+:zeek:id:`decode_netbios_name`: :zeek:type:`function`      Decode a NetBIOS name.
+:zeek:id:`decode_netbios_name_type`: :zeek:type:`function` Converts a NetBIOS name type to its corresponding numeric value.
+========================================================== ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: decode_netbios_name
+   :source-code: base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek 16 16
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Decode a NetBIOS name.  See https://jeffpar.github.io/kbarchive/kb/194/Q194203/.
+   
+
+   :param name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``.
+   
+
+   :returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAM"``.  An empty
+            string is returned if the argument is not a valid NetBIOS encoding
+            (though an encoding that would decode to something that includes
+            only null-bytes or space-characters also yields an empty string).
+   
+   .. zeek:see:: decode_netbios_name_type
+
+.. zeek:id:: decode_netbios_name_type
+   :source-code: base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek 27 27
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`count`
+
+   Converts a NetBIOS name type to its corresponding numeric value.
+   See https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_Suffixes.
+   
+
+   :param name: An encoded NetBIOS name.
+   
+
+   :returns: The numeric value of *name* or 256 if it's not a valid encoding.
+   
+   .. zeek:see:: decode_netbios_name
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek.rst
new file mode 100644
index 0000000000..13ede71b39
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: LogNone
+
+
+:Namespaces: GLOBAL, LogNone
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek.rst
new file mode 100644
index 0000000000..631ef1a6a7
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek.rst
@@ -0,0 +1,115 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_PE.events.bif.zeek
+========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================= ===================================================================
+:zeek:id:`pe_dos_code`: :zeek:type:`event`        A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
+:zeek:id:`pe_dos_header`: :zeek:type:`event`      A :abbr:`PE (Portable Executable)` file DOS header was parsed.
+:zeek:id:`pe_file_header`: :zeek:type:`event`     A :abbr:`PE (Portable Executable)` file file header was parsed.
+:zeek:id:`pe_optional_header`: :zeek:type:`event` A :abbr:`PE (Portable Executable)` file optional header was parsed.
+:zeek:id:`pe_section_header`: :zeek:type:`event`  A :abbr:`PE (Portable Executable)` file section header was parsed.
+================================================= ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: pe_dos_code
+   :source-code: base/bif/plugins/Zeek_PE.events.bif.zeek 25 25
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, code: :zeek:type:`string`)
+
+   A :abbr:`PE (Portable Executable)` file DOS stub was parsed.
+   The stub is a valid application that runs under MS-DOS, by default
+   to inform the user that the program can't be run in DOS mode.
+   
+
+   :param f: The file.
+   
+
+   :param code: The DOS stub
+   
+   .. zeek:see:: pe_dos_header pe_file_header pe_optional_header pe_section_header
+
+.. zeek:id:: pe_dos_header
+   :source-code: base/files/pe/main.zeek 72 75
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::DOSHeader`)
+
+   A :abbr:`PE (Portable Executable)` file DOS header was parsed.
+   This is the top-level header and contains information like the
+   size of the file, initial value of registers, etc.
+   
+
+   :param f: The file.
+   
+
+   :param h: The parsed DOS header information.
+   
+   .. zeek:see:: pe_dos_code pe_file_header pe_optional_header pe_section_header
+
+.. zeek:id:: pe_file_header
+   :source-code: base/files/pe/main.zeek 77 90
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::FileHeader`)
+
+   A :abbr:`PE (Portable Executable)` file file header was parsed.
+   This header contains information like the target machine,
+   the timestamp when the file was created, the number of sections, and
+   pointers to other parts of the file.
+   
+
+   :param f: The file.
+   
+
+   :param h: The parsed file header information.
+   
+   .. zeek:see:: pe_dos_header pe_dos_code pe_optional_header pe_section_header
+
+.. zeek:id:: pe_optional_header
+   :source-code: base/files/pe/main.zeek 92 119
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::OptionalHeader`)
+
+   A :abbr:`PE (Portable Executable)` file optional header was parsed.
+   This header is required for executable files, but not for object files.
+   It contains information like OS requirements to execute the file, the
+   original entry point address, and information needed to load the file
+   into memory.
+   
+
+   :param f: The file.
+   
+
+   :param h: The parsed optional header information.
+   
+   .. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_section_header
+
+.. zeek:id:: pe_section_header
+   :source-code: base/files/pe/main.zeek 121 132
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, h: :zeek:type:`PE::SectionHeader`)
+
+   A :abbr:`PE (Portable Executable)` file section header was parsed.
+   This header contains information like the section name, size, address,
+   and characteristics.
+   
+
+   :param f: The file.
+   
+
+   :param h: The parsed section header information.
+   
+   .. zeek:see:: pe_dos_header pe_dos_code pe_file_header pe_optional_header
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek.rst
new file mode 100644
index 0000000000..8395f452aa
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_POP3.consts.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek.rst
new file mode 100644
index 0000000000..648d5b96fe
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek.rst
@@ -0,0 +1,241 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_POP3.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================= ===================================================================
+:zeek:id:`pop3_data`: :zeek:type:`event`          Generated for server-side multi-line responses on POP3 connections.
+:zeek:id:`pop3_login_failure`: :zeek:type:`event` Generated for unsuccessful authentications on POP3 connections.
+:zeek:id:`pop3_login_success`: :zeek:type:`event` Generated for successful authentications on POP3 connections.
+:zeek:id:`pop3_reply`: :zeek:type:`event`         Generated for server-side replies to commands on POP3 connections.
+:zeek:id:`pop3_request`: :zeek:type:`event`       Generated for client-side commands on POP3 connections.
+:zeek:id:`pop3_starttls`: :zeek:type:`event`      Generated when a POP3 connection goes encrypted.
+:zeek:id:`pop3_unexpected`: :zeek:type:`event`    Generated for errors encountered on POP3 sessions.
+================================================= ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: pop3_data
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 76 76
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for server-side multi-line responses on POP3 connections. POP3
+   connections use multi-line responses to send bulk data, such as the actual
+   mails. This event is generated once for each line that's part of such a
+   response.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the data was sent by the originator of the TCP connection.
+   
+
+   :param data: The data sent.
+   
+   .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
+      pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_login_failure
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 168 168
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
+
+   Generated for unsuccessful authentications on POP3 connections.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Always false.
+   
+
+   :param user: The user name attempted for authentication. The event is only
+         generated if a non-empty user name was used.
+   
+
+   :param password: The password attempted for authentication.
+   
+   .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
+      pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_login_success
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 144 144
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, user: :zeek:type:`string`, password: :zeek:type:`string`)
+
+   Generated for successful authentications on POP3 connections.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Always false.
+   
+
+   :param user: The user name used for authentication. The event is only generated if
+         a non-empty user name was used.
+   
+
+   :param password: The password used for authentication.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
+      pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_reply
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 52 52
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, cmd: :zeek:type:`string`, msg: :zeek:type:`string`)
+
+   Generated for server-side replies to commands on POP3 connections.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param cmd: The success indicator sent by the server. This corresponds to the
+        first token on the line sent, and should be either ``OK`` or ``ERR``.
+   
+
+   :param msg: The textual description the server sent along with *cmd*.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
+      pop3_unexpected
+   
+   .. todo:: This event is receiving odd parameters, should unify.
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_request
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 25 25
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
+
+   Generated for client-side commands on POP3 connections.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the command was sent by the originator of the TCP
+            connection.
+   
+
+   :param command: The command sent.
+   
+
+   :param arg: The argument to the command.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+      pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_starttls
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 120 120
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a POP3 connection goes encrypted. While POP3 is by default a
+   clear-text protocol, extensions exist to switch to encryption. This event is
+   generated if that happens and the analyzer then stops processing the
+   connection.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+      pop3_request pop3_unexpected
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pop3_unexpected
+   :source-code: base/bif/plugins/Zeek_POP3.events.bif.zeek 100 100
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`, detail: :zeek:type:`string`)
+
+   Generated for errors encountered on POP3 sessions. If the POP3 analyzer
+   finds state transitions that do not conform to the protocol specification,
+   or other situations it can't handle, it raises this event.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/POP3>`__ for more information
+   about the POP3 protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the data was sent by the originator of the TCP connection.
+   
+
+   :param msg: A textual description of the situation.
+   
+
+   :param detail: The input that triggered the event.
+   
+   .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek.rst
new file mode 100644
index 0000000000..1269f5cee4
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek.rst
@@ -0,0 +1,37 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: PacketAnalyzer::PPPoE
+
+
+:Namespaces: GLOBAL, PacketAnalyzer::PPPoE
+
+Summary
+~~~~~~~
+Functions
+#########
+=================================================================== ===============================================================
+:zeek:id:`PacketAnalyzer::PPPoE::session_id`: :zeek:type:`function` Returns the PPPoE Session ID of the current packet, if present.
+=================================================================== ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: PacketAnalyzer::PPPoE::session_id
+   :source-code: base/bif/plugins/Zeek_PPPoE.functions.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+   Returns the PPPoE Session ID of the current packet, if present.
+   
+   If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
+   is out of range of the session ID.
+   
+
+   :returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek.rst
new file mode 100644
index 0000000000..8e5bacbce0
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek.rst
@@ -0,0 +1,61 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_RADIUS.events.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=============================================== ====================================
+:zeek:id:`radius_attribute`: :zeek:type:`event` Generated for each RADIUS attribute.
+:zeek:id:`radius_message`: :zeek:type:`event`   Generated for RADIUS messages.
+=============================================== ====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: radius_attribute
+   :source-code: base/bif/plugins/Zeek_RADIUS.events.bif.zeek 27 27
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, attr_type: :zeek:type:`count`, value: :zeek:type:`string`)
+
+   Generated for each RADIUS attribute.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
+   information about RADIUS.
+   
+
+   :param c: The connection.
+   
+
+   :param attr_type: The value of the code field (1 == User-Name, 2 == User-Password, etc.).
+   
+
+   :param value: The data/value bound to the attribute.
+   
+
+.. zeek:id:: radius_message
+   :source-code: base/bif/plugins/Zeek_RADIUS.events.bif.zeek 13 13
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`RADIUS::Message`)
+
+   Generated for RADIUS messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/RADIUS>`__ for more
+   information about RADIUS.
+   
+
+   :param c: The connection.
+   
+
+   :param result: A record containing fields parsed from a RADIUS packet.
+   
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek.rst
new file mode 100644
index 0000000000..f39df5d3f2
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek.rst
@@ -0,0 +1,269 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_RDP.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================= =================================================================================
+:zeek:id:`rdp_begin_encryption`: :zeek:type:`event`           Generated when an RDP session becomes encrypted.
+:zeek:id:`rdp_client_cluster_data`: :zeek:type:`event`        Generated for client cluster data packets.
+:zeek:id:`rdp_client_core_data`: :zeek:type:`event`           Generated for MCS client requests.
+:zeek:id:`rdp_client_network_data`: :zeek:type:`event`        Generated for Client Network Data (TS_UD_CS_NET) packets
+:zeek:id:`rdp_client_security_data`: :zeek:type:`event`       Generated for client security data packets.
+:zeek:id:`rdp_connect_request`: :zeek:type:`event`            Generated for X.224 client requests.
+:zeek:id:`rdp_gcc_server_create_response`: :zeek:type:`event` Generated for MCS server responses.
+:zeek:id:`rdp_native_encrypted_data`: :zeek:type:`event`      Generated for each packet after RDP native encryption begins
+:zeek:id:`rdp_negotiation_failure`: :zeek:type:`event`        Generated for RDP Negotiation Failure messages.
+:zeek:id:`rdp_negotiation_response`: :zeek:type:`event`       Generated for RDP Negotiation Response messages.
+:zeek:id:`rdp_server_certificate`: :zeek:type:`event`         Generated for a server certificate section.
+:zeek:id:`rdp_server_security`: :zeek:type:`event`            Generated for MCS server responses.
+:zeek:id:`rdpeudp_data`: :zeek:type:`event`                   Generated when for data messages exchanged after a RDPEUDP connection establishes
+:zeek:id:`rdpeudp_established`: :zeek:type:`event`            Generated when RDPEUDP connections are established (both sides SYN)
+:zeek:id:`rdpeudp_syn`: :zeek:type:`event`                    Generated for RDPEUDP SYN UDP Datagram
+:zeek:id:`rdpeudp_synack`: :zeek:type:`event`                 Generated for RDPEUDP SYNACK UDP Datagram
+============================================================= =================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: rdp_begin_encryption
+   :source-code: base/protocols/rdp/main.zeek 259 269
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`)
+
+   Generated when an RDP session becomes encrypted.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param security_protocol: The security protocol being used for the session.
+
+.. zeek:id:: rdp_client_cluster_data
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 111 111
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientClusterData`)
+
+   Generated for client cluster data packets.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param data: The data contained in the client security data structure.
+
+.. zeek:id:: rdp_client_core_data
+   :source-code: base/protocols/rdp/main.zeek 187 213
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientCoreData`)
+
+   Generated for MCS client requests.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param data: The data contained in the client core data structure.
+
+.. zeek:id:: rdp_client_network_data
+   :source-code: base/protocols/rdp/main.zeek 215 228
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, channels: :zeek:type:`RDP::ClientChannelList`)
+
+   Generated for Client Network Data (TS_UD_CS_NET) packets
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param channels: The channels that were requested
+
+.. zeek:id:: rdp_client_security_data
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 95 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`RDP::ClientSecurityData`)
+
+   Generated for client security data packets.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param data: The data contained in the client security data structure.
+
+.. zeek:id:: rdp_connect_request
+   :source-code: base/protocols/rdp/main.zeek 166 171
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`, flags: :zeek:type:`count`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`)
+
+   Generated for X.224 client requests.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param cookie: The cookie included in the request; empty if no cookie was provided.
+   
+
+   :param flags: The flags set by the client.
+
+.. zeek:id:: rdp_gcc_server_create_response
+   :source-code: base/protocols/rdp/main.zeek 230 235
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`count`)
+
+   Generated for MCS server responses.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param result: The 8-bit integer representing the GCC Conference Create Response result.
+
+.. zeek:id:: rdp_native_encrypted_data
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 43 43
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, len: :zeek:type:`count`)
+
+   Generated for each packet after RDP native encryption begins
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param orig: True if the packet was sent by the originator of the connection.
+   
+
+   :param len: The length of the encrypted data.
+
+.. zeek:id:: rdp_negotiation_failure
+   :source-code: base/protocols/rdp/main.zeek 180 185
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, failure_code: :zeek:type:`count`, flags: :zeek:type:`count`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, failure_code: :zeek:type:`count`)
+
+   Generated for RDP Negotiation Failure messages.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param failure_code: The failure code sent by the server.
+   
+
+   :param flags: The flags set by the server.
+
+.. zeek:id:: rdp_negotiation_response
+   :source-code: base/protocols/rdp/main.zeek 173 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`, flags: :zeek:type:`count`)
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, security_protocol: :zeek:type:`count`)
+
+   Generated for RDP Negotiation Response messages.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param security_protocol: The security protocol selected by the server.
+   
+
+   :param flags: The flags set by the server.
+
+.. zeek:id:: rdp_server_certificate
+   :source-code: base/protocols/rdp/main.zeek 245 257
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cert_type: :zeek:type:`count`, permanently_issued: :zeek:type:`bool`)
+
+   Generated for a server certificate section.  If multiple X.509 
+   certificates are included in chain, this event will still
+   only be generated a single time.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param cert_type: Indicates the type of certificate.
+   
+
+   :param permanently_issued: Value will be true is the certificate(s) is permanent on the server.
+
+.. zeek:id:: rdp_server_security
+   :source-code: base/protocols/rdp/main.zeek 237 243
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, encryption_method: :zeek:type:`count`, encryption_level: :zeek:type:`count`)
+
+   Generated for MCS server responses.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param encryption_method: The 32-bit integer representing the encryption method used in the connection.
+   
+
+   :param encryption_level: The 32-bit integer representing the encryption level used in the connection.
+
+.. zeek:id:: rdpeudp_data
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated when for data messages exchanged after a RDPEUDP connection establishes
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param is_orig: Whether the data was sent by the originator or responder of the connection.
+   
+
+   :param version: Whether the connection is RDPEUDP1 or RDPEUDP2
+   
+
+   :param data: The payload of the packet. This is probably very non-performant.
+
+.. zeek:id:: rdpeudp_established
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`)
+
+   Generated when RDPEUDP connections are established (both sides SYN)
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param version: Whether the connection is RDPEUDP1 or RDPEUDP2
+
+.. zeek:id:: rdpeudp_syn
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 7 7
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for RDPEUDP SYN UDP Datagram
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+
+.. zeek:id:: rdpeudp_synack
+   :source-code: base/bif/plugins/Zeek_RDP.events.bif.zeek 13 13
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for RDPEUDP SYNACK UDP Datagram
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek.rst
new file mode 100644
index 0000000000..6f0b9c2823
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_RDP.types.bif.zeek
+========================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: RDP
+
+
+:Namespaces: GLOBAL, RDP
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek.rst
new file mode 100644
index 0000000000..9c86e8d1f1
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek.rst
@@ -0,0 +1,112 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_RFB.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== ==========================================================
+:zeek:id:`rfb_auth_result`: :zeek:type:`event`         Generated for RFB event authentication result message
+:zeek:id:`rfb_authentication_type`: :zeek:type:`event` Generated for RFB event authentication mechanism selection
+:zeek:id:`rfb_client_version`: :zeek:type:`event`      Generated for RFB event client banner message
+:zeek:id:`rfb_server_parameters`: :zeek:type:`event`   Generated for RFB event server parameter message
+:zeek:id:`rfb_server_version`: :zeek:type:`event`      Generated for RFB event server banner message
+:zeek:id:`rfb_share_flag`: :zeek:type:`event`          Generated for RFB event share flag messages
+====================================================== ==========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: rfb_auth_result
+   :source-code: base/protocols/rfb/main.zeek 152 155
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`bool`)
+
+   Generated for RFB event authentication result message
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param result: whether or not authentication was successful
+
+.. zeek:id:: rfb_authentication_type
+   :source-code: base/protocols/rfb/main.zeek 131 136
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, authtype: :zeek:type:`count`)
+
+   Generated for RFB event authentication mechanism selection
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param authtype: the value of the chosen authentication mechanism
+
+.. zeek:id:: rfb_client_version
+   :source-code: base/protocols/rfb/main.zeek 117 122
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_version: :zeek:type:`string`, minor_version: :zeek:type:`string`)
+
+   Generated for RFB event client banner message
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param version: of the client's rfb library
+
+.. zeek:id:: rfb_server_parameters
+   :source-code: base/bif/plugins/Zeek_RFB.events.bif.zeek 53 53
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, width: :zeek:type:`count`, height: :zeek:type:`count`)
+
+   Generated for RFB event server parameter message
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param name: name of the shared screen
+   
+
+   :param width: width of the shared screen
+   
+
+   :param height: height of the shared screen
+
+.. zeek:id:: rfb_server_version
+   :source-code: base/protocols/rfb/main.zeek 124 129
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_version: :zeek:type:`string`, minor_version: :zeek:type:`string`)
+
+   Generated for RFB event server banner message
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param version: of the server's rfb library
+
+.. zeek:id:: rfb_share_flag
+   :source-code: base/protocols/rfb/main.zeek 157 160
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, flag: :zeek:type:`bool`)
+
+   Generated for RFB event share flag messages
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param flag: whether or not the share flag was set
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek.rst
new file mode 100644
index 0000000000..c5c5c31c7f
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek.rst
@@ -0,0 +1,1320 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_RPC.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================= ==========================================================================
+:zeek:id:`mount_proc_mnt`: :zeek:type:`event`             Generated for MOUNT3 request/reply dialogues of type *mnt*.
+:zeek:id:`mount_proc_not_implemented`: :zeek:type:`event` Generated for MOUNT3 request/reply dialogues of a type that Zeek's MOUNTv3
+                                                          analyzer does not implement.
+:zeek:id:`mount_proc_null`: :zeek:type:`event`            Generated for MOUNT3 request/reply dialogues of type *null*.
+:zeek:id:`mount_proc_umnt`: :zeek:type:`event`            Generated for MOUNT3 request/reply dialogues of type *umnt*.
+:zeek:id:`mount_proc_umnt_all`: :zeek:type:`event`        Generated for MOUNT3 request/reply dialogues of type *umnt_all*.
+:zeek:id:`mount_reply_status`: :zeek:type:`event`         Generated for each MOUNT3 reply message received, reporting just the
+                                                          status included.
+:zeek:id:`nfs_proc_create`: :zeek:type:`event`            Generated for NFSv3 request/reply dialogues of type *create*.
+:zeek:id:`nfs_proc_getattr`: :zeek:type:`event`           Generated for NFSv3 request/reply dialogues of type *getattr*.
+:zeek:id:`nfs_proc_link`: :zeek:type:`event`              Generated for NFSv3 request/reply dialogues of type *link*.
+:zeek:id:`nfs_proc_lookup`: :zeek:type:`event`            Generated for NFSv3 request/reply dialogues of type *lookup*.
+:zeek:id:`nfs_proc_mkdir`: :zeek:type:`event`             Generated for NFSv3 request/reply dialogues of type *mkdir*.
+:zeek:id:`nfs_proc_not_implemented`: :zeek:type:`event`   Generated for NFSv3 request/reply dialogues of a type that Zeek's NFSv3
+                                                          analyzer does not implement.
+:zeek:id:`nfs_proc_null`: :zeek:type:`event`              Generated for NFSv3 request/reply dialogues of type *null*.
+:zeek:id:`nfs_proc_read`: :zeek:type:`event`              Generated for NFSv3 request/reply dialogues of type *read*.
+:zeek:id:`nfs_proc_readdir`: :zeek:type:`event`           Generated for NFSv3 request/reply dialogues of type *readdir*.
+:zeek:id:`nfs_proc_readlink`: :zeek:type:`event`          Generated for NFSv3 request/reply dialogues of type *readlink*.
+:zeek:id:`nfs_proc_remove`: :zeek:type:`event`            Generated for NFSv3 request/reply dialogues of type *remove*.
+:zeek:id:`nfs_proc_rename`: :zeek:type:`event`            Generated for NFSv3 request/reply dialogues of type *rename*.
+:zeek:id:`nfs_proc_rmdir`: :zeek:type:`event`             Generated for NFSv3 request/reply dialogues of type *rmdir*.
+:zeek:id:`nfs_proc_sattr`: :zeek:type:`event`             Generated for NFSv3 request/reply dialogues of type *sattr*.
+:zeek:id:`nfs_proc_symlink`: :zeek:type:`event`           Generated for NFSv3 request/reply dialogues of type *symlink*.
+:zeek:id:`nfs_proc_write`: :zeek:type:`event`             Generated for NFSv3 request/reply dialogues of type *write*.
+:zeek:id:`nfs_reply_status`: :zeek:type:`event`           Generated for each NFSv3 reply message received, reporting just the
+                                                          status included.
+:zeek:id:`pm_attempt_callit`: :zeek:type:`event`          Generated for failed Portmapper requests of type *callit*.
+:zeek:id:`pm_attempt_dump`: :zeek:type:`event`            Generated for failed Portmapper requests of type *dump*.
+:zeek:id:`pm_attempt_getport`: :zeek:type:`event`         Generated for failed Portmapper requests of type *getport*.
+:zeek:id:`pm_attempt_null`: :zeek:type:`event`            Generated for failed Portmapper requests of type *null*.
+:zeek:id:`pm_attempt_set`: :zeek:type:`event`             Generated for failed Portmapper requests of type *set*.
+:zeek:id:`pm_attempt_unset`: :zeek:type:`event`           Generated for failed Portmapper requests of type *unset*.
+:zeek:id:`pm_bad_port`: :zeek:type:`event`                Generated for Portmapper requests or replies that include an invalid port
+                                                          number.
+:zeek:id:`pm_request_callit`: :zeek:type:`event`          Generated for Portmapper request/reply dialogues of type *callit*.
+:zeek:id:`pm_request_dump`: :zeek:type:`event`            Generated for Portmapper request/reply dialogues of type *dump*.
+:zeek:id:`pm_request_getport`: :zeek:type:`event`         Generated for Portmapper request/reply dialogues of type *getport*.
+:zeek:id:`pm_request_null`: :zeek:type:`event`            Generated for Portmapper requests of type *null*.
+:zeek:id:`pm_request_set`: :zeek:type:`event`             Generated for Portmapper request/reply dialogues of type *set*.
+:zeek:id:`pm_request_unset`: :zeek:type:`event`           Generated for Portmapper request/reply dialogues of type *unset*.
+:zeek:id:`rpc_call`: :zeek:type:`event`                   Generated for RPC *call* messages.
+:zeek:id:`rpc_dialogue`: :zeek:type:`event`               Generated for RPC request/reply *pairs*.
+:zeek:id:`rpc_reply`: :zeek:type:`event`                  Generated for RPC *reply* messages.
+========================================================= ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: mount_proc_mnt
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 929 929
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`, req: :zeek:type:`MOUNT3::dirmntargs_t`, rep: :zeek:type:`MOUNT3::mnt_reply_t`)
+
+   Generated for MOUNT3 request/reply dialogues of type *mnt*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   MOUNT is a service running on top of RPC.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_proc_not_implemented
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 990 990
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`, proc: :zeek:type:`MOUNT3::proc_t`)
+
+   Generated for MOUNT3 request/reply dialogues of a type that Zeek's MOUNTv3
+   analyzer does not implement.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param proc: The procedure called that Zeek does not implement.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_proc_null
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 905 905
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`)
+
+   Generated for MOUNT3 request/reply dialogues of type *null*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   MOUNT is a service running on top of RPC.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_proc_umnt
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 950 950
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`, req: :zeek:type:`MOUNT3::dirmntargs_t`)
+
+   Generated for MOUNT3 request/reply dialogues of type *umnt*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   MOUNT is a service running on top of RPC.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_proc_umnt_all
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 971 971
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`, req: :zeek:type:`MOUNT3::dirmntargs_t`)
+
+   Generated for MOUNT3 request/reply dialogues of type *umnt_all*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   MOUNT is a service running on top of RPC.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: mount_reply_status
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 1007 1007
+
+   :Type: :zeek:type:`event` (n: :zeek:type:`connection`, info: :zeek:type:`MOUNT3::info_t`)
+
+   Generated for each MOUNT3 reply message received, reporting just the
+   status included.
+   
+
+   :param n: The connection.
+   
+
+   :param info: Reports the status included in the reply.
+   
+   .. zeek:see:: mount_proc_mnt mount_proc_umnt
+      mount_proc_umnt_all mount_proc_not_implemented
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_create
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 287 287
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::newobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *create*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see::  nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_getattr
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 54 54
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, fh: :zeek:type:`string`, attrs: :zeek:type:`NFS3::fattr_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *getattr*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param fh: TODO.
+   
+
+   :param attrs: The attributes returned in the reply. The values may not be valid if
+         the request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create  nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply file_mode
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_link
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 228 228
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::linkargs_t`, rep: :zeek:type:`NFS3::link_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *link*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+      nfs_proc_symlink rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_lookup
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 112 112
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::lookup_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *lookup*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr  nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_mkdir
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 316 316
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::newobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_not_implemented
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 456 456
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, proc: :zeek:type:`NFS3::proc_t`)
+
+   Generated for NFSv3 request/reply dialogues of a type that Zeek's NFSv3
+   analyzer does not implement.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param proc: The procedure called that Zeek does not implement.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
+      nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_null
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 25 25
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *null*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented  nfs_proc_read nfs_proc_readdir nfs_proc_readlink
+      nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_read
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 141 141
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::readargs_t`, rep: :zeek:type:`NFS3::read_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *read*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir
+      nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
+      NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_readdir
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 432 432
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::readdirargs_t`, rep: :zeek:type:`NFS3::readdir_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink
+      nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_readlink
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 170 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, fh: :zeek:type:`string`, rep: :zeek:type:`NFS3::readlink_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *readlink*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param fh: The file handle passed in the request.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_remove
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 345 345
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::delobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *remove*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink  nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_rename
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 403 403
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::renameopargs_t`, rep: :zeek:type:`NFS3::renameobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *rename*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
+      nfs_reply_status rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_rmdir
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 374 374
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::diropargs_t`, rep: :zeek:type:`NFS3::delobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove  nfs_proc_write nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_sattr
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 83 83
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::sattrargs_t`, rep: :zeek:type:`NFS3::sattr_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *sattr*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The attributes returned in the reply. The values may not be
+        valid if the request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create  nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      rpc_call rpc_dialogue rpc_reply file_mode
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_symlink
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 199 199
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::symlinkargs_t`, rep: :zeek:type:`NFS3::newobj_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *symlink*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req:  The arguments passed in the request.
+   
+
+   :param rep: The attributes returned in the reply. The values may not be
+        valid if the request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create  nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
+      nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_proc_write
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 258 258
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`, req: :zeek:type:`NFS3::writeargs_t`, rep: :zeek:type:`NFS3::write_reply_t`)
+
+   Generated for NFSv3 request/reply dialogues of type *write*. The event is
+   generated once we have either seen both the request and its corresponding
+   reply, or an unanswered request has timed out.
+   
+   NFS is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Network_File_System_(protocol)>`__ for more
+   information about the service.
+   
+
+   :param c: The RPC connection.
+   
+
+   :param info: Reports the status of the dialogue, along with some meta information.
+   
+
+   :param req: TODO.
+   
+
+   :param rep: The response returned in the reply. The values may not be valid if the
+        request was unsuccessful.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir  nfs_reply_status rpc_call
+      rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
+      NFS3::return_data_max
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: nfs_reply_status
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 475 475
+
+   :Type: :zeek:type:`event` (n: :zeek:type:`connection`, info: :zeek:type:`NFS3::info_t`)
+
+   Generated for each NFSv3 reply message received, reporting just the
+   status included.
+   
+
+   :param n: The connection.
+   
+
+   :param info: Reports the status included in the reply.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
+      nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
+      nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_callit
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 770 770
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`, call: :zeek:type:`pm_callit_request`)
+
+   Generated for failed Portmapper requests of type *callit*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param call: The argument to the original request.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_unset
+      pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_dump
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 744 744
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`)
+
+   Generated for failed Portmapper requests of type *dump*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_unset
+      pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_getport
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 720 720
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`, pr: :zeek:type:`pm_port_request`)
+
+   Generated for failed Portmapper requests of type *getport*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param pr: The argument to the original request.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_null
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 643 643
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`)
+
+   Generated for failed Portmapper requests of type *null*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_set pm_attempt_unset pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_set
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 669 669
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`, m: :zeek:type:`pm_mapping`)
+
+   Generated for failed Portmapper requests of type *set*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param m: The argument to the original request.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_unset pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_attempt_unset
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 695 695
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, status: :zeek:type:`rpc_status`, m: :zeek:type:`pm_mapping`)
+
+   Generated for failed Portmapper requests of type *unset*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param m: The argument to the original request.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_bad_port
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 796 796
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, bad_p: :zeek:type:`count`)
+
+   Generated for Portmapper requests or replies that include an invalid port
+   number. Since ports are represented by unsigned 4-byte integers, they can
+   stray outside the allowed range of 0--65535 by being >= 65536. If so, this
+   event is generated.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param bad_p: The invalid port value.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_request_callit
+      pm_attempt_null pm_attempt_set pm_attempt_unset
+      pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_callit
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 619 619
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, call: :zeek:type:`pm_callit_request`, p: :zeek:type:`port`)
+
+   Generated for Portmapper request/reply dialogues of type *callit*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param call: The argument to the request.
+   
+
+   :param p: The port value returned by the call.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_dump pm_attempt_null
+      pm_attempt_set pm_attempt_unset pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_dump
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 594 594
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, m: :zeek:type:`pm_mappings`)
+
+   Generated for Portmapper request/reply dialogues of type *dump*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param m: The mappings returned by the server.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_getport pm_request_callit pm_attempt_null
+      pm_attempt_set pm_attempt_unset pm_attempt_getport
+      pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
+      rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_getport
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 571 571
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, pr: :zeek:type:`pm_port_request`, p: :zeek:type:`port`)
+
+   Generated for Portmapper request/reply dialogues of type *getport*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param pr: The argument to the request.
+   
+
+   :param p: The port returned by the server.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_unset
+      pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
+      pm_attempt_unset pm_attempt_getport pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_null
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 495 495
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`)
+
+   Generated for Portmapper requests of type *null*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+   .. zeek:see:: pm_request_set pm_request_unset pm_request_getport
+      pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
+      pm_attempt_unset pm_attempt_getport pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_set
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 521 521
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, m: :zeek:type:`pm_mapping`, success: :zeek:type:`bool`)
+
+   Generated for Portmapper request/reply dialogues of type *set*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param m: The argument to the request.
+   
+
+   :param success: True if the request was successful, according to the corresponding
+            reply. If no reply was seen, this will be false once the request
+            times out.
+   
+   .. zeek:see:: pm_request_null pm_request_unset pm_request_getport
+      pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
+      pm_attempt_unset pm_attempt_getport pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: pm_request_unset
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 547 547
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`connection`, m: :zeek:type:`pm_mapping`, success: :zeek:type:`bool`)
+
+   Generated for Portmapper request/reply dialogues of type *unset*.
+   
+   Portmapper is a service running on top of RPC. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Portmap>`__ for more information about the
+   service.
+   
+
+   :param r: The RPC connection.
+   
+
+   :param m: The argument to the request.
+   
+
+   :param success: True if the request was successful, according to the corresponding
+            reply. If no reply was seen, this will be false once the request
+            times out.
+   
+   .. zeek:see:: pm_request_null pm_request_set pm_request_getport
+      pm_request_dump pm_request_callit pm_attempt_null pm_attempt_set
+      pm_attempt_unset pm_attempt_getport pm_attempt_dump
+      pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. zeek:id:: rpc_call
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 861 861
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, xid: :zeek:type:`count`, prog: :zeek:type:`count`, ver: :zeek:type:`count`, proc: :zeek:type:`count`, call_len: :zeek:type:`count`)
+
+   Generated for RPC *call* messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+   about the ONC RPC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param xid: The transaction identifier allowing to match requests with replies.
+   
+
+   :param prog: The remote program to call.
+   
+
+   :param ver: The version of the remote program to call.
+   
+
+   :param proc: The procedure of the remote program to call.
+   
+
+   :param call_len: The size of the *call_body* PDU.
+   
+   .. zeek:see::  rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+      dce_rpc_response rpc_timeout
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: rpc_dialogue
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 833 833
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, prog: :zeek:type:`count`, ver: :zeek:type:`count`, proc: :zeek:type:`count`, status: :zeek:type:`rpc_status`, start_time: :zeek:type:`time`, call_len: :zeek:type:`count`, reply_len: :zeek:type:`count`)
+
+   Generated for RPC request/reply *pairs*. The RPC analyzer associates request
+   and reply by their transaction identifiers and raises this event once both
+   have been seen. If there's not a reply, this event will still be generated
+   eventually on timeout. In that case, *status* will be set to
+   :zeek:enum:`RPC_TIMEOUT`.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+   about the ONC RPC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param prog: The remote program to call.
+   
+
+   :param ver: The version of the remote program to call.
+   
+
+   :param proc: The procedure of the remote program to call.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param start_time: The time when the *call* was seen.
+   
+
+   :param call_len: The size of the *call_body* PDU.
+   
+
+   :param reply_len: The size of the *reply_body* PDU.
+   
+   .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+      dce_rpc_response rpc_timeout
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+.. zeek:id:: rpc_reply
+   :source-code: base/bif/plugins/Zeek_RPC.events.bif.zeek 886 886
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, xid: :zeek:type:`count`, status: :zeek:type:`rpc_status`, reply_len: :zeek:type:`count`)
+
+   Generated for RPC *reply* messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/ONC_RPC>`__ for more information
+   about the ONC RPC protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param xid: The transaction identifier allowing to match requests with replies.
+   
+
+   :param status: The status of the reply, which should be one of the index values of
+           :zeek:id:`RPC_status`.
+   
+
+   :param reply_len: The size of the *reply_body* PDU.
+   
+   .. zeek:see:: rpc_call rpc_dialogue  dce_rpc_bind dce_rpc_message dce_rpc_request
+      dce_rpc_response rpc_timeout
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to add a
+      call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
+      signature.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek.rst
new file mode 100644
index 0000000000..d31728adf2
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_RawReader.raw.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: InputRaw
+
+
+:Namespaces: GLOBAL, InputRaw
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek.rst
new file mode 100644
index 0000000000..cc18ccd4ba
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek.rst
@@ -0,0 +1,163 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SIP.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=============================================== ==========================================================================================================
+:zeek:id:`sip_all_headers`: :zeek:type:`event`  Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
+:zeek:id:`sip_begin_entity`: :zeek:type:`event` Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
+:zeek:id:`sip_end_entity`: :zeek:type:`event`   Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
+:zeek:id:`sip_header`: :zeek:type:`event`       Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
+:zeek:id:`sip_reply`: :zeek:type:`event`        Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
+:zeek:id:`sip_request`: :zeek:type:`event`      Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
+=============================================== ==========================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: sip_all_headers
+   :source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 71 71
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, hlist: :zeek:type:`mime_header_list`)
+
+   Generated once for all :abbr:`SIP (Session Initiation Protocol)` headers from the originator or responder.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Whether the headers came from the originator.
+   
+
+   :param hlist: All the headers, and their values
+   
+   .. zeek:see:: sip_request sip_reply sip_header sip_begin_entity sip_end_entity
+
+.. zeek:id:: sip_begin_entity
+   :source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 86 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated at the beginning of a :abbr:`SIP (Session Initiation Protocol)` message.
+   
+   This event is generated as soon as a message's initial line has been parsed.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Whether the message came from the originator.
+   
+   .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_end_entity
+
+.. zeek:id:: sip_end_entity
+   :source-code: base/bif/plugins/Zeek_SIP.events.bif.zeek 99 99
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated at the end of a :abbr:`SIP (Session Initiation Protocol)` message.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Whether the message came from the originator.
+   
+   .. zeek:see:: sip_request sip_reply sip_header sip_all_headers sip_begin_entity
+
+.. zeek:id:: sip_header
+   :source-code: base/protocols/sip/main.zeek 193 273
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, name: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Generated for each :abbr:`SIP (Session Initiation Protocol)` header.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Whether the header came from the originator.
+   
+
+   :param name: Header name.
+   
+
+   :param value: Header value.
+   
+   .. zeek:see:: sip_request sip_reply sip_all_headers sip_begin_entity sip_end_entity
+
+.. zeek:id:: sip_reply
+   :source-code: base/protocols/sip/main.zeek 181 191
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`, code: :zeek:type:`count`, reason: :zeek:type:`string`)
+
+   Generated for :abbr:`SIP (Session Initiation Protocol)` replies, used in Voice over IP (VoIP).
+   
+   This event is generated as soon as a reply's initial line has been parsed.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param version: The :abbr:`SIP (Session Initiation Protocol)` version in use.
+   
+
+   :param code: The response code.
+   
+
+   :param reason: Textual details for the response code.
+   
+   .. zeek:see:: sip_request sip_header sip_all_headers sip_begin_entity sip_end_entity
+
+.. zeek:id:: sip_request
+   :source-code: base/protocols/sip/main.zeek 170 179
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, method: :zeek:type:`string`, original_URI: :zeek:type:`string`, version: :zeek:type:`string`)
+
+   Generated for :abbr:`SIP (Session Initiation Protocol)` requests, used in Voice over IP (VoIP).
+   
+   This event is generated as soon as a request's initial line has been parsed.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Session_Initiation_Protocol>`__
+   for more information about the :abbr:`SIP (Session Initiation Protocol)` protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param method: The :abbr:`SIP (Session Initiation Protocol)` method extracted from the request (e.g., ``REGISTER``, ``NOTIFY``).
+   
+
+   :param original_URI: The unprocessed URI as specified in the request.
+   
+
+   :param version: The version number specified in the request (e.g., ``2.0``).
+   
+   .. zeek:see:: sip_reply sip_header sip_all_headers sip_begin_entity sip_end_entity
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek.rst
new file mode 100644
index 0000000000..db755d4245
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.consts.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek.rst
new file mode 100644
index 0000000000..05568e2c5b
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek.rst
@@ -0,0 +1,58 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================== ==========================================================================
+:zeek:id:`smb_discarded_dce_rpc_analyzers`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)` when the number of
+                                                               :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+                                                               analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
+:zeek:id:`smb_pipe_connect_heuristic`: :zeek:type:`event`      Generated for :abbr:`SMB (Server Message Block)` connections when a
+                                                               named pipe has been detected heuristically.
+============================================================== ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb_discarded_dce_rpc_analyzers
+   :source-code: base/protocols/dce-rpc/main.zeek 231 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for :abbr:`SMB (Server Message Block)` when the number of
+   :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+   analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
+   Occurrence of this event may indicate traffic loss, traffic load-balancing
+   issues or abnormal SMB protocol usage.
+   
+
+   :param c: The connection.
+   
+
+.. zeek:id:: smb_pipe_connect_heuristic
+   :source-code: base/protocols/smb/main.zeek 243 247
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for :abbr:`SMB (Server Message Block)` connections when a
+   named pipe has been detected heuristically.  The case when this comes
+   up is when the drive mapping isn't seen so the analyzer is not able
+   to determine whether to send the data to the files framework or to
+   the DCE_RPC analyzer. This heuristic can be tuned by adding or
+   removing "named pipe" names from the :zeek:see:`SMB::pipe_filenames`
+   const.
+   
+
+   :param c: The connection.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek.rst
new file mode 100644
index 0000000000..1710959219
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek.rst
@@ -0,0 +1,67 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek
+===========================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================ ===========================================================================================
+:zeek:id:`smb1_check_directory_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                             version 1 requests of type *check directory*.
+:zeek:id:`smb1_check_directory_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                             version 1 responses of type *check directory*.
+============================================================ ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_check_directory_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, directory_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *check directory*. This is used by the client to verify that
+   a specified path resolves to a valid directory on the server.
+   
+   For more information, see MS-CIFS:2.2.4.17
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param directory_name: The directory name to check for existence.
+   
+   .. zeek:see:: smb1_message smb1_check_directory_response
+
+.. zeek:id:: smb1_check_directory_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek 31 31
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *check directory*. This is the server response to the
+   *check directory* request.
+   
+   For more information, see MS-CIFS:2.2.4.17
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+   .. zeek:see:: smb1_message smb1_check_directory_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek.rst
new file mode 100644
index 0000000000..fce668717c
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek.rst
@@ -0,0 +1,46 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek
+=================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================= ===========================================================================================
+:zeek:id:`smb1_close_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                  version 1 requests of type *close*.
+================================================= ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_close_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *close*. This is used by the client to close an instance of an object
+   associated with a valid file ID.
+   
+   For more information, see MS-CIFS:2.2.4.5
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_id: The file identifier being closed.
+   
+   .. zeek:see:: smb1_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek.rst
new file mode 100644
index 0000000000..a0a2517dda
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek.rst
@@ -0,0 +1,69 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek
+============================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================= ===========================================================================================
+:zeek:id:`smb1_create_directory_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                              version 1 requests of type *create directory*.
+:zeek:id:`smb1_create_directory_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                              version 1 responses of type *create directory*.
+============================================================= ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_create_directory_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, directory_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *create directory*. This is a deprecated command which
+   has been replaced by the *trans2_create_directory* subcommand. This is used by the client to
+   create a new directory on the server, relative to a connected share.
+   
+   For more information, see MS-CIFS:2.2.4.1
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param directory_name: The name of the directory to create.
+   
+   .. zeek:see:: smb1_message smb1_create_directory_response smb1_transaction2_request
+
+.. zeek:id:: smb1_create_directory_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *create directory*. This is a deprecated command which
+   has been replaced by the *trans2_create_directory* subcommand. This is the server response
+   to the *create directory* request.
+   
+   For more information, see MS-CIFS:2.2.4.1
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+   .. zeek:see:: smb1_message smb1_create_directory_request smb1_transaction2_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek.rst
new file mode 100644
index 0000000000..32bd323493
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek.rst
@@ -0,0 +1,75 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek
+================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================= ===========================================================================================
+:zeek:id:`smb1_echo_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                  version 1 requests of type *echo*.
+:zeek:id:`smb1_echo_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                  version 1 responses of type *echo*.
+================================================= ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_echo_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, echo_count: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *echo*. This is sent by the client to test the transport layer
+   connection with the server.
+   
+   For more information, see MS-CIFS:2.2.4.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param echo_count: The number of times the server should echo the data back.
+   
+
+   :param data: The data for the server to echo.
+   
+   .. zeek:see:: smb1_message smb1_echo_response
+
+.. zeek:id:: smb1_echo_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek 36 36
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, seq_num: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *echo*. This is the server response to the *echo* request.
+   
+   For more information, see MS-CIFS:2.2.4.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param seq_num: The sequence number of this echo reply.
+   
+
+   :param data: The data echoed back from the client.
+   
+   .. zeek:see:: smb1_message smb1_echo_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek.rst
new file mode 100644
index 0000000000..938b525257
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek.rst
@@ -0,0 +1,45 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
+=======================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=============================================== ===========================================================================================
+:zeek:id:`smb1_logoff_andx`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                version 1 requests of type *logoff andx*.
+=============================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_logoff_andx
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *logoff andx*. This is used by the client to logoff the user
+   connection represented by UID in the SMB Header. The server releases all locks and closes
+   all files currently open by this user, disconnects all tree connects, cancels any outstanding
+   requests for this UID, and invalidates the UID.
+   
+   For more information, see MS-CIFS:2.2.4.54
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Indicates which host sent the logoff message.
+   
+   .. zeek:see:: smb1_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek.rst
new file mode 100644
index 0000000000..5147cb160e
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek.rst
@@ -0,0 +1,71 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek
+=====================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== ===========================================================================================
+:zeek:id:`smb1_negotiate_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                       version 1 requests of type *negotiate*.
+:zeek:id:`smb1_negotiate_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                       version 1 responses of type *negotiate*.
+====================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_negotiate_request
+   :source-code: base/protocols/smb/smb1-main.zeek 77 80
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, dialects: :zeek:type:`string_vec`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *negotiate*. This is sent by the client to initiate an SMB
+   connection between the client and the server. A *negotiate* exchange MUST be completed
+   before any other SMB messages are sent to the server.
+   
+   For more information, see MS-CIFS:2.2.4.52
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param dialects: The SMB dialects supported by the client.
+   
+   .. zeek:see:: smb1_message smb1_negotiate_response
+
+.. zeek:id:: smb1_negotiate_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, response: :zeek:type:`SMB1::NegotiateResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *negotiate*. This is the server response to the *negotiate*
+   request.
+   
+   For more information, see MS-CIFS:2.2.4.52
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param response: A record structure containing more information from the response.
+   
+   .. zeek:see:: smb1_message smb1_negotiate_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek.rst
new file mode 100644
index 0000000000..91849b1100
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek.rst
@@ -0,0 +1,43 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
+=====================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+===================================================== ===========================================================================================
+:zeek:id:`smb1_nt_cancel_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                      version 1 requests of type *nt cancel*.
+===================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_nt_cancel_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *nt cancel*. This is sent by the client to request that a currently
+   pending request be cancelled.
+   
+   For more information, see MS-CIFS:2.2.4.65
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+   .. zeek:see:: smb1_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek.rst
new file mode 100644
index 0000000000..c431092226
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek.rst
@@ -0,0 +1,77 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
+==========================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================== ===========================================================================================
+:zeek:id:`smb1_nt_create_andx_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                            version 1 requests of type *nt create andx*.
+:zeek:id:`smb1_nt_create_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                            version 1 responses of type *nt create andx*.
+=========================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_nt_create_andx_request
+   :source-code: base/protocols/smb/smb1-main.zeek 137 146
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *nt create andx*. This is sent by the client to create and open
+   a new file, or to open an existing file, or to open and truncate an existing file to zero
+   length, or to create a directory, or to create a connection to a named pipe.
+   
+   For more information, see MS-CIFS:2.2.4.64
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param name: The ``name`` attribute  specified in the message.
+   
+   .. zeek:see:: smb1_message smb1_nt_create_andx_response
+
+.. zeek:id:: smb1_nt_create_andx_response
+   :source-code: base/protocols/smb/smb1-main.zeek 148 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, file_size: :zeek:type:`count`, times: :zeek:type:`SMB::MACTimes`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *nt create andx*. This is the server response to the
+   *nt create andx* request.
+   
+   For more information, see MS-CIFS:2.2.4.64
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param file_size: Size of the file.
+   
+
+   :param times: Timestamps associated with the file in question.
+   
+   .. zeek:see:: smb1_message smb1_nt_create_andx_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek.rst
new file mode 100644
index 0000000000..5ad78c487a
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek.rst
@@ -0,0 +1,47 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek
+=============================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================= ===========================================================================================
+:zeek:id:`smb1_query_information_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                              version 1 requests of type *query information*.
+============================================================= ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_query_information_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, filename: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *query information*. This is a deprecated command which
+   has been replaced by the *trans2_query_path_information* subcommand. This is used by the
+   client to obtain attribute information about a file.
+   
+   For more information, see MS-CIFS:2.2.4.9
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param filename: The filename that the client is querying.
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek.rst
new file mode 100644
index 0000000000..dc7a7609d9
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek.rst
@@ -0,0 +1,76 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek
+=====================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== ===========================================================================================
+:zeek:id:`smb1_read_andx_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                       version 1 requests of type *read andx*.
+:zeek:id:`smb1_read_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                       version 1 responses of type *read andx*.
+====================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_read_andx_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek 22 22
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *read andx*. This is sent by the client to read bytes from a regular
+   file, a named pipe, or a directly accessible device such as a serial port (COM) or printer
+   port (LPT).
+   
+   For more information, see MS-CIFS:2.2.4.42
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_id: The file identifier being written to.
+   
+
+   :param offset: The byte offset the requested read begins at.
+   
+
+   :param length: The number of bytes being requested.
+   
+   .. zeek:see:: smb1_message smb1_read_andx_response
+
+.. zeek:id:: smb1_read_andx_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, data_len: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *read andx*. This is the server response to the *read andx* request.
+   
+   For more information, see MS-CIFS:2.2.4.42
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param data_len: The length of data from the requested file.
+   
+   .. zeek:see:: smb1_message smb1_read_andx_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek.rst
new file mode 100644
index 0000000000..3f80244cdf
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek.rst
@@ -0,0 +1,68 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
+==============================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=============================================================== ===========================================================================================
+:zeek:id:`smb1_session_setup_andx_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                                version 1 requests of type *setup andx*.
+:zeek:id:`smb1_session_setup_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                                version 1 responses of type *setup andx*.
+=============================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_session_setup_andx_request
+   :source-code: base/protocols/smb/smb1-main.zeek 252 253
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, request: :zeek:type:`SMB1::SessionSetupAndXRequest`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *setup andx*. This is sent by the client to configure an SMB session.
+   
+   For more information, see MS-CIFS:2.2.4.53
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param request: The parsed request data of the SMB message. See init-bare for more details.
+   
+   .. zeek:see:: smb1_message smb1_session_setup_andx_response
+
+.. zeek:id:: smb1_session_setup_andx_response
+   :source-code: base/protocols/smb/smb1-main.zeek 257 258
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, response: :zeek:type:`SMB1::SessionSetupAndXResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *setup andx*. This is the server response to the *setup andx* request.
+   
+   For more information, see MS-CIFS:2.2.4.53
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param response: The parsed response data of the SMB message. See init-bare for more details.
+   
+   .. zeek:see:: smb1_message smb1_session_setup_andx_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek.rst
new file mode 100644
index 0000000000..12df6037be
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek.rst
@@ -0,0 +1,83 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek
+=======================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+======================================================== ===========================================================================================
+:zeek:id:`smb1_transaction_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 1 requests of type *transaction*.
+:zeek:id:`smb1_transaction_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 1 requests of type *transaction*.
+======================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_transaction_request
+   :source-code: base/protocols/smb/smb1-main.zeek 262 265
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, name: :zeek:type:`string`, sub_cmd: :zeek:type:`count`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction*. This command serves as the transport for the
+   Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+   which are interprocess communication endpoints within the CIFS file system.
+   
+   For more information, see MS-CIFS:2.2.4.33.1
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param name: A name string that MAY identify the resource (a specific Mailslot or Named Pipe) 
+         against which the operation is performed.
+   
+
+   :param sub_cmd: The sub command, some may be parsed and have their own events.
+   
+
+   :param parameters: content of the SMB_Data.Trans_Parameters field
+   
+
+   :param data: content of the SMB_Data.Trans_Data field
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request
+
+.. zeek:id:: smb1_transaction_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek 42 42
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction*. This command serves as the transport for the
+   Transaction Subprotocol Commands. These commands operate on mailslots and named pipes,
+   which are interprocess communication endpoints within the CIFS file system.
+   
+   For more information, see MS-CIFS:2.2.4.33.2
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param parameters: content of the SMB_Data.Trans_Parameters field
+   
+
+   :param data: content of the SMB_Data.Trans_Data field
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek.rst
new file mode 100644
index 0000000000..b334c00baf
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek.rst
@@ -0,0 +1,126 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek
+========================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=================================================================== ===========================================================================================
+:zeek:id:`smb1_trans2_find_first2_request`: :zeek:type:`event`      Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                                    version 1 *transaction2* requests of subtype *find first2*.
+:zeek:id:`smb1_trans2_get_dfs_referral_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                                    version 1 *transaction2* requests of subtype *get DFS referral*.
+:zeek:id:`smb1_trans2_query_path_info_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                                    version 1 *transaction2* requests of subtype *query path info*.
+:zeek:id:`smb1_transaction2_request`: :zeek:type:`event`            Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                                    version 1 requests of type *transaction2*.
+=================================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_trans2_find_first2_request
+   :source-code: base/protocols/smb/smb1-main.zeek 247 250
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Find_First2_Request_Args`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin
+   a search for file(s) within a directory or for a directory
+   
+   For more information, see MS-CIFS:2.2.6.2
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param args: A record data structure with arguments given to the command.
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_query_path_info_request
+      smb1_trans2_get_dfs_referral_request
+
+.. zeek:id:: smb1_trans2_get_dfs_referral_request
+   :source-code: base/protocols/smb/smb1-main.zeek 237 240
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 *transaction2* requests of subtype *get DFS referral*. This transaction is used
+   to request a referral for a disk object in DFS.
+   
+   For more information, see MS-CIFS:2.2.6.16
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_name: File name the request is in reference to.
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+      smb1_trans2_query_path_info_request
+
+.. zeek:id:: smb1_trans2_query_path_info_request
+   :source-code: base/protocols/smb/smb1-main.zeek 242 245
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 *transaction2* requests of subtype *query path info*. This transaction is used to
+   get information about a specific file or directory.
+   
+   For more information, see MS-CIFS:2.2.6.6
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param file_name: File name the request is in reference to. 
+   
+   .. zeek:see:: smb1_message smb1_transaction2_request smb1_trans2_find_first2_request
+      smb1_trans2_get_dfs_referral_request
+
+.. zeek:id:: smb1_transaction2_request
+   :source-code: base/protocols/smb/smb1-main.zeek 71 74
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans2_Args`, sub_cmd: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction2*. This command serves as the transport for the
+   Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes,
+   which are interprocess communication endpoints within the CIFS file system. Compared to the
+   Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended
+   Attribute key/value pairs, make use of long file names (longer than the original 8.3 format
+   names), and perform directory searches, among other tasks.
+   
+   For more information, see MS-CIFS:2.2.4.46
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param sub_cmd: The sub command, some are parsed and have their own events.
+   
+   .. zeek:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request
+      smb1_trans2_get_dfs_referral_request smb1_transaction_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek.rst
new file mode 100644
index 0000000000..28eab94900
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek.rst
@@ -0,0 +1,50 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
+==================================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================================== ===========================================================================================
+:zeek:id:`smb1_transaction2_secondary_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                                   version 1 requests of type *transaction2 secondary*.
+================================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_transaction2_secondary_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans2_Sec_Args`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction2 secondary*.
+   
+   For more information, see MS-CIFS:2.2.4.47.1
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
+        version 1 message.
+   
+
+   :param args: arguments of the message (SMB_Parameters.Words)
+   
+
+   :param parameters: content of the SMB_Data.Trans_Parameters field
+   
+
+   :param data: content of the SMB_Data.Trans_Data field
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek.rst
new file mode 100644
index 0000000000..35ee635db1
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek.rst
@@ -0,0 +1,49 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
+=================================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================================= ===========================================================================================
+:zeek:id:`smb1_transaction_secondary_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                                  version 1 requests of type *transaction_secondary*.
+================================================================= ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_transaction_secondary_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, args: :zeek:type:`SMB1::Trans_Sec_Args`, parameters: :zeek:type:`string`, data: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *transaction_secondary*. This command
+   serves as an additional request data container for the
+   Transaction Subprotocol Commands (carried by *transaction* requests).
+   
+   For more information, see MS-CIFS:2.2.4.34
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param parameters: the SMB_Data.Trans_Parameters field content
+   
+
+   :param data: the SMB_Data.Trans_Data field content
+   
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek.rst
new file mode 100644
index 0000000000..4d3d1e102a
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek.rst
@@ -0,0 +1,76 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
+=============================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================== ===========================================================================================
+:zeek:id:`smb1_tree_connect_andx_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                               version 1 requests of type *tree connect andx*.
+:zeek:id:`smb1_tree_connect_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                               version 1 responses of type *tree connect andx*.
+============================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_tree_connect_andx_request
+   :source-code: base/protocols/smb/smb1-main.zeek 100 106
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, path: :zeek:type:`string`, service: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *tree connect andx*. This is sent by the client to establish a
+   connection to a server share.
+   
+   For more information, see MS-CIFS:2.2.4.55
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param path: The ``path`` attribute specified in the message.
+   
+
+   :param service: The ``service`` attribute specified in the message.
+   
+   .. zeek:see:: smb1_message smb1_tree_connect_andx_response
+
+.. zeek:id:: smb1_tree_connect_andx_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, service: :zeek:type:`string`, native_file_system: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *tree connect andx*. This is the server reply to the *tree connect andx*
+   request.
+   
+   For more information, see MS-CIFS:2.2.4.55
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param service: The ``service`` attribute specified in the message.
+   
+
+   :param native_file_system: The file system of the remote server as indicate by the server.
+   
+   .. zeek:see:: smb1_message smb1_tree_connect_andx_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek.rst
new file mode 100644
index 0000000000..eaa9250e69
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek.rst
@@ -0,0 +1,46 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
+===========================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=================================================== ===========================================================================================
+:zeek:id:`smb1_tree_disconnect`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                    version 1 requests of type *tree disconnect*.
+=================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_tree_disconnect
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *tree disconnect*. This is sent by the client to logically disconnect
+   client access to a server resource.
+   
+   For more information, see MS-CIFS:2.2.4.51
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param is_orig: True if the message was from the originator.
+   
+   .. zeek:see:: smb1_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek.rst
new file mode 100644
index 0000000000..c22707c347
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek.rst
@@ -0,0 +1,74 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek
+======================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+======================================================= ===========================================================================================
+:zeek:id:`smb1_write_andx_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                        version 1 requests of type *write andx*.
+:zeek:id:`smb1_write_andx_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                        version 1 responses of type *write andx*.
+======================================================= ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_write_andx_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek 20 20
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, file_id: :zeek:type:`count`, offset: :zeek:type:`count`, data_len: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 requests of type *write andx*. This is sent by the client to write bytes to a
+   regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM)
+   or printer port (LPT).
+   
+   For more information, see MS-CIFS:2.2.4.43
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param offset: The byte offset into the referenced file data is being written.
+   
+
+   :param data: The data being written.
+   
+   .. zeek:see:: smb1_message smb1_write_andx_response
+
+.. zeek:id:: smb1_write_andx_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek 36 36
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, written_bytes: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 1 responses of type *write andx*. This is the server response to the *write andx*
+   request.
+   
+   For more information, see MS-CIFS:2.2.4.43
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param written_bytes: The number of bytes the server reported having actually written.
+   
+   .. zeek:see:: smb1_message smb1_write_andx_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek.rst
new file mode 100644
index 0000000000..1b42e09bc8
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek.rst
@@ -0,0 +1,89 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================== =========================================================================================================
+:zeek:id:`smb1_empty_response`: :zeek:type:`event` Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
+:zeek:id:`smb1_error`: :zeek:type:`event`          Generated for :abbr:`SMB (Server Message Block)` version 1 messages
+                                                   that indicate an error.
+:zeek:id:`smb1_message`: :zeek:type:`event`        Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1
+                                                   messages.
+================================================== =========================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb1_empty_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek 31 31
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`)
+
+   Generated when there is an :abbr:`SMB (Server Message Block)` version 1 response with no message body.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb1_error
+   :source-code: policy/protocols/smb/log-cmds.zeek 49 64
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)` version 1 messages
+   that indicate an error. This event is triggered by an :abbr:`SMB (Server Message Block)` header
+   including a status that signals an error.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` message.
+   
+
+   :param is_orig: True if the message was sent by the originator of the underlying
+            transport-level connection.
+   
+   .. zeek:see:: smb1_message
+
+.. zeek:id:: smb1_message
+   :source-code: base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB1::Header`, is_orig: :zeek:type:`bool`)
+
+   Generated for all :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` version 1
+   messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
+   :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
+   :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
+   both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
+   ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+   
+
+   :param is_orig: True if the message was sent by the originator of the underlying
+            transport-level connection.
+   
+   .. zeek:see:: smb2_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek.rst
new file mode 100644
index 0000000000..496c0cc935
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek.rst
@@ -0,0 +1,70 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek
+=================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================== ===========================================================================================
+:zeek:id:`smb2_close_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                   version 2 requests of type *close*.
+:zeek:id:`smb2_close_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                   version 2 responses of type *close*.
+================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_close_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *close*. This is used by the client to close an instance of a
+   file that was opened previously with a successful SMB2 CREATE Request.
+   
+   For more information, see MS-SMB2:2.2.15
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_name: The SMB2 GUID of the file being closed.
+   
+   .. zeek:see:: smb2_message smb2_close_response
+
+.. zeek:id:: smb2_close_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::CloseResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *close*. This is sent by the server to indicate that an SMB2 CLOSE
+   request was processed successfully.
+   
+   For more information, see MS-SMB2:2.2.16
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: A record of attributes returned from the server from the close.
+   
+   .. zeek:see:: smb2_message smb2_close_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek.rst
new file mode 100644
index 0000000000..be2d37cee3
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek.rst
@@ -0,0 +1,70 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek
+==================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=================================================== ===========================================================================================
+:zeek:id:`smb2_create_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                    version 2 requests of type *create*.
+:zeek:id:`smb2_create_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                    version 2 responses of type *create*.
+=================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_create_request
+   :source-code: base/protocols/smb/smb2-main.zeek 129 152
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, request: :zeek:type:`SMB2::CreateRequest`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *create*. This is sent by the client to request either creation
+   of or access to a file.
+   
+   For more information, see MS-SMB2:2.2.13
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param request: A record with more information related to the request.
+   
+   .. zeek:see:: smb2_message smb2_create_response
+
+.. zeek:id:: smb2_create_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::CreateResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *create*. This is sent by the server to notify the client of
+   the status of its SMB2 CREATE request.
+   
+   For more information, see MS-SMB2:2.2.14
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: A record with more information related to the response.
+   
+   .. zeek:see:: smb2_message smb2_create_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek.rst
new file mode 100644
index 0000000000..8fafb327d2
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek.rst
@@ -0,0 +1,70 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek
+=====================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== ===========================================================================================
+:zeek:id:`smb2_negotiate_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                       version 2 requests of type *negotiate*.
+:zeek:id:`smb2_negotiate_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                       version 2 responses of type *negotiate*.
+====================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_negotiate_request
+   :source-code: base/protocols/smb/smb2-main.zeek 83 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, dialects: :zeek:type:`index_vec`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *negotiate*. This is used by the client to notify the server what
+   dialects of the SMB2 Protocol the client understands.
+   
+   For more information, see MS-SMB2:2.2.3
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param dialects: A vector of the client's supported dialects.
+   
+   .. zeek:see:: smb2_message smb2_negotiate_response
+
+.. zeek:id:: smb2_negotiate_response
+   :source-code: base/protocols/smb/smb2-main.zeek 88 102
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::NegotiateResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *negotiate*. This is sent by the server to notify the client of
+   the preferred common dialect.
+   
+   For more information, see MS-SMB2:2.2.4
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: The negotiate response data structure.
+   
+   .. zeek:see:: smb2_message smb2_negotiate_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek.rst
new file mode 100644
index 0000000000..12eff1c066
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek.rst
@@ -0,0 +1,52 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek
+================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================ ===========================================================================================
+:zeek:id:`smb2_read_request`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                 version 2 requests of type *read*.
+================================================ ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_read_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *read*. This is sent by the client to request a read operation on
+   the specified file.
+   
+   For more information, see MS-SMB2:2.2.19
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The GUID being used for the file.
+   
+
+   :param offset: How far into the file this read should be taking place.
+   
+
+   :param length: The number of bytes of the file being read.
+   
+   .. zeek:see:: smb2_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek.rst
new file mode 100644
index 0000000000..086d31dc96
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek.rst
@@ -0,0 +1,71 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek
+=========================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================== ===========================================================================================
+:zeek:id:`smb2_session_setup_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                           version 2 requests of type *session_setup*.
+:zeek:id:`smb2_session_setup_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                           version 2 responses of type *session_setup*.
+========================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_session_setup_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, request: :zeek:type:`SMB2::SessionSetupRequest`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *session_setup*. This is sent by the client to request a new
+   authenticated session within a new or existing SMB 2 Protocol transport connection to the
+   server.
+   
+   For more information, see MS-SMB2:2.2.5
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param request: A record containing more information related to the request.
+   
+   .. zeek:see:: smb2_message smb2_session_setup_response
+
+.. zeek:id:: smb2_session_setup_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::SessionSetupResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *session_setup*. This is sent by the server in response to a
+   *session_setup* request.
+   
+   For more information, see MS-SMB2:2.2.6
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: A record containing more information related to the response.
+   
+   .. zeek:see:: smb2_message smb2_session_setup_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek.rst
new file mode 100644
index 0000000000..e147d83062
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek.rst
@@ -0,0 +1,399 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek
+====================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+======================================================== ===========================================================================================
+:zeek:id:`smb2_file_allocation`: :zeek:type:`event`      Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *allocation* subtype
+:zeek:id:`smb2_file_delete`: :zeek:type:`event`          Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *delete* subtype.
+:zeek:id:`smb2_file_endoffile`: :zeek:type:`event`       Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *end_of_file* subtype
+:zeek:id:`smb2_file_fscontrol`: :zeek:type:`event`       Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *fs_control* subtype
+:zeek:id:`smb2_file_fsobjectid`: :zeek:type:`event`      Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *fs_object_id* subtype
+:zeek:id:`smb2_file_fullea`: :zeek:type:`event`          Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *full_EA* subtype
+:zeek:id:`smb2_file_link`: :zeek:type:`event`            Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *link* subtype
+:zeek:id:`smb2_file_mode`: :zeek:type:`event`            Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *mode* subtype
+:zeek:id:`smb2_file_pipe`: :zeek:type:`event`            Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *pipe* subtype
+:zeek:id:`smb2_file_position`: :zeek:type:`event`        Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *position* subtype
+:zeek:id:`smb2_file_rename`: :zeek:type:`event`          Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *rename* subtype.
+:zeek:id:`smb2_file_sattr`: :zeek:type:`event`           Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *file* subtype
+:zeek:id:`smb2_file_shortname`: :zeek:type:`event`       Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *short_name* subtype
+:zeek:id:`smb2_file_validdatalength`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                         version 2 requests of type *set_info* of the *valid_data_length* subtype
+======================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_file_allocation
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 75 75
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, alloc_size: :zeek:type:`int`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *allocation* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param alloc_size: desired allocation size.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_delete
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 38 38
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, delete_pending: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *delete* subtype.
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param delete_pending: A boolean value to indicate that a file should be deleted 
+                   when it's closed if set to T.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_endoffile
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, end_of_file: :zeek:type:`int`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *end_of_file* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param end_of_file: the absolute new end of file position as a byte offset from the start of the file
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_fscontrol
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 235 235
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, fs_control: :zeek:type:`SMB2::Fscontrol`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *fs_control* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param fs_control: contains fs_control info (see MS-FCC 2.5.2)
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_fsobjectid
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 254 254
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, object_id: :zeek:type:`SMB2::GUID`, extended_info: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *fs_object_id* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param object_id: contains a 16-bytes GUID that identifies the file system volume (see MS-FCC 2.5.6)
+   
+
+   :param extended_info: contains extended information on the file system volume
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link
+
+.. zeek:id:: smb2_file_fullea
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 199 199
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, file_eas: :zeek:type:`SMB2::FileEAs`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *full_EA* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param FileEAs: a vector of extended file attributes as defined in MS-FSCC:2.4.15
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_link
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 218 218
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, root_directory: :zeek:type:`count`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *link* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param root_directory: contains the file handle for the directory where the link is to be created
+   
+
+   :param file_name: contains the name to be assigned to the newly created link
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_mode
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 110 110
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, mode: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *mode* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param mode: specifies how the file will subsequently be accessed.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_pipe
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 130 130
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, read_mode: :zeek:type:`count`, completion_mode: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *pipe* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param read_mode: specifies if data must be read as a stream of bytes or messages
+   
+
+   :param completion_mode: specifies if blocking mode must be enabled or not
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_position
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 148 148
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, current_byte_offset: :zeek:type:`int`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *position* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param current_byte_offset: specifies the offset, in bytes, of the file pointer from the beginning of the file
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_rename
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, dst_filename: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *rename* subtype.
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: A GUID to identify the file.
+   
+
+   :param dst_filename: The filename to rename the file into.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_sattr
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 58 58
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, times: :zeek:type:`SMB::MACTimes`, attrs: :zeek:type:`SMB2::FileAttrs`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *file* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param times: Timestamps associated with the file in question.
+   
+
+   :param attrs: File attributes.
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_shortname
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 165 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, file_name: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *short_name* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param file_name: specifies the name of the file to be changed
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+.. zeek:id:: smb2_file_validdatalength
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek 182 182
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, valid_data_length: :zeek:type:`int`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *set_info* of the *valid_data_length* subtype
+   
+   For more information, see MS-SMB2:2.2.39
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The SMB2 GUID for the file.
+   
+
+   :param valid_data_length: specifies the new valid data length for the file
+   
+   .. zeek:see:: smb2_message smb2_file_delete smb2_file_sattr smb2_file_allocation smb2_file_endoffile smb2_file_mode smb2_file_pipe smb2_file_position smb2_file_shortname smb2_file_validdatalength smb2_file_fullea smb2_file_link smb2_file_fsobjectid
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek.rst
new file mode 100644
index 0000000000..6ff09093ba
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek.rst
@@ -0,0 +1,43 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek
+============================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+==================================================== ===========================================================================================
+:zeek:id:`smb2_transform_header`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                     version 3.x *transform_header*.
+==================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_transform_header
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Transform_header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 3.x *transform_header*. This is used by the client or server when sending
+   encrypted messages.
+   
+   For more information, see MS-SMB2:2.2.41
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed transformed header message, which is starting with \xfdSMB and different from SMB1 and SMB2 headers.
+   
+   .. zeek:see:: smb2_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek.rst
new file mode 100644
index 0000000000..9de6f7641b
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek.rst
@@ -0,0 +1,70 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek
+========================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================= ===========================================================================================
+:zeek:id:`smb2_tree_connect_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                          version 2 requests of type *tree_connect*.
+:zeek:id:`smb2_tree_connect_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                          version 2 responses of type *tree_connect*.
+========================================================= ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_tree_connect_request
+   :source-code: base/protocols/smb/smb2-main.zeek 104 107
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, path: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *tree_connect*. This is sent by a client to request access to a
+   particular share on the server.
+   
+   For more information, see MS-SMB2:2.2.9
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param path: Path of the requested tree.
+   
+   .. zeek:see:: smb2_message smb2_tree_connect_response
+
+.. zeek:id:: smb2_tree_connect_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek 33 33
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, response: :zeek:type:`SMB2::TreeConnectResponse`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 responses of type *tree_connect*. This is sent by the server when a *tree_connect*
+   request is successfully processed by the server.
+   
+   For more information, see MS-SMB2:2.2.10
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param response: A record with more information related to the response.
+   
+   .. zeek:see:: smb2_message smb2_tree_connect_request
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek.rst
new file mode 100644
index 0000000000..0213b7344c
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek.rst
@@ -0,0 +1,60 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
+===========================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================ ===========================================================================================
+:zeek:id:`smb2_tree_disconnect_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                             version 2 requests of type *tree disconnect*.
+:zeek:id:`smb2_tree_disconnect_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                             version 2 requests of type *tree disconnect*.
+============================================================ ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_tree_disconnect_request
+   :source-code: base/protocols/smb/smb2-main.zeek 119 127
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *tree disconnect*. This is sent by the client to logically disconnect
+   client access to a server resource.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb2_tree_disconnect_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek 26 26
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *tree disconnect*. This is sent by the server to logically disconnect
+   client access to a server resource.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+   .. zeek:see:: smb2_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek.rst
new file mode 100644
index 0000000000..c4e6c82b40
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek.rst
@@ -0,0 +1,76 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek
+=================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================== ===========================================================================================
+:zeek:id:`smb2_write_request`: :zeek:type:`event`  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                   version 2 requests of type *write*.
+:zeek:id:`smb2_write_response`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                   version 2 requests of type *write*.
+================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_write_request
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, file_id: :zeek:type:`SMB2::GUID`, offset: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *write*. This is sent by the client to write data to the file or
+   named pipe on the server.
+   
+   For more information, see MS-SMB2:2.2.21
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param file_id: The GUID being used for the file.
+   
+
+   :param offset: How far into the file this write should be taking place.
+   
+
+   :param length: The number of bytes of the file being written.
+   
+   .. zeek:see:: smb2_message
+
+.. zeek:id:: smb2_write_response
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, length: :zeek:type:`count`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 requests of type *write*. This is sent by the server in response to a write request or
+   named pipe on the server.
+   
+   For more information, see MS-SMB2:2.2.22
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param length: The number of bytes of the file being written.
+   
+   .. zeek:see:: smb2_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek.rst
new file mode 100644
index 0000000000..4a53f16adb
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek.rst
@@ -0,0 +1,71 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================================ ===========================================================================================
+:zeek:id:`smb2_discarded_messages_state`: :zeek:type:`event` Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                             version 2 connections for which pending read, ioctl or tree requests exceeds
+                                                             the :zeek:see:`SMB::max_pending_messages` setting.
+:zeek:id:`smb2_message`: :zeek:type:`event`                  Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+                                                             version 2 messages.
+============================================================ ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smb2_discarded_messages_state
+   :source-code: base/protocols/smb/smb2-main.zeek 350 366
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, state: :zeek:type:`string`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 connections for which pending read, ioctl or tree requests exceeds
+   the :zeek:see:`SMB::max_pending_messages` setting. This event indicates either
+   traffic loss, traffic load-balancing issues, or failures to parse or match
+   SMB responses with SMB requests. When this event is raised, internal per-connection
+   parser state has been reset.
+   
+
+   :param c: The affected connection.
+   
+
+   :param state: String describing what kind of state was affected.
+          One of read, ioctl or tree.
+
+.. zeek:id:: smb2_message
+   :source-code: base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek 20 20
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`SMB2::Header`, is_orig: :zeek:type:`bool`)
+
+   Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+   version 2 messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
+   :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
+   :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
+   both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
+   ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
+   
+
+   :param c: The connection.
+   
+
+   :param hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+   
+
+   :param is_orig: True if the message came from the originator side.
+   
+   .. zeek:see:: smb1_message
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek.rst
new file mode 100644
index 0000000000..a99f4b99cd
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMB.types.bif.zeek
+========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek.rst
new file mode 100644
index 0000000000..1e36b4d3d5
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMTP.consts.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek.rst
new file mode 100644
index 0000000000..8d39f21b04
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek.rst
@@ -0,0 +1,174 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMTP.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================== =================================================================================
+:zeek:id:`smtp_data`: :zeek:type:`event`       Generated for DATA transmitted on SMTP sessions.
+:zeek:id:`smtp_reply`: :zeek:type:`event`      Generated for server-side SMTP commands.
+:zeek:id:`smtp_request`: :zeek:type:`event`    Generated for client-side SMTP commands.
+:zeek:id:`smtp_starttls`: :zeek:type:`event`   Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS.
+:zeek:id:`smtp_unexpected`: :zeek:type:`event` Generated for unexpected activity on SMTP sessions.
+============================================== =================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: smtp_data
+   :source-code: base/bif/plugins/Zeek_SMTP.events.bif.zeek 85 85
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for DATA transmitted on SMTP sessions. This event is raised for
+   subsequent chunks of raw data following the ``DATA`` SMTP command until the
+   corresponding end marker ``.`` is seen. A handler may want to reassemble
+   the pieces as they come in if stream-analysis is required.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+   for more information about the SMTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the sender of the data is the originator of the TCP
+         connection.
+   
+
+   :param data: The raw data. Note that the size of each chunk is undefined and
+         depends on specifics of the underlying TCP connection.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+      smtp_reply smtp_request skip_smtp_data
+   
+   .. note:: This event receives the unprocessed raw data. There is a separate
+      set of ``mime_*`` events that strip out the outer MIME-layer of emails and
+      provide structured access to their content.
+
+.. zeek:id:: smtp_reply
+   :source-code: base/bif/plugins/Zeek_SMTP.events.bif.zeek 59 59
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, code: :zeek:type:`count`, cmd: :zeek:type:`string`, msg: :zeek:type:`string`, cont_resp: :zeek:type:`bool`)
+
+   Generated for server-side SMTP commands.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+   for more information about the SMTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the sender of the command is the originator of the TCP
+         connection. Note that this is not redundant: the SMTP ``TURN`` command
+         allows client and server to flip roles on established SMTP sessions,
+         and hence a "reply" might still come from the TCP-level originator. In
+         practice, however, that will rarely happen as TURN is considered
+         insecure and rarely used.
+   
+
+   :param code: The reply's numerical code.
+   
+
+   :param cmd: TODO.
+   
+
+   :param msg: The reply's textual description.
+   
+
+   :param cont_resp: True if the reply line is tagged as being continued to the next
+         line. If so, further events will be raised and a handler may want to
+         reassemble the pieces before processing the response any further.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+      smtp_data  smtp_request
+   
+   .. note:: Zeek doesn't support the newer ETRN extension yet.
+
+.. zeek:id:: smtp_request
+   :source-code: base/protocols/smtp/main.zeek 205 274
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, command: :zeek:type:`string`, arg: :zeek:type:`string`)
+
+   Generated for client-side SMTP commands.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+   for more information about the SMTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the sender of the command is the originator of the TCP
+         connection. Note that this is not redundant: the SMTP ``TURN`` command
+         allows client and server to flip roles on established SMTP sessions,
+         and hence a "request" might still come from the TCP-level responder.
+         In practice, however, that will rarely happen as TURN is considered
+         insecure and rarely used.
+   
+
+   :param command: The request's command, without any arguments.
+   
+
+   :param arg: The request command's arguments.
+   
+   .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
+      mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
+      smtp_data smtp_reply
+   
+   .. note:: Zeek does not support the newer ETRN extension yet.
+
+.. zeek:id:: smtp_starttls
+   :source-code: base/protocols/smtp/main.zeek 407 414
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS.
+   After this event no more SMTP events will be raised for the connection. See the SSL
+   analyzer for related SSL events, which will now be generated.
+   
+
+   :param c: The connection.
+   
+
+.. zeek:id:: smtp_unexpected
+   :source-code: base/bif/plugins/Zeek_SMTP.events.bif.zeek 106 106
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`, detail: :zeek:type:`string`)
+
+   Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks
+   the state of SMTP sessions and reports commands and other activity with this
+   event that it sees even though it would not expect so at the current point
+   of the communication.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol>`__
+   for more information about the SMTP protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the sender of the unexpected activity is the originator of
+         the TCP connection.
+   
+
+   :param msg: A descriptive message of what was unexpected.
+   
+
+   :param detail: The actual SMTP line triggering the event.
+   
+   .. zeek:see:: smtp_data  smtp_request smtp_reply
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek.rst
new file mode 100644
index 0000000000..47f26d9881
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek.rst
@@ -0,0 +1,35 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SMTP.functions.bif.zeek
+=============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================ =====================================================
+:zeek:id:`skip_smtp_data`: :zeek:type:`function` Skips SMTP data until the next email in a connection.
+================================================ =====================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: skip_smtp_data
+   :source-code: base/bif/plugins/Zeek_SMTP.functions.bif.zeek 12 12
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`) : :zeek:type:`any`
+
+   Skips SMTP data until the next email in a connection.
+   
+
+   :param c: The SMTP connection.
+   
+   .. zeek:see:: skip_http_entity_data
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek.rst
new file mode 100644
index 0000000000..d2c56ad3e1
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek.rst
@@ -0,0 +1,294 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SNMP.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================== ==========================================================================
+:zeek:id:`snmp_encrypted_pdu`: :zeek:type:`event`          An SNMPv3 encrypted PDU message.
+:zeek:id:`snmp_get_bulk_request`: :zeek:type:`event`       An SNMP ``GetBulkRequest-PDU`` message from :rfc:`3416`.
+:zeek:id:`snmp_get_next_request`: :zeek:type:`event`       An SNMP ``GetNextRequest-PDU`` message from either :rfc:`1157` or
+                                                           :rfc:`3416`.
+:zeek:id:`snmp_get_request`: :zeek:type:`event`            An SNMP ``GetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
+:zeek:id:`snmp_inform_request`: :zeek:type:`event`         An SNMP ``InformRequest-PDU`` message from :rfc:`3416`.
+:zeek:id:`snmp_report`: :zeek:type:`event`                 An SNMP ``Report-PDU`` message from :rfc:`3416`.
+:zeek:id:`snmp_response`: :zeek:type:`event`               An SNMP ``GetResponse-PDU`` message from :rfc:`1157` or a
+                                                           ``Response-PDU`` from :rfc:`3416`.
+:zeek:id:`snmp_set_request`: :zeek:type:`event`            An SNMP ``SetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
+:zeek:id:`snmp_trap`: :zeek:type:`event`                   An SNMP ``Trap-PDU`` message from :rfc:`1157`.
+:zeek:id:`snmp_trapV2`: :zeek:type:`event`                 An SNMP ``SNMPv2-Trap-PDU`` message from :rfc:`1157`.
+:zeek:id:`snmp_unknown_header_version`: :zeek:type:`event` A datagram with an unknown SNMP version.
+:zeek:id:`snmp_unknown_pdu`: :zeek:type:`event`            An SNMP PDU message of unknown type.
+:zeek:id:`snmp_unknown_scoped_pdu`: :zeek:type:`event`     An SNMPv3 ``ScopedPDUData`` of unknown type (neither plaintext or
+                                                           an encrypted PDU was in the datagram).
+========================================================== ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: snmp_encrypted_pdu
+   :source-code: base/protocols/snmp/main.zeek 182 185
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`)
+
+   An SNMPv3 encrypted PDU message.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+
+.. zeek:id:: snmp_get_bulk_request
+   :source-code: base/protocols/snmp/main.zeek 115 119
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::BulkPDU`)
+
+   An SNMP ``GetBulkRequest-PDU`` message from :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_get_next_request
+   :source-code: base/protocols/snmp/main.zeek 121 125
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``GetNextRequest-PDU`` message from either :rfc:`1157` or
+   :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_get_request
+   :source-code: base/protocols/snmp/main.zeek 109 113
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``GetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_inform_request
+   :source-code: base/protocols/snmp/main.zeek 157 160
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``InformRequest-PDU`` message from :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_report
+   :source-code: base/protocols/snmp/main.zeek 167 170
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``Report-PDU`` message from :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_response
+   :source-code: base/protocols/snmp/main.zeek 127 144
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``GetResponse-PDU`` message from :rfc:`1157` or a
+   ``Response-PDU`` from :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_set_request
+   :source-code: base/protocols/snmp/main.zeek 146 150
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``SetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_trap
+   :source-code: base/protocols/snmp/main.zeek 152 155
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::TrapPDU`)
+
+   An SNMP ``Trap-PDU`` message from :rfc:`1157`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_trapV2
+   :source-code: base/protocols/snmp/main.zeek 162 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, pdu: :zeek:type:`SNMP::PDU`)
+
+   An SNMP ``SNMPv2-Trap-PDU`` message from :rfc:`1157`.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param pdu: An SNMP PDU data structure.
+
+.. zeek:id:: snmp_unknown_header_version
+   :source-code: base/bif/plugins/Zeek_SNMP.events.bif.zeek 168 168
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`)
+
+   A datagram with an unknown SNMP version.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param version: The value of the unknown SNMP version.
+
+.. zeek:id:: snmp_unknown_pdu
+   :source-code: base/protocols/snmp/main.zeek 172 175
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, tag: :zeek:type:`count`)
+
+   An SNMP PDU message of unknown type.
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param tag: The tag of the unknown SNMP PDU.
+
+.. zeek:id:: snmp_unknown_scoped_pdu
+   :source-code: base/protocols/snmp/main.zeek 177 180
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, header: :zeek:type:`SNMP::Header`, tag: :zeek:type:`count`)
+
+   An SNMPv3 ``ScopedPDUData`` of unknown type (neither plaintext or
+   an encrypted PDU was in the datagram).
+   
+
+   :param c: The connection over which the SNMP datagram is sent.
+   
+
+   :param is_orig: The endpoint which sent the SNMP datagram.
+   
+
+   :param header: SNMP version-dependent data that precedes PDU data in the top-level
+           SNMP message structure.
+   
+
+   :param tag: The tag of the unknown SNMP PDU scope.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek.rst
new file mode 100644
index 0000000000..42c912b7a0
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SNMP.types.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: SNMP
+
+
+:Namespaces: GLOBAL, SNMP
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek.rst
new file mode 100644
index 0000000000..4e6d32074e
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek.rst
@@ -0,0 +1,103 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SOCKS.events.bif.zeek
+===========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================== ===========================================================================
+:zeek:id:`socks_login_userpass_reply`: :zeek:type:`event`   Generated when a SOCKS server replies to a username/password login attempt.
+:zeek:id:`socks_login_userpass_request`: :zeek:type:`event` Generated when a SOCKS client performs username and password based login.
+:zeek:id:`socks_reply`: :zeek:type:`event`                  Generated when a SOCKS reply is analyzed.
+:zeek:id:`socks_request`: :zeek:type:`event`                Generated when a SOCKS request is analyzed.
+=========================================================== ===========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: socks_login_userpass_reply
+   :source-code: base/protocols/socks/main.zeek 115 121
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`count`)
+
+   Generated when a SOCKS server replies to a username/password login attempt.
+   
+
+   :param c: The parent connection of the proxy.
+   
+
+   :param code: The response code for the attempted login.
+
+.. zeek:id:: socks_login_userpass_request
+   :source-code: base/protocols/socks/main.zeek 104 113
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, user: :zeek:type:`string`, password: :zeek:type:`string`)
+
+   Generated when a SOCKS client performs username and password based login.
+   
+
+   :param c: The parent connection of the proxy.
+   
+
+   :param user: The given username.
+   
+
+   :param password: The given password.
+
+.. zeek:id:: socks_reply
+   :source-code: base/protocols/socks/main.zeek 91 102
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`, reply: :zeek:type:`count`, sa: :zeek:type:`SOCKS::Address`, p: :zeek:type:`port`)
+
+   Generated when a SOCKS reply is analyzed.
+   
+
+   :param c: The parent connection of the proxy.
+   
+
+   :param version: The version of SOCKS this message used.
+   
+
+   :param reply: The status reply from the server.
+   
+
+   :param sa: The address that the server sent the traffic to.
+   
+
+   :param p: The destination port for the proxied traffic.
+
+.. zeek:id:: socks_request
+   :source-code: base/protocols/socks/main.zeek 76 89
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`, request_type: :zeek:type:`count`, sa: :zeek:type:`SOCKS::Address`, p: :zeek:type:`port`, user: :zeek:type:`string`)
+
+   Generated when a SOCKS request is analyzed.
+   
+
+   :param c: The parent connection of the proxy.
+   
+
+   :param version: The version of SOCKS this message used.
+   
+
+   :param request_type: The type of the request.
+   
+
+   :param sa: Address that the tunneled traffic should be sent to.
+   
+
+   :param p: The destination port for the proxied traffic.
+   
+
+   :param user: Username given for the SOCKS connection.  This is not yet implemented
+         for SOCKSv5.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek.rst
new file mode 100644
index 0000000000..e028c32265
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek
+==================================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: InputSQLite
+
+
+:Namespaces: GLOBAL, InputSQLite
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek.rst
new file mode 100644
index 0000000000..2544121c40
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
+==================================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: LogSQLite
+
+
+:Namespaces: GLOBAL, LogSQLite
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek.rst
new file mode 100644
index 0000000000..3159e9e90b
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek.rst
@@ -0,0 +1,527 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SSH.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================= ==================================================================
+:zeek:id:`ssh1_server_host_key`: :zeek:type:`event`       During the :abbr:`SSH (Secure Shell)` key exchange, the server
+                                                          supplies its public host key.
+:zeek:id:`ssh2_dh_gex_init`: :zeek:type:`event`           Generated if the connection uses a Diffie-Hellman Group Exchange
+                                                          key exchange method.
+:zeek:id:`ssh2_dh_server_params`: :zeek:type:`event`      Generated if the connection uses a Diffie-Hellman Group Exchange
+                                                          key exchange method.
+:zeek:id:`ssh2_ecc_init`: :zeek:type:`event`              The :abbr:`ECDH (Elliptic Curve Diffie-Hellman)` and
+                                                          :abbr:`ECMQV (Elliptic Curve Menezes-Qu-Vanstone)` key exchange
+                                                          algorithms use two ephemeral key pairs to generate a shared
+                                                          secret.
+:zeek:id:`ssh2_ecc_key`: :zeek:type:`event`               The :abbr:`ECDH (Elliptic Curve Diffie-Hellman)` and
+                                                          :abbr:`ECMQV (Elliptic Curve Menezes-Qu-Vanstone)` key exchange
+                                                          algorithms use two ephemeral key pairs to generate a shared
+                                                          secret.
+:zeek:id:`ssh2_gss_error`: :zeek:type:`event`             In the event of a GSS-API error on the server, the server MAY send
+                                                          send an error message with some additional details.
+:zeek:id:`ssh2_gss_init`: :zeek:type:`event`              In the event of a GSS-API key exchange, this event is raised on
+                                                          SSH_MSG_KEXGSS_INIT message.
+:zeek:id:`ssh2_rsa_secret`: :zeek:type:`event`            In the event of a GSS-API key exchange, this event is raised on
+                                                          SSH_MSG_KEXRSA_PUBKEY message.
+:zeek:id:`ssh2_server_host_key`: :zeek:type:`event`       During the :abbr:`SSH (Secure Shell)` key exchange, the server
+                                                          supplies its public host key.
+:zeek:id:`ssh_auth_attempted`: :zeek:type:`event`         This event is generated when an :abbr:`SSH (Secure Shell)`
+                                                          connection was determined to have had an authentication attempt.
+:zeek:id:`ssh_auth_successful`: :zeek:type:`event`        This event is generated when an :abbr:`SSH (Secure Shell)`
+                                                          connection was determined to have had a successful
+                                                          authentication.
+:zeek:id:`ssh_capabilities`: :zeek:type:`event`           During the initial :abbr:`SSH (Secure Shell)` key exchange, each
+                                                          endpoint lists the algorithms that it supports, in order of
+                                                          preference.
+:zeek:id:`ssh_client_version`: :zeek:type:`event`         An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+                                                          from the client.
+:zeek:id:`ssh_encrypted_packet`: :zeek:type:`event`       This event is generated when an :abbr:`SSH (Secure Shell)`
+                                                          encrypted packet is seen.
+:zeek:id:`ssh_server_host_key`: :zeek:type:`event`        During the :abbr:`SSH (Secure Shell)` key exchange, the server
+                                                          supplies its public host key.
+:zeek:id:`ssh_server_pre_banner_data`: :zeek:type:`event` SSH servers can send textual data to the client before sending
+                                                          a banner.
+:zeek:id:`ssh_server_version`: :zeek:type:`event`         An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+                                                          from the server.
+========================================================= ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: ssh1_server_host_key
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 163 163
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, modulus: :zeek:type:`string`, exponent: :zeek:type:`string`)
+
+   During the :abbr:`SSH (Secure Shell)` key exchange, the server
+   supplies its public host key. This event is generated when the
+   appropriate key exchange message is seen for SSH1.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param p: The exponent for the server's public host key (note this parameter
+      is truly the exponent even though named *p* and the *exponent* parameter
+      will eventually replace it).
+   
+
+   :param e: The prime modulus for the server's public host key (note this parameter
+      is truly the modulus even though named *e* and the *modulus* parameter
+      will eventually replace it).
+   
+
+   :param modulus: The prime modulus of the server's public host key.
+   
+
+   :param exponent: The exponent of the server's public host key.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_dh_gex_init
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 321 321
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated if the connection uses a Diffie-Hellman Group Exchange
+   key exchange method. This event contains the direction of the key
+   exchange setup, which is indicated by the the SSH_MSG_KEX_DH_GEX_INIT
+   message as defined in :rfc:`4419#section-3`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_dh_server_params
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 237 237
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, p: :zeek:type:`string`, q: :zeek:type:`string`)
+
+   Generated if the connection uses a Diffie-Hellman Group Exchange
+   key exchange method. This event contains the server DH parameters,
+   which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in
+   :rfc:`4419#section-3`.
+   
+
+   :param c: The connection.
+   
+
+   :param p: The DH prime modulus.
+   
+
+   :param q: The DH generator.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_ecc_init
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 303 303
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   The :abbr:`ECDH (Elliptic Curve Diffie-Hellman)` and
+   :abbr:`ECMQV (Elliptic Curve Menezes-Qu-Vanstone)` key exchange
+   algorithms use two ephemeral key pairs to generate a shared
+   secret. This event is generated when either the SSH_MSG_KEX_ECDH_INIT
+   or SSH_MSG_ECMQV_INIT message is observed. By definition, these need
+   to originate from the client and not from the server.
+   For more information, see:
+   :rfc:`5656#section-4`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_ecc_key
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 281 281
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, q: :zeek:type:`string`)
+
+   The :abbr:`ECDH (Elliptic Curve Diffie-Hellman)` and
+   :abbr:`ECMQV (Elliptic Curve Menezes-Qu-Vanstone)` key exchange
+   algorithms use two ephemeral key pairs to generate a shared
+   secret. This event is generated when either the client's or
+   server's ephemeral public key is seen. For more information, see:
+   :rfc:`5656#section-4`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+
+   :param q: The ephemeral public key
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_gss_error
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 259 259
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, major_status: :zeek:type:`count`, minor_status: :zeek:type:`count`, err_msg: :zeek:type:`string`)
+
+   In the event of a GSS-API error on the server, the server MAY send
+   send an error message with some additional details. This event is
+   generated when such an error message is seen. For more information,
+   see :rfc:`4462#section-2.1`.
+   
+
+   :param c: The connection.
+   
+
+   :param major_status: GSS-API major status code.
+   
+
+   :param minor_status: GSS-API minor status code.
+   
+
+   :param err_msg: Detailed human-readable error message
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_gss_init
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 338 338
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   In the event of a GSS-API key exchange, this event is raised on
+   SSH_MSG_KEXGSS_INIT message.
+   For more information see :rfc:`4462#section-2.1`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_rsa_secret
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 356 356
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   In the event of a GSS-API key exchange, this event is raised on
+   SSH_MSG_KEXRSA_PUBKEY message. This message is sent first by the server,
+   after which the server will respond with a SSH_MSG_KEXRSA_SECRET message.
+   For more information see :rfc:`4432#section-4`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: Did this message come from the originator?
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh2_server_host_key
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 135 135
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, key: :zeek:type:`string`)
+
+   During the :abbr:`SSH (Secure Shell)` key exchange, the server
+   supplies its public host key. This event is generated when the
+   appropriate key exchange message is seen for SSH2.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param key: The server's public host key. Note that this is the public key
+      itself, and not just the fingerprint or hash.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_attempted ssh_capabilities
+      ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
+      ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
+      ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init ssh2_gss_init
+      ssh2_rsa_secret
+
+.. zeek:id:: ssh_auth_attempted
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, authenticated: :zeek:type:`bool`)
+
+   This event is generated when an :abbr:`SSH (Secure Shell)`
+   connection was determined to have had an authentication attempt.
+   This determination is based on packet size analysis, and errs
+   on the side of caution - that is, if there's any doubt about
+   whether or not an authentication attempt occurred, this event is
+   *not* raised.
+   
+   At this point in the protocol, all we can determine is whether
+   or not the user is authenticated. We don't know if the particular
+   attempt succeeded or failed, since some servers require multiple
+   authentications (e.g. require both a password AND a pubkey), and
+   could return an authentication failed message which is marked
+   as a partial success.
+   
+   This event will often be raised multiple times per connection.
+   In almost all connections, it will be raised once unless
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param authenticated: This is true if the analyzer detected a
+      successful connection from the authentication attempt.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_auth_successful
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 60 60
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, auth_method_none: :zeek:type:`bool`)
+
+   This event is generated when an :abbr:`SSH (Secure Shell)`
+   connection was determined to have had a successful
+   authentication. This determination is based on packet size
+   analysis, and errs on the side of caution - that is, if there's any
+   doubt about the authentication success, this event is *not* raised.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param auth_method_none: This is true if the analyzer detected a
+      successful connection before any authentication challenge. The
+      :abbr:`SSH (Secure Shell)` protocol provides a mechanism for
+      unauthenticated access, which some servers support.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_capabilities
+   :source-code: base/protocols/ssh/main.zeek 287 310
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cookie: :zeek:type:`string`, capabilities: :zeek:type:`SSH::Capabilities`)
+
+   During the initial :abbr:`SSH (Secure Shell)` key exchange, each
+   endpoint lists the algorithms that it supports, in order of
+   preference. This event is generated for each endpoint, when the
+   SSH_MSG_KEXINIT message is seen. See :rfc:`4253#section-7.1` for
+   details.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param cookie: The SSH_MSG_KEXINIT cookie - a random value generated by
+      the sender.
+   
+
+   :param capabilities: The list of algorithms and languages that the sender
+      advertises support for, in order of preference.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_client_version
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`)
+
+   An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+   from the client. This contains an identification string that's used
+   for version identification. See :rfc:`4253#section-4.2` for
+   details.
+   
+
+   :param c: The connection over which the message was sent.
+   
+
+   :param version: The identification string
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_encrypted_packet
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 217 217
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, orig: :zeek:type:`bool`, len: :zeek:type:`count`)
+
+   This event is generated when an :abbr:`SSH (Secure Shell)`
+   encrypted packet is seen. This event is not handled by default, but
+   is provided for heuristic analysis scripts. Note that you have to set
+   :zeek:id:`SSH::disable_analyzer_after_detection` to false to use this
+   event. This carries a performance penalty.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param orig: Whether the packet was sent by the originator of the TCP
+      connection.
+   
+
+   :param len: The length of the :abbr:`SSH (Secure Shell)` payload, in
+      bytes. Note that this ignores reassembly, as this is unknown.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_server_host_key
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 193 193
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hash: :zeek:type:`string`)
+
+   During the :abbr:`SSH (Secure Shell)` key exchange, the server
+   supplies its public host key. This event is generated when the
+   appropriate key exchange message is seen for SSH1 or SSH2 and provides
+   a fingerprint of the server's host key.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param hash: an MD5 hash fingerprint associated with the server's host key.
+         For SSH2, this is the hash of the "server public host key" string as
+         seen on the wire in the Diffie-Hellman key exchange reply message
+         (the string itself, excluding the 4-byte length associated with it),
+         which is also the *key* parameter of :zeek:see:`ssh2_server_host_key`
+         For SSH1, this is the hash of the combined multiprecision integer
+         strings representing the RSA1 key's prime modulus and public exponent
+         (concatenated in that order) as seen on the wire,
+         which are also the parameters of :zeek:see:`ssh1_server_host_key`.
+         In either case, the hash is the same "fingerprint" string as presented
+         by other traditional tools, ``ssh``, ``ssh-keygen``, etc, and is the
+         hexadecimal representation of all 16 MD5 hash bytes delimited by colons.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret
+
+.. zeek:id:: ssh_server_pre_banner_data
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 372 372
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`string`)
+
+   SSH servers can send textual data to the client before sending
+   a banner. The primary use case of this are error messages of TCP
+   wrappers.
+   
+   As this event happens before the SSH banner is exchanged, it is
+   possible that it contains data from different protocols; e.g. if
+   an SSH client connects to a non-SSH-server.
+   
+
+   :param c: The connection.
+   
+
+   :param data: The pre-banner data.
+   
+   .. zeek:see:: ssh_server_version
+
+.. zeek:id:: ssh_server_version
+   :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`string`)
+
+   An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+   from the server. This contains an identification string that's used
+   for version identification. See :rfc:`4253#section-4.2` for
+   details.
+   
+
+   :param c: The connection over which the message was sent.
+   
+
+   :param version: The identification string
+   
+   .. zeek:see:: ssh_server_version ssh_client_version ssh_auth_failed
+      ssh_auth_result ssh_auth_successful ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
+      ssh2_gss_init ssh2_rsa_secret ssh_server_pre_banner_data
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek.rst
new file mode 100644
index 0000000000..f94db88ae6
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SSH.types.bif.zeek
+========================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: SSH
+
+
+:Namespaces: GLOBAL, SSH
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek.rst
new file mode 100644
index 0000000000..2a0edc07bc
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SSL.consts.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek.rst
new file mode 100644
index 0000000000..4a3ab42b44
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek.rst
@@ -0,0 +1,1068 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SSL.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=================================================================================== =======================================================================================
+:zeek:id:`ssl_alert`: :zeek:type:`event`                                            Generated for SSL/TLS alert records.
+:zeek:id:`ssl_certificate_request`: :zeek:type:`event`                              This event is raised, when a Certificate Request handshake message is encountered.
+:zeek:id:`ssl_change_cipher_spec`: :zeek:type:`event`                               This event is raised when a SSL/TLS ChangeCipherSpec message is encountered
+                                                                                    before encryption begins.
+:zeek:id:`ssl_client_hello`: :zeek:type:`event`                                     Generated for an SSL/TLS client's initial *hello* message.
+:zeek:id:`ssl_connection_flipped`: :zeek:type:`event`                               Zeek typically assumes that the originator of a connection is the client of the SSL/TLS
+                                                                                    session.
+:zeek:id:`ssl_dh_client_params`: :zeek:type:`event`                                 Generated if a client uses a DH-anon or DHE cipher suite.
+:zeek:id:`ssl_dh_server_params`: :zeek:type:`event`                                 Generated if a server uses a DH-anon or DHE cipher suite.
+:zeek:id:`ssl_ecdh_client_params`: :zeek:type:`event`                               Generated if a client uses an ECDH-anon or ECDHE cipher suite.
+:zeek:id:`ssl_ecdh_server_params`: :zeek:type:`event`                               Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
+                                                                                    This event contains the named curve name and the server ECDH parameters contained
+                                                                                    in the ServerKeyExchange message as defined in :rfc:`4492`.
+:zeek:id:`ssl_encrypted_data`: :zeek:type:`event`                                   Generated for SSL/TLS messages that are sent after session encryption
+                                                                                    started.
+:zeek:id:`ssl_established`: :zeek:type:`event`                                      Generated at the end of an SSL/TLS handshake.
+:zeek:id:`ssl_extension`: :zeek:type:`event`                                        Generated for SSL/TLS extensions seen in an initial handshake.
+:zeek:id:`ssl_extension_application_layer_protocol_negotiation`: :zeek:type:`event` Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
+:zeek:id:`ssl_extension_connection_id`: :zeek:type:`event`                          Generated for an DTLS Connection ID extension.
+:zeek:id:`ssl_extension_ec_point_formats`: :zeek:type:`event`                       Generated for an SSL/TLS Supported Point Formats extension.
+:zeek:id:`ssl_extension_elliptic_curves`: :zeek:type:`event`                        Generated for an SSL/TLS Elliptic Curves extension.
+:zeek:id:`ssl_extension_key_share`: :zeek:type:`event`                              Generated for a Key Share extension.
+:zeek:id:`ssl_extension_pre_shared_key_client_hello`: :zeek:type:`event`            Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
+:zeek:id:`ssl_extension_pre_shared_key_server_hello`: :zeek:type:`event`            Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
+:zeek:id:`ssl_extension_psk_key_exchange_modes`: :zeek:type:`event`                 Generated for an TLS Pre-Shared Key Exchange Modes extension.
+:zeek:id:`ssl_extension_server_name`: :zeek:type:`event`                            Generated for an SSL/TLS Server Name extension.
+:zeek:id:`ssl_extension_signature_algorithm`: :zeek:type:`event`                    Generated for an Signature Algorithms extension.
+:zeek:id:`ssl_extension_signed_certificate_timestamp`: :zeek:type:`event`           Generated for the signed_certificate_timestamp TLS extension as defined in
+                                                                                    :rfc:`6962`.
+:zeek:id:`ssl_extension_supported_versions`: :zeek:type:`event`                     Generated for an TLS Supported Versions extension.
+:zeek:id:`ssl_handshake_message`: :zeek:type:`event`                                This event is raised for each unencrypted SSL/TLS handshake message.
+:zeek:id:`ssl_heartbeat`: :zeek:type:`event`                                        Generated for SSL/TLS heartbeat messages that are sent before session
+                                                                                    encryption starts.
+:zeek:id:`ssl_plaintext_data`: :zeek:type:`event`                                   Generated for SSL/TLS messages that are sent before full session encryption
+                                                                                    starts.
+:zeek:id:`ssl_probable_encrypted_handshake_message`: :zeek:type:`event`             This event is generated for application data records of TLS 1.3 connections of which
+                                                                                    we suspect that they contain handshake messages.
+:zeek:id:`ssl_rsa_client_pms`: :zeek:type:`event`                                   Generated if a client uses RSA key exchange.
+:zeek:id:`ssl_server_hello`: :zeek:type:`event`                                     Generated for an SSL/TLS server's initial *hello* message.
+:zeek:id:`ssl_server_signature`: :zeek:type:`event`                                 Generated if a server uses a non-anonymous DHE or ECDHE cipher suite.
+:zeek:id:`ssl_session_ticket_handshake`: :zeek:type:`event`                         Generated for SSL/TLS handshake messages that are a part of the
+                                                                                    stateless-server session resumption mechanism.
+:zeek:id:`ssl_stapled_ocsp`: :zeek:type:`event`                                     This event contains the OCSP response contained in a Certificate Status Request
+                                                                                    message, when the client requested OCSP stapling and the server supports it.
+=================================================================================== =======================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: ssl_alert
+   :source-code: base/protocols/ssl/main.zeek 487 493
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, level: :zeek:type:`count`, desc: :zeek:type:`count`)
+
+   Generated for SSL/TLS alert records. SSL/TLS sessions start with an
+   unencrypted handshake, and Zeek extracts as much information out of that as
+   it can. If during that handshake, an endpoint encounters a fatal error, it
+   sends an *alert* record, that in turn triggers this event. After an *alert*,
+   any endpoint may close the connection immediately.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param level: The severity level, as sent in the *alert*. The values are defined as
+          part of the SSL/TLS protocol.
+   
+
+   :param desc: A numerical value identifying the cause of the *alert*. The values are
+         defined as part of the SSL/TLS protocol.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake
+
+.. zeek:id:: ssl_certificate_request
+   :source-code: policy/protocols/ssl/certificate-request-info.zeek 13 23
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, certificate_types: :zeek:type:`index_vec`, supported_signature_algorithms: :zeek:type:`signature_and_hashalgorithm_vec`, certificate_authorities: :zeek:type:`string_vec`)
+
+   This event is raised, when a Certificate Request handshake message is encountered. This
+   Message can be used by a TLS server to request a client certificate.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param certificate_types: List of the types of certificates that the client may offer.
+   
+
+   :param supported_signature_algorithms: List of hash/sighature algorithm pairs that the server
+                                   supports, listed in descending order of preferences.
+   
+
+   :param certificate_authorities: List of distinguished names of certificate authorities that are
+                            acceptable to the server. The individual entries are DER encoded.
+                            :zeek:id:`parse_distinguished_name` can be used to decode the strings.
+   
+   .. zeek:see:: ssl_handshake_message x509_certificate ssl_server_hello ssl_client_hello
+                 parse_distinguished_name
+
+.. zeek:id:: ssl_change_cipher_spec
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 747 747
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`)
+
+   This event is raised when a SSL/TLS ChangeCipherSpec message is encountered
+   before encryption begins. Traffic will be encrypted following this message.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+   .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate ssl_client_hello
+      ssl_handshake_message
+
+.. zeek:id:: ssl_client_hello
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 41 41
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`, record_version: :zeek:type:`count`, possible_ts: :zeek:type:`time`, client_random: :zeek:type:`string`, session_id: :zeek:type:`string`, ciphers: :zeek:type:`index_vec`, comp_methods: :zeek:type:`index_vec`)
+
+   Generated for an SSL/TLS client's initial *hello* message.  SSL/TLS sessions
+   start with an unencrypted handshake, and Zeek extracts as much information out
+   of that as it can. This event provides access to the initial information
+   sent by the client.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param version: The protocol version as extracted from the client's message.  The
+            values are standardized as part of the SSL/TLS protocol. The
+            :zeek:id:`SSL::version_strings` table maps them to descriptive names.
+   
+
+   :param record_version: TLS version given in the record layer of the message.
+                   Set to 0 for SSLv2.
+   
+
+   :param possible_ts: The current time as sent by the client. Note that SSL/TLS does
+                not require clocks to be set correctly, so treat with care.
+   
+
+   :param session_id: The session ID sent by the client (if any).
+   
+
+   :param client_random: The random value sent by the client. For version 2 connections,
+   		  the client challenge is returned.
+   
+
+   :param ciphers: The list of ciphers the client offered to use. The values are
+            standardized as part of the SSL/TLS protocol. The
+            :zeek:id:`SSL::cipher_desc` table maps them to descriptive names.
+   
+
+   :param comp_methods: The list of compression methods that the client offered to use.
+                 This value is not sent in TLSv1.3 or SSLv2.
+   
+   .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate ssl_handshake_message
+      ssl_change_cipher_spec
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_connection_flipped
+
+.. zeek:id:: ssl_connection_flipped
+   :source-code: base/protocols/ssl/main.zeek 369 374
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Zeek typically assumes that the originator of a connection is the client of the SSL/TLS
+   session. In some scenarios this does not hold, and the responder of a connection is the
+   client, and the initiator is the server.
+   
+   In these cases, Zeek raises this event. Connection direction is detected by looking at the
+   server hello, client hello, and hello request handshake messages.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate ssl_client_hello
+      ssl_handshake_message
+
+.. zeek:id:: ssl_dh_client_params
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 348 348
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, Yc: :zeek:type:`string`)
+
+   Generated if a client uses a DH-anon or DHE cipher suite. This event contains
+   the client DH parameters contained in the ClientKeyExchange message as
+   defined in :rfc:`5246`.
+   
+
+   :param c: The connection.
+   
+
+   :param Yc: The client's DH public key.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms
+
+.. zeek:id:: ssl_dh_server_params
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 297 297
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, p: :zeek:type:`string`, q: :zeek:type:`string`, Ys: :zeek:type:`string`)
+
+   Generated if a server uses a DH-anon or DHE cipher suite. This event contains
+   the server DH parameters, contained in the ServerKeyExchange message as
+   defined in :rfc:`5246`.
+   
+
+   :param c: The connection.
+   
+
+   :param p: The DH prime modulus.
+   
+
+   :param q: The DH generator.
+   
+
+   :param Ys: The server's DH public key.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms
+
+.. zeek:id:: ssl_ecdh_client_params
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 334 334
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, point: :zeek:type:`string`)
+
+   Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event
+   contains the client ECDH public value contained in the ClientKeyExchange
+   message as defined in :rfc:`4492`.
+   
+
+   :param c: The connection.
+   
+
+   :param point: The client's ECDH public key.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms
+
+.. zeek:id:: ssl_ecdh_server_params
+   :source-code: base/protocols/ssl/main.zeek 330 335
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, curve: :zeek:type:`count`, point: :zeek:type:`string`)
+
+   Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
+   This event contains the named curve name and the server ECDH parameters contained
+   in the ServerKeyExchange message as defined in :rfc:`4492`.
+   
+
+   :param c: The connection.
+   
+
+   :param curve: The curve parameters.
+   
+
+   :param point: The server's ECDH public key.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms
+
+.. zeek:id:: ssl_encrypted_data
+   :source-code: policy/protocols/ssl/heartbleed.zeek 226 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, record_version: :zeek:type:`count`, content_type: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for SSL/TLS messages that are sent after session encryption
+   started.
+   
+   Note that :zeek:id:`SSL::disable_analyzer_after_detection` has to be changed
+   from its default to false for this event to be generated.
+   
+   Also note that, for DTLS 1.3, it is not always possible to give an exact length for
+   the payload that is transported in the packet. If connection IDs are used, the length
+   provided is the length of the entire packet, without the first byte (for the unified header).
+   If no connection IDs are used, the length given is the actual payload length. Connection IDs
+   are used with the connection ID extension in the client or server hello.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param record_version: TLS version given in the record layer of the message.
+                   Set to 0 for SSLv2.
+   
+
+   :param content_type: message type as reported by TLS session layer. Not populated for
+                 SSLv2.
+   
+
+   :param length: length of the encrypted payload in the record.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_established
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 533 533
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
+   an unencrypted handshake, and Zeek extracts as much information out of that
+   as it can. This event signals the time when an SSL/TLS has finished the
+   handshake and its endpoints consider it as fully established. Typically,
+   everything from now on will be encrypted.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello  ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate
+
+.. zeek:id:: ssl_extension
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 115 115
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, code: :zeek:type:`count`, val: :zeek:type:`string`)
+
+   Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
+   sessions start with an unencrypted handshake, and Zeek extracts as much
+   information out of that as it can. This event provides access to any
+   extensions either side sends as part of an extended *hello* message.
+   
+   Note that Zeek offers more specialized events for a few extensions.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param code: The numerical code of the extension.  The values are standardized as
+         part of the SSL/TLS protocol. The :zeek:id:`SSL::extensions` table maps
+         them to descriptive names.
+   
+
+   :param val: The raw extension value that was sent in the message.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension_ec_point_formats
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_connection_flipped ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_application_layer_protocol_negotiation
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 388 388
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, protocols: :zeek:type:`string_vec`)
+
+   Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
+   This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
+   the initial handshake. It contains the list of client supported application
+   protocols by the client or the server, respectively.
+   
+   At the moment it is mostly used to negotiate the use of SPDY / HTTP2.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param protocols: List of supported application layer protocols.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_server_name ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_connection_id
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 517 517
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, cid: :zeek:type:`string`)
+
+   Generated for an DTLS Connection ID extension. This TLS extension is defined
+   in the RFC 9146 and sent by the client or the server to signify that Connection IDs should
+   be used for the connection.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param cid: The connection ID given by the client or the server.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_key_share ssl_extension_server_name
+      ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+
+.. zeek:id:: ssl_extension_ec_point_formats
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 93 101
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, point_formats: :zeek:type:`index_vec`)
+
+   Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
+   is defined in :rfc:`4492` and sent by the client and/or server in the initial
+   handshake. It gives the list of elliptic curve point formats supported by the
+   client.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param point_formats: List of supported point formats.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name ssl_extension_signature_algorithm
+      ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_elliptic_curves
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 103 111
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, curves: :zeek:type:`index_vec`)
+
+   Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
+   defined in :rfc:`4492` and sent by the client in the initial handshake. It
+   gives the list of elliptic curves supported by the client.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param curves: List of supported elliptic curves.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name ssl_extension_signature_algorithm
+      ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_key_share
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 214 214
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, curves: :zeek:type:`index_vec`)
+
+   Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
+   and sent by the client and the server in the initial handshake. It gives the list of
+   named groups supported by the client and chosen by the server.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param curves: List of supported/chosen named groups.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_pre_shared_key_client_hello
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 240 240
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, identities: :zeek:type:`psk_identity_vec`, binders: :zeek:type:`string_vec`)
+
+   Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
+   
+   The extension lists the identities the client is willing to negotiate with the server;
+   they can either be pre-shared or be based on previous handshakes.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param identities: A list of the identities the client is willing to negotiate with the server.
+   
+
+   :param binders: A series of HMAC values; for computation, see the TLS 1.3 RFC.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_pre_shared_key_server_hello
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 262 262
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, selected_identity: :zeek:type:`count`)
+
+   Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param selected_identity: The identity the server chose as a 0-based index into the identities
+                      the client sent.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_psk_key_exchange_modes
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 139 147
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, modes: :zeek:type:`index_vec`)
+
+   Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
+   in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the
+   list of Pre-Shared Key Exchange Modes that it supports.
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param versions: List of supported Pre-Shared Key Exchange Modes.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_key_share ssl_extension_server_name
+      ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_server_name
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 414 414
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, names: :zeek:type:`string_vec`)
+
+   Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
+   defined in :rfc:`3546` and sent by the client in the initial handshake. It
+   contains the name of the server it is contacting. This information can be
+   used by the server to choose the correct certificate for the host the client
+   wants to contact.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param names: A list of server names (DNS hostnames).
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_signature_algorithm
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 159 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, signature_algorithms: :zeek:type:`signature_and_hashalgorithm_vec`)
+
+   Generated for an Signature Algorithms extension. This TLS extension
+   is defined in :rfc:`5246` and sent by the client in the initial
+   handshake. It gives the list of signature and hash algorithms supported by the
+   client.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param signature_algorithms: List of supported signature and hash algorithm pairs.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_server_name ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_server_signature
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_signed_certificate_timestamp
+   :source-code: policy/protocols/ssl/validate-sct.zeek 77 80
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, version: :zeek:type:`count`, logid: :zeek:type:`string`, timestamp: :zeek:type:`count`, signature_and_hashalgorithm: :zeek:type:`SSL::SignatureAndHashAlgorithm`, signature: :zeek:type:`string`)
+
+   Generated for the signed_certificate_timestamp TLS extension as defined in
+   :rfc:`6962`. The extension is used to transmit signed proofs that are
+   used for Certificate Transparency.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param version: the version of the protocol to which the SCT conforms. Always
+            should be 0 (representing version 1)
+   
+
+   :param logid: 32 bit key id
+   
+
+   :param timestamp: the NTP Time when the entry was logged measured since
+              the epoch, ignoring leap seconds, in milliseconds.
+   
+
+   :param signature_and_hashalgorithm: signature and hash algorithm used for the
+                                digitally_signed struct
+   
+
+   :param signature: signature part of the digitally_signed struct
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_server_name ssl_extension_key_share
+      ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+      ssl_extension_application_layer_protocol_negotiation
+      x509_ocsp_ext_signed_certificate_timestamp sct_verify
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_extension_supported_versions
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 473 473
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, versions: :zeek:type:`index_vec`)
+
+   Generated for an TLS Supported Versions extension. This TLS extension
+   is defined in the TLS 1.3 rfc and sent by the client in the initial handshake.
+   It contains the TLS versions that it supports. This information can be used by
+   the server to choose the best TLS version o use.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param versions: List of supported TLS versions.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_extension
+      ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+      ssl_extension_application_layer_protocol_negotiation
+      ssl_extension_key_share ssl_extension_server_name
+      ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
+      ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+      ssl_extension_connection_id
+
+.. zeek:id:: ssl_handshake_message
+   :source-code: base/protocols/ssl/main.zeek 376 458
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, msg_type: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   This event is raised for each unencrypted SSL/TLS handshake message.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param msg_type: Type of the handshake message that was seen.
+   
+
+   :param length: Length of the handshake message that was seen.
+   
+   .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+      ssl_session_ticket_handshake x509_certificate ssl_client_hello
+      ssl_change_cipher_spec ssl_connection_flipped ssl_certificate_request
+
+.. zeek:id:: ssl_heartbeat
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 606 606
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, length: :zeek:type:`count`, heartbeat_type: :zeek:type:`count`, payload_length: :zeek:type:`count`, payload: :zeek:type:`string`)
+
+   Generated for SSL/TLS heartbeat messages that are sent before session
+   encryption starts. Generally heartbeat messages should rarely be seen in
+   normal TLS traffic. Heartbeats are described in :rfc:`6520`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param length: length of the entire heartbeat message.
+   
+
+   :param heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response.
+   
+
+   :param payload_length: length of the payload of the heartbeat message, according to
+                   packet field.
+   
+
+   :param payload: payload contained in the heartbeat message. Size can differ from
+            payload_length, if payload_length and actual packet length disagree.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_alert ssl_encrypted_data
+
+.. zeek:id:: ssl_plaintext_data
+   :source-code: base/protocols/ssl/main.zeek 538 547
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, record_version: :zeek:type:`count`, content_type: :zeek:type:`count`, length: :zeek:type:`count`)
+
+   Generated for SSL/TLS messages that are sent before full session encryption
+   starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
+   here this event will be raised for early packets that are already using
+   pre-encryption.  # This event is also used by Zeek internally to determine if
+   the connection has been completely setup. This is necessary as TLS 1.3 does
+   not have CCS anymore.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param record_version: TLS version given in the record layer of the message.
+                   Set to 0 for SSLv2.
+   
+
+   :param content_type: message type as reported by TLS session layer. Not populated for
+                 SSLv2.
+   
+
+   :param length: length of the entire message.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_alert ssl_heartbeat
+
+.. zeek:id:: ssl_probable_encrypted_handshake_message
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 700 700
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, length: :zeek:type:`count`)
+
+   This event is generated for application data records of TLS 1.3 connections of which
+   we suspect that they contain handshake messages.
+   
+   In TLS 1.3, large parts of the handshake are encrypted; the only cleartext packets
+   typically exchanged are the client hello and the server hello. The first few packets
+   after the client and server hello, however, are a continuation of the handshake and
+   still include handshake data.
+   
+   This event is raised for these packets of which we suspect that they are handshake records,
+   including the finished record.
+   
+   The heuristic for this is: all application data record after the server hello are
+   handshake records until at least one application data record has been received
+   from both the server and the client. Typically, the server will send more records
+   before the client sends the first application data record; and the first application
+   data record of the client will typically include the finished message.
+   
+   Given the encrypted nature of the protocol, in some cases this determination is
+   not correct; the client can send more handshake packets before the finished message, e.g.,
+   when client certificates are used.
+   
+   Note that :zeek:see:`ssl_encrypted_data` is also raised for these messages.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param length: length of the entire message.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_server_hello
+      ssl_encrypted_data
+
+.. zeek:id:: ssl_rsa_client_pms
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 362 362
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, pms: :zeek:type:`string`)
+
+   Generated if a client uses RSA key exchange. This event contains the client
+   encrypted pre-master secret which is encrypted using the public key of the
+   server's certificate as defined in :rfc:`5246`.
+   
+
+   :param c: The connection.
+   
+
+   :param pms: The encrypted pre-master secret.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_server_signature
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+
+.. zeek:id:: ssl_server_hello
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 86 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, version: :zeek:type:`count`, record_version: :zeek:type:`count`, possible_ts: :zeek:type:`time`, server_random: :zeek:type:`string`, session_id: :zeek:type:`string`, cipher: :zeek:type:`count`, comp_method: :zeek:type:`count`)
+
+   Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
+   start with an unencrypted handshake, and Zeek extracts as much information out
+   of that as it can. This event provides access to the initial information
+   sent by the client.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param version: The protocol version as extracted from the server's message.
+            The values are standardized as part of the SSL/TLS protocol. The
+            :zeek:id:`SSL::version_strings` table maps them to descriptive names.
+   
+
+   :param record_version: TLS version given in the record layer of the message.
+                   Set to 0 for SSLv2.
+   
+
+   :param possible_ts: The current time as sent by the server. Note that SSL/TLS does
+                not require clocks to be set correctly, so treat with care. This value
+                is meaningless in SSLv2 and TLSv1.3.
+   
+
+   :param session_id: The session ID as sent back by the server (if any). This value is not
+               sent in TLSv1.3.
+   
+
+   :param server_random: The random value sent by the server. For version 2 connections,
+   		  the connection-id is returned. Note - the full 32 bytes are included in
+   		  server_random. This means that the 4 bytes present in possible_ts are repeated;
+   		  if you do not want this behavior ignore the first 4 bytes.
+   
+
+   :param cipher: The cipher chosen by the server.  The values are standardized as part
+           of the SSL/TLS protocol. The :zeek:id:`SSL::cipher_desc` table maps
+           them to descriptive names.
+   
+
+   :param comp_method: The compression method chosen by the client. The values are
+                standardized as part of the SSL/TLS protocol. This value is not
+                sent in TLSv1.3 or SSLv2.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
+      ssl_session_ticket_handshake x509_certificate
+      ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+      ssl_rsa_client_pms ssl_connection_flipped
+
+.. zeek:id:: ssl_server_signature
+   :source-code: base/bif/plugins/Zeek_SSL.events.bif.zeek 320 320
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, signature_and_hashalgorithm: :zeek:type:`SSL::SignatureAndHashAlgorithm`, signature: :zeek:type:`string`)
+
+   Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event
+   contains the server signature over the key exchange parameters contained in
+   the ServerKeyExchange message as defined in :rfc:`4492` and :rfc:`5246`.
+   
+
+   :param c: The connection.
+   
+
+   :param signature_and_hashalgorithm: signature and hash algorithm used for the
+                                digitally_signed struct. This field is only present
+                                starting with TLSv1.2 and DTLSv1.2. Earlier versions
+                                used a hardcoded hash algorithm. For protocol versions
+                                below D(TLS)v1.2 this field is filled with an dummy
+                                value of 256.
+   
+
+   :param signature: Signature part of the digitally_signed struct. The private key
+              corresponding to the certified public key in the server's certificate
+              message is used for signing.
+   
+   .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+      ssl_session_ticket_handshake ssl_rsa_client_pms
+      ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+
+.. zeek:id:: ssl_session_ticket_handshake
+   :source-code: policy/protocols/ssl/ssl-log-ext.zeek 68 73
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, ticket_lifetime_hint: :zeek:type:`count`, ticket: :zeek:type:`string`)
+
+   Generated for SSL/TLS handshake messages that are a part of the
+   stateless-server session resumption mechanism. SSL/TLS sessions start with
+   an unencrypted handshake, and Zeek extracts as much information out of that
+   as it can. This event is raised when an SSL/TLS server passes a session
+   ticket to the client that can later be used for resuming the session. The
+   mechanism is described in :rfc:`4507`.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Transport_Layer_Security>`__ for
+   more information about the SSL/TLS protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param ticket_lifetime_hint: A hint from the server about how long the ticket
+                         should be stored by the client.
+   
+
+   :param ticket: The raw ticket data.
+   
+   .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+      ssl_alert
+
+.. zeek:id:: ssl_stapled_ocsp
+   :source-code: policy/protocols/ssl/validate-ocsp.zeek 34 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_client: :zeek:type:`bool`, response: :zeek:type:`string`)
+
+   This event contains the OCSP response contained in a Certificate Status Request
+   message, when the client requested OCSP stapling and the server supports it.
+   See description in :rfc:`6066`.
+   
+
+   :param c: The connection.
+   
+
+   :param is_client: True if event is raised for the client side of the connection
+              (the side that sends the client hello). This is typically equivalent
+              with the originator, but does not have to be in all circumstances.
+   
+
+   :param response: OCSP data.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek.rst
new file mode 100644
index 0000000000..00dcdcc89b
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek.rst
@@ -0,0 +1,93 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SSL.functions.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================== ==============================================================================
+:zeek:id:`parse_distinguished_name`: :zeek:type:`function` Decodes a DER-encoded distinguished name into an ASCII string,
+                                                           using the RFC2253 representation
+:zeek:id:`set_keys`: :zeek:type:`function`                 Set the decryption keys that should be used to decrypt
+                                                           TLS application data in the connection.
+:zeek:id:`set_secret`: :zeek:type:`function`               Set the secret that should be used to derive keys for the connection.
+:zeek:id:`set_ssl_established`: :zeek:type:`function`      Sets if the SSL analyzer should consider the connection established (handshake
+                                                           finished successfully).
+========================================================== ==============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: parse_distinguished_name
+   :source-code: base/bif/plugins/Zeek_SSL.functions.bif.zeek 46 46
+
+   :Type: :zeek:type:`function` (dn: :zeek:type:`string`) : :zeek:type:`string`
+
+   Decodes a DER-encoded distinguished name into an ASCII string,
+   using the RFC2253 representation
+   
+
+   :param dn: DER encoded distinguished name
+   
+
+   :returns: Ascii representation on success, empty string on failure
+   
+   .. zeek:see:: ssl_certificate_request
+
+.. zeek:id:: set_keys
+   :source-code: base/bif/plugins/Zeek_SSL.functions.bif.zeek 35 35
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, keys: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Set the decryption keys that should be used to decrypt
+   TLS application data in the connection.
+   
+
+   :param c: The affected connection
+   
+
+   :param keys: The key buffer as derived via TLS PRF.
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: set_secret
+   :source-code: base/bif/plugins/Zeek_SSL.functions.bif.zeek 24 24
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, secret: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Set the secret that should be used to derive keys for the connection.
+   (For TLS 1.2 this is the pre-master secret).
+   
+
+   :param c: The affected connection
+   
+
+   :param secret: secret to set
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: set_ssl_established
+   :source-code: base/bif/plugins/Zeek_SSL.functions.bif.zeek 13 13
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`) : :zeek:type:`bool`
+
+   Sets if the SSL analyzer should consider the connection established (handshake
+   finished successfully).
+   
+
+   :param c: The SSL connection.
+   
+
+   :returns: T on success, F on failure.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek.rst
new file mode 100644
index 0000000000..2b4ceea5c5
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_SSL.types.bif.zeek
+========================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: SSL
+
+
+:Namespaces: GLOBAL, SSL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek.rst
new file mode 100644
index 0000000000..8d80781ec8
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek.rst
@@ -0,0 +1,73 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_StreamEvent.events.bif.zeek
+=================================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+================================================= ======================================================================
+:zeek:id:`stream_deliver`: :zeek:type:`event`     Generated for each chunk of reassembled TCP payload.
+:zeek:id:`stream_undelivered`: :zeek:type:`event` Generated when Zeek detects a gap in a reassembled TCP payload stream.
+================================================= ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: stream_deliver
+   :source-code: base/bif/plugins/Zeek_StreamEvent.events.bif.zeek 23 23
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for each chunk of reassembled TCP payload.
+   
+   This is a low-level event to inspect stream data from the originator
+   and responder endpoints. This can be useful for debugging purposes, or
+   for logging of plain-text interactive sessions when no more appropriate
+   analyzer is available.
+   
+   Note that this event is potentially expensive if connections that have
+   the stream event analyzer attached carry significant amounts of data.
+   Generally, a native protocol parser will have much less overhead than
+   passing the complete stream data to the scripting layer.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: T if stream data is from the originator-side, else F.
+   
+
+   :param data: The raw payload.
+   
+   .. zeek:see:: stream_undelivered tcp_contents
+
+.. zeek:id:: stream_undelivered
+   :source-code: base/bif/plugins/Zeek_StreamEvent.events.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, seq: :zeek:type:`count`, len: :zeek:type:`count`)
+
+   Generated when Zeek detects a gap in a reassembled TCP payload stream.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: T if the gap is in the originator-side input, else F.
+   
+
+   :param seq: The sequence number of the first byte of the gap.
+   
+
+   :param len: The length of the gap.
+   
+   .. zeek:see:: stream_deliver content_gap
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek.rst
new file mode 100644
index 0000000000..5651a5cbed
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek.rst
@@ -0,0 +1,578 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_TCP.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================== =============================================================================
+:zeek:id:`connection_EOF`: :zeek:type:`event`               Generated at the end of reassembled TCP connections.
+:zeek:id:`connection_SYN_packet`: :zeek:type:`event`        Generated for a SYN packet.
+:zeek:id:`connection_attempt`: :zeek:type:`event`           Generated for an unsuccessful connection attempt.
+:zeek:id:`connection_established`: :zeek:type:`event`       Generated when seeing a SYN-ACK packet from the responder in a TCP
+                                                            handshake.
+:zeek:id:`connection_finished`: :zeek:type:`event`          Generated for a TCP connection that finished normally.
+:zeek:id:`connection_first_ACK`: :zeek:type:`event`         Generated for the first ACK packet seen for a TCP connection from
+                                                            its *originator*.
+:zeek:id:`connection_half_finished`: :zeek:type:`event`     Generated when one endpoint of a TCP connection attempted to gracefully close
+                                                            the connection, but the other endpoint is in the TCP_INACTIVE state.
+:zeek:id:`connection_partial_close`: :zeek:type:`event`     Generated when a previously inactive endpoint attempts to close a TCP
+                                                            connection via a normal FIN handshake or an abort RST sequence.
+:zeek:id:`connection_pending`: :zeek:type:`event`           Generated for each still-open TCP connection when Zeek terminates.
+:zeek:id:`connection_rejected`: :zeek:type:`event`          Generated for a rejected TCP connection.
+:zeek:id:`connection_reset`: :zeek:type:`event`             Generated when an endpoint aborted a TCP connection.
+:zeek:id:`contents_file_write_failure`: :zeek:type:`event`  Generated when failing to write contents of a TCP stream to a file.
+:zeek:id:`new_connection_contents`: :zeek:type:`event`      Generated when reassembly starts for a TCP connection.
+:zeek:id:`partial_connection`: :zeek:type:`event`           Generated for a new active TCP connection if Zeek did not see the initial
+                                                            handshake.
+:zeek:id:`tcp_contents`: :zeek:type:`event`                 Generated for each chunk of reassembled TCP payload.
+:zeek:id:`tcp_multiple_checksum_errors`: :zeek:type:`event` Generated if a TCP flow crosses a checksum-error threshold, per
+                                                            'C'/'c' history reporting.
+:zeek:id:`tcp_multiple_gap`: :zeek:type:`event`             Generated if a TCP flow crosses a gap threshold, per 'G'/'g' history
+                                                            reporting.
+:zeek:id:`tcp_multiple_retransmissions`: :zeek:type:`event` Generated if a TCP flow crosses a retransmission threshold, per
+                                                            'T'/'t' history reporting.
+:zeek:id:`tcp_multiple_zero_windows`: :zeek:type:`event`    Generated if a TCP flow crosses a zero-window threshold, per
+                                                            'W'/'w' history reporting.
+:zeek:id:`tcp_option`: :zeek:type:`event`                   Generated for each option found in a TCP header.
+:zeek:id:`tcp_options`: :zeek:type:`event`                  Generated for each TCP header that contains TCP options.
+:zeek:id:`tcp_packet`: :zeek:type:`event`                   Generated for every TCP packet.
+:zeek:id:`tcp_rexmit`: :zeek:type:`event`                   Generated for each detected TCP segment retransmission.
+=========================================================== =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: connection_EOF
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 227 227
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`)
+
+   Generated at the end of reassembled TCP connections. The TCP reassembler
+   raised the event once for each endpoint of a connection when it finished
+   reassembling the corresponding side of the communication.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+   .. zeek:see::  connection_SYN_packet connection_attempt connection_established
+      connection_finished connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_SYN_packet
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 192 192
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, pkt: :zeek:type:`SYN_packet`)
+
+   Generated for a SYN packet. Zeek raises this event for every SYN packet seen
+   by its TCP analyzer. This includes packets that have other flags set - like
+   in the case of SYN-ACK packets.
+   
+
+   :param c: The connection.
+   
+
+   :param pkt: Information extracted from the SYN packet.
+   
+   .. zeek:see:: connection_EOF  connection_attempt connection_established
+      connection_finished connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+   
+   .. note::
+   
+      This event has quite low-level semantics and can potentially be expensive
+      to generate. It should only be used if one really needs the specific
+      information passed into the handler via the ``pkt`` argument. If not,
+      handling one of the other ``connection_*`` events is typically the
+      better approach.
+
+.. zeek:id:: connection_attempt
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 531 535
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for an unsuccessful connection attempt. This event is raised when
+   an originator unsuccessfully attempted to establish a connection.
+   "Unsuccessful" is defined as at least :zeek:id:`tcp_attempt_delay` seconds
+   having elapsed since the originator first sent a connection establishment
+   packet to the destination without seeing a reply.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_established
+      connection_finished connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_established
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 53 53
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when seeing a SYN-ACK packet from the responder in a TCP
+   handshake.  An associated SYN packet was not seen from the originator
+   side if its state is not set to :zeek:see:`TCP_ESTABLISHED`.
+   The final ACK of the handshake in response to SYN-ACK may
+   or may not occur later, one way to tell is to check the *history* field of
+   :zeek:type:`connection` to see if the originator sent an ACK, indicated by
+   'A' in the history string.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_finished connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_finished
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 101 101
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a TCP connection that finished normally. The event is raised
+   when a regular FIN handshake from both endpoints was observed.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_first_ACK
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_first_ACK
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 210 210
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for the first ACK packet seen for a TCP connection from
+   its *originator*.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_half_finished connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+   
+   .. note::
+   
+      This event has quite low-level semantics and should be used only rarely.
+
+.. zeek:id:: connection_half_finished
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 116 116
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when one endpoint of a TCP connection attempted to gracefully close
+   the connection, but the other endpoint is in the TCP_INACTIVE state. This can
+   happen due to split routing, in which Zeek only sees one side of a connection.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK  connection_partial_close connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_partial_close
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 87 87
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a previously inactive endpoint attempts to close a TCP
+   connection via a normal FIN handshake or an abort RST sequence. When the
+   endpoint sent one of these packets, Zeek waits
+   :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give
+   the other endpoint a chance to close the connection normally.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_pending
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+
+.. zeek:id:: connection_pending
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 549 553
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for each still-open TCP connection when Zeek terminates.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_rejected connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection zeek_done
+
+.. zeek:id:: connection_rejected
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 537 541
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a rejected TCP connection. This event is raised when an
+   originator attempted to setup a TCP connection but the responder replied
+   with a RST packet denying it.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending  connection_reset connection_reused connection_state_remove
+      connection_status_update connection_timeout scheduled_analyzer_applied
+      new_connection new_connection_contents partial_connection
+   
+   .. note::
+   
+      If the responder does not respond at all, :zeek:id:`connection_attempt` is
+      raised instead. If the responder initially accepts the connection but
+      aborts it later, Zeek first generates :zeek:id:`connection_established`
+      and then :zeek:id:`connection_reset`.
+
+.. zeek:id:: connection_reset
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 543 547
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when an endpoint aborted a TCP connection. The event is raised
+   when one endpoint of an established TCP connection aborted by sending a RST
+   packet.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected  connection_reused
+      connection_state_remove connection_status_update connection_timeout
+      scheduled_analyzer_applied new_connection new_connection_contents
+      partial_connection
+
+.. zeek:id:: contents_file_write_failure
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 403 403
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`string`)
+
+   Generated when failing to write contents of a TCP stream to a file.
+   
+
+   :param c: The connection whose contents are being recorded.
+   
+
+   :param is_orig: Which side of the connection encountered a failure to write.
+   
+
+   :param msg: A reason or description for the failure.
+   
+   .. zeek:see:: set_contents_file get_contents_file
+
+.. zeek:id:: new_connection_contents
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 17 17
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when reassembly starts for a TCP connection. This event is raised
+   at the moment when Zeek's TCP analyzer enables stream reassembly for a
+   connection.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_state_remove connection_status_update connection_timeout
+      scheduled_analyzer_applied new_connection partial_connection
+
+.. zeek:id:: partial_connection
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 525 529
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated for a new active TCP connection if Zeek did not see the initial
+   handshake. This event is raised when Zeek has observed traffic from each
+   endpoint, but the activity did not begin with the usual connection
+   establishment.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: connection_EOF connection_SYN_packet connection_attempt
+      connection_established connection_finished
+      connection_first_ACK connection_half_finished connection_partial_close
+      connection_pending connection_rejected connection_reset connection_reused
+      connection_state_remove connection_status_update connection_timeout
+      scheduled_analyzer_applied new_connection new_connection_contents
+   
+
+.. zeek:id:: tcp_contents
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 320 320
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, seq: :zeek:type:`count`, contents: :zeek:type:`string`)
+
+   Generated for each chunk of reassembled TCP payload. When content delivery is
+   enabled for a TCP connection (via :zeek:id:`tcp_content_delivery_ports_orig`,
+   :zeek:id:`tcp_content_delivery_ports_resp`,
+   :zeek:id:`tcp_content_deliver_all_orig`,
+   :zeek:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
+   of in-order payload reconstructed from the packet stream. Note that this
+   event is potentially expensive if many connections carry significant amounts
+   of data as then all that data needs to be passed on to the scripting layer.
+   
+
+   :param c: The connection the payload is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param seq: The sequence number corresponding to the first byte of the payload
+        chunk.
+   
+
+   :param contents: The raw payload, which will be non-empty.
+   
+   .. zeek:see:: tcp_packet tcp_option tcp_rexmit
+      tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
+      tcp_content_deliver_all_resp tcp_content_deliver_all_orig
+   
+   .. note::
+   
+      The payload received by this event is the same that is also passed into
+      application-layer protocol analyzers internally. Subsequent invocations of
+      this event for the same connection receive non-overlapping in-order chunks
+      of its TCP payload stream. It is however undefined what size each chunk
+      has; while Zeek passes the data on as soon as possible, specifics depend on
+      network-level effects such as latency, acknowledgements, reordering, etc.
+
+.. zeek:id:: tcp_multiple_checksum_errors
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 352 352
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a TCP flow crosses a checksum-error threshold, per
+   'C'/'c' history reporting.
+   
+
+   :param c: The connection record for the TCP connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  udp_multiple_checksum_errors
+      tcp_multiple_zero_windows tcp_multiple_retransmissions tcp_multiple_gap
+
+.. zeek:id:: tcp_multiple_gap
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 391 391
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a TCP flow crosses a gap threshold, per 'G'/'g' history
+   reporting.
+   
+
+   :param c: The connection record for the TCP connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_retransmissions
+
+.. zeek:id:: tcp_multiple_retransmissions
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 378 378
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a TCP flow crosses a retransmission threshold, per
+   'T'/'t' history reporting.
+   
+
+   :param c: The connection record for the TCP connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  tcp_multiple_checksum_errors tcp_multiple_zero_windows tcp_multiple_gap
+
+.. zeek:id:: tcp_multiple_zero_windows
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 365 365
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a TCP flow crosses a zero-window threshold, per
+   'W'/'w' history reporting.
+   
+
+   :param c: The connection record for the TCP connection.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  tcp_multiple_checksum_errors tcp_multiple_retransmissions tcp_multiple_gap
+
+.. zeek:id:: tcp_option
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 274 274
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, opt: :zeek:type:`count`, optlen: :zeek:type:`count`)
+
+   Generated for each option found in a TCP header. Like many of the ``tcp_*``
+   events, this is a very low-level event and potentially expensive as it may
+   be raised very often.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param opt: The numerical option number, as found in the TCP header.
+   
+
+   :param optlen: The length of the options value.
+   
+   .. zeek:see:: tcp_packet tcp_contents tcp_rexmit tcp_options
+   
+   .. note:: To inspect the actual option values, if any, use :zeek:see:`tcp_options`.
+
+.. zeek:id:: tcp_options
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 287 287
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, options: :zeek:type:`TCP::OptionList`)
+
+   Generated for each TCP header that contains TCP options.  This is a very
+   low-level event and potentially expensive as it may be raised very often.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param options: The list of options parsed out of the TCP header.
+   
+   .. zeek:see:: tcp_packet tcp_contents tcp_rexmit tcp_option
+
+.. zeek:id:: tcp_packet
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 256 256
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, flags: :zeek:type:`string`, seq: :zeek:type:`count`, ack: :zeek:type:`count`, len: :zeek:type:`count`, payload: :zeek:type:`string`)
+
+   Generated for every TCP packet. This is a very low-level and expensive event
+   that should be avoided when at all possible. It's usually infeasible to
+   handle when processing even medium volumes of traffic in real-time.  It's
+   slightly better than :zeek:id:`new_packet` because it affects only TCP, but
+   not much. That said, if you work from a trace and want to do some
+   packet-level analysis, it may come in handy.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param flags: A string with the packet's TCP flags. In the string, each character
+          corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
+          ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH; ``U`` -> URGENT.
+   
+
+   :param seq: The packet's relative TCP sequence number.
+   
+
+   :param ack: If the ACK flag is set for the packet, the packet's relative ACK
+        number, else zero.
+   
+
+   :param len: The length of the TCP payload, as specified in the packet header.
+   
+
+   :param payload: The raw TCP payload. Note that this may be shorter than *len* if
+            the packet was not fully captured.
+   
+   .. zeek:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
+
+.. zeek:id:: tcp_rexmit
+   :source-code: base/bif/plugins/Zeek_TCP.events.bif.zeek 338 338
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, seq: :zeek:type:`count`, len: :zeek:type:`count`, data_in_flight: :zeek:type:`count`, window: :zeek:type:`count`)
+
+   Generated for each detected TCP segment retransmission.
+   
+
+   :param c: The connection the packet is part of.
+   
+
+   :param is_orig: True if the packet was sent by the connection's originator.
+   
+
+   :param seq: The segment's relative TCP sequence number.
+   
+
+   :param len: The length of the TCP segment, as specified in the packet header.
+   
+
+   :param data_in_flight: The number of bytes corresponding to the difference between
+                   the last sequence number and last acknowledgement number
+                   we've seen for a given endpoint.
+   
+
+   :param window: the TCP window size.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek.rst
new file mode 100644
index 0000000000..945838f119
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek.rst
@@ -0,0 +1,126 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_TCP.functions.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+=================================================== ======================================================================
+:zeek:id:`get_contents_file`: :zeek:type:`function` Returns the file handle of the contents file of a connection.
+:zeek:id:`get_orig_seq`: :zeek:type:`function`      Get the originator sequence number of a TCP connection.
+:zeek:id:`get_resp_seq`: :zeek:type:`function`      Get the responder sequence number of a TCP connection.
+:zeek:id:`set_contents_file`: :zeek:type:`function` Associates a file handle with a connection for writing TCP byte stream
+                                                    contents.
+=================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: get_contents_file
+   :source-code: base/bif/plugins/Zeek_TCP.functions.bif.zeek 80 80
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, direction: :zeek:type:`count`) : :zeek:type:`file`
+
+   Returns the file handle of the contents file of a connection.
+   
+
+   :param cid: The connection ID.
+   
+
+   :param direction: Controls what sides of the connection to record. See
+              :zeek:id:`set_contents_file` for possible values.
+   
+
+   :returns: The :zeek:type:`file` handle for the contents file of the
+            connection identified by *cid*. If the connection exists
+            but there is no contents file for *direction*, then the function
+            generates an error and returns a file handle to ``stderr``.
+   
+   .. zeek:see:: set_contents_file set_record_packets contents_file_write_failure
+
+.. zeek:id:: get_orig_seq
+   :source-code: base/bif/plugins/Zeek_TCP.functions.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`count`
+
+   Get the originator sequence number of a TCP connection. Sequence numbers
+   are absolute (i.e., they reflect the values seen directly in packet headers;
+   they are not relative to the beginning of the connection).
+   
+
+   :param cid: The connection ID.
+   
+
+   :returns: The highest sequence number sent by a connection's originator, or 0
+            if *cid* does not point to an active TCP connection.
+   
+   .. zeek:see:: get_resp_seq
+
+.. zeek:id:: get_resp_seq
+   :source-code: base/bif/plugins/Zeek_TCP.functions.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`count`
+
+   Get the responder sequence number of a TCP connection. Sequence numbers
+   are absolute (i.e., they reflect the values seen directly in packet headers;
+   they are not relative to the beginning of the connection).
+   
+
+   :param cid: The connection ID.
+   
+
+   :returns: The highest sequence number sent by a connection's responder, or 0
+            if *cid* does not point to an active TCP connection.
+   
+   .. zeek:see:: get_orig_seq
+
+.. zeek:id:: set_contents_file
+   :source-code: base/bif/plugins/Zeek_TCP.functions.bif.zeek 64 64
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, direction: :zeek:type:`count`, f: :zeek:type:`file`) : :zeek:type:`bool`
+
+   Associates a file handle with a connection for writing TCP byte stream
+   contents.
+   
+
+   :param cid: The connection ID.
+   
+
+   :param direction: Controls what sides of the connection to record. The argument can
+              take one of the four values:
+   
+              - ``CONTENTS_NONE``: Stop recording the connection's content.
+              - ``CONTENTS_ORIG``: Record the data sent by the connection
+                originator (often the client).
+              - ``CONTENTS_RESP``: Record the data sent by the connection
+                responder (often the server).
+              - ``CONTENTS_BOTH``: Record the data sent in both directions.
+                Results in the two directions being intermixed in the file,
+                in the order the data was seen by Zeek.
+   
+
+   :param f: The file handle of the file to write the contents to.
+   
+
+   :returns: Returns false if *cid* does not point to an active connection, and
+            true otherwise.
+   
+   .. note::
+   
+       The data recorded to the file reflects the byte stream, not the
+       contents of individual packets. Reordering and duplicates are
+       removed. If any data is missing, the recording stops at the
+       missing data; this can happen, e.g., due to an
+       :zeek:id:`content_gap` event.
+   
+   .. zeek:see:: get_contents_file set_record_packets contents_file_write_failure
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek.rst
new file mode 100644
index 0000000000..07e1af1d8c
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_TCP.types.bif.zeek
+========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek.rst
new file mode 100644
index 0000000000..14a4f5e42c
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek.rst
@@ -0,0 +1,121 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Teredo.events.bif.zeek
+============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+======================================================= ===============================================================
+:zeek:id:`new_teredo_state`: :zeek:type:`event`         Generated when per connection Teredo state is created.
+:zeek:id:`teredo_authentication`: :zeek:type:`event`    Generated for IPv6 packets encapsulated in a Teredo tunnel that
+                                                        use the Teredo authentication encapsulation method.
+:zeek:id:`teredo_bubble`: :zeek:type:`event`            Generated for Teredo bubble packets.
+:zeek:id:`teredo_origin_indication`: :zeek:type:`event` Generated for IPv6 packets encapsulated in a Teredo tunnel that
+                                                        use the Teredo origin indication encapsulation method.
+:zeek:id:`teredo_packet`: :zeek:type:`event`            Generated for any IPv6 packet encapsulated in a Teredo tunnel.
+======================================================= ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: new_teredo_state
+   :source-code: base/packet-protocols/teredo/main.zeek 36 39
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when per connection Teredo state is created.
+   
+   This is primarily useful to install a connection removal hook to clear
+   internal per-connection Teredo state.
+   
+
+   :param c: The Teredo tunnel connection.
+
+.. zeek:id:: teredo_authentication
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 42 42
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for IPv6 packets encapsulated in a Teredo tunnel that
+   use the Teredo authentication encapsulation method.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: teredo_bubble
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 72 72
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for Teredo bubble packets.  That is, IPv6 packets encapsulated
+   in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: teredo_origin_indication
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 57 57
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for IPv6 packets encapsulated in a Teredo tunnel that
+   use the Teredo origin indication encapsulation method.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_authentication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: teredo_packet
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for any IPv6 packet encapsulated in a Teredo tunnel.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek.rst
new file mode 100644
index 0000000000..b49571fc5c
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek.rst
@@ -0,0 +1,30 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_Teredo.functions.bif.zeek
+===============================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: PacketAnalyzer::TEREDO
+
+
+:Namespaces: GLOBAL, PacketAnalyzer::TEREDO
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================================== =
+:zeek:id:`PacketAnalyzer::TEREDO::remove_teredo_connection`: :zeek:type:`function` 
+================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: PacketAnalyzer::TEREDO::remove_teredo_connection
+   :source-code: base/bif/plugins/Zeek_Teredo.functions.bif.zeek 9 9
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek.rst
new file mode 100644
index 0000000000..a3b312e36f
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek.rst
@@ -0,0 +1,103 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_UDP.events.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================== ===============================================================
+:zeek:id:`udp_contents`: :zeek:type:`event`                 Generated for UDP packets to pass on their payload.
+:zeek:id:`udp_multiple_checksum_errors`: :zeek:type:`event` Generated if a UDP flow crosses a checksum-error threshold, per
+                                                            'C'/'c' history reporting.
+:zeek:id:`udp_reply`: :zeek:type:`event`                    Generated for each packet sent by a UDP flow's responder.
+:zeek:id:`udp_request`: :zeek:type:`event`                  Generated for each packet sent by a UDP flow's originator.
+=========================================================== ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: udp_contents
+   :source-code: base/bif/plugins/Zeek_UDP.events.bif.zeek 43 43
+
+   :Type: :zeek:type:`event` (u: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, contents: :zeek:type:`string`)
+
+   Generated for UDP packets to pass on their payload. As the number of UDP
+   packets can be very large, this event is normally raised only for those on
+   ports configured in :zeek:id:`udp_content_delivery_ports_orig` (for packets
+   sent by the flow's originator) or :zeek:id:`udp_content_delivery_ports_resp`
+   (for packets sent by the flow's responder). However, delivery can be enabled
+   for all UDP request and reply packets by setting
+   :zeek:id:`udp_content_deliver_all_orig` or
+   :zeek:id:`udp_content_deliver_all_resp`, respectively. Note that this
+   event is also raised for all matching UDP packets, including empty ones.
+   
+
+   :param u: The connection record for the corresponding UDP flow.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param contents: TODO.
+   
+   .. zeek:see::  udp_reply udp_request udp_session_done
+      udp_content_deliver_all_orig udp_content_deliver_all_resp
+      udp_content_delivery_ports_orig udp_content_delivery_ports_resp
+
+.. zeek:id:: udp_multiple_checksum_errors
+   :source-code: base/bif/plugins/Zeek_UDP.events.bif.zeek 57 57
+
+   :Type: :zeek:type:`event` (u: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, threshold: :zeek:type:`count`)
+
+   Generated if a UDP flow crosses a checksum-error threshold, per
+   'C'/'c' history reporting.
+   
+
+   :param u: The connection record for the corresponding UDP flow.
+   
+
+   :param is_orig: True if the event is raised for the originator side.
+   
+
+   :param threshold: the threshold that was crossed
+   
+   .. zeek:see::  udp_reply udp_request udp_session_done
+      tcp_multiple_checksum_errors
+
+.. zeek:id:: udp_reply
+   :source-code: base/bif/plugins/Zeek_UDP.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (u: :zeek:type:`connection`)
+
+   Generated for each packet sent by a UDP flow's responder. This a potentially
+   expensive event due to the volume of UDP traffic and should be used with
+   care.
+   
+
+   :param u: The connection record for the corresponding UDP flow.
+   
+   .. zeek:see:: udp_contents  udp_request udp_session_done
+
+.. zeek:id:: udp_request
+   :source-code: base/bif/plugins/Zeek_UDP.events.bif.zeek 11 11
+
+   :Type: :zeek:type:`event` (u: :zeek:type:`connection`)
+
+   Generated for each packet sent by a UDP flow's originator. This a potentially
+   expensive event due to the volume of UDP traffic and should be used with
+   care.
+   
+
+   :param u: The connection record for the corresponding UDP flow.
+   
+   .. zeek:see:: udp_contents udp_reply  udp_session_done
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek.rst
new file mode 100644
index 0000000000..538f7f2e3f
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek.rst
@@ -0,0 +1,43 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_VXLAN.events.bif.zeek
+===========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+=========================================== ========================================================
+:zeek:id:`vxlan_packet`: :zeek:type:`event` Generated for any packet encapsulated in a VXLAN tunnel.
+=========================================== ========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: vxlan_packet
+   :source-code: base/bif/plugins/Zeek_VXLAN.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`pkt_hdr`, vni: :zeek:type:`count`)
+
+   Generated for any packet encapsulated in a VXLAN tunnel.
+   See :rfc:`7348` for more information about the VXLAN protocol.
+   
+
+   :param outer: The VXLAN tunnel connection.
+   
+
+   :param inner: The VXLAN-encapsulated Ethernet packet header and transport header.
+   
+
+   :param vni: VXLAN Network Identifier.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek.rst
new file mode 100644
index 0000000000..ced8ad70fd
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_WebSocket.consts.bif.zeek
+===============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek.rst
new file mode 100644
index 0000000000..a58890846f
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek.rst
@@ -0,0 +1,130 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_WebSocket.events.bif.zeek
+===============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+==================================================== ==========================================================
+:zeek:id:`websocket_close`: :zeek:type:`event`       Generated for WebSocket Close frames.
+:zeek:id:`websocket_established`: :zeek:type:`event` Generated when a WebSocket handshake completed.
+:zeek:id:`websocket_frame`: :zeek:type:`event`       Generated for every WebSocket frame.
+:zeek:id:`websocket_frame_data`: :zeek:type:`event`  Generated for every chunk of WebSocket frame payload data.
+:zeek:id:`websocket_message`: :zeek:type:`event`     Generated for every completed WebSocket message.
+==================================================== ==========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: websocket_close
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 72 72
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, status: :zeek:type:`count`, reason: :zeek:type:`string`)
+
+   Generated for WebSocket Close frames.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param is_orig: True if the frame is from the originator, else false.
+   
+
+   :param status: If the CloseFrame had no payload, this is 0, otherwise the value
+           of the first two bytes in the frame's payload.
+   
+
+   :param reason: Remaining payload after *status*. This is capped at
+           2 bytes less than :zeek:see:`WebSocket::payload_chunk_size`.
+   
+   .. zeek:see:: WebSocket::payload_chunk_size
+
+.. zeek:id:: websocket_established
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 11 11
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, aid: :zeek:type:`count`)
+
+   Generated when a WebSocket handshake completed.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param aid: The analyzer identifier of the WebSocket analyzer.
+   
+   .. zeek:see:: WebSocket::__configure_analyzer WebSocket::configure_analyzer
+
+.. zeek:id:: websocket_frame
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 28 28
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, fin: :zeek:type:`bool`, rsv: :zeek:type:`count`, opcode: :zeek:type:`count`, payload_len: :zeek:type:`count`)
+
+   Generated for every WebSocket frame.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param is_orig: True if the frame is from the originator, else false.
+   
+
+   :param fin: True if the fin bit is set, else false.
+   
+
+   :param rsv: The value of the RSV1, RSV2 and RSV3 bits.
+   
+
+   :param opcode: The frame's opcode.
+   
+
+   :param payload_len: The frame's payload length.
+   
+
+.. zeek:id:: websocket_frame_data
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 45 45
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, data: :zeek:type:`string`)
+
+   Generated for every chunk of WebSocket frame payload data.
+   
+   Do not use it to extract data from a WebSocket connection unless for testing
+   or experimentation. Consider implementing a proper analyzer instead.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param is_orig: True if the frame is from the originator, else false.
+   
+
+   :param data: One data chunk of frame payload. The length of is at most
+         :zeek:see:`WebSocket::payload_chunk_size` bytes. A frame with
+         a longer payload will result in multiple events events.
+   
+   .. zeek:see:: WebSocket::payload_chunk_size
+
+.. zeek:id:: websocket_message
+   :source-code: base/bif/plugins/Zeek_WebSocket.events.bif.zeek 56 56
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, opcode: :zeek:type:`count`)
+
+   Generated for every completed WebSocket message.
+   
+
+   :param c: The WebSocket connection.
+   
+
+   :param is_orig: True if the frame is from the originator, else false.
+   
+
+   :param opcode: The first frame's opcode.
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek.rst
new file mode 100644
index 0000000000..d7b3e23a4b
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek.rst
@@ -0,0 +1,48 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_WebSocket.functions.bif.zeek
+==================================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: WebSocket
+
+
+:Namespaces: GLOBAL, WebSocket
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================= =================================
+:zeek:id:`WebSocket::__configure_analyzer`: :zeek:type:`function` Configure the WebSocket analyzer.
+================================================================= =================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: WebSocket::__configure_analyzer
+   :source-code: base/bif/plugins/Zeek_WebSocket.functions.bif.zeek 24 24
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, aid: :zeek:type:`count`, config: :zeek:type:`WebSocket::AnalyzerConfig`) : :zeek:type:`bool`
+
+   Configure the WebSocket analyzer.
+   
+   Called during :zeek:see:`websocket_established` to configure
+   the WebSocket analyzer given the selected protocol and extension
+   as chosen by the server.
+   
+
+   :param c: The WebSocket connection.
+
+   :param aid: The identifier for the WebSocket analyzer as provided to :zeek:see:`websocket_established`.
+   
+
+   :param server_protocol: The protocol as found in the server's Sec-WebSocket-Protocol HTTP header, or empty.
+   
+
+   :param server_extensions: The extension as selected by the server via the Sec-WebSocket-Extensions HTTP Header.
+   
+   .. zeek:see:: websocket_established
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek.rst
new file mode 100644
index 0000000000..09676de26f
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_WebSocket.types.bif.zeek
+==============================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: WebSocket
+
+
+:Namespaces: GLOBAL, WebSocket
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_X509.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_X509.events.bif.zeek.rst
new file mode 100644
index 0000000000..7dc3a546d2
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_X509.events.bif.zeek.rst
@@ -0,0 +1,150 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_X509.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+========================================================================= ================================================================================
+:zeek:id:`x509_certificate`: :zeek:type:`event`                           Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
+                                                                          connection handshake.
+:zeek:id:`x509_ext_basic_constraints`: :zeek:type:`event`                 Generated for the X509 basic constraints extension seen in a certificate.
+:zeek:id:`x509_ext_subject_alternative_name`: :zeek:type:`event`          Generated for the X509 subject alternative name extension seen in a certificate.
+:zeek:id:`x509_extension`: :zeek:type:`event`                             Generated for X509 extensions seen in a certificate.
+:zeek:id:`x509_ocsp_ext_signed_certificate_timestamp`: :zeek:type:`event` Generated for the signed_certificate_timestamp X509 extension as defined in
+                                                                          :rfc:`6962`.
+========================================================================= ================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: x509_certificate
+   :source-code: base/bif/plugins/Zeek_X509.events.bif.zeek 20 20
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, cert_ref: :zeek:type:`opaque` of x509, cert: :zeek:type:`X509::Certificate`)
+
+   Generated for encountered X509 certificates, e.g., in the clear SSL/TLS
+   connection handshake.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
+   about the X.509 format.
+   
+
+   :param f: The file.
+   
+
+   :param cert_ref: An opaque pointer to the underlying OpenSSL data structure of the
+             certificate.
+   
+
+   :param cert: The parsed certificate information.
+   
+   .. zeek:see:: x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse x509_verify
+                x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: x509_ext_basic_constraints
+   :source-code: base/files/x509/main.zeek 214 221
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ext: :zeek:type:`X509::BasicConstraints`)
+
+   Generated for the X509 basic constraints extension seen in a certificate.
+   This extension can be used to identify the subject of a certificate as a CA.
+   
+
+   :param f: The file.
+   
+
+   :param ext: The parsed basic constraints extension.
+   
+   .. zeek:see:: x509_certificate x509_extension
+                x509_ext_subject_alternative_name x509_parse x509_verify
+                x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: x509_ext_subject_alternative_name
+   :source-code: base/bif/plugins/Zeek_X509.events.bif.zeek 63 63
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ext: :zeek:type:`X509::SubjectAlternativeName`)
+
+   Generated for the X509 subject alternative name extension seen in a certificate.
+   This extension can be used to allow additional entities to be bound to the
+   subject of the certificate. Usually it is used to specify one or multiple DNS
+   names for which a certificate is valid.
+   
+
+   :param f: The file.
+   
+
+   :param ext: The parsed subject alternative name extension.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
+                x509_get_certificate_string
+
+.. zeek:id:: x509_extension
+   :source-code: base/files/x509/main.zeek 205 212
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ext: :zeek:type:`X509::Extension`)
+
+   Generated for X509 extensions seen in a certificate.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
+   about the X.509 format.
+   
+
+   :param f: The file.
+   
+
+   :param ext: The parsed extension.
+   
+   .. zeek:see:: x509_certificate x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse x509_verify
+                x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: x509_ocsp_ext_signed_certificate_timestamp
+   :source-code: base/bif/plugins/Zeek_X509.events.bif.zeek 92 92
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, version: :zeek:type:`count`, logid: :zeek:type:`string`, timestamp: :zeek:type:`count`, hash_algorithm: :zeek:type:`count`, signature_algorithm: :zeek:type:`count`, signature: :zeek:type:`string`)
+
+   Generated for the signed_certificate_timestamp X509 extension as defined in
+   :rfc:`6962`. The extension is used to transmit signed proofs that are
+   used for Certificate Transparency. Raised when the extension is encountered
+   in an X.509 certificate or in an OCSP reply.
+   
+
+   :param f: The file.
+   
+
+   :param version: the version of the protocol to which the SCT conforms. Always
+            should be 0 (representing version 1)
+   
+
+   :param logid: 32 bit key id
+   
+
+   :param timestamp: the NTP Time when the entry was logged measured since
+              the epoch, ignoring leap seconds, in milliseconds.
+   
+
+   :param signature_and_hashalgorithm: signature and hash algorithm used for the
+                                digitally_signed struct
+   
+
+   :param signature: signature part of the digitally_signed struct
+   
+   .. zeek:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
+                x509_parse x509_verify x509_ext_subject_alternative_name
+                x509_get_certificate_string ssl_extension_signed_certificate_timestamp
+                sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
+                ocsp_response_bytes ocsp_response_certificate
+                x509_ocsp_ext_signed_certificate_timestamp
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek.rst
new file mode 100644
index 0000000000..e86f6292fb
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek.rst
@@ -0,0 +1,331 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_X509.functions.bif.zeek
+=============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================================= ================================================================================================
+:zeek:id:`sct_verify`: :zeek:type:`function`                              Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
+:zeek:id:`x509_check_cert_hostname`: :zeek:type:`function`                This function checks if a hostname matches one of the hostnames given in the certificate.
+:zeek:id:`x509_check_hostname`: :zeek:type:`function`                     This function checks a hostname against the name given in a certificate subject/SAN, including
+                                                                          our interpretation of RFC6128 wildcard expansions.
+:zeek:id:`x509_from_der`: :zeek:type:`function`                           Constructs an opaque of X509 from a der-formatted string.
+:zeek:id:`x509_get_certificate_string`: :zeek:type:`function`             Returns the string form of a certificate.
+:zeek:id:`x509_issuer_name_hash`: :zeek:type:`function`                   Get the hash of the issuer's distinguished name.
+:zeek:id:`x509_ocsp_verify`: :zeek:type:`function`                        Verifies an OCSP reply.
+:zeek:id:`x509_parse`: :zeek:type:`function`                              Parses a certificate into an X509::Certificate structure.
+:zeek:id:`x509_set_certificate_cache`: :zeek:type:`function`              This function can be used to set up certificate caching.
+:zeek:id:`x509_set_certificate_cache_hit_callback`: :zeek:type:`function` This function sets up the callback that is called when an entry is matched against the table set
+                                                                          by :zeek:id:`x509_set_certificate_cache`.
+:zeek:id:`x509_spki_hash`: :zeek:type:`function`                          Get the hash of the Subject Public Key Information of the certificate.
+:zeek:id:`x509_subject_name_hash`: :zeek:type:`function`                  Get the hash of the subject's distinguished name.
+:zeek:id:`x509_verify`: :zeek:type:`function`                             Verifies a certificate.
+========================================================================= ================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: sct_verify
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 104 104
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, logid: :zeek:type:`string`, log_key: :zeek:type:`string`, signature: :zeek:type:`string`, timestamp: :zeek:type:`count`, hash_algorithm: :zeek:type:`count`, issuer_key_hash: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
+   See RFC6962 for more details.
+   
+
+   :param cert: Certificate against which the SCT should be validated.
+   
+
+   :param logid: Log id of the SCT.
+   
+
+   :param log_key: Public key of the Log that issued the SCT proof.
+   
+
+   :param timestamp: Timestamp at which the proof was generated.
+   
+
+   :param hash_algorithm: Hash algorithm that was used for the SCT proof.
+   
+
+   :param issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
+                    This only has to be provided if the SCT was encountered in an X.509
+                    certificate extension; in that case, it is necessary for validation.
+   
+
+   :returns: T if the validation could be performed successfully, F otherwise.
+   
+   .. zeek:see:: ssl_extension_signed_certificate_timestamp
+                x509_ocsp_ext_signed_certificate_timestamp
+                x509_verify
+
+.. zeek:id:: x509_check_cert_hostname
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 216 216
+
+   :Type: :zeek:type:`function` (cert_opaque: :zeek:type:`opaque` of x509, hostname: :zeek:type:`string`) : :zeek:type:`string`
+
+   This function checks if a hostname matches one of the hostnames given in the certificate.
+   
+   For our matching we adhere to RFC6128 for the labels (see :zeek:id:`x509_check_hostname`).
+   Furthermore we adhere to RFC2818 and check only the names given in the SAN, if a SAN is present,
+   ignoring CNs in the Subject. If no SAN is present, we will use the last CN in the subject
+   for our tests.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param hostname: Hostname to check
+   
+
+   :returns: empty string if the hostname does not match; matched name (which can contain wildcards)
+            if it did.
+   
+   .. zeek:see:: x509_check_hostname
+
+.. zeek:id:: x509_check_hostname
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 198 198
+
+   :Type: :zeek:type:`function` (hostname: :zeek:type:`string`, certname: :zeek:type:`string`) : :zeek:type:`bool`
+
+   This function checks a hostname against the name given in a certificate subject/SAN, including
+   our interpretation of RFC6128 wildcard expansions. This specifically means that wildcards are
+   only allowed in the leftmost label, wildcards only span one label, the wildcard has to be the
+   last character before the label-separator, but additional characters are allowed before it, and
+   the wildcard has to be at least at the third level (so \*.a.b).
+   
+
+   :param hostname: Hostname to test
+   
+
+   :param certname: Name given in the CN/SAN of a certificate; wildcards will be expanded
+   
+
+   :returns: True if the hostname matches.
+   
+   .. zeek:see:: x509_check_cert_hostname
+
+.. zeek:id:: x509_from_der
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 25 25
+
+   :Type: :zeek:type:`function` (der: :zeek:type:`string`) : :zeek:type:`opaque` of x509
+
+   Constructs an opaque of X509 from a der-formatted string.
+   
+
+   :param Note: this function is mostly meant for testing purposes
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_verify
+                x509_get_certificate_string x509_parse
+
+.. zeek:id:: x509_get_certificate_string
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, pem: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Returns the string form of a certificate.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param pem: A boolean that specifies if the certificate is returned
+        in pem-form (true), or as the raw ASN1 encoded binary
+        (false).
+   
+
+   :returns: X509 certificate as a string.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse x509_verify
+
+.. zeek:id:: x509_issuer_name_hash
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 135 135
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, hash_alg: :zeek:type:`count`) : :zeek:type:`string`
+
+   Get the hash of the issuer's distinguished name.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param hash_alg: the hash algorithm to use, according to the IANA mapping at
+
+             :param https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+   
+
+   :returns: The hash as a string.
+   
+   .. zeek:see:: x509_subject_name_hash x509_spki_hash
+                x509_verify sct_verify
+
+.. zeek:id:: x509_ocsp_verify
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 59 59
+
+   :Type: :zeek:type:`function` (certs: :zeek:type:`x509_opaque_vector`, ocsp_reply: :zeek:type:`string`, root_certs: :zeek:type:`table_string_of_string`, verify_time: :zeek:type:`time` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`) : :zeek:type:`X509::Result`
+
+   Verifies an OCSP reply.
+   
+
+   :param certs: Specifies the certificate chain to use. Server certificate first.
+   
+
+   :param ocsp_reply: the ocsp reply to validate.
+   
+
+   :param root_certs: A list of root certificates to validate the certificate chain.
+   
+
+   :param verify_time: Time for the validity check of the certificates.
+   
+
+   :returns: A record of type X509::Result containing the result code of the
+            verify operation.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse
+                x509_get_certificate_string x509_verify
+
+.. zeek:id:: x509_parse
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509) : :zeek:type:`X509::Certificate`
+
+   Parses a certificate into an X509::Certificate structure.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :returns: A X509::Certificate structure.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_verify
+                x509_get_certificate_string
+
+.. zeek:id:: x509_set_certificate_cache
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 168 168
+
+   :Type: :zeek:type:`function` (tbl: :zeek:type:`string_any_table`) : :zeek:type:`bool`
+
+   This function can be used to set up certificate caching. It has to be passed a table[string] which
+   can contain any type.
+   
+   After this is set up, for each certificate encountered, the X509 analyzer will check if the entry
+   tbl[sha256 of certificate] is set. If this is the case, the X509 analyzer will skip all further
+   processing, and instead just call the callback that is set with
+
+   :param zeek:id:`x509_set_certificate_cache_hit_callback`.
+   
+
+   :param tbl: Table to use as the certificate cache.
+   
+
+   :returns: Always returns true.
+   
+   .. note:: The base scripts use this function to set up certificate caching. You should only change the
+             cache table if you are sure you will not conflict with the base scripts.
+   
+   .. zeek:see:: x509_set_certificate_cache_hit_callback
+
+.. zeek:id:: x509_set_certificate_cache_hit_callback
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 182 182
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string_any_file_hook`) : :zeek:type:`bool`
+
+   This function sets up the callback that is called when an entry is matched against the table set
+   by :zeek:id:`x509_set_certificate_cache`.
+   
+
+   :param f: The callback that will be called when encountering a certificate in the cache table.
+   
+
+   :returns: Always returns true.
+   
+   .. note:: The base scripts use this function to set up certificate caching. You should only change the
+             callback function if you are sure you will not conflict with the base scripts.
+   
+   .. zeek:see:: x509_set_certificate_cache
+
+.. zeek:id:: x509_spki_hash
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 149 149
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, hash_alg: :zeek:type:`count`) : :zeek:type:`string`
+
+   Get the hash of the Subject Public Key Information of the certificate.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param hash_alg: the hash algorithm to use, according to the IANA mapping at
+
+             :param https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+   
+
+   :returns: The hash as a string.
+   
+   .. zeek:see:: x509_subject_name_hash x509_issuer_name_hash
+                x509_verify sct_verify
+
+.. zeek:id:: x509_subject_name_hash
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 121 121
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`opaque` of x509, hash_alg: :zeek:type:`count`) : :zeek:type:`string`
+
+   Get the hash of the subject's distinguished name.
+   
+
+   :param cert: The X509 certificate opaque handle.
+   
+
+   :param hash_alg: the hash algorithm to use, according to the IANA mapping at
+
+             :param https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+   
+
+   :returns: The hash as a string.
+   
+   .. zeek:see:: x509_issuer_name_hash x509_spki_hash
+                x509_verify sct_verify
+
+.. zeek:id:: x509_verify
+   :source-code: base/bif/plugins/Zeek_X509.functions.bif.zeek 79 79
+
+   :Type: :zeek:type:`function` (certs: :zeek:type:`x509_opaque_vector`, root_certs: :zeek:type:`table_string_of_string`, verify_time: :zeek:type:`time` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`) : :zeek:type:`X509::Result`
+
+   Verifies a certificate.
+   
+
+   :param certs: Specifies a certificate chain that is being used to validate
+          the given certificate against the root store given in *root_certs*.
+          The host certificate has to be at index 0.
+   
+
+   :param root_certs: A list of root certificates to validate the certificate chain.
+   
+
+   :param verify_time: Time for the validity check of the certificates.
+   
+
+   :returns: A record of type X509::Result containing the result code of the
+            verify operation. In case of success also returns the full
+            certificate chain.
+   
+   .. zeek:see:: x509_certificate x509_extension x509_ext_basic_constraints
+                x509_ext_subject_alternative_name x509_parse
+                x509_get_certificate_string x509_ocsp_verify sct_verify
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek.rst
new file mode 100644
index 0000000000..32ea256cac
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek.rst
@@ -0,0 +1,196 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek
+===============================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+======================================================== ===========================================================================================
+:zeek:id:`ocsp_extension`: :zeek:type:`event`            This event is raised when an OCSP extension is encountered in an OCSP response.
+:zeek:id:`ocsp_request`: :zeek:type:`event`              Event that is raised when encountering an OCSP request, e.g.
+:zeek:id:`ocsp_request_certificate`: :zeek:type:`event`  Event that is raised when encountering an OCSP request for a certificate,
+                                                         e.g.
+:zeek:id:`ocsp_response_bytes`: :zeek:type:`event`       This event is raised when encountering an OCSP response that contains response information.
+:zeek:id:`ocsp_response_certificate`: :zeek:type:`event` This event is raised for each SingleResponse contained in an OCSP response.
+:zeek:id:`ocsp_response_status`: :zeek:type:`event`      This event is raised when encountering an OCSP reply, e.g.
+======================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: ocsp_extension
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 122 122
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, ext: :zeek:type:`X509::Extension`, global_resp: :zeek:type:`bool`)
+
+   This event is raised when an OCSP extension is encountered in an OCSP response.
+   See :rfc:`6960` for more details on OCSP.
+   
+
+   :param f: The file.
+   
+
+   :param ext: The parsed extension (same format as X.509 extensions).
+   
+
+   :param global_resp: T if extension encountered in the global response (in ResponseData),
+                F when encountered in a SingleResponse.
+   
+   .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+                ocsp_response_bytes ocsp_response_certificate
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_request
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 16 16
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, version: :zeek:type:`count`)
+
+   Event that is raised when encountering an OCSP request, e.g. in an HTTP
+   connection. See :rfc:`6960` for more details.
+   
+   This event is raised exactly once for each OCSP Request.
+   
+
+   :param f: The file.
+   
+
+   :param req: version: the version of the OCSP request. Typically 0 (Version 1).
+   
+   .. zeek:see:: ocsp_request_certificate ocsp_response_status
+                ocsp_response_bytes ocsp_response_certificate ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_request_certificate
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 37 37
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, hashAlgorithm: :zeek:type:`string`, issuerNameHash: :zeek:type:`string`, issuerKeyHash: :zeek:type:`string`, serialNumber: :zeek:type:`string`)
+
+   Event that is raised when encountering an OCSP request for a certificate,
+   e.g. in an HTTP connection. See :rfc:`6960` for more details.
+   
+   Note that a single OCSP request can contain requests for several certificates.
+   Thus this event can fire several times for one OCSP request, each time
+   requesting information for a different (or in theory even the same) certificate.
+   
+
+   :param f: The file.
+   
+
+   :param hashAlgorithm: The hash algorithm used for the issuerKeyHash.
+   
+
+   :param issuerKeyHash: Hash of the issuers public key.
+   
+
+   :param serialNumber: Serial number of the certificate for which the status is requested.
+   
+   .. zeek:see:: ocsp_request ocsp_response_status
+                ocsp_response_bytes ocsp_response_certificate ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_response_bytes
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 77 77
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, status: :zeek:type:`string`, version: :zeek:type:`count`, responderId: :zeek:type:`string`, producedAt: :zeek:type:`time`, signatureAlgorithm: :zeek:type:`string`, certs: :zeek:type:`x509_opaque_vector`)
+
+   This event is raised when encountering an OCSP response that contains response information.
+   An OCSP reply can be encountered, for example, in an HTTP connection or
+   a TLS extension. See :rfc:`6960` for more details on OCSP.
+   
+
+   :param f: The file.
+   
+
+   :param status: The status of the OCSP response (e.g. successful, malformedRequest, tryLater).
+   
+
+   :param version: Version of the OCSP response (typically - for version 1).
+   
+
+   :param responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
+   
+
+   :param producedAt: Time at which the reply was produced.
+   
+
+   :param signatureAlgorithm: Algorithm used for the OCSP signature.
+   
+
+   :param certs: Optional list of certificates that are sent with the OCSP response; these typically
+          are needed to perform validation of the reply.
+   
+   .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+                ocsp_response_certificate ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_response_certificate
+   :source-code: base/files/x509/log-ocsp.zeek 47 61
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, hashAlgorithm: :zeek:type:`string`, issuerNameHash: :zeek:type:`string`, issuerKeyHash: :zeek:type:`string`, serialNumber: :zeek:type:`string`, certStatus: :zeek:type:`string`, revokeTime: :zeek:type:`time`, revokeReason: :zeek:type:`string`, thisUpdate: :zeek:type:`time`, nextUpdate: :zeek:type:`time`)
+
+   This event is raised for each SingleResponse contained in an OCSP response.
+   See :rfc:`6960` for more details on OCSP.
+   
+
+   :param f: The file.
+   
+
+   :param hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
+   
+
+   :param issuerNameHash: Hash of the issuer's distinguished name.
+   
+
+   :param issuerKeyHash: Hash of the issuer's public key.
+   
+
+   :param serialNumber: Serial number of the affected certificate.
+   
+
+   :param certStatus: Status of the certificate.
+   
+
+   :param revokeTime: Time the certificate was revoked, 0 if not revoked.
+   
+
+   :param revokeReason: Reason certificate was revoked; empty string if not revoked or not specified.
+   
+
+   :param thisUpdate: Time this response was generated.
+   
+
+   :param nextUpdate: Time next response will be ready; 0 if not supplied.
+   
+   .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+                ocsp_response_bytes ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+.. zeek:id:: ocsp_response_status
+   :source-code: base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek 52 52
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, status: :zeek:type:`string`)
+
+   This event is raised when encountering an OCSP reply, e.g. in an HTTP
+   connection or a TLS extension. See :rfc:`6960` for more details.
+   
+   This event is raised exactly once for each OCSP reply.
+   
+
+   :param f: The file.
+   
+
+   :param status: The status of the OCSP response (e.g. successful, malformedRequest, tryLater).
+   
+   .. zeek:see:: ocsp_request ocsp_request_certificate
+                ocsp_response_bytes ocsp_response_certificate ocsp_extension
+                x509_ocsp_ext_signed_certificate_timestamp
+
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek.rst
new file mode 100644
index 0000000000..f0862e3137
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_X509.types.bif.zeek
+=========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek.rst b/doc/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek.rst
new file mode 100644
index 0000000000..8b02f2f0c3
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek.rst
@@ -0,0 +1,35 @@
+:tocdepth: 3
+
+base/bif/plugins/Zeek_XMPP.events.bif.zeek
+==========================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Events
+######
+============================================ ==================================================================
+:zeek:id:`xmpp_starttls`: :zeek:type:`event` Generated when a XMPP connection goes encrypted after a successful
+                                             StartTLS exchange between the client and the server.
+============================================ ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: xmpp_starttls
+   :source-code: base/bif/plugins/Zeek_XMPP.events.bif.zeek 8 8
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a XMPP connection goes encrypted after a successful
+   StartTLS exchange between the client and the server.
+   
+
+   :param c: The connection.
+
+
diff --git a/doc/scripts/base/bif/plugins/__load__.zeek.rst b/doc/scripts/base/bif/plugins/__load__.zeek.rst
new file mode 100644
index 0000000000..d891466aeb
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/bif/plugins/__load__.zeek
+==============================
+
+
+:Imports: :doc:`base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek </scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek>`, :doc:`base/bif/plugins/Zeek_ARP.events.bif.zeek </scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek </scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek>`, :doc:`base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek </scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek>`, :doc:`base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek </scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek>`, :doc:`base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek </scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek>`, :doc:`base/bif/plugins/Zeek_BitTorrent.events.bif.zeek </scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek </scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek </scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_ConfigReader.config.bif.zeek </scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek>`, :doc:`base/bif/plugins/Zeek_ConnSize.events.bif.zeek </scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_ConnSize.functions.bif.zeek </scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek>`, :doc:`base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_DHCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_DHCP.types.bif.zeek </scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_DNP3.events.bif.zeek </scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_DNS.events.bif.zeek </scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_FTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_FTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_File.events.bif.zeek </scripts/base/bif/plugins/Zeek_File.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_FileEntropy.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_FileExtract.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_FileExtract.functions.bif.zeek </scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_FileHash.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_GSSAPI.events.bif.zeek </scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_GTPv1.events.bif.zeek </scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_GTPv1.functions.bif.zeek </scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Geneve.events.bif.zeek </scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Geneve.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Gnutella.events.bif.zeek </scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_HTTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_HTTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_ICMP.events.bif.zeek </scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_IMAP.events.bif.zeek </scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_IRC.events.bif.zeek </scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Ident.events.bif.zeek </scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek </scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek>`, :doc:`base/bif/plugins/Zeek_KRB.events.bif.zeek </scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_KRB.types.bif.zeek </scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Login.events.bif.zeek </scripts/base/bif/plugins/Zeek_Login.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Login.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_MIME.consts.bif.zeek </scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek>`, :doc:`base/bif/plugins/Zeek_MIME.events.bif.zeek </scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_MQTT.events.bif.zeek </scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_MQTT.types.bif.zeek </scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Modbus.events.bif.zeek </scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_MySQL.events.bif.zeek </scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NCP.consts.bif.zeek </scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NTLM.events.bif.zeek </scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NTLM.types.bif.zeek </scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NTP.types.bif.zeek </scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NetBIOS.events.bif.zeek </scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek </scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_NoneWriter.none.bif.zeek </scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek>`, :doc:`base/bif/plugins/Zeek_PE.events.bif.zeek </scripts/base/bif/plugins/Zeek_PE.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_POP3.consts.bif.zeek </scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek>`, :doc:`base/bif/plugins/Zeek_POP3.events.bif.zeek </scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_PPPoE.functions.bif.zeek </scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_RADIUS.events.bif.zeek </scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_RDP.events.bif.zeek </scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_RDP.types.bif.zeek </scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_RFB.events.bif.zeek </scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_RPC.events.bif.zeek </scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_RawReader.raw.bif.zeek </scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SIP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMB.types.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMTP.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SMTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SNMP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SNMP.types.bif.zeek </scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SOCKS.events.bif.zeek </scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek </scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek </scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SSH.events.bif.zeek </scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SSH.types.bif.zeek </scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SSL.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SSL.events.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SSL.functions.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SSL.types.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_StreamEvent.events.bif.zeek </scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_TCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_TCP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_TCP.types.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Teredo.events.bif.zeek </scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Teredo.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_UDP.events.bif.zeek </scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_VXLAN.events.bif.zeek </scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_WebSocket.consts.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek>`, :doc:`base/bif/plugins/Zeek_WebSocket.events.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_WebSocket.functions.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_WebSocket.types.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_X509.events.bif.zeek </scripts/base/bif/plugins/Zeek_X509.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_X509.functions.bif.zeek </scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek>`, :doc:`base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek </scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_X509.types.bif.zeek </scripts/base/bif/plugins/Zeek_X509.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_XMPP.events.bif.zeek </scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/plugins/index.rst b/doc/scripts/base/bif/plugins/index.rst
new file mode 100644
index 0000000000..bda604603a
--- /dev/null
+++ b/doc/scripts/base/bif/plugins/index.rst
@@ -0,0 +1,409 @@
+:orphan:
+
+Package: base/bif/plugins
+=========================
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/__load__.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_File.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek`
+
+   Internal functions used by the extraction file analyzer.
+
+:doc:`/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_X509.events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek`
+
+
+:doc:`/scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek`
+
+
diff --git a/doc/scripts/base/bif/reporter.bif.zeek.rst b/doc/scripts/base/bif/reporter.bif.zeek.rst
new file mode 100644
index 0000000000..f93ae9a241
--- /dev/null
+++ b/doc/scripts/base/bif/reporter.bif.zeek.rst
@@ -0,0 +1,312 @@
+:tocdepth: 3
+
+base/bif/reporter.bif.zeek
+==========================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Reporter
+
+The reporter built-in functions allow for the scripting layer to
+generate messages of varying severity.  If no event handlers
+exist for reporter messages, the messages are output to stderr.
+If event handlers do exist, it's assumed they take care of determining
+how/where to output the messages.
+
+See :doc:`/scripts/base/frameworks/reporter/main.zeek` for a convenient
+reporter message logging framework.
+
+:Namespaces: GLOBAL, Reporter
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================================== =========================================================================
+:zeek:id:`Reporter::conn_weird`: :zeek:type:`function`                     Generates a "conn" weird.
+:zeek:id:`Reporter::error`: :zeek:type:`function`                          Generates a usually non-fatal error indicative of a definite problem that
+                                                                           should be addressed.
+:zeek:id:`Reporter::fatal`: :zeek:type:`function`                          Generates a fatal error on stderr and terminates program execution.
+:zeek:id:`Reporter::fatal_error_with_core`: :zeek:type:`function`          Generates a fatal error on stderr and terminates program execution
+                                                                           after dumping a core file
+:zeek:id:`Reporter::file_weird`: :zeek:type:`function`                     Generates a "file" weird.
+:zeek:id:`Reporter::flow_weird`: :zeek:type:`function`                     Generates a "flow" weird.
+:zeek:id:`Reporter::get_weird_sampling_duration`: :zeek:type:`function`    Gets the current weird sampling duration.
+:zeek:id:`Reporter::get_weird_sampling_global_list`: :zeek:type:`function` Gets the weird sampling global list
+:zeek:id:`Reporter::get_weird_sampling_rate`: :zeek:type:`function`        Gets the current weird sampling rate.
+:zeek:id:`Reporter::get_weird_sampling_threshold`: :zeek:type:`function`   Gets the current weird sampling threshold
+:zeek:id:`Reporter::get_weird_sampling_whitelist`: :zeek:type:`function`   Gets the weird sampling whitelist
+:zeek:id:`Reporter::info`: :zeek:type:`function`                           Generates an informational message.
+:zeek:id:`Reporter::net_weird`: :zeek:type:`function`                      Generates a "net" weird.
+:zeek:id:`Reporter::set_weird_sampling_duration`: :zeek:type:`function`    Sets the current weird sampling duration.
+:zeek:id:`Reporter::set_weird_sampling_global_list`: :zeek:type:`function` Sets the weird sampling global list
+:zeek:id:`Reporter::set_weird_sampling_rate`: :zeek:type:`function`        Sets the weird sampling rate.
+:zeek:id:`Reporter::set_weird_sampling_threshold`: :zeek:type:`function`   Sets the current weird sampling threshold
+:zeek:id:`Reporter::set_weird_sampling_whitelist`: :zeek:type:`function`   Sets the weird sampling whitelist
+:zeek:id:`Reporter::warning`: :zeek:type:`function`                        Generates a message that warns of a potential problem.
+========================================================================== =========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Reporter::conn_weird
+   :source-code: base/bif/reporter.bif.zeek 96 96
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`, c: :zeek:type:`connection`, addl: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`, source: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Generates a "conn" weird.
+   
+
+   :param name: the name of the weird.
+   
+
+   :param c: the connection associated with the weird.
+   
+
+   :param addl: additional information to accompany the weird.
+   
+
+   :returns: Always true.
+
+.. zeek:id:: Reporter::error
+   :source-code: base/bif/reporter.bif.zeek 47 47
+
+   :Type: :zeek:type:`function` (msg: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Generates a usually non-fatal error indicative of a definite problem that
+   should be addressed. Program execution does not terminate unless the error
+   is reported during initialization (e.g., :zeek:see:`zeek_init`).
+   
+
+   :param msg: The error message to report.
+   
+
+   :returns: Always true.
+   
+   .. zeek:see:: reporter_error
+
+.. zeek:id:: Reporter::fatal
+   :source-code: base/bif/reporter.bif.zeek 55 55
+
+   :Type: :zeek:type:`function` (msg: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Generates a fatal error on stderr and terminates program execution.
+   
+
+   :param msg: The error message to report.
+   
+
+   :returns: Always true.
+
+.. zeek:id:: Reporter::fatal_error_with_core
+   :source-code: base/bif/reporter.bif.zeek 64 64
+
+   :Type: :zeek:type:`function` (msg: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Generates a fatal error on stderr and terminates program execution
+   after dumping a core file
+   
+
+   :param msg: The error message to report.
+   
+
+   :returns: Always true.
+
+.. zeek:id:: Reporter::file_weird
+   :source-code: base/bif/reporter.bif.zeek 108 108
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`, f: :zeek:type:`fa_file`, addl: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`, source: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Generates a "file" weird.
+   
+
+   :param name: the name of the weird.
+   
+
+   :param f: the file associated with the weird.
+   
+
+   :param addl: additional information to accompany the weird.
+   
+
+   :returns: true if the file was still valid, else false.
+
+.. zeek:id:: Reporter::flow_weird
+   :source-code: base/bif/reporter.bif.zeek 84 84
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`, orig: :zeek:type:`addr`, resp: :zeek:type:`addr`, addl: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`, source: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Generates a "flow" weird.
+   
+
+   :param name: the name of the weird.
+   
+
+   :param orig: the originator host associated with the weird.
+   
+
+   :param resp: the responder host associated with the weird.
+   
+
+   :returns: Always true.
+
+.. zeek:id:: Reporter::get_weird_sampling_duration
+   :source-code: base/bif/reporter.bif.zeek 171 171
+
+   :Type: :zeek:type:`function` () : :zeek:type:`interval`
+
+   Gets the current weird sampling duration.
+   
+
+   :returns: weird sampling duration.
+
+.. zeek:id:: Reporter::get_weird_sampling_global_list
+   :source-code: base/bif/reporter.bif.zeek 128 128
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string_set`
+
+   Gets the weird sampling global list
+   
+
+   :returns: Current weird sampling global list
+
+.. zeek:id:: Reporter::get_weird_sampling_rate
+   :source-code: base/bif/reporter.bif.zeek 157 157
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+   Gets the current weird sampling rate.
+   
+
+   :returns: weird sampling rate.
+
+.. zeek:id:: Reporter::get_weird_sampling_threshold
+   :source-code: base/bif/reporter.bif.zeek 142 142
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+   Gets the current weird sampling threshold
+   
+
+   :returns: current weird sampling threshold.
+
+.. zeek:id:: Reporter::get_weird_sampling_whitelist
+   :source-code: base/bif/reporter.bif.zeek 114 114
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string_set`
+
+   Gets the weird sampling whitelist
+   
+
+   :returns: Current weird sampling whitelist
+
+.. zeek:id:: Reporter::info
+   :source-code: base/bif/reporter.bif.zeek 25 25
+
+   :Type: :zeek:type:`function` (msg: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Generates an informational message.
+   
+
+   :param msg: The informational message to report.
+   
+
+   :returns: Always true.
+   
+   .. zeek:see:: reporter_info
+
+.. zeek:id:: Reporter::net_weird
+   :source-code: base/bif/reporter.bif.zeek 72 72
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`, addl: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`, source: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Generates a "net" weird.
+   
+
+   :param name: the name of the weird.
+   
+
+   :returns: Always true.
+
+.. zeek:id:: Reporter::set_weird_sampling_duration
+   :source-code: base/bif/reporter.bif.zeek 180 180
+
+   :Type: :zeek:type:`function` (weird_sampling_duration: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Sets the current weird sampling duration. Please note that
+   this will not delete already running timers.
+   
+
+   :param weird_sampling_duration: New weird sampling duration.
+   
+
+   :returns: always returns True
+
+.. zeek:id:: Reporter::set_weird_sampling_global_list
+   :source-code: base/bif/reporter.bif.zeek 136 136
+
+   :Type: :zeek:type:`function` (weird_sampling_global_list: :zeek:type:`string_set`) : :zeek:type:`bool`
+
+   Sets the weird sampling global list
+   
+
+   :param global_list: New weird sampling rate.
+   
+
+   :returns: Always true.
+
+.. zeek:id:: Reporter::set_weird_sampling_rate
+   :source-code: base/bif/reporter.bif.zeek 165 165
+
+   :Type: :zeek:type:`function` (weird_sampling_rate: :zeek:type:`count`) : :zeek:type:`bool`
+
+   Sets the weird sampling rate.
+   
+
+   :param weird_sampling_rate: New weird sampling rate.
+   
+
+   :returns: Always returns true.
+
+.. zeek:id:: Reporter::set_weird_sampling_threshold
+   :source-code: base/bif/reporter.bif.zeek 150 150
+
+   :Type: :zeek:type:`function` (weird_sampling_threshold: :zeek:type:`count`) : :zeek:type:`bool`
+
+   Sets the current weird sampling threshold
+   
+
+   :param threshold: New weird sampling threshold.
+   
+
+   :returns: Always returns true;
+
+.. zeek:id:: Reporter::set_weird_sampling_whitelist
+   :source-code: base/bif/reporter.bif.zeek 122 122
+
+   :Type: :zeek:type:`function` (weird_sampling_whitelist: :zeek:type:`string_set`) : :zeek:type:`bool`
+
+   Sets the weird sampling whitelist
+   
+
+   :param whitelist: New weird sampling rate.
+   
+
+   :returns: Always true.
+
+.. zeek:id:: Reporter::warning
+   :source-code: base/bif/reporter.bif.zeek 35 35
+
+   :Type: :zeek:type:`function` (msg: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Generates a message that warns of a potential problem.
+   
+
+   :param msg: The warning message to report.
+   
+
+   :returns: Always true.
+   
+   .. zeek:see:: reporter_warning
+
+
diff --git a/doc/scripts/base/bif/spicy.bif.zeek.rst b/doc/scripts/base/bif/spicy.bif.zeek.rst
new file mode 100644
index 0000000000..6861218fed
--- /dev/null
+++ b/doc/scripts/base/bif/spicy.bif.zeek.rst
@@ -0,0 +1,51 @@
+:tocdepth: 3
+
+base/bif/spicy.bif.zeek
+=======================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Spicy
+
+
+:Namespaces: GLOBAL, Spicy
+
+Summary
+~~~~~~~
+Events
+######
+============================================================= =
+:zeek:id:`Spicy::max_file_depth_exceeded`: :zeek:type:`event` 
+============================================================= =
+
+Functions
+#########
+========================================================== =
+:zeek:id:`Spicy::__resource_usage`: :zeek:type:`function`  
+:zeek:id:`Spicy::__toggle_analyzer`: :zeek:type:`function` 
+========================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: Spicy::max_file_depth_exceeded
+   :source-code: base/frameworks/spicy/main.zeek 9 15
+
+   :Type: :zeek:type:`event` (f: :zeek:type:`fa_file`, args: :zeek:type:`Files::AnalyzerArgs`, limit: :zeek:type:`count`)
+
+
+Functions
+#########
+.. zeek:id:: Spicy::__resource_usage
+   :source-code: base/bif/spicy.bif.zeek 37 37
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Spicy::ResourceUsage`
+
+
+.. zeek:id:: Spicy::__toggle_analyzer
+   :source-code: base/bif/spicy.bif.zeek 32 32
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`any`, enable: :zeek:type:`bool`) : :zeek:type:`bool`
+
+
+
diff --git a/doc/scripts/base/bif/stats.bif.zeek.rst b/doc/scripts/base/bif/stats.bif.zeek.rst
new file mode 100644
index 0000000000..f3e6688782
--- /dev/null
+++ b/doc/scripts/base/bif/stats.bif.zeek.rst
@@ -0,0 +1,354 @@
+:tocdepth: 3
+
+base/bif/stats.bif.zeek
+=======================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================= =======================================================
+:zeek:id:`get_broker_stats`: :zeek:type:`function`        Returns statistics about Broker communication.
+:zeek:id:`get_conn_stats`: :zeek:type:`function`          Returns Zeek traffic statistics.
+:zeek:id:`get_dns_stats`: :zeek:type:`function`           Returns statistics about DNS lookup activity.
+:zeek:id:`get_event_handler_stats`: :zeek:type:`function` Returns statistics about calls to event handlers.
+:zeek:id:`get_event_stats`: :zeek:type:`function`         Returns statistics about the event engine.
+:zeek:id:`get_file_analysis_stats`: :zeek:type:`function` Returns statistics about file analysis.
+:zeek:id:`get_gap_stats`: :zeek:type:`function`           Returns statistics about TCP gaps.
+:zeek:id:`get_matcher_stats`: :zeek:type:`function`       Returns statistics about the regular expression engine.
+:zeek:id:`get_net_stats`: :zeek:type:`function`           Returns packet capture statistics.
+:zeek:id:`get_proc_stats`: :zeek:type:`function`          Returns Zeek process statistics.
+:zeek:id:`get_reassembler_stats`: :zeek:type:`function`   Returns statistics about reassembler usage.
+:zeek:id:`get_reporter_stats`: :zeek:type:`function`      Returns statistics about reporter messages and weirds.
+:zeek:id:`get_thread_stats`: :zeek:type:`function`        Returns statistics about thread usage.
+:zeek:id:`get_timer_stats`: :zeek:type:`function`         Returns statistics about timer usage.
+========================================================= =======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: get_broker_stats
+   :source-code: base/bif/stats.bif.zeek 239 239
+
+   :Type: :zeek:type:`function` () : :zeek:type:`BrokerStats`
+
+   Returns statistics about Broker communication.
+   
+
+   :returns: A record with Broker statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_conn_stats
+   :source-code: base/bif/stats.bif.zeek 44 44
+
+   :Type: :zeek:type:`function` () : :zeek:type:`ConnStats`
+
+   Returns Zeek traffic statistics.
+   
+
+   :returns: A record with connection and packet statistics.
+   
+   .. zeek:see:: get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_dns_stats
+   :source-code: base/bif/stats.bif.zeek 121 121
+
+   :Type: :zeek:type:`function` () : :zeek:type:`DNSStats`
+
+   Returns statistics about DNS lookup activity.
+   
+
+   :returns: A record with DNS lookup statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_event_handler_stats
+   :source-code: base/bif/stats.bif.zeek 265 265
+
+   :Type: :zeek:type:`function` () : :zeek:type:`EventNameStats`
+
+   Returns statistics about calls to event handlers.
+   
+
+   :returns: A record with event call statistics.
+   
+
+.. zeek:id:: get_event_stats
+   :source-code: base/bif/stats.bif.zeek 82 82
+
+   :Type: :zeek:type:`function` () : :zeek:type:`EventStats`
+
+   Returns statistics about the event engine.
+   
+
+   :returns: A record with event engine statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_file_analysis_stats
+   :source-code: base/bif/stats.bif.zeek 159 159
+
+   :Type: :zeek:type:`function` () : :zeek:type:`FileAnalysisStats`
+
+   Returns statistics about file analysis.
+   
+
+   :returns: A record with file analysis statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_gap_stats
+   :source-code: base/bif/stats.bif.zeek 197 197
+
+   :Type: :zeek:type:`function` () : :zeek:type:`GapStats`
+
+   Returns statistics about TCP gaps.
+   
+
+   :returns: A record with TCP gap statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_matcher_stats
+   :source-code: base/bif/stats.bif.zeek 219 219
+
+   :Type: :zeek:type:`function` () : :zeek:type:`MatcherStats`
+
+   Returns statistics about the regular expression engine. Statistics include
+   the number of distinct matchers, DFA states, DFA state transitions, memory
+   usage of DFA states, cache hits/misses, and average number of NFA states
+   across all matchers.
+   
+
+   :returns: A record with matcher statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_net_stats
+   :source-code: base/bif/stats.bif.zeek 25 25
+
+   :Type: :zeek:type:`function` () : :zeek:type:`NetStats`
+
+   Returns packet capture statistics. Statistics include the number of
+   packets *(i)* received by Zeek, *(ii)* dropped, and *(iii)* seen on the
+   link (not always available).
+   
+
+   :returns: A record of packet statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_proc_stats
+   :source-code: base/bif/stats.bif.zeek 63 63
+
+   :Type: :zeek:type:`function` () : :zeek:type:`ProcStats`
+
+   Returns Zeek process statistics.
+   
+
+   :returns: A record with process statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_reassembler_stats
+   :source-code: base/bif/stats.bif.zeek 102 102
+
+   :Type: :zeek:type:`function` () : :zeek:type:`ReassemblerStats`
+
+   Returns statistics about reassembler usage.
+   
+
+   :returns: A record with reassembler statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+   :param TODO: this should have been deprecated before?
+
+.. zeek:id:: get_reporter_stats
+   :source-code: base/bif/stats.bif.zeek 258 258
+
+   :Type: :zeek:type:`function` () : :zeek:type:`ReporterStats`
+
+   Returns statistics about reporter messages and weirds.
+   
+
+   :returns: A record with reporter statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+                get_broker_stats
+
+.. zeek:id:: get_thread_stats
+   :source-code: base/bif/stats.bif.zeek 178 178
+
+   :Type: :zeek:type:`function` () : :zeek:type:`ThreadStats`
+
+   Returns statistics about thread usage.
+   
+
+   :returns: A record with thread usage statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_timer_stats
+                get_broker_stats
+                get_reporter_stats
+
+.. zeek:id:: get_timer_stats
+   :source-code: base/bif/stats.bif.zeek 140 140
+
+   :Type: :zeek:type:`function` () : :zeek:type:`TimerStats`
+
+   Returns statistics about timer usage.
+   
+
+   :returns: A record with timer usage statistics.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_broker_stats
+                get_reporter_stats
+
+
diff --git a/doc/scripts/base/bif/storage-async.bif.zeek.rst b/doc/scripts/base/bif/storage-async.bif.zeek.rst
new file mode 100644
index 0000000000..bdc0f15875
--- /dev/null
+++ b/doc/scripts/base/bif/storage-async.bif.zeek.rst
@@ -0,0 +1,59 @@
+:tocdepth: 3
+
+base/bif/storage-async.bif.zeek
+===============================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Storage::Async
+
+Functions related to asynchronous storage operations.
+
+:Namespaces: GLOBAL, Storage::Async
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================= =
+:zeek:id:`Storage::Async::__close_backend`: :zeek:type:`function` 
+:zeek:id:`Storage::Async::__erase`: :zeek:type:`function`         
+:zeek:id:`Storage::Async::__get`: :zeek:type:`function`           
+:zeek:id:`Storage::Async::__open_backend`: :zeek:type:`function`  
+:zeek:id:`Storage::Async::__put`: :zeek:type:`function`           
+================================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Storage::Async::__close_backend
+   :source-code: base/bif/storage-async.bif.zeek 14 14
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle) : :zeek:type:`Storage::OperationResult`
+
+
+.. zeek:id:: Storage::Async::__erase
+   :source-code: base/bif/storage-async.bif.zeek 23 23
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+
+.. zeek:id:: Storage::Async::__get
+   :source-code: base/bif/storage-async.bif.zeek 20 20
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+
+.. zeek:id:: Storage::Async::__open_backend
+   :source-code: base/bif/storage-async.bif.zeek 11 11
+
+   :Type: :zeek:type:`function` (btype: :zeek:type:`Storage::Backend`, options: :zeek:type:`any`, key_type: :zeek:type:`any`, val_type: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+
+.. zeek:id:: Storage::Async::__put
+   :source-code: base/bif/storage-async.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`, value: :zeek:type:`any`, overwrite: :zeek:type:`bool`, expire_time: :zeek:type:`interval`) : :zeek:type:`Storage::OperationResult`
+
+
+
diff --git a/doc/scripts/base/bif/storage-events.bif.zeek.rst b/doc/scripts/base/bif/storage-events.bif.zeek.rst
new file mode 100644
index 0000000000..cc2827542e
--- /dev/null
+++ b/doc/scripts/base/bif/storage-events.bif.zeek.rst
@@ -0,0 +1,66 @@
+:tocdepth: 3
+
+base/bif/storage-events.bif.zeek
+================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Storage
+
+Events related to storage operations.
+
+:Namespaces: GLOBAL, Storage
+
+Summary
+~~~~~~~
+Events
+######
+====================================================== =============================================================================
+:zeek:id:`Storage::backend_lost`: :zeek:type:`event`   May be generated when a backend connection is lost, both normally and
+                                                       unexpectedly.
+:zeek:id:`Storage::backend_opened`: :zeek:type:`event` Generated automatically when a new backend connection is opened successfully.
+====================================================== =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: Storage::backend_lost
+   :source-code: base/bif/storage-events.bif.zeek 34 34
+
+   :Type: :zeek:type:`event` (tag: :zeek:type:`Storage::Backend`, options: :zeek:type:`any`, reason: :zeek:type:`string`)
+
+   May be generated when a backend connection is lost, both normally and
+   unexpectedly. This event depends on the backends implementing handling for
+   it, and is not generated automatically by the storage framework.
+   
+
+   :param tag: A tag for one of the storage backends.
+   
+
+   :param options: A copy of the configuration options passed to
+            :zeek:see:`Storage::Async::open_backend` or
+            :zeek:see:`Storage::Sync::open_backend` when the backend was initially opened.
+   
+
+   :param reason: A string describing why the connection was lost.
+   
+   .. zeek:see:: Storage::backend_opened
+
+.. zeek:id:: Storage::backend_opened
+   :source-code: base/bif/storage-events.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (tag: :zeek:type:`Storage::Backend`, options: :zeek:type:`any`)
+
+   Generated automatically when a new backend connection is opened successfully.
+   
+
+   :param tag: A tag for one of the storage backends.
+   
+
+   :param options: A copy of the configuration options passed to
+            :zeek:see:`Storage::Async::open_backend` or
+            :zeek:see:`Storage::Sync::open_backend` when the backend was initially opened.
+   
+   .. zeek:see:: Storage::backend_lost
+
+
diff --git a/doc/scripts/base/bif/storage-sync.bif.zeek.rst b/doc/scripts/base/bif/storage-sync.bif.zeek.rst
new file mode 100644
index 0000000000..d5a37adcdc
--- /dev/null
+++ b/doc/scripts/base/bif/storage-sync.bif.zeek.rst
@@ -0,0 +1,59 @@
+:tocdepth: 3
+
+base/bif/storage-sync.bif.zeek
+==============================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Storage::Sync
+
+Functions related to synchronous storage operations.
+
+:Namespaces: GLOBAL, Storage::Sync
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================ =
+:zeek:id:`Storage::Sync::__close_backend`: :zeek:type:`function` 
+:zeek:id:`Storage::Sync::__erase`: :zeek:type:`function`         
+:zeek:id:`Storage::Sync::__get`: :zeek:type:`function`           
+:zeek:id:`Storage::Sync::__open_backend`: :zeek:type:`function`  
+:zeek:id:`Storage::Sync::__put`: :zeek:type:`function`           
+================================================================ =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Storage::Sync::__close_backend
+   :source-code: base/bif/storage-sync.bif.zeek 14 14
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle) : :zeek:type:`Storage::OperationResult`
+
+
+.. zeek:id:: Storage::Sync::__erase
+   :source-code: base/bif/storage-sync.bif.zeek 23 23
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+
+.. zeek:id:: Storage::Sync::__get
+   :source-code: base/bif/storage-sync.bif.zeek 20 20
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+
+.. zeek:id:: Storage::Sync::__open_backend
+   :source-code: base/bif/storage-sync.bif.zeek 11 11
+
+   :Type: :zeek:type:`function` (btype: :zeek:type:`Storage::Backend`, options: :zeek:type:`any`, key_type: :zeek:type:`any`, val_type: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+
+.. zeek:id:: Storage::Sync::__put
+   :source-code: base/bif/storage-sync.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`, value: :zeek:type:`any`, overwrite: :zeek:type:`bool`, expire_time: :zeek:type:`interval`) : :zeek:type:`Storage::OperationResult`
+
+
+
diff --git a/doc/scripts/base/bif/storage.bif.zeek.rst b/doc/scripts/base/bif/storage.bif.zeek.rst
new file mode 100644
index 0000000000..165d1914a0
--- /dev/null
+++ b/doc/scripts/base/bif/storage.bif.zeek.rst
@@ -0,0 +1,54 @@
+:tocdepth: 3
+
+base/bif/storage.bif.zeek
+=========================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Storage
+
+Functions related to general storage operations. These are not specific to async or sync.
+
+:Namespaces: GLOBAL, Storage
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================= =======================================================================
+:zeek:id:`Storage::is_forced_sync`: :zeek:type:`function` Checks whether a storage backend was opened in forced-synchronous mode.
+:zeek:id:`Storage::is_open`: :zeek:type:`function`        Checks whether a storage backend is open.
+========================================================= =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Storage::is_forced_sync
+   :source-code: base/bif/storage.bif.zeek 26 26
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle) : :zeek:type:`bool`
+
+   Checks whether a storage backend was opened in forced-synchronous mode.
+   
+
+   :param backend: A handle to the backend to check.
+   
+
+   :returns: T if the forced_synchronous option was set to T, F otherwise or if the
+            handle is invalid.
+
+.. zeek:id:: Storage::is_open
+   :source-code: base/bif/storage.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle) : :zeek:type:`bool`
+
+   Checks whether a storage backend is open.
+   
+
+   :param backend: A handle to the backed to check.
+   
+
+   :returns: T if the backend is open, F if the backend is not open or if the handle
+            is invalid.
+
+
diff --git a/doc/scripts/base/bif/store.bif.zeek.rst b/doc/scripts/base/bif/store.bif.zeek.rst
new file mode 100644
index 0000000000..edea332da2
--- /dev/null
+++ b/doc/scripts/base/bif/store.bif.zeek.rst
@@ -0,0 +1,171 @@
+:tocdepth: 3
+
+base/bif/store.bif.zeek
+=======================
+.. zeek:namespace:: Broker
+.. zeek:namespace:: GLOBAL
+
+Functions to interface with broker's distributed data store.
+
+:Namespaces: Broker, GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================ =
+:zeek:id:`Broker::__append`: :zeek:type:`function`               
+:zeek:id:`Broker::__clear`: :zeek:type:`function`                
+:zeek:id:`Broker::__close`: :zeek:type:`function`                
+:zeek:id:`Broker::__create_clone`: :zeek:type:`function`         
+:zeek:id:`Broker::__create_master`: :zeek:type:`function`        
+:zeek:id:`Broker::__decrement`: :zeek:type:`function`            
+:zeek:id:`Broker::__erase`: :zeek:type:`function`                
+:zeek:id:`Broker::__exists`: :zeek:type:`function`               
+:zeek:id:`Broker::__get`: :zeek:type:`function`                  
+:zeek:id:`Broker::__get_index_from_value`: :zeek:type:`function` 
+:zeek:id:`Broker::__increment`: :zeek:type:`function`            
+:zeek:id:`Broker::__insert_into_set`: :zeek:type:`function`      
+:zeek:id:`Broker::__insert_into_table`: :zeek:type:`function`    
+:zeek:id:`Broker::__is_closed`: :zeek:type:`function`            
+:zeek:id:`Broker::__keys`: :zeek:type:`function`                 
+:zeek:id:`Broker::__pop`: :zeek:type:`function`                  
+:zeek:id:`Broker::__push`: :zeek:type:`function`                 
+:zeek:id:`Broker::__put`: :zeek:type:`function`                  
+:zeek:id:`Broker::__put_unique`: :zeek:type:`function`           
+:zeek:id:`Broker::__remove_from`: :zeek:type:`function`          
+:zeek:id:`Broker::__store_name`: :zeek:type:`function`           
+================================================================ =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Broker::__append
+   :source-code: base/bif/store.bif.zeek 64 64
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, s: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__clear
+   :source-code: base/bif/store.bif.zeek 82 82
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__close
+   :source-code: base/bif/store.bif.zeek 31 31
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__create_clone
+   :source-code: base/bif/store.bif.zeek 25 25
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`, resync_interval: :zeek:type:`interval`, stale_interval: :zeek:type:`interval`, mutation_buffer_interval: :zeek:type:`interval`) : :zeek:type:`opaque` of Broker::Store
+
+
+.. zeek:id:: Broker::__create_master
+   :source-code: base/bif/store.bif.zeek 22 22
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`, b: :zeek:type:`Broker::BackendType`, options: :zeek:type:`Broker::BackendOptions` :zeek:attr:`&default` = *[sqlite=[path=, synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]]* :zeek:attr:`&optional`) : :zeek:type:`opaque` of Broker::Store
+
+
+.. zeek:id:: Broker::__decrement
+   :source-code: base/bif/store.bif.zeek 61 61
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, a: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__erase
+   :source-code: base/bif/store.bif.zeek 55 55
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__exists
+   :source-code: base/bif/store.bif.zeek 37 37
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`) : :zeek:type:`Broker::QueryResult`
+
+
+.. zeek:id:: Broker::__get
+   :source-code: base/bif/store.bif.zeek 40 40
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`) : :zeek:type:`Broker::QueryResult`
+
+
+.. zeek:id:: Broker::__get_index_from_value
+   :source-code: base/bif/store.bif.zeek 46 46
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, i: :zeek:type:`any`) : :zeek:type:`Broker::QueryResult`
+
+
+.. zeek:id:: Broker::__increment
+   :source-code: base/bif/store.bif.zeek 58 58
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, a: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__insert_into_set
+   :source-code: base/bif/store.bif.zeek 67 67
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, i: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__insert_into_table
+   :source-code: base/bif/store.bif.zeek 70 70
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, i: :zeek:type:`any`, v: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__is_closed
+   :source-code: base/bif/store.bif.zeek 28 28
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__keys
+   :source-code: base/bif/store.bif.zeek 49 49
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`Broker::QueryResult`
+
+
+.. zeek:id:: Broker::__pop
+   :source-code: base/bif/store.bif.zeek 79 79
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__push
+   :source-code: base/bif/store.bif.zeek 76 76
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, v: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__put
+   :source-code: base/bif/store.bif.zeek 52 52
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, v: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__put_unique
+   :source-code: base/bif/store.bif.zeek 43 43
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, v: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`Broker::QueryResult`
+
+
+.. zeek:id:: Broker::__remove_from
+   :source-code: base/bif/store.bif.zeek 73 73
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, i: :zeek:type:`any`, e: :zeek:type:`interval`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Broker::__store_name
+   :source-code: base/bif/store.bif.zeek 34 34
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`string`
+
+
+
diff --git a/doc/scripts/base/bif/strings.bif.zeek.rst b/doc/scripts/base/bif/strings.bif.zeek.rst
new file mode 100644
index 0000000000..ee130c8736
--- /dev/null
+++ b/doc/scripts/base/bif/strings.bif.zeek.rst
@@ -0,0 +1,1011 @@
+:tocdepth: 3
+
+base/bif/strings.bif.zeek
+=========================
+.. zeek:namespace:: GLOBAL
+
+Definitions of built-in functions related to string processing and
+manipulation.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+====================================================== ==========================================================================================================
+:zeek:id:`clean`: :zeek:type:`function`                Replaces non-printable characters in a string with escaped sequences.
+:zeek:id:`count_substr`: :zeek:type:`function`         Returns the number of times a substring occurs within a string
+:zeek:id:`edit`: :zeek:type:`function`                 Returns an edited version of a string that applies a special
+                                                       "backspace character" (usually ``\x08`` for backspace or ``\x7f`` for DEL).
+:zeek:id:`ends_with`: :zeek:type:`function`            Returns whether a string ends with a substring.
+:zeek:id:`escape_string`: :zeek:type:`function`        Replaces non-printable characters in a string with escaped sequences.
+:zeek:id:`find_all`: :zeek:type:`function`             Finds all occurrences of a pattern in a string.
+:zeek:id:`find_all_ordered`: :zeek:type:`function`     Finds all occurrences of a pattern in a string.
+:zeek:id:`find_first`: :zeek:type:`function`           Finds the first occurrence of a pattern in a string.
+:zeek:id:`find_last`: :zeek:type:`function`            Finds the last occurrence of a pattern in a string.
+:zeek:id:`find_str`: :zeek:type:`function`             Finds a string within another string, starting from the beginning.
+:zeek:id:`gsub`: :zeek:type:`function`                 Substitutes a given replacement string for all occurrences of a pattern
+                                                       in a given string.
+:zeek:id:`hexdump`: :zeek:type:`function`              Returns a hex dump for given input data.
+:zeek:id:`is_alnum`: :zeek:type:`function`             Returns whether a string consists entirely of alphanumeric characters.
+:zeek:id:`is_alpha`: :zeek:type:`function`             Returns whether a string consists entirely of alphabetic characters.
+:zeek:id:`is_ascii`: :zeek:type:`function`             Determines whether a given string contains only ASCII characters.
+:zeek:id:`is_num`: :zeek:type:`function`               Returns whether a string consists entirely of digits.
+:zeek:id:`join_string_set`: :zeek:type:`function`      Joins all values in the given set of strings with a separator placed
+                                                       between each element.
+:zeek:id:`join_string_vec`: :zeek:type:`function`      Joins all values in the given vector of strings with a separator placed
+                                                       between each element.
+:zeek:id:`levenshtein_distance`: :zeek:type:`function` Calculates the Levenshtein distance between the two strings.
+:zeek:id:`ljust`: :zeek:type:`function`                Returns a left-justified version of the string, padded to a specific length
+                                                       with a specified character.
+:zeek:id:`lstrip`: :zeek:type:`function`               Removes all combinations of characters in the *chars* argument
+                                                       starting at the beginning of the string until first mismatch.
+:zeek:id:`remove_prefix`: :zeek:type:`function`        Similar to lstrip(), except does the removal repeatedly if the pattern repeats at the start of the string.
+:zeek:id:`remove_suffix`: :zeek:type:`function`        Similar to rstrip(), except does the removal repeatedly if the pattern repeats at the end of the string.
+:zeek:id:`reverse`: :zeek:type:`function`              Returns a reversed copy of the string
+:zeek:id:`rfind_str`: :zeek:type:`function`            The same as :zeek:see:`find_str`, but returns the highest index matching
+                                                       the substring instead of the smallest.
+:zeek:id:`rjust`: :zeek:type:`function`                Returns a right-justified version of the string, padded to a specific length
+                                                       with a specified character.
+:zeek:id:`rstrip`: :zeek:type:`function`               Removes all combinations of characters in the *chars* argument
+                                                       starting at the end of the string until first mismatch.
+:zeek:id:`safe_shell_quote`: :zeek:type:`function`     Takes a string and escapes characters that would allow execution of
+                                                       commands at the shell level.
+:zeek:id:`split_string`: :zeek:type:`function`         Splits a string into an array of strings according to a pattern.
+:zeek:id:`split_string1`: :zeek:type:`function`        Splits a string *once* into a two-element array of strings according to a
+                                                       pattern.
+:zeek:id:`split_string_all`: :zeek:type:`function`     Splits a string into an array of strings according to a pattern.
+:zeek:id:`split_string_n`: :zeek:type:`function`       Splits a string a given number of times into an array of strings according
+                                                       to a pattern.
+:zeek:id:`starts_with`: :zeek:type:`function`          Returns whether a string starts with a substring.
+:zeek:id:`str_smith_waterman`: :zeek:type:`function`   Uses the Smith-Waterman algorithm to find similar/overlapping substrings.
+:zeek:id:`str_split_indices`: :zeek:type:`function`    Splits a string into substrings with the help of an index vector of cutting
+                                                       points.
+:zeek:id:`strcmp`: :zeek:type:`function`               Lexicographically compares two strings.
+:zeek:id:`string_cat`: :zeek:type:`function`           Concatenates all arguments into a single string.
+:zeek:id:`string_fill`: :zeek:type:`function`          Generates a string of a given size and fills it with repetitions of a source
+                                                       string.
+:zeek:id:`string_to_ascii_hex`: :zeek:type:`function`  Returns an ASCII hexadecimal representation of a string.
+:zeek:id:`strip`: :zeek:type:`function`                Strips whitespace at both ends of a string.
+:zeek:id:`strstr`: :zeek:type:`function`               Locates the first occurrence of one string in another.
+:zeek:id:`sub`: :zeek:type:`function`                  Substitutes a given replacement string for the first occurrence of a pattern
+                                                       in a given string.
+:zeek:id:`sub_bytes`: :zeek:type:`function`            Get a substring from a string, given a starting position and length.
+:zeek:id:`subst_string`: :zeek:type:`function`         Substitutes each (non-overlapping) appearance of a string in another.
+:zeek:id:`swap_case`: :zeek:type:`function`            Swaps the case of every alphabetic character in a string.
+:zeek:id:`to_lower`: :zeek:type:`function`             Replaces all uppercase letters in a string with their lowercase counterpart.
+:zeek:id:`to_string_literal`: :zeek:type:`function`    Replaces non-printable characters in a string with escaped sequences.
+:zeek:id:`to_title`: :zeek:type:`function`             Converts a string to Title Case.
+:zeek:id:`to_upper`: :zeek:type:`function`             Replaces all lowercase letters in a string with their uppercase counterpart.
+:zeek:id:`zfill`: :zeek:type:`function`                Returns a copy of a string filled on the left side with zeroes.
+====================================================== ==========================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: clean
+   :source-code: base/bif/strings.bif.zeek 281 281
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Replaces non-printable characters in a string with escaped sequences. The
+   mappings are:
+   
+       - values not in *[32, 126]* to ``\xXX``
+   
+   If the string does not yet have a trailing NUL, one is added internally.
+   
+   In contrast to :zeek:id:`escape_string`, this encoding is *not* fully reversible.`
+   
+
+   :param str: The string to escape.
+   
+
+   :returns: The escaped string.
+   
+   .. zeek:see:: to_string_literal escape_string
+
+.. zeek:id:: count_substr
+   :source-code: base/bif/strings.bif.zeek 528 528
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, sub: :zeek:type:`string`) : :zeek:type:`count`
+
+   Returns the number of times a substring occurs within a string
+   
+
+   :param str: The string to search in.
+
+   :param substr: The string to search for.
+   
+
+   :returns: The number of times the substring occurred.
+   
+
+.. zeek:id:: edit
+   :source-code: base/bif/strings.bif.zeek 82 82
+
+   :Type: :zeek:type:`function` (arg_s: :zeek:type:`string`, arg_edit_char: :zeek:type:`string`) : :zeek:type:`string`
+
+   Returns an edited version of a string that applies a special
+   "backspace character" (usually ``\x08`` for backspace or ``\x7f`` for DEL).
+   For example, ``edit("hello there", "e")`` returns ``"llo t"``.
+   
+
+   :param arg_s: The string to edit.
+   
+
+   :param arg_edit_char: A string of exactly one character that represents the
+                  "backspace character". If it is longer than one character Zeek
+                  generates a run-time error and uses the first character in
+                  the string.
+   
+
+   :returns: An edited version of *arg_s* where *arg_edit_char* triggers the
+            deletion of the last character.
+   
+   .. zeek:see:: clean
+                to_string_literal
+                escape_string
+                strip
+
+.. zeek:id:: ends_with
+   :source-code: base/bif/strings.bif.zeek 579 579
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, sub: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Returns whether a string ends with a substring.
+   
+
+.. zeek:id:: escape_string
+   :source-code: base/bif/strings.bif.zeek 324 324
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string`
+
+   Replaces non-printable characters in a string with escaped sequences. The
+   mappings are:
+   
+       - values not in *[32, 126]* to ``\xXX``
+       - ``\`` to ``\\``
+   
+   In contrast to :zeek:id:`clean`, this encoding is fully reversible.`
+   
+
+   :param str: The string to escape.
+   
+
+   :returns: The escaped string.
+   
+   .. zeek:see:: clean to_string_literal
+
+.. zeek:id:: find_all
+   :source-code: base/bif/strings.bif.zeek 448 448
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`, max_str_size: :zeek:type:`int` :zeek:attr:`&default` = ``-1`` :zeek:attr:`&optional`) : :zeek:type:`string_set`
+
+   Finds all occurrences of a pattern in a string.
+   
+
+   :param str: The string to inspect.
+   
+
+   :param re: The pattern to look for in *str*.
+   
+
+   :param max_str_size: The maximum string size allowed as input. If set to -1, this will use the
+                 :zeek:see:`max_find_all_string_length` global constant. If set to 0, this
+                 check is disabled. If the length of `str` is greater than this size, an
+                 empty set is returned.
+   
+
+   :returns: The set of strings in *str* that match *re*, or the empty set.
+   
+   .. zeek:see: find_all_ordered find_first find_last strstr
+
+.. zeek:id:: find_all_ordered
+   :source-code: base/bif/strings.bif.zeek 467 467
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`, max_str_size: :zeek:type:`int` :zeek:attr:`&default` = ``-1`` :zeek:attr:`&optional`) : :zeek:type:`string_vec`
+
+   Finds all occurrences of a pattern in a string.  The order in which
+   occurrences are found is preserved and the return value may contain
+   duplicate elements.
+   
+
+   :param str: The string to inspect.
+   
+
+   :param re: The pattern to look for in *str*.
+   
+
+   :param max_str_size: The maximum string size allowed as input. If set to -1, this will use the
+                 :zeek:see:`max_find_all_string_length` global constant. If set to 0, this
+                 check is disabled. If the length of `str` is greater than this size, an
+                 empty set is returned.
+   
+
+   :returns: All strings in *str* that match *re*, or an empty vector.
+   
+   .. zeek:see: find_all find_first find_last strstr
+
+.. zeek:id:: find_first
+   :source-code: base/bif/strings.bif.zeek 494 494
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`) : :zeek:type:`string`
+
+   Finds the first occurrence of a pattern in a string.
+   
+
+   :param str: The string to inspect.
+   
+
+   :param re: The pattern to look for in *str*.
+   
+
+   :returns: The first string in *str* that matches *re*, or the empty string.
+   
+   .. zeek:see:: find_all find_all_ordered find_last strstr
+
+.. zeek:id:: find_last
+   :source-code: base/bif/strings.bif.zeek 482 482
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`) : :zeek:type:`string`
+
+   Finds the last occurrence of a pattern in a string. This function returns
+   the match that starts at the largest index in the string, which is not
+   necessarily the longest match.  For example, a pattern of ``/.*/`` will
+   return the final character in the string.
+   
+
+   :param str: The string to inspect.
+   
+
+   :param re: The pattern to look for in *str*.
+   
+
+   :returns: The last string in *str* that matches *re*, or the empty string.
+   
+   .. zeek:see: find_all find_all_ordered strstr find_first
+
+.. zeek:id:: find_str
+   :source-code: base/bif/strings.bif.zeek 551 551
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, sub: :zeek:type:`string`, start: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`, end: :zeek:type:`int` :zeek:attr:`&default` = ``-1`` :zeek:attr:`&optional`, case_sensitive: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`) : :zeek:type:`int`
+
+   Finds a string within another string, starting from the beginning. This works
+   by taking a substring within the provided indexes and searching for the sub
+   argument. This means that ranges shorter than the string in the sub argument
+   will always return a failure.
+   
+
+   :param str: The string to search in.
+
+   :param substr: The string to search for.
+
+   :param start: An optional position for the start of the substring.
+
+   :param end: An optional position for the end of the substring. A value less than
+        zero (such as the default -1) means a search until the end of the
+        string.
+
+   :param case_sensitive: Set to false to perform a case-insensitive search.
+                   (default: T). Note that case-insensitive searches use the
+                   ``tolower`` libc function, which is locale-sensitive.
+   
+
+   :returns: The position of the substring. Returns -1 if the string wasn't
+            found. Prints an error if the starting position is after the ending
+            position.
+
+.. zeek:id:: gsub
+   :source-code: base/bif/strings.bif.zeek 201 201
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`, repl: :zeek:type:`string`) : :zeek:type:`string`
+
+   Substitutes a given replacement string for all occurrences of a pattern
+   in a given string.
+   
+
+   :param str: The string to perform the substitution in.
+   
+
+   :param re: The pattern being replaced with *repl*.
+   
+
+   :param repl: The string that replaces *re*.
+   
+
+   :returns: A copy of *str* with all occurrences of *re* replaced with *repl*.
+   
+   .. zeek:see:: sub subst_string
+
+.. zeek:id:: hexdump
+   :source-code: base/bif/strings.bif.zeek 509 509
+
+   :Type: :zeek:type:`function` (data_str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Returns a hex dump for given input data. The hex dump renders 16 bytes per
+   line, with hex on the left and ASCII (where printable)
+   on the right.
+   
+
+   :param data_str: The string to dump in hex format.
+   
+
+   :returns: The hex dump of the given string.
+   
+   .. zeek:see:: string_to_ascii_hex bytestring_to_hexstr
+   
+   .. note:: Based on Netdude's hex editor code.
+   
+
+.. zeek:id:: is_alnum
+   :source-code: base/bif/strings.bif.zeek 597 597
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Returns whether a string consists entirely of alphanumeric characters.
+   The empty string is not alphanumeric.
+   
+
+.. zeek:id:: is_alpha
+   :source-code: base/bif/strings.bif.zeek 591 591
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Returns whether a string consists entirely of alphabetic characters.
+   The empty string is not alphabetic.
+   
+
+.. zeek:id:: is_ascii
+   :source-code: base/bif/strings.bif.zeek 308 308
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Determines whether a given string contains only ASCII characters.
+   The empty string is ASCII.
+   
+
+   :param str: The string to examine.
+   
+
+   :returns: False if any byte value of *str* is greater than 127, and true
+            otherwise.
+   
+   .. zeek:see:: to_upper to_lower
+
+.. zeek:id:: is_num
+   :source-code: base/bif/strings.bif.zeek 585 585
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Returns whether a string consists entirely of digits.
+   The empty string is not numeric.
+   
+
+.. zeek:id:: join_string_set
+   :source-code: base/bif/strings.bif.zeek 61 61
+
+   :Type: :zeek:type:`function` (ss: :zeek:type:`string_set`, sep: :zeek:type:`string`) : :zeek:type:`string`
+
+   Joins all values in the given set of strings with a separator placed
+   between each element.
+   
+
+   :param ss: The :zeek:type:`string_set` (``set[string]``).
+   
+
+   :param sep: The separator to place between each element.
+   
+
+   :returns: The concatenation of all elements in *s*, with *sep* placed
+            between each element.
+   
+   .. zeek:see:: cat cat_sep string_cat
+                fmt
+                join_string_vec
+
+.. zeek:id:: join_string_vec
+   :source-code: base/bif/strings.bif.zeek 45 45
+
+   :Type: :zeek:type:`function` (vec: :zeek:type:`string_vec`, sep: :zeek:type:`string`) : :zeek:type:`string`
+
+   Joins all values in the given vector of strings with a separator placed
+   between each element.
+   
+
+   :param sep: The separator to place between each element.
+   
+
+   :param vec: The :zeek:type:`string_vec` (``vector of string``).
+   
+
+   :returns: The concatenation of all elements in *vec*, with *sep* placed
+            between each element.
+   
+   .. zeek:see:: cat cat_sep string_cat
+                fmt
+
+.. zeek:id:: levenshtein_distance
+   :source-code: base/bif/strings.bif.zeek 19 19
+
+   :Type: :zeek:type:`function` (s1: :zeek:type:`string`, s2: :zeek:type:`string`) : :zeek:type:`count`
+
+   Calculates the Levenshtein distance between the two strings. See `Wikipedia
+   <http://en.wikipedia.org/wiki/Levenshtein_distance>`__ for more information.
+   
+
+   :param s1: The first string.
+   
+
+   :param s2: The second string.
+   
+
+   :returns: The Levenshtein distance of two strings as a count.
+   
+
+.. zeek:id:: ljust
+   :source-code: base/bif/strings.bif.zeek 613 613
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, width: :zeek:type:`count`, fill: :zeek:type:`string` :zeek:attr:`&default` = ``" "`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Returns a left-justified version of the string, padded to a specific length
+   with a specified character.
+   
+
+   :param str: The string to left-justify.
+
+   :param count: The length of the returned string. If this value is less than or
+          equal to the length of str, a copy of str is returned.
+
+   :param fill: The character used to fill in any extra characters in the resulting
+         string. If a string longer than one character is passed, an error is
+         reported. This defaults to the space character.
+   
+
+   :returns: A left-justified version of a string, padded with characters to a
+            specific length.
+   
+
+.. zeek:id:: lstrip
+   :source-code: base/bif/strings.bif.zeek 386 386
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, chars: :zeek:type:`string` :zeek:attr:`&default` = ``" \x09\x0a\x0d\x0b\x0c"`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Removes all combinations of characters in the *chars* argument
+   starting at the beginning of the string until first mismatch.
+   
+
+   :param str: The string to strip characters from.
+   
+
+   :param chars: A string consisting of the characters to be removed.
+          Defaults to all whitespace characters.
+   
+
+   :returns: A copy of *str* with the characters in *chars* removed from
+            the beginning.
+   
+   .. zeek:see:: sub gsub strip rstrip
+
+.. zeek:id:: remove_prefix
+   :source-code: base/bif/strings.bif.zeek 658 658
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, sub: :zeek:type:`string`) : :zeek:type:`string`
+
+   Similar to lstrip(), except does the removal repeatedly if the pattern repeats at the start of the string.
+
+.. zeek:id:: remove_suffix
+   :source-code: base/bif/strings.bif.zeek 662 662
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, sub: :zeek:type:`string`) : :zeek:type:`string`
+
+   Similar to rstrip(), except does the removal repeatedly if the pattern repeats at the end of the string.
+
+.. zeek:id:: reverse
+   :source-code: base/bif/strings.bif.zeek 518 518
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Returns a reversed copy of the string
+   
+
+   :param str: The string to reverse.
+   
+
+   :returns: A reversed copy of *str*
+   
+
+.. zeek:id:: rfind_str
+   :source-code: base/bif/strings.bif.zeek 569 569
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, sub: :zeek:type:`string`, start: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`, end: :zeek:type:`int` :zeek:attr:`&default` = ``-1`` :zeek:attr:`&optional`, case_sensitive: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`) : :zeek:type:`int`
+
+   The same as :zeek:see:`find_str`, but returns the highest index matching
+   the substring instead of the smallest.
+   
+
+   :param str: The string to search in.
+
+   :param substr: The string to search for.
+
+   :param start: An optional position for the start of the substring.
+
+   :param end: An optional position for the end of the substring. A value less than
+        zero (such as the default -1) means a search from the end of the string.
+
+   :param case_sensitive: Set to false to perform a case-insensitive search.
+                   (default: T). Note that case-insensitive searches use the
+                   ``tolower`` libc function, which is locale-sensitive.
+   
+
+   :returns: The position of the substring. Returns -1 if the string wasn't
+            found. Prints an error if the starting position is after the ending
+            position.
+
+.. zeek:id:: rjust
+   :source-code: base/bif/strings.bif.zeek 631 631
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, width: :zeek:type:`count`, fill: :zeek:type:`string` :zeek:attr:`&default` = ``" "`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Returns a right-justified version of the string, padded to a specific length
+   with a specified character.
+   
+
+   :param str: The string to right-justify.
+
+   :param count: The length of the returned string. If this value is less than or
+          equal to the length of str, a copy of str is returned.
+
+   :param fill: The character used to fill in any extra characters in the resulting
+         string. If a string longer than one character is passed, an error is
+         reported. This defaults to the space character.
+   
+
+   :returns: A right-justified version of a string, padded with characters to a
+            specific length.
+   
+
+.. zeek:id:: rstrip
+   :source-code: base/bif/strings.bif.zeek 401 401
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, chars: :zeek:type:`string` :zeek:attr:`&default` = ``" \x09\x0a\x0d\x0b\x0c"`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Removes all combinations of characters in the *chars* argument
+   starting at the end of the string until first mismatch.
+   
+
+   :param str: The string to strip characters from.
+   
+
+   :param chars: A string consisting of the characters to be removed.
+          Defaults to all whitespace characters.
+   
+
+   :returns: A copy of *str* with the characters in *chars* removed from
+            the end.
+   
+   .. zeek:see:: sub gsub strip lstrip
+
+.. zeek:id:: safe_shell_quote
+   :source-code: base/bif/strings.bif.zeek 429 429
+
+   :Type: :zeek:type:`function` (source: :zeek:type:`string`) : :zeek:type:`string`
+
+   Takes a string and escapes characters that would allow execution of
+   commands at the shell level. Must be used before including strings in
+   :zeek:id:`system` or similar calls.
+   
+
+   :param source: The string to escape.
+   
+
+   :returns: A shell-escaped version of *source*.  Specifically, this
+            backslash-escapes characters whose literal value is not otherwise
+            preserved by enclosure in double-quotes (dollar-sign, backquote,
+            backslash, and double-quote itself), and then encloses that
+            backslash-escaped string in double-quotes to ultimately preserve
+            the literal value of all input characters.
+   
+   .. zeek:see:: system safe_shell_quote
+
+.. zeek:id:: split_string
+   :source-code: base/bif/strings.bif.zeek 111 111
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`) : :zeek:type:`string_vec`
+
+   Splits a string into an array of strings according to a pattern.
+   
+
+   :param str: The string to split.
+   
+
+   :param re: The pattern describing the element separator in *str*.
+   
+
+   :returns: An array of strings where each element corresponds to a substring
+            in *str* separated by *re*.
+   
+   .. zeek:see:: split_string1 split_string_all split_string_n
+   
+
+.. zeek:id:: split_string1
+   :source-code: base/bif/strings.bif.zeek 129 129
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`) : :zeek:type:`string_vec`
+
+   Splits a string *once* into a two-element array of strings according to a
+   pattern. This function is the same as :zeek:id:`split_string`, but *str* is
+   only split once (if possible) at the earliest position and an array of two
+   strings is returned.
+   
+
+   :param str: The string to split.
+   
+
+   :param re: The pattern describing the separator to split *str* in two pieces.
+   
+
+   :returns: An array of strings with two elements in which the first represents
+            the substring in *str* up to the first occurrence of *re*, and the
+            second everything after *re*. An array of one string is returned
+            when *s* cannot be split.
+   
+   .. zeek:see:: split_string split_string_all split_string_n
+
+.. zeek:id:: split_string_all
+   :source-code: base/bif/strings.bif.zeek 147 147
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`) : :zeek:type:`string_vec`
+
+   Splits a string into an array of strings according to a pattern. This
+   function is the same as :zeek:id:`split_string`, except that the separators
+   are returned as well. For example, ``split_string_all("a-b--cd", /(\-)+/)``
+   returns ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do match the
+   pattern and even-indexed ones do not.
+   
+
+   :param str: The string to split.
+   
+
+   :param re: The pattern describing the element separator in *str*.
+   
+
+   :returns: An array of strings where each two successive elements correspond
+            to a substring in *str* of the part not matching *re* (even-indexed)
+            and the part that matches *re* (odd-indexed).
+   
+   .. zeek:see:: split_string split_string1 split_string_n
+
+.. zeek:id:: split_string_n
+   :source-code: base/bif/strings.bif.zeek 170 170
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`, incl_sep: :zeek:type:`bool`, max_num_sep: :zeek:type:`count`) : :zeek:type:`string_vec`
+
+   Splits a string a given number of times into an array of strings according
+   to a pattern. This function is similar to :zeek:id:`split_string1` and
+   :zeek:id:`split_string_all`, but with customizable behavior with respect to
+   including separators in the result and the number of times to split.
+   
+
+   :param str: The string to split.
+   
+
+   :param re: The pattern describing the element separator in *str*.
+   
+
+   :param incl_sep: A flag indicating whether to include the separator matches in the
+             result (as in :zeek:id:`split_string_all`).
+   
+
+   :param max_num_sep: The number of times to split *str*.
+   
+
+   :returns: An array of strings where, if *incl_sep* is true, each two
+            successive elements correspond to a substring in *str* of the part
+            not matching *re* (even-indexed) and the part that matches *re*
+            (odd-indexed).
+   
+   .. zeek:see:: split_string split_string1 split_string_all
+
+.. zeek:id:: starts_with
+   :source-code: base/bif/strings.bif.zeek 574 574
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, sub: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Returns whether a string starts with a substring.
+   
+
+.. zeek:id:: str_smith_waterman
+   :source-code: base/bif/strings.bif.zeek 346 346
+
+   :Type: :zeek:type:`function` (s1: :zeek:type:`string`, s2: :zeek:type:`string`, params: :zeek:type:`sw_params`) : :zeek:type:`sw_substring_vec`
+
+   Uses the Smith-Waterman algorithm to find similar/overlapping substrings.
+   See `Wikipedia <http://en.wikipedia.org/wiki/Smith%E2%80%93Waterman_algorithm>`__.
+   
+
+   :param s1: The first string.
+   
+
+   :param s2: The second string.
+   
+
+   :param params: Parameters for the Smith-Waterman algorithm.
+   
+
+   :returns: The result of the Smith-Waterman algorithm calculation.
+
+.. zeek:id:: str_split_indices
+   :source-code: base/bif/strings.bif.zeek 359 359
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, idx: :zeek:type:`index_vec`) : :zeek:type:`string_vec`
+
+   Splits a string into substrings with the help of an index vector of cutting
+   points.
+   
+
+   :param s: The string to split.
+   
+
+   :param idx: The index vector (``vector of count``) with the cutting points
+   
+
+   :returns: A zero-indexed vector of strings.
+   
+   .. zeek:see:: split_string split_string1 split_string_all split_string_n
+
+.. zeek:id:: strcmp
+   :source-code: base/bif/strings.bif.zeek 213 213
+
+   :Type: :zeek:type:`function` (s1: :zeek:type:`string`, s2: :zeek:type:`string`) : :zeek:type:`int`
+
+   Lexicographically compares two strings.
+   
+
+   :param s1: The first string.
+   
+
+   :param s2: The second string.
+   
+
+   :returns: An integer greater than, equal to, or less than 0 according as
+            *s1* is greater than, equal to, or less than *s2*.
+
+.. zeek:id:: string_cat
+   :source-code: base/bif/strings.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`string`
+
+   Concatenates all arguments into a single string. The function takes a
+   variable number of arguments of type string and stitches them together.
+   
+
+   :returns: The concatenation of all (string) arguments.
+   
+   .. zeek:see:: cat cat_sep
+                fmt
+                join_string_vec
+
+.. zeek:id:: string_fill
+   :source-code: base/bif/strings.bif.zeek 412 412
+
+   :Type: :zeek:type:`function` (len: :zeek:type:`int`, source: :zeek:type:`string`) : :zeek:type:`string`
+
+   Generates a string of a given size and fills it with repetitions of a source
+   string.
+   
+
+   :param len: The length of the output string.
+   
+
+   :param source: The string to concatenate repeatedly until *len* has been reached.
+   
+
+   :returns: A string of length *len* filled with *source*.
+
+.. zeek:id:: string_to_ascii_hex
+   :source-code: base/bif/strings.bif.zeek 333 333
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string`
+
+   Returns an ASCII hexadecimal representation of a string.
+   
+
+   :param s: The string to convert to hex.
+   
+
+   :returns: A copy of *s* where each byte is replaced with the corresponding
+            hex nibble.
+
+.. zeek:id:: strip
+   :source-code: base/bif/strings.bif.zeek 369 369
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Strips whitespace at both ends of a string.
+   
+
+   :param str: The string to strip the whitespace from.
+   
+
+   :returns: A copy of *str* with leading and trailing whitespace removed.
+   
+   .. zeek:see:: sub gsub lstrip rstrip
+
+.. zeek:id:: strstr
+   :source-code: base/bif/strings.bif.zeek 226 226
+
+   :Type: :zeek:type:`function` (big: :zeek:type:`string`, little: :zeek:type:`string`) : :zeek:type:`count`
+
+   Locates the first occurrence of one string in another.
+   
+
+   :param big: The string to look in.
+   
+
+   :param little: The (smaller) string to find inside *big*.
+   
+
+   :returns: The location of *little* in *big*, or 0 if *little* is not found in
+            *big*.
+   
+   .. zeek:see:: find_all find_first find_last
+
+.. zeek:id:: sub
+   :source-code: base/bif/strings.bif.zeek 186 186
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, re: :zeek:type:`pattern`, repl: :zeek:type:`string`) : :zeek:type:`string`
+
+   Substitutes a given replacement string for the first occurrence of a pattern
+   in a given string.
+   
+
+   :param str: The string to perform the substitution in.
+   
+
+   :param re: The pattern being replaced with *repl*.
+   
+
+   :param repl: The string that replaces *re*.
+   
+
+   :returns: A copy of *str* with the first occurrence of *re* replaced with
+            *repl*.
+   
+   .. zeek:see:: gsub subst_string
+
+.. zeek:id:: sub_bytes
+   :source-code: base/bif/strings.bif.zeek 95 95
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, start: :zeek:type:`count`, n: :zeek:type:`int`) : :zeek:type:`string`
+
+   Get a substring from a string, given a starting position and length.
+   
+
+   :param s: The string to obtain a substring from.
+   
+
+   :param start: The starting position of the substring in *s*, where 1 is the first
+          character. As a special case, 0 also represents the first character.
+   
+
+   :param n: The number of characters to extract, beginning at *start*.
+   
+
+   :returns: A substring of *s* of length *n* from position *start*.
+
+.. zeek:id:: subst_string
+   :source-code: base/bif/strings.bif.zeek 240 240
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, from: :zeek:type:`string`, to: :zeek:type:`string`) : :zeek:type:`string`
+
+   Substitutes each (non-overlapping) appearance of a string in another.
+   
+
+   :param s: The string in which to perform the substitution.
+   
+
+   :param from: The string to look for which is replaced with *to*.
+   
+
+   :param to: The string that replaces all occurrences of *from* in *s*.
+   
+
+   :returns: A copy of *s* where each occurrence of *from* is replaced with *to*.
+   
+   .. zeek:see:: sub gsub
+
+.. zeek:id:: swap_case
+   :source-code: base/bif/strings.bif.zeek 640 640
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Swaps the case of every alphabetic character in a string. For example, the string "aBc" be returned as "AbC".
+   
+
+   :param str: The string to swap cases in.
+   
+
+   :returns: A copy of the str with the case of each character swapped.
+   
+
+.. zeek:id:: to_lower
+   :source-code: base/bif/strings.bif.zeek 252 252
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Replaces all uppercase letters in a string with their lowercase counterpart.
+   
+
+   :param str: The string to convert to lowercase letters.
+   
+
+   :returns: A copy of the given string with the uppercase letters (as indicated
+            by ``isascii`` and ``isupper``) folded to lowercase
+            (via ``tolower``).
+   
+   .. zeek:see:: to_upper is_ascii
+
+.. zeek:id:: to_string_literal
+   :source-code: base/bif/strings.bif.zeek 296 296
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Replaces non-printable characters in a string with escaped sequences. The
+   mappings are:
+   
+       - values not in *[32, 126]* to ``\xXX``
+       - ``\`` to ``\\``
+       - ``'`` and ``""`` to ``\'`` and ``\"``, respectively.
+   
+
+   :param str: The string to escape.
+   
+
+   :returns: The escaped string.
+   
+   .. zeek:see:: clean escape_string
+
+.. zeek:id:: to_title
+   :source-code: base/bif/strings.bif.zeek 650 650
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Converts a string to Title Case. This changes the first character of each sequence of non-space characters
+   in the string to be capitalized. See https://docs.python.org/3/library/stdtypes.html#str.title for more info.
+   
+
+   :param str: The string to convert.
+   
+
+   :returns: A title-cased version of the string.
+   
+
+.. zeek:id:: to_upper
+   :source-code: base/bif/strings.bif.zeek 264 264
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Replaces all lowercase letters in a string with their uppercase counterpart.
+   
+
+   :param str: The string to convert to uppercase letters.
+   
+
+   :returns: A copy of the given string with the lowercase letters (as indicated
+            by ``isascii`` and ``islower``) folded to uppercase
+            (via ``toupper``).
+   
+   .. zeek:see:: to_lower is_ascii
+
+.. zeek:id:: zfill
+   :source-code: base/bif/strings.bif.zeek 654 654
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, width: :zeek:type:`count`) : :zeek:type:`string`
+
+   Returns a copy of a string filled on the left side with zeroes. This is effectively rjust(str, width, "0").
+
+
diff --git a/doc/scripts/base/bif/supervisor.bif.zeek.rst b/doc/scripts/base/bif/supervisor.bif.zeek.rst
new file mode 100644
index 0000000000..0c49781f2a
--- /dev/null
+++ b/doc/scripts/base/bif/supervisor.bif.zeek.rst
@@ -0,0 +1,80 @@
+:tocdepth: 3
+
+base/bif/supervisor.bif.zeek
+============================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Supervisor
+
+The BIFs that define the Zeek supervisor control interface.
+
+:Namespaces: GLOBAL, Supervisor
+
+Summary
+~~~~~~~
+Functions
+#########
+============================================================= =
+:zeek:id:`Supervisor::__create`: :zeek:type:`function`        
+:zeek:id:`Supervisor::__destroy`: :zeek:type:`function`       
+:zeek:id:`Supervisor::__is_supervised`: :zeek:type:`function` 
+:zeek:id:`Supervisor::__is_supervisor`: :zeek:type:`function` 
+:zeek:id:`Supervisor::__node`: :zeek:type:`function`          
+:zeek:id:`Supervisor::__restart`: :zeek:type:`function`       
+:zeek:id:`Supervisor::__status`: :zeek:type:`function`        
+:zeek:id:`Supervisor::__stem_pid`: :zeek:type:`function`      
+============================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Supervisor::__create
+   :source-code: base/bif/supervisor.bif.zeek 27 27
+
+   :Type: :zeek:type:`function` (node: :zeek:type:`Supervisor::NodeConfig`) : :zeek:type:`string`
+
+
+.. zeek:id:: Supervisor::__destroy
+   :source-code: base/bif/supervisor.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (node: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Supervisor::__is_supervised
+   :source-code: base/bif/supervisor.bif.zeek 36 36
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+
+.. zeek:id:: Supervisor::__is_supervisor
+   :source-code: base/bif/supervisor.bif.zeek 42 42
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+
+.. zeek:id:: Supervisor::__node
+   :source-code: base/bif/supervisor.bif.zeek 39 39
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Supervisor::NodeConfig`
+
+
+.. zeek:id:: Supervisor::__restart
+   :source-code: base/bif/supervisor.bif.zeek 33 33
+
+   :Type: :zeek:type:`function` (node: :zeek:type:`string`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Supervisor::__status
+   :source-code: base/bif/supervisor.bif.zeek 24 24
+
+   :Type: :zeek:type:`function` (node: :zeek:type:`string`) : :zeek:type:`Supervisor::Status`
+
+
+.. zeek:id:: Supervisor::__stem_pid
+   :source-code: base/bif/supervisor.bif.zeek 45 45
+
+   :Type: :zeek:type:`function` () : :zeek:type:`int`
+
+
+
diff --git a/doc/scripts/base/bif/telemetry_consts.bif.zeek.rst b/doc/scripts/base/bif/telemetry_consts.bif.zeek.rst
new file mode 100644
index 0000000000..72574e12cc
--- /dev/null
+++ b/doc/scripts/base/bif/telemetry_consts.bif.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/bif/telemetry_consts.bif.zeek
+==================================
+.. zeek:namespace:: GLOBAL
+
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/bif/telemetry_functions.bif.zeek.rst b/doc/scripts/base/bif/telemetry_functions.bif.zeek.rst
new file mode 100644
index 0000000000..91ae79b3f8
--- /dev/null
+++ b/doc/scripts/base/bif/telemetry_functions.bif.zeek.rst
@@ -0,0 +1,129 @@
+:tocdepth: 3
+
+base/bif/telemetry_functions.bif.zeek
+=====================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Telemetry
+
+Functions for accessing counter metrics from script land.
+
+:Namespaces: GLOBAL, Telemetry
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================================================== =
+:zeek:id:`Telemetry::__collect_histogram_metrics`: :zeek:type:`function`   
+:zeek:id:`Telemetry::__collect_metrics`: :zeek:type:`function`             
+:zeek:id:`Telemetry::__counter_family`: :zeek:type:`function`              
+:zeek:id:`Telemetry::__counter_inc`: :zeek:type:`function`                 
+:zeek:id:`Telemetry::__counter_metric_get_or_add`: :zeek:type:`function`   
+:zeek:id:`Telemetry::__counter_value`: :zeek:type:`function`               
+:zeek:id:`Telemetry::__gauge_dec`: :zeek:type:`function`                   
+:zeek:id:`Telemetry::__gauge_family`: :zeek:type:`function`                
+:zeek:id:`Telemetry::__gauge_inc`: :zeek:type:`function`                   
+:zeek:id:`Telemetry::__gauge_metric_get_or_add`: :zeek:type:`function`     
+:zeek:id:`Telemetry::__gauge_value`: :zeek:type:`function`                 
+:zeek:id:`Telemetry::__histogram_family`: :zeek:type:`function`            
+:zeek:id:`Telemetry::__histogram_metric_get_or_add`: :zeek:type:`function` 
+:zeek:id:`Telemetry::__histogram_observe`: :zeek:type:`function`           
+:zeek:id:`Telemetry::__histogram_sum`: :zeek:type:`function`               
+========================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Telemetry::__collect_histogram_metrics
+   :source-code: base/bif/telemetry_functions.bif.zeek 59 59
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string`, name: :zeek:type:`string`) : :zeek:type:`any_vec`
+
+
+.. zeek:id:: Telemetry::__collect_metrics
+   :source-code: base/bif/telemetry_functions.bif.zeek 56 56
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string`, name: :zeek:type:`string`) : :zeek:type:`any_vec`
+
+
+.. zeek:id:: Telemetry::__counter_family
+   :source-code: base/bif/telemetry_functions.bif.zeek 13 13
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string`, name: :zeek:type:`string`, labels: :zeek:type:`string_vec`, helptext: :zeek:type:`string` :zeek:attr:`&default` = ``"Zeek Script Metric"`` :zeek:attr:`&optional`, unit: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of counter_metric_family
+
+
+.. zeek:id:: Telemetry::__counter_inc
+   :source-code: base/bif/telemetry_functions.bif.zeek 19 19
+
+   :Type: :zeek:type:`function` (val: :zeek:type:`opaque` of counter_metric, amount: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Telemetry::__counter_metric_get_or_add
+   :source-code: base/bif/telemetry_functions.bif.zeek 16 16
+
+   :Type: :zeek:type:`function` (family: :zeek:type:`opaque` of counter_metric_family, labels: :zeek:type:`table_string_of_string`) : :zeek:type:`opaque` of counter_metric
+
+
+.. zeek:id:: Telemetry::__counter_value
+   :source-code: base/bif/telemetry_functions.bif.zeek 22 22
+
+   :Type: :zeek:type:`function` (val: :zeek:type:`opaque` of counter_metric) : :zeek:type:`double`
+
+
+.. zeek:id:: Telemetry::__gauge_dec
+   :source-code: base/bif/telemetry_functions.bif.zeek 36 36
+
+   :Type: :zeek:type:`function` (val: :zeek:type:`opaque` of gauge_metric, amount: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Telemetry::__gauge_family
+   :source-code: base/bif/telemetry_functions.bif.zeek 27 27
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string`, name: :zeek:type:`string`, labels: :zeek:type:`string_vec`, helptext: :zeek:type:`string` :zeek:attr:`&default` = ``"Zeek Script Metric"`` :zeek:attr:`&optional`, unit: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of gauge_metric_family
+
+
+.. zeek:id:: Telemetry::__gauge_inc
+   :source-code: base/bif/telemetry_functions.bif.zeek 33 33
+
+   :Type: :zeek:type:`function` (val: :zeek:type:`opaque` of gauge_metric, amount: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Telemetry::__gauge_metric_get_or_add
+   :source-code: base/bif/telemetry_functions.bif.zeek 30 30
+
+   :Type: :zeek:type:`function` (family: :zeek:type:`opaque` of gauge_metric_family, labels: :zeek:type:`table_string_of_string`) : :zeek:type:`opaque` of gauge_metric
+
+
+.. zeek:id:: Telemetry::__gauge_value
+   :source-code: base/bif/telemetry_functions.bif.zeek 39 39
+
+   :Type: :zeek:type:`function` (val: :zeek:type:`opaque` of gauge_metric) : :zeek:type:`double`
+
+
+.. zeek:id:: Telemetry::__histogram_family
+   :source-code: base/bif/telemetry_functions.bif.zeek 44 44
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string`, name: :zeek:type:`string`, labels: :zeek:type:`string_vec`, bounds: :zeek:type:`double_vec`, helptext: :zeek:type:`string` :zeek:attr:`&default` = ``"Zeek Script Metric"`` :zeek:attr:`&optional`, unit: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`opaque` of histogram_metric_family
+
+
+.. zeek:id:: Telemetry::__histogram_metric_get_or_add
+   :source-code: base/bif/telemetry_functions.bif.zeek 47 47
+
+   :Type: :zeek:type:`function` (family: :zeek:type:`opaque` of histogram_metric_family, labels: :zeek:type:`table_string_of_string`) : :zeek:type:`opaque` of histogram_metric
+
+
+.. zeek:id:: Telemetry::__histogram_observe
+   :source-code: base/bif/telemetry_functions.bif.zeek 50 50
+
+   :Type: :zeek:type:`function` (val: :zeek:type:`opaque` of histogram_metric, measurement: :zeek:type:`double`) : :zeek:type:`bool`
+
+
+.. zeek:id:: Telemetry::__histogram_sum
+   :source-code: base/bif/telemetry_functions.bif.zeek 53 53
+
+   :Type: :zeek:type:`function` (val: :zeek:type:`opaque` of histogram_metric) : :zeek:type:`double`
+
+
+
diff --git a/doc/scripts/base/bif/telemetry_types.bif.zeek.rst b/doc/scripts/base/bif/telemetry_types.bif.zeek.rst
new file mode 100644
index 0000000000..5a2ba8a89d
--- /dev/null
+++ b/doc/scripts/base/bif/telemetry_types.bif.zeek.rst
@@ -0,0 +1,43 @@
+:tocdepth: 3
+
+base/bif/telemetry_types.bif.zeek
+=================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Telemetry
+
+
+:Namespaces: GLOBAL, Telemetry
+
+Summary
+~~~~~~~
+Types
+#####
+===================================================== ================================================================
+:zeek:type:`Telemetry::MetricType`: :zeek:type:`enum` An enum that specifies which type of metric you're operating on.
+===================================================== ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Telemetry::MetricType
+   :source-code: base/bif/telemetry_types.bif.zeek 8 8
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Telemetry::COUNTER Telemetry::MetricType
+
+         Counters track entities that increment over time.
+
+      .. zeek:enum:: Telemetry::GAUGE Telemetry::MetricType
+
+         Gauges track entities that fluctuate over time.
+
+      .. zeek:enum:: Telemetry::HISTOGRAM Telemetry::MetricType
+
+         Histograms group observations into predefined bins.
+
+   An enum that specifies which type of metric you're operating on.
+
+
diff --git a/doc/scripts/base/bif/top-k.bif.zeek.rst b/doc/scripts/base/bif/top-k.bif.zeek.rst
new file mode 100644
index 0000000000..c72c2bd6ac
--- /dev/null
+++ b/doc/scripts/base/bif/top-k.bif.zeek.rst
@@ -0,0 +1,215 @@
+:tocdepth: 3
+
+base/bif/top-k.bif.zeek
+=======================
+.. zeek:namespace:: GLOBAL
+
+Functions to probabilistically determine top-k elements.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================== ==========================================================================
+:zeek:id:`topk_add`: :zeek:type:`function`         Add a new observed object to the data structure.
+:zeek:id:`topk_count`: :zeek:type:`function`       Get an overestimated count of how often a value has been encountered.
+:zeek:id:`topk_epsilon`: :zeek:type:`function`     Get the maximal overestimation for count.
+:zeek:id:`topk_get_top`: :zeek:type:`function`     Get the first *k* elements of the top-k data structure.
+:zeek:id:`topk_init`: :zeek:type:`function`        Creates a top-k data structure which tracks *size* elements.
+:zeek:id:`topk_merge`: :zeek:type:`function`       Merge the second top-k data structure into the first.
+:zeek:id:`topk_merge_prune`: :zeek:type:`function` Merge the second top-k data structure into the first and prunes the final
+                                                   data structure back to the size given on initialization.
+:zeek:id:`topk_size`: :zeek:type:`function`        Get the number of elements this data structure is supposed to track (given
+                                                   on init).
+:zeek:id:`topk_sum`: :zeek:type:`function`         Get the sum of all counts of all elements in the data structure.
+================================================== ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: topk_add
+   :source-code: base/bif/top-k.bif.zeek 31 31
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of topk, value: :zeek:type:`any`) : :zeek:type:`any`
+
+   Add a new observed object to the data structure.
+   
+   .. note:: The first added object sets the type of data tracked by
+      the top-k data structure. All following values have to be of the same
+      type.
+   
+
+   :param handle: the TopK handle.
+   
+
+   :param value: observed value.
+   
+   .. zeek:see:: topk_init topk_get_top topk_count topk_epsilon
+      topk_size topk_sum topk_merge topk_merge_prune
+
+.. zeek:id:: topk_count
+   :source-code: base/bif/top-k.bif.zeek 61 61
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of topk, value: :zeek:type:`any`) : :zeek:type:`count`
+
+   Get an overestimated count of how often a value has been encountered.
+   
+   .. note:: The value has to be part of the currently tracked elements,
+      otherwise 0 will be returned and an error message will be added to
+      reporter.
+   
+
+   :param handle: the TopK handle.
+   
+
+   :param value: Value to look up count for.
+   
+
+   :returns: Overestimated number for how often the element has been encountered.
+   
+   .. zeek:see:: topk_init topk_add topk_get_top topk_epsilon
+      topk_size topk_sum topk_merge topk_merge_prune
+
+.. zeek:id:: topk_epsilon
+   :source-code: base/bif/top-k.bif.zeek 77 77
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of topk, value: :zeek:type:`any`) : :zeek:type:`count`
+
+   Get the maximal overestimation for count.
+   
+   .. note:: Same restrictions as for :zeek:id:`topk_count` apply.
+   
+
+   :param handle: the TopK handle.
+   
+
+   :param value: Value to look up epsilon for.
+   
+
+   :returns: Number which represents the maximal overestimation for the count of
+            this element.
+   
+   .. zeek:see:: topk_init topk_add topk_get_top topk_count
+      topk_size topk_sum topk_merge topk_merge_prune
+
+.. zeek:id:: topk_get_top
+   :source-code: base/bif/top-k.bif.zeek 44 44
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of topk, k: :zeek:type:`count`) : :zeek:type:`any_vec`
+
+   Get the first *k* elements of the top-k data structure.
+   
+
+   :param handle: the TopK handle.
+   
+
+   :param k: number of elements to return.
+   
+
+   :returns: vector of the first k elements.
+   
+   .. zeek:see:: topk_init topk_add topk_count topk_epsilon
+      topk_size topk_sum topk_merge topk_merge_prune
+
+.. zeek:id:: topk_init
+   :source-code: base/bif/top-k.bif.zeek 16 16
+
+   :Type: :zeek:type:`function` (size: :zeek:type:`count`) : :zeek:type:`opaque` of topk
+
+   Creates a top-k data structure which tracks *size* elements.
+   
+
+   :param size: number of elements to track.
+   
+
+   :returns: Opaque pointer to the data structure.
+   
+   .. zeek:see:: topk_add topk_get_top topk_count topk_epsilon
+      topk_size topk_sum topk_merge topk_merge_prune
+
+.. zeek:id:: topk_merge
+   :source-code: base/bif/top-k.bif.zeek 122 122
+
+   :Type: :zeek:type:`function` (handle1: :zeek:type:`opaque` of topk, handle2: :zeek:type:`opaque` of topk) : :zeek:type:`any`
+
+   Merge the second top-k data structure into the first.
+   
+
+   :param handle1: the first TopK handle.
+   
+
+   :param handle2: the second TopK handle.
+   
+   .. note:: This does not remove any elements, the resulting data structure
+      can be bigger than the maximum size given on initialization.
+   
+   .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon
+      topk_size topk_sum topk_merge_prune
+
+.. zeek:id:: topk_merge_prune
+   :source-code: base/bif/top-k.bif.zeek 138 138
+
+   :Type: :zeek:type:`function` (handle1: :zeek:type:`opaque` of topk, handle2: :zeek:type:`opaque` of topk) : :zeek:type:`any`
+
+   Merge the second top-k data structure into the first and prunes the final
+   data structure back to the size given on initialization.
+   
+   .. note:: Use with care and only when being aware of the restrictions this
+      entails. Do not call :zeek:id:`topk_size` or :zeek:id:`topk_add` afterwards,
+      results will probably not be what you expect.
+   
+
+   :param handle1: the TopK handle in which the second TopK structure is merged.
+   
+
+   :param handle2: the TopK handle in which is merged into the first TopK structure.
+   
+   .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon
+      topk_size topk_sum topk_merge
+
+.. zeek:id:: topk_size
+   :source-code: base/bif/top-k.bif.zeek 92 92
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of topk) : :zeek:type:`count`
+
+   Get the number of elements this data structure is supposed to track (given
+   on init).
+   
+   .. note:: Note that the actual number of elements in the data structure can
+      be lower or higher (due to non-pruned merges) than this.
+   
+
+   :param handle: the TopK handle.
+   
+
+   :returns: size given during initialization.
+   
+   .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon
+      topk_sum topk_merge topk_merge_prune
+
+.. zeek:id:: topk_sum
+   :source-code: base/bif/top-k.bif.zeek 108 108
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of topk) : :zeek:type:`count`
+
+   Get the sum of all counts of all elements in the data structure.
+   
+   .. note:: This is equal to the number of all inserted objects if the data
+      structure never has been pruned. Do not use after
+      calling :zeek:id:`topk_merge_prune` (will throw a warning message if used
+      afterwards).
+   
+
+   :param handle: the TopK handle.
+   
+
+   :returns: sum of all counts.
+   
+   .. zeek:see:: topk_init topk_add topk_get_top topk_count topk_epsilon
+      topk_size topk_merge topk_merge_prune
+
+
diff --git a/doc/scripts/base/bif/types.bif.zeek.rst b/doc/scripts/base/bif/types.bif.zeek.rst
new file mode 100644
index 0000000000..3300313b23
--- /dev/null
+++ b/doc/scripts/base/bif/types.bif.zeek.rst
@@ -0,0 +1,420 @@
+:tocdepth: 3
+
+base/bif/types.bif.zeek
+=======================
+.. zeek:namespace:: AF_Packet
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: MOUNT3
+.. zeek:namespace:: NFS3
+.. zeek:namespace:: Reporter
+.. zeek:namespace:: Tunnel
+
+Declaration of various types that the Zeek core uses internally.
+
+:Namespaces: AF_Packet, GLOBAL, MOUNT3, NFS3, Reporter, Tunnel
+
+Summary
+~~~~~~~
+Types
+#####
+======================================================= ====================================
+:zeek:type:`AF_Packet::ChecksumMode`: :zeek:type:`enum` Available checksum validation modes.
+:zeek:type:`AF_Packet::FanoutMode`: :zeek:type:`enum`   Available fanout modes.
+:zeek:type:`MOUNT3::auth_flavor_t`: :zeek:type:`enum`   
+:zeek:type:`MOUNT3::proc_t`: :zeek:type:`enum`          
+:zeek:type:`MOUNT3::status_t`: :zeek:type:`enum`        
+:zeek:type:`NFS3::createmode_t`: :zeek:type:`enum`      
+:zeek:type:`NFS3::file_type_t`: :zeek:type:`enum`       
+:zeek:type:`NFS3::proc_t`: :zeek:type:`enum`            
+:zeek:type:`NFS3::stable_how_t`: :zeek:type:`enum`      
+:zeek:type:`NFS3::status_t`: :zeek:type:`enum`          
+:zeek:type:`NFS3::time_how_t`: :zeek:type:`enum`        
+:zeek:type:`Reporter::Level`: :zeek:type:`enum`         
+:zeek:type:`TableChange`: :zeek:type:`enum`             
+:zeek:type:`Tunnel::Type`: :zeek:type:`enum`            
+:zeek:type:`layer3_proto`: :zeek:type:`enum`            
+:zeek:type:`link_encap`: :zeek:type:`enum`              
+:zeek:type:`rpc_status`: :zeek:type:`enum`              
+======================================================= ====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: AF_Packet::ChecksumMode
+   :source-code: base/bif/types.bif.zeek 288 288
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: AF_Packet::CHECKSUM_OFF AF_Packet::ChecksumMode
+
+         Ignore checksums, i.e. always assume they are correct.
+
+      .. zeek:enum:: AF_Packet::CHECKSUM_ON AF_Packet::ChecksumMode
+
+         Let Zeek compute and verify checksums.
+
+      .. zeek:enum:: AF_Packet::CHECKSUM_KERNEL AF_Packet::ChecksumMode
+
+         Let the kernel handle checksum offloading.
+         Note: Semantics may depend on the kernel and driver version.
+
+   Available checksum validation modes.
+
+.. zeek:type:: AF_Packet::FanoutMode
+   :source-code: base/bif/types.bif.zeek 278 278
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: AF_Packet::FANOUT_HASH AF_Packet::FanoutMode
+
+      .. zeek:enum:: AF_Packet::FANOUT_CPU AF_Packet::FanoutMode
+
+      .. zeek:enum:: AF_Packet::FANOUT_QM AF_Packet::FanoutMode
+
+      .. zeek:enum:: AF_Packet::FANOUT_CBPF AF_Packet::FanoutMode
+
+      .. zeek:enum:: AF_Packet::FANOUT_EBPF AF_Packet::FanoutMode
+
+   Available fanout modes.
+
+.. zeek:type:: MOUNT3::auth_flavor_t
+   :source-code: base/bif/types.bif.zeek 49 49
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: MOUNT3::AUTH_NULL MOUNT3::auth_flavor_t
+
+      .. zeek:enum:: MOUNT3::AUTH_UNIX MOUNT3::auth_flavor_t
+
+      .. zeek:enum:: MOUNT3::AUTH_SHORT MOUNT3::auth_flavor_t
+
+      .. zeek:enum:: MOUNT3::AUTH_DES MOUNT3::auth_flavor_t
+
+
+.. zeek:type:: MOUNT3::proc_t
+   :source-code: base/bif/types.bif.zeek 23 23
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: MOUNT3::PROC_NULL MOUNT3::proc_t
+
+      .. zeek:enum:: MOUNT3::PROC_MNT MOUNT3::proc_t
+
+      .. zeek:enum:: MOUNT3::PROC_DUMP MOUNT3::proc_t
+
+      .. zeek:enum:: MOUNT3::PROC_UMNT MOUNT3::proc_t
+
+      .. zeek:enum:: MOUNT3::PROC_UMNT_ALL MOUNT3::proc_t
+
+      .. zeek:enum:: MOUNT3::PROC_EXPORT MOUNT3::proc_t
+
+      .. zeek:enum:: MOUNT3::PROC_END_OF_PROCS MOUNT3::proc_t
+
+
+.. zeek:type:: MOUNT3::status_t
+   :source-code: base/bif/types.bif.zeek 34 34
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: MOUNT3::MNT3_OK MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_PERM MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_NOENT MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_IO MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_ACCES MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_NOTDIR MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_INVAL MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_NAMETOOLONG MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_NOTSUPP MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MNT3ERR_SERVERFAULT MOUNT3::status_t
+
+      .. zeek:enum:: MOUNT3::MOUNT3ERR_UNKNOWN MOUNT3::status_t
+
+
+.. zeek:type:: NFS3::createmode_t
+   :source-code: base/bif/types.bif.zeek 151 151
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NFS3::UNCHECKED NFS3::createmode_t
+
+      .. zeek:enum:: NFS3::GUARDED NFS3::createmode_t
+
+      .. zeek:enum:: NFS3::EXCLUSIVE NFS3::createmode_t
+
+
+.. zeek:type:: NFS3::file_type_t
+   :source-code: base/bif/types.bif.zeek 132 132
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NFS3::FTYPE_REG NFS3::file_type_t
+
+      .. zeek:enum:: NFS3::FTYPE_DIR NFS3::file_type_t
+
+      .. zeek:enum:: NFS3::FTYPE_BLK NFS3::file_type_t
+
+      .. zeek:enum:: NFS3::FTYPE_CHR NFS3::file_type_t
+
+      .. zeek:enum:: NFS3::FTYPE_LNK NFS3::file_type_t
+
+      .. zeek:enum:: NFS3::FTYPE_SOCK NFS3::file_type_t
+
+      .. zeek:enum:: NFS3::FTYPE_FIFO NFS3::file_type_t
+
+
+.. zeek:type:: NFS3::proc_t
+   :source-code: base/bif/types.bif.zeek 64 64
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NFS3::PROC_NULL NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_GETATTR NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_SETATTR NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_LOOKUP NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_ACCESS NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_READLINK NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_READ NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_WRITE NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_CREATE NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_MKDIR NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_SYMLINK NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_MKNOD NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_REMOVE NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_RMDIR NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_RENAME NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_LINK NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_READDIR NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_READDIRPLUS NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_FSSTAT NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_FSINFO NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_PATHCONF NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_COMMIT NFS3::proc_t
+
+      .. zeek:enum:: NFS3::PROC_END_OF_PROCS NFS3::proc_t
+
+
+.. zeek:type:: NFS3::stable_how_t
+   :source-code: base/bif/types.bif.zeek 144 144
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NFS3::UNSTABLE NFS3::stable_how_t
+
+      .. zeek:enum:: NFS3::DATA_SYNC NFS3::stable_how_t
+
+      .. zeek:enum:: NFS3::FILE_SYNC NFS3::stable_how_t
+
+
+.. zeek:type:: NFS3::status_t
+   :source-code: base/bif/types.bif.zeek 91 91
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NFS3::NFS3ERR_OK NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_PERM NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NOENT NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_IO NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NXIO NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_ACCES NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_EXIST NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_XDEV NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NODEV NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NOTDIR NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_ISDIR NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_INVAL NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_FBIG NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NOSPC NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_ROFS NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_MLINK NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NAMETOOLONG NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NOTEMPTY NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_DQUOT NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_STALE NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_REMOTE NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_BADHANDLE NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NOT_SYNC NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_BAD_COOKIE NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_NOTSUPP NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_TOOSMALL NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_SERVERFAULT NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_BADTYPE NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_JUKEBOX NFS3::status_t
+
+      .. zeek:enum:: NFS3::NFS3ERR_UNKNOWN NFS3::status_t
+
+
+.. zeek:type:: NFS3::time_how_t
+   :source-code: base/bif/types.bif.zeek 125 125
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NFS3::DONT_CHANGE NFS3::time_how_t
+
+      .. zeek:enum:: NFS3::SET_TO_SERVER_TIME NFS3::time_how_t
+
+      .. zeek:enum:: NFS3::SET_TO_CLIENT_TIME NFS3::time_how_t
+
+
+.. zeek:type:: Reporter::Level
+   :source-code: base/bif/types.bif.zeek 267 267
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Reporter::INFO Reporter::Level
+
+      .. zeek:enum:: Reporter::WARNING Reporter::Level
+
+      .. zeek:enum:: Reporter::ERROR Reporter::Level
+
+
+.. zeek:type:: TableChange
+   :source-code: base/bif/types.bif.zeek 256 256
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: TABLE_ELEMENT_NEW TableChange
+
+      .. zeek:enum:: TABLE_ELEMENT_CHANGED TableChange
+
+      .. zeek:enum:: TABLE_ELEMENT_REMOVED TableChange
+
+      .. zeek:enum:: TABLE_ELEMENT_EXPIRED TableChange
+
+
+.. zeek:type:: Tunnel::Type
+   :source-code: base/bif/types.bif.zeek 209 209
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Tunnel::NONE Tunnel::Type
+
+      .. zeek:enum:: Tunnel::IP Tunnel::Type
+
+      .. zeek:enum:: Tunnel::AYIYA Tunnel::Type
+
+      .. zeek:enum:: Tunnel::TEREDO Tunnel::Type
+
+      .. zeek:enum:: Tunnel::SOCKS Tunnel::Type
+
+      .. zeek:enum:: Tunnel::GTPv1 Tunnel::Type
+
+      .. zeek:enum:: Tunnel::HTTP Tunnel::Type
+
+      .. zeek:enum:: Tunnel::GRE Tunnel::Type
+
+      .. zeek:enum:: Tunnel::VXLAN Tunnel::Type
+
+      .. zeek:enum:: Tunnel::GENEVE Tunnel::Type
+
+
+.. zeek:type:: layer3_proto
+   :source-code: base/bif/types.bif.zeek 234 234
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: L3_IPV4 layer3_proto
+
+      .. zeek:enum:: L3_IPV6 layer3_proto
+
+      .. zeek:enum:: L3_ARP layer3_proto
+
+      .. zeek:enum:: L3_UNKNOWN layer3_proto
+
+
+.. zeek:type:: link_encap
+   :source-code: base/bif/types.bif.zeek 228 228
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LINK_ETHERNET link_encap
+
+      .. zeek:enum:: LINK_UNKNOWN link_encap
+
+
+.. zeek:type:: rpc_status
+   :source-code: base/bif/types.bif.zeek 6 6
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: RPC_SUCCESS rpc_status
+
+      .. zeek:enum:: RPC_PROG_UNAVAIL rpc_status
+
+      .. zeek:enum:: RPC_PROG_MISMATCH rpc_status
+
+      .. zeek:enum:: RPC_PROC_UNAVAIL rpc_status
+
+      .. zeek:enum:: RPC_GARBAGE_ARGS rpc_status
+
+      .. zeek:enum:: RPC_SYSTEM_ERR rpc_status
+
+      .. zeek:enum:: RPC_TIMEOUT rpc_status
+
+      .. zeek:enum:: RPC_VERS_MISMATCH rpc_status
+
+      .. zeek:enum:: RPC_AUTH_ERROR rpc_status
+
+      .. zeek:enum:: RPC_UNKNOWN_ERROR rpc_status
+
+
+
diff --git a/doc/scripts/base/bif/zeek.bif.zeek.rst b/doc/scripts/base/bif/zeek.bif.zeek.rst
new file mode 100644
index 0000000000..01d6cb3523
--- /dev/null
+++ b/doc/scripts/base/bif/zeek.bif.zeek.rst
@@ -0,0 +1,4065 @@
+:tocdepth: 3
+
+base/bif/zeek.bif.zeek
+======================
+.. zeek:namespace:: GLOBAL
+
+A collection of built-in functions that implement a variety of things
+such as general programming algorithms, string processing, math functions,
+introspection, type conversion, file/directory manipulation, packet
+filtering, interprocess communication and controlling protocol analyzer
+behavior.
+
+You'll find most of Zeek's built-in functions that aren't protocol-specific
+in this file.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+=============================================================== ========================================================================================
+:zeek:id:`EventMetadata::current`: :zeek:type:`function`        Query the current event's metadata with identifier *id*.
+:zeek:id:`EventMetadata::current_all`: :zeek:type:`function`    Query all of the current event's metadata.
+:zeek:id:`EventMetadata::register`: :zeek:type:`function`       Register the expected Zeek type for event metadata.
+:zeek:id:`__init_secondary_bifs`: :zeek:type:`function`         An internal function that helps initialize BIFs.
+:zeek:id:`active_file`: :zeek:type:`function`                   Checks whether a given file is open.
+:zeek:id:`addr_to_counts`: :zeek:type:`function`                Converts an :zeek:type:`addr` to an :zeek:type:`index_vec`.
+:zeek:id:`addr_to_ptr_name`: :zeek:type:`function`              Converts an IP address to a reverse pointer name.
+:zeek:id:`addr_to_subnet`: :zeek:type:`function`                Converts a :zeek:type:`addr` to a :zeek:type:`subnet`.
+:zeek:id:`all_set`: :zeek:type:`function`                       Tests whether *all* elements of a boolean vector (``vector of bool``) are
+                                                                true.
+:zeek:id:`anonymize_addr`: :zeek:type:`function`                Anonymizes an IP address.
+:zeek:id:`any_set`: :zeek:type:`function`                       Tests whether a boolean vector (``vector of bool``) has *any* true
+                                                                element.
+:zeek:id:`backtrace`: :zeek:type:`function`                     Returns a representation of the call stack as a vector of call stack
+                                                                elements, each containing call location information.
+:zeek:id:`bare_mode`: :zeek:type:`function`                     Returns whether Zeek was started in bare mode.
+:zeek:id:`blocking_lookup_hostname`: :zeek:type:`function`      Issues a synchronous DNS lookup.
+:zeek:id:`bytestring_to_count`: :zeek:type:`function`           Converts a string of bytes to a :zeek:type:`count`.
+:zeek:id:`bytestring_to_double`: :zeek:type:`function`          Converts a string of bytes representing a double value (in network byte order)
+                                                                to a :zeek:type:`double`.
+:zeek:id:`bytestring_to_float`: :zeek:type:`function`           Converts a string of bytes representing a float value (in network byte order)
+                                                                to a :zeek:type:`double`.
+:zeek:id:`bytestring_to_hexstr`: :zeek:type:`function`          Converts a string of bytes into its hexadecimal representation.
+:zeek:id:`calc_next_rotate`: :zeek:type:`function`              Calculates the duration until the next time a file is to be rotated, based
+                                                                on a given rotate interval.
+:zeek:id:`cat`: :zeek:type:`function`                           Returns the concatenation of the string representation of its arguments.
+:zeek:id:`cat_sep`: :zeek:type:`function`                       Concatenates all arguments, with a separator placed between each one.
+:zeek:id:`ceil`: :zeek:type:`function`                          Computes the smallest integer greater or equal than the given :zeek:type:`double` value.
+:zeek:id:`check_subnet`: :zeek:type:`function`                  Checks if a specific subnet is a member of a set/table[subnet].
+:zeek:id:`clear_table`: :zeek:type:`function`                   Removes all elements from a set or table.
+:zeek:id:`close`: :zeek:type:`function`                         Closes an open file and flushes any buffered content.
+:zeek:id:`compress_path`: :zeek:type:`function`                 Compresses a given path by removing '..'s and the parent directory it
+                                                                references and also removing dual '/'s and extraneous '/./'s.
+:zeek:id:`connection_exists`: :zeek:type:`function`             Checks whether a connection is (still) active.
+:zeek:id:`continue_processing`: :zeek:type:`function`           Resumes Zeek's packet processing.
+:zeek:id:`convert_for_pattern`: :zeek:type:`function`           Escapes a string so that it becomes a valid :zeek:type:`pattern` and can be
+                                                                used with the :zeek:id:`string_to_pattern`.
+:zeek:id:`count_to_double`: :zeek:type:`function`               Converts a :zeek:type:`count` to a :zeek:type:`double`.
+:zeek:id:`count_to_port`: :zeek:type:`function`                 Converts a :zeek:type:`count` and ``transport_proto`` to a :zeek:type:`port`.
+:zeek:id:`count_to_v4_addr`: :zeek:type:`function`              Converts a :zeek:type:`count` to an :zeek:type:`addr`.
+:zeek:id:`counts_to_addr`: :zeek:type:`function`                Converts an :zeek:type:`index_vec` to an :zeek:type:`addr`.
+:zeek:id:`current_analyzer`: :zeek:type:`function`              Returns the ID of the analyzer which raised the current event.
+:zeek:id:`current_event_time`: :zeek:type:`function`            Returns the timestamp of the last raised event.
+:zeek:id:`current_time`: :zeek:type:`function`                  Returns the current wall-clock time.
+:zeek:id:`decode_base64`: :zeek:type:`function`                 Decodes a Base64-encoded string.
+:zeek:id:`decode_base64_conn`: :zeek:type:`function`            Decodes a Base64-encoded string that was derived from processing a connection.
+:zeek:id:`disable_analyzer`: :zeek:type:`function`              Disables the analyzer which raised the current event (if the analyzer
+                                                                belongs to the given connection).
+:zeek:id:`disable_event_group`: :zeek:type:`function`           Disabled the given event group.
+:zeek:id:`disable_module_events`: :zeek:type:`function`         Disable all event handlers and hooks in the given module.
+:zeek:id:`do_profiling`: :zeek:type:`function`                  Enables detailed collection of profiling statistics.
+:zeek:id:`double_to_count`: :zeek:type:`function`               Converts a :zeek:type:`double` to a :zeek:type:`count`.
+:zeek:id:`double_to_int`: :zeek:type:`function`                 Converts a :zeek:type:`double` to a :zeek:type:`int`.
+:zeek:id:`double_to_interval`: :zeek:type:`function`            Converts a :zeek:type:`double` to an :zeek:type:`interval`.
+:zeek:id:`double_to_time`: :zeek:type:`function`                Converts a :zeek:type:`double` value to a :zeek:type:`time`.
+:zeek:id:`dump_current_packet`: :zeek:type:`function`           Writes the current packet to a file.
+:zeek:id:`dump_packet`: :zeek:type:`function`                   Writes a given packet to a file.
+:zeek:id:`dump_rule_stats`: :zeek:type:`function`               Write rule matcher statistics (DFA states, transitions, memory usage, cache
+                                                                hits/misses) to a file.
+:zeek:id:`enable_event_group`: :zeek:type:`function`            Enabled the given event group.
+:zeek:id:`enable_module_events`: :zeek:type:`function`          Enable all event handlers and hooks in the given module.
+:zeek:id:`enable_raw_output`: :zeek:type:`function`             Prevents escaping of non-ASCII characters when writing to a file.
+:zeek:id:`encode_base64`: :zeek:type:`function`                 Encodes a Base64-encoded string.
+:zeek:id:`entropy_test_add`: :zeek:type:`function`              Adds data to an incremental entropy calculation.
+:zeek:id:`entropy_test_finish`: :zeek:type:`function`           Finishes an incremental entropy calculation.
+:zeek:id:`entropy_test_init`: :zeek:type:`function`             Initializes data structures for incremental entropy calculation.
+:zeek:id:`enum_names`: :zeek:type:`function`                    Returns all value names associated with an enum type.
+:zeek:id:`enum_to_int`: :zeek:type:`function`                   Converts an :zeek:type:`enum` to an :zeek:type:`int`.
+:zeek:id:`exit`: :zeek:type:`function`                          Shuts down the Zeek process immediately.
+:zeek:id:`exp`: :zeek:type:`function`                           Computes the exponential function.
+:zeek:id:`file_magic`: :zeek:type:`function`                    Determines the MIME type of a piece of data using Zeek's file magic
+                                                                signatures.
+:zeek:id:`file_mode`: :zeek:type:`function`                     Converts UNIX file permissions given by a mode to an ASCII string.
+:zeek:id:`file_size`: :zeek:type:`function`                     Returns the size of a given file.
+:zeek:id:`filter_subnet_table`: :zeek:type:`function`           For a set[subnet]/table[subnet], create a new table that contains all entries
+                                                                that contain a given subnet.
+:zeek:id:`find_entropy`: :zeek:type:`function`                  Performs an entropy test on the given data.
+:zeek:id:`find_in_zeekpath`: :zeek:type:`function`              Determine the path used by a non-relative @load directive.
+:zeek:id:`floor`: :zeek:type:`function`                         Computes the greatest integer less than the given :zeek:type:`double` value.
+:zeek:id:`flush_all`: :zeek:type:`function`                     Flushes all open files to disk.
+:zeek:id:`fmt`: :zeek:type:`function`                           Produces a formatted string à la ``printf``.
+:zeek:id:`fnv1a32`: :zeek:type:`function`                       Returns 32-bit digest of arbitrary input values using FNV-1a hash algorithm.
+:zeek:id:`fnv1a64`: :zeek:type:`function`                       Returns 64-bit digest of arbitrary input values using FNV-1a hash algorithm.
+:zeek:id:`from_json`: :zeek:type:`function`                     A function to convert a JSON string into Zeek values of a given type.
+:zeek:id:`generate_all_events`: :zeek:type:`function`           By default, zeek does not generate (raise) events that have not handled by
+                                                                any scripts.
+:zeek:id:`get_conn_transport_proto`: :zeek:type:`function`      Extracts the transport protocol from a connection.
+:zeek:id:`get_current_packet`: :zeek:type:`function`            Returns the currently processed PCAP packet.
+:zeek:id:`get_current_packet_header`: :zeek:type:`function`     Function to get the raw headers of the currently processed packet.
+:zeek:id:`get_current_packet_ts`: :zeek:type:`function`         Returns the currently processed PCAP packet's timestamp or a 0 timestamp if
+                                                                there is no packet being processed at the moment.
+:zeek:id:`get_file_name`: :zeek:type:`function`                 Gets the filename associated with a file handle.
+:zeek:id:`get_plugin_components`: :zeek:type:`function`         Get a list of tags available for a plugin category.
+:zeek:id:`get_port_transport_proto`: :zeek:type:`function`      Extracts the transport protocol from a :zeek:type:`port`.
+:zeek:id:`getenv`: :zeek:type:`function`                        Returns a system environment variable.
+:zeek:id:`gethostname`: :zeek:type:`function`                   Returns the hostname of the machine Zeek runs on.
+:zeek:id:`getpid`: :zeek:type:`function`                        Returns Zeek's process ID.
+:zeek:id:`global_container_footprints`: :zeek:type:`function`   Generates a table of the "footprint" of all global container variables.
+:zeek:id:`global_ids`: :zeek:type:`function`                    Generates a table with information about all global identifiers.
+:zeek:id:`global_options`: :zeek:type:`function`                Returns a set giving the names of all global options.
+:zeek:id:`has_event_group`: :zeek:type:`function`               Does an attribute event group with this name exist?
+:zeek:id:`has_module_events`: :zeek:type:`function`             Does a module event group with this name exist?
+:zeek:id:`have_spicy`: :zeek:type:`function`                    Returns true if Zeek was built with support for using Spicy analyzers (which
+                                                                is the default).
+:zeek:id:`have_spicy_analyzers`: :zeek:type:`function`          Returns true if Zeek was built with support for its in-tree Spicy analyzers
+                                                                (which is the default if Spicy support is available).
+:zeek:id:`haversine_distance`: :zeek:type:`function`            Calculates distance between two geographic locations using the haversine
+                                                                formula.
+:zeek:id:`hexstr_to_bytestring`: :zeek:type:`function`          Converts a hex-string into its binary representation.
+:zeek:id:`hrw_weight`: :zeek:type:`function`                    Calculates a weight value for use in a Rendezvous Hashing algorithm.
+:zeek:id:`identify_data`: :zeek:type:`function`                 Determines the MIME type of a piece of data using Zeek's file magic
+                                                                signatures.
+:zeek:id:`install_dst_addr_filter`: :zeek:type:`function`       Installs a filter to drop packets destined to a given IP address with
+                                                                a certain probability if none of a given set of TCP flags are set.
+:zeek:id:`install_dst_net_filter`: :zeek:type:`function`        Installs a filter to drop packets destined to a given subnet with
+                                                                a certain probability if none of a given set of TCP flags are set.
+:zeek:id:`install_src_addr_filter`: :zeek:type:`function`       Installs a filter to drop packets from a given IP source address with
+                                                                a certain probability if none of a given set of TCP flags are set.
+:zeek:id:`install_src_net_filter`: :zeek:type:`function`        Installs a filter to drop packets originating from a given subnet with
+                                                                a certain probability if none of a given set of TCP flags are set.
+:zeek:id:`int_to_count`: :zeek:type:`function`                  Converts a (positive) :zeek:type:`int` to a :zeek:type:`count`.
+:zeek:id:`int_to_double`: :zeek:type:`function`                 Converts an :zeek:type:`int` to a :zeek:type:`double`.
+:zeek:id:`interval_to_double`: :zeek:type:`function`            Converts an :zeek:type:`interval` to a :zeek:type:`double`.
+:zeek:id:`is_event_handled`: :zeek:type:`function`              Check if an event is handled.
+:zeek:id:`is_file_analyzer`: :zeek:type:`function`              Returns true if the given tag belongs to a file analyzer.
+:zeek:id:`is_icmp_port`: :zeek:type:`function`                  Checks whether a given :zeek:type:`port` has ICMP as transport protocol.
+:zeek:id:`is_local_interface`: :zeek:type:`function`            Checks whether a given IP address belongs to a local interface.
+:zeek:id:`is_packet_analyzer`: :zeek:type:`function`            Returns true if the given tag belongs to a packet analyzer.
+:zeek:id:`is_processing_suspended`: :zeek:type:`function`       Returns whether or not processing is currently suspended.
+:zeek:id:`is_protocol_analyzer`: :zeek:type:`function`          Returns true if the given tag belongs to a protocol analyzer.
+:zeek:id:`is_remote_event`: :zeek:type:`function`               Checks whether the current event came from a remote peer.
+:zeek:id:`is_tcp_port`: :zeek:type:`function`                   Checks whether a given :zeek:type:`port` has TCP as transport protocol.
+:zeek:id:`is_udp_port`: :zeek:type:`function`                   Checks whether a given :zeek:type:`port` has UDP as transport protocol.
+:zeek:id:`is_v4_addr`: :zeek:type:`function`                    Returns whether an address is IPv4 or not.
+:zeek:id:`is_v4_subnet`: :zeek:type:`function`                  Returns whether a subnet specification is IPv4 or not.
+:zeek:id:`is_v6_addr`: :zeek:type:`function`                    Returns whether an address is IPv6 or not.
+:zeek:id:`is_v6_subnet`: :zeek:type:`function`                  Returns whether a subnet specification is IPv6 or not.
+:zeek:id:`is_valid_ip`: :zeek:type:`function`                   Checks if a string is a valid IPv4 or IPv6 address.
+:zeek:id:`is_valid_subnet`: :zeek:type:`function`               Checks if a string is a valid IPv4 or IPv6 subnet.
+:zeek:id:`ln`: :zeek:type:`function`                            Computes the natural logarithm of a number.
+:zeek:id:`log10`: :zeek:type:`function`                         Computes the common logarithm of a number.
+:zeek:id:`log2`: :zeek:type:`function`                          Computes the base 2 logarithm of a number.
+:zeek:id:`lookup_ID`: :zeek:type:`function`                     Returns the value of a global identifier.
+:zeek:id:`lookup_addr`: :zeek:type:`function`                   Issues an asynchronous reverse DNS lookup and delays the function result.
+:zeek:id:`lookup_connection`: :zeek:type:`function`             Returns the :zeek:type:`connection` record for a given connection identifier.
+:zeek:id:`lookup_connection_analyzer_id`: :zeek:type:`function` Returns the numeric ID of the requested protocol analyzer for the given
+                                                                connection.
+:zeek:id:`lookup_hostname`: :zeek:type:`function`               Issues an asynchronous DNS lookup and delays the function result.
+:zeek:id:`lookup_hostname_txt`: :zeek:type:`function`           Issues an asynchronous TEXT DNS lookup and delays the function result.
+:zeek:id:`mask_addr`: :zeek:type:`function`                     Masks an address down to the number of given upper bits.
+:zeek:id:`match_signatures`: :zeek:type:`function`              Manually triggers the signature engine for a given connection.
+:zeek:id:`matching_subnets`: :zeek:type:`function`              Gets all subnets that contain a given subnet from a set/table[subnet].
+:zeek:id:`md5_hash`: :zeek:type:`function`                      Computes the MD5 hash value of the provided list of arguments.
+:zeek:id:`md5_hash_finish`: :zeek:type:`function`               Returns the final MD5 digest of an incremental hash computation.
+:zeek:id:`md5_hash_init`: :zeek:type:`function`                 Constructs an MD5 handle to enable incremental hash computation.
+:zeek:id:`md5_hash_update`: :zeek:type:`function`               Updates the MD5 value associated with a given index.
+:zeek:id:`md5_hmac`: :zeek:type:`function`                      Computes an HMAC-MD5 hash value of the provided list of arguments.
+:zeek:id:`mkdir`: :zeek:type:`function`                         Creates a new directory.
+:zeek:id:`network_time`: :zeek:type:`function`                  Returns the timestamp of the last packet processed.
+:zeek:id:`open`: :zeek:type:`function`                          Opens a file for writing.
+:zeek:id:`open_for_append`: :zeek:type:`function`               Opens a file for writing or appending.
+:zeek:id:`order`: :zeek:type:`function`                         Returns the order of the elements in a vector according to some
+                                                                comparison function.
+:zeek:id:`packet_source`: :zeek:type:`function`                 Returns: the packet source being read by Zeek.
+:zeek:id:`paraglob_equals`: :zeek:type:`function`               Compares two paraglobs for equality.
+:zeek:id:`paraglob_init`: :zeek:type:`function`                 Initializes and returns a new paraglob.
+:zeek:id:`paraglob_match`: :zeek:type:`function`                Gets all the patterns inside the handle associated with an input string.
+:zeek:id:`piped_exec`: :zeek:type:`function`                    Opens a program with ``popen`` and writes a given string to the returned
+                                                                stream to send it to the opened process's stdin.
+:zeek:id:`port_to_count`: :zeek:type:`function`                 Converts a :zeek:type:`port` to a :zeek:type:`count`.
+:zeek:id:`pow`: :zeek:type:`function`                           Computes the *x* raised to the power *y*.
+:zeek:id:`preserve_prefix`: :zeek:type:`function`               Preserves the prefix of an IP address in anonymization.
+:zeek:id:`preserve_subnet`: :zeek:type:`function`               Preserves the prefix of a subnet in anonymization.
+:zeek:id:`print_raw`: :zeek:type:`function`                     Renders a sequence of values to a string of bytes and outputs them directly
+                                                                to ``stdout`` with no additional escape sequences added.
+:zeek:id:`ptr_name_to_addr`: :zeek:type:`function`              Converts a reverse pointer name to an address.
+:zeek:id:`rand`: :zeek:type:`function`                          Generates a random number.
+:zeek:id:`raw_bytes_to_v4_addr`: :zeek:type:`function`          Converts a :zeek:type:`string` of bytes into an IPv4 address.
+:zeek:id:`raw_bytes_to_v6_addr`: :zeek:type:`function`          Converts a :zeek:type:`string` of bytes into an IPv6 address.
+:zeek:id:`reading_live_traffic`: :zeek:type:`function`          Checks whether Zeek reads traffic from one or more network interfaces (as
+                                                                opposed to from a network trace in a file).
+:zeek:id:`reading_traces`: :zeek:type:`function`                Checks whether Zeek reads traffic from a trace file (as opposed to from a
+                                                                network interface).
+:zeek:id:`record_fields`: :zeek:type:`function`                 Generates metadata about a record's fields.
+:zeek:id:`remask_addr`: :zeek:type:`function`                   Takes some top bits (such as a subnet address) from one address and the other
+                                                                bits (intra-subnet part) from a second address and merges them to get a new
+                                                                address.
+:zeek:id:`rename`: :zeek:type:`function`                        Renames a file from src_f to dst_f.
+:zeek:id:`resize`: :zeek:type:`function`                        Resizes a vector.
+:zeek:id:`rmdir`: :zeek:type:`function`                         Removes a directory.
+:zeek:id:`rotate_file`: :zeek:type:`function`                   Rotates a file.
+:zeek:id:`rotate_file_by_name`: :zeek:type:`function`           Rotates a file identified by its name.
+:zeek:id:`routing0_data_to_addrs`: :zeek:type:`function`        Converts the *data* field of :zeek:type:`ip6_routing` records that have
+                                                                *rtype* of 0 into a vector of addresses.
+:zeek:id:`same_object`: :zeek:type:`function`                   Checks whether two objects reference the same internal object.
+:zeek:id:`set_buf`: :zeek:type:`function`                       Alters the buffering behavior of a file.
+:zeek:id:`set_inactivity_timeout`: :zeek:type:`function`        Sets an individual inactivity timeout for a connection and thus
+                                                                overrides the global inactivity timeout.
+:zeek:id:`set_network_time`: :zeek:type:`function`              Sets the timestamp associated with the last packet processed.
+:zeek:id:`set_record_packets`: :zeek:type:`function`            Controls whether packet contents belonging to a connection should be
+                                                                recorded (when ``-w`` option is provided on the command line).
+:zeek:id:`setenv`: :zeek:type:`function`                        Sets a system environment variable.
+:zeek:id:`sha1_hash`: :zeek:type:`function`                     Computes the SHA1 hash value of the provided list of arguments.
+:zeek:id:`sha1_hash_finish`: :zeek:type:`function`              Returns the final SHA1 digest of an incremental hash computation.
+:zeek:id:`sha1_hash_init`: :zeek:type:`function`                Constructs an SHA1 handle to enable incremental hash computation.
+:zeek:id:`sha1_hash_update`: :zeek:type:`function`              Updates the SHA1 value associated with a given index.
+:zeek:id:`sha256_hash`: :zeek:type:`function`                   Computes the SHA256 hash value of the provided list of arguments.
+:zeek:id:`sha256_hash_finish`: :zeek:type:`function`            Returns the final SHA256 digest of an incremental hash computation.
+:zeek:id:`sha256_hash_init`: :zeek:type:`function`              Constructs an SHA256 handle to enable incremental hash computation.
+:zeek:id:`sha256_hash_update`: :zeek:type:`function`            Updates the SHA256 value associated with a given index.
+:zeek:id:`skip_further_processing`: :zeek:type:`function`       Informs Zeek that it should skip any further processing of the contents of
+                                                                a given connection.
+:zeek:id:`sleep`: :zeek:type:`function`                         Sleeps for the given amount of time.
+:zeek:id:`sort`: :zeek:type:`function`                          Sorts a vector in place.
+:zeek:id:`sqrt`: :zeek:type:`function`                          Computes the square root of a :zeek:type:`double`.
+:zeek:id:`srand`: :zeek:type:`function`                         Sets the seed for subsequent :zeek:id:`rand` calls.
+:zeek:id:`strftime`: :zeek:type:`function`                      Formats a given time value according to a format string.
+:zeek:id:`string_to_pattern`: :zeek:type:`function`             Converts a :zeek:type:`string` into a :zeek:type:`pattern`.
+:zeek:id:`strptime`: :zeek:type:`function`                      Parse a textual representation of a date/time value into a ``time`` type value.
+:zeek:id:`subnet_to_addr`: :zeek:type:`function`                Converts a :zeek:type:`subnet` to an :zeek:type:`addr` by
+                                                                extracting the prefix.
+:zeek:id:`subnet_width`: :zeek:type:`function`                  Returns the width of a :zeek:type:`subnet`.
+:zeek:id:`suspend_processing`: :zeek:type:`function`            Stops Zeek's packet processing.
+:zeek:id:`syslog`: :zeek:type:`function`                        Send a string to syslog.
+:zeek:id:`system`: :zeek:type:`function`                        Invokes a command via the ``system`` function of the OS.
+:zeek:id:`system_env`: :zeek:type:`function`                    Invokes a command via the ``system`` function of the OS with a prepared
+                                                                environment.
+:zeek:id:`table_keys`: :zeek:type:`function`                    Gets all keys from a table.
+:zeek:id:`table_pattern_matcher_stats`: :zeek:type:`function`   Return MatcherStats for a table[pattern] or set[pattern] value.
+:zeek:id:`table_values`: :zeek:type:`function`                  Gets all values from a table.
+:zeek:id:`terminate`: :zeek:type:`function`                     Gracefully shut down Zeek by terminating outstanding processing.
+:zeek:id:`time_to_double`: :zeek:type:`function`                Converts a :zeek:type:`time` value to a :zeek:type:`double`.
+:zeek:id:`to_addr`: :zeek:type:`function`                       Converts a :zeek:type:`string` to an :zeek:type:`addr`.
+:zeek:id:`to_count`: :zeek:type:`function`                      Converts a :zeek:type:`string` to a :zeek:type:`count`.
+:zeek:id:`to_double`: :zeek:type:`function`                     Converts a :zeek:type:`string` to a :zeek:type:`double`.
+:zeek:id:`to_int`: :zeek:type:`function`                        Converts a :zeek:type:`string` to an :zeek:type:`int`.
+:zeek:id:`to_json`: :zeek:type:`function`                       A function to convert arbitrary Zeek data into a JSON string.
+:zeek:id:`to_port`: :zeek:type:`function`                       Converts a :zeek:type:`string` to a :zeek:type:`port`.
+:zeek:id:`to_subnet`: :zeek:type:`function`                     Converts a :zeek:type:`string` to a :zeek:type:`subnet`.
+:zeek:id:`type_aliases`: :zeek:type:`function`                  Returns all type name aliases of a value or type.
+:zeek:id:`type_name`: :zeek:type:`function`                     Returns the type name of an arbitrary Zeek variable.
+:zeek:id:`uninstall_dst_addr_filter`: :zeek:type:`function`     Removes a destination address filter.
+:zeek:id:`uninstall_dst_net_filter`: :zeek:type:`function`      Removes a destination subnet filter.
+:zeek:id:`uninstall_src_addr_filter`: :zeek:type:`function`     Removes a source address filter.
+:zeek:id:`uninstall_src_net_filter`: :zeek:type:`function`      Removes a source subnet filter.
+:zeek:id:`unique_id`: :zeek:type:`function`                     Creates an identifier that is unique with high probability.
+:zeek:id:`unique_id_from`: :zeek:type:`function`                Creates an identifier that is unique with high probability.
+:zeek:id:`unlink`: :zeek:type:`function`                        Removes a file from a directory.
+:zeek:id:`uuid_to_string`: :zeek:type:`function`                Converts a bytes representation of a UUID into its string form.
+:zeek:id:`val_footprint`: :zeek:type:`function`                 Computes a value's "footprint": the number of objects the value contains
+                                                                either directly or indirectly.
+:zeek:id:`write_file`: :zeek:type:`function`                    Writes data to an open file.
+:zeek:id:`zeek_args`: :zeek:type:`function`                     Returns: list of command-line arguments (``argv``) used to run Zeek.
+:zeek:id:`zeek_is_terminating`: :zeek:type:`function`           Checks if Zeek is terminating.
+:zeek:id:`zeek_version`: :zeek:type:`function`                  Returns the Zeek version string.
+=============================================================== ========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: EventMetadata::current
+   :source-code: base/bif/zeek.bif.zeek 90 90
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`EventMetadata::ID`) : :zeek:type:`any_vec`
+
+   Query the current event's metadata with identifier *id*.
+   
+
+   :param id: The metadata identifier, e.g. ``EventMetadata::NETWORK_TIMESTAMP``.
+   
+
+   :returns: A vector of values. The vector is empty if no metadata with
+            the given identifier is attached to this event, otherwise a
+            vector whose elements are of the type used during registration.
+   
+   .. zeek:see:: EventMetadata::register EventMetadata::current_all
+
+.. zeek:id:: EventMetadata::current_all
+   :source-code: base/bif/zeek.bif.zeek 99 99
+
+   :Type: :zeek:type:`function` () : :zeek:type:`event_metadata_vec`
+
+   Query all of the current event's metadata.
+   
+
+   :returns: A vector :zeek:see:`EventMetadata::Entry` elements holding all
+            the metadata attached to this event.
+   
+   .. zeek:see:: EventMetadata::register EventMetadata::current
+
+.. zeek:id:: EventMetadata::register
+   :source-code: base/bif/zeek.bif.zeek 78 78
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`EventMetadata::ID`, t: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Register the expected Zeek type for event metadata.
+   
+
+   :param id: The event metadata identifier.
+   
+
+   :param t: A type expression or type alias. The type cannot be ``any``, ``func``,
+      ``file``, ``opaque`` or a composite type containing one of these types.
+   
+
+   :returns: true if the registration was successful, false if *id* is
+            registered with a different type already, or type is invalid.
+   
+   .. zeek:see:: EventMetadata::current EventMetadata::current_all
+
+.. zeek:id:: __init_secondary_bifs
+   :source-code: base/bif/zeek.bif.zeek 2567 2567
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   An internal function that helps initialize BIFs.
+
+.. zeek:id:: active_file
+   :source-code: base/bif/zeek.bif.zeek 2247 2247
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`file`) : :zeek:type:`bool`
+
+   Checks whether a given file is open.
+   
+
+   :param f: The file to check.
+   
+
+   :returns: True if *f* is an open :zeek:type:`file`.
+   
+   .. todo:: Rename to ``is_open``.
+
+.. zeek:id:: addr_to_counts
+   :source-code: base/bif/zeek.bif.zeek 1247 1247
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`index_vec`
+
+   Converts an :zeek:type:`addr` to an :zeek:type:`index_vec`.
+   
+
+   :param a: The address to convert into a vector of counts.
+   
+
+   :returns: A vector containing the host-order address representation,
+            four elements in size for IPv6 addresses, or one element for IPv4.
+   
+   .. zeek:see:: counts_to_addr
+
+.. zeek:id:: addr_to_ptr_name
+   :source-code: base/bif/zeek.bif.zeek 1589 1589
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`string`
+
+   Converts an IP address to a reverse pointer name. For example,
+   ``192.168.0.1`` to ``1.0.168.192.in-addr.arpa``.
+   
+
+   :param a: The IP address to convert to a reverse pointer name.
+   
+
+   :returns: The reverse pointer representation of *a*.
+   
+   .. zeek:see:: ptr_name_to_addr to_addr
+
+.. zeek:id:: addr_to_subnet
+   :source-code: base/bif/zeek.bif.zeek 1455 1455
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`subnet`
+
+   Converts a :zeek:type:`addr` to a :zeek:type:`subnet`.
+   
+
+   :param a: The address to convert.
+   
+
+   :returns: The address as a :zeek:type:`subnet`.
+   
+   .. zeek:see:: to_subnet
+
+.. zeek:id:: all_set
+   :source-code: base/bif/zeek.bif.zeek 759 759
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Tests whether *all* elements of a boolean vector (``vector of bool``) are
+   true.
+   
+
+   :param v: The boolean vector instance.
+   
+
+   :returns: True iff all elements in *v* are true or there are no elements.
+   
+   .. zeek:see:: any_set
+   
+   .. note::
+   
+        Missing elements count as false.
+
+.. zeek:id:: anonymize_addr
+   :source-code: base/bif/zeek.bif.zeek 2620 2620
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, cl: :zeek:type:`IPAddrAnonymizationClass`) : :zeek:type:`addr`
+
+   Anonymizes an IP address.
+   
+
+   :param a: The address to anonymize.
+   
+
+   :param cl: The anonymization class, which can take on three different values:
+   
+       - ``ORIG_ADDR``: Tag *a* as an originator address.
+   
+       - ``RESP_ADDR``: Tag *a* as an responder address.
+   
+       - ``OTHER_ADDR``: Tag *a* as an arbitrary address.
+   
+
+   :returns: An anonymized version of *a*.
+   
+   .. zeek:see:: preserve_prefix preserve_subnet
+   
+   .. todo:: Currently dysfunctional.
+
+.. zeek:id:: any_set
+   :source-code: base/bif/zeek.bif.zeek 744 744
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Tests whether a boolean vector (``vector of bool``) has *any* true
+   element.
+   
+
+   :param v: The boolean vector instance.
+   
+
+   :returns: True if any element in *v* is true.
+   
+   .. zeek:see:: all_set
+
+.. zeek:id:: backtrace
+   :source-code: base/bif/zeek.bif.zeek 1220 1220
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Backtrace`
+
+   Returns a representation of the call stack as a vector of call stack
+   elements, each containing call location information.
+   
+
+   :returns: the call stack information, including function, file, and line
+            location information.
+
+.. zeek:id:: bare_mode
+   :source-code: base/bif/zeek.bif.zeek 997 997
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Returns whether Zeek was started in bare mode.
+   
+
+   :returns: True if Zeek was started in bare mode, false otherwise.
+
+.. zeek:id:: blocking_lookup_hostname
+   :source-code: base/bif/zeek.bif.zeek 1977 1977
+
+   :Type: :zeek:type:`function` (host: :zeek:type:`string`) : :zeek:type:`addr_set`
+
+   Issues a synchronous DNS lookup.
+   
+
+   :param host: The hostname to lookup.
+   
+
+   :returns: A set addresses, either IPv4 or IPv6, associated with *host*.
+   
+   .. zeek:see:: lookup_addr
+   
+   .. note::
+   
+        This is a blocking call. You should use :zeek:see:`lookup_hostname`
+        unless for initialization or testing purposes.
+   
+   .. zeek:see:: lookup_addr lookup_hostname
+
+.. zeek:id:: bytestring_to_count
+   :source-code: base/bif/zeek.bif.zeek 1567 1567
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, is_le: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`count`
+
+   Converts a string of bytes to a :zeek:type:`count`.
+   
+
+   :param s: A string of bytes containing the binary representation of the value.
+   
+
+   :param is_le: If true, *s* is assumed to be in little endian format, else it's big endian.
+   
+
+   :returns: The value contained in *s*, or 0 if the conversion failed.
+   
+
+.. zeek:id:: bytestring_to_double
+   :source-code: base/bif/zeek.bif.zeek 1543 1543
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`double`
+
+   Converts a string of bytes representing a double value (in network byte order)
+   to a :zeek:type:`double`. This is similar to :zeek:id:`bytestring_to_float`
+   but works on 8-byte strings.
+   
+
+   :param s: A string of bytes containing the binary representation of a double value.
+   
+
+   :returns: The double value contained in *s*, or 0 if the conversion
+            failed.
+   
+   .. zeek:see:: bytestring_to_float
+
+.. zeek:id:: bytestring_to_float
+   :source-code: base/bif/zeek.bif.zeek 1556 1556
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`double`
+
+   Converts a string of bytes representing a float value (in network byte order)
+   to a :zeek:type:`double`. This is similar to :zeek:id:`bytestring_to_double`
+   but works on 4-byte strings.
+   
+
+   :param s: A string of bytes containing the binary representation of a float value.
+   
+
+   :returns: The float value contained in *s*, or 0 if the conversion
+            failed.
+   
+   .. zeek:see:: bytestring_to_double
+
+.. zeek:id:: bytestring_to_hexstr
+   :source-code: base/bif/zeek.bif.zeek 1600 1600
+
+   :Type: :zeek:type:`function` (bytestring: :zeek:type:`string`) : :zeek:type:`string`
+
+   Converts a string of bytes into its hexadecimal representation.
+   For example, ``"04"`` would be converted to ``"3034"``.
+   
+
+   :param bytestring: The string of bytes.
+   
+
+   :returns: The hexadecimal representation of *bytestring*.
+   
+   .. zeek:see:: hexdump hexstr_to_bytestring
+
+.. zeek:id:: calc_next_rotate
+   :source-code: base/bif/zeek.bif.zeek 2290 2290
+
+   :Type: :zeek:type:`function` (i: :zeek:type:`interval`) : :zeek:type:`interval`
+
+   Calculates the duration until the next time a file is to be rotated, based
+   on a given rotate interval.
+   
+
+   :param i: The rotate interval to base the calculation on.
+   
+
+   :returns: The duration until the next file rotation time.
+   
+   .. zeek:see:: rotate_file rotate_file_by_name
+
+.. zeek:id:: cat
+   :source-code: base/bif/zeek.bif.zeek 803 803
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`string`
+
+   Returns the concatenation of the string representation of its arguments. The
+   arguments can be of any type. For example, ``cat("foo", 3, T)`` returns
+   ``"foo3T"``.
+   
+
+   :returns: A string concatenation of all arguments.
+
+.. zeek:id:: cat_sep
+   :source-code: base/bif/zeek.bif.zeek 819 819
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`string`
+
+   Concatenates all arguments, with a separator placed between each one. This
+   function is similar to :zeek:id:`cat`, but places a separator between each
+   given argument. If any of the variable arguments is an empty string it is
+   replaced by the given default string instead.
+   
+
+   :param sep: The separator to place between each argument.
+   
+
+   :param def: The default string to use when an argument is the empty string.
+   
+
+   :returns: A concatenation of all arguments with *sep* between each one and
+            empty strings replaced with *def*.
+   
+   .. zeek:see:: cat string_cat
+
+.. zeek:id:: ceil
+   :source-code: base/bif/zeek.bif.zeek 900 900
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`double`
+
+   Computes the smallest integer greater or equal than the given :zeek:type:`double` value.
+   For example, ``ceil(3.14)`` returns ``4.0``, and ``ceil(-3.14)``
+   returns ``-3.0``.
+   
+
+   :param d: The :zeek:type:`double` to manipulate.
+   
+
+   :returns: The next lowest integer of *d* as :zeek:type:`double`.
+   
+   .. zeek:see:: floor sqrt exp ln log2 log10 pow
+
+.. zeek:id:: check_subnet
+   :source-code: base/bif/zeek.bif.zeek 711 711
+
+   :Type: :zeek:type:`function` (search: :zeek:type:`subnet`, t: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Checks if a specific subnet is a member of a set/table[subnet].
+   In contrast to the ``in`` operator, this performs an exact match, not
+   a longest prefix match.
+   
+
+   :param search: the subnet to search for.
+   
+
+   :param t: the set[subnet] or table[subnet].
+   
+
+   :returns: True if the exact subnet is a member, false otherwise.
+
+.. zeek:id:: clear_table
+   :source-code: base/bif/zeek.bif.zeek 658 658
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`any`) : :zeek:type:`any`
+
+   Removes all elements from a set or table.
+   
+
+   :param v: The set or table
+
+.. zeek:id:: close
+   :source-code: base/bif/zeek.bif.zeek 2144 2144
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`file`) : :zeek:type:`bool`
+
+   Closes an open file and flushes any buffered content.
+   
+
+   :param f: A :zeek:type:`file` handle to an open file.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: active_file open open_for_append write_file
+                get_file_name set_buf flush_all mkdir enable_raw_output
+                rmdir unlink rename
+
+.. zeek:id:: compress_path
+   :source-code: base/bif/zeek.bif.zeek 2683 2683
+
+   :Type: :zeek:type:`function` (dir: :zeek:type:`string`) : :zeek:type:`string`
+
+   Compresses a given path by removing '..'s and the parent directory it
+   references and also removing dual '/'s and extraneous '/./'s.
+   
+
+   :param dir: a path string, either relative or absolute.
+   
+
+   :returns: a compressed version of the input path.
+
+.. zeek:id:: connection_exists
+   :source-code: base/bif/zeek.bif.zeek 1827 1827
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+   Checks whether a connection is (still) active.
+   
+
+   :param c: The connection id to check.
+   
+
+   :returns: True if the connection identified by *c* exists.
+   
+   .. zeek:see:: lookup_connection
+
+.. zeek:id:: continue_processing
+   :source-code: base/bif/zeek.bif.zeek 2522 2522
+
+   :Type: :zeek:type:`function` () : :zeek:type:`any`
+
+   Resumes Zeek's packet processing.
+   
+   .. zeek:see:: suspend_processing
+                 is_processing_suspended
+
+.. zeek:id:: convert_for_pattern
+   :source-code: base/bif/zeek.bif.zeek 1686 1686
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string`
+
+   Escapes a string so that it becomes a valid :zeek:type:`pattern` and can be
+   used with the :zeek:id:`string_to_pattern`. Any character from the set
+   ``^$-:"\/|*+?.(){}[]`` is prefixed with a ``\``.
+   
+
+   :param s: The string to escape.
+   
+
+   :returns: An escaped version of *s* that has the structure of a valid
+            :zeek:type:`pattern`.
+   
+   .. zeek:see:: string_to_pattern
+   
+
+.. zeek:id:: count_to_double
+   :source-code: base/bif/zeek.bif.zeek 1343 1343
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`count`) : :zeek:type:`double`
+
+   Converts a :zeek:type:`count` to a :zeek:type:`double`.
+   
+
+   :param c: The :zeek:type:`count` to convert.
+   
+
+   :returns: The :zeek:type:`count` *c* as :zeek:type:`double`.
+   
+   .. zeek:see:: int_to_double double_to_count
+
+.. zeek:id:: count_to_port
+   :source-code: base/bif/zeek.bif.zeek 1405 1405
+
+   :Type: :zeek:type:`function` (num: :zeek:type:`count`, proto: :zeek:type:`transport_proto`) : :zeek:type:`port`
+
+   Converts a :zeek:type:`count` and ``transport_proto`` to a :zeek:type:`port`.
+   
+
+   :param num: The :zeek:type:`port` number.
+   
+
+   :param proto: The transport protocol.
+   
+
+   :returns: The :zeek:type:`count` *num* as :zeek:type:`port`.
+   
+   .. zeek:see:: port_to_count
+
+.. zeek:id:: count_to_v4_addr
+   :source-code: base/bif/zeek.bif.zeek 1496 1496
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`count`) : :zeek:type:`addr`
+
+   Converts a :zeek:type:`count` to an :zeek:type:`addr`.
+   
+
+   :param ip: The :zeek:type:`count` to convert.
+   
+
+   :returns: The :zeek:type:`count` *ip* as :zeek:type:`addr`.
+   
+   .. zeek:see:: raw_bytes_to_v4_addr to_addr to_subnet raw_bytes_to_v6_addr
+
+.. zeek:id:: counts_to_addr
+   :source-code: base/bif/zeek.bif.zeek 1258 1258
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`index_vec`) : :zeek:type:`addr`
+
+   Converts an :zeek:type:`index_vec` to an :zeek:type:`addr`.
+   
+
+   :param v: The vector containing host-order IP address representation,
+      one element for IPv4 addresses, four elements for IPv6 addresses.
+   
+
+   :returns: An IP address.
+   
+   .. zeek:see:: addr_to_counts
+
+.. zeek:id:: current_analyzer
+   :source-code: base/bif/zeek.bif.zeek 975 975
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+   Returns the ID of the analyzer which raised the current event.
+   
+
+   :returns: The ID of the analyzer which raised the current event, or 0 if
+            none.
+
+.. zeek:id:: current_event_time
+   :source-code: base/bif/zeek.bif.zeek 64 64
+
+   :Type: :zeek:type:`function` () : :zeek:type:`time`
+
+   Returns the timestamp of the last raised event. The timestamp reflects the
+   network time the event was intended to be executed. For scheduled events,
+   this is the time the event was scheduled for. For any other event, this is
+   the time when the event was created.
+   
+
+   :returns: The timestamp of the last raised event.
+   
+   .. zeek:see:: current_time set_network_time
+
+.. zeek:id:: current_time
+   :source-code: base/bif/zeek.bif.zeek 32 32
+
+   :Type: :zeek:type:`function` () : :zeek:type:`time`
+
+   Returns the current wall-clock time.
+   
+   In general, you should use :zeek:id:`network_time` instead
+   unless you are using Zeek for non-networking uses (such as general
+   scripting; not particularly recommended), because otherwise your script
+   may behave very differently on live traffic versus played-back traffic
+   from a save file.
+   
+
+   :returns: The wall-clock time.
+   
+   .. zeek:see:: network_time set_network_time
+
+.. zeek:id:: decode_base64
+   :source-code: base/bif/zeek.bif.zeek 1640 1640
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, a: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Decodes a Base64-encoded string.
+   
+
+   :param s: The Base64-encoded string.
+   
+
+   :param a: An optional custom alphabet. The empty string indicates the default
+      alphabet. If given, the string must consist of 64 unique characters.
+   
+
+   :returns: The decoded version of *s*.
+   
+   .. zeek:see:: decode_base64_conn encode_base64
+
+.. zeek:id:: decode_base64_conn
+   :source-code: base/bif/zeek.bif.zeek 1657 1657
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, s: :zeek:type:`string`, a: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Decodes a Base64-encoded string that was derived from processing a connection.
+   If an error is encountered decoding the string, that will be logged to
+   ``weird.log`` with the associated connection.
+   
+
+   :param cid: The identifier of the connection that the encoding originates from.
+   
+
+   :param s: The Base64-encoded string.
+   
+
+   :param a: An optional custom alphabet. The empty string indicates the default
+      alphabet. If given, the string must consist of 64 unique characters.
+   
+
+   :returns: The decoded version of *s*.
+   
+   .. zeek:see:: decode_base64
+
+.. zeek:id:: disable_analyzer
+   :source-code: base/bif/zeek.bif.zeek 2049 2049
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, aid: :zeek:type:`count`, err_if_no_conn: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`, prevent: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Disables the analyzer which raised the current event (if the analyzer
+   belongs to the given connection).
+   
+
+   :param cid: The connection identifier.
+   
+
+   :param aid: The analyzer ID.
+   
+
+   :param err_if_no_conn: Emit an error message if the connection does not exit.
+   
+
+   :param prevent: Prevent the same analyzer type from being attached in the future.
+            This is useful for preventing the same analyzer from being
+            automatically reattached in the future, e.g. as a result of a
+            DPD signature suddenly matching.
+   
+
+   :returns: True if the connection identified by *cid* exists and has analyzer
+            *aid* and it is scheduled for removal.
+   
+   .. zeek:see:: Analyzer::schedule_analyzer Analyzer::name
+
+.. zeek:id:: disable_event_group
+   :source-code: base/bif/zeek.bif.zeek 2733 2733
+
+   :Type: :zeek:type:`function` (group: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Disabled the given event group.
+   
+   All event and hook handlers with a matching :zeek:attr:`&group` attribute
+   will be disabled if not already disabled through another group.
+   
+
+   :param group: The group to disable.
+   
+   .. zeek:see:: enable_event_group disable_event_group has_event_group
+                 enable_module_events disable_module_events has_module_events
+
+.. zeek:id:: disable_module_events
+   :source-code: base/bif/zeek.bif.zeek 2765 2765
+
+   :Type: :zeek:type:`function` (module_name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Disable all event handlers and hooks in the given module.
+   
+   All event handlers and hooks defined in the given module will be disabled.
+   
+
+   :param module_name: The module to disable.
+   
+   .. zeek:see:: enable_event_group disable_event_group has_event_group
+                 enable_module_events disable_module_events has_module_events
+
+.. zeek:id:: do_profiling
+   :source-code: base/bif/zeek.bif.zeek 1145 1145
+
+   :Type: :zeek:type:`function` () : :zeek:type:`any`
+
+   Enables detailed collection of profiling statistics. Statistics include
+   CPU/memory usage, connections, TCP states/reassembler, DNS lookups,
+   timers, and script-level state. The script variable :zeek:id:`profiling_file`
+   holds the name of the file.
+   
+   .. zeek:see:: get_conn_stats
+                get_dns_stats
+                get_event_stats
+                get_file_analysis_stats
+                get_gap_stats
+                get_matcher_stats
+                get_net_stats
+                get_proc_stats
+                get_reassembler_stats
+                get_thread_stats
+                get_timer_stats
+
+.. zeek:id:: double_to_count
+   :source-code: base/bif/zeek.bif.zeek 1309 1309
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`count`
+
+   Converts a :zeek:type:`double` to a :zeek:type:`count`.
+   
+
+   :param d: The :zeek:type:`double` to convert.
+   
+
+   :returns: The :zeek:type:`double` *d* as unsigned integer, or 0 if *d* < 0.0.
+            The value returned follows typical rounding rules, as implemented
+            by rint().
+
+.. zeek:id:: double_to_int
+   :source-code: base/bif/zeek.bif.zeek 1299 1299
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`int`
+
+   Converts a :zeek:type:`double` to a :zeek:type:`int`.
+   
+
+   :param d: The :zeek:type:`double` to convert.
+   
+
+   :returns: The :zeek:type:`double` *d* as signed integer. The value returned
+            follows typical rounding rules, as implemented by rint().
+   
+   .. zeek:see:: double_to_time
+
+.. zeek:id:: double_to_interval
+   :source-code: base/bif/zeek.bif.zeek 1383 1383
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`interval`
+
+   Converts a :zeek:type:`double` to an :zeek:type:`interval`.
+   
+
+   :param d: The :zeek:type:`double` to convert.
+   
+
+   :returns: The :zeek:type:`double` *d* as :zeek:type:`interval`.
+   
+   .. zeek:see:: interval_to_double
+
+.. zeek:id:: double_to_time
+   :source-code: base/bif/zeek.bif.zeek 1373 1373
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`time`
+
+   Converts a :zeek:type:`double` value to a :zeek:type:`time`.
+   
+
+   :param d: The :zeek:type:`double` to convert.
+   
+
+   :returns: The :zeek:type:`double` value *d* as :zeek:type:`time`.
+   
+   .. zeek:see:: time_to_double double_to_count
+
+.. zeek:id:: dump_current_packet
+   :source-code: base/bif/zeek.bif.zeek 1855 1855
+
+   :Type: :zeek:type:`function` (file_name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Writes the current packet to a file.
+   
+
+   :param file_name: The name of the file to write the packet to.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: dump_packet get_current_packet
+   
+   .. note::
+   
+        See :zeek:see:`get_current_packet` for caveats.
+
+.. zeek:id:: dump_packet
+   :source-code: base/bif/zeek.bif.zeek 1922 1922
+
+   :Type: :zeek:type:`function` (pkt: :zeek:type:`pcap_packet`, file_name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Writes a given packet to a file.
+   
+
+   :param pkt: The PCAP packet.
+   
+
+   :param file_name: The name of the file to write *pkt* to.
+   
+
+   :returns: True on success
+   
+   .. zeek:see:: get_current_packet dump_current_packet
+
+.. zeek:id:: dump_rule_stats
+   :source-code: base/bif/zeek.bif.zeek 1164 1164
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`file`) : :zeek:type:`bool`
+
+   Write rule matcher statistics (DFA states, transitions, memory usage, cache
+   hits/misses) to a file.
+   
+
+   :param f: The file to write to.
+   
+
+   :returns: True (unconditionally).
+   
+   .. zeek:see:: get_matcher_stats
+
+.. zeek:id:: enable_event_group
+   :source-code: base/bif/zeek.bif.zeek 2721 2721
+
+   :Type: :zeek:type:`function` (group: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Enabled the given event group.
+   
+   All event and hook handlers with a matching :zeek:attr:`&group` attribute
+   will be enabled if this group was the last disabled group of these handlers.
+   
+
+   :param group: The group to enable.
+   
+   .. zeek:see:: enable_event_group disable_event_group has_event_group
+                 enable_module_events disable_module_events has_module_events
+
+.. zeek:id:: enable_module_events
+   :source-code: base/bif/zeek.bif.zeek 2754 2754
+
+   :Type: :zeek:type:`function` (module_name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Enable all event handlers and hooks in the given module.
+   
+   All event handlers and hooks defined in the given module will be enabled
+   if not disabled otherwise through an event group.
+   
+
+   :param module_name: The module to enable.
+   
+   .. zeek:see:: enable_event_group disable_event_group has_event_group
+                 enable_module_events disable_module_events has_module_events
+
+.. zeek:id:: enable_raw_output
+   :source-code: base/bif/zeek.bif.zeek 2305 2305
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`file`) : :zeek:type:`any`
+
+   Prevents escaping of non-ASCII characters when writing to a file.
+   This function is equivalent to :zeek:attr:`&raw_output`.
+   
+
+   :param f: The file to disable raw output for.
+
+.. zeek:id:: encode_base64
+   :source-code: base/bif/zeek.bif.zeek 1627 1627
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, a: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Encodes a Base64-encoded string.
+   
+
+   :param s: The string to encode.
+   
+
+   :param a: An optional custom alphabet. The empty string indicates the default
+      alphabet. If given, the string must consist of 64 unique characters.
+   
+
+   :returns: The encoded version of *s*.
+   
+   .. zeek:see:: decode_base64
+
+.. zeek:id:: entropy_test_add
+   :source-code: base/bif/zeek.bif.zeek 611 611
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of entropy, data: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Adds data to an incremental entropy calculation.
+   
+
+   :param handle: The opaque handle representing the entropy calculation state.
+   
+
+   :param data: The data to add to the entropy calculation.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: find_entropy entropy_test_add entropy_test_finish
+
+.. zeek:id:: entropy_test_finish
+   :source-code: base/bif/zeek.bif.zeek 624 624
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of entropy) : :zeek:type:`entropy_test_result`
+
+   Finishes an incremental entropy calculation. Before using this function,
+   one needs to obtain an opaque handle with :zeek:id:`entropy_test_init` and
+   add data to it via :zeek:id:`entropy_test_add`.
+   
+
+   :param handle: The opaque handle representing the entropy calculation state.
+   
+
+   :returns: The result of the entropy test. See :zeek:id:`find_entropy` for a
+            description of the individual components.
+   
+   .. zeek:see:: find_entropy entropy_test_init entropy_test_add
+
+.. zeek:id:: entropy_test_init
+   :source-code: base/bif/zeek.bif.zeek 599 599
+
+   :Type: :zeek:type:`function` () : :zeek:type:`opaque` of entropy
+
+   Initializes data structures for incremental entropy calculation.
+   
+
+   :returns: An opaque handle to be used in subsequent operations.
+   
+   .. zeek:see:: find_entropy entropy_test_add entropy_test_finish
+
+.. zeek:id:: enum_names
+   :source-code: base/bif/zeek.bif.zeek 1035 1035
+
+   :Type: :zeek:type:`function` (et: :zeek:type:`any`) : :zeek:type:`string_set`
+
+   Returns all value names associated with an enum type.
+   
+
+   :param et: An enum type or a string naming one.
+   
+
+   :returns: All enum value names associated with enum type *et*.
+            If *et* is not an enum type or does not name one, an empty set is returned.
+
+.. zeek:id:: enum_to_int
+   :source-code: base/bif/zeek.bif.zeek 1266 1266
+
+   :Type: :zeek:type:`function` (e: :zeek:type:`any`) : :zeek:type:`int`
+
+   Converts an :zeek:type:`enum` to an :zeek:type:`int`.
+   
+
+   :param e: The :zeek:type:`enum` to convert.
+   
+
+   :returns: The :zeek:type:`int` value that corresponds to the :zeek:type:`enum`.
+
+.. zeek:id:: exit
+   :source-code: base/bif/zeek.bif.zeek 130 130
+
+   :Type: :zeek:type:`function` (code: :zeek:type:`int`) : :zeek:type:`any`
+
+   Shuts down the Zeek process immediately.
+   
+
+   :param code: The exit code to return with.
+   
+   .. zeek:see:: terminate
+
+.. zeek:id:: exp
+   :source-code: base/bif/zeek.bif.zeek 920 920
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`double`
+
+   Computes the exponential function.
+   
+
+   :param d: The argument to the exponential function.
+   
+
+   :returns: *e* to the power of *d*.
+   
+   .. zeek:see:: floor ceil sqrt ln log2 log10 pow
+
+.. zeek:id:: file_magic
+   :source-code: base/bif/zeek.bif.zeek 548 548
+
+   :Type: :zeek:type:`function` (data: :zeek:type:`string`) : :zeek:type:`mime_matches`
+
+   Determines the MIME type of a piece of data using Zeek's file magic
+   signatures.
+   
+
+   :param data: The data for which to find matching MIME types.
+   
+
+   :returns: All matching signatures, in order of strength.
+   
+   .. zeek:see:: identify_data
+
+.. zeek:id:: file_mode
+   :source-code: base/bif/zeek.bif.zeek 2005 2005
+
+   :Type: :zeek:type:`function` (mode: :zeek:type:`count`) : :zeek:type:`string`
+
+   Converts UNIX file permissions given by a mode to an ASCII string.
+   
+
+   :param mode: The permissions (an octal number like 0644 converted to decimal).
+   
+
+   :returns: A string representation of *mode* in the format
+            ``rw[xsS]rw[xsS]rw[xtT]``.
+
+.. zeek:id:: file_size
+   :source-code: base/bif/zeek.bif.zeek 2298 2298
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`double`
+
+   Returns the size of a given file.
+   
+
+   :param f: The name of the file whose size to lookup.
+   
+
+   :returns: The size of *f* in bytes.
+
+.. zeek:id:: filter_subnet_table
+   :source-code: base/bif/zeek.bif.zeek 699 699
+
+   :Type: :zeek:type:`function` (search: :zeek:type:`subnet`, t: :zeek:type:`any`) : :zeek:type:`any`
+
+   For a set[subnet]/table[subnet], create a new table that contains all entries
+   that contain a given subnet.
+   
+
+   :param search: the subnet to search for.
+   
+
+   :param t: the set[subnet] or table[subnet].
+   
+
+   :returns: A new table that contains all the entries that cover the subnet searched for.
+
+.. zeek:id:: find_entropy
+   :source-code: base/bif/zeek.bif.zeek 591 591
+
+   :Type: :zeek:type:`function` (data: :zeek:type:`string`) : :zeek:type:`entropy_test_result`
+
+   Performs an entropy test on the given data.
+   See http://www.fourmilab.ch/random.
+   
+
+   :param data: The data to compute the entropy for.
+   
+
+   :returns: The result of the entropy test, which contains the following
+            fields.
+   
+                - ``entropy``: The information density expressed as a number of
+                  bits per character.
+   
+                - ``chi_square``: The chi-square test value expressed as an
+                  absolute number and a percentage which indicates how
+                  frequently a truly random sequence would exceed the value
+                  calculated, i.e., the degree to which the sequence tested is
+                  suspected of being non-random.
+   
+                  If the percentage is greater than 99% or less than 1%, the
+                  sequence is almost certainly not random. If the percentage is
+                  between 99% and 95% or between 1% and 5%, the sequence is
+                  suspect. Percentages between 90\% and 95\% and 5\% and 10\%
+                  indicate the sequence is "almost suspect."
+   
+                - ``mean``: The arithmetic mean of all the bytes. If the data
+                  are close to random, it should be around 127.5.
+   
+                - ``monte_carlo_pi``: Each successive sequence of six bytes is
+                  used as 24-bit *x* and *y* coordinates within a square. If
+                  the distance of the randomly-generated point is less than the
+                  radius of a circle inscribed within the square, the six-byte
+                  sequence is considered a "hit." The percentage of hits can
+                  be used to calculate the value of pi. For very large streams
+                  the value will approach the correct value of pi if the
+                  sequence is close to random.
+   
+                - ``serial_correlation``: This quantity measures the extent to
+                  which each byte in the file depends upon the previous byte.
+                  For random sequences this value will be close to zero.
+   
+   .. zeek:see:: entropy_test_init entropy_test_add entropy_test_finish
+
+.. zeek:id:: find_in_zeekpath
+   :source-code: base/bif/zeek.bif.zeek 2815 2815
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`string`) : :zeek:type:`string`
+
+   Determine the path used by a non-relative @load directive.
+   
+   This function is package aware: Passing *package* will yield the
+   path to *package.zeek*, *package/__load__.zeek* or an empty string
+   if neither can be found. Note that passing a relative path or absolute
+   path is an error.
+   
+
+   :param path: The filename, package or path to search for in ZEEKPATH.
+   
+
+   :returns: Path of script file that would be loaded by an @load directive.
+
+.. zeek:id:: floor
+   :source-code: base/bif/zeek.bif.zeek 888 888
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`double`
+
+   Computes the greatest integer less than the given :zeek:type:`double` value.
+   For example, ``floor(3.14)`` returns ``3.0``, and ``floor(-3.14)``
+   returns ``-4.0``.
+   
+
+   :param d: The :zeek:type:`double` to manipulate.
+   
+
+   :returns: The next lowest integer of *d* as :zeek:type:`double`.
+   
+   .. zeek:see:: ceil sqrt exp ln log2 log10 pow
+
+.. zeek:id:: flush_all
+   :source-code: base/bif/zeek.bif.zeek 2183 2183
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Flushes all open files to disk.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: active_file open open_for_append close
+                get_file_name write_file set_buf mkdir enable_raw_output
+                rmdir unlink rename
+
+.. zeek:id:: fmt
+   :source-code: base/bif/zeek.bif.zeek 860 860
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`string`
+
+   Produces a formatted string à la ``printf``. The first argument is the
+   *format string* and specifies how subsequent arguments are converted for
+   output. It is composed of zero or more directives: ordinary characters (not
+   ``%``), which are copied unchanged to the output, and conversion
+   specifications, each of which fetches zero or more subsequent arguments.
+   Conversion specifications begin with ``%`` and the arguments must properly
+   correspond to the specifier. After the ``%``, the following characters
+   may appear in sequence:
+   
+      - ``%``: Literal ``%``
+   
+      - ``-``: Left-align field
+   
+      - ``[0-9]+``: The field width (< 128)
+   
+      - ``.``: Precision of floating point specifiers ``[efg]`` (< 128)
+   
+      - ``[DTdxsefg]``: Format specifier
+   
+          - ``[DT]``: ISO timestamp with microsecond precision
+   
+          - ``d``: Signed/Unsigned integer (using C-style ``%lld``/``%llu``
+                   for ``int``/``count``)
+   
+          - ``x``: Unsigned hexadecimal (using C-style ``%llx``);
+                   addresses/ports are converted to host-byte order
+   
+          - ``s``: String (byte values less than 32 or greater than 126
+                   will be escaped)
+   
+          - ``[efg]``: Double
+   
+
+   :returns: Returns the formatted string. Given no arguments, :zeek:id:`fmt`
+            returns an empty string. Given no format string or the wrong
+            number of additional arguments for the given format specifier,
+            :zeek:id:`fmt` generates a run-time error.
+   
+   .. zeek:see:: cat cat_sep string_cat
+
+.. zeek:id:: fnv1a32
+   :source-code: base/bif/zeek.bif.zeek 461 461
+
+   :Type: :zeek:type:`function` (input: :zeek:type:`any`) : :zeek:type:`count`
+
+   Returns 32-bit digest of arbitrary input values using FNV-1a hash algorithm.
+   See `<https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function>`_.
+   
+
+   :param input: The desired input value to hash.
+   
+
+   :returns: The hashed value.
+   
+   .. zeek:see:: hrw_weight
+
+.. zeek:id:: fnv1a64
+   :source-code: base/bif/zeek.bif.zeek 470 470
+
+   :Type: :zeek:type:`function` (input: :zeek:type:`any`) : :zeek:type:`count`
+
+   Returns 64-bit digest of arbitrary input values using FNV-1a hash algorithm.
+   See `<https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function>`_.
+   
+
+   :param input: The desired input value to hash.
+   
+
+   :returns: The hashed value.
+
+.. zeek:id:: from_json
+   :source-code: base/bif/zeek.bif.zeek 2674 2674
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, t: :zeek:type:`any`, key_func: :zeek:type:`string_mapper` :zeek:attr:`&default` = :zeek:see:`from_json_default_key_mapper` :zeek:attr:`&optional`) : :zeek:type:`from_json_result`
+
+   A function to convert a JSON string into Zeek values of a given type.
+   
+   Implicit conversion from JSON to Zeek types is implemented for:
+   
+     - bool
+     - int, count, real
+     - interval from numbers as seconds
+     - time from numbers as unix timestamp
+     - port from strings in "80/tcp" notation
+     - addr, subnet
+     - enum
+     - sets
+     - vectors
+     - records (from JSON objects)
+   
+   Optional or default record fields are allowed to be missing or null in the input.
+   
+
+   :param s: The JSON string to parse.
+   
+
+   :param t: Type of Zeek data.
+   
+
+   :param key_func: Optional function to normalize key names in JSON objects. Useful
+             when keys are not valid field identifiers, or represent reserved
+             keywords like **port** or **type**.
+   
+
+   :param returns: A record with the result of the conversion, containing either a value or an error message.
+   
+   .. zeek:see:: to_json
+
+.. zeek:id:: generate_all_events
+   :source-code: base/bif/zeek.bif.zeek 2549 2549
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   By default, zeek does not generate (raise) events that have not handled by
+   any scripts. This means that these events will be invisible to a lot of other
+   event handlers - and will not raise :zeek:id:`new_event`.
+   
+   Calling this function will cause all event handlers to be raised. This is, likely,
+   only useful for debugging and causes reduced performance.
+
+.. zeek:id:: get_conn_transport_proto
+   :source-code: base/bif/zeek.bif.zeek 1806 1806
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`transport_proto`
+
+   Extracts the transport protocol from a connection.
+   
+
+   :param cid: The connection identifier.
+   
+
+   :returns: The transport protocol of the connection identified by *cid*.
+   
+   .. zeek:see:: get_port_transport_proto
+                get_orig_seq get_resp_seq
+
+.. zeek:id:: get_current_packet
+   :source-code: base/bif/zeek.bif.zeek 1881 1881
+
+   :Type: :zeek:type:`function` () : :zeek:type:`pcap_packet`
+
+   Returns the currently processed PCAP packet.
+   
+
+   :returns: The currently processed packet, which is a record
+            containing the timestamp, ``snaplen``, and packet data.
+   
+   .. zeek:see:: dump_current_packet dump_packet
+   
+   .. note::
+   
+        Calling ``get_current_packet()`` within events that are not directly
+        raised as a result of processing a specific packet may result in
+        unexpected behavior. For example, out-of-order TCP segments or IP
+        defragmentation may result in such scenarios. Details depend on the
+        involved packet and protocol analyzers. As a rule of thumb, in low-level
+        events, like :zeek:see:`raw_packet`, the behavior is well defined.
+   
+        The returned packet is directly taken from the packet source and any
+        tunnel or encapsulation layers will be present in the payload. Correctly
+        inspecting the payload using Zeek script is therefore a non-trivial task.
+   
+        The return value of ``get_current_packet()`` further should be considered
+        undefined when called within event handlers raised via :zeek:see:`event`,
+        :zeek:see:`schedule` or by recipient of Broker messages.
+
+.. zeek:id:: get_current_packet_header
+   :source-code: base/bif/zeek.bif.zeek 1894 1894
+
+   :Type: :zeek:type:`function` () : :zeek:type:`raw_pkt_hdr`
+
+   Function to get the raw headers of the currently processed packet.
+   
+
+   :returns: The :zeek:type:`raw_pkt_hdr` record containing the Layer 2, 3 and
+            4 headers of the currently processed packet.
+   
+   .. zeek:see:: raw_pkt_hdr get_current_packet
+   
+   .. note::
+   
+        See :zeek:see:`get_current_packet` for caveats.
+
+.. zeek:id:: get_current_packet_ts
+   :source-code: base/bif/zeek.bif.zeek 1910 1910
+
+   :Type: :zeek:type:`function` () : :zeek:type:`time`
+
+   Returns the currently processed PCAP packet's timestamp or a 0 timestamp if
+   there is no packet being processed at the moment.
+   
+
+   :returns: The currently processed packet's timestamp.
+   
+   .. zeek:see:: get_current_packet get_current_packet_header network_time
+   
+   .. note::
+   
+        When there is no packet being processed, ``get_current_packet_ts()``
+        will return a 0 timestamp, while ``network_time()`` will return the
+        timestamp of the last processed packet until it falls back to tracking
+        wall clock after ``packet_source_inactivity_timeout``.
+
+.. zeek:id:: get_file_name
+   :source-code: base/bif/zeek.bif.zeek 2257 2257
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`file`) : :zeek:type:`string`
+
+   Gets the filename associated with a file handle.
+   
+
+   :param f: The file handle to inquire the name for.
+   
+
+   :returns: The filename associated with *f*.
+   
+   .. zeek:see:: open
+
+.. zeek:id:: get_plugin_components
+   :source-code: base/bif/zeek.bif.zeek 2824 2824
+
+   :Type: :zeek:type:`function` (category: :zeek:type:`string`) : :zeek:type:`plugin_component_vec`
+
+   Get a list of tags available for a plugin category.
+   
+
+   :param category: The plugin category to request tags for.
+   
+
+   :returns: A vector of records containing the tags of all plugin components
+            that belong to the specified category.
+
+.. zeek:id:: get_port_transport_proto
+   :source-code: base/bif/zeek.bif.zeek 1817 1817
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`port`) : :zeek:type:`transport_proto`
+
+   Extracts the transport protocol from a :zeek:type:`port`.
+   
+
+   :param p: The port.
+   
+
+   :returns: The transport protocol of the port *p*.
+   
+   .. zeek:see:: get_conn_transport_proto
+                get_orig_seq get_resp_seq
+
+.. zeek:id:: getenv
+   :source-code: base/bif/zeek.bif.zeek 110 110
+
+   :Type: :zeek:type:`function` (var: :zeek:type:`string`) : :zeek:type:`string`
+
+   Returns a system environment variable.
+   
+
+   :param var: The name of the variable whose value to request.
+   
+
+   :returns: The system environment variable identified by *var*, or an empty
+            string if it is not defined.
+   
+   .. zeek:see:: setenv
+
+.. zeek:id:: gethostname
+   :source-code: base/bif/zeek.bif.zeek 1178 1178
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Returns the hostname of the machine Zeek runs on.
+   
+
+   :returns: The hostname of the machine Zeek runs on.
+
+.. zeek:id:: getpid
+   :source-code: base/bif/zeek.bif.zeek 981 981
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+   Returns Zeek's process ID.
+   
+
+   :returns: Zeek's process ID.
+
+.. zeek:id:: global_container_footprints
+   :source-code: base/bif/zeek.bif.zeek 1077 1077
+
+   :Type: :zeek:type:`function` () : :zeek:type:`var_sizes`
+
+   Generates a table of the "footprint" of all global container variables.
+   This is (approximately) the number of objects the global contains either
+   directly or indirectly.  The number is not meant to be precise, but
+   rather comparable: larger footprint correlates with more memory consumption.
+   The table index is the variable name and the value is the footprint.
+   
+
+   :returns: A table that maps variable names to their footprints.
+   
+   .. zeek:see:: val_footprint
+
+.. zeek:id:: global_ids
+   :source-code: base/bif/zeek.bif.zeek 1100 1100
+
+   :Type: :zeek:type:`function` () : :zeek:type:`id_table`
+
+   Generates a table with information about all global identifiers. The table
+   value is a record containing the type name of the identifier, whether it is
+   exported, a constant, an enum constant, redefinable, and its value (if it
+   has one).
+   
+   Module names are included in the returned table as well. The ``type_name``
+   field is set to  "module" and their names are prefixed with "module " to avoid
+   clashing with global identifiers. Note that there is no module type in Zeek.
+   
+
+   :returns: A table that maps identifier names to information about them.
+
+.. zeek:id:: global_options
+   :source-code: base/bif/zeek.bif.zeek 1104 1104
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string_set`
+
+   Returns a set giving the names of all global options.
+
+.. zeek:id:: has_event_group
+   :source-code: base/bif/zeek.bif.zeek 2742 2742
+
+   :Type: :zeek:type:`function` (group: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Does an attribute event group with this name exist?
+   
+
+   :param group: The group name.
+   
+   .. zeek:see:: enable_event_group disable_event_group has_event_group
+                 enable_module_events disable_module_events has_module_events
+
+.. zeek:id:: has_module_events
+   :source-code: base/bif/zeek.bif.zeek 2774 2774
+
+   :Type: :zeek:type:`function` (group: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Does a module event group with this name exist?
+   
+
+   :param group: The group name.
+   
+   .. zeek:see:: enable_event_group disable_event_group has_event_group
+                 enable_module_events disable_module_events has_module_events
+
+.. zeek:id:: have_spicy
+   :source-code: base/bif/zeek.bif.zeek 2779 2779
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Returns true if Zeek was built with support for using Spicy analyzers (which
+   is the default).
+
+.. zeek:id:: have_spicy_analyzers
+   :source-code: base/bif/zeek.bif.zeek 2784 2784
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Returns true if Zeek was built with support for its in-tree Spicy analyzers
+   (which is the default if Spicy support is available).
+
+.. zeek:id:: haversine_distance
+   :source-code: base/bif/zeek.bif.zeek 1996 1996
+
+   :Type: :zeek:type:`function` (lat1: :zeek:type:`double`, long1: :zeek:type:`double`, lat2: :zeek:type:`double`, long2: :zeek:type:`double`) : :zeek:type:`double`
+
+   Calculates distance between two geographic locations using the haversine
+   formula.  Latitudes and longitudes must be given in degrees, where southern
+   hemisphere latitudes are negative and western hemisphere longitudes are
+   negative.
+   
+
+   :param lat1: Latitude (in degrees) of location 1.
+   
+
+   :param long1: Longitude (in degrees) of location 1.
+   
+
+   :param lat2: Latitude (in degrees) of location 2.
+   
+
+   :param long2: Longitude (in degrees) of location 2.
+   
+
+   :returns: Distance in miles.
+   
+   .. zeek:see:: haversine_distance_ip
+
+.. zeek:id:: hexstr_to_bytestring
+   :source-code: base/bif/zeek.bif.zeek 1614 1614
+
+   :Type: :zeek:type:`function` (hexstr: :zeek:type:`string`) : :zeek:type:`string`
+
+   Converts a hex-string into its binary representation.
+   For example, ``"3034"`` would be converted to ``"04"``.
+   
+   The input string is assumed to contain an even number of hexadecimal digits
+   (0-9, a-f, or A-F), otherwise behavior is undefined.
+   
+
+   :param hexstr: The hexadecimal string representation.
+   
+
+   :returns: The binary representation of *hexstr*.
+   
+   .. zeek:see:: hexdump bytestring_to_hexstr
+
+.. zeek:id:: hrw_weight
+   :source-code: base/bif/zeek.bif.zeek 486 486
+
+   :Type: :zeek:type:`function` (key_digest: :zeek:type:`count`, site_id: :zeek:type:`count`) : :zeek:type:`count`
+
+   Calculates a weight value for use in a Rendezvous Hashing algorithm.
+   See `<https://en.wikipedia.org/wiki/Rendezvous_hashing>`_.
+   The weight function used is the one recommended in the original
+
+   :param paper: `<http://www.eecs.umich.edu/techreports/cse/96/CSE-TR-316-96.pdf>`_.
+   
+
+   :param key_digest: A 32-bit digest of a key.  E.g. use :zeek:see:`fnv1a32` to
+               produce this.
+   
+
+   :param site_id: A 32-bit site/node identifier.
+   
+
+   :returns: The weight value for the key/site pair.
+   
+   .. zeek:see:: fnv1a32
+
+.. zeek:id:: identify_data
+   :source-code: base/bif/zeek.bif.zeek 537 537
+
+   :Type: :zeek:type:`function` (data: :zeek:type:`string`, return_mime: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Determines the MIME type of a piece of data using Zeek's file magic
+   signatures.
+   
+
+   :param data: The data to find the MIME type for.
+   
+
+   :param return_mime: Deprecated argument; does nothing, except emit a warning
+                when false.
+   
+
+   :returns: The MIME type of *data*, or "<unknown>" if there was an error
+            or no match.  This is the strongest signature match.
+   
+   .. zeek:see:: file_magic
+
+.. zeek:id:: install_dst_addr_filter
+   :source-code: base/bif/zeek.bif.zeek 2435 2435
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`addr`, tcp_flags: :zeek:type:`count`, prob: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Installs a filter to drop packets destined to a given IP address with
+   a certain probability if none of a given set of TCP flags are set.
+   Note that for IPv6 packets with a routing type header and non-zero
+   segments left, this filters out against the final destination of the
+   packet according to the routing extension header.
+   
+
+   :param ip: Drop packets to this IP address.
+   
+
+   :param tcp_flags: If none of these TCP flags are set, drop packets to *ip* with
+              probability *prob*.
+   
+
+   :param prob: The probability [0.0, 1.0] used to drop packets to *ip*.
+   
+
+   :returns: True (unconditionally).
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_addr_filter
+                install_src_net_filter
+                uninstall_src_addr_filter
+                uninstall_src_net_filter
+                install_dst_net_filter
+                uninstall_dst_addr_filter
+                uninstall_dst_net_filter
+                Pcap::error
+   
+   .. todo:: The return value should be changed to any.
+
+.. zeek:id:: install_dst_net_filter
+   :source-code: base/bif/zeek.bif.zeek 2462 2462
+
+   :Type: :zeek:type:`function` (snet: :zeek:type:`subnet`, tcp_flags: :zeek:type:`count`, prob: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Installs a filter to drop packets destined to a given subnet with
+   a certain probability if none of a given set of TCP flags are set.
+   
+
+   :param snet: Drop packets to this subnet.
+   
+
+   :param tcp_flags: If none of these TCP flags are set, drop packets to *snet* with
+              probability *prob*.
+   
+
+   :param prob: The probability [0.0, 1.0] used to drop packets to *snet*.
+   
+
+   :returns: True (unconditionally).
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_addr_filter
+                install_src_net_filter
+                uninstall_src_addr_filter
+                uninstall_src_net_filter
+                install_dst_addr_filter
+                uninstall_dst_addr_filter
+                uninstall_dst_net_filter
+                Pcap::error
+   
+   .. todo:: The return value should be changed to any.
+
+.. zeek:id:: install_src_addr_filter
+   :source-code: base/bif/zeek.bif.zeek 2340 2340
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`addr`, tcp_flags: :zeek:type:`count`, prob: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Installs a filter to drop packets from a given IP source address with
+   a certain probability if none of a given set of TCP flags are set.
+   Note that for IPv6 packets with a Destination options header that has
+   the Home Address option, this filters out against that home address.
+   
+
+   :param ip: The IP address to drop.
+   
+
+   :param tcp_flags: If none of these TCP flags are set, drop packets from *ip* with
+              probability *prob*.
+   
+
+   :param prob: The probability [0.0, 1.0] used to drop packets from *ip*.
+   
+
+   :returns: True (unconditionally).
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_net_filter
+                uninstall_src_addr_filter
+                uninstall_src_net_filter
+                install_dst_addr_filter
+                install_dst_net_filter
+                uninstall_dst_addr_filter
+                uninstall_dst_net_filter
+                Pcap::error
+   
+   .. todo:: The return value should be changed to any.
+
+.. zeek:id:: install_src_net_filter
+   :source-code: base/bif/zeek.bif.zeek 2367 2367
+
+   :Type: :zeek:type:`function` (snet: :zeek:type:`subnet`, tcp_flags: :zeek:type:`count`, prob: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Installs a filter to drop packets originating from a given subnet with
+   a certain probability if none of a given set of TCP flags are set.
+   
+
+   :param snet: The subnet to drop packets from.
+   
+
+   :param tcp_flags: If none of these TCP flags are set, drop packets from *snet* with
+              probability *prob*.
+   
+
+   :param prob: The probability [0.0, 1.0] used to drop packets from *snet*.
+   
+
+   :returns: True (unconditionally).
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_addr_filter
+                uninstall_src_addr_filter
+                uninstall_src_net_filter
+                install_dst_addr_filter
+                install_dst_net_filter
+                uninstall_dst_addr_filter
+                uninstall_dst_net_filter
+                Pcap::error
+   
+   .. todo:: The return value should be changed to any.
+
+.. zeek:id:: int_to_count
+   :source-code: base/bif/zeek.bif.zeek 1288 1288
+
+   :Type: :zeek:type:`function` (n: :zeek:type:`int`) : :zeek:type:`count`
+
+   Converts a (positive) :zeek:type:`int` to a :zeek:type:`count`.
+   
+
+   :param n: The :zeek:type:`int` to convert.
+   
+
+   :returns: The :zeek:type:`int` *n* as unsigned integer, or 0 if *n* < 0.
+
+.. zeek:id:: int_to_double
+   :source-code: base/bif/zeek.bif.zeek 1353 1353
+
+   :Type: :zeek:type:`function` (i: :zeek:type:`int`) : :zeek:type:`double`
+
+   Converts an :zeek:type:`int` to a :zeek:type:`double`.
+   
+
+   :param i: The :zeek:type:`int` to convert.
+   
+
+   :returns: The :zeek:type:`int` *i* as :zeek:type:`double`.
+   
+   .. zeek:see:: count_to_double double_to_count
+
+.. zeek:id:: interval_to_double
+   :source-code: base/bif/zeek.bif.zeek 1333 1333
+
+   :Type: :zeek:type:`function` (i: :zeek:type:`interval`) : :zeek:type:`double`
+
+   Converts an :zeek:type:`interval` to a :zeek:type:`double`.
+   
+
+   :param i: The :zeek:type:`interval` to convert.
+   
+
+   :returns: The :zeek:type:`interval` *i* as :zeek:type:`double`.
+   
+   .. zeek:see:: double_to_interval
+
+.. zeek:id:: is_event_handled
+   :source-code: base/bif/zeek.bif.zeek 2561 2561
+
+   :Type: :zeek:type:`function` (event_name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Check if an event is handled. Typically this means that a script defines an event.
+   This currently is mainly used to warn when events are defined that will not be used
+   in certain conditions.
+   
+   Raises an error if the named event does not exist.
+   
+
+   :param event_name: event name to check
+   
+
+   :param returns: true if the named event is handled.
+
+.. zeek:id:: is_file_analyzer
+   :source-code: base/bif/zeek.bif.zeek 2699 2699
+
+   :Type: :zeek:type:`function` (atype: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`bool`
+
+   Returns true if the given tag belongs to a file analyzer.
+   
+
+   :param atype: The analyzer tag to check.
+   
+
+   :returns: true if *atype* is a tag of a file analyzer, else false.
+
+.. zeek:id:: is_icmp_port
+   :source-code: base/bif/zeek.bif.zeek 1793 1793
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`port`) : :zeek:type:`bool`
+
+   Checks whether a given :zeek:type:`port` has ICMP as transport protocol.
+   
+
+   :param p: The :zeek:type:`port` to check.
+   
+
+   :returns: True iff *p* is an ICMP port.
+   
+   .. zeek:see:: is_tcp_port is_udp_port
+
+.. zeek:id:: is_local_interface
+   :source-code: base/bif/zeek.bif.zeek 1153 1153
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`addr`) : :zeek:type:`bool`
+
+   Checks whether a given IP address belongs to a local interface.
+   
+
+   :param ip: The IP address to check.
+   
+
+   :returns: True if *ip* belongs to a local interface.
+
+.. zeek:id:: is_packet_analyzer
+   :source-code: base/bif/zeek.bif.zeek 2707 2707
+
+   :Type: :zeek:type:`function` (atype: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`bool`
+
+   Returns true if the given tag belongs to a packet analyzer.
+   
+
+   :param atype: The analyzer type to check.
+   
+
+   :returns: true if *atype* is a tag of a packet analyzer, else false.
+
+.. zeek:id:: is_processing_suspended
+   :source-code: base/bif/zeek.bif.zeek 2529 2529
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Returns whether or not processing is currently suspended.
+   
+   .. zeek:see:: suspend_processing
+                 continue_processing
+
+.. zeek:id:: is_protocol_analyzer
+   :source-code: base/bif/zeek.bif.zeek 2691 2691
+
+   :Type: :zeek:type:`function` (atype: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`bool`
+
+   Returns true if the given tag belongs to a protocol analyzer.
+   
+
+   :param atype: The analyzer tag to check.
+   
+
+   :returns: true if *atype* is a tag of a protocol analyzer, else false.
+
+.. zeek:id:: is_remote_event
+   :source-code: base/bif/zeek.bif.zeek 2506 2506
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Checks whether the current event came from a remote peer.
+   
+
+   :returns: True if the current event came from a remote peer.
+
+.. zeek:id:: is_tcp_port
+   :source-code: base/bif/zeek.bif.zeek 1773 1773
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`port`) : :zeek:type:`bool`
+
+   Checks whether a given :zeek:type:`port` has TCP as transport protocol.
+   
+
+   :param p: The :zeek:type:`port` to check.
+   
+
+   :returns: True iff *p* is a TCP port.
+   
+   .. zeek:see:: is_udp_port is_icmp_port
+
+.. zeek:id:: is_udp_port
+   :source-code: base/bif/zeek.bif.zeek 1783 1783
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`port`) : :zeek:type:`bool`
+
+   Checks whether a given :zeek:type:`port` has UDP as transport protocol.
+   
+
+   :param p: The :zeek:type:`port` to check.
+   
+
+   :returns: True iff *p* is a UDP port.
+   
+   .. zeek:see:: is_icmp_port is_tcp_port
+
+.. zeek:id:: is_v4_addr
+   :source-code: base/bif/zeek.bif.zeek 1186 1186
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`bool`
+
+   Returns whether an address is IPv4 or not.
+   
+
+   :param a: the address to check.
+   
+
+   :returns: true if *a* is an IPv4 address, else false.
+
+.. zeek:id:: is_v4_subnet
+   :source-code: base/bif/zeek.bif.zeek 1202 1202
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`subnet`) : :zeek:type:`bool`
+
+   Returns whether a subnet specification is IPv4 or not.
+   
+
+   :param s: the subnet to check.
+   
+
+   :returns: true if *s* is an IPv4 subnet, else false.
+
+.. zeek:id:: is_v6_addr
+   :source-code: base/bif/zeek.bif.zeek 1194 1194
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`bool`
+
+   Returns whether an address is IPv6 or not.
+   
+
+   :param a: the address to check.
+   
+
+   :returns: true if *a* is an IPv6 address, else false.
+
+.. zeek:id:: is_v6_subnet
+   :source-code: base/bif/zeek.bif.zeek 1210 1210
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`subnet`) : :zeek:type:`bool`
+
+   Returns whether a subnet specification is IPv6 or not.
+   
+
+   :param s: the subnet to check.
+   
+
+   :returns: true if *s* is an IPv6 subnet, else false.
+
+.. zeek:id:: is_valid_ip
+   :source-code: base/bif/zeek.bif.zeek 1425 1425
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Checks if a string is a valid IPv4 or IPv6 address.
+   
+
+   :param ip: the string to check for valid IP formatting.
+   
+
+   :returns: T if the string is a valid IPv4 or IPv6 address format.
+
+.. zeek:id:: is_valid_subnet
+   :source-code: base/bif/zeek.bif.zeek 1433 1433
+
+   :Type: :zeek:type:`function` (cidr: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Checks if a string is a valid IPv4 or IPv6 subnet.
+   
+
+   :param cidr: the string to check for valid subnet formatting.
+   
+
+   :returns: T if the string is a valid IPv4 or IPv6 subnet format.
+
+.. zeek:id:: ln
+   :source-code: base/bif/zeek.bif.zeek 930 930
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`double`
+
+   Computes the natural logarithm of a number.
+   
+
+   :param d: The argument to the logarithm.
+   
+
+   :returns: The natural logarithm of *d*.
+   
+   .. zeek:see:: floor ceil sqrt exp log2 log10 pow
+
+.. zeek:id:: log10
+   :source-code: base/bif/zeek.bif.zeek 950 950
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`double`
+
+   Computes the common logarithm of a number.
+   
+
+   :param d: The argument to the logarithm.
+   
+
+   :returns: The common logarithm of *d*.
+   
+   .. zeek:see:: floor ceil sqrt exp ln log2 pow
+
+.. zeek:id:: log2
+   :source-code: base/bif/zeek.bif.zeek 940 940
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`double`) : :zeek:type:`double`
+
+   Computes the base 2 logarithm of a number.
+   
+
+   :param d: The argument to the logarithm.
+   
+
+   :returns: The base 2 logarithm of *d*.
+   
+   .. zeek:see:: floor ceil sqrt exp ln log10 pow
+
+.. zeek:id:: lookup_ID
+   :source-code: base/bif/zeek.bif.zeek 1113 1113
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`any`
+
+   Returns the value of a global identifier.
+   
+
+   :param id: The global identifier.
+   
+
+   :returns: The value of *id*. If *id* does not describe a valid identifier,
+            the string ``"<unknown id>"`` or ``"<no ID value>"`` is returned.
+
+.. zeek:id:: lookup_addr
+   :source-code: base/bif/zeek.bif.zeek 1936 1936
+
+   :Type: :zeek:type:`function` (host: :zeek:type:`addr`) : :zeek:type:`string`
+
+   Issues an asynchronous reverse DNS lookup and delays the function result.
+   This function can therefore only be called inside a ``when`` condition,
+   e.g., ``when ( local host = lookup_addr(10.0.0.1) ) { f(host); }``.
+   
+
+   :param host: The IP address to lookup.
+   
+
+   :returns: The DNS name of *host*.
+   
+   .. zeek:see:: lookup_hostname
+
+.. zeek:id:: lookup_connection
+   :source-code: base/bif/zeek.bif.zeek 1839 1839
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`connection`
+
+   Returns the :zeek:type:`connection` record for a given connection identifier.
+   
+
+   :param cid: The connection ID.
+   
+
+   :returns: The :zeek:type:`connection` record for *cid*. If *cid* does not point
+            to an existing connection, the function generates a run-time error
+            and returns a dummy value.
+   
+   .. zeek:see:: connection_exists
+
+.. zeek:id:: lookup_connection_analyzer_id
+   :source-code: base/bif/zeek.bif.zeek 2028 2028
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, atype: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`count`
+
+   Returns the numeric ID of the requested protocol analyzer for the given
+   connection.
+   
+
+   :param cid: The connection identifier.
+   
+
+   :param atype: The analyzer tag, such as ``Analyzer::ANALYZER_HTTP``.
+   
+
+   :returns: a numeric identifier for the analyzer, valid for the given
+            connection. When no such analyzer exists the function returns
+            0, which is never a valid analyzer ID value.
+   
+   .. zeek:see:: disable_analyzer Analyzer::disabling_analyzer
+
+.. zeek:id:: lookup_hostname
+   :source-code: base/bif/zeek.bif.zeek 1960 1960
+
+   :Type: :zeek:type:`function` (host: :zeek:type:`string`) : :zeek:type:`addr_set`
+
+   Issues an asynchronous DNS lookup and delays the function result.
+   This function can therefore only be called inside a ``when`` condition,
+   e.g., ``when ( local h = lookup_hostname("www.zeek.org") ) { f(h); }``.
+   
+
+   :param host: The hostname to lookup.
+   
+
+   :returns: A set of DNS A and AAAA records associated with *host*.
+   
+   .. zeek:see:: lookup_addr blocking_lookup_hostname
+
+.. zeek:id:: lookup_hostname_txt
+   :source-code: base/bif/zeek.bif.zeek 1948 1948
+
+   :Type: :zeek:type:`function` (host: :zeek:type:`string`) : :zeek:type:`string`
+
+   Issues an asynchronous TEXT DNS lookup and delays the function result.
+   This function can therefore only be called inside a ``when`` condition,
+   e.g., ``when ( local h = lookup_hostname_txt("www.zeek.org") ) { f(h); }``.
+   
+
+   :param host: The hostname to lookup.
+   
+
+   :returns: The DNS TXT record associated with *host*.
+   
+   .. zeek:see:: lookup_hostname
+
+.. zeek:id:: mask_addr
+   :source-code: base/bif/zeek.bif.zeek 1743 1743
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, top_bits_to_keep: :zeek:type:`count`) : :zeek:type:`subnet`
+
+   Masks an address down to the number of given upper bits. For example,
+   ``mask_addr(1.2.3.4, 18)`` returns ``1.2.0.0``.
+   
+
+   :param a: The address to mask.
+   
+
+   :param top_bits_to_keep: The number of top bits to keep in *a*; must be greater
+                     than 0 and less than 33 for IPv4, or 129 for IPv6.
+   
+
+   :returns: The address *a* masked down to *top_bits_to_keep* bits.
+   
+   .. zeek:see:: remask_addr
+
+.. zeek:id:: match_signatures
+   :source-code: base/bif/zeek.bif.zeek 2540 2540
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, pattern_type: :zeek:type:`int`, s: :zeek:type:`string`, bol: :zeek:type:`bool`, eol: :zeek:type:`bool`, from_orig: :zeek:type:`bool`, clear: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Manually triggers the signature engine for a given connection.
+   This is an internal function.
+
+.. zeek:id:: matching_subnets
+   :source-code: base/bif/zeek.bif.zeek 688 688
+
+   :Type: :zeek:type:`function` (search: :zeek:type:`subnet`, t: :zeek:type:`any`) : :zeek:type:`subnet_vec`
+
+   Gets all subnets that contain a given subnet from a set/table[subnet].
+   
+
+   :param search: the subnet to search for.
+   
+
+   :param t: the set[subnet] or table[subnet].
+   
+
+   :returns: All the keys of the set or table that cover the subnet searched for.
+
+.. zeek:id:: md5_hash
+   :source-code: base/bif/zeek.bif.zeek 223 223
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`string`
+
+   Computes the MD5 hash value of the provided list of arguments.
+   
+
+   :returns: The MD5 hash value of the concatenated arguments.
+   
+   .. zeek:see:: md5_hmac md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+   
+   .. note::
+   
+        This function performs a one-shot computation of its arguments.
+        For incremental hash computation, see :zeek:id:`md5_hash_init` and
+        friends.
+
+.. zeek:id:: md5_hash_finish
+   :source-code: base/bif/zeek.bif.zeek 390 390
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of md5) : :zeek:type:`string`
+
+   Returns the final MD5 digest of an incremental hash computation.
+   
+
+   :param handle: The opaque handle associated with this hash computation.
+   
+
+   :returns: The hash value associated with the computation of *handle*.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+
+.. zeek:id:: md5_hash_init
+   :source-code: base/bif/zeek.bif.zeek 288 288
+
+   :Type: :zeek:type:`function` () : :zeek:type:`opaque` of md5
+
+   Constructs an MD5 handle to enable incremental hash computation. You can
+   feed data to the returned opaque value with :zeek:id:`md5_hash_update` and
+   eventually need to call :zeek:id:`md5_hash_finish` to finish the computation
+   and get the hash digest.
+   
+   For example, when computing incremental MD5 values of transferred files in
+   multiple concurrent HTTP connections, one keeps an optional handle in the
+   HTTP session record. Then, one would call
+   ``c$http$md5_handle = md5_hash_init()`` once before invoking
+   ``md5_hash_update(c$http$md5_handle, some_more_data)`` in the
+   :zeek:id:`http_entity_data` event handler. When all data has arrived, a call
+   to :zeek:id:`md5_hash_finish` returns the final hash value.
+   
+
+   :returns: The opaque handle associated with this hash computation.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+
+.. zeek:id:: md5_hash_update
+   :source-code: base/bif/zeek.bif.zeek 346 346
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of md5, data: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Updates the MD5 value associated with a given index. It is required to
+   call :zeek:id:`md5_hash_init` once before calling this
+   function.
+   
+
+   :param handle: The opaque handle associated with this hash computation.
+   
+
+   :param data: The data to add to the hash computation.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+
+.. zeek:id:: md5_hmac
+   :source-code: base/bif/zeek.bif.zeek 267 267
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`string`
+
+   Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC
+   secret key is generated from available entropy when Zeek starts up, or it can
+   be specified for repeatability using the ``-K`` command line flag.
+   
+
+   :returns: The HMAC-MD5 hash value of the concatenated arguments.
+   
+   .. zeek:see:: md5_hash md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+
+.. zeek:id:: mkdir
+   :source-code: base/bif/zeek.bif.zeek 2196 2196
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Creates a new directory.
+   
+
+   :param f: The directory name.
+   
+
+   :returns: True if the operation succeeds or if *f* already exists,
+            and false if the file creation fails.
+   
+   .. zeek:see:: active_file open_for_append close write_file
+                get_file_name set_buf flush_all enable_raw_output
+                rmdir unlink rename
+
+.. zeek:id:: network_time
+   :source-code: base/bif/zeek.bif.zeek 42 42
+
+   :Type: :zeek:type:`function` () : :zeek:type:`time`
+
+   Returns the timestamp of the last packet processed. This function returns
+   the timestamp of the most recently read packet, whether read from a
+   live network interface or from a save file.
+   
+
+   :returns: The timestamp of the packet processed.
+   
+   .. zeek:see:: current_time set_network_time
+
+.. zeek:id:: open
+   :source-code: base/bif/zeek.bif.zeek 2119 2119
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`file`
+
+   Opens a file for writing. If a file with the same name already exists, this
+   function overwrites it (as opposed to :zeek:id:`open_for_append`).
+   
+
+   :param f: The path to the file.
+   
+
+   :returns: A :zeek:type:`file` handle for subsequent operations.
+   
+   .. zeek:see:: active_file open_for_append close write_file
+                get_file_name set_buf flush_all mkdir enable_raw_output
+                rmdir unlink rename
+
+.. zeek:id:: open_for_append
+   :source-code: base/bif/zeek.bif.zeek 2132 2132
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`file`
+
+   Opens a file for writing or appending. If a file with the same name already
+   exists, this function appends to it (as opposed to :zeek:id:`open`).
+   
+
+   :param f: The path to the file.
+   
+
+   :returns: A :zeek:type:`file` handle for subsequent operations.
+   
+   .. zeek:see:: active_file open close write_file
+                get_file_name set_buf flush_all mkdir enable_raw_output
+                rmdir unlink rename
+
+.. zeek:id:: order
+   :source-code: base/bif/zeek.bif.zeek 789 789
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`index_vec`
+
+   Returns the order of the elements in a vector according to some
+   comparison function. See :zeek:id:`sort` for details about the comparison
+   function.
+   
+
+   :param v: The vector whose order to compute.
+   
+
+   :returns: A ``vector of count`` with the indices of the ordered elements.
+            For example, the elements of *v* in order are (assuming ``o``
+            is the vector returned by ``order``):  v[o[0]], v[o[1]], etc.
+   
+   .. zeek:see:: sort
+
+.. zeek:id:: packet_source
+   :source-code: base/bif/zeek.bif.zeek 1065 1065
+
+   :Type: :zeek:type:`function` () : :zeek:type:`PacketSource`
+
+
+   :returns: the packet source being read by Zeek.
+   
+   .. zeek:see:: reading_live_traffic reading_traces
+
+.. zeek:id:: paraglob_equals
+   :source-code: base/bif/zeek.bif.zeek 448 448
+
+   :Type: :zeek:type:`function` (p_one: :zeek:type:`opaque` of paraglob, p_two: :zeek:type:`opaque` of paraglob) : :zeek:type:`bool`
+
+   Compares two paraglobs for equality.
+   
+
+   :param p_one: A compiled paraglob.
+   
+
+   :param p_two: A compiled paraglob.
+   
+
+   :returns: True if both paraglobs contain the same patterns, false otherwise.
+   
+   .. zeek:see:: paraglob_match paraglob_init
+
+.. zeek:id:: paraglob_init
+   :source-code: base/bif/zeek.bif.zeek 424 424
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`any`) : :zeek:type:`opaque` of paraglob
+
+   Initializes and returns a new paraglob.
+   
+
+   :param v: Vector of patterns to initialize the paraglob with.
+   
+
+   :returns: A new, compiled, paraglob with the patterns in *v*
+   
+   .. zeek:see:: paraglob_match paraglob_equals
+
+.. zeek:id:: paraglob_match
+   :source-code: base/bif/zeek.bif.zeek 436 436
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of paraglob, match: :zeek:type:`string`) : :zeek:type:`string_vec`
+
+   Gets all the patterns inside the handle associated with an input string.
+   
+
+   :param handle: A compiled paraglob.
+   
+
+   :param match: string to match against the paraglob.
+   
+
+   :returns: A vector of strings matching the input string.
+   
+   .. zeek:see:: paraglob_equals paraglob_init
+
+.. zeek:id:: piped_exec
+   :source-code: base/bif/zeek.bif.zeek 190 190
+
+   :Type: :zeek:type:`function` (program: :zeek:type:`string`, to_write: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Opens a program with ``popen`` and writes a given string to the returned
+   stream to send it to the opened process's stdin.
+   
+
+   :param program: The program to execute.
+   
+
+   :param to_write: Data to pipe to the opened program's process via ``stdin``.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: system system_env
+
+.. zeek:id:: port_to_count
+   :source-code: base/bif/zeek.bif.zeek 1393 1393
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`port`) : :zeek:type:`count`
+
+   Converts a :zeek:type:`port` to a :zeek:type:`count`.
+   
+
+   :param p: The :zeek:type:`port` to convert.
+   
+
+   :returns: The :zeek:type:`port` *p* as :zeek:type:`count`.
+   
+   .. zeek:see:: count_to_port
+
+.. zeek:id:: pow
+   :source-code: base/bif/zeek.bif.zeek 962 962
+
+   :Type: :zeek:type:`function` (x: :zeek:type:`double`, y: :zeek:type:`double`) : :zeek:type:`double`
+
+   Computes the *x* raised to the power *y*.
+   
+
+   :param x: The number to be raised to a power.
+   
+
+   :param y: The number that specifies a power.
+   
+
+   :returns: The number *x* raised to the power *y*.
+   
+   .. zeek:see:: floor ceil sqrt exp ln log2 log10
+
+.. zeek:id:: preserve_prefix
+   :source-code: base/bif/zeek.bif.zeek 2590 2590
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, width: :zeek:type:`count`) : :zeek:type:`any`
+
+   Preserves the prefix of an IP address in anonymization.
+   
+
+   :param a: The address to preserve.
+   
+
+   :param width: The number of bits from the top that should remain intact.
+   
+   .. zeek:see:: preserve_subnet anonymize_addr
+   
+   .. todo:: Currently dysfunctional.
+
+.. zeek:id:: preserve_subnet
+   :source-code: base/bif/zeek.bif.zeek 2600 2600
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`subnet`) : :zeek:type:`any`
+
+   Preserves the prefix of a subnet in anonymization.
+   
+
+   :param a: The subnet to preserve.
+   
+   .. zeek:see:: preserve_prefix anonymize_addr
+   
+   .. todo:: Currently dysfunctional.
+
+.. zeek:id:: print_raw
+   :source-code: base/bif/zeek.bif.zeek 870 870
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`bool`
+
+   Renders a sequence of values to a string of bytes and outputs them directly
+   to ``stdout`` with no additional escape sequences added.  No additional
+   newline is added to the end either.
+   
+
+   :returns: Always true.
+   
+   .. zeek:see:: fmt cat cat_sep string_cat to_json
+
+.. zeek:id:: ptr_name_to_addr
+   :source-code: base/bif/zeek.bif.zeek 1578 1578
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`addr`
+
+   Converts a reverse pointer name to an address. For example,
+   ``1.0.168.192.in-addr.arpa`` to ``192.168.0.1``.
+   
+
+   :param s: The string with the reverse pointer name.
+   
+
+   :returns: The IP address corresponding to *s*.
+   
+   .. zeek:see:: addr_to_ptr_name to_addr
+
+.. zeek:id:: rand
+   :source-code: base/bif/zeek.bif.zeek 501 501
+
+   :Type: :zeek:type:`function` (max: :zeek:type:`count`) : :zeek:type:`count`
+
+   Generates a random number.
+   
+
+   :param max: The maximum value of the random number.
+   
+
+   :returns: a random positive integer in the interval *[0, max)*.
+   
+   .. zeek:see:: srand
+   
+   .. note::
+   
+        This function is a wrapper about the function ``random``
+        provided by the OS.
+
+.. zeek:id:: raw_bytes_to_v4_addr
+   :source-code: base/bif/zeek.bif.zeek 1508 1508
+
+   :Type: :zeek:type:`function` (b: :zeek:type:`string`) : :zeek:type:`addr`
+
+   Converts a :zeek:type:`string` of bytes into an IPv4 address. In particular,
+   this function interprets the first 4 bytes of the string as an IPv4 address
+   in network order.
+   
+
+   :param b: The raw bytes (:zeek:type:`string`) to convert.
+   
+
+   :returns: The byte :zeek:type:`string` *b* as :zeek:type:`addr`.
+   
+   .. zeek:see:: raw_bytes_to_v4_addr to_addr to_subnet
+
+.. zeek:id:: raw_bytes_to_v6_addr
+   :source-code: base/bif/zeek.bif.zeek 1520 1520
+
+   :Type: :zeek:type:`function` (x: :zeek:type:`string`) : :zeek:type:`addr`
+
+   Converts a :zeek:type:`string` of bytes into an IPv6 address. In particular,
+   this function interprets the first 16 bytes of the string as an IPv6 address
+   in network order.
+   
+
+   :param b: The raw bytes (:zeek:type:`string`) to convert.
+   
+
+   :returns: The byte :zeek:type:`string` *b* as :zeek:type:`addr`.
+   
+   .. zeek:see:: raw_bytes_to_v6_addr to_addr to_subnet
+
+.. zeek:id:: reading_live_traffic
+   :source-code: base/bif/zeek.bif.zeek 1050 1050
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Checks whether Zeek reads traffic from one or more network interfaces (as
+   opposed to from a network trace in a file). Note that this function returns
+   true even after Zeek has stopped reading network traffic, for example due to
+   receiving a termination signal.
+   
+
+   :returns: True if reading traffic from a network interface.
+   
+   .. zeek:see:: reading_traces packet_source
+
+.. zeek:id:: reading_traces
+   :source-code: base/bif/zeek.bif.zeek 1059 1059
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Checks whether Zeek reads traffic from a trace file (as opposed to from a
+   network interface).
+   
+
+   :returns: True if reading traffic from a network trace.
+   
+   .. zeek:see:: reading_live_traffic packet_source
+
+.. zeek:id:: record_fields
+   :source-code: base/bif/zeek.bif.zeek 1126 1126
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`any`) : :zeek:type:`record_field_table`
+
+   Generates metadata about a record's fields. The returned information
+   includes the field name, whether it is logged, its value (if it has one),
+   and its default value (if specified).
+   
+
+   :param rec: The record value or type to inspect.
+   
+
+   :returns: A table that describes the fields of a record. The returned table has
+            the :zeek:attr:`&ordered` attribute set. Iterating over the table will
+            yield entries for the fields in the same order as the fields were
+            declared.
+
+.. zeek:id:: remask_addr
+   :source-code: base/bif/zeek.bif.zeek 1763 1763
+
+   :Type: :zeek:type:`function` (a1: :zeek:type:`addr`, a2: :zeek:type:`addr`, top_bits_from_a1: :zeek:type:`count`) : :zeek:type:`addr`
+
+   Takes some top bits (such as a subnet address) from one address and the other
+   bits (intra-subnet part) from a second address and merges them to get a new
+   address. This is useful for anonymizing at subnet level while preserving
+   serial scans.
+   
+
+   :param a1: The address to mask with *top_bits_from_a1*.
+   
+
+   :param a2: The address to take the remaining bits from.
+   
+
+   :param top_bits_from_a1: The number of top bits to keep in *a1*; must be greater
+                     than 0 and less than 129.  This value is always interpreted
+                     relative to the IPv6 bit width (v4-mapped addresses start
+                     at bit number 96).
+   
+
+   :returns: The address *a* masked down to *top_bits_to_keep* bits.
+   
+   .. zeek:see:: mask_addr
+
+.. zeek:id:: rename
+   :source-code: base/bif/zeek.bif.zeek 2237 2237
+
+   :Type: :zeek:type:`function` (src_f: :zeek:type:`string`, dst_f: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Renames a file from src_f to dst_f.
+   
+
+   :param src_f: the name of the file to rename.
+   
+
+   :param dest_f: the name of the file after the rename operation.
+   
+
+   :returns: True if the rename succeeds and false otherwise.
+   
+   .. zeek:see:: active_file open_for_append close write_file
+                get_file_name set_buf flush_all enable_raw_output
+                mkdir rmdir unlink
+
+.. zeek:id:: resize
+   :source-code: base/bif/zeek.bif.zeek 733 733
+
+   :Type: :zeek:type:`function` (aggr: :zeek:type:`any`, newsize: :zeek:type:`count`) : :zeek:type:`count`
+
+   Resizes a vector.
+   
+
+   :param aggr: The vector instance.
+   
+
+   :param newsize: The new size of *aggr*.
+   
+
+   :returns: The old size of *aggr*, or 0 if *aggr* is not a :zeek:type:`vector`.
+
+.. zeek:id:: rmdir
+   :source-code: base/bif/zeek.bif.zeek 2210 2210
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Removes a directory.
+   
+
+   :param d: The directory name.
+   
+
+   :returns: True if the operation succeeds, and false if the
+            directory delete operation fails.
+   
+   .. zeek:see:: active_file open_for_append close write_file
+                get_file_name set_buf flush_all enable_raw_output
+                mkdir unlink rename
+
+.. zeek:id:: rotate_file
+   :source-code: base/bif/zeek.bif.zeek 2268 2268
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`file`) : :zeek:type:`rotate_info`
+
+   Rotates a file.
+   
+
+   :param f: An open file handle.
+   
+
+   :returns: Rotation statistics which include the original file name, the name
+            after the rotation, and the time when *f* was opened/closed.
+   
+   .. zeek:see:: rotate_file_by_name calc_next_rotate
+
+.. zeek:id:: rotate_file_by_name
+   :source-code: base/bif/zeek.bif.zeek 2279 2279
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`rotate_info`
+
+   Rotates a file identified by its name.
+   
+
+   :param f: The name of the file to rotate
+   
+
+   :returns: Rotation statistics which include the original file name, the name
+            after the rotation, and the time when *f* was opened/closed.
+   
+   .. zeek:see:: rotate_file calc_next_rotate
+
+.. zeek:id:: routing0_data_to_addrs
+   :source-code: base/bif/zeek.bif.zeek 1236 1236
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`addr_vec`
+
+   Converts the *data* field of :zeek:type:`ip6_routing` records that have
+   *rtype* of 0 into a vector of addresses.
+   
+
+   :param s: The *data* field of an :zeek:type:`ip6_routing` record that has
+      an *rtype* of 0.
+   
+
+   :returns: The vector of addresses contained in the routing header data.
+
+.. zeek:id:: same_object
+   :source-code: base/bif/zeek.bif.zeek 723 723
+
+   :Type: :zeek:type:`function` (o1: :zeek:type:`any`, o2: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Checks whether two objects reference the same internal object. This function
+   uses equality comparison of C++ raw pointer values to determine if the two
+   objects are the same.
+   
+
+   :param o1: The first object.
+   
+
+   :param o2: The second object.
+   
+
+   :returns: True if *o1* and *o2* are equal.
+
+.. zeek:id:: set_buf
+   :source-code: base/bif/zeek.bif.zeek 2173 2173
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`file`, buffered: :zeek:type:`bool`) : :zeek:type:`any`
+
+   Alters the buffering behavior of a file.
+   
+
+   :param f: A :zeek:type:`file` handle to an open file.
+   
+
+   :param buffered: When true, *f* is fully buffered, i.e., bytes are saved in a
+             buffer until the block size has been reached. When
+             false, *f* is line buffered, i.e., bytes are saved up until a
+             newline occurs.
+   
+   .. zeek:see:: active_file open open_for_append close
+                get_file_name write_file flush_all mkdir enable_raw_output
+                rmdir unlink rename
+
+.. zeek:id:: set_inactivity_timeout
+   :source-code: base/bif/zeek.bif.zeek 2100 2100
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, t: :zeek:type:`interval`) : :zeek:type:`interval`
+
+   Sets an individual inactivity timeout for a connection and thus
+   overrides the global inactivity timeout.
+   
+
+   :param cid: The connection ID.
+   
+
+   :param t: The new inactivity timeout for the connection identified by *cid*.
+   
+
+   :returns: The previous timeout interval.
+
+.. zeek:id:: set_network_time
+   :source-code: base/bif/zeek.bif.zeek 53 53
+
+   :Type: :zeek:type:`function` (nt: :zeek:type:`time`) : :zeek:type:`bool`
+
+   Sets the timestamp associated with the last packet processed. Used for
+   event replaying.
+   
+
+   :param nt: The time to which to set "network time".
+   
+
+   :returns: The timestamp of the packet processed.
+   
+   .. zeek:see:: current_time network_time
+
+.. zeek:id:: set_record_packets
+   :source-code: base/bif/zeek.bif.zeek 2089 2089
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`, do_record: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Controls whether packet contents belonging to a connection should be
+   recorded (when ``-w`` option is provided on the command line).
+   
+
+   :param cid: The connection identifier.
+   
+
+   :param do_record: True to enable packet contents, and false to disable for the
+              connection identified by *cid*.
+   
+
+   :returns: False if *cid* does not point to an active connection, and true
+            otherwise.
+   
+   .. zeek:see:: skip_further_processing
+   
+   .. note::
+   
+       This is independent of whether Zeek processes the packets of this
+       connection, which is controlled separately by
+       :zeek:id:`skip_further_processing`.
+   
+   .. zeek:see:: get_contents_file set_contents_file
+
+.. zeek:id:: setenv
+   :source-code: base/bif/zeek.bif.zeek 122 122
+
+   :Type: :zeek:type:`function` (var: :zeek:type:`string`, val: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Sets a system environment variable.
+   
+
+   :param var: The name of the variable.
+   
+
+   :param val: The (new) value of the variable *var*.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: getenv
+
+.. zeek:id:: sha1_hash
+   :source-code: base/bif/zeek.bif.zeek 239 239
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`string`
+
+   Computes the SHA1 hash value of the provided list of arguments.
+   
+
+   :returns: The SHA1 hash value of the concatenated arguments.
+   
+   .. zeek:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+   
+   .. note::
+   
+        This function performs a one-shot computation of its arguments.
+        For incremental hash computation, see :zeek:id:`sha1_hash_init` and
+        friends.
+
+.. zeek:id:: sha1_hash_finish
+   :source-code: base/bif/zeek.bif.zeek 402 402
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of sha1) : :zeek:type:`string`
+
+   Returns the final SHA1 digest of an incremental hash computation.
+   
+
+   :param handle: The opaque handle associated with this hash computation.
+   
+
+   :returns: The hash value associated with the computation of *handle*.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+
+.. zeek:id:: sha1_hash_init
+   :source-code: base/bif/zeek.bif.zeek 309 309
+
+   :Type: :zeek:type:`function` () : :zeek:type:`opaque` of sha1
+
+   Constructs an SHA1 handle to enable incremental hash computation. You can
+   feed data to the returned opaque value with :zeek:id:`sha1_hash_update` and
+   finally need to call :zeek:id:`sha1_hash_finish` to finish the computation
+   and get the hash digest.
+   
+   For example, when computing incremental SHA1 values of transferred files in
+   multiple concurrent HTTP connections, one keeps an optional handle in the
+   HTTP session record. Then, one would call
+   ``c$http$sha1_handle = sha1_hash_init()`` once before invoking
+   ``sha1_hash_update(c$http$sha1_handle, some_more_data)`` in the
+   :zeek:id:`http_entity_data` event handler. When all data has arrived, a call
+   to :zeek:id:`sha1_hash_finish` returns the final hash value.
+   
+
+   :returns: The opaque handle associated with this hash computation.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+
+.. zeek:id:: sha1_hash_update
+   :source-code: base/bif/zeek.bif.zeek 362 362
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of sha1, data: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Updates the SHA1 value associated with a given index. It is required to
+   call :zeek:id:`sha1_hash_init` once before calling this
+   function.
+   
+
+   :param handle: The opaque handle associated with this hash computation.
+   
+
+   :param data: The data to add to the hash computation.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish
+
+.. zeek:id:: sha256_hash
+   :source-code: base/bif/zeek.bif.zeek 255 255
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`string`
+
+   Computes the SHA256 hash value of the provided list of arguments.
+   
+
+   :returns: The SHA256 hash value of the concatenated arguments.
+   
+   .. zeek:see:: md5_hash md5_hmac md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash_init sha256_hash_update sha256_hash_finish
+   
+   .. note::
+   
+        This function performs a one-shot computation of its arguments.
+        For incremental hash computation, see :zeek:id:`sha256_hash_init` and
+        friends.
+
+.. zeek:id:: sha256_hash_finish
+   :source-code: base/bif/zeek.bif.zeek 414 414
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of sha256) : :zeek:type:`string`
+
+   Returns the final SHA256 digest of an incremental hash computation.
+   
+
+   :param handle: The opaque handle associated with this hash computation.
+   
+
+   :returns: The hash value associated with the computation of *handle*.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_update
+
+.. zeek:id:: sha256_hash_init
+   :source-code: base/bif/zeek.bif.zeek 330 330
+
+   :Type: :zeek:type:`function` () : :zeek:type:`opaque` of sha256
+
+   Constructs an SHA256 handle to enable incremental hash computation. You can
+   feed data to the returned opaque value with :zeek:id:`sha256_hash_update` and
+   finally need to call :zeek:id:`sha256_hash_finish` to finish the computation
+   and get the hash digest.
+   
+   For example, when computing incremental SHA256 values of transferred files in
+   multiple concurrent HTTP connections, one keeps an optional handle in the
+   HTTP session record. Then, one would call
+   ``c$http$sha256_handle = sha256_hash_init()`` once before invoking
+   ``sha256_hash_update(c$http$sha256_handle, some_more_data)`` in the
+   :zeek:id:`http_entity_data` event handler. When all data has arrived, a call
+   to :zeek:id:`sha256_hash_finish` returns the final hash value.
+   
+
+   :returns: The opaque handle associated with this hash computation.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_update sha256_hash_finish
+
+.. zeek:id:: sha256_hash_update
+   :source-code: base/bif/zeek.bif.zeek 378 378
+
+   :Type: :zeek:type:`function` (handle: :zeek:type:`opaque` of sha256, data: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Updates the SHA256 value associated with a given index. It is required to
+   call :zeek:id:`sha256_hash_init` once before calling this
+   function.
+   
+
+   :param handle: The opaque handle associated with this hash computation.
+   
+
+   :param data: The data to add to the hash computation.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish
+      sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish
+      sha256_hash sha256_hash_init sha256_hash_finish
+
+.. zeek:id:: skip_further_processing
+   :source-code: base/bif/zeek.bif.zeek 2066 2066
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+   Informs Zeek that it should skip any further processing of the contents of
+   a given connection. In particular, Zeek will refrain from reassembling the
+   TCP byte stream and from generating events relating to any analyzers that
+   have been processing the connection.
+   
+
+   :param cid: The connection ID.
+   
+
+   :returns: False if *cid* does not point to an active connection, and true
+            otherwise.
+   
+   .. note::
+   
+       Zeek will still generate connection-oriented events such as
+       :zeek:id:`connection_finished`.
+
+.. zeek:id:: sleep
+   :source-code: base/bif/zeek.bif.zeek 205 205
+
+   :Type: :zeek:type:`function` (i: :zeek:type:`interval`) : :zeek:type:`interval`
+
+   Sleeps for the given amount of time.
+   
+
+   :param i: The time interval to sleep for.
+   
+
+   :returns: The :zeek:type:`interval` Zeek actually slept for.
+   
+   .. note::
+   
+        This is a blocking sleep! Zeek will not run most of its processing
+        during that time. You almost certainly DO NOT WANT THIS outside
+        of specific testing/troubleshooting scenarios. To sleep asynchronously,
+        :zeek:see:`schedule` an event, or consider :zeek:id:`Exec::run`.
+
+.. zeek:id:: sort
+   :source-code: base/bif/zeek.bif.zeek 775 775
+
+   :Type: :zeek:type:`function` (...) : :zeek:type:`any`
+
+   Sorts a vector in place. The second argument is a comparison function that
+   takes two arguments: if the vector type is ``vector of T``, then the
+   comparison function must be ``function(a: T, b: T): int``, which returns
+   a value less than zero if ``a < b`` for some type-specific notion of the
+   less-than operator.  The comparison function is optional if the type
+   is a numeric type (int, count, double, time, etc.).
+   
+
+   :param v: The vector instance to sort.
+   
+
+   :returns: The vector, sorted from minimum to maximum value. If the vector
+            could not be sorted, then the original vector is returned instead.
+   
+   .. zeek:see:: order
+
+.. zeek:id:: sqrt
+   :source-code: base/bif/zeek.bif.zeek 910 910
+
+   :Type: :zeek:type:`function` (x: :zeek:type:`double`) : :zeek:type:`double`
+
+   Computes the square root of a :zeek:type:`double`.
+   
+
+   :param x: The number to compute the square root of.
+   
+
+   :returns: The square root of *x*.
+   
+   .. zeek:see:: floor ceil exp ln log2 log10 pow
+
+.. zeek:id:: srand
+   :source-code: base/bif/zeek.bif.zeek 514 514
+
+   :Type: :zeek:type:`function` (seed: :zeek:type:`count`) : :zeek:type:`any`
+
+   Sets the seed for subsequent :zeek:id:`rand` calls.
+   
+
+   :param seed: The seed for the PRNG.
+   
+   .. zeek:see:: rand
+   
+   .. note::
+   
+        This function is a wrapper about the function ``srandom``
+        provided by the OS.
+
+.. zeek:id:: strftime
+   :source-code: base/bif/zeek.bif.zeek 1710 1710
+
+   :Type: :zeek:type:`function` (fmt: :zeek:type:`string`, d: :zeek:type:`time`) : :zeek:type:`string`
+
+   Formats a given time value according to a format string.
+   
+
+   :param fmt: The format string. See ``man strftime`` for the syntax.
+   
+
+   :param d: The time value.
+   
+
+   :returns: The time *d* formatted according to *fmt*.
+
+.. zeek:id:: string_to_pattern
+   :source-code: base/bif/zeek.bif.zeek 1700 1700
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, convert: :zeek:type:`bool`) : :zeek:type:`pattern`
+
+   Converts a :zeek:type:`string` into a :zeek:type:`pattern`.
+   
+
+   :param s: The string to convert.
+   
+
+   :param convert: If true, *s* is first passed through the function
+            :zeek:id:`convert_for_pattern` to escape special characters of
+            patterns.
+   
+
+   :returns: *s* as :zeek:type:`pattern`.
+   
+   .. zeek:see:: convert_for_pattern
+
+.. zeek:id:: strptime
+   :source-code: base/bif/zeek.bif.zeek 1722 1722
+
+   :Type: :zeek:type:`function` (fmt: :zeek:type:`string`, d: :zeek:type:`string`) : :zeek:type:`time`
+
+   Parse a textual representation of a date/time value into a ``time`` type value.
+   
+
+   :param fmt: The format string used to parse the following *d* argument. See ``man strftime``
+        for the syntax.
+   
+
+   :param d: The string representing the time.
+   
+
+   :returns: The time value calculated from parsing *d* with *fmt*.
+
+.. zeek:id:: subnet_to_addr
+   :source-code: base/bif/zeek.bif.zeek 1466 1466
+
+   :Type: :zeek:type:`function` (sn: :zeek:type:`subnet`) : :zeek:type:`addr`
+
+   Converts a :zeek:type:`subnet` to an :zeek:type:`addr` by
+   extracting the prefix.
+   
+
+   :param sn: The subnet to convert.
+   
+
+   :returns: The subnet as an :zeek:type:`addr`.
+   
+   .. zeek:see:: to_subnet
+
+.. zeek:id:: subnet_width
+   :source-code: base/bif/zeek.bif.zeek 1476 1476
+
+   :Type: :zeek:type:`function` (sn: :zeek:type:`subnet`) : :zeek:type:`count`
+
+   Returns the width of a :zeek:type:`subnet`.
+   
+
+   :param sn: The subnet.
+   
+
+   :returns: The width of the subnet.
+   
+   .. zeek:see:: to_subnet
+
+.. zeek:id:: suspend_processing
+   :source-code: base/bif/zeek.bif.zeek 2515 2515
+
+   :Type: :zeek:type:`function` () : :zeek:type:`any`
+
+   Stops Zeek's packet processing. This function is used to synchronize
+   distributed trace processing with communication enabled
+   (*pseudo-realtime* mode).
+   
+   .. zeek:see:: continue_processing
+                 is_processing_suspended
+
+.. zeek:id:: syslog
+   :source-code: base/bif/zeek.bif.zeek 522 522
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`any`
+
+   Send a string to syslog.
+   
+
+   :param s: The string to log via syslog
+
+.. zeek:id:: system
+   :source-code: base/bif/zeek.bif.zeek 161 161
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`int`
+
+   Invokes a command via the ``system`` function of the OS.
+   The command runs in the background with ``stdout`` redirecting to
+   ``stderr``. Here is a usage example:
+   ``system(fmt("rm %s", safe_shell_quote(sniffed_data)));``
+   
+
+   :param str: The command to execute.
+   
+
+   :returns: The return value from the OS ``system`` function.
+   
+   .. zeek:see:: system_env safe_shell_quote piped_exec
+   
+   .. note::
+   
+        Note that this corresponds to the status of backgrounding the
+        given command, not to the exit status of the command itself. A
+        value of 127 corresponds to a failure to execute ``sh``, and -1
+        to an internal system failure.
+
+.. zeek:id:: system_env
+   :source-code: base/bif/zeek.bif.zeek 177 177
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, env: :zeek:type:`table_string_of_string`) : :zeek:type:`int`
+
+   Invokes a command via the ``system`` function of the OS with a prepared
+   environment. The function is essentially the same as :zeek:id:`system`,
+   but changes the environment before invoking the command.
+   
+
+   :param str: The command to execute.
+   
+
+   :param env: A :zeek:type:`table` with the environment variables in the form
+        of key-value pairs. Each specified environment variable name
+        will be automatically prepended with ``ZEEK_ARG_``.
+   
+
+   :returns: The return value from the OS ``system`` function.
+   
+   .. zeek:see:: system safe_shell_quote piped_exec
+
+.. zeek:id:: table_keys
+   :source-code: base/bif/zeek.bif.zeek 678 678
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`any`) : :zeek:type:`any`
+
+   Gets all keys from a table.
+   
+
+   :param t: The :zeek:type:`table`
+   
+
+   :returns: A ``set of T`` of all the keys in t.
+   
+   .. zeek:see:: table_values
+
+.. zeek:id:: table_pattern_matcher_stats
+   :source-code: base/bif/zeek.bif.zeek 2802 2802
+
+   :Type: :zeek:type:`function` (tbl: :zeek:type:`any`) : :zeek:type:`MatcherStats`
+
+   Return MatcherStats for a table[pattern] or set[pattern] value.
+   
+   This returns a MatcherStats objects that can be used for introspection
+   of the DFA used for such a table. Statistics reset whenever elements are
+   added or removed to the table as these operations result in the underlying
+   DFA being rebuilt.
+   
+   This function iterates over all states of the DFA. Calling it at a high
+   frequency is likely detrimental to performance.
+   
+
+   :param tbl: The table to get stats for.
+   
+
+   :returns: A record with matcher statistics.
+
+.. zeek:id:: table_values
+   :source-code: base/bif/zeek.bif.zeek 668 668
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`any`) : :zeek:type:`any_vec`
+
+   Gets all values from a table.
+   
+
+   :param t: The :zeek:type:`table`
+   
+
+   :returns: A ``vector of T`` of all the values in t.
+   
+   .. zeek:see:: table_keys
+
+.. zeek:id:: terminate
+   :source-code: base/bif/zeek.bif.zeek 139 139
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Gracefully shut down Zeek by terminating outstanding processing.
+   
+
+   :returns: True after successful termination and false when Zeek is still in
+            the process of shutting down.
+   
+   .. zeek:see:: exit zeek_is_terminating
+
+.. zeek:id:: time_to_double
+   :source-code: base/bif/zeek.bif.zeek 1363 1363
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`time`) : :zeek:type:`double`
+
+   Converts a :zeek:type:`time` value to a :zeek:type:`double`.
+   
+
+   :param t: The :zeek:type:`time` to convert.
+   
+
+   :returns: The :zeek:type:`time` value *t* as :zeek:type:`double`.
+   
+   .. zeek:see:: double_to_time
+
+.. zeek:id:: to_addr
+   :source-code: base/bif/zeek.bif.zeek 1417 1417
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`string`) : :zeek:type:`addr`
+
+   Converts a :zeek:type:`string` to an :zeek:type:`addr`.
+   
+
+   :param ip: The :zeek:type:`string` to convert.
+   
+
+   :returns: The :zeek:type:`string` *ip* as :zeek:type:`addr`, or the unspecified
+            address ``::`` if the input string does not parse correctly.
+   
+   .. zeek:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr raw_bytes_to_v6_addr
+      to_subnet
+
+.. zeek:id:: to_count
+   :source-code: base/bif/zeek.bif.zeek 1323 1323
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, base: :zeek:type:`count` :zeek:attr:`&default` = ``10`` :zeek:attr:`&optional`) : :zeek:type:`count`
+
+   Converts a :zeek:type:`string` to a :zeek:type:`count`. For values where
+   ``base`` is set to 16, a prefix of ``0x`` or ``0X`` will be ignored.
+   
+
+   :param str: The :zeek:type:`string` to convert.
+   
+
+   :param base: The :zeek:type:`count` to use as the numeric base.
+   
+
+   :returns: The :zeek:type:`string` *str* as unsigned integer, or 0 if *str* has
+            an invalid format.
+   
+   .. zeek:see:: to_addr to_int to_port to_subnet
+
+.. zeek:id:: to_double
+   :source-code: base/bif/zeek.bif.zeek 1486 1486
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`double`
+
+   Converts a :zeek:type:`string` to a :zeek:type:`double`.
+   
+
+   :param str: The :zeek:type:`string` to convert.
+   
+
+   :returns: The :zeek:type:`string` *str* as double, or 0 if *str* has
+            an invalid format.
+   
+
+.. zeek:id:: to_int
+   :source-code: base/bif/zeek.bif.zeek 1279 1279
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`, base: :zeek:type:`count` :zeek:attr:`&default` = ``10`` :zeek:attr:`&optional`) : :zeek:type:`int`
+
+   Converts a :zeek:type:`string` to an :zeek:type:`int`. For values where
+   ``base`` is set to 16, a prefix of ``0x`` or ``0X`` will be ignored.
+   
+
+   :param str: The :zeek:type:`string` to convert.
+   
+
+   :param base: The :zeek:type:`count` to use as the numeric base.
+   
+
+   :returns: The :zeek:type:`string` *str* as :zeek:type:`int`.
+   
+   .. zeek:see:: to_addr to_port to_subnet
+
+.. zeek:id:: to_json
+   :source-code: base/bif/zeek.bif.zeek 2642 2642
+
+   :Type: :zeek:type:`function` (val: :zeek:type:`any`, only_loggable: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`, field_escape_pattern: :zeek:type:`pattern` :zeek:attr:`&default` = ``/^?(^_)$?/`` :zeek:attr:`&optional`, interval_as_double: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   A function to convert arbitrary Zeek data into a JSON string.
+   
+
+   :param v: The value to convert to JSON.  Typically a record.
+   
+
+   :param only_loggable: If the v value is a record this will only cause
+                  fields with the &log attribute to be included in the JSON.
+   
+
+   :param field_escape_pattern: If the v value is a record, the given pattern is
+                         matched against the field names of its type, and
+                         the first match, if any, is stripped from the
+                         rendered name. The default pattern strips a leading
+                         underscore.
+   
+
+   :param interval_as_double: If T, interval values will be logged as doubles
+                       instead of the broken-out version with units as strings.
+   
+
+   :param returns: a JSON formatted string.
+   
+   .. zeek:see:: fmt cat cat_sep string_cat print_raw from_json
+
+.. zeek:id:: to_port
+   :source-code: base/bif/zeek.bif.zeek 1530 1530
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`port`
+
+   Converts a :zeek:type:`string` to a :zeek:type:`port`.
+   
+
+   :param s: The :zeek:type:`string` to convert.
+   
+
+   :returns: A :zeek:type:`port` converted from *s*.
+   
+   .. zeek:see:: to_addr to_count to_int to_subnet
+
+.. zeek:id:: to_subnet
+   :source-code: base/bif/zeek.bif.zeek 1445 1445
+
+   :Type: :zeek:type:`function` (sn: :zeek:type:`string`) : :zeek:type:`subnet`
+
+   Converts a :zeek:type:`string` to a :zeek:type:`subnet`.
+   
+
+   :param sn: The subnet to convert.
+   
+
+   :returns: The *sn* string as a :zeek:type:`subnet`, or the unspecified subnet
+            ``::/0`` if the input string does not parse correctly.
+   
+   .. zeek:see:: to_count to_int to_port count_to_v4_addr raw_bytes_to_v4_addr raw_bytes_to_v6_addr
+      to_addr
+
+.. zeek:id:: type_aliases
+   :source-code: base/bif/zeek.bif.zeek 1026 1026
+
+   :Type: :zeek:type:`function` (x: :zeek:type:`any`) : :zeek:type:`string_set`
+
+   Returns all type name aliases of a value or type.
+   
+
+   :param x: An arbitrary value or type.
+   
+
+   :returns: The set of all type name aliases of *x* (or the type of *x*
+            if it's a value instead of a type).  For primitive values
+            and types like :zeek:type:`string` or :zeek:type:`count`,
+            this returns an empty set.  For types with user-defined
+            names like :zeek:type:`record` or :zeek:type:`enum`, the
+            returned set contains the original user-defined name for the
+            type along with all aliases.  For other compound types, like
+            :zeek:type:`table`, the returned set is empty unless
+            explicitly requesting aliases for a user-defined type alias
+            or a value that was explicitly created using a type alias
+            (as opposed to originating from an "anonymous" constructor
+            or initializer for that compound type).
+
+.. zeek:id:: type_name
+   :source-code: base/bif/zeek.bif.zeek 1005 1005
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`any`) : :zeek:type:`string`
+
+   Returns the type name of an arbitrary Zeek variable.
+   
+
+   :param t: An arbitrary object.
+   
+
+   :returns: The type name of *t*.
+
+.. zeek:id:: uninstall_dst_addr_filter
+   :source-code: base/bif/zeek.bif.zeek 2481 2481
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`addr`) : :zeek:type:`bool`
+
+   Removes a destination address filter.
+   
+
+   :param ip: The IP address for which a destination filter was previously installed.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_addr_filter
+                install_src_net_filter
+                uninstall_src_addr_filter
+                uninstall_src_net_filter
+                install_dst_addr_filter
+                install_dst_net_filter
+                uninstall_dst_net_filter
+                Pcap::error
+
+.. zeek:id:: uninstall_dst_net_filter
+   :source-code: base/bif/zeek.bif.zeek 2500 2500
+
+   :Type: :zeek:type:`function` (snet: :zeek:type:`subnet`) : :zeek:type:`bool`
+
+   Removes a destination subnet filter.
+   
+
+   :param snet: The subnet for which a destination filter was previously installed.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_addr_filter
+                install_src_net_filter
+                uninstall_src_addr_filter
+                uninstall_src_net_filter
+                install_dst_addr_filter
+                install_dst_net_filter
+                uninstall_dst_addr_filter
+                Pcap::error
+
+.. zeek:id:: uninstall_src_addr_filter
+   :source-code: base/bif/zeek.bif.zeek 2386 2386
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`addr`) : :zeek:type:`bool`
+
+   Removes a source address filter.
+   
+
+   :param ip: The IP address for which a source filter was previously installed.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_addr_filter
+                install_src_net_filter
+                uninstall_src_net_filter
+                install_dst_addr_filter
+                install_dst_net_filter
+                uninstall_dst_addr_filter
+                uninstall_dst_net_filter
+                Pcap::error
+
+.. zeek:id:: uninstall_src_net_filter
+   :source-code: base/bif/zeek.bif.zeek 2405 2405
+
+   :Type: :zeek:type:`function` (snet: :zeek:type:`subnet`) : :zeek:type:`bool`
+
+   Removes a source subnet filter.
+   
+
+   :param snet: The subnet for which a source filter was previously installed.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: Pcap::precompile_pcap_filter
+                Pcap::install_pcap_filter
+                install_src_addr_filter
+                install_src_net_filter
+                uninstall_src_addr_filter
+                install_dst_addr_filter
+                install_dst_net_filter
+                uninstall_dst_addr_filter
+                uninstall_dst_net_filter
+                Pcap::error
+
+.. zeek:id:: unique_id
+   :source-code: base/bif/zeek.bif.zeek 634 634
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string`) : :zeek:type:`string`
+
+   Creates an identifier that is unique with high probability.
+   
+
+   :param prefix: A custom string prepended to the result.
+   
+
+   :returns: A string identifier that is unique.
+   
+   .. zeek:see:: unique_id_from
+
+.. zeek:id:: unique_id_from
+   :source-code: base/bif/zeek.bif.zeek 646 646
+
+   :Type: :zeek:type:`function` (pool: :zeek:type:`int`, prefix: :zeek:type:`string`) : :zeek:type:`string`
+
+   Creates an identifier that is unique with high probability.
+   
+
+   :param pool: A seed for determinism.
+   
+
+   :param prefix: A custom string prepended to the result.
+   
+
+   :returns: A string identifier that is unique.
+   
+   .. zeek:see:: unique_id
+
+.. zeek:id:: unlink
+   :source-code: base/bif/zeek.bif.zeek 2223 2223
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Removes a file from a directory.
+   
+
+   :param f: the file to delete.
+   
+
+   :returns: True if the operation succeeds and the file was deleted,
+            and false if the deletion fails.
+   
+   .. zeek:see:: active_file open_for_append close write_file
+                get_file_name set_buf flush_all enable_raw_output
+                mkdir rmdir rename
+
+.. zeek:id:: uuid_to_string
+   :source-code: base/bif/zeek.bif.zeek 1670 1670
+
+   :Type: :zeek:type:`function` (uuid: :zeek:type:`string`) : :zeek:type:`string`
+
+   Converts a bytes representation of a UUID into its string form. For example,
+   given a string of 16 bytes, it produces an output string in this format:
+   ``550e8400-e29b-41d4-a716-446655440000``.
+   See `<http://en.wikipedia.org/wiki/Universally_unique_identifier>`_.
+   
+
+   :param uuid: The 16 bytes of the UUID.
+   
+
+   :returns: The string representation of *uuid*.
+
+.. zeek:id:: val_footprint
+   :source-code: base/bif/zeek.bif.zeek 1087 1087
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`any`) : :zeek:type:`count`
+
+   Computes a value's "footprint": the number of objects the value contains
+   either directly or indirectly.  The number is not meant to be precise, but
+   rather comparable: larger footprint correlates with more memory consumption.
+   
+
+   :returns: the footprint.
+   
+   .. zeek:see:: global_container_footprints
+
+.. zeek:id:: write_file
+   :source-code: base/bif/zeek.bif.zeek 2158 2158
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`file`, data: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Writes data to an open file.
+   
+
+   :param f: A :zeek:type:`file` handle to an open file.
+   
+
+   :param data: The data to write to *f*.
+   
+
+   :returns: True on success.
+   
+   .. zeek:see:: active_file open open_for_append close
+                get_file_name set_buf flush_all mkdir enable_raw_output
+                rmdir unlink rename
+
+.. zeek:id:: zeek_args
+   :source-code: base/bif/zeek.bif.zeek 1039 1039
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string_vec`
+
+
+   :returns: list of command-line arguments (``argv``) used to run Zeek.
+
+.. zeek:id:: zeek_is_terminating
+   :source-code: base/bif/zeek.bif.zeek 1172 1172
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Checks if Zeek is terminating.
+   
+
+   :returns: True if Zeek is in the process of shutting down.
+   
+   .. zeek:see:: terminate
+
+.. zeek:id:: zeek_version
+   :source-code: base/bif/zeek.bif.zeek 989 989
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Returns the Zeek version string.
+   
+
+   :returns: Zeek's version, e.g., 2.0-beta-47-debug.
+
+
diff --git a/doc/scripts/base/bif/zeekygen.bif.zeek.rst b/doc/scripts/base/bif/zeekygen.bif.zeek.rst
new file mode 100644
index 0000000000..b4af8615d5
--- /dev/null
+++ b/doc/scripts/base/bif/zeekygen.bif.zeek.rst
@@ -0,0 +1,133 @@
+:tocdepth: 3
+
+base/bif/zeekygen.bif.zeek
+==========================
+.. zeek:namespace:: GLOBAL
+
+Functions for querying script, package, or variable documentation.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+=================================================================== =============================================================================
+:zeek:id:`get_identifier_comments`: :zeek:type:`function`           Retrieve the Zeekygen-style comments (``##``) associated with an identifier
+                                                                    (e.g.
+:zeek:id:`get_identifier_declaring_script`: :zeek:type:`function`   Retrieve the declaring script associated with an identifier
+                                                                    (e.g.
+:zeek:id:`get_package_readme`: :zeek:type:`function`                Retrieve the contents of a Zeek script package's README file.
+:zeek:id:`get_record_field_comments`: :zeek:type:`function`         Retrieve the Zeekygen-style comments (``##``) associated with a record field.
+:zeek:id:`get_record_field_declaring_script`: :zeek:type:`function` Retrieve the declaring script associated with a record field.
+:zeek:id:`get_script_comments`: :zeek:type:`function`               Retrieve the Zeekygen-style summary comments (``##!``) associated with
+                                                                    a Zeek script.
+=================================================================== =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: get_identifier_comments
+   :source-code: base/bif/zeekygen.bif.zeek 17 17
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Retrieve the Zeekygen-style comments (``##``) associated with an identifier
+   (e.g. a variable or type).
+   
+
+   :param name: a script-level identifier for which to retrieve comments.
+   
+
+   :returns: comments associated with *name*.  If *name* is not a known
+            script-level identifier, an empty string is returned.
+
+.. zeek:id:: get_identifier_declaring_script
+   :source-code: base/bif/zeekygen.bif.zeek 29 29
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Retrieve the declaring script associated with an identifier
+   (e.g. a variable or type).
+   
+
+   :param name: a script-level identifier
+   
+
+   :returns: declaring script associated with *name*. If *name* is not a known
+            script-level identifier, an empty string is returned.
+   
+   .. zeek:see:: get_record_field_declaring_script
+
+.. zeek:id:: get_package_readme
+   :source-code: base/bif/zeekygen.bif.zeek 51 51
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Retrieve the contents of a Zeek script package's README file.
+   
+
+   :param name: the name of a Zeek script package.  It must be a relative path
+         to where it is located within a particular component of ZEEKPATH.
+   
+
+   :returns: contents of the package's README file.  If *name* is not a known
+            package, an empty string is returned.
+
+.. zeek:id:: get_record_field_comments
+   :source-code: base/bif/zeekygen.bif.zeek 62 62
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Retrieve the Zeekygen-style comments (``##``) associated with a record field.
+   
+
+   :param name: the name of a script-level record type and a field within it formatted
+         like a typical record field access: "<record_type>$<field>".
+   
+
+   :returns: comments associated with the record field.  If *name* does
+            not point to a known script-level record type or a known field within
+            a record type, an empty string is returned.
+
+.. zeek:id:: get_record_field_declaring_script
+   :source-code: base/bif/zeekygen.bif.zeek 78 78
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Retrieve the declaring script associated with a record field.
+   
+   The declaring script for a field is different from the declaring script
+   of the record type itself when fields were added via redef.
+   
+
+   :param name: the name of a script-level record type and a field within it formatted
+         like a typical record field access: "<record_type>$<field>".
+   
+
+   :returns: the declaring script associated with the record field.  If *name* does
+            not point to a known script-level record type or a known field within
+            a record type, an empty string is returned.
+   
+   .. zeek:see:: get_identifier_declaring_script
+
+.. zeek:id:: get_script_comments
+   :source-code: base/bif/zeekygen.bif.zeek 41 41
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Retrieve the Zeekygen-style summary comments (``##!``) associated with
+   a Zeek script.
+   
+
+   :param name: the name of a Zeek script.  It must be a relative path to where
+         it is located within a particular component of ZEEKPATH and use
+         the same file name extension/suffix as the actual file (e.g. ".zeek").
+   
+
+   :returns: summary comments associated with script with *name*.  If
+            *name* is not a known script, an empty string is returned.
+
+
diff --git a/doc/scripts/base/files/extract/__load__.zeek.rst b/doc/scripts/base/files/extract/__load__.zeek.rst
new file mode 100644
index 0000000000..d7e951bc76
--- /dev/null
+++ b/doc/scripts/base/files/extract/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/files/extract/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/files/extract/main.zeek </scripts/base/files/extract/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/files/extract/index.rst b/doc/scripts/base/files/extract/index.rst
new file mode 100644
index 0000000000..1ef71a1cc6
--- /dev/null
+++ b/doc/scripts/base/files/extract/index.rst
@@ -0,0 +1,13 @@
+:orphan:
+
+Package: base/files/extract
+===========================
+
+Support for extracting files with the file analysis framework.
+
+:doc:`/scripts/base/files/extract/__load__.zeek`
+
+
+:doc:`/scripts/base/files/extract/main.zeek`
+
+
diff --git a/doc/scripts/base/files/extract/main.zeek.rst b/doc/scripts/base/files/extract/main.zeek.rst
new file mode 100644
index 0000000000..c71e9984fe
--- /dev/null
+++ b/doc/scripts/base/files/extract/main.zeek.rst
@@ -0,0 +1,127 @@
+:tocdepth: 3
+
+base/files/extract/main.zeek
+============================
+.. zeek:namespace:: FileExtract
+
+
+:Namespace: FileExtract
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================================= ================================================================
+:zeek:id:`FileExtract::default_limit`: :zeek:type:`count` :zeek:attr:`&redef`                 The default max size for extracted files (they won't exceed this
+                                                                                              number of bytes).
+:zeek:id:`FileExtract::default_limit_includes_missing`: :zeek:type:`bool` :zeek:attr:`&redef` This setting configures if the file extract limit is inclusive
+                                                                                              of missing bytes.
+============================================================================================= ================================================================
+
+Redefinable Options
+###################
+======================================================================= ========================================
+:zeek:id:`FileExtract::prefix`: :zeek:type:`string` :zeek:attr:`&redef` The prefix where files are extracted to.
+======================================================================= ========================================
+
+Redefinitions
+#############
+========================================================================= ==========================================================================================================================================================
+:zeek:type:`Files::AnalyzerArgs`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                                          
+                                                                          :New Fields: :zeek:type:`Files::AnalyzerArgs`
+                                                                          
+                                                                            extract_filename: :zeek:type:`string` :zeek:attr:`&optional`
+                                                                              The local filename to which to write an extracted file.
+                                                                          
+                                                                            extract_limit: :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`FileExtract::default_limit` :zeek:attr:`&optional`
+                                                                              The maximum allowed file size in bytes of *extract_filename*.
+                                                                          
+                                                                            extract_limit_includes_missing: :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`FileExtract::default_limit_includes_missing` :zeek:attr:`&optional`
+                                                                              By default, missing bytes in files count towards the extract file size.
+:zeek:type:`Files::Info`: :zeek:type:`record` :zeek:attr:`&redef`         
+                                                                          
+                                                                          :New Fields: :zeek:type:`Files::Info`
+                                                                          
+                                                                            extracted: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                                              Local filename of extracted file.
+                                                                          
+                                                                            extracted_cutoff: :zeek:type:`bool` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                                              Set to true if the file being extracted was cut off
+                                                                              so the whole file was not logged.
+                                                                          
+                                                                            extracted_size: :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                                              The number of bytes extracted to disk.
+========================================================================= ==========================================================================================================================================================
+
+Functions
+#########
+======================================================== =============================================
+:zeek:id:`FileExtract::set_limit`: :zeek:type:`function` Sets the maximum allowed extracted file size.
+======================================================== =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: FileExtract::default_limit
+   :source-code: base/files/extract/main.zeek 12 12
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``104857600``
+
+   The default max size for extracted files (they won't exceed this
+   number of bytes). A value of zero means unlimited. Defaults to 100MB.
+
+.. zeek:id:: FileExtract::default_limit_includes_missing
+   :source-code: base/files/extract/main.zeek 21 21
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   This setting configures if the file extract limit is inclusive
+   of missing bytes. By default, missing bytes do count towards the
+   limit.
+   Setting this option to false changes this behavior so that missing
+   bytes no longer count towards these limits. Files with
+   missing bytes are created as sparse files on disk. Their apparent size
+   can exceed this file size limit.
+
+Redefinable Options
+###################
+.. zeek:id:: FileExtract::prefix
+   :source-code: base/files/extract/main.zeek 8 8
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"./extract_files/"``
+
+   The prefix where files are extracted to.
+
+Functions
+#########
+.. zeek:id:: FileExtract::set_limit
+   :source-code: base/files/extract/main.zeek 72 75
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`, args: :zeek:type:`Files::AnalyzerArgs`, n: :zeek:type:`count`) : :zeek:type:`bool`
+
+   Sets the maximum allowed extracted file size.
+   
+
+   :param f: A file that's being extracted.
+   
+
+   :param args: Arguments that identify a file extraction analyzer.
+   
+
+   :param n: Allowed number of bytes to be extracted.
+   
+
+   :returns: false if a file extraction analyzer wasn't active for
+            the file, else true.
+
+
diff --git a/doc/scripts/base/files/hash/__load__.zeek.rst b/doc/scripts/base/files/hash/__load__.zeek.rst
new file mode 100644
index 0000000000..53136fc956
--- /dev/null
+++ b/doc/scripts/base/files/hash/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/files/hash/__load__.zeek
+=============================
+
+
+:Imports: :doc:`base/files/hash/main.zeek </scripts/base/files/hash/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/files/hash/index.rst b/doc/scripts/base/files/hash/index.rst
new file mode 100644
index 0000000000..bb9d93f50b
--- /dev/null
+++ b/doc/scripts/base/files/hash/index.rst
@@ -0,0 +1,13 @@
+:orphan:
+
+Package: base/files/hash
+========================
+
+Support for file hashes with the file analysis framework.
+
+:doc:`/scripts/base/files/hash/__load__.zeek`
+
+
+:doc:`/scripts/base/files/hash/main.zeek`
+
+
diff --git a/doc/scripts/base/files/hash/main.zeek.rst b/doc/scripts/base/files/hash/main.zeek.rst
new file mode 100644
index 0000000000..1cf1359220
--- /dev/null
+++ b/doc/scripts/base/files/hash/main.zeek.rst
@@ -0,0 +1,33 @@
+:tocdepth: 3
+
+base/files/hash/main.zeek
+=========================
+.. zeek:namespace:: FileHash
+
+
+:Namespace: FileHash
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+================================================================= ======================================================================
+:zeek:type:`Files::Info`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                                  
+                                                                  :New Fields: :zeek:type:`Files::Info`
+                                                                  
+                                                                    md5: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                      An MD5 digest of the file contents.
+                                                                  
+                                                                    sha1: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                      A SHA1 digest of the file contents.
+                                                                  
+                                                                    sha256: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                      A SHA256 digest of the file contents.
+================================================================= ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/files/pe/__load__.zeek.rst b/doc/scripts/base/files/pe/__load__.zeek.rst
new file mode 100644
index 0000000000..3ce6f2a4f2
--- /dev/null
+++ b/doc/scripts/base/files/pe/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/files/pe/__load__.zeek
+===========================
+
+
+:Imports: :doc:`base/files/pe/consts.zeek </scripts/base/files/pe/consts.zeek>`, :doc:`base/files/pe/main.zeek </scripts/base/files/pe/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/files/pe/consts.zeek.rst b/doc/scripts/base/files/pe/consts.zeek.rst
new file mode 100644
index 0000000000..40615622dc
--- /dev/null
+++ b/doc/scripts/base/files/pe/consts.zeek.rst
@@ -0,0 +1,297 @@
+:tocdepth: 3
+
+base/files/pe/consts.zeek
+=========================
+.. zeek:namespace:: PE
+
+
+:Namespace: PE
+
+Summary
+~~~~~~~
+Constants
+#########
+======================================================================================================== =
+:zeek:id:`PE::directories`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`             
+:zeek:id:`PE::dll_characteristics`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`     
+:zeek:id:`PE::file_characteristics`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`    
+:zeek:id:`PE::machine_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`           
+:zeek:id:`PE::os_versions`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`             
+:zeek:id:`PE::section_characteristics`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` 
+:zeek:id:`PE::section_descs`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`           
+:zeek:id:`PE::windows_subsystems`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`      
+======================================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: PE::directories
+   :source-code: base/files/pe/consts.zeek 73 73
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "Resource Table",
+            [14] = "CLR Runtime Header",
+            [15] = "Reserved",
+            [6] = "Debug",
+            [8] = "Global Ptr",
+            [9] = "TLS Table",
+            [1] = "Import Table",
+            [11] = "Bound Import",
+            [7] = "Architecture",
+            [5] = "Base Relocation Table",
+            [10] = "Load Config Table",
+            [4] = "Certificate Table",
+            [13] = "Delay Import Descriptor",
+            [12] = "IAT",
+            [3] = "Exception Table",
+            [0] = "Export Table"
+         }
+
+
+
+.. zeek:id:: PE::dll_characteristics
+   :source-code: base/files/pe/consts.zeek 48 48
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [512] = "NO_ISOLATION",
+            [8192] = "WDM_DRIVER",
+            [32768] = "TERMINAL_SERVER_AWARE",
+            [64] = "DYNAMIC_BASE",
+            [1024] = "NO_SEH",
+            [2048] = "NO_BIND",
+            [256] = "NX_COMPAT",
+            [128] = "FORCE_INTEGRITY"
+         }
+
+
+
+.. zeek:id:: PE::file_characteristics
+   :source-code: base/files/pe/consts.zeek 30 30
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [32768] = "BYTES_REVERSED_HI",
+            [2] = "EXECUTABLE_IMAGE",
+            [16384] = "UP_SYSTEM_ONLY",
+            [16] = "AGGRESSIVE_WS_TRIM",
+            [4] = "LINE_NUMS_STRIPPED",
+            [256] = "32BIT_MACHINE",
+            [4096] = "SYSTEM",
+            [128] = "BYTES_REVERSED_LO",
+            [32] = "LARGE_ADDRESS_AWARE",
+            [512] = "DEBUG_STRIPPED",
+            [8192] = "DLL",
+            [8] = "LOCAL_SYMS_STRIPPED",
+            [1024] = "REMOVABLE_RUN_FROM_SWAP",
+            [2048] = "NET_RUN_FROM_SWAP",
+            [1] = "RELOCS_STRIPPED"
+         }
+
+
+
+.. zeek:id:: PE::machine_types
+   :source-code: base/files/pe/consts.zeek 5 5
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [332] = "I386",
+            [448] = "ARM",
+            [419] = "SH3DSP",
+            [34404] = "AMD64",
+            [1126] = "MIPSFPU16",
+            [36929] = "M32R",
+            [512] = "IA64",
+            [424] = "SH5",
+            [870] = "MIPSFPU",
+            [496] = "POWERPC",
+            [450] = "THUMB",
+            [422] = "SH4",
+            [3772] = "EBC",
+            [467] = "AM33",
+            [452] = "ARMNT",
+            [614] = "MIPS16",
+            [497] = "POWERPCFP",
+            [358] = "R4000",
+            [418] = "SH3",
+            [0] = "UNKNOWN",
+            [361] = "WCEMIPSV2",
+            [43620] = "ARM64"
+         }
+
+
+
+.. zeek:id:: PE::os_versions
+   :source-code: base/files/pe/consts.zeek 129 129
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`, :zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2, 11] = "Windows 2.11",
+            [6, 2] = "Windows 8 or Server 2012",
+            [5, 0] = "Windows 2000",
+            [3, 51] = "Windows NT 3.51",
+            [2, 0] = "Windows 2.0",
+            [3, 11] = "Windows for Workgroups 3.11",
+            [5, 1] = "Windows XP",
+            [3, 0] = "Windows 3.0",
+            [1, 0] = "Windows 1.0",
+            [10, 0] = "Windows 10",
+            [4, 90] = "Windows Me",
+            [5, 2] = "Windows XP x64 or Server 2003",
+            [6, 1] = "Windows 7 or Server 2008 R2",
+            [3, 50] = "Windows NT 3.5",
+            [4, 10] = "Windows 98",
+            [2, 10] = "Windows 2.10",
+            [1, 1] = "Windows 1.01",
+            [1, 4] = "Windows 1.04",
+            [6, 3] = "Windows 8.1 or Server 2012 R2",
+            [6, 0] = "Windows Vista or Server 2008",
+            [3, 10] = "Windows 3.1 or NT 3.1",
+            [6, 4] = "Windows 10 Technical Preview",
+            [3, 2] = "Windows 3.2",
+            [1, 3] = "Windows 1.03",
+            [4, 0] = "Windows 95 or NT 4.0"
+         }
+
+
+
+.. zeek:id:: PE::section_characteristics
+   :source-code: base/files/pe/consts.zeek 92 92
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [1048576] = "ALIGN_1BYTES",
+            [131072] = "MEM_16BIT",
+            [64] = "CNT_INITIALIZED_DATA",
+            [12582912] = "ALIGN_2048BYTES",
+            [8] = "TYPE_NO_PAD",
+            [7340032] = "ALIGN_64BYTES",
+            [13631488] = "ALIGN_4096BYTES",
+            [2147483648] = "MEM_WRITE",
+            [536870912] = "MEM_EXECUTE",
+            [128] = "CNT_UNINITIALIZED_DATA",
+            [32] = "CNT_CODE",
+            [14680064] = "ALIGN_8192BYTES",
+            [6291456] = "ALIGN_32BYTES",
+            [4194304] = "ALIGN_8BYTES",
+            [67108864] = "MEM_NOT_CACHED",
+            [5242880] = "ALIGN_16BYTES",
+            [32768] = "GPREL",
+            [9437184] = "ALIGN_256BYTES",
+            [4096] = "LNK_COMDAT",
+            [524288] = "MEM_PRELOAD",
+            [16777216] = "LNK_NRELOC_OVFL",
+            [33554432] = "MEM_DISCARDABLE",
+            [512] = "LNK_INFO",
+            [11534336] = "ALIGN_1024BYTES",
+            [262144] = "MEM_LOCKED",
+            [3145728] = "ALIGN_4BYTES",
+            [256] = "LNK_OTHER",
+            [268435456] = "MEM_SHARED",
+            [1073741824] = "MEM_READ",
+            [2048] = "LNK_REMOVE",
+            [10485760] = "ALIGN_512BYTES",
+            [8388608] = "ALIGN_128BYTES",
+            [2097152] = "ALIGN_2BYTES",
+            [134217728] = "MEM_NOT_PAGED"
+         }
+
+
+
+.. zeek:id:: PE::section_descs
+   :source-code: base/files/pe/consts.zeek 157 157
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [".debug$P"] = "Precompiled debug types",
+            [".drective"] = "Linker options",
+            [".text"] = "Executable code",
+            [".idata"] = "Import tables",
+            [".sbss"] = "GP-relative uninitialized data",
+            [".idlsym"] = "Includes registered SEH to support IDL attributes",
+            [".edata"] = "Export tables",
+            [".sdata"] = "GP-relative initialized data",
+            [".rdata"] = "Read-only initialized data",
+            [".pdata"] = "Exception information",
+            [".debug$S"] = "Debug symbols",
+            [".tls$"] = "Thread-local storage",
+            [".reloc"] = "Image relocations",
+            [".debug$F"] = "Generated FPO debug information",
+            [".bss"] = "Uninitialized data",
+            [".debug$T"] = "Debug types",
+            [".cormeta"] = "CLR metadata that indicates that the object file contains managed code",
+            [".tls"] = "Thread-local storage",
+            [".sxdata"] = "Registered exception handler data",
+            [".vsdata"] = "GP-relative initialized data",
+            [".rsrc"] = "Resource directory",
+            [".srdata"] = "GP-relative read-only data",
+            [".data"] = "Initialized data",
+            [".xdata"] = "Exception information"
+         }
+
+
+
+.. zeek:id:: PE::windows_subsystems
+   :source-code: base/files/pe/consts.zeek 59 59
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "WINDOWS_GUI",
+            [11] = "EFI_BOOT_SERVICE_DRIVER",
+            [7] = "POSIX_CUI",
+            [10] = "EFI_APPLICATION",
+            [14] = "XBOX",
+            [13] = "EFI_ROM",
+            [12] = "EFI_RUNTIME_DRIVER",
+            [3] = "WINDOWS_CUI",
+            [9] = "WINDOWS_CE_GUI",
+            [0] = "UNKNOWN",
+            [1] = "NATIVE"
+         }
+
+
+
+
diff --git a/doc/scripts/base/files/pe/index.rst b/doc/scripts/base/files/pe/index.rst
new file mode 100644
index 0000000000..5197e99702
--- /dev/null
+++ b/doc/scripts/base/files/pe/index.rst
@@ -0,0 +1,16 @@
+:orphan:
+
+Package: base/files/pe
+======================
+
+Support for Portable Executable (PE) file analysis.
+
+:doc:`/scripts/base/files/pe/__load__.zeek`
+
+
+:doc:`/scripts/base/files/pe/consts.zeek`
+
+
+:doc:`/scripts/base/files/pe/main.zeek`
+
+
diff --git a/doc/scripts/base/files/pe/main.zeek.rst b/doc/scripts/base/files/pe/main.zeek.rst
new file mode 100644
index 0000000000..cf842df78d
--- /dev/null
+++ b/doc/scripts/base/files/pe/main.zeek.rst
@@ -0,0 +1,166 @@
+:tocdepth: 3
+
+base/files/pe/main.zeek
+=======================
+.. zeek:namespace:: PE
+
+
+:Namespace: PE
+:Imports: :doc:`base/files/pe/consts.zeek </scripts/base/files/pe/consts.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+========================================== =
+:zeek:type:`PE::Info`: :zeek:type:`record` 
+========================================== =
+
+Redefinitions
+#############
+============================================================= ==================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                       
+                                                              
+                                                              * :zeek:enum:`PE::LOG`
+:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                              
+                                                              :New Fields: :zeek:type:`fa_file`
+                                                              
+                                                                pe: :zeek:type:`PE::Info` :zeek:attr:`&optional`
+============================================================= ==================================================
+
+Events
+######
+========================================= ===================================
+:zeek:id:`PE::log_pe`: :zeek:type:`event` Event for accessing logged records.
+========================================= ===================================
+
+Hooks
+#####
+======================================================= ====================================================
+:zeek:id:`PE::log_policy`: :zeek:type:`Log::PolicyHook` 
+:zeek:id:`PE::set_file`: :zeek:type:`hook`              A hook that gets called when we first see a PE file.
+======================================================= ====================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: PE::Info
+   :source-code: base/files/pe/main.zeek 10 45
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Current timestamp.
+
+
+   .. zeek:field:: id :zeek:type:`string` :zeek:attr:`&log`
+
+      File id of this portable executable file.
+
+
+   .. zeek:field:: machine :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The target machine that the file was compiled for.
+
+
+   .. zeek:field:: compile_ts :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The time that the file was created at.
+
+
+   .. zeek:field:: os :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The required operating system.
+
+
+   .. zeek:field:: subsystem :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The subsystem that is required to run this file.
+
+
+   .. zeek:field:: is_exe :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Is the file an executable, or just an object file?
+
+
+   .. zeek:field:: is_64bit :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Is the file a 64-bit executable?
+
+
+   .. zeek:field:: uses_aslr :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Does the file support Address Space Layout Randomization?
+
+
+   .. zeek:field:: uses_dep :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Does the file support Data Execution Prevention?
+
+
+   .. zeek:field:: uses_code_integrity :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Does the file enforce code integrity checks?
+
+
+   .. zeek:field:: uses_seh :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Does the file use structured exception handing?
+
+
+   .. zeek:field:: has_import_table :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Does the file have an import table?
+
+
+   .. zeek:field:: has_export_table :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Does the file have an export table?
+
+
+   .. zeek:field:: has_cert_table :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Does the file have an attribute certificate table?
+
+
+   .. zeek:field:: has_debug_data :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Does the file have a debug table?
+
+
+   .. zeek:field:: section_names :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The names of the sections, in order.
+
+
+
+Events
+######
+.. zeek:id:: PE::log_pe
+   :source-code: base/files/pe/main.zeek 48 48
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`PE::Info`)
+
+   Event for accessing logged records.
+
+Hooks
+#####
+.. zeek:id:: PE::log_policy
+   :source-code: base/files/pe/main.zeek 8 8
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+.. zeek:id:: PE::set_file
+   :source-code: base/files/pe/main.zeek 66 70
+
+   :Type: :zeek:type:`hook` (f: :zeek:type:`fa_file`) : :zeek:type:`bool`
+
+   A hook that gets called when we first see a PE file.
+
+
diff --git a/doc/scripts/base/files/x509/__load__.zeek.rst b/doc/scripts/base/files/x509/__load__.zeek.rst
new file mode 100644
index 0000000000..b036aec524
--- /dev/null
+++ b/doc/scripts/base/files/x509/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/files/x509/__load__.zeek
+=============================
+
+
+:Imports: :doc:`base/files/x509/certificate-event-cache.zeek </scripts/base/files/x509/certificate-event-cache.zeek>`, :doc:`base/files/x509/log-ocsp.zeek </scripts/base/files/x509/log-ocsp.zeek>`, :doc:`base/files/x509/main.zeek </scripts/base/files/x509/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/files/x509/certificate-event-cache.zeek.rst b/doc/scripts/base/files/x509/certificate-event-cache.zeek.rst
new file mode 100644
index 0000000000..025a5d9806
--- /dev/null
+++ b/doc/scripts/base/files/x509/certificate-event-cache.zeek.rst
@@ -0,0 +1,102 @@
+:tocdepth: 3
+
+base/files/x509/certificate-event-cache.zeek
+============================================
+.. zeek:namespace:: X509
+
+This script sets up the certificate event cache handling of Zeek.
+
+The Zeek core provided a method to skip certificate processing for known certificates.
+For more details about this functionality, see :zeek:see:`x509_set_certificate_cache`.
+
+This script uses this feature to lower the amount of processing that has to be performed
+by Zeek by caching all certificate events for common certificates. For these certificates,
+the parsing of certificate information in the core is disabled. Instead, the cached events
+and data structures from the previous certificates are used.
+
+:Namespace: X509
+:Imports: :doc:`base/files/x509/main.zeek </scripts/base/files/x509/main.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================================= =====================================================================
+:zeek:id:`X509::caching_required_encounters`: :zeek:type:`count` :zeek:attr:`&redef`                    How often do you have to encounter a certificate before
+                                                                                                        caching the events for it.
+:zeek:id:`X509::caching_required_encounters_interval`: :zeek:type:`interval` :zeek:attr:`&redef`        The timespan over which caching_required_encounters has to be reached
+:zeek:id:`X509::certificate_cache_max_entries`: :zeek:type:`count` :zeek:attr:`&redef`                  Maximum size of the certificate event cache
+:zeek:id:`X509::certificate_cache_minimum_eviction_interval`: :zeek:type:`interval` :zeek:attr:`&redef` After a certificate has not been encountered for this time, it
+                                                                                                        may be evicted from the certificate event cache.
+======================================================================================================= =====================================================================
+
+Hooks
+#####
+================================================================= ===================================================================
+:zeek:id:`X509::x509_certificate_cache_replay`: :zeek:type:`hook` This hook performs event-replays in case a certificate that already
+                                                                  is in the cache is encountered.
+================================================================= ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: X509::caching_required_encounters
+   :source-code: base/files/x509/certificate-event-cache.zeek 18 18
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   How often do you have to encounter a certificate before
+   caching the events for it. Set to 0 to disable caching of certificates.
+
+.. zeek:id:: X509::caching_required_encounters_interval
+   :source-code: base/files/x509/certificate-event-cache.zeek 21 21
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min 2.0 secs``
+
+   The timespan over which caching_required_encounters has to be reached
+
+.. zeek:id:: X509::certificate_cache_max_entries
+   :source-code: base/files/x509/certificate-event-cache.zeek 28 28
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10000``
+   :Redefinition: from :doc:`/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek`
+
+      ``=``::
+
+         100000
+
+
+   Maximum size of the certificate event cache
+
+.. zeek:id:: X509::certificate_cache_minimum_eviction_interval
+   :source-code: base/files/x509/certificate-event-cache.zeek 25 25
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min 2.0 secs``
+
+   After a certificate has not been encountered for this time, it
+   may be evicted from the certificate event cache.
+
+Hooks
+#####
+.. zeek:id:: X509::x509_certificate_cache_replay
+   :source-code: base/files/x509/certificate-event-cache.zeek 35 35
+
+   :Type: :zeek:type:`hook` (f: :zeek:type:`fa_file`, e: :zeek:type:`X509::Info`, sha256: :zeek:type:`string`) : :zeek:type:`bool`
+
+   This hook performs event-replays in case a certificate that already
+   is in the cache is encountered.
+   
+   It is possible to change this behavior/skip sending the events by
+   installing a higher priority hook instead.
+
+
diff --git a/doc/scripts/base/files/x509/index.rst b/doc/scripts/base/files/x509/index.rst
new file mode 100644
index 0000000000..989593f86d
--- /dev/null
+++ b/doc/scripts/base/files/x509/index.rst
@@ -0,0 +1,30 @@
+:orphan:
+
+Package: base/files/x509
+========================
+
+Support for X509 certificates with the file analysis framework.
+Also supports parsing OCSP requests and responses.
+
+:doc:`/scripts/base/files/x509/__load__.zeek`
+
+
+:doc:`/scripts/base/files/x509/main.zeek`
+
+
+:doc:`/scripts/base/files/x509/certificate-event-cache.zeek`
+
+   This script sets up the certificate event cache handling of Zeek.
+   
+   The Zeek core provided a method to skip certificate processing for known certificates.
+   For more details about this functionality, see :zeek:see:`x509_set_certificate_cache`.
+   
+   This script uses this feature to lower the amount of processing that has to be performed
+   by Zeek by caching all certificate events for common certificates. For these certificates,
+   the parsing of certificate information in the core is disabled. Instead, the cached events
+   and data structures from the previous certificates are used.
+
+:doc:`/scripts/base/files/x509/log-ocsp.zeek`
+
+   Enable logging of OCSP responses.
+
diff --git a/doc/scripts/base/files/x509/log-ocsp.zeek.rst b/doc/scripts/base/files/x509/log-ocsp.zeek.rst
new file mode 100644
index 0000000000..9566c1eda8
--- /dev/null
+++ b/doc/scripts/base/files/x509/log-ocsp.zeek.rst
@@ -0,0 +1,126 @@
+:tocdepth: 3
+
+base/files/x509/log-ocsp.zeek
+=============================
+.. zeek:namespace:: OCSP
+
+Enable logging of OCSP responses.
+
+:Namespace: OCSP
+
+Summary
+~~~~~~~
+Types
+#####
+============================================ ==========================================================
+:zeek:type:`OCSP::Info`: :zeek:type:`record` The record type which contains the fields of the OCSP log.
+============================================ ==========================================================
+
+Redefinitions
+#############
+======================================= ========================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`OCSP::LOG`
+======================================= ========================
+
+Events
+######
+============================================= ===================================================
+:zeek:id:`OCSP::log_ocsp`: :zeek:type:`event` Event that can be handled to access the OCSP record
+                                              as it is sent to the logging framework.
+============================================= ===================================================
+
+Hooks
+#####
+========================================================= =
+:zeek:id:`OCSP::log_policy`: :zeek:type:`Log::PolicyHook` 
+========================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: OCSP::Info
+   :source-code: base/files/x509/log-ocsp.zeek 11 34
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time when the OCSP reply was encountered.
+
+
+   .. zeek:field:: id :zeek:type:`string` :zeek:attr:`&log`
+
+      File id of the OCSP reply.
+
+
+   .. zeek:field:: hashAlgorithm :zeek:type:`string` :zeek:attr:`&log`
+
+      Hash algorithm used to generate issuerNameHash and issuerKeyHash.
+
+
+   .. zeek:field:: issuerNameHash :zeek:type:`string` :zeek:attr:`&log`
+
+      Hash of the issuer's distinguished name.
+
+
+   .. zeek:field:: issuerKeyHash :zeek:type:`string` :zeek:attr:`&log`
+
+      Hash of the issuer's public key.
+
+
+   .. zeek:field:: serialNumber :zeek:type:`string` :zeek:attr:`&log`
+
+      Serial number of the affected certificate.
+
+
+   .. zeek:field:: certStatus :zeek:type:`string` :zeek:attr:`&log`
+
+      Status of the affected certificate.
+
+
+   .. zeek:field:: revoketime :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Time at which the certificate was revoked.
+
+
+   .. zeek:field:: revokereason :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Reason for which the certificate was revoked.
+
+
+   .. zeek:field:: thisUpdate :zeek:type:`time` :zeek:attr:`&log`
+
+      The time at which the status being shows is known to have been correct.
+
+
+   .. zeek:field:: nextUpdate :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The latest time at which new information about the status of the certificate will be available.
+
+
+   The record type which contains the fields of the OCSP log.
+
+Events
+######
+.. zeek:id:: OCSP::log_ocsp
+   :source-code: base/files/x509/log-ocsp.zeek 38 38
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`OCSP::Info`)
+
+   Event that can be handled to access the OCSP record
+   as it is sent to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: OCSP::log_policy
+   :source-code: base/files/x509/log-ocsp.zeek 8 8
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/files/x509/main.zeek.rst b/doc/scripts/base/files/x509/main.zeek.rst
new file mode 100644
index 0000000000..aa4abead72
--- /dev/null
+++ b/doc/scripts/base/files/x509/main.zeek.rst
@@ -0,0 +1,375 @@
+:tocdepth: 3
+
+base/files/x509/main.zeek
+=========================
+.. zeek:namespace:: X509
+
+
+:Namespace: X509
+:Imports: :doc:`base/files/hash </scripts/base/files/hash/index>`, :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+========================================================================================== ===================================================================
+:zeek:id:`X509::known_log_certs_maximum_size`: :zeek:type:`count` :zeek:attr:`&redef`      Maximum size of the known_log_certs table
+:zeek:id:`X509::log_x509_in_files_log`: :zeek:type:`bool` :zeek:attr:`&redef`              This option specifies if X.509 certificates are logged in file.log.
+:zeek:id:`X509::relog_known_certificates_after`: :zeek:type:`interval` :zeek:attr:`&redef` By default, x509 certificates are deduplicated.
+========================================================================================== ===================================================================
+
+Redefinable Options
+###################
+============================================================================================= ========================================================================
+:zeek:id:`X509::default_max_field_container_elements`: :zeek:type:`count` :zeek:attr:`&redef` The maximum number of elements a single container field can contain when
+                                                                                              logging.
+:zeek:id:`X509::default_max_field_string_bytes`: :zeek:type:`count` :zeek:attr:`&redef`       The maximum number of bytes that a single string field can contain when
+                                                                                              logging.
+:zeek:id:`X509::default_max_total_container_elements`: :zeek:type:`count` :zeek:attr:`&redef` The maximum total number of container elements a record may log.
+============================================================================================= ========================================================================
+
+State Variables
+###############
+================================================================================================================================= ===========================================================================================
+:zeek:id:`X509::known_log_certs`: :zeek:type:`set` :zeek:attr:`&create_expire` = :zeek:see:`X509::relog_known_certificates_after` The set that stores information about certificates that already have been logged and should
+                                                                                                                                  not be logged again.
+:zeek:id:`X509::known_log_certs_use_broker`: :zeek:type:`bool`                                                                    Use broker stores to deduplicate certificates across the whole cluster.
+================================================================================================================================= ===========================================================================================
+
+Types
+#####
+=================================================== ===================================================================================
+:zeek:type:`X509::Info`: :zeek:type:`record`        The record type which contains the fields of the X.509 log.
+:zeek:type:`X509::LogCertHash`: :zeek:type:`record` Type that is used to decide which certificates are duplicates for logging purposes.
+:zeek:type:`X509::SctInfo`: :zeek:type:`record`     This record is used to store information about the SCTs that are
+                                                    encountered in Certificates.
+=================================================== ===================================================================================
+
+Redefinitions
+#############
+================================================================= ======================================================
+:zeek:type:`Files::Info`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                                  
+                                                                  :New Fields: :zeek:type:`Files::Info`
+                                                                  
+                                                                    x509: :zeek:type:`X509::Info` :zeek:attr:`&optional`
+                                                                      Information about X509 certificates.
+:zeek:type:`Log::ID`: :zeek:type:`enum`                           
+                                                                  
+                                                                  * :zeek:enum:`X509::LOG`
+================================================================= ======================================================
+
+Events
+######
+============================================= ===================================
+:zeek:id:`X509::log_x509`: :zeek:type:`event` Event for accessing logged records.
+============================================= ===================================
+
+Hooks
+#####
+============================================================== =======================================================================
+:zeek:id:`X509::create_deduplication_index`: :zeek:type:`hook` Hook that is used to create the index value used for log deduplication.
+:zeek:id:`X509::log_policy`: :zeek:type:`Log::PolicyHook`      
+============================================================== =======================================================================
+
+Functions
+#########
+========================================================================= ==============================================
+:zeek:id:`X509::hash_function`: :zeek:type:`function` :zeek:attr:`&redef` The hash function used for certificate hashes.
+========================================================================= ==============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: X509::known_log_certs_maximum_size
+   :source-code: base/files/x509/main.zeek 98 98
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000000``
+
+   Maximum size of the known_log_certs table
+
+.. zeek:id:: X509::log_x509_in_files_log
+   :source-code: base/files/x509/main.zeek 20 20
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   This option specifies if X.509 certificates are logged in file.log. Typically, there
+   is not much value to having the entry in files.log - especially since, by default, the
+   file ID is not present in the X509 log.
+
+.. zeek:id:: X509::relog_known_certificates_after
+   :source-code: base/files/x509/main.zeek 91 91
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 day``
+
+   By default, x509 certificates are deduplicated. This configuration option configures
+   the maximum time after which certificates are re-logged. Note - depending on other configuration
+   options, this setting might only apply on a per-worker basis and you still might see certificates
+   logged several times.
+   
+   To disable deduplication completely, set this to 0secs.
+
+Redefinable Options
+###################
+.. zeek:id:: X509::default_max_field_container_elements
+   :source-code: base/files/x509/main.zeek 121 121
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``500``
+
+   The maximum number of elements a single container field can contain when
+   logging. If a container reaches this limit, the log output for the field will
+   be truncated. Setting this to zero disables the limiting.
+   
+   .. zeek:see:: Log::default_max_field_container_elements
+
+.. zeek:id:: X509::default_max_field_string_bytes
+   :source-code: base/files/x509/main.zeek 114 114
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4096``
+   :Redefinition: from :doc:`/scripts/policy/protocols/ssl/log-certs-base64.zeek`
+
+      ``=``::
+
+         0
+
+
+   The maximum number of bytes that a single string field can contain when
+   logging. If a string reaches this limit, the log output for the field will be
+   truncated. Setting this to zero disables the limiting.
+   
+   .. zeek:see:: Log::default_max_field_string_bytes
+
+.. zeek:id:: X509::default_max_total_container_elements
+   :source-code: base/files/x509/main.zeek 130 130
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1500``
+
+   The maximum total number of container elements a record may log. This is the
+   sum of all container elements logged for the record. If this limit is reached,
+   all further containers will be logged as empty containers. If the limit is
+   reached while processing a container, the container will be truncated in the
+   output. Setting this to zero disables the limiting.
+   
+   .. zeek:see:: Log::default_max_total_container_elements
+
+State Variables
+###############
+.. zeek:id:: X509::known_log_certs
+   :source-code: base/files/x509/main.zeek 95 95
+
+   :Type: :zeek:type:`set` [:zeek:type:`X509::LogCertHash`]
+   :Attributes: :zeek:attr:`&create_expire` = :zeek:see:`X509::relog_known_certificates_after`
+   :Default: ``{}``
+
+   The set that stores information about certificates that already have been logged and should
+   not be logged again.
+
+.. zeek:id:: X509::known_log_certs_use_broker
+   :source-code: base/files/x509/main.zeek 104 104
+
+   :Type: :zeek:type:`bool`
+   :Default: ``T``
+
+   Use broker stores to deduplicate certificates across the whole cluster. This will cause log-deduplication
+   to work cluster wide, but come at a slightly higher cost of memory and inter-node-communication.
+   
+   This setting is ignored if Zeek is run in standalone mode.
+
+Types
+#####
+.. zeek:type:: X509::Info
+   :source-code: base/files/x509/main.zeek 34 60
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Current timestamp.
+
+
+   .. zeek:field:: fingerprint :zeek:type:`string` :zeek:attr:`&log`
+
+      Fingerprint of the certificate - uses chosen algorithm.
+
+
+   .. zeek:field:: certificate :zeek:type:`X509::Certificate` :zeek:attr:`&log`
+
+      Basic information about the certificate.
+
+
+   .. zeek:field:: handle :zeek:type:`opaque` of x509
+
+      The opaque wrapping the certificate. Mainly used
+      for the verify operations.
+
+
+   .. zeek:field:: extensions :zeek:type:`vector` of :zeek:type:`X509::Extension` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      All extensions that were encountered in the certificate.
+
+
+   .. zeek:field:: san :zeek:type:`X509::SubjectAlternativeName` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Subject alternative name extension of the certificate.
+
+
+   .. zeek:field:: basic_constraints :zeek:type:`X509::BasicConstraints` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Basic constraints extension of the certificate.
+
+
+   .. zeek:field:: extensions_cache :zeek:type:`vector` of :zeek:type:`any` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      All extensions in the order they were raised.
+      This is used for caching certificates that are commonly
+      encountered and should not be relied on in user scripts.
+
+
+   .. zeek:field:: host_cert :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if this certificate was a end-host certificate, or sent as part of a chain
+
+
+   .. zeek:field:: client_cert :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if this certificate was sent from the client
+
+
+   .. zeek:field:: deduplication_index :zeek:type:`X509::LogCertHash` :zeek:attr:`&optional`
+
+      Record that is used to deduplicate log entries.
+
+
+   .. zeek:field:: always_raise_x509_events :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek` is loaded)
+
+      Set to true to force certificate events to always be raised for this certificate.
+
+
+   .. zeek:field:: cert :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/log-certs-base64.zeek` is loaded)
+
+      Base64 encoded X.509 certificate.
+
+
+   The record type which contains the fields of the X.509 log.
+
+.. zeek:type:: X509::LogCertHash
+   :source-code: base/files/x509/main.zeek 24 31
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fingerprint :zeek:type:`string`
+
+      Certificate fingerprint
+
+
+   .. zeek:field:: host_cert :zeek:type:`bool`
+
+      Indicates if this certificate was a end-host certificate, or sent as part of a chain
+
+
+   .. zeek:field:: client_cert :zeek:type:`bool`
+
+      Indicates if this certificate was sent from the client
+
+
+   Type that is used to decide which certificates are duplicates for logging purposes.
+   When adding entries to this, also change the create_deduplication_index to update them.
+
+.. zeek:type:: X509::SctInfo
+   :source-code: base/files/x509/main.zeek 67 83
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      The version of the encountered SCT (should always be 0 for v1).
+
+
+   .. zeek:field:: logid :zeek:type:`string`
+
+      The ID of the log issuing this SCT.
+
+
+   .. zeek:field:: timestamp :zeek:type:`count`
+
+      The timestamp at which this SCT was issued measured since the
+      epoch (January 1, 1970, 00:00), ignoring leap seconds, in
+      milliseconds. Not converted to a Zeek timestamp because we need
+      the exact value for validation.
+
+
+   .. zeek:field:: hash_alg :zeek:type:`count`
+
+      The hash algorithm used for this sct.
+
+
+   .. zeek:field:: sig_alg :zeek:type:`count`
+
+      The signature algorithm used for this sct.
+
+
+   .. zeek:field:: signature :zeek:type:`string`
+
+      The signature of this SCT.
+
+
+   This record is used to store information about the SCTs that are
+   encountered in Certificates.
+
+Events
+######
+.. zeek:id:: X509::log_x509
+   :source-code: base/files/x509/main.zeek 107 107
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`X509::Info`)
+
+   Event for accessing logged records.
+
+Hooks
+#####
+.. zeek:id:: X509::create_deduplication_index
+   :source-code: base/files/x509/main.zeek 186 192
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`X509::Info`) : :zeek:type:`bool`
+
+   Hook that is used to create the index value used for log deduplication.
+
+.. zeek:id:: X509::log_policy
+   :source-code: policy/protocols/ssl/log-hostcerts-only.zeek 9 13
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+Functions
+#########
+.. zeek:id:: X509::hash_function
+   :source-code: base/files/x509/main.zeek 15 15
+
+   :Type: :zeek:type:`function` (cert: :zeek:type:`string`) : :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+
+   The hash function used for certificate hashes. By default this is sha256; you can use
+   any other hash function and the hashes will change in ssl.log and in x509.log.
+
+
diff --git a/doc/scripts/base/frameworks/analyzer/__load__.zeek.rst b/doc/scripts/base/frameworks/analyzer/__load__.zeek.rst
new file mode 100644
index 0000000000..2735b7e48c
--- /dev/null
+++ b/doc/scripts/base/frameworks/analyzer/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/analyzer/__load__.zeek
+======================================
+
+
+:Imports: :doc:`base/frameworks/analyzer/dpd.zeek </scripts/base/frameworks/analyzer/dpd.zeek>`, :doc:`base/frameworks/analyzer/logging.zeek </scripts/base/frameworks/analyzer/logging.zeek>`, :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/analyzer/dpd.zeek.rst b/doc/scripts/base/frameworks/analyzer/dpd.zeek.rst
new file mode 100644
index 0000000000..5c7615002c
--- /dev/null
+++ b/doc/scripts/base/frameworks/analyzer/dpd.zeek.rst
@@ -0,0 +1,85 @@
+:tocdepth: 3
+
+base/frameworks/analyzer/dpd.zeek
+=================================
+.. zeek:namespace:: DPD
+
+Disables analyzers if protocol violations occur, and adds service information
+to connection log.
+
+:Namespace: DPD
+:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=========================================================================================== ===============================================================
+:zeek:id:`DPD::ignore_violations`: :zeek:type:`set` :zeek:attr:`&redef`                     Analyzers which you don't want to remove on violations.
+:zeek:id:`DPD::ignore_violations_after`: :zeek:type:`count` :zeek:attr:`&redef`             Ignore violations which go this many bytes into the connection.
+:zeek:id:`DPD::track_removed_services_in_connection`: :zeek:type:`bool` :zeek:attr:`&redef` Change behavior of service field in conn.log:
+                                                                                            Failed services are no longer removed.
+=========================================================================================== ===============================================================
+
+Redefinitions
+#############
+============================================ ==================================================================================================================
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               failed_analyzers: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+                                                 The set of prototol analyzers that were removed due to a protocol
+                                                 violation after the same analyzer had previously been confirmed.
+============================================ ==================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: DPD::ignore_violations
+   :source-code: base/frameworks/analyzer/dpd.zeek 10 10
+
+   :Type: :zeek:type:`set` [:zeek:type:`Analyzer::Tag`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+   :Redefinition: from :doc:`/scripts/base/protocols/dce-rpc/main.zeek`
+
+      ``+=``::
+
+         Analyzer::ANALYZER_DCE_RPC
+
+   :Redefinition: from :doc:`/scripts/base/protocols/ntlm/main.zeek`
+
+      ``+=``::
+
+         Analyzer::ANALYZER_NTLM
+
+
+   Analyzers which you don't want to remove on violations.
+
+.. zeek:id:: DPD::ignore_violations_after
+   :source-code: base/frameworks/analyzer/dpd.zeek 14 14
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10240``
+
+   Ignore violations which go this many bytes into the connection.
+   Set to 0 to never ignore protocol violations.
+
+.. zeek:id:: DPD::track_removed_services_in_connection
+   :source-code: base/frameworks/analyzer/dpd.zeek 21 21
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Change behavior of service field in conn.log:
+   Failed services are no longer removed. Instead, for a failed
+   service, a second entry with a "-" in front of it is added.
+   E.g. a http connection with a violation would be logged as
+   "http,-http".
+
+
diff --git a/doc/scripts/base/frameworks/analyzer/index.rst b/doc/scripts/base/frameworks/analyzer/index.rst
new file mode 100644
index 0000000000..91a9657472
--- /dev/null
+++ b/doc/scripts/base/frameworks/analyzer/index.rst
@@ -0,0 +1,42 @@
+:orphan:
+
+Package: base/frameworks/analyzer
+=================================
+
+The analyzer framework allows to dynamically enable or disable Zeek's
+protocol analyzers, as well as to manage the well-known ports which
+automatically activate a particular analyzer for new connections.
+
+:doc:`/scripts/base/frameworks/analyzer/main.zeek`
+
+   Framework for managing Zeek's protocol analyzers.
+   
+   The analyzer framework allows to dynamically enable or disable analyzers, as
+   well as to manage the well-known ports which automatically activate a
+   particular analyzer for new connections.
+   
+   Protocol analyzers are identified by unique tags of type
+   :zeek:type:`Analyzer::Tag`, such as :zeek:enum:`Analyzer::ANALYZER_HTTP`.
+   These tags are defined internally by
+   the analyzers themselves, and documented in their analyzer-specific
+   description along with the events that they generate.
+   
+   Analyzer tags are also inserted into a global :zeek:type:`AllAnalyzers::Tag` enum
+   type. This type contains duplicates of all of the :zeek:type:`Analyzer::Tag`,
+   :zeek:type:`PacketAnalyzer::Tag` and :zeek:type:`Files::Tag` enum values
+   and can be used for arguments to function/hook/event definitions where they
+   need to handle any analyzer type. See :zeek:id:`Analyzer::register_for_ports`
+   for an example.
+
+:doc:`/scripts/base/frameworks/analyzer/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/analyzer/dpd.zeek`
+
+   Disables analyzers if protocol violations occur, and adds service information
+   to connection log.
+
+:doc:`/scripts/base/frameworks/analyzer/logging.zeek`
+
+   Logging analyzer  violations into analyzer.log
+
diff --git a/doc/scripts/base/frameworks/analyzer/logging.zeek.rst b/doc/scripts/base/frameworks/analyzer/logging.zeek.rst
new file mode 100644
index 0000000000..2cc7d04342
--- /dev/null
+++ b/doc/scripts/base/frameworks/analyzer/logging.zeek.rst
@@ -0,0 +1,148 @@
+:tocdepth: 3
+
+base/frameworks/analyzer/logging.zeek
+=====================================
+.. zeek:namespace:: Analyzer::Logging
+
+Logging analyzer  violations into analyzer.log
+
+:Namespace: Analyzer::Logging
+:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`, :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=========================================================================================== ==============================================================
+:zeek:id:`Analyzer::Logging::failure_data_max_size`: :zeek:type:`count` :zeek:attr:`&redef` If a violation contains information about the data causing it,
+                                                                                            include at most this many bytes of it in the log.
+=========================================================================================== ==============================================================
+
+Types
+#####
+========================================================= ===========================================================================
+:zeek:type:`Analyzer::Logging::Info`: :zeek:type:`record` The record type defining the columns to log in the analyzer logging stream.
+========================================================= ===========================================================================
+
+Redefinitions
+#############
+======================================= ===========================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` Add the analyzer logging stream identifier.
+                                        
+                                        * :zeek:enum:`Analyzer::Logging::LOG`
+======================================= ===========================================
+
+Events
+######
+============================================================== ===============================================================================
+:zeek:id:`Analyzer::Logging::log_analyzer`: :zeek:type:`event` An event that can be handled to access the :zeek:type:`Analyzer::Logging::Info`
+                                                               record as it is sent on to the logging framework.
+============================================================== ===============================================================================
+
+Hooks
+#####
+====================================================================== =============================================
+:zeek:id:`Analyzer::Logging::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+====================================================================== =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Analyzer::Logging::failure_data_max_size
+   :source-code: base/frameworks/analyzer/logging.zeek 39 39
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``40``
+
+   If a violation contains information about the data causing it,
+   include at most this many bytes of it in the log.
+
+Types
+#####
+.. zeek:type:: Analyzer::Logging::Info
+   :source-code: base/frameworks/analyzer/logging.zeek 13 35
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp of the violation.
+
+
+   .. zeek:field:: analyzer_kind :zeek:type:`string` :zeek:attr:`&log`
+
+      The kind of analyzer involved. Currently "packet", "file"
+      or "protocol".
+
+
+   .. zeek:field:: analyzer_name :zeek:type:`string` :zeek:attr:`&log`
+
+      The name of the analyzer as produced by :zeek:see:`Analyzer::name`
+      for the analyzer's tag.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Connection UID if available.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      File UID if available.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Connection identifier if available.
+
+
+   .. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Transport protocol for the violation, if available.
+
+
+   .. zeek:field:: failure_reason :zeek:type:`string` :zeek:attr:`&log`
+
+      Failure or violation reason, if available.
+
+
+   .. zeek:field:: failure_data :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Data causing failure or violation if available. Truncated
+      to :zeek:see:`Analyzer::Logging::failure_data_max_size`.
+
+
+   .. zeek:field:: packet_segment :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/frameworks/analyzer/packet-segment-logging.zeek` is loaded)
+
+      A chunk of the payload that most likely resulted in the
+      analyzer violation.
+
+
+   The record type defining the columns to log in the analyzer logging stream.
+
+Events
+######
+.. zeek:id:: Analyzer::Logging::log_analyzer
+   :source-code: base/frameworks/analyzer/logging.zeek 43 43
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Analyzer::Logging::Info`)
+
+   An event that can be handled to access the :zeek:type:`Analyzer::Logging::Info`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Analyzer::Logging::log_policy
+   :source-code: policy/frameworks/analyzer/packet-segment-logging.zeek 38 50
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/base/frameworks/analyzer/main.zeek.rst b/doc/scripts/base/frameworks/analyzer/main.zeek.rst
new file mode 100644
index 0000000000..b6f420e23d
--- /dev/null
+++ b/doc/scripts/base/frameworks/analyzer/main.zeek.rst
@@ -0,0 +1,364 @@
+:tocdepth: 3
+
+base/frameworks/analyzer/main.zeek
+==================================
+.. zeek:namespace:: Analyzer
+
+Framework for managing Zeek's protocol analyzers.
+
+The analyzer framework allows to dynamically enable or disable analyzers, as
+well as to manage the well-known ports which automatically activate a
+particular analyzer for new connections.
+
+Protocol analyzers are identified by unique tags of type
+:zeek:type:`Analyzer::Tag`, such as :zeek:enum:`Analyzer::ANALYZER_HTTP`.
+These tags are defined internally by
+the analyzers themselves, and documented in their analyzer-specific
+description along with the events that they generate.
+
+Analyzer tags are also inserted into a global :zeek:type:`AllAnalyzers::Tag` enum
+type. This type contains duplicates of all of the :zeek:type:`Analyzer::Tag`,
+:zeek:type:`PacketAnalyzer::Tag` and :zeek:type:`Files::Tag` enum values
+and can be used for arguments to function/hook/event definitions where they
+need to handle any analyzer type. See :zeek:id:`Analyzer::register_for_ports`
+for an example.
+
+:Namespace: Analyzer
+:Imports: :doc:`base/bif/analyzer.bif.zeek </scripts/base/bif/analyzer.bif.zeek>`, :doc:`base/bif/file_analysis.bif.zeek </scripts/base/bif/file_analysis.bif.zeek>`, :doc:`base/bif/packet_analysis.bif.zeek </scripts/base/bif/packet_analysis.bif.zeek>`, :doc:`base/frameworks/packet-filter/utils.zeek </scripts/base/frameworks/packet-filter/utils.zeek>`
+
+Summary
+~~~~~~~
+State Variables
+###############
+============================================================================== ===================================================================
+:zeek:id:`Analyzer::disable_all`: :zeek:type:`bool` :zeek:attr:`&redef`        If true, all available analyzers are initially disabled at startup.
+:zeek:id:`Analyzer::disabled_analyzers`: :zeek:type:`set` :zeek:attr:`&redef`  A set of analyzers to disable by default at startup.
+:zeek:id:`Analyzer::ports`: :zeek:type:`table`                                 A table of ports mapped to analyzers that handle those ports.
+:zeek:id:`Analyzer::requested_analyzers`: :zeek:type:`set` :zeek:attr:`&redef` A set of protocol, packet or file analyzer tags requested to
+                                                                               be enabled during startup.
+============================================================================== ===================================================================
+
+Events
+######
+======================================================== ========================================================================
+:zeek:id:`Analyzer::analyzer_failed`: :zeek:type:`event` Event that is raised when an analyzer raised a service violation and was
+                                                         removed.
+======================================================== ========================================================================
+
+Functions
+#########
+================================================================ =======================================================================
+:zeek:id:`Analyzer::all_registered_ports`: :zeek:type:`function` Returns a table of all ports-to-analyzer mappings currently registered.
+:zeek:id:`Analyzer::analyzer_to_bpf`: :zeek:type:`function`      Automatically creates a BPF filter for the specified protocol based
+                                                                 on the data supplied for the protocol through the
+                                                                 :zeek:see:`Analyzer::register_for_ports` function.
+:zeek:id:`Analyzer::disable_analyzer`: :zeek:type:`function`     Disables an analyzer.
+:zeek:id:`Analyzer::enable_analyzer`: :zeek:type:`function`      Enables an analyzer.
+:zeek:id:`Analyzer::get_bpf`: :zeek:type:`function`              Create a BPF filter which matches all of the ports defined
+                                                                 by the various protocol analysis scripts as "registered ports"
+                                                                 for the protocol.
+:zeek:id:`Analyzer::get_tag`: :zeek:type:`function`              Translates an analyzer's name to a tag enum value.
+:zeek:id:`Analyzer::has_tag`: :zeek:type:`function`              Check whether the given analyzer name exists.
+:zeek:id:`Analyzer::kind`: :zeek:type:`function`                 Translates an analyzer type to a string with the analyzer's type.
+:zeek:id:`Analyzer::name`: :zeek:type:`function`                 Translates an analyzer type to a string with the analyzer's name.
+:zeek:id:`Analyzer::register_for_port`: :zeek:type:`function`    Registers an individual well-known port for an analyzer.
+:zeek:id:`Analyzer::register_for_ports`: :zeek:type:`function`   Registers a set of well-known ports for an analyzer.
+:zeek:id:`Analyzer::registered_ports`: :zeek:type:`function`     Returns a set of all well-known ports currently registered for a
+                                                                 specific analyzer.
+:zeek:id:`Analyzer::schedule_analyzer`: :zeek:type:`function`    Schedules an analyzer for a future connection originating from a
+                                                                 given IP address and port.
+================================================================ =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+State Variables
+###############
+.. zeek:id:: Analyzer::disable_all
+   :source-code: base/frameworks/analyzer/main.zeek 28 28
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, all available analyzers are initially disabled at startup.
+   One can then selectively enable them with
+   :zeek:id:`Analyzer::enable_analyzer`.
+
+.. zeek:id:: Analyzer::disabled_analyzers
+   :source-code: base/frameworks/analyzer/main.zeek 156 156
+
+   :Type: :zeek:type:`set` [:zeek:type:`AllAnalyzers::Tag`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS
+         }
+
+
+   A set of analyzers to disable by default at startup. The default set
+   contains legacy analyzers that are no longer supported.
+
+.. zeek:id:: Analyzer::ports
+   :source-code: base/frameworks/analyzer/main.zeek 164 164
+
+   :Type: :zeek:type:`table` [:zeek:type:`AllAnalyzers::Tag`] of :zeek:type:`set` [:zeek:type:`port`]
+   :Default: ``{}``
+
+   A table of ports mapped to analyzers that handle those ports. This is
+   used by BPF filtering and DPD. Session analyzers can add to this using
+   Analyzer::register_for_port(s) and packet analyzers can add to this
+   using PacketAnalyzer::register_for_port(s).
+
+.. zeek:id:: Analyzer::requested_analyzers
+   :source-code: base/frameworks/analyzer/main.zeek 174 174
+
+   :Type: :zeek:type:`set` [:zeek:type:`AllAnalyzers::Tag`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   A set of protocol, packet or file analyzer tags requested to
+   be enabled during startup.
+   
+   By default, all analyzers in Zeek are enabled. When all analyzers
+   are disabled through :zeek:see:`Analyzer::disable_all`, this set
+   set allows to record analyzers to be enabled during Zeek startup.
+   
+   This set can be added to via :zeek:see:`redef`.
+
+Events
+######
+.. zeek:id:: Analyzer::analyzer_failed
+   :source-code: base/frameworks/analyzer/main.zeek 191 191
+
+   :Type: :zeek:type:`event` (ts: :zeek:type:`time`, atype: :zeek:type:`AllAnalyzers::Tag`, info: :zeek:type:`AnalyzerViolationInfo`)
+
+   Event that is raised when an analyzer raised a service violation and was
+   removed.
+   
+   The event is also raised if the analyzer already was no longer active by
+   the time that the violation was handled - so if it happens at the very
+   end of a connection.
+   
+   Currently this event is only raised for protocol analyzers, as packet
+   and file analyzers are never actively removed/disabled.
+   
+
+   :param ts: time at which the violation occurred
+   
+
+   :param atype: atype: The analyzer tag, such as ``Analyzer::ANALYZER_HTTP``.
+   
+
+   :param info: Details about the violation. This record should include a :zeek:type:`connection`
+
+Functions
+#########
+.. zeek:id:: Analyzer::all_registered_ports
+   :source-code: base/frameworks/analyzer/main.zeek 265 268
+
+   :Type: :zeek:type:`function` () : :zeek:type:`table` [:zeek:type:`AllAnalyzers::Tag`] of :zeek:type:`set` [:zeek:type:`port`]
+
+   Returns a table of all ports-to-analyzer mappings currently registered.
+   
+
+   :returns: A table mapping each analyzer to the set of ports
+            registered for it.
+
+.. zeek:id:: Analyzer::analyzer_to_bpf
+   :source-code: base/frameworks/analyzer/main.zeek 304 314
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Analyzer::Tag`) : :zeek:type:`string`
+
+   Automatically creates a BPF filter for the specified protocol based
+   on the data supplied for the protocol through the
+   :zeek:see:`Analyzer::register_for_ports` function.
+   
+
+   :param tag: The analyzer tag.
+   
+
+   :returns: BPF filter string.
+
+.. zeek:id:: Analyzer::disable_analyzer
+   :source-code: base/frameworks/analyzer/main.zeek 224 233
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`bool`
+
+   Disables an analyzer. Once disabled, the analyzer will not be used
+   further for analysis of future connections.
+   
+
+   :param tag: The tag of the analyzer to disable.
+   
+
+   :returns: True if the analyzer was successfully disabled.
+
+.. zeek:id:: Analyzer::enable_analyzer
+   :source-code: base/frameworks/analyzer/main.zeek 213 222
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`bool`
+
+   Enables an analyzer. Once enabled, the analyzer may be used for analysis
+   of future connections as decided by Zeek's dynamic protocol detection.
+   
+
+   :param tag: The tag of the analyzer to enable.
+   
+
+   :returns: True if the analyzer was successfully enabled.
+
+.. zeek:id:: Analyzer::get_bpf
+   :source-code: base/frameworks/analyzer/main.zeek 316 324
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Create a BPF filter which matches all of the ports defined
+   by the various protocol analysis scripts as "registered ports"
+   for the protocol.
+
+.. zeek:id:: Analyzer::get_tag
+   :source-code: base/frameworks/analyzer/main.zeek 293 296
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`AllAnalyzers::Tag`
+
+   Translates an analyzer's name to a tag enum value.
+   
+   The analyzer is assumed to exist; call
+   :zeek:see:`Analyzer::has_tag` first to verify that name is a
+   valid analyzer name.
+   
+
+   :param name: The analyzer name.
+   
+
+   :returns: The analyzer tag corresponding to the name.
+
+.. zeek:id:: Analyzer::has_tag
+   :source-code: base/frameworks/analyzer/main.zeek 288 291
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Check whether the given analyzer name exists.
+   
+   This can be used before calling :zeek:see:`Analyzer::get_tag` to
+   verify that the given name as string is a valid analyzer name.
+   
+
+   :param name: The analyzer name.
+   
+
+   :returns: True if the given name is a valid analyzer, else false.
+
+.. zeek:id:: Analyzer::kind
+   :source-code: base/frameworks/analyzer/main.zeek 275 286
+
+   :Type: :zeek:type:`function` (atype: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`string`
+
+   Translates an analyzer type to a string with the analyzer's type.
+   
+   Possible values are "protocol", "packet", "file", or "unknown".
+   
+
+   :param tag: The analyzer tag.
+   
+
+   :returns: The analyzer kind corresponding to the tag.
+
+.. zeek:id:: Analyzer::name
+   :source-code: base/frameworks/analyzer/main.zeek 270 273
+
+   :Type: :zeek:type:`function` (atype: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`string`
+
+   Translates an analyzer type to a string with the analyzer's name.
+   
+
+   :param tag: The analyzer tag.
+   
+
+   :returns: The analyzer name corresponding to the tag.
+
+.. zeek:id:: Analyzer::register_for_port
+   :source-code: base/frameworks/analyzer/main.zeek 248 258
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Analyzer::Tag`, p: :zeek:type:`port`) : :zeek:type:`bool`
+
+   Registers an individual well-known port for an analyzer. If a future
+   connection on this port is seen, the analyzer will be automatically
+   assigned to parsing it. The function *adds* to all ports already
+   registered, it doesn't replace them.
+   
+
+   :param tag: The tag of the analyzer.
+   
+
+   :param p: The well-known port to associate with the analyzer.
+   
+
+   :returns: True if the port was successfully registered.
+
+.. zeek:id:: Analyzer::register_for_ports
+   :source-code: base/frameworks/analyzer/main.zeek 235 246
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Analyzer::Tag`, ports: :zeek:type:`set` [:zeek:type:`port`]) : :zeek:type:`bool`
+
+   Registers a set of well-known ports for an analyzer. If a future
+   connection on one of these ports is seen, the analyzer will be
+   automatically assigned to parsing it. The function *adds* to all ports
+   already registered, it doesn't replace them.
+   
+
+   :param tag: The tag of the analyzer.
+   
+
+   :param ports: The set of well-known ports to associate with the analyzer.
+   
+
+   :returns: True if the ports were successfully registered.
+
+.. zeek:id:: Analyzer::registered_ports
+   :source-code: base/frameworks/analyzer/main.zeek 260 263
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`AllAnalyzers::Tag`) : :zeek:type:`set` [:zeek:type:`port`]
+
+   Returns a set of all well-known ports currently registered for a
+   specific analyzer.
+   
+
+   :param tag: The tag of the analyzer.
+   
+
+   :returns: The set of ports.
+
+.. zeek:id:: Analyzer::schedule_analyzer
+   :source-code: base/frameworks/analyzer/main.zeek 299 302
+
+   :Type: :zeek:type:`function` (orig: :zeek:type:`addr`, resp: :zeek:type:`addr`, resp_p: :zeek:type:`port`, analyzer: :zeek:type:`Analyzer::Tag`, tout: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Schedules an analyzer for a future connection originating from a
+   given IP address and port.
+   
+
+   :param orig: The IP address originating a connection in the future.
+         0.0.0.0 can be used as a wildcard to match any originator address.
+   
+
+   :param resp: The IP address responding to a connection from *orig*.
+   
+
+   :param resp_p: The destination port at *resp*.
+   
+
+   :param analyzer: The analyzer ID.
+   
+
+   :param tout: A timeout interval after which the scheduling request will be
+         discarded if the connection has not yet been seen.
+   
+
+   :returns: True if successful.
+
+
diff --git a/doc/scripts/base/frameworks/broker/__load__.zeek.rst b/doc/scripts/base/frameworks/broker/__load__.zeek.rst
new file mode 100644
index 0000000000..732badf8c1
--- /dev/null
+++ b/doc/scripts/base/frameworks/broker/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/broker/__load__.zeek
+====================================
+
+
+:Imports: :doc:`base/frameworks/broker/backpressure.zeek </scripts/base/frameworks/broker/backpressure.zeek>`, :doc:`base/frameworks/broker/log.zeek </scripts/base/frameworks/broker/log.zeek>`, :doc:`base/frameworks/broker/main.zeek </scripts/base/frameworks/broker/main.zeek>`, :doc:`base/frameworks/broker/store.zeek </scripts/base/frameworks/broker/store.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/broker/backpressure.zeek.rst b/doc/scripts/base/frameworks/broker/backpressure.zeek.rst
new file mode 100644
index 0000000000..5d78d0b236
--- /dev/null
+++ b/doc/scripts/base/frameworks/broker/backpressure.zeek.rst
@@ -0,0 +1,24 @@
+:tocdepth: 3
+
+base/frameworks/broker/backpressure.zeek
+========================================
+
+This handles Broker peers that fall so far behind in handling messages that
+this node sends it that the local Broker endpoint decides to unpeer them.
+Zeek captures this as follows:
+
+- In broker.log, with a regular "peer-removed" entry indicating CAF's reason.
+- Via eventing through :zeek:see:`Broker::peer_removed` as done in this script.
+
+The cluster framework additionally captures the unpeering as follows:
+
+- In cluster.log, with a higher-level message indicating the node names involved.
+- Via telemetry, using a labeled counter.
+
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/broker/index.rst b/doc/scripts/base/frameworks/broker/index.rst
new file mode 100644
index 0000000000..269b378455
--- /dev/null
+++ b/doc/scripts/base/frameworks/broker/index.rst
@@ -0,0 +1,36 @@
+:orphan:
+
+Package: base/frameworks/broker
+===============================
+
+The Broker communication framework facilitates connecting to remote Zeek
+instances to share state and transfer events.
+
+:doc:`/scripts/base/frameworks/broker/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/broker/main.zeek`
+
+   The Broker-based communication API and its various options.
+
+:doc:`/scripts/base/frameworks/broker/store.zeek`
+
+   The Broker-based data store API and its various options.
+
+:doc:`/scripts/base/frameworks/broker/log.zeek`
+
+
+:doc:`/scripts/base/frameworks/broker/backpressure.zeek`
+
+   This handles Broker peers that fall so far behind in handling messages that
+   this node sends it that the local Broker endpoint decides to unpeer them.
+   Zeek captures this as follows:
+   
+   - In broker.log, with a regular "peer-removed" entry indicating CAF's reason.
+   - Via eventing through :zeek:see:`Broker::peer_removed` as done in this script.
+   
+   The cluster framework additionally captures the unpeering as follows:
+   
+   - In cluster.log, with a higher-level message indicating the node names involved.
+   - Via telemetry, using a labeled counter.
+
diff --git a/doc/scripts/base/frameworks/broker/log.zeek.rst b/doc/scripts/base/frameworks/broker/log.zeek.rst
new file mode 100644
index 0000000000..7b134f2bc6
--- /dev/null
+++ b/doc/scripts/base/frameworks/broker/log.zeek.rst
@@ -0,0 +1,121 @@
+:tocdepth: 3
+
+base/frameworks/broker/log.zeek
+===============================
+.. zeek:namespace:: Broker
+
+
+:Namespace: Broker
+:Imports: :doc:`base/frameworks/broker/main.zeek </scripts/base/frameworks/broker/main.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================== =============================================================
+:zeek:type:`Broker::Info`: :zeek:type:`record` A record type containing the column fields of the Broker log.
+:zeek:type:`Broker::Type`: :zeek:type:`enum`   The type of a Broker activity being logged.
+============================================== =============================================================
+
+Redefinitions
+#############
+======================================= =====================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` The Broker logging stream identifier.
+                                        
+                                        * :zeek:enum:`Broker::LOG`
+======================================= =====================================
+
+Hooks
+#####
+=========================================================== =============================================
+:zeek:id:`Broker::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+=========================================================== =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Broker::Info
+   :source-code: base/frameworks/broker/log.zeek 33 45
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The network time at which a Broker event occurred.
+
+
+   .. zeek:field:: ty :zeek:type:`Broker::Type` :zeek:attr:`&log`
+
+      The type of the Broker event.
+
+
+   .. zeek:field:: ev :zeek:type:`string` :zeek:attr:`&log`
+
+      The event being logged.
+
+
+   .. zeek:field:: peer :zeek:type:`Broker::NetworkInfo` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The peer (if any) with which a Broker event is
+      concerned.
+
+
+   .. zeek:field:: message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      An optional message describing the Broker event in more detail
+
+
+   A record type containing the column fields of the Broker log.
+
+.. zeek:type:: Broker::Type
+   :source-code: base/frameworks/broker/log.zeek 13 31
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::STATUS Broker::Type
+
+         An informational status update.
+
+      .. zeek:enum:: Broker::ERROR Broker::Type
+
+         An error situation.
+
+      .. zeek:enum:: Broker::CRITICAL_EVENT Broker::Type
+
+         Fatal event, normal operation has most likely broken down.
+
+      .. zeek:enum:: Broker::ERROR_EVENT Broker::Type
+
+         Unrecoverable event that imparts at least part of the system.
+
+      .. zeek:enum:: Broker::WARNING_EVENT Broker::Type
+
+         Unexpected or conspicuous event that may still be recoverable.
+
+      .. zeek:enum:: Broker::INFO_EVENT Broker::Type
+
+         Noteworthy event during normal operation.
+
+      .. zeek:enum:: Broker::VERBOSE_EVENT Broker::Type
+
+         Information that might be relevant for a user to understand system behavior.
+
+      .. zeek:enum:: Broker::DEBUG_EVENT Broker::Type
+
+         An event that is relevant only for troubleshooting and debugging.
+
+   The type of a Broker activity being logged.
+
+Hooks
+#####
+.. zeek:id:: Broker::log_policy
+   :source-code: base/frameworks/broker/log.zeek 10 10
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/base/frameworks/broker/main.zeek.rst b/doc/scripts/base/frameworks/broker/main.zeek.rst
new file mode 100644
index 0000000000..cb1a926cf6
--- /dev/null
+++ b/doc/scripts/base/frameworks/broker/main.zeek.rst
@@ -0,0 +1,995 @@
+:tocdepth: 3
+
+base/frameworks/broker/main.zeek
+================================
+.. zeek:namespace:: Broker
+
+The Broker-based communication API and its various options.
+
+:Namespace: Broker
+:Imports: :doc:`base/bif/comm.bif.zeek </scripts/base/bif/comm.bif.zeek>`, :doc:`base/bif/messaging.bif.zeek </scripts/base/bif/messaging.bif.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================= =================================================================
+:zeek:id:`Broker::peer_counts_as_iosource`: :zeek:type:`bool` :zeek:attr:`&redef` Whether calling :zeek:see:`Broker::peer` will register the Broker
+                                                                                  system as an I/O source that will block the process from shutting
+                                                                                  down.
+================================================================================= =================================================================
+
+Redefinable Options
+###################
+======================================================================================================= ===========================================================================
+:zeek:id:`Broker::aggressive_interval`: :zeek:type:`count` :zeek:attr:`&redef`                          Frequency of work-stealing polling attempts for Broker/CAF threads
+                                                                                                        in "aggressive" mode.
+:zeek:id:`Broker::aggressive_polls`: :zeek:type:`count` :zeek:attr:`&redef`                             Number of work-stealing polling attempts for Broker/CAF threads
+                                                                                                        in "aggressive" mode.
+:zeek:id:`Broker::buffer_stats_reset_interval`: :zeek:type:`interval` :zeek:attr:`&redef`               How frequently Zeek resets some peering/client buffer statistics,
+                                                                                                        such as ``max_queued_recently`` in :zeek:see:`BrokerPeeringStats`.
+:zeek:id:`Broker::default_connect_retry`: :zeek:type:`interval` :zeek:attr:`&redef`                     Default interval to retry connecting to a peer if it cannot be made to
+                                                                                                        work initially, or if it ever becomes disconnected.
+:zeek:id:`Broker::default_listen_address`: :zeek:type:`string` :zeek:attr:`&redef`                      Default address on which to listen.
+:zeek:id:`Broker::default_listen_address_websocket`: :zeek:type:`string` :zeek:attr:`&redef`            Default address on which to listen for WebSocket connections.
+:zeek:id:`Broker::default_listen_retry`: :zeek:type:`interval` :zeek:attr:`&redef`                      Default interval to retry listening on a port if it's currently in
+                                                                                                        use already.
+:zeek:id:`Broker::default_log_topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef`                    The default topic prefix where logs will be published.
+:zeek:id:`Broker::default_port`: :zeek:type:`port` :zeek:attr:`&redef`                                  Default port for native Broker communication.
+:zeek:id:`Broker::default_port_websocket`: :zeek:type:`port` :zeek:attr:`&redef`                        Default port for Broker WebSocket communication.
+:zeek:id:`Broker::disable_ssl`: :zeek:type:`bool` :zeek:attr:`&redef`                                   If true, do not use SSL for network connections.
+:zeek:id:`Broker::forward_messages`: :zeek:type:`bool` :zeek:attr:`&redef`                              Forward all received messages to subscribing peers.
+:zeek:id:`Broker::log_batch_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                        Max time to buffer log messages before sending the current set out as a
+                                                                                                        batch.
+:zeek:id:`Broker::log_batch_size`: :zeek:type:`count` :zeek:attr:`&redef`                               The max number of log entries per log stream to batch together when
+                                                                                                        sending log messages to a remote logger.
+:zeek:id:`Broker::log_severity_level`: :zeek:type:`Broker::LogSeverityLevel` :zeek:attr:`&redef`        The log event severity level for the Broker log output.
+:zeek:id:`Broker::log_stderr_severity_level`: :zeek:type:`Broker::LogSeverityLevel` :zeek:attr:`&redef` Event severity level for also printing the Broker log output to stderr.
+:zeek:id:`Broker::max_threads`: :zeek:type:`count` :zeek:attr:`&redef`                                  Max number of threads to use for Broker/CAF functionality.
+:zeek:id:`Broker::moderate_interval`: :zeek:type:`count` :zeek:attr:`&redef`                            Frequency of work-stealing polling attempts for Broker/CAF threads
+                                                                                                        in "moderate" mode.
+:zeek:id:`Broker::moderate_polls`: :zeek:type:`count` :zeek:attr:`&redef`                               Number of work-stealing polling attempts for Broker/CAF threads
+                                                                                                        in "moderate" mode.
+:zeek:id:`Broker::moderate_sleep`: :zeek:type:`interval` :zeek:attr:`&redef`                            Interval of time for under-utilized Broker/CAF threads to sleep
+                                                                                                        when in "moderate" mode.
+:zeek:id:`Broker::peer_buffer_size`: :zeek:type:`count` :zeek:attr:`&redef`                             Max number of items we buffer at most per peer.
+:zeek:id:`Broker::peer_overflow_policy`: :zeek:type:`string` :zeek:attr:`&redef`                        Configures how Broker responds to peers that cannot keep up with the
+                                                                                                        incoming message rate.
+:zeek:id:`Broker::relaxed_interval`: :zeek:type:`count` :zeek:attr:`&redef`                             Frequency of work-stealing polling attempts for Broker/CAF threads
+                                                                                                        in "relaxed" mode.
+:zeek:id:`Broker::relaxed_sleep`: :zeek:type:`interval` :zeek:attr:`&redef`                             Interval of time for under-utilized Broker/CAF threads to sleep
+                                                                                                        when in "relaxed" mode.
+:zeek:id:`Broker::scheduler_policy`: :zeek:type:`string` :zeek:attr:`&redef`                            The CAF scheduling policy to use.
+:zeek:id:`Broker::ssl_cafile`: :zeek:type:`string` :zeek:attr:`&redef`                                  Path to a file containing concatenated trusted certificates
+                                                                                                        in PEM format.
+:zeek:id:`Broker::ssl_capath`: :zeek:type:`string` :zeek:attr:`&redef`                                  Path to an OpenSSL-style directory of trusted certificates.
+:zeek:id:`Broker::ssl_certificate`: :zeek:type:`string` :zeek:attr:`&redef`                             Path to a file containing a X.509 certificate for this
+                                                                                                        node in PEM format.
+:zeek:id:`Broker::ssl_keyfile`: :zeek:type:`string` :zeek:attr:`&redef`                                 Path to the file containing the private key for this node's
+                                                                                                        certificate.
+:zeek:id:`Broker::ssl_passphrase`: :zeek:type:`string` :zeek:attr:`&redef`                              Passphrase to decrypt the private key specified by
+                                                                                                        :zeek:see:`Broker::ssl_keyfile`.
+:zeek:id:`Broker::web_socket_buffer_size`: :zeek:type:`count` :zeek:attr:`&redef`                       Same as :zeek:see:`Broker::peer_buffer_size` but for WebSocket clients.
+:zeek:id:`Broker::web_socket_overflow_policy`: :zeek:type:`string` :zeek:attr:`&redef`                  Same as :zeek:see:`Broker::peer_overflow_policy` but for WebSocket clients.
+======================================================================================================= ===========================================================================
+
+Types
+#####
+======================================================== ====================================================================
+:zeek:type:`Broker::Data`: :zeek:type:`record`           Opaque communication data.
+:zeek:type:`Broker::DataVector`: :zeek:type:`vector`     Opaque communication data sequence.
+:zeek:type:`Broker::EndpointInfo`: :zeek:type:`record`   
+:zeek:type:`Broker::ErrorCode`: :zeek:type:`enum`        Enumerates the possible error types.
+:zeek:type:`Broker::Event`: :zeek:type:`record`          Opaque event communication data.
+:zeek:type:`Broker::LogSeverityLevel`: :zeek:type:`enum` The possible log event severity levels for Broker.
+:zeek:type:`Broker::NetworkInfo`: :zeek:type:`record`    
+:zeek:type:`Broker::PeerInfo`: :zeek:type:`record`       
+:zeek:type:`Broker::PeerInfos`: :zeek:type:`vector`      
+:zeek:type:`Broker::PeerStatus`: :zeek:type:`enum`       The possible states of a peer endpoint.
+:zeek:type:`Broker::TableItem`: :zeek:type:`record`      Opaque communication data used as a convenient way to wrap key-value
+                                                         pairs that comprise table entries.
+======================================================== ====================================================================
+
+Functions
+#########
+======================================================================= =======================================================================
+:zeek:id:`Broker::default_log_topic`: :zeek:type:`function`             The default implementation for :zeek:see:`Broker::log_topic`.
+:zeek:id:`Broker::flush_logs`: :zeek:type:`function`                    Sends all pending log messages to remote peers.
+:zeek:id:`Broker::forward`: :zeek:type:`function`                       Register a topic prefix subscription for events that should only be
+                                                                        forwarded to any subscribing peers and not raise any event handlers
+                                                                        on the receiving/forwarding node.
+:zeek:id:`Broker::is_outbound_peering`: :zeek:type:`function`           Whether the local node originally initiated the peering with the
+                                                                        given endpoint.
+:zeek:id:`Broker::listen`: :zeek:type:`function`                        Listen for remote connections using the native Broker protocol.
+:zeek:id:`Broker::log_topic`: :zeek:type:`function` :zeek:attr:`&redef` A function that will be called for each log entry to determine what
+                                                                        broker topic string will be used for sending it to peers.
+:zeek:id:`Broker::node_id`: :zeek:type:`function`                       Get a unique identifier for the local broker endpoint.
+:zeek:id:`Broker::peer`: :zeek:type:`function`                          Initiate a remote connection.
+:zeek:id:`Broker::peering_stats`: :zeek:type:`function`                 Obtain each peering's send-buffer statistics.
+:zeek:id:`Broker::peers`: :zeek:type:`function`                         Get a list of all peer connections.
+:zeek:id:`Broker::publish_id`: :zeek:type:`function`                    Publishes the value of an identifier to a given topic.
+:zeek:id:`Broker::subscribe`: :zeek:type:`function`                     Register interest in all peer event messages that use a certain topic
+                                                                        prefix.
+:zeek:id:`Broker::unpeer`: :zeek:type:`function`                        Remove a remote connection.
+:zeek:id:`Broker::unsubscribe`: :zeek:type:`function`                   Unregister interest in all peer event messages that use a topic prefix.
+======================================================================= =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Broker::peer_counts_as_iosource
+   :source-code: base/frameworks/broker/main.zeek 153 153
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether calling :zeek:see:`Broker::peer` will register the Broker
+   system as an I/O source that will block the process from shutting
+   down.  For example, set this to false when you are reading pcaps,
+   but also want to initiate a Broker peering and still shutdown after
+   done reading the pcap.
+
+Redefinable Options
+###################
+.. zeek:id:: Broker::aggressive_interval
+   :source-code: base/frameworks/broker/main.zeek 135 135
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4``
+
+   Frequency of work-stealing polling attempts for Broker/CAF threads
+   in "aggressive" mode.  Only used for the "stealing" scheduler policy.
+
+.. zeek:id:: Broker::aggressive_polls
+   :source-code: base/frameworks/broker/main.zeek 127 127
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5``
+
+   Number of work-stealing polling attempts for Broker/CAF threads
+   in "aggressive" mode.  Only used for the "stealing" scheduler policy.
+
+.. zeek:id:: Broker::buffer_stats_reset_interval
+   :source-code: base/frameworks/broker/main.zeek 104 104
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min``
+
+   How frequently Zeek resets some peering/client buffer statistics,
+   such as ``max_queued_recently`` in :zeek:see:`BrokerPeeringStats`.
+
+.. zeek:id:: Broker::default_connect_retry
+   :source-code: base/frameworks/broker/main.zeek 39 39
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 sec``
+
+   Default interval to retry connecting to a peer if it cannot be made to
+   work initially, or if it ever becomes disconnected.  Use of the
+   ZEEK_DEFAULT_CONNECT_RETRY environment variable (set as number of
+   seconds) will override this option and also any values given to
+   :zeek:see:`Broker::peer`.
+
+.. zeek:id:: Broker::default_listen_address
+   :source-code: base/frameworks/broker/main.zeek 27 27
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/agent/boot.zeek`
+
+      ``=``::
+
+         127.0.0.1
+
+
+   Default address on which to listen.
+   
+   .. zeek:see:: Broker::listen
+
+.. zeek:id:: Broker::default_listen_address_websocket
+   :source-code: base/frameworks/broker/main.zeek 32 32
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Default address on which to listen for WebSocket connections.
+   
+   .. zeek:see:: Cluster::listen_websocket
+
+.. zeek:id:: Broker::default_listen_retry
+   :source-code: base/frameworks/broker/main.zeek 22 22
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 sec``
+
+   Default interval to retry listening on a port if it's currently in
+   use already.  Use of the ZEEK_DEFAULT_LISTEN_RETRY environment variable
+   (set as a number of seconds) will override this option and also
+   any values given to :zeek:see:`Broker::listen`.
+
+.. zeek:id:: Broker::default_log_topic_prefix
+   :source-code: base/frameworks/broker/main.zeek 157 157
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/logs/"``
+
+   The default topic prefix where logs will be published.  The log's stream
+   id is appended when writing to a particular stream.
+
+.. zeek:id:: Broker::default_port
+   :source-code: base/frameworks/broker/main.zeek 8 8
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``9999/tcp``
+
+   Default port for native Broker communication. Where not specified
+   otherwise, this is the port to connect to and listen on.
+
+.. zeek:id:: Broker::default_port_websocket
+   :source-code: base/frameworks/broker/main.zeek 16 16
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``9997/tcp``
+
+   Default port for Broker WebSocket communication. Where not specified
+   otherwise, this is the port to connect to and listen on for
+   WebSocket connections.
+   
+   See the Broker documentation for a specification of the message
+   format over WebSocket connections.
+
+.. zeek:id:: Broker::disable_ssl
+   :source-code: base/frameworks/broker/main.zeek 45 45
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, do not use SSL for network connections. By default, SSL will
+   even be used if no certificates / CAs have been configured. In that case
+   (which is the default) the communication will be encrypted, but not
+   authenticated.
+
+.. zeek:id:: Broker::forward_messages
+   :source-code: base/frameworks/broker/main.zeek 146 146
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Forward all received messages to subscribing peers.
+
+.. zeek:id:: Broker::log_batch_interval
+   :source-code: base/frameworks/broker/main.zeek 78 78
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 sec``
+
+   Max time to buffer log messages before sending the current set out as a
+   batch.
+
+.. zeek:id:: Broker::log_batch_size
+   :source-code: base/frameworks/broker/main.zeek 74 74
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``400``
+
+   The max number of log entries per log stream to batch together when
+   sending log messages to a remote logger.
+
+.. zeek:id:: Broker::log_severity_level
+   :source-code: base/frameworks/broker/main.zeek 195 195
+
+   :Type: :zeek:type:`Broker::LogSeverityLevel`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Broker::LOG_WARNING``
+
+   The log event severity level for the Broker log output.
+
+.. zeek:id:: Broker::log_stderr_severity_level
+   :source-code: base/frameworks/broker/main.zeek 198 198
+
+   :Type: :zeek:type:`Broker::LogSeverityLevel`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Broker::LOG_CRITICAL``
+
+   Event severity level for also printing the Broker log output to stderr.
+
+.. zeek:id:: Broker::max_threads
+   :source-code: base/frameworks/broker/main.zeek 82 82
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1``
+
+   Max number of threads to use for Broker/CAF functionality.  The
+   ``ZEEK_BROKER_MAX_THREADS`` environment variable overrides this setting.
+
+.. zeek:id:: Broker::moderate_interval
+   :source-code: base/frameworks/broker/main.zeek 139 139
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2``
+
+   Frequency of work-stealing polling attempts for Broker/CAF threads
+   in "moderate" mode.  Only used for the "stealing" scheduler policy.
+
+.. zeek:id:: Broker::moderate_polls
+   :source-code: base/frameworks/broker/main.zeek 131 131
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5``
+
+   Number of work-stealing polling attempts for Broker/CAF threads
+   in "moderate" mode.  Only used for the "stealing" scheduler policy.
+
+.. zeek:id:: Broker::moderate_sleep
+   :source-code: base/frameworks/broker/main.zeek 119 119
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``16.0 msecs``
+
+   Interval of time for under-utilized Broker/CAF threads to sleep
+   when in "moderate" mode.  Only used for the "stealing" scheduler policy.
+
+.. zeek:id:: Broker::peer_buffer_size
+   :source-code: base/frameworks/broker/main.zeek 87 87
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``8192``
+
+   Max number of items we buffer at most per peer. What action to take when
+   the buffer reaches its maximum size is determined by
+   :zeek:see:`Broker::peer_overflow_policy`.
+
+.. zeek:id:: Broker::peer_overflow_policy
+   :source-code: base/frameworks/broker/main.zeek 94 94
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"drop_oldest"``
+
+   Configures how Broker responds to peers that cannot keep up with the
+   incoming message rate. Available strategies:
+   - disconnect: drop the connection to the unresponsive peer
+   - drop_newest: replace the newest message in the buffer
+   - drop_oldest: removed the olsted message from the buffer, then append
+
+.. zeek:id:: Broker::relaxed_interval
+   :source-code: base/frameworks/broker/main.zeek 143 143
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1``
+
+   Frequency of work-stealing polling attempts for Broker/CAF threads
+   in "relaxed" mode.  Only used for the "stealing" scheduler policy.
+
+.. zeek:id:: Broker::relaxed_sleep
+   :source-code: base/frameworks/broker/main.zeek 123 123
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``64.0 msecs``
+
+   Interval of time for under-utilized Broker/CAF threads to sleep
+   when in "relaxed" mode.  Only used for the "stealing" scheduler policy.
+
+.. zeek:id:: Broker::scheduler_policy
+   :source-code: base/frameworks/broker/main.zeek 115 115
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"sharing"``
+
+   The CAF scheduling policy to use.  Available options are "sharing" and
+   "stealing".  The "sharing" policy uses a single, global work queue along
+   with mutex and condition variable used for accessing it, which may be
+   better for cases that don't require much concurrency or need lower power
+   consumption.  The "stealing" policy uses multiple work queues protected
+   by spinlocks, which may be better for use-cases that have more
+   concurrency needs.  E.g. may be worth testing the "stealing" policy
+   along with dedicating more threads if a lot of data store processing is
+   required.
+
+.. zeek:id:: Broker::ssl_cafile
+   :source-code: base/frameworks/broker/main.zeek 50 50
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Path to a file containing concatenated trusted certificates
+   in PEM format. If set, Zeek will require valid certificates for
+   all peers.
+
+.. zeek:id:: Broker::ssl_capath
+   :source-code: base/frameworks/broker/main.zeek 55 55
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Path to an OpenSSL-style directory of trusted certificates.
+   If set, Zeek will require valid certificates for
+   all peers.
+
+.. zeek:id:: Broker::ssl_certificate
+   :source-code: base/frameworks/broker/main.zeek 60 60
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Path to a file containing a X.509 certificate for this
+   node in PEM format. If set, Zeek will require valid certificates for
+   all peers.
+
+.. zeek:id:: Broker::ssl_keyfile
+   :source-code: base/frameworks/broker/main.zeek 70 70
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Path to the file containing the private key for this node's
+   certificate. If set, Zeek will require valid certificates for
+   all peers.
+
+.. zeek:id:: Broker::ssl_passphrase
+   :source-code: base/frameworks/broker/main.zeek 65 65
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Passphrase to decrypt the private key specified by
+   :zeek:see:`Broker::ssl_keyfile`. If set, Zeek will require valid
+   certificates for all peers.
+
+.. zeek:id:: Broker::web_socket_buffer_size
+   :source-code: base/frameworks/broker/main.zeek 97 97
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``8192``
+
+   Same as :zeek:see:`Broker::peer_buffer_size` but for WebSocket clients.
+
+.. zeek:id:: Broker::web_socket_overflow_policy
+   :source-code: base/frameworks/broker/main.zeek 100 100
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"drop_oldest"``
+
+   Same as :zeek:see:`Broker::peer_overflow_policy` but for WebSocket clients.
+
+Types
+#####
+.. zeek:type:: Broker::Data
+   :source-code: base/frameworks/broker/main.zeek 275 277
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: data :zeek:type:`opaque` of Broker::Data :zeek:attr:`&optional`
+
+
+   Opaque communication data.
+
+.. zeek:type:: Broker::DataVector
+   :source-code: base/frameworks/broker/main.zeek 280 280
+
+   :Type: :zeek:type:`vector` of :zeek:type:`Broker::Data`
+
+   Opaque communication data sequence.
+
+.. zeek:type:: Broker::EndpointInfo
+   :source-code: base/frameworks/broker/main.zeek 256 261
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`string`
+
+      A unique identifier of the node.
+
+
+   .. zeek:field:: network :zeek:type:`Broker::NetworkInfo` :zeek:attr:`&optional`
+
+      Network-level information.
+
+
+
+.. zeek:type:: Broker::ErrorCode
+   :source-code: base/frameworks/broker/main.zeek 200 200
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::NO_ERROR Broker::ErrorCode
+
+         (present if :doc:`/scripts/base/bif/comm.bif.zeek` is loaded)
+
+
+      .. zeek:enum:: Broker::UNSPECIFIED Broker::ErrorCode
+
+         The unspecified default error code.
+
+      .. zeek:enum:: Broker::PEER_INCOMPATIBLE Broker::ErrorCode
+
+         Version incompatibility.
+
+      .. zeek:enum:: Broker::PEER_INVALID Broker::ErrorCode
+
+         Referenced peer does not exist.
+
+      .. zeek:enum:: Broker::PEER_UNAVAILABLE Broker::ErrorCode
+
+         Remote peer not listening.
+
+      .. zeek:enum:: Broker::PEER_DISCONNECT_DURING_HANDSHAKE Broker::ErrorCode
+
+         Remote peer disconnected during the handshake.
+
+      .. zeek:enum:: Broker::PEER_TIMEOUT Broker::ErrorCode
+
+         A peering request timed out.
+
+      .. zeek:enum:: Broker::MASTER_EXISTS Broker::ErrorCode
+
+         Master with given name already exists.
+
+      .. zeek:enum:: Broker::NO_SUCH_MASTER Broker::ErrorCode
+
+         Master with given name does not exist.
+
+      .. zeek:enum:: Broker::NO_SUCH_KEY Broker::ErrorCode
+
+         The given data store key does not exist.
+
+      .. zeek:enum:: Broker::REQUEST_TIMEOUT Broker::ErrorCode
+
+         The store operation timed out.
+
+      .. zeek:enum:: Broker::TYPE_CLASH Broker::ErrorCode
+
+         The operation expected a different type than provided.
+
+      .. zeek:enum:: Broker::INVALID_DATA Broker::ErrorCode
+
+         The data value cannot be used to carry out the desired operation.
+
+      .. zeek:enum:: Broker::BACKEND_FAILURE Broker::ErrorCode
+
+         The storage backend failed to execute the operation.
+
+      .. zeek:enum:: Broker::STALE_DATA Broker::ErrorCode
+
+         The storage backend failed to execute the operation.
+
+      .. zeek:enum:: Broker::CANNOT_OPEN_FILE Broker::ErrorCode
+
+         (present if :doc:`/scripts/base/bif/comm.bif.zeek` is loaded)
+
+
+      .. zeek:enum:: Broker::CANNOT_WRITE_FILE Broker::ErrorCode
+
+         (present if :doc:`/scripts/base/bif/comm.bif.zeek` is loaded)
+
+
+      .. zeek:enum:: Broker::INVALID_TOPIC_KEY Broker::ErrorCode
+
+         (present if :doc:`/scripts/base/bif/comm.bif.zeek` is loaded)
+
+
+      .. zeek:enum:: Broker::END_OF_FILE Broker::ErrorCode
+
+         (present if :doc:`/scripts/base/bif/comm.bif.zeek` is loaded)
+
+
+      .. zeek:enum:: Broker::INVALID_TAG Broker::ErrorCode
+
+         (present if :doc:`/scripts/base/bif/comm.bif.zeek` is loaded)
+
+
+      .. zeek:enum:: Broker::INVALID_STATUS Broker::ErrorCode
+
+         (present if :doc:`/scripts/base/bif/comm.bif.zeek` is loaded)
+
+
+      .. zeek:enum:: Broker::CAF_ERROR Broker::ErrorCode
+
+         Catch-all for a CAF-level problem.
+
+   Enumerates the possible error types.
+
+.. zeek:type:: Broker::Event
+   :source-code: base/frameworks/broker/main.zeek 283 288
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The name of the event.  Not set if invalid event or arguments.
+
+
+   .. zeek:field:: args :zeek:type:`Broker::DataVector`
+
+      The arguments to the event.
+
+
+   Opaque event communication data.
+
+.. zeek:type:: Broker::LogSeverityLevel
+   :source-code: base/frameworks/broker/main.zeek 179 193
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::LOG_CRITICAL Broker::LogSeverityLevel
+
+         Fatal event, normal operation has most likely broken down.
+
+      .. zeek:enum:: Broker::LOG_ERROR Broker::LogSeverityLevel
+
+         Unrecoverable event that imparts at least part of the system.
+
+      .. zeek:enum:: Broker::LOG_WARNING Broker::LogSeverityLevel
+
+         Unexpected or conspicuous event that may still be recoverable.
+
+      .. zeek:enum:: Broker::LOG_INFO Broker::LogSeverityLevel
+
+         Noteworthy event during normal operation.
+
+      .. zeek:enum:: Broker::LOG_VERBOSE Broker::LogSeverityLevel
+
+         Information that might be relevant for a user to understand system behavior.
+
+      .. zeek:enum:: Broker::LOG_DEBUG Broker::LogSeverityLevel
+
+         An event that is relevant only for troubleshooting and debugging.
+
+   The possible log event severity levels for Broker.
+
+.. zeek:type:: Broker::NetworkInfo
+   :source-code: base/frameworks/broker/main.zeek 249 254
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: address :zeek:type:`string` :zeek:attr:`&log`
+
+      The IP address or hostname where the endpoint listens.
+
+
+   .. zeek:field:: bound_port :zeek:type:`port` :zeek:attr:`&log`
+
+      The port where the endpoint is bound to.
+
+
+
+.. zeek:type:: Broker::PeerInfo
+   :source-code: base/frameworks/broker/main.zeek 263 270
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: peer :zeek:type:`Broker::EndpointInfo`
+
+
+   .. zeek:field:: status :zeek:type:`Broker::PeerStatus`
+
+
+   .. zeek:field:: is_outbound :zeek:type:`bool`
+
+      Whether the local node created the peering, as opposed to a
+      remote establishing it by connecting to us.
+
+
+
+.. zeek:type:: Broker::PeerInfos
+   :source-code: base/frameworks/broker/main.zeek 272 272
+
+   :Type: :zeek:type:`vector` of :zeek:type:`Broker::PeerInfo`
+
+
+.. zeek:type:: Broker::PeerStatus
+   :source-code: base/frameworks/broker/main.zeek 234 234
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::INITIALIZING Broker::PeerStatus
+
+         The peering process is initiated.
+
+      .. zeek:enum:: Broker::CONNECTING Broker::PeerStatus
+
+         Connection establishment in process.
+
+      .. zeek:enum:: Broker::CONNECTED Broker::PeerStatus
+
+         Connection established, peering pending.
+
+      .. zeek:enum:: Broker::PEERED Broker::PeerStatus
+
+         Successfully peered.
+
+      .. zeek:enum:: Broker::DISCONNECTED Broker::PeerStatus
+
+         Connection to remote peer lost.
+
+      .. zeek:enum:: Broker::RECONNECTING Broker::PeerStatus
+
+         Reconnecting to peer after a lost connection.
+
+   The possible states of a peer endpoint.
+
+.. zeek:type:: Broker::TableItem
+   :source-code: base/frameworks/broker/main.zeek 292 295
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: key :zeek:type:`Broker::Data`
+
+
+   .. zeek:field:: val :zeek:type:`Broker::Data`
+
+
+   Opaque communication data used as a convenient way to wrap key-value
+   pairs that comprise table entries.
+
+Functions
+#########
+.. zeek:id:: Broker::default_log_topic
+   :source-code: base/frameworks/broker/main.zeek 160 163
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, path: :zeek:type:`string`) : :zeek:type:`string`
+
+   The default implementation for :zeek:see:`Broker::log_topic`.
+
+.. zeek:id:: Broker::flush_logs
+   :source-code: base/frameworks/broker/main.zeek 498 501
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+   Sends all pending log messages to remote peers.  This normally
+   doesn't need to be used except for test cases that are time-sensitive.
+
+.. zeek:id:: Broker::forward
+   :source-code: base/frameworks/broker/main.zeek 513 516
+
+   :Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Register a topic prefix subscription for events that should only be
+   forwarded to any subscribing peers and not raise any event handlers
+   on the receiving/forwarding node.  i.e. it's the same as
+   :zeek:see:`Broker::subscribe` except matching events are not raised
+   on the receiver, just forwarded.  Use :zeek:see:`Broker::unsubscribe`
+   with the same argument to undo this operation.
+   
+
+   :param topic_prefix: a prefix to match against remote message topics.
+                 e.g. an empty prefix matches everything and "a" matches
+                 "alice" and "amy" but not "bob".
+   
+
+   :returns: true if a new event forwarding/subscription is now registered.
+
+.. zeek:id:: Broker::is_outbound_peering
+   :source-code: base/frameworks/broker/main.zeek 478 481
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`) : :zeek:type:`bool`
+
+   Whether the local node originally initiated the peering with the
+   given endpoint.
+   
+
+   :param a: the address used in previous successful call to :zeek:see:`Broker::peer`.
+   
+
+   :param p: the port used in previous successful call to :zeek:see:`Broker::peer`.
+   
+   Returns:: True if this node initiated the peering.
+
+.. zeek:id:: Broker::listen
+   :source-code: base/frameworks/broker/main.zeek 450 466
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string` :zeek:attr:`&default` = :zeek:see:`Broker::default_listen_address` :zeek:attr:`&optional`, p: :zeek:type:`port` :zeek:attr:`&default` = :zeek:see:`Broker::default_port` :zeek:attr:`&optional`, retry: :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Broker::default_listen_retry` :zeek:attr:`&optional`) : :zeek:type:`port`
+
+   Listen for remote connections using the native Broker protocol.
+   
+
+   :param a: an address string on which to accept connections, e.g.
+      "127.0.0.1".  An empty string refers to INADDR_ANY.
+   
+
+   :param p: the TCP port to listen on. The value 0 means that the OS should choose
+      the next available free port.
+   
+
+   :param retry: If non-zero, retries listening in regular intervals if the port cannot be
+          acquired immediately. 0 disables retries.  If the
+          ZEEK_DEFAULT_LISTEN_RETRY environment variable is set (as number
+          of seconds), it overrides any value given here.
+   
+
+   :returns: the bound port or 0/? on failure.
+   
+   .. zeek:see:: Broker::status
+
+.. zeek:id:: Broker::log_topic
+   :source-code: base/frameworks/broker/main.zeek 160 163
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, path: :zeek:type:`string`) : :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+
+   A function that will be called for each log entry to determine what
+   broker topic string will be used for sending it to peers.  The
+   default implementation will return a value based on
+   :zeek:see:`Broker::default_log_topic_prefix`.
+   
+
+   :param id: the ID associated with the log stream entry that will be sent.
+   
+
+   :param path: the path to which the log stream entry will be output.
+   
+
+   :returns: a string representing the broker topic to which the log
+            will be sent.
+
+.. zeek:id:: Broker::node_id
+   :source-code: base/frameworks/broker/main.zeek 488 491
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Get a unique identifier for the local broker endpoint.
+   
+
+   :returns: a unique identifier for the local broker endpoint.
+
+.. zeek:id:: Broker::peer
+   :source-code: base/frameworks/broker/main.zeek 468 471
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port` :zeek:attr:`&default` = :zeek:see:`Broker::default_port` :zeek:attr:`&optional`, retry: :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Broker::default_connect_retry` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Initiate a remote connection.
+   
+
+   :param a: an address to connect to, e.g. "localhost" or "127.0.0.1".
+   
+
+   :param p: the TCP port on which the remote side is listening.
+   
+
+   :param retry: an interval at which to retry establishing the
+          connection with the remote peer if it cannot be made initially, or
+          if it ever becomes disconnected.  If the
+          ZEEK_DEFAULT_CONNECT_RETRY environment variable is set (as number
+          of seconds), it overrides any value given here.
+   
+
+   :returns: true if it's possible to try connecting with the peer and
+            it's a new peer. The actual connection may not be established
+            until a later point in time.
+   
+   .. zeek:see:: Broker::status
+
+.. zeek:id:: Broker::peering_stats
+   :source-code: base/frameworks/broker/main.zeek 493 496
+
+   :Type: :zeek:type:`function` () : :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`BrokerPeeringStats`
+
+   Obtain each peering's send-buffer statistics. The keys are Broker
+   endpoint IDs.
+   
+
+   :returns: per-peering statistics.
+
+.. zeek:id:: Broker::peers
+   :source-code: base/frameworks/broker/main.zeek 483 486
+
+   :Type: :zeek:type:`function` () : :zeek:type:`vector` of :zeek:type:`Broker::PeerInfo`
+
+   Get a list of all peer connections.
+   
+
+   :returns: a list of all peer connections.
+
+.. zeek:id:: Broker::publish_id
+   :source-code: base/frameworks/broker/main.zeek 503 506
+
+   :Type: :zeek:type:`function` (topic: :zeek:type:`string`, id: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Publishes the value of an identifier to a given topic.  The subscribers
+   will update their local value for that identifier on receipt.
+   
+
+   :param topic: a topic associated with the message.
+   
+
+   :param id: the identifier to publish.
+   
+
+   :returns: true if the message is sent.
+
+.. zeek:id:: Broker::subscribe
+   :source-code: base/frameworks/broker/main.zeek 508 511
+
+   :Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Register interest in all peer event messages that use a certain topic
+   prefix.  Note that subscriptions may not be altered immediately after
+   calling (except during :zeek:see:`zeek_init`).
+   
+
+   :param topic_prefix: a prefix to match against remote message topics.
+                 e.g. an empty prefix matches everything and "a" matches
+                 "alice" and "amy" but not "bob".
+   
+
+   :returns: true if it's a new event subscription and it is now registered.
+
+.. zeek:id:: Broker::unpeer
+   :source-code: base/frameworks/broker/main.zeek 473 476
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`, p: :zeek:type:`port`) : :zeek:type:`bool`
+
+   Remove a remote connection.
+   
+   Note that this does not terminate the connection to the peer, it
+   just means that we won't exchange any further information with it
+   unless peering resumes later.
+   
+
+   :param a: the address used in previous successful call to :zeek:see:`Broker::peer`.
+   
+
+   :param p: the port used in previous successful call to :zeek:see:`Broker::peer`.
+   
+
+   :returns: true if the arguments match a previously successful call to
+            :zeek:see:`Broker::peer`.
+   
+
+   :param TODO: We do not have a function yet to terminate a connection.
+
+.. zeek:id:: Broker::unsubscribe
+   :source-code: base/frameworks/broker/main.zeek 518 521
+
+   :Type: :zeek:type:`function` (topic_prefix: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Unregister interest in all peer event messages that use a topic prefix.
+   Note that subscriptions may not be altered immediately after calling
+   (except during :zeek:see:`zeek_init`).
+   
+
+   :param topic_prefix: a prefix previously supplied to a successful call to
+                 :zeek:see:`Broker::subscribe` or :zeek:see:`Broker::forward`.
+   
+
+   :returns: true if interest in the topic prefix is no longer advertised.
+
+
diff --git a/doc/scripts/base/frameworks/broker/store.zeek.rst b/doc/scripts/base/frameworks/broker/store.zeek.rst
new file mode 100644
index 0000000000..ab48b1103c
--- /dev/null
+++ b/doc/scripts/base/frameworks/broker/store.zeek.rst
@@ -0,0 +1,1377 @@
+:tocdepth: 3
+
+base/frameworks/broker/store.zeek
+=================================
+.. zeek:namespace:: Broker
+
+The Broker-based data store API and its various options.
+
+:Namespace: Broker
+:Imports: :doc:`base/bif/data.bif.zeek </scripts/base/bif/data.bif.zeek>`, :doc:`base/bif/store.bif.zeek </scripts/base/bif/store.bif.zeek>`, :doc:`base/frameworks/broker/main.zeek </scripts/base/frameworks/broker/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+==================================================================================================== ==========================================================================
+:zeek:id:`Broker::default_clone_mutation_buffer_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The maximum amount of time that a disconnected clone will
+                                                                                                     buffer data store mutation commands.
+:zeek:id:`Broker::default_clone_resync_interval`: :zeek:type:`interval` :zeek:attr:`&redef`          The default frequency at which clones will attempt to
+                                                                                                     reconnect/resynchronize with their master in the event that they become
+                                                                                                     disconnected.
+:zeek:id:`Broker::default_clone_stale_interval`: :zeek:type:`interval` :zeek:attr:`&redef`           The duration after which a clone that is disconnected from its master
+                                                                                                     will begin to treat its local cache as stale.
+:zeek:id:`Broker::table_store_db_directory`: :zeek:type:`string` :zeek:attr:`&redef`                 The directory used for storing persistent database files when using Broker
+                                                                                                     store backed Zeek tables.
+:zeek:id:`Broker::table_store_master`: :zeek:type:`bool` :zeek:attr:`&redef`                         If set to true, the current node is the master node for Broker stores
+                                                                                                     backing Zeek tables.
+==================================================================================================== ==========================================================================
+
+Types
+#####
+========================================================= =============================================================
+:zeek:type:`Broker::BackendOptions`: :zeek:type:`record`  Options to tune the particular storage backends.
+:zeek:type:`Broker::BackendType`: :zeek:type:`enum`       Enumerates the possible storage backends.
+:zeek:type:`Broker::QueryResult`: :zeek:type:`record`     The result of a data store query.
+:zeek:type:`Broker::QueryStatus`: :zeek:type:`enum`       Whether a data store query could be completed or not.
+:zeek:type:`Broker::SQLiteFailureMode`: :zeek:type:`enum` Behavior when the SQLite database file is found to be corrupt
+                                                          or otherwise fails to open or initialize.
+:zeek:type:`Broker::SQLiteJournalMode`: :zeek:type:`enum` Values supported for SQLite's PRAGMA journal_mode statement.
+:zeek:type:`Broker::SQLiteOptions`: :zeek:type:`record`   Options to tune the SQLite storage backend.
+:zeek:type:`Broker::SQLiteSynchronous`: :zeek:type:`enum` Values supported for SQLite's PRAGMA synchronous statement.
+========================================================= =============================================================
+
+Functions
+#########
+=============================================================== =============================================================================
+:zeek:id:`Broker::append`: :zeek:type:`function`                Extends an existing string with another.
+:zeek:id:`Broker::clear`: :zeek:type:`function`                 Deletes all of a store's content, it will be empty afterwards.
+:zeek:id:`Broker::close`: :zeek:type:`function`                 Close a data store.
+:zeek:id:`Broker::create_clone`: :zeek:type:`function`          Create a clone of a master data store which may live with a remote peer.
+:zeek:id:`Broker::create_master`: :zeek:type:`function`         Create a master data store which contains key-value pairs.
+:zeek:id:`Broker::data`: :zeek:type:`function`                  Convert any Zeek value to communication data.
+:zeek:id:`Broker::data_type`: :zeek:type:`function`             Retrieve the type of data associated with communication data.
+:zeek:id:`Broker::decrement`: :zeek:type:`function`             Decrements an existing value by a given amount.
+:zeek:id:`Broker::erase`: :zeek:type:`function`                 Remove a key-value pair from the store.
+:zeek:id:`Broker::exists`: :zeek:type:`function`                Check if a key exists in a data store.
+:zeek:id:`Broker::get`: :zeek:type:`function`                   Lookup the value associated with a key in a data store.
+:zeek:id:`Broker::get_index_from_value`: :zeek:type:`function`  Retrieve a specific index from an existing container value.
+:zeek:id:`Broker::increment`: :zeek:type:`function`             Increments an existing value by a given amount.
+:zeek:id:`Broker::insert_into_set`: :zeek:type:`function`       Inserts an element into an existing set.
+:zeek:id:`Broker::insert_into_table`: :zeek:type:`function`     Inserts an element into an existing table.
+:zeek:id:`Broker::is_closed`: :zeek:type:`function`             Check if a store is closed or not.
+:zeek:id:`Broker::keys`: :zeek:type:`function`                  Returns a set with all of a store's keys.
+:zeek:id:`Broker::pop`: :zeek:type:`function`                   Removes the last element of an existing vector.
+:zeek:id:`Broker::push`: :zeek:type:`function`                  Appends an element to an existing vector.
+:zeek:id:`Broker::put`: :zeek:type:`function`                   Insert a key-value pair into the store.
+:zeek:id:`Broker::put_unique`: :zeek:type:`function`            Insert a key-value pair into the store, but only if the key does not
+                                                                already exist.
+:zeek:id:`Broker::record_assign`: :zeek:type:`function`         Replace a field in a record at a particular position.
+:zeek:id:`Broker::record_create`: :zeek:type:`function`         Create communication data of type "record".
+:zeek:id:`Broker::record_iterator`: :zeek:type:`function`       Create an iterator for a record.
+:zeek:id:`Broker::record_iterator_last`: :zeek:type:`function`  Check if there are no more elements to iterate over.
+:zeek:id:`Broker::record_iterator_next`: :zeek:type:`function`  Advance an iterator.
+:zeek:id:`Broker::record_iterator_value`: :zeek:type:`function` Retrieve the data at an iterator's current position.
+:zeek:id:`Broker::record_lookup`: :zeek:type:`function`         Lookup a field in a record at a particular position.
+:zeek:id:`Broker::record_size`: :zeek:type:`function`           Get the number of fields within a record.
+:zeek:id:`Broker::remove_from`: :zeek:type:`function`           Removes an element from an existing set or table.
+:zeek:id:`Broker::set_clear`: :zeek:type:`function`             Remove all elements within a set.
+:zeek:id:`Broker::set_contains`: :zeek:type:`function`          Check if a set contains a particular element.
+:zeek:id:`Broker::set_create`: :zeek:type:`function`            Create communication data of type "set".
+:zeek:id:`Broker::set_insert`: :zeek:type:`function`            Insert an element into a set.
+:zeek:id:`Broker::set_iterator`: :zeek:type:`function`          Create an iterator for a set.
+:zeek:id:`Broker::set_iterator_last`: :zeek:type:`function`     Check if there are no more elements to iterate over.
+:zeek:id:`Broker::set_iterator_next`: :zeek:type:`function`     Advance an iterator.
+:zeek:id:`Broker::set_iterator_value`: :zeek:type:`function`    Retrieve the data at an iterator's current position.
+:zeek:id:`Broker::set_remove`: :zeek:type:`function`            Remove an element from a set.
+:zeek:id:`Broker::set_size`: :zeek:type:`function`              Get the number of elements within a set.
+:zeek:id:`Broker::store_name`: :zeek:type:`function`            Get the name of a store.
+:zeek:id:`Broker::table_clear`: :zeek:type:`function`           Remove all elements within a table.
+:zeek:id:`Broker::table_contains`: :zeek:type:`function`        Check if a table contains a particular key.
+:zeek:id:`Broker::table_create`: :zeek:type:`function`          Create communication data of type "table".
+:zeek:id:`Broker::table_insert`: :zeek:type:`function`          Insert a key-value pair into a table.
+:zeek:id:`Broker::table_iterator`: :zeek:type:`function`        Create an iterator for a table.
+:zeek:id:`Broker::table_iterator_last`: :zeek:type:`function`   Check if there are no more elements to iterate over.
+:zeek:id:`Broker::table_iterator_next`: :zeek:type:`function`   Advance an iterator.
+:zeek:id:`Broker::table_iterator_value`: :zeek:type:`function`  Retrieve the data at an iterator's current position.
+:zeek:id:`Broker::table_lookup`: :zeek:type:`function`          Retrieve a value from a table.
+:zeek:id:`Broker::table_remove`: :zeek:type:`function`          Remove a key-value pair from a table.
+:zeek:id:`Broker::table_size`: :zeek:type:`function`            Get the number of elements within a table.
+:zeek:id:`Broker::vector_clear`: :zeek:type:`function`          Remove all elements within a vector.
+:zeek:id:`Broker::vector_create`: :zeek:type:`function`         Create communication data of type "vector".
+:zeek:id:`Broker::vector_insert`: :zeek:type:`function`         Insert an element into a vector at a particular position, possibly displacing
+                                                                existing elements (insertion always grows the size of the vector by one).
+:zeek:id:`Broker::vector_iterator`: :zeek:type:`function`       Create an iterator for a vector.
+:zeek:id:`Broker::vector_iterator_last`: :zeek:type:`function`  Check if there are no more elements to iterate over.
+:zeek:id:`Broker::vector_iterator_next`: :zeek:type:`function`  Advance an iterator.
+:zeek:id:`Broker::vector_iterator_value`: :zeek:type:`function` Retrieve the data at an iterator's current position.
+:zeek:id:`Broker::vector_lookup`: :zeek:type:`function`         Lookup an element in a vector at a particular position.
+:zeek:id:`Broker::vector_remove`: :zeek:type:`function`         Remove an element from a vector at a particular position.
+:zeek:id:`Broker::vector_replace`: :zeek:type:`function`        Replace an element in a vector at a particular position.
+:zeek:id:`Broker::vector_size`: :zeek:type:`function`           Get the number of elements within a vector.
+=============================================================== =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Broker::default_clone_mutation_buffer_interval
+   :source-code: base/frameworks/broker/store.zeek 26 26
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2.0 mins``
+
+   The maximum amount of time that a disconnected clone will
+   buffer data store mutation commands.  If the clone reconnects before
+   this time, it will replay all stored commands.  Note that this doesn't
+   completely prevent the loss of store updates: all mutation messages
+   are fire-and-forget and not explicitly acknowledged by the master.
+   A negative/zero value indicates to never buffer commands.
+
+.. zeek:id:: Broker::default_clone_resync_interval
+   :source-code: base/frameworks/broker/store.zeek 12 12
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 secs``
+
+   The default frequency at which clones will attempt to
+   reconnect/resynchronize with their master in the event that they become
+   disconnected.
+
+.. zeek:id:: Broker::default_clone_stale_interval
+   :source-code: base/frameworks/broker/store.zeek 18 18
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 mins``
+
+   The duration after which a clone that is disconnected from its master
+   will begin to treat its local cache as stale.  In the stale state,
+   queries to the cache will timeout.  A negative value indicates that
+   the local cache is never treated as stale.
+
+.. zeek:id:: Broker::table_store_db_directory
+   :source-code: base/frameworks/broker/store.zeek 36 36
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"."``
+
+   The directory used for storing persistent database files when using Broker
+   store backed Zeek tables.
+
+.. zeek:id:: Broker::table_store_master
+   :source-code: base/frameworks/broker/store.zeek 32 32
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If set to true, the current node is the master node for Broker stores
+   backing Zeek tables. By default this value will be automatically set to
+   true in standalone mode, and on the manager node of a cluster. This value
+   should not typically be changed manually.
+
+Types
+#####
+.. zeek:type:: Broker::BackendOptions
+   :source-code: base/frameworks/broker/store.zeek 119 121
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: sqlite :zeek:type:`Broker::SQLiteOptions` :zeek:attr:`&default` = *...* :zeek:attr:`&optional`
+
+
+   Options to tune the particular storage backends.
+
+.. zeek:type:: Broker::BackendType
+   :source-code: base/frameworks/broker/store.zeek 55 55
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::MEMORY Broker::BackendType
+
+      .. zeek:enum:: Broker::SQLITE Broker::BackendType
+
+   Enumerates the possible storage backends.
+
+.. zeek:type:: Broker::QueryResult
+   :source-code: base/frameworks/broker/store.zeek 45 52
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: status :zeek:type:`Broker::QueryStatus`
+
+      Whether the query completed or not.
+
+
+   .. zeek:field:: result :zeek:type:`Broker::Data`
+
+      The result of the query.  Certain queries may use a particular
+      data type (e.g. querying store size always returns a count, but
+      a lookup may return various data types).
+
+
+   The result of a data store query.
+
+.. zeek:type:: Broker::QueryStatus
+   :source-code: base/frameworks/broker/store.zeek 39 43
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::SUCCESS Broker::QueryStatus
+
+      .. zeek:enum:: Broker::FAILURE Broker::QueryStatus
+
+   Whether a data store query could be completed or not.
+
+.. zeek:type:: Broker::SQLiteFailureMode
+   :source-code: base/frameworks/broker/store.zeek 62 66
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::SQLITE_FAILURE_MODE_FAIL Broker::SQLiteFailureMode
+
+         Fail during initialization.
+
+      .. zeek:enum:: Broker::SQLITE_FAILURE_MODE_DELETE Broker::SQLiteFailureMode
+
+         Attempt to delete the database file and retry.
+
+   Behavior when the SQLite database file is found to be corrupt
+   or otherwise fails to open or initialize.
+
+.. zeek:type:: Broker::SQLiteJournalMode
+   :source-code: base/frameworks/broker/store.zeek 76 80
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::SQLITE_JOURNAL_MODE_DELETE Broker::SQLiteJournalMode
+
+      .. zeek:enum:: Broker::SQLITE_JOURNAL_MODE_WAL Broker::SQLiteJournalMode
+
+   Values supported for SQLite's PRAGMA journal_mode statement.
+
+.. zeek:type:: Broker::SQLiteOptions
+   :source-code: base/frameworks/broker/store.zeek 82 116
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: path :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      File system path of the database.
+      If left empty, will be derived from the name of the store,
+      and use the '.sqlite' file suffix.
+
+
+   .. zeek:field:: synchronous :zeek:type:`Broker::SQLiteSynchronous` :zeek:attr:`&optional`
+
+      If set, runs the PRAGMA synchronous statement with the
+      provided value after connecting to the SQLite database. See
+      `SQLite's synchronous documentation <https://www.sqlite.org/pragma.html#pragma_synchronous>`_
+      for more details around performance and data safety trade offs.
+
+
+   .. zeek:field:: journal_mode :zeek:type:`Broker::SQLiteJournalMode` :zeek:attr:`&optional`
+
+      If set, runs the PRAGMA journal_mode statement with the
+      provided value after connecting to the SQLite database. See
+      `SQLite's journal_mode documentation <https://www.sqlite.org/pragma.html#pragma_journal_mode>`_
+      for more details around performance, data safety trade offs
+      and interaction with the PRAGMA synchronous statement.
+
+
+   .. zeek:field:: failure_mode :zeek:type:`Broker::SQLiteFailureMode` :zeek:attr:`&default` = ``Broker::SQLITE_FAILURE_MODE_FAIL`` :zeek:attr:`&optional`
+
+      What to do when the database is found corrupt during
+      initialization. When set to SQLITE_FAILURE_MODE_DELETE,
+      the old file is deleted to allow creation of a new and empty
+      database. By default, an error is reported, the corrupt
+      database file left in place and the data store is in a
+      non-functional state.
+
+
+   .. zeek:field:: integrity_check :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      When true, run the PRAGMA integrity_check statement after
+      opening the database and fail according to ``failure_mode``.
+      PRAGMA integrity_check may take a non-negligible amount of time,
+      so you are advised to experiment with the expected sizes
+      of your databases if that is acceptable. Corrupted databases
+      should be reliably detected when this setting is ``T``.
+
+
+   Options to tune the SQLite storage backend.
+
+.. zeek:type:: Broker::SQLiteSynchronous
+   :source-code: base/frameworks/broker/store.zeek 68 74
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Broker::SQLITE_SYNCHRONOUS_OFF Broker::SQLiteSynchronous
+
+      .. zeek:enum:: Broker::SQLITE_SYNCHRONOUS_NORMAL Broker::SQLiteSynchronous
+
+      .. zeek:enum:: Broker::SQLITE_SYNCHRONOUS_FULL Broker::SQLiteSynchronous
+
+      .. zeek:enum:: Broker::SQLITE_SYNCHRONOUS_EXTRA Broker::SQLiteSynchronous
+
+   Values supported for SQLite's PRAGMA synchronous statement.
+
+Functions
+#########
+.. zeek:id:: Broker::append
+   :source-code: base/frameworks/broker/store.zeek 853 856
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, s: :zeek:type:`string`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Extends an existing string with another.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key whose associated value is to be modified. The key must
+      already exist.
+   
+
+   :param s: the string to append.
+   
+
+   :param e: the new expiration interval of the modified key. If null, the
+      current expiration time isn't changed.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::clear
+   :source-code: base/frameworks/broker/store.zeek 883 886
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`bool`
+
+   Deletes all of a store's content, it will be empty afterwards.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::close
+   :source-code: base/frameworks/broker/store.zeek 792 795
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`bool`
+
+   Close a data store.
+   
+
+   :param h: a data store handle.
+   
+
+   :returns: true if store was valid and is now closed.  The handle can no
+            longer be used for data store operations.
+
+.. zeek:id:: Broker::create_clone
+   :source-code: base/frameworks/broker/store.zeek 786 790
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`, resync_interval: :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Broker::default_clone_resync_interval` :zeek:attr:`&optional`, stale_interval: :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Broker::default_clone_stale_interval` :zeek:attr:`&optional`, mutation_buffer_interval: :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Broker::default_clone_mutation_buffer_interval` :zeek:attr:`&optional`) : :zeek:type:`opaque` of Broker::Store
+
+   Create a clone of a master data store which may live with a remote peer.
+   A clone automatically synchronizes to the master by
+   receiving modifications and applying them locally.  Direct modifications
+   are not possible, they must be sent through the master store, which then
+   automatically broadcasts the changes out to clones.  But queries may be
+   made directly against the local cloned copy, which may be resolved
+   quicker than reaching out to a remote master store.
+   
+
+   :param name: the unique name which identifies the master data store.
+   
+
+   :param resync_interval: the frequency at which a clone that is disconnected from
+                    its master attempts to reconnect with it.
+   
+
+   :param stale_interval: the duration after which a clone that is disconnected
+                   from its master will begin to treat its local cache as
+                   stale.  In this state, queries to the clone will timeout.
+                   A negative value indicates that the local cache is never
+                   treated as stale.
+   
+
+   :param mutation_buffer_interval: the amount of time to buffer data store update
+                             messages once a clone detects its master is
+                             unavailable.  If the clone reconnects before
+                             this time, it will replay all buffered
+                             commands.  Note that this doesn't completely
+                             prevent the loss of store updates: all mutation
+                             messages are fire-and-forget and not explicitly
+                             acknowledged by the master.  A negative/zero
+                             value indicates that commands never buffer.
+   
+
+   :returns: a handle to the data store for which a subsequent call to
+            :zeek:see:`Broker::is_closed` will return true if the store
+            could not be created/opened.
+
+.. zeek:id:: Broker::create_master
+   :source-code: base/frameworks/broker/store.zeek 778 781
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`, b: :zeek:type:`Broker::BackendType` :zeek:attr:`&default` = ``Broker::MEMORY`` :zeek:attr:`&optional`, options: :zeek:type:`Broker::BackendOptions` :zeek:attr:`&default` = *[sqlite=[path=, synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]]* :zeek:attr:`&optional`) : :zeek:type:`opaque` of Broker::Store
+
+   Create a master data store which contains key-value pairs.
+   
+
+   :param name: a unique name for the data store.
+   
+
+   :param b: the storage backend to use.
+   
+
+   :param options: tunes how some storage backends operate.
+   
+
+   :returns: a handle to the data store for which a subsequent call to
+            :zeek:see:`Broker::is_closed` will return true if the store
+            could not be created/opened.
+
+.. zeek:id:: Broker::data
+   :source-code: base/frameworks/broker/store.zeek 893 896
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+   Convert any Zeek value to communication data.
+   
+   .. note:: Normally you won't need to use this function as data
+      conversion happens implicitly when passing Zeek values into Broker
+      functions.
+   
+
+   :param d: any Zeek value to attempt to convert (not all types are supported).
+   
+
+   :returns: the converted communication data.  If the supplied Zeek data
+            type does not support conversion to communication data, the
+            returned record's optional field will not be set.
+
+.. zeek:id:: Broker::data_type
+   :source-code: base/frameworks/broker/store.zeek 888 891
+
+   :Type: :zeek:type:`function` (d: :zeek:type:`Broker::Data`) : :zeek:type:`Broker::DataType`
+
+   Retrieve the type of data associated with communication data.
+   
+
+   :param d: the communication data.
+   
+
+   :returns: The data type associated with the communication data.
+            Note that Broker represents records in the same way as
+            vectors, so there is no "record" type.
+
+.. zeek:id:: Broker::decrement
+   :source-code: base/frameworks/broker/store.zeek 848 851
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, a: :zeek:type:`any` :zeek:attr:`&default` = ``1`` :zeek:attr:`&optional`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Decrements an existing value by a given amount. This is supported for all
+   numerical types, as well as for timestamps.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key whose associated value is to be modified. The key must
+      already exist.
+   
+
+   :param amount: the amount to decrement the value by.
+   
+
+   :param e: the new expiration interval of the modified key. If null, the current
+      expiration time isn't changed.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::erase
+   :source-code: base/frameworks/broker/store.zeek 838 841
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Remove a key-value pair from the store.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key to remove.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::exists
+   :source-code: base/frameworks/broker/store.zeek 807 810
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`) : :zeek:type:`Broker::QueryResult`
+
+   Check if a key exists in a data store.
+   
+
+   :param h: the handle of the store to query.
+   
+
+   :param k: the key to lookup.
+   
+
+   :returns: True if the key exists in the data store.
+
+.. zeek:id:: Broker::get
+   :source-code: base/frameworks/broker/store.zeek 812 815
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`) : :zeek:type:`Broker::QueryResult`
+
+   Lookup the value associated with a key in a data store.
+   
+
+   :param h: the handle of the store to query.
+   
+
+   :param k: the key to lookup.
+   
+
+   :returns: the result of the query.
+
+.. zeek:id:: Broker::get_index_from_value
+   :source-code: base/frameworks/broker/store.zeek 823 826
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, i: :zeek:type:`any`) : :zeek:type:`Broker::QueryResult`
+
+   Retrieve a specific index from an existing container value. This
+   is supported for values of types set, table, and vector.
+   
+
+   :param h: the handle of the store to query.
+   
+
+   :param k: the key of the container value to lookup.
+   
+
+   :param i: the index to retrieve from the container value.
+   
+
+   :returns: For tables and vectors, the value at the given index, or
+            failure if the index doesn't exist. For sets, a boolean
+            indicating whether the index exists. Returns failure if the key
+            does not exist at all.
+
+.. zeek:id:: Broker::increment
+   :source-code: base/frameworks/broker/store.zeek 843 846
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, a: :zeek:type:`any` :zeek:attr:`&default` = ``1`` :zeek:attr:`&optional`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Increments an existing value by a given amount. This is supported for all
+   numerical types, as well as for timestamps.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key whose associated value is to be modified. The key must
+      already exist.
+   
+
+   :param a: the amount to increment the value by.
+   
+
+   :param e: the new expiration interval of the modified key. If null, the
+      current expiration time isn't changed.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::insert_into_set
+   :source-code: base/frameworks/broker/store.zeek 858 861
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, i: :zeek:type:`any`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Inserts an element into an existing set.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key whose associated value is to be modified. The key must
+      already exist.
+   
+
+   :param i: the index to insert into the set.
+   
+
+   :param e: the new expiration interval of the modified key. If null, the
+      current expiration time isn't changed.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::insert_into_table
+   :source-code: base/frameworks/broker/store.zeek 863 866
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, i: :zeek:type:`any`, v: :zeek:type:`any`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Inserts an element into an existing table.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key whose associated value is to be modified. The key must
+      already exist.
+   
+
+   :param i: the index to insert into the table
+   
+
+   :param v: the value to associate with the index.
+   
+
+   :param e: the new expiration interval of the modified key. If null, the
+      current expiration time isn't changed.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::is_closed
+   :source-code: base/frameworks/broker/store.zeek 797 800
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`bool`
+
+   Check if a store is closed or not.
+   
+
+   :returns: true if the store is closed.
+
+.. zeek:id:: Broker::keys
+   :source-code: base/frameworks/broker/store.zeek 828 831
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`Broker::QueryResult`
+
+   Returns a set with all of a store's keys. The results reflect a snapshot
+   in time that may diverge from reality soon afterwards.   When accessing
+   any of the element, it may no longer actually be there. The function is
+   also expensive for large stores, as it copies the complete set.
+   
+
+   :returns: a set with the keys.  If you expect the keys to be of
+            non-uniform type, consider using
+            :zeek:see:`Broker::set_iterator` to iterate over the result.
+
+.. zeek:id:: Broker::pop
+   :source-code: base/frameworks/broker/store.zeek 878 881
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Removes the last element of an existing vector.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key whose associated value is to be modified. The key must
+      already exist.
+   
+
+   :param e: the new expiration interval of the modified key. If null, the
+      current expiration time isn't changed.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::push
+   :source-code: base/frameworks/broker/store.zeek 873 876
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, v: :zeek:type:`any`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Appends an element to an existing vector.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key whose associated value is to be modified. The key must
+      already exist.
+   
+
+   :param b: the value to append to the vector.
+   
+
+   :param e: the new expiration interval of the modified key. If null, the
+      current expiration time isn't changed.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::put
+   :source-code: base/frameworks/broker/store.zeek 833 836
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, v: :zeek:type:`any`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Insert a key-value pair into the store.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key to insert.
+   
+
+   :param v: the value to insert.
+   
+
+   :param e: the expiration interval of the key-value pair.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::put_unique
+   :source-code: base/frameworks/broker/store.zeek 818 821
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, v: :zeek:type:`any`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`Broker::QueryResult`
+
+   Insert a key-value pair into the store, but only if the key does not
+   already exist.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key to insert.
+   
+
+   :param v: the value to insert.
+   
+
+   :param e: the expiration interval of the key-value pair.
+   
+
+   :returns: the result of the query which is a boolean data value that is
+            true if the insertion happened, or false if it was rejected
+            due to the key already existing.
+
+.. zeek:id:: Broker::record_assign
+   :source-code: base/frameworks/broker/store.zeek 1068 1071
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Replace a field in a record at a particular position.
+   
+
+   :param r: the record to modify.
+   
+
+   :param d: the new field value to assign.
+   
+
+   :param idx: the index to replace.
+   
+
+   :returns: false if the index was larger than any valid index, else true.
+
+.. zeek:id:: Broker::record_create
+   :source-code: base/frameworks/broker/store.zeek 1058 1061
+
+   :Type: :zeek:type:`function` (sz: :zeek:type:`count`) : :zeek:type:`Broker::Data`
+
+   Create communication data of type "record".
+   
+
+   :param sz: the number of fields in the record.
+   
+
+   :returns: record data, with all fields uninitialized.
+
+.. zeek:id:: Broker::record_iterator
+   :source-code: base/frameworks/broker/store.zeek 1078 1081
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::RecordIterator
+
+   Create an iterator for a record.  Note that this makes a copy of the record
+   internally to ensure the iterator is always valid.
+   
+
+   :param r: the record to iterate over.
+   
+
+   :returns: an iterator.
+
+.. zeek:id:: Broker::record_iterator_last
+   :source-code: base/frameworks/broker/store.zeek 1083 1086
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`bool`
+
+   Check if there are no more elements to iterate over.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: true if there are no more elements to iterator over, i.e.
+            the iterator is one-past-the-final-element.
+
+.. zeek:id:: Broker::record_iterator_next
+   :source-code: base/frameworks/broker/store.zeek 1088 1091
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`bool`
+
+   Advance an iterator.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: true if the iterator, after advancing, still references an element
+            in the collection.  False if the iterator, after advancing, is
+            one-past-the-final-element.
+
+.. zeek:id:: Broker::record_iterator_value
+   :source-code: base/frameworks/broker/store.zeek 1093 1096
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::RecordIterator) : :zeek:type:`Broker::Data`
+
+   Retrieve the data at an iterator's current position.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: element in the collection that the iterator currently references.
+
+.. zeek:id:: Broker::record_lookup
+   :source-code: base/frameworks/broker/store.zeek 1073 1076
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
+
+   Lookup a field in a record at a particular position.
+   
+
+   :param r: the record to query.
+   
+
+   :param idx: the index to lookup.
+   
+
+   :returns: the value at the index.  The optional field of the returned record
+            may not be set if the field of the record has no value or if the
+            index was not valid.
+
+.. zeek:id:: Broker::record_size
+   :source-code: base/frameworks/broker/store.zeek 1063 1066
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`Broker::Data`) : :zeek:type:`count`
+
+   Get the number of fields within a record.
+   
+
+   :param r: the record to query.
+   
+
+   :returns: the number of fields in the record.
+
+.. zeek:id:: Broker::remove_from
+   :source-code: base/frameworks/broker/store.zeek 868 871
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store, k: :zeek:type:`any`, i: :zeek:type:`any`, e: :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Removes an element from an existing set or table.
+   
+
+   :param h: the handle of the store to modify.
+   
+
+   :param k: the key whose associated value is to be modified. The key must
+      already exist.
+   
+
+   :param i: the index to remove from the set or table.
+   
+
+   :param e: the new expiration interval of the modified key. If null, the
+      current expiration time isn't changed.
+   
+
+   :returns: false if the store handle was not valid.
+
+.. zeek:id:: Broker::set_clear
+   :source-code: base/frameworks/broker/store.zeek 903 906
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
+
+   Remove all elements within a set.
+   
+
+   :param s: the set to clear.
+   
+
+   :returns: always true.
+
+.. zeek:id:: Broker::set_contains
+   :source-code: base/frameworks/broker/store.zeek 913 916
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Check if a set contains a particular element.
+   
+
+   :param s: the set to query.
+   
+
+   :param key: the element to check for existence.
+   
+
+   :returns: true if the key exists in the set.
+
+.. zeek:id:: Broker::set_create
+   :source-code: base/frameworks/broker/store.zeek 898 901
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
+
+   Create communication data of type "set".
+
+.. zeek:id:: Broker::set_insert
+   :source-code: base/frameworks/broker/store.zeek 918 921
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Insert an element into a set.
+   
+
+   :param s: the set to modify.
+   
+
+   :param key: the element to insert.
+   
+
+   :returns: true if the key was inserted, or false if it already existed.
+
+.. zeek:id:: Broker::set_iterator
+   :source-code: base/frameworks/broker/store.zeek 928 931
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::SetIterator
+
+   Create an iterator for a set.  Note that this makes a copy of the set
+   internally to ensure the iterator is always valid.
+   
+
+   :param s: the set to iterate over.
+   
+
+   :returns: an iterator.
+
+.. zeek:id:: Broker::set_iterator_last
+   :source-code: base/frameworks/broker/store.zeek 933 936
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`bool`
+
+   Check if there are no more elements to iterate over.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: true if there are no more elements to iterator over, i.e.
+            the iterator is one-past-the-final-element.
+
+.. zeek:id:: Broker::set_iterator_next
+   :source-code: base/frameworks/broker/store.zeek 938 941
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`bool`
+
+   Advance an iterator.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: true if the iterator, after advancing, still references an element
+            in the collection.  False if the iterator, after advancing, is
+            one-past-the-final-element.
+
+.. zeek:id:: Broker::set_iterator_value
+   :source-code: base/frameworks/broker/store.zeek 943 946
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::SetIterator) : :zeek:type:`Broker::Data`
+
+   Retrieve the data at an iterator's current position.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: element in the collection that the iterator currently references.
+
+.. zeek:id:: Broker::set_remove
+   :source-code: base/frameworks/broker/store.zeek 923 926
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Remove an element from a set.
+   
+
+   :param s: the set to modify.
+   
+
+   :param key: the element to remove.
+   
+
+   :returns: true if the element existed in the set and is now removed.
+
+.. zeek:id:: Broker::set_size
+   :source-code: base/frameworks/broker/store.zeek 908 911
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Broker::Data`) : :zeek:type:`count`
+
+   Get the number of elements within a set.
+   
+
+   :param s: the set to query.
+   
+
+   :returns: the number of elements in the set.
+
+.. zeek:id:: Broker::store_name
+   :source-code: base/frameworks/broker/store.zeek 802 805
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`opaque` of Broker::Store) : :zeek:type:`string`
+
+   Get the name of a store.
+   
+
+   :returns: the name of the store.
+
+.. zeek:id:: Broker::table_clear
+   :source-code: base/frameworks/broker/store.zeek 953 956
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
+
+   Remove all elements within a table.
+   
+
+   :param t: the table to clear.
+   
+
+   :returns: always true.
+
+.. zeek:id:: Broker::table_contains
+   :source-code: base/frameworks/broker/store.zeek 963 966
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Check if a table contains a particular key.
+   
+
+   :param t: the table to query.
+   
+
+   :param key: the key to check for existence.
+   
+
+   :returns: true if the key exists in the table.
+
+.. zeek:id:: Broker::table_create
+   :source-code: base/frameworks/broker/store.zeek 948 951
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
+
+   Create communication data of type "table".
+
+.. zeek:id:: Broker::table_insert
+   :source-code: base/frameworks/broker/store.zeek 968 971
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`, val: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+   Insert a key-value pair into a table.
+   
+
+   :param t: the table to modify.
+   
+
+   :param key: the key at which to insert the value.
+   
+
+   :param val: the value to insert.
+   
+
+   :returns: true if the key-value pair was inserted, or false if the key
+            already existed in the table.
+
+.. zeek:id:: Broker::table_iterator
+   :source-code: base/frameworks/broker/store.zeek 983 986
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::TableIterator
+
+   Create an iterator for a table.  Note that this makes a copy of the table
+   internally to ensure the iterator is always valid.
+   
+
+   :param t: the table to iterate over.
+   
+
+   :returns: an iterator.
+
+.. zeek:id:: Broker::table_iterator_last
+   :source-code: base/frameworks/broker/store.zeek 988 991
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`bool`
+
+   Check if there are no more elements to iterate over.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: true if there are no more elements to iterator over, i.e.
+            the iterator is one-past-the-final-element.
+
+.. zeek:id:: Broker::table_iterator_next
+   :source-code: base/frameworks/broker/store.zeek 993 996
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`bool`
+
+   Advance an iterator.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: true if the iterator, after advancing, still references an element
+            in the collection.  False if the iterator, after advancing, is
+            one-past-the-final-element.
+
+.. zeek:id:: Broker::table_iterator_value
+   :source-code: base/frameworks/broker/store.zeek 998 1001
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::TableIterator) : :zeek:type:`Broker::TableItem`
+
+   Retrieve the data at an iterator's current position.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: element in the collection that the iterator currently references.
+
+.. zeek:id:: Broker::table_lookup
+   :source-code: base/frameworks/broker/store.zeek 978 981
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+   Retrieve a value from a table.
+   
+
+   :param t: the table to query.
+   
+
+   :param key: the key to lookup.
+   
+
+   :returns: the value associated with the key.  If the key did not exist, then
+            the optional field of the returned record is not set.
+
+.. zeek:id:: Broker::table_remove
+   :source-code: base/frameworks/broker/store.zeek 973 976
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`, key: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+   Remove a key-value pair from a table.
+   
+
+   :param t: the table to modify.
+   
+
+   :param key: the key to remove from the table.
+   
+
+   :returns: the value associated with the key.  If the key did not exist, then
+            the optional field of the returned record is not set.
+
+.. zeek:id:: Broker::table_size
+   :source-code: base/frameworks/broker/store.zeek 958 961
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`Broker::Data`) : :zeek:type:`count`
+
+   Get the number of elements within a table.
+   
+
+   :param t: the table to query.
+   
+
+   :returns: the number of elements in the table.
+
+.. zeek:id:: Broker::vector_clear
+   :source-code: base/frameworks/broker/store.zeek 1008 1011
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`bool`
+
+   Remove all elements within a vector.
+   
+
+   :param v: the vector to clear.
+   
+
+   :returns: always true.
+
+.. zeek:id:: Broker::vector_create
+   :source-code: base/frameworks/broker/store.zeek 1003 1006
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::Data`
+
+   Create communication data of type "vector".
+
+.. zeek:id:: Broker::vector_insert
+   :source-code: base/frameworks/broker/store.zeek 1018 1021
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Insert an element into a vector at a particular position, possibly displacing
+   existing elements (insertion always grows the size of the vector by one).
+   
+
+   :param v: the vector to modify.
+   
+
+   :param d: the element to insert.
+   
+
+   :param idx: the index at which to insert the data.  If it is greater than the
+        current size of the vector, the element is inserted at the end.
+   
+
+   :returns: always true.
+
+.. zeek:id:: Broker::vector_iterator
+   :source-code: base/frameworks/broker/store.zeek 1038 1041
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`opaque` of Broker::VectorIterator
+
+   Create an iterator for a vector.  Note that this makes a copy of the vector
+   internally to ensure the iterator is always valid.
+   
+
+   :param v: the vector to iterate over.
+   
+
+   :returns: an iterator.
+
+.. zeek:id:: Broker::vector_iterator_last
+   :source-code: base/frameworks/broker/store.zeek 1043 1046
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`bool`
+
+   Check if there are no more elements to iterate over.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: true if there are no more elements to iterator over, i.e.
+            the iterator is one-past-the-final-element.
+
+.. zeek:id:: Broker::vector_iterator_next
+   :source-code: base/frameworks/broker/store.zeek 1048 1051
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`bool`
+
+   Advance an iterator.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: true if the iterator, after advancing, still references an element
+            in the collection.  False if the iterator, after advancing, is
+            one-past-the-final-element.
+
+.. zeek:id:: Broker::vector_iterator_value
+   :source-code: base/frameworks/broker/store.zeek 1053 1056
+
+   :Type: :zeek:type:`function` (it: :zeek:type:`opaque` of Broker::VectorIterator) : :zeek:type:`Broker::Data`
+
+   Retrieve the data at an iterator's current position.
+   
+
+   :param it: an iterator.
+   
+
+   :returns: element in the collection that the iterator currently references.
+
+.. zeek:id:: Broker::vector_lookup
+   :source-code: base/frameworks/broker/store.zeek 1033 1036
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
+
+   Lookup an element in a vector at a particular position.
+   
+
+   :param v: the vector to query.
+   
+
+   :param idx: the index to lookup.
+   
+
+   :returns: the value at the index.  If the index was larger than any
+            valid index, the optional field of the returned record is not set.
+
+.. zeek:id:: Broker::vector_remove
+   :source-code: base/frameworks/broker/store.zeek 1028 1031
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`) : :zeek:type:`Broker::Data`
+
+   Remove an element from a vector at a particular position.
+   
+
+   :param v: the vector to modify.
+   
+
+   :param idx: the index to remove.
+   
+
+   :returns: the value that was just evicted.  If the index was larger than any
+            valid index, the optional field of the returned record is not set.
+
+.. zeek:id:: Broker::vector_replace
+   :source-code: base/frameworks/broker/store.zeek 1023 1026
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`, idx: :zeek:type:`count`, d: :zeek:type:`any`) : :zeek:type:`Broker::Data`
+
+   Replace an element in a vector at a particular position.
+   
+
+   :param v: the vector to modify.
+   
+
+   :param d: the element to insert.
+   
+
+   :param idx: the index to replace.
+   
+
+   :returns: the value that was just evicted.  If the index was larger than any
+            valid index, the optional field of the returned record is not set.
+
+.. zeek:id:: Broker::vector_size
+   :source-code: base/frameworks/broker/store.zeek 1013 1016
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`Broker::Data`) : :zeek:type:`count`
+
+   Get the number of elements within a vector.
+   
+
+   :param v: the vector to query.
+   
+
+   :returns: the number of elements in the vector.
+
+
diff --git a/doc/scripts/base/frameworks/cluster/__load__.zeek.rst b/doc/scripts/base/frameworks/cluster/__load__.zeek.rst
new file mode 100644
index 0000000000..e5e95641c1
--- /dev/null
+++ b/doc/scripts/base/frameworks/cluster/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/cluster/__load__.zeek
+=====================================
+
+
+:Imports: :doc:`base/frameworks/cluster/main.zeek </scripts/base/frameworks/cluster/main.zeek>`, :doc:`base/frameworks/cluster/pools.zeek </scripts/base/frameworks/cluster/pools.zeek>`, :doc:`base/frameworks/cluster/telemetry.zeek </scripts/base/frameworks/cluster/telemetry.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/cluster/index.rst b/doc/scripts/base/frameworks/cluster/index.rst
new file mode 100644
index 0000000000..d7aa78a5eb
--- /dev/null
+++ b/doc/scripts/base/frameworks/cluster/index.rst
@@ -0,0 +1,38 @@
+:orphan:
+
+Package: base/frameworks/cluster
+================================
+
+The cluster framework provides for establishing and controlling a cluster
+of Zeek instances.
+
+:doc:`/scripts/base/frameworks/cluster/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/cluster/main.zeek`
+
+   A framework for establishing and controlling a cluster of Zeek instances.
+   In order to use the cluster framework, a script named
+   ``cluster-layout.zeek`` must exist somewhere in Zeek's script search path
+   which has a cluster definition of the :zeek:id:`Cluster::nodes` variable.
+   The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node`
+   must also be sent and the cluster framework loaded as a package like
+   ``@load base/frameworks/cluster``.
+   
+   .. warning::
+   
+       The file ``cluster-layout.zeek`` should only contain the definition
+       of :zeek:id:`Cluster::nodes`. Specifically, avoid loading other Zeek
+       scripts or using :zeek:see:`redef` for anything but :zeek:id:`Cluster::nodes`.
+   
+       Due to ``cluster-layout.zeek`` being loaded very early, it is easy to
+       introduce circular loading issues.
+
+:doc:`/scripts/base/frameworks/cluster/pools.zeek`
+
+   Defines an interface for managing pools of cluster nodes.  Pools are
+   a useful way to distribute work or data among nodes within a cluster.
+
+:doc:`/scripts/base/frameworks/cluster/telemetry.zeek`
+
+
diff --git a/doc/scripts/base/frameworks/cluster/main.zeek.rst b/doc/scripts/base/frameworks/cluster/main.zeek.rst
new file mode 100644
index 0000000000..afca9298dc
--- /dev/null
+++ b/doc/scripts/base/frameworks/cluster/main.zeek.rst
@@ -0,0 +1,999 @@
+:tocdepth: 3
+
+base/frameworks/cluster/main.zeek
+=================================
+.. zeek:namespace:: Cluster
+
+A framework for establishing and controlling a cluster of Zeek instances.
+In order to use the cluster framework, a script named
+``cluster-layout.zeek`` must exist somewhere in Zeek's script search path
+which has a cluster definition of the :zeek:id:`Cluster::nodes` variable.
+The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node`
+must also be sent and the cluster framework loaded as a package like
+``@load base/frameworks/cluster``.
+
+.. warning::
+
+    The file ``cluster-layout.zeek`` should only contain the definition
+    of :zeek:id:`Cluster::nodes`. Specifically, avoid loading other Zeek
+    scripts or using :zeek:see:`redef` for anything but :zeek:id:`Cluster::nodes`.
+
+    Due to ``cluster-layout.zeek`` being loaded very early, it is easy to
+    introduce circular loading issues.
+
+:Namespace: Cluster
+:Imports: :doc:`base/bif/cluster.bif.zeek </scripts/base/bif/cluster.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek </scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek>`, :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+==================================================================================================== ===============================================================================
+:zeek:id:`Cluster::default_backend`: :zeek:type:`Broker::BackendType` :zeek:attr:`&redef`            The type of data store backend that will be used for all data stores if
+                                                                                                     no other has already been specified by the user in :zeek:see:`Cluster::stores`.
+:zeek:id:`Cluster::default_master_node`: :zeek:type:`string` :zeek:attr:`&redef`                     Name of the node on which master data stores will be created if no other
+                                                                                                     has already been specified by the user in :zeek:see:`Cluster::stores`.
+:zeek:id:`Cluster::default_persistent_backend`: :zeek:type:`Broker::BackendType` :zeek:attr:`&redef` The type of persistent data store backend that will be used for all data
+                                                                                                     stores if no other has already been specified by the user in
+                                                                                                     :zeek:see:`Cluster::stores`.
+:zeek:id:`Cluster::default_store_dir`: :zeek:type:`string` :zeek:attr:`&redef`                       Setting a default dir will, for persistent backends that have not
+                                                                                                     been given an explicit file path via :zeek:see:`Cluster::stores`,
+                                                                                                     automatically create a path within this dir that is based on the name of
+                                                                                                     the data store.
+:zeek:id:`Cluster::default_websocket_max_event_queue_size`: :zeek:type:`count` :zeek:attr:`&redef`   The default maximum queue size for WebSocket event dispatcher instances.
+:zeek:id:`Cluster::default_websocket_ping_interval`: :zeek:type:`interval` :zeek:attr:`&redef`       The default ping interval for WebSocket clients.
+:zeek:id:`Cluster::enable_round_robin_logging`: :zeek:type:`bool` :zeek:attr:`&redef`                Whether to distribute log messages among available logging nodes.
+:zeek:id:`Cluster::logger_topic`: :zeek:type:`string` :zeek:attr:`&redef`                            The topic name used for exchanging messages that are relevant to
+                                                                                                     logger nodes in a cluster.
+:zeek:id:`Cluster::manager_is_logger`: :zeek:type:`bool` :zeek:attr:`&redef`                         Indicates whether or not the manager will act as the logger and receive
+                                                                                                     logs.
+:zeek:id:`Cluster::manager_topic`: :zeek:type:`string` :zeek:attr:`&redef`                           The topic name used for exchanging messages that are relevant to
+                                                                                                     manager nodes in a cluster.
+:zeek:id:`Cluster::node`: :zeek:type:`string` :zeek:attr:`&redef`                                    This is usually supplied on the command line for each instance
+                                                                                                     of the cluster that is started up.
+:zeek:id:`Cluster::node_topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef`                       The topic prefix used for exchanging messages that are relevant to
+                                                                                                     a named node in a cluster.
+:zeek:id:`Cluster::nodeid_topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef`                     The topic prefix used for exchanging messages that are relevant to
+                                                                                                     a unique node in a cluster.
+:zeek:id:`Cluster::nodes`: :zeek:type:`table` :zeek:attr:`&redef`                                    The cluster layout definition.
+:zeek:id:`Cluster::proxy_topic`: :zeek:type:`string` :zeek:attr:`&redef`                             The topic name used for exchanging messages that are relevant to
+                                                                                                     proxy nodes in a cluster.
+:zeek:id:`Cluster::retry_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                        Interval for retrying failed connections between cluster nodes.
+:zeek:id:`Cluster::worker_topic`: :zeek:type:`string` :zeek:attr:`&redef`                            The topic name used for exchanging messages that are relevant to
+                                                                                                     worker nodes in a cluster.
+==================================================================================================== ===============================================================================
+
+Constants
+#########
+====================================================== ==================================================================
+:zeek:id:`Cluster::broadcast_topics`: :zeek:type:`set` A set of topic names to be used for broadcasting messages that are
+                                                       relevant to all nodes in a cluster.
+====================================================== ==================================================================
+
+State Variables
+###############
+================================================================================================ ======================================================================
+:zeek:id:`Cluster::stores`: :zeek:type:`table` :zeek:attr:`&default` = *...* :zeek:attr:`&redef` A table of cluster-enabled data stores that have been created, indexed
+                                                                                                 by their name.
+================================================================================================ ======================================================================
+
+Types
+#####
+================================================================= ==========================================================================
+:zeek:type:`Cluster::EndpointInfo`: :zeek:type:`record`           Information about a WebSocket endpoint.
+:zeek:type:`Cluster::Event`: :zeek:type:`record`                  An event instance for cluster pub/sub.
+:zeek:type:`Cluster::Info`: :zeek:type:`record` :zeek:attr:`&log` The record type which contains the column fields of the cluster log.
+:zeek:type:`Cluster::NamedNode`: :zeek:type:`record`              Record to represent a cluster node including its name.
+:zeek:type:`Cluster::NetworkInfo`: :zeek:type:`record`            Network information of an endpoint.
+:zeek:type:`Cluster::Node`: :zeek:type:`record`                   Record type to indicate a node in a cluster.
+:zeek:type:`Cluster::NodeType`: :zeek:type:`enum`                 Types of nodes that are allowed to participate in the cluster
+                                                                  configuration.
+:zeek:type:`Cluster::StoreInfo`: :zeek:type:`record`              Information regarding a cluster-enabled data store.
+:zeek:type:`Cluster::WebSocketServerOptions`: :zeek:type:`record` WebSocket server options to pass to :zeek:see:`Cluster::listen_websocket`.
+:zeek:type:`Cluster::WebSocketTLSOptions`: :zeek:type:`record`    The TLS options for a WebSocket server.
+:zeek:type:`Cluster::BackendTag`: :zeek:type:`enum`               
+:zeek:type:`Cluster::EventSerializerTag`: :zeek:type:`enum`       
+:zeek:type:`Cluster::LogSerializerTag`: :zeek:type:`enum`         
+================================================================= ==========================================================================
+
+Redefinitions
+#############
+======================================= ======================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` The cluster logging stream identifier.
+                                        
+                                        * :zeek:enum:`Cluster::LOG`
+======================================= ======================================
+
+Events
+######
+================================================= =======================================================================
+:zeek:id:`Cluster::hello`: :zeek:type:`event`     When using broker-enabled cluster framework, nodes broadcast this event
+                                                  to exchange their user-defined name along with a string that uniquely
+                                                  identifies it for the duration of its lifetime.
+:zeek:id:`Cluster::node_down`: :zeek:type:`event` When using broker-enabled cluster framework, this event will be emitted
+                                                  locally whenever a connected cluster node becomes disconnected.
+:zeek:id:`Cluster::node_up`: :zeek:type:`event`   When using broker-enabled cluster framework, this event will be emitted
+                                                  locally whenever a cluster node connects or reconnects.
+================================================= =======================================================================
+
+Hooks
+#####
+============================================================ =============================================================
+:zeek:id:`Cluster::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+:zeek:id:`Cluster::on_subscribe`: :zeek:type:`hook`          A hook invoked for every :zeek:see:`Cluster::subscribe` call.
+:zeek:id:`Cluster::on_unsubscribe`: :zeek:type:`hook`        A hook invoked for every :zeek:see:`Cluster::subscribe` call.
+============================================================ =============================================================
+
+Functions
+#########
+=========================================================================== =====================================================================
+:zeek:id:`Cluster::create_store`: :zeek:type:`function`                     Sets up a cluster-enabled data store.
+:zeek:id:`Cluster::get_active_node_count`: :zeek:type:`function`            Returns the number of nodes per type, the calling node is currently
+                                                                            connected to.
+:zeek:id:`Cluster::get_node_count`: :zeek:type:`function`                   Returns the number of nodes defined in the cluster layout for a given
+                                                                            node type.
+:zeek:id:`Cluster::init`: :zeek:type:`function`                             Initialize the cluster backend.
+:zeek:id:`Cluster::is_enabled`: :zeek:type:`function`                       This function can be called at any time to determine if the cluster
+                                                                            framework is being enabled for this run.
+:zeek:id:`Cluster::listen_websocket`: :zeek:type:`function`                 Start listening on a WebSocket address.
+:zeek:id:`Cluster::local_node_metrics_port`: :zeek:type:`function`          This function can be called at any time to determine the configured
+                                                                            metrics port for Prometheus being used by current Zeek instance.
+:zeek:id:`Cluster::local_node_type`: :zeek:type:`function`                  This function can be called at any time to determine what type of
+                                                                            cluster node the current Zeek instance is going to be acting as.
+:zeek:id:`Cluster::log`: :zeek:type:`function`                              Write a message to the cluster logging stream.
+:zeek:id:`Cluster::node_id`: :zeek:type:`function` :zeek:attr:`&redef`      Function returning this node's identifier.
+:zeek:id:`Cluster::node_topic`: :zeek:type:`function` :zeek:attr:`&redef`   Retrieve the topic associated with a specific node in the cluster.
+:zeek:id:`Cluster::nodeid_to_node`: :zeek:type:`function`                   Retrieve the cluster-level naming of a node based on its node ID,
+                                                                            a backend-specific identifier.
+:zeek:id:`Cluster::nodeid_topic`: :zeek:type:`function` :zeek:attr:`&redef` Retrieve the topic associated with a specific node in the cluster.
+:zeek:id:`Cluster::subscribe`: :zeek:type:`function`                        Subscribe to the given topic.
+:zeek:id:`Cluster::unsubscribe`: :zeek:type:`function`                      Unsubscribe from the given topic.
+=========================================================================== =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Cluster::default_backend
+   :source-code: base/frameworks/cluster/main.zeek 70 70
+
+   :Type: :zeek:type:`Broker::BackendType`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Broker::MEMORY``
+
+   The type of data store backend that will be used for all data stores if
+   no other has already been specified by the user in :zeek:see:`Cluster::stores`.
+
+.. zeek:id:: Cluster::default_master_node
+   :source-code: base/frameworks/cluster/main.zeek 66 66
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Name of the node on which master data stores will be created if no other
+   has already been specified by the user in :zeek:see:`Cluster::stores`.
+   An empty value means "use whatever name corresponds to the manager
+   node".
+
+.. zeek:id:: Cluster::default_persistent_backend
+   :source-code: base/frameworks/cluster/main.zeek 76 76
+
+   :Type: :zeek:type:`Broker::BackendType`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Broker::SQLITE``
+
+   The type of persistent data store backend that will be used for all data
+   stores if no other has already been specified by the user in
+   :zeek:see:`Cluster::stores`.  This will be used when script authors call
+   :zeek:see:`Cluster::create_store` with the *persistent* argument set true.
+
+.. zeek:id:: Cluster::default_store_dir
+   :source-code: base/frameworks/cluster/main.zeek 95 95
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Setting a default dir will, for persistent backends that have not
+   been given an explicit file path via :zeek:see:`Cluster::stores`,
+   automatically create a path within this dir that is based on the name of
+   the data store.
+
+.. zeek:id:: Cluster::default_websocket_max_event_queue_size
+   :source-code: base/frameworks/cluster/main.zeek 86 86
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``32``
+
+   The default maximum queue size for WebSocket event dispatcher instances.
+   
+   If the maximum queue size is reached, events from external WebSocket
+   clients will be stalled and processed once the queue has been drained.
+   
+   An internal metric named ``cluster_onloop_queue_stalls`` and
+   labeled with a ``WebSocketEventDispatcher:<host>:<port>`` tag
+   is incremented when the maximum queue size is reached.
+
+.. zeek:id:: Cluster::default_websocket_ping_interval
+   :source-code: base/frameworks/cluster/main.zeek 89 89
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   The default ping interval for WebSocket clients.
+
+.. zeek:id:: Cluster::enable_round_robin_logging
+   :source-code: base/frameworks/cluster/main.zeek 25 25
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether to distribute log messages among available logging nodes.
+
+.. zeek:id:: Cluster::logger_topic
+   :source-code: base/frameworks/cluster/main.zeek 29 29
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/cluster/logger"``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         zeek.cluster.logger
+
+
+   The topic name used for exchanging messages that are relevant to
+   logger nodes in a cluster.  Used with broker-enabled cluster communication.
+
+.. zeek:id:: Cluster::manager_is_logger
+   :source-code: base/frameworks/cluster/main.zeek 252 252
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Indicates whether or not the manager will act as the logger and receive
+   logs.  This value should be set in the cluster-layout.zeek script (the
+   value should be true only if no logger is specified in Cluster::nodes).
+   Note that ZeekControl handles this automatically.
+
+.. zeek:id:: Cluster::manager_topic
+   :source-code: base/frameworks/cluster/main.zeek 33 33
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/cluster/manager"``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         zeek.cluster.manager
+
+
+   The topic name used for exchanging messages that are relevant to
+   manager nodes in a cluster.  Used with broker-enabled cluster communication.
+
+.. zeek:id:: Cluster::node
+   :source-code: base/frameworks/cluster/main.zeek 256 256
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   This is usually supplied on the command line for each instance
+   of the cluster that is started up.
+
+.. zeek:id:: Cluster::node_topic_prefix
+   :source-code: base/frameworks/cluster/main.zeek 56 56
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/cluster/node/"``
+
+   The topic prefix used for exchanging messages that are relevant to
+   a named node in a cluster.  Used with broker-enabled cluster communication.
+
+.. zeek:id:: Cluster::nodeid_topic_prefix
+   :source-code: base/frameworks/cluster/main.zeek 60 60
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/cluster/nodeid/"``
+
+   The topic prefix used for exchanging messages that are relevant to
+   a unique node in a cluster.  Used with broker-enabled cluster communication.
+
+.. zeek:id:: Cluster::nodes
+   :source-code: base/frameworks/cluster/main.zeek 237 237
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Cluster::Node`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   The cluster layout definition.  This should be placed into a filter
+   named cluster-layout.zeek somewhere in the ZEEKPATH.  It will be
+   automatically loaded if the CLUSTER_NODE environment variable is set.
+   Note that ZeekControl handles all of this automatically.
+   The table is typically indexed by node names/labels (e.g. "manager"
+   or "worker-1").
+
+.. zeek:id:: Cluster::proxy_topic
+   :source-code: base/frameworks/cluster/main.zeek 37 37
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/cluster/proxy"``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         zeek.cluster.proxy
+
+
+   The topic name used for exchanging messages that are relevant to
+   proxy nodes in a cluster.  Used with broker-enabled cluster communication.
+
+.. zeek:id:: Cluster::retry_interval
+   :source-code: base/frameworks/cluster/main.zeek 268 268
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 sec``
+
+   Interval for retrying failed connections between cluster nodes.
+   If set, the ZEEK_DEFAULT_CONNECT_RETRY (given in number of seconds)
+   environment variable overrides this option.
+
+.. zeek:id:: Cluster::worker_topic
+   :source-code: base/frameworks/cluster/main.zeek 41 41
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/cluster/worker"``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         zeek.cluster.worker
+
+
+   The topic name used for exchanging messages that are relevant to
+   worker nodes in a cluster.  Used with broker-enabled cluster communication.
+
+Constants
+#########
+.. zeek:id:: Cluster::broadcast_topics
+   :source-code: base/frameworks/cluster/main.zeek 47 47
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Default:
+
+      ::
+
+         {
+            "zeek/cluster/manager",
+            "zeek/cluster/logger",
+            "zeek/cluster/proxy",
+            "zeek/cluster/worker"
+         }
+
+
+   A set of topic names to be used for broadcasting messages that are
+   relevant to all nodes in a cluster. Currently, there is not a common
+   topic to broadcast to, because enabling implicit Broker forwarding would
+   cause a routing loop for this topic.
+
+State Variables
+###############
+.. zeek:id:: Cluster::stores
+   :source-code: base/frameworks/cluster/main.zeek 130 130
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Cluster::StoreInfo`
+   :Attributes: :zeek:attr:`&default` = *[name=<uninitialized>, store=<uninitialized>, master_node=, master=F, backend=Broker::MEMORY, options=[sqlite=[path=, synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]], clone_resync_interval=10.0 secs, clone_stale_interval=5.0 mins, clone_mutation_buffer_interval=2.0 mins]* :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   A table of cluster-enabled data stores that have been created, indexed
+   by their name.  This table will be populated automatically by
+   :zeek:see:`Cluster::create_store`, but if you need to customize
+   the options related to a particular data store, you may redef this
+   table.  Calls to :zeek:see:`Cluster::create_store` will first check
+   the table for an entry of the same name and, if found, will use the
+   predefined options there when setting up the store.
+
+Types
+#####
+.. zeek:type:: Cluster::EndpointInfo
+   :source-code: base/frameworks/cluster/main.zeek 396 401
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`string`
+
+
+   .. zeek:field:: network :zeek:type:`Cluster::NetworkInfo`
+
+
+   .. zeek:field:: application_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The value of the X-Application-Name HTTP header, if any.
+
+
+   Information about a WebSocket endpoint.
+
+.. zeek:type:: Cluster::Event
+   :source-code: base/frameworks/cluster/main.zeek 337 342
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ev :zeek:type:`any`
+
+      The event handler to be invoked on the remote node.
+
+
+   .. zeek:field:: args :zeek:type:`vector` of :zeek:type:`any`
+
+      The arguments for the event.
+
+
+   An event instance for cluster pub/sub.
+   
+   See :zeek:see:`Cluster::publish` and :zeek:see:`Cluster::make_event`.
+
+.. zeek:type:: Cluster::Info
+   :source-code: base/frameworks/cluster/main.zeek 151 158
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The time at which a cluster message was generated.
+
+
+   .. zeek:field:: node :zeek:type:`string` :zeek:attr:`&log`
+
+      The name of the node that is creating the log record.
+
+
+   .. zeek:field:: message :zeek:type:`string` :zeek:attr:`&log`
+
+      A message indicating information about the cluster's operation.
+
+   :Attributes: :zeek:attr:`&log`
+
+   The record type which contains the column fields of the cluster log.
+
+.. zeek:type:: Cluster::NamedNode
+   :source-code: base/frameworks/cluster/main.zeek 204 207
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+
+   .. zeek:field:: node :zeek:type:`Cluster::Node`
+
+
+   Record to represent a cluster node including its name.
+
+.. zeek:type:: Cluster::NetworkInfo
+   :source-code: base/frameworks/cluster/main.zeek 388 393
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: address :zeek:type:`string`
+
+      The IP address or hostname where the endpoint listens.
+
+
+   .. zeek:field:: bound_port :zeek:type:`port`
+
+      The port where the endpoint is bound to.
+
+
+   Network information of an endpoint.
+
+.. zeek:type:: Cluster::Node
+   :source-code: base/frameworks/cluster/main.zeek 181 201
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: node_type :zeek:type:`Cluster::NodeType`
+
+      Identifies the type of cluster node in this node's configuration.
+
+
+   .. zeek:field:: ip :zeek:type:`addr`
+
+      The IP address of the cluster node.
+
+
+   .. zeek:field:: zone_id :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      If the *ip* field is a non-global IPv6 address, this field
+      can specify a particular :rfc:`4007` ``zone_id``.
+
+
+   .. zeek:field:: p :zeek:type:`port` :zeek:attr:`&default` = ``0/unknown`` :zeek:attr:`&optional`
+
+      The port that this node will listen on for peer connections.
+      A value of ``0/unknown`` means the node is not pre-configured to listen.
+
+
+   .. zeek:field:: manager :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name of the manager node this node uses.  For workers and proxies.
+
+
+   .. zeek:field:: id :zeek:type:`string` :zeek:attr:`&optional`
+
+      A unique identifier assigned to the node by the broker framework.
+      This field is only set while a node is connected.
+
+
+   .. zeek:field:: metrics_port :zeek:type:`port` :zeek:attr:`&optional`
+
+      The port used to expose metrics to Prometheus. Setting this in a cluster
+      configuration will override the setting for Telemetry::metrics_port for
+      the node.
+
+
+   Record type to indicate a node in a cluster.
+
+.. zeek:type:: Cluster::NodeType
+   :source-code: base/frameworks/cluster/main.zeek 162 179
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Cluster::NONE Cluster::NodeType
+
+         A dummy node type indicating the local node is not operating
+         within a cluster.
+
+      .. zeek:enum:: Cluster::CONTROL Cluster::NodeType
+
+         A node type which is allowed to view/manipulate the configuration
+         of other nodes in the cluster.
+
+      .. zeek:enum:: Cluster::LOGGER Cluster::NodeType
+
+         A node type responsible for log management.
+
+      .. zeek:enum:: Cluster::MANAGER Cluster::NodeType
+
+         A node type responsible for policy management.
+
+      .. zeek:enum:: Cluster::PROXY Cluster::NodeType
+
+         A node type for relaying worker node communication and synchronizing
+         worker node state.
+
+      .. zeek:enum:: Cluster::WORKER Cluster::NodeType
+
+         The node type doing all the actual traffic analysis.
+
+   Types of nodes that are allowed to participate in the cluster
+   configuration.
+
+.. zeek:type:: Cluster::StoreInfo
+   :source-code: base/frameworks/cluster/main.zeek 98 121
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The name of the data store.
+
+
+   .. zeek:field:: store :zeek:type:`opaque` of Broker::Store :zeek:attr:`&optional`
+
+      The store handle.
+
+
+   .. zeek:field:: master_node :zeek:type:`string` :zeek:attr:`&default` = :zeek:see:`Cluster::default_master_node` :zeek:attr:`&optional`
+
+      The name of the cluster node on which the master version of the data
+      store resides.
+
+
+   .. zeek:field:: master :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Whether the data store is the master version or a clone.
+
+
+   .. zeek:field:: backend :zeek:type:`Broker::BackendType` :zeek:attr:`&default` = :zeek:see:`Cluster::default_backend` :zeek:attr:`&optional`
+
+      The type of backend used for storing data.
+
+
+   .. zeek:field:: options :zeek:type:`Broker::BackendOptions` :zeek:attr:`&default` = *...* :zeek:attr:`&optional`
+
+      Parameters used for configuring the backend.
+
+
+   .. zeek:field:: clone_resync_interval :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Broker::default_clone_resync_interval` :zeek:attr:`&optional`
+
+      A resync/reconnect interval to pass through to
+      :zeek:see:`Broker::create_clone`.
+
+
+   .. zeek:field:: clone_stale_interval :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Broker::default_clone_stale_interval` :zeek:attr:`&optional`
+
+      A staleness duration to pass through to
+      :zeek:see:`Broker::create_clone`.
+
+
+   .. zeek:field:: clone_mutation_buffer_interval :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Broker::default_clone_mutation_buffer_interval` :zeek:attr:`&optional`
+
+      A mutation buffer interval to pass through to
+      :zeek:see:`Broker::create_clone`.
+
+
+   Information regarding a cluster-enabled data store.
+
+.. zeek:type:: Cluster::WebSocketServerOptions
+   :source-code: base/frameworks/cluster/main.zeek 364 378
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: listen_addr :zeek:type:`addr` :zeek:attr:`&optional`
+
+      The address to listen on, cannot be used together with ``listen_host``.
+
+
+   .. zeek:field:: listen_port :zeek:type:`port`
+
+      The port the WebSocket server is supposed to listen on.
+
+
+   .. zeek:field:: max_event_queue_size :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`Cluster::default_websocket_max_event_queue_size` :zeek:attr:`&optional`
+
+      The maximum event queue size for this server.
+
+
+   .. zeek:field:: ping_interval :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Cluster::default_websocket_ping_interval` :zeek:attr:`&optional`
+
+      Ping interval to use. A WebSocket client not responding to
+      the pings will be disconnected. Set to a negative value to
+      disable pings. Subsecond intervals are currently not supported.
+
+
+   .. zeek:field:: tls_options :zeek:type:`Cluster::WebSocketTLSOptions` :zeek:attr:`&default` = *...* :zeek:attr:`&optional`
+
+      The TLS options used for this WebSocket server. By default,
+      TLS is disabled. See also :zeek:see:`Cluster::WebSocketTLSOptions`.
+
+
+   WebSocket server options to pass to :zeek:see:`Cluster::listen_websocket`.
+
+.. zeek:type:: Cluster::WebSocketTLSOptions
+   :source-code: base/frameworks/cluster/main.zeek 348 361
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cert_file :zeek:type:`string` :zeek:attr:`&optional`
+
+      The cert file to use.
+
+
+   .. zeek:field:: key_file :zeek:type:`string` :zeek:attr:`&optional`
+
+      The key file to use.
+
+
+   .. zeek:field:: enable_peer_verification :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Expect peers to send client certificates.
+
+
+   .. zeek:field:: ca_file :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      The CA certificate or CA bundle used for peer verification.
+      Empty will use the implementations's default when
+      ``enable_peer_verification`` is T.
+
+
+   .. zeek:field:: ciphers :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      The ciphers to use. Empty will use the implementation's defaults.
+
+
+   The TLS options for a WebSocket server.
+   
+   If cert_file and key_file are set, TLS is enabled. If both
+   are unset, TLS is disabled. Any other combination is an error.
+
+.. zeek:type:: Cluster::BackendTag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Cluster::CLUSTER_BACKEND_BROKER Cluster::BackendTag
+
+      .. zeek:enum:: Cluster::CLUSTER_BACKEND_BROKER_WEBSOCKET_SHIM Cluster::BackendTag
+
+      .. zeek:enum:: Cluster::CLUSTER_BACKEND_ZEROMQ Cluster::BackendTag
+
+
+.. zeek:type:: Cluster::EventSerializerTag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Cluster::EVENT_SERIALIZER_BROKER_BIN_V1 Cluster::EventSerializerTag
+
+      .. zeek:enum:: Cluster::EVENT_SERIALIZER_BROKER_JSON_V1 Cluster::EventSerializerTag
+
+
+.. zeek:type:: Cluster::LogSerializerTag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Cluster::LOG_SERIALIZER_ZEEK_BIN_V1 Cluster::LogSerializerTag
+
+
+Events
+######
+.. zeek:id:: Cluster::hello
+   :source-code: base/frameworks/cluster/main.zeek 510 535
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, id: :zeek:type:`string`)
+
+   When using broker-enabled cluster framework, nodes broadcast this event
+   to exchange their user-defined name along with a string that uniquely
+   identifies it for the duration of its lifetime.  This string may change
+   if the node dies and has to reconnect later.
+
+.. zeek:id:: Cluster::node_down
+   :source-code: base/frameworks/cluster/main.zeek 282 282
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, id: :zeek:type:`string`)
+
+   When using broker-enabled cluster framework, this event will be emitted
+   locally whenever a connected cluster node becomes disconnected.
+
+.. zeek:id:: Cluster::node_up
+   :source-code: base/frameworks/cluster/main.zeek 278 278
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, id: :zeek:type:`string`)
+
+   When using broker-enabled cluster framework, this event will be emitted
+   locally whenever a cluster node connects or reconnects.
+
+Hooks
+#####
+.. zeek:id:: Cluster::log_policy
+   :source-code: base/frameworks/cluster/main.zeek 148 148
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+.. zeek:id:: Cluster::on_subscribe
+   :source-code: base/frameworks/cluster/main.zeek 408 408
+
+   :Type: :zeek:type:`hook` (topic: :zeek:type:`string`) : :zeek:type:`bool`
+
+   A hook invoked for every :zeek:see:`Cluster::subscribe` call.
+   
+   Breaking from this hook has no effect.
+   
+
+   :param topic: The topic string as given to :zeek:see:`Cluster::subscribe`.
+
+.. zeek:id:: Cluster::on_unsubscribe
+   :source-code: base/frameworks/cluster/main.zeek 415 415
+
+   :Type: :zeek:type:`hook` (topic: :zeek:type:`string`) : :zeek:type:`bool`
+
+   A hook invoked for every :zeek:see:`Cluster::subscribe` call.
+   
+   Breaking from this hook has no effect.
+   
+
+   :param topic: The topic string as given to :zeek:see:`Cluster::subscribe`.
+
+Functions
+#########
+.. zeek:id:: Cluster::create_store
+   :source-code: base/frameworks/cluster/main.zeek 590 665
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`, persistent: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`Cluster::StoreInfo`
+
+   Sets up a cluster-enabled data store.  They will also still properly
+   function for uses that are not operating a cluster.
+   
+
+   :param name: the name of the data store to create.
+   
+
+   :param persistent: whether the data store must be persistent.
+   
+
+   :returns: the store's information.  For master stores, the store will be
+            ready to use immediately.  For clones, the store field will not
+            be set until the node containing the master store has connected.
+
+.. zeek:id:: Cluster::get_active_node_count
+   :source-code: base/frameworks/cluster/main.zeek 454 457
+
+   :Type: :zeek:type:`function` (node_type: :zeek:type:`Cluster::NodeType`) : :zeek:type:`count`
+
+   Returns the number of nodes per type, the calling node is currently
+   connected to. This is primarily intended for use by the manager to find
+   out how many nodes should be responding to requests.
+
+.. zeek:id:: Cluster::get_node_count
+   :source-code: base/frameworks/cluster/main.zeek 441 452
+
+   :Type: :zeek:type:`function` (node_type: :zeek:type:`Cluster::NodeType`) : :zeek:type:`count`
+
+   Returns the number of nodes defined in the cluster layout for a given
+   node type.
+
+.. zeek:id:: Cluster::init
+   :source-code: base/frameworks/cluster/main.zeek 672 675
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Initialize the cluster backend.
+   
+   Cluster backends usually invoke this from a :zeek:see:`zeek_init` handler.
+   
+
+   :returns: T on success, else F.
+
+.. zeek:id:: Cluster::is_enabled
+   :source-code: base/frameworks/cluster/main.zeek 459 462
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   This function can be called at any time to determine if the cluster
+   framework is being enabled for this run.
+   
+
+   :returns: True if :zeek:id:`Cluster::node` has been set.
+
+.. zeek:id:: Cluster::listen_websocket
+   :source-code: base/frameworks/cluster/main.zeek 687 690
+
+   :Type: :zeek:type:`function` (options: :zeek:type:`Cluster::WebSocketServerOptions`) : :zeek:type:`bool`
+
+   Start listening on a WebSocket address.
+   
+
+   :param options: The server :zeek:see:`Cluster::WebSocketServerOptions` to use.
+   
+
+   :returns: T on success, else F.
+
+.. zeek:id:: Cluster::local_node_metrics_port
+   :source-code: base/frameworks/cluster/main.zeek 475 487
+
+   :Type: :zeek:type:`function` () : :zeek:type:`port`
+
+   This function can be called at any time to determine the configured
+   metrics port for Prometheus being used by current Zeek instance. If
+   :zeek:id:`Cluster::is_enabled` returns false or the node isn't found,
+   ``0/unknown`` is returned.
+   
+
+   :returns: The metrics port used by the calling node.
+
+.. zeek:id:: Cluster::local_node_type
+   :source-code: base/frameworks/cluster/main.zeek 464 473
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Cluster::NodeType`
+
+   This function can be called at any time to determine what type of
+   cluster node the current Zeek instance is going to be acting as.
+   If :zeek:id:`Cluster::is_enabled` returns false, then
+   :zeek:enum:`Cluster::NONE` is returned.
+   
+
+   :returns: The :zeek:type:`Cluster::NodeType` the calling node acts as.
+
+.. zeek:id:: Cluster::log
+   :source-code: base/frameworks/cluster/main.zeek 667 670
+
+   :Type: :zeek:type:`function` (msg: :zeek:type:`string`) : :zeek:type:`void`
+
+   Write a message to the cluster logging stream.
+
+.. zeek:id:: Cluster::node_id
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 355 357
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+
+   Function returning this node's identifier.
+   
+   By default this is :zeek:see:`Broker::node_id`, but can be
+   redefined by other cluster backends. This identifier should be
+   a short lived identifier that resets when a node is restarted.
+
+.. zeek:id:: Cluster::node_topic
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 340 342
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+
+   Retrieve the topic associated with a specific node in the cluster.
+   
+
+   :param name: the name of the cluster node (e.g. "manager").
+   
+
+   :returns: a topic string that may used to send a message exclusively to
+            a given cluster node.
+
+.. zeek:id:: Cluster::nodeid_to_node
+   :source-code: base/frameworks/cluster/main.zeek 499 508
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`Cluster::NamedNode`
+
+   Retrieve the cluster-level naming of a node based on its node ID,
+   a backend-specific identifier.
+   
+
+   :param id: the node ID of a peer.
+   
+
+   :returns: the :zeek:see:`Cluster::NamedNode` for the requested node, if
+            known, otherwise a "null" instance with an empty name field.
+
+.. zeek:id:: Cluster::nodeid_topic
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 344 346
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+
+   Retrieve the topic associated with a specific node in the cluster.
+   
+
+   :param id: the id of the cluster node (from :zeek:see:`Broker::EndpointInfo`
+       or :zeek:see:`Broker::node_id`.
+   
+
+   :returns: a topic string that may used to send a message exclusively to
+            a given cluster node.
+
+.. zeek:id:: Cluster::subscribe
+   :source-code: base/frameworks/cluster/main.zeek 677 680
+
+   :Type: :zeek:type:`function` (topic: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Subscribe to the given topic.
+   
+
+   :param topic: The topic to subscribe to.
+   
+
+   :returns: T on success, else F.
+
+.. zeek:id:: Cluster::unsubscribe
+   :source-code: base/frameworks/cluster/main.zeek 682 685
+
+   :Type: :zeek:type:`function` (topic: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Unsubscribe from the given topic.
+   
+
+   :param topic: The topic to unsubscribe from.
+   
+
+   :returns: T on success, else F.
+
+
diff --git a/doc/scripts/base/frameworks/cluster/pools.zeek.rst b/doc/scripts/base/frameworks/cluster/pools.zeek.rst
new file mode 100644
index 0000000000..f23a95e49f
--- /dev/null
+++ b/doc/scripts/base/frameworks/cluster/pools.zeek.rst
@@ -0,0 +1,352 @@
+:tocdepth: 3
+
+base/frameworks/cluster/pools.zeek
+==================================
+.. zeek:namespace:: Cluster
+
+Defines an interface for managing pools of cluster nodes.  Pools are
+a useful way to distribute work or data among nodes within a cluster.
+
+:Namespace: Cluster
+:Imports: :doc:`base/frameworks/cluster/main.zeek </scripts/base/frameworks/cluster/main.zeek>`, :doc:`base/utils/hash_hrw.zeek </scripts/base/utils/hash_hrw.zeek>`
+
+Summary
+~~~~~~~
+State Variables
+###############
+======================================================================================== =======================================================
+:zeek:id:`Cluster::logger_pool`: :zeek:type:`Cluster::Pool`                              A pool containing all the logger nodes of a cluster.
+:zeek:id:`Cluster::logger_pool_spec`: :zeek:type:`Cluster::PoolSpec` :zeek:attr:`&redef` The specification for :zeek:see:`Cluster::logger_pool`.
+:zeek:id:`Cluster::proxy_pool`: :zeek:type:`Cluster::Pool`                               A pool containing all the proxy nodes of a cluster.
+:zeek:id:`Cluster::proxy_pool_spec`: :zeek:type:`Cluster::PoolSpec` :zeek:attr:`&redef`  The specification for :zeek:see:`Cluster::proxy_pool`.
+:zeek:id:`Cluster::worker_pool`: :zeek:type:`Cluster::Pool`                              A pool containing all the worker nodes of a cluster.
+:zeek:id:`Cluster::worker_pool_spec`: :zeek:type:`Cluster::PoolSpec` :zeek:attr:`&redef` The specification for :zeek:see:`Cluster::worker_pool`.
+======================================================================================== =======================================================
+
+Types
+#####
+========================================================= ===========================================================
+:zeek:type:`Cluster::PoolNode`: :zeek:type:`record`       Store state of a cluster within the context of a work pool.
+:zeek:type:`Cluster::PoolNodeTable`: :zeek:type:`table`   
+:zeek:type:`Cluster::PoolSpec`: :zeek:type:`record`       A pool specification.
+:zeek:type:`Cluster::RoundRobinTable`: :zeek:type:`table` 
+========================================================= ===========================================================
+
+Functions
+#########
+======================================================== ======================================================================
+:zeek:id:`Cluster::hrw_topic`: :zeek:type:`function`     Retrieve the topic associated with the node mapped via Rendezvous hash
+                                                         of an arbitrary key.
+:zeek:id:`Cluster::register_pool`: :zeek:type:`function` Registers and initializes a pool.
+:zeek:id:`Cluster::rr_log_topic`: :zeek:type:`function`  Distributes log message topics among logger nodes via round-robin.
+:zeek:id:`Cluster::rr_topic`: :zeek:type:`function`      Retrieve the topic associated with the node in a round-robin fashion.
+======================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+State Variables
+###############
+.. zeek:id:: Cluster::logger_pool
+   :source-code: base/frameworks/cluster/pools.zeek 91 91
+
+   :Type: :zeek:type:`Cluster::Pool`
+   :Default:
+
+      ::
+
+         {
+            spec=[topic=<uninitialized>, node_type=<uninitialized>, max_nodes=<uninitialized>, exclusive=F]
+            nodes={
+
+            }
+            node_list=[]
+            hrw_pool=[sites={
+
+            }]
+            rr_key_seq={
+
+            }
+            alive_count=0
+         }
+
+
+   A pool containing all the logger nodes of a cluster.
+   The pool's node membership/availability is automatically
+   maintained by the cluster framework.
+
+.. zeek:id:: Cluster::logger_pool_spec
+   :source-code: base/frameworks/cluster/pools.zeek 74 74
+
+   :Type: :zeek:type:`Cluster::PoolSpec`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            topic="zeek/cluster/pool/logger"
+            node_type=Cluster::LOGGER
+            max_nodes=<uninitialized>
+            exclusive=F
+         }
+
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         Cluster::PoolSpec($topic=zeek.cluster.pool.logger, $node_type=Cluster::LOGGER)
+
+
+   The specification for :zeek:see:`Cluster::logger_pool`.
+
+.. zeek:id:: Cluster::proxy_pool
+   :source-code: base/frameworks/cluster/pools.zeek 81 81
+
+   :Type: :zeek:type:`Cluster::Pool`
+   :Default:
+
+      ::
+
+         {
+            spec=[topic=<uninitialized>, node_type=<uninitialized>, max_nodes=<uninitialized>, exclusive=F]
+            nodes={
+
+            }
+            node_list=[]
+            hrw_pool=[sites={
+
+            }]
+            rr_key_seq={
+
+            }
+            alive_count=0
+         }
+
+
+   A pool containing all the proxy nodes of a cluster.
+   The pool's node membership/availability is automatically
+   maintained by the cluster framework.
+
+.. zeek:id:: Cluster::proxy_pool_spec
+   :source-code: base/frameworks/cluster/pools.zeek 64 64
+
+   :Type: :zeek:type:`Cluster::PoolSpec`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            topic="zeek/cluster/pool/proxy"
+            node_type=Cluster::PROXY
+            max_nodes=<uninitialized>
+            exclusive=F
+         }
+
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         Cluster::PoolSpec($topic=zeek.cluster.pool.proxy, $node_type=Cluster::PROXY)
+
+
+   The specification for :zeek:see:`Cluster::proxy_pool`.
+
+.. zeek:id:: Cluster::worker_pool
+   :source-code: base/frameworks/cluster/pools.zeek 86 86
+
+   :Type: :zeek:type:`Cluster::Pool`
+   :Default:
+
+      ::
+
+         {
+            spec=[topic=<uninitialized>, node_type=<uninitialized>, max_nodes=<uninitialized>, exclusive=F]
+            nodes={
+
+            }
+            node_list=[]
+            hrw_pool=[sites={
+
+            }]
+            rr_key_seq={
+
+            }
+            alive_count=0
+         }
+
+
+   A pool containing all the worker nodes of a cluster.
+   The pool's node membership/availability is automatically
+   maintained by the cluster framework.
+
+.. zeek:id:: Cluster::worker_pool_spec
+   :source-code: base/frameworks/cluster/pools.zeek 69 69
+
+   :Type: :zeek:type:`Cluster::PoolSpec`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            topic="zeek/cluster/pool/worker"
+            node_type=Cluster::WORKER
+            max_nodes=<uninitialized>
+            exclusive=F
+         }
+
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         Cluster::PoolSpec($topic=zeek.cluster.pool.worker, $node_type=Cluster::WORKER)
+
+
+   The specification for :zeek:see:`Cluster::worker_pool`.
+
+Types
+#####
+.. zeek:type:: Cluster::PoolNode
+   :source-code: base/frameworks/cluster/pools.zeek 11 23
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      The node name (e.g. "manager").
+
+
+   .. zeek:field:: alias :zeek:type:`string`
+
+      An alias of *name* used to prevent hashing collisions when creating
+      *site_id*.
+
+
+   .. zeek:field:: site_id :zeek:type:`count`
+
+      A 32-bit unique identifier for the pool node, derived from name/alias.
+
+
+   .. zeek:field:: alive :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Whether the node is currently alive and can receive work.
+
+
+   .. zeek:field:: topic :zeek:type:`string`
+
+      The pre-computed result from Cluster::node_topic
+
+
+   Store state of a cluster within the context of a work pool.
+
+.. zeek:type:: Cluster::PoolNodeTable
+   :source-code: base/frameworks/cluster/pools.zeek 42 42
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Cluster::PoolNode`
+
+
+.. zeek:type:: Cluster::PoolSpec
+   :source-code: base/frameworks/cluster/pools.zeek 26 40
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: topic :zeek:type:`string`
+
+      A topic string that can be used to reach all nodes within a pool.
+
+
+   .. zeek:field:: node_type :zeek:type:`Cluster::NodeType`
+
+      The type of nodes that are contained within the pool.
+
+
+   .. zeek:field:: max_nodes :zeek:type:`count` :zeek:attr:`&optional`
+
+      The maximum number of nodes that may belong to the pool.
+      If not set, then all available nodes will be added to the pool,
+      else the cluster framework will automatically limit the pool
+      membership according to the threshold.
+
+
+   .. zeek:field:: exclusive :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Whether the pool requires exclusive access to nodes.  If true,
+      then *max_nodes* nodes will not be assigned to any other pool.
+      When using this flag, *max_nodes* must also be set.
+
+
+   A pool specification.
+
+.. zeek:type:: Cluster::RoundRobinTable
+   :source-code: base/frameworks/cluster/pools.zeek 43 43
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`int`
+
+
+Functions
+#########
+.. zeek:id:: Cluster::hrw_topic
+   :source-code: base/frameworks/cluster/pools.zeek 170 178
+
+   :Type: :zeek:type:`function` (pool: :zeek:type:`Cluster::Pool`, key: :zeek:type:`any`) : :zeek:type:`string`
+
+   Retrieve the topic associated with the node mapped via Rendezvous hash
+   of an arbitrary key.
+   
+
+   :param pool: the pool of nodes to consider.
+   
+
+   :param key: data used for input to the hashing function that will uniformly
+        distribute keys among available nodes.
+   
+
+   :returns: a topic string associated with a cluster node that is alive
+            or an empty string if nothing is alive.
+
+.. zeek:id:: Cluster::register_pool
+   :source-code: base/frameworks/cluster/pools.zeek 163 168
+
+   :Type: :zeek:type:`function` (spec: :zeek:type:`Cluster::PoolSpec`) : :zeek:type:`Cluster::Pool`
+
+   Registers and initializes a pool.
+
+.. zeek:id:: Cluster::rr_log_topic
+   :source-code: base/frameworks/cluster/pools.zeek 216 225
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, path: :zeek:type:`string`) : :zeek:type:`string`
+
+   Distributes log message topics among logger nodes via round-robin.
+   This will be automatically assigned to :zeek:see:`Broker::log_topic`
+   if :zeek:see:`Cluster::enable_round_robin_logging` is enabled.
+   If no logger nodes are active, then this will return the value
+   of :zeek:see:`Broker::default_log_topic`.
+
+.. zeek:id:: Cluster::rr_topic
+   :source-code: base/frameworks/cluster/pools.zeek 180 214
+
+   :Type: :zeek:type:`function` (pool: :zeek:type:`Cluster::Pool`, key: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Retrieve the topic associated with the node in a round-robin fashion.
+   
+
+   :param pool: the pool of nodes to consider.
+   
+
+   :param key: an arbitrary string to identify the purpose for which you're
+        requesting the topic.  e.g. consider using a name-spaced key
+        like "Intel::cluster_rr_key" if you need to guarantee that
+        a group of messages get distributed in a well-defined pattern
+        without other messages being interleaved within the round-robin.
+        Usually sharing the default key is fine for load-balancing
+        purposes.
+   
+
+   :returns: a topic string associated with a cluster node that is alive,
+            or an empty string if nothing is alive.
+
+
diff --git a/doc/scripts/base/frameworks/cluster/telemetry.zeek.rst b/doc/scripts/base/frameworks/cluster/telemetry.zeek.rst
new file mode 100644
index 0000000000..308e093547
--- /dev/null
+++ b/doc/scripts/base/frameworks/cluster/telemetry.zeek.rst
@@ -0,0 +1,127 @@
+:tocdepth: 3
+
+base/frameworks/cluster/telemetry.zeek
+======================================
+.. zeek:namespace:: Cluster::Telemetry
+
+
+:Namespace: Cluster::Telemetry
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================================================= =================================================================
+:zeek:id:`Cluster::Telemetry::core_metrics`: :zeek:type:`set` :zeek:attr:`&redef`                                 The telemetry types to enable for the core backend.
+:zeek:id:`Cluster::Telemetry::message_size_bounds`: :zeek:type:`vector` :zeek:attr:`&redef`                       For the DEBUG metrics, the histogram buckets to use.
+:zeek:id:`Cluster::Telemetry::topic_normalizations`: :zeek:type:`table` :zeek:attr:`&ordered` :zeek:attr:`&redef` Table used for normalizing topic names that contain random parts.
+:zeek:id:`Cluster::Telemetry::websocket_metrics`: :zeek:type:`set` :zeek:attr:`&redef`                            The telemetry types to enable for WebSocket backends.
+================================================================================================================= =================================================================
+
+Types
+#####
+======================================================== =============================
+:zeek:type:`Cluster::Telemetry::Type`: :zeek:type:`enum` Module for cluster telemetry.
+======================================================== =============================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Cluster::Telemetry::core_metrics
+   :source-code: base/frameworks/cluster/telemetry.zeek 19 19
+
+   :Type: :zeek:type:`set` [:zeek:type:`Cluster::Telemetry::Type`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            Cluster::Telemetry::INFO
+         }
+
+
+   The telemetry types to enable for the core backend.
+
+.. zeek:id:: Cluster::Telemetry::message_size_bounds
+   :source-code: base/frameworks/cluster/telemetry.zeek 36 36
+
+   :Type: :zeek:type:`vector` of :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         [10.0, 50.0, 100.0, 500.0, 1000.0, 5000.0, 10000.0, 50000.0]
+
+
+   For the DEBUG metrics, the histogram buckets to use.
+
+.. zeek:id:: Cluster::Telemetry::topic_normalizations
+   :source-code: base/frameworks/cluster/telemetry.zeek 31 31
+
+   :Type: :zeek:type:`table` [:zeek:type:`pattern`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&ordered` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [/^?(^zeek\/cluster\/nodeid\/.*)$?/] = "zeek/cluster/nodeid/__normalized__"
+         }
+
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``+=``::
+
+         /^?(^zeek\.cluster\.nodeid\..*)$?/ = zeek.cluster.nodeid.__normalized__
+
+
+   Table used for normalizing topic names that contain random parts.
+   Map to an empty string to skip recording a specific metric
+   completely.
+
+.. zeek:id:: Cluster::Telemetry::websocket_metrics
+   :source-code: base/frameworks/cluster/telemetry.zeek 24 24
+
+   :Type: :zeek:type:`set` [:zeek:type:`Cluster::Telemetry::Type`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            Cluster::Telemetry::INFO
+         }
+
+
+   The telemetry types to enable for WebSocket backends.
+
+Types
+#####
+.. zeek:type:: Cluster::Telemetry::Type
+   :source-code: base/frameworks/cluster/telemetry.zeek 5 17
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Cluster::Telemetry::INFO Cluster::Telemetry::Type
+
+         Creates counter metrics for incoming and for outgoing
+         events without labels.
+
+      .. zeek:enum:: Cluster::Telemetry::VERBOSE Cluster::Telemetry::Type
+
+         Creates counter metrics for incoming and outgoing events
+         labeled with handler and normalized topic names.
+
+      .. zeek:enum:: Cluster::Telemetry::DEBUG Cluster::Telemetry::Type
+
+         Creates histogram metrics using the serialized message size
+         for events, labeled by topic, handler and script location
+         (outgoing only).
+
+   Module for cluster telemetry.
+
+
diff --git a/doc/scripts/base/frameworks/config/__load__.zeek.rst b/doc/scripts/base/frameworks/config/__load__.zeek.rst
new file mode 100644
index 0000000000..a1970a485a
--- /dev/null
+++ b/doc/scripts/base/frameworks/config/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/config/__load__.zeek
+====================================
+
+
+:Imports: :doc:`base/frameworks/config/input.zeek </scripts/base/frameworks/config/input.zeek>`, :doc:`base/frameworks/config/main.zeek </scripts/base/frameworks/config/main.zeek>`, :doc:`base/frameworks/config/weird.zeek </scripts/base/frameworks/config/weird.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/config/index.rst b/doc/scripts/base/frameworks/config/index.rst
new file mode 100644
index 0000000000..8201a08a54
--- /dev/null
+++ b/doc/scripts/base/frameworks/config/index.rst
@@ -0,0 +1,25 @@
+:orphan:
+
+Package: base/frameworks/config
+===============================
+
+The configuration framework provides a way to change the Zeek configuration
+in "option" values at run-time.
+
+:doc:`/scripts/base/frameworks/config/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/config/main.zeek`
+
+   The configuration framework provides a way to change Zeek options
+   (as specified by the "option" keyword) at runtime. It also logs runtime
+   changes to options to config.log.
+
+:doc:`/scripts/base/frameworks/config/input.zeek`
+
+   File input for the configuration framework using the input framework.
+
+:doc:`/scripts/base/frameworks/config/weird.zeek`
+
+   This script sets up the config framework change handlers for weirds.
+
diff --git a/doc/scripts/base/frameworks/config/input.zeek.rst b/doc/scripts/base/frameworks/config/input.zeek.rst
new file mode 100644
index 0000000000..180fb0404e
--- /dev/null
+++ b/doc/scripts/base/frameworks/config/input.zeek.rst
@@ -0,0 +1,56 @@
+:tocdepth: 3
+
+base/frameworks/config/input.zeek
+=================================
+.. zeek:namespace:: Config
+
+File input for the configuration framework using the input framework.
+
+:Namespace: Config
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/config/main.zeek </scripts/base/frameworks/config/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+===================================================================== ===============================================
+:zeek:id:`Config::config_files`: :zeek:type:`set` :zeek:attr:`&redef` Configuration files that will be read off disk.
+===================================================================== ===============================================
+
+Functions
+#########
+===================================================== ===================================================================
+:zeek:id:`Config::read_config`: :zeek:type:`function` Read specified configuration file and apply values; updates to file
+                                                      are not tracked.
+===================================================== ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Config::config_files
+   :source-code: base/frameworks/config/input.zeek 15 15
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Configuration files that will be read off disk. Files are reread
+   every time they are updated so updates should be atomic with "mv"
+   instead of writing the file in place.
+   
+   If the same configuration option is defined in several files with
+   different values, behavior is unspecified.
+
+Functions
+#########
+.. zeek:id:: Config::read_config
+   :source-code: base/frameworks/config/input.zeek 61 77
+
+   :Type: :zeek:type:`function` (filename: :zeek:type:`string`) : :zeek:type:`void`
+
+   Read specified configuration file and apply values; updates to file
+   are not tracked.
+
+
diff --git a/doc/scripts/base/frameworks/config/main.zeek.rst b/doc/scripts/base/frameworks/config/main.zeek.rst
new file mode 100644
index 0000000000..907c93515d
--- /dev/null
+++ b/doc/scripts/base/frameworks/config/main.zeek.rst
@@ -0,0 +1,132 @@
+:tocdepth: 3
+
+base/frameworks/config/main.zeek
+================================
+.. zeek:namespace:: Config
+
+The configuration framework provides a way to change Zeek options
+(as specified by the "option" keyword) at runtime. It also logs runtime
+changes to options to config.log.
+
+:Namespace: Config
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================== ==================================
+:zeek:type:`Config::Info`: :zeek:type:`record` Represents the data in config.log.
+============================================== ==================================
+
+Redefinitions
+#############
+======================================= =====================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` The config logging stream identifier.
+                                        
+                                        * :zeek:enum:`Config::LOG`
+======================================= =====================================
+
+Events
+######
+================================================= =================================================================
+:zeek:id:`Config::log_config`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`Config::Info`
+                                                  record as it is sent on to the logging framework.
+================================================= =================================================================
+
+Hooks
+#####
+=========================================================== =============================================
+:zeek:id:`Config::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+=========================================================== =============================================
+
+Functions
+#########
+=================================================== ==================================================================
+:zeek:id:`Config::set_value`: :zeek:type:`function` This function is the config framework layer around the lower-level
+                                                    :zeek:see:`Option::set` call.
+=================================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Config::Info
+   :source-code: base/frameworks/config/main.zeek 17 28
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp at which the configuration change occurred.
+
+
+   .. zeek:field:: id :zeek:type:`string` :zeek:attr:`&log`
+
+      ID of the value that was changed.
+
+
+   .. zeek:field:: old_value :zeek:type:`string` :zeek:attr:`&log`
+
+      Value before the change.
+
+
+   .. zeek:field:: new_value :zeek:type:`string` :zeek:attr:`&log`
+
+      Value after the change.
+
+
+   .. zeek:field:: location :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Optional location that triggered the change.
+
+
+   Represents the data in config.log.
+
+Events
+######
+.. zeek:id:: Config::log_config
+   :source-code: base/frameworks/config/main.zeek 32 32
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Config::Info`)
+
+   Event that can be handled to access the :zeek:type:`Config::Info`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Config::log_policy
+   :source-code: base/frameworks/config/main.zeek 14 14
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+Functions
+#########
+.. zeek:id:: Config::set_value
+   :source-code: base/frameworks/config/main.zeek 99 102
+
+   :Type: :zeek:type:`function` (ID: :zeek:type:`string`, val: :zeek:type:`any`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   This function is the config framework layer around the lower-level
+   :zeek:see:`Option::set` call. Config::set_value will set the configuration
+   value for all nodes in the cluster, no matter where it was called. Note
+   that :zeek:see:`Option::set` does not distribute configuration changes
+   to other nodes.
+   
+
+   :param ID: The ID of the option to update.
+   
+
+   :param val: The new value of the option.
+   
+
+   :param location: Optional parameter detailing where this change originated from.
+   
+
+   :returns: true on success, false when an error occurs.
+
+
diff --git a/doc/scripts/base/frameworks/config/weird.zeek.rst b/doc/scripts/base/frameworks/config/weird.zeek.rst
new file mode 100644
index 0000000000..66633c8fbe
--- /dev/null
+++ b/doc/scripts/base/frameworks/config/weird.zeek.rst
@@ -0,0 +1,17 @@
+:tocdepth: 3
+
+base/frameworks/config/weird.zeek
+=================================
+.. zeek:namespace:: Config
+
+This script sets up the config framework change handlers for weirds.
+
+:Namespace: Config
+:Imports: :doc:`base/frameworks/config/main.zeek </scripts/base/frameworks/config/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/control/__load__.zeek.rst b/doc/scripts/base/frameworks/control/__load__.zeek.rst
new file mode 100644
index 0000000000..49ab28fdf1
--- /dev/null
+++ b/doc/scripts/base/frameworks/control/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/control/__load__.zeek
+=====================================
+
+
+:Imports: :doc:`base/frameworks/control/main.zeek </scripts/base/frameworks/control/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/control/index.rst b/doc/scripts/base/frameworks/control/index.rst
new file mode 100644
index 0000000000..3c4c2b3b92
--- /dev/null
+++ b/doc/scripts/base/frameworks/control/index.rst
@@ -0,0 +1,18 @@
+:orphan:
+
+Package: base/frameworks/control
+================================
+
+The control framework provides the foundation for providing "commands"
+that can be taken remotely at runtime to modify a running Zeek instance
+or collect information from the running instance.
+
+:doc:`/scripts/base/frameworks/control/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/control/main.zeek`
+
+   The control framework provides the foundation for providing "commands"
+   that can be taken remotely at runtime to modify a running Zeek instance
+   or collect information from the running instance.
+
diff --git a/doc/scripts/base/frameworks/control/main.zeek.rst b/doc/scripts/base/frameworks/control/main.zeek.rst
new file mode 100644
index 0000000000..ebd7f3e83a
--- /dev/null
+++ b/doc/scripts/base/frameworks/control/main.zeek.rst
@@ -0,0 +1,239 @@
+:tocdepth: 3
+
+base/frameworks/control/main.zeek
+=================================
+.. zeek:namespace:: Control
+
+The control framework provides the foundation for providing "commands"
+that can be taken remotely at runtime to modify a running Zeek instance
+or collect information from the running instance.
+
+:Namespace: Control
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================ ================================================================
+:zeek:id:`Control::arg`: :zeek:type:`string` :zeek:attr:`&redef`             This can be used by commands that take an argument.
+:zeek:id:`Control::cmd`: :zeek:type:`string` :zeek:attr:`&redef`             The command that is being done.
+:zeek:id:`Control::commands`: :zeek:type:`set` :zeek:attr:`&redef`           The commands that can currently be given on the command line for
+                                                                             remote control.
+:zeek:id:`Control::controllee_listen`: :zeek:type:`bool` :zeek:attr:`&redef` Whether the controllee should call :zeek:see:`Broker::listen`.
+:zeek:id:`Control::host`: :zeek:type:`addr` :zeek:attr:`&redef`              The address of the host that will be controlled.
+:zeek:id:`Control::host_port`: :zeek:type:`port` :zeek:attr:`&redef`         The port of the host that will be controlled.
+:zeek:id:`Control::zone_id`: :zeek:type:`string` :zeek:attr:`&redef`         If :zeek:id:`Control::host` is a non-global IPv6 address and
+                                                                             requires a specific :rfc:`4007` ``zone_id``, it can be set here.
+============================================================================ ================================================================
+
+Constants
+#########
+===================================================== =================================================================
+:zeek:id:`Control::ignore_ids`: :zeek:type:`set`      Variable IDs that are to be ignored by the update process.
+:zeek:id:`Control::topic_prefix`: :zeek:type:`string` The topic prefix used for exchanging control messages via Broker.
+===================================================== =================================================================
+
+Events
+######
+===================================================================== =====================================================================
+:zeek:id:`Control::configuration_update`: :zeek:type:`event`          This event is a wrapper and alias for the
+                                                                      :zeek:id:`Control::configuration_update_request` event.
+:zeek:id:`Control::configuration_update_request`: :zeek:type:`event`  Inform the remote Zeek instance that it's configuration may have been
+                                                                      updated.
+:zeek:id:`Control::configuration_update_response`: :zeek:type:`event` Message in response to a configuration update request.
+:zeek:id:`Control::id_value_request`: :zeek:type:`event`              Event for requesting the value of an ID (a variable).
+:zeek:id:`Control::id_value_response`: :zeek:type:`event`             Event for returning the value of an ID after an
+                                                                      :zeek:id:`Control::id_value_request` event.
+:zeek:id:`Control::net_stats_request`: :zeek:type:`event`             Requests the current net_stats.
+:zeek:id:`Control::net_stats_response`: :zeek:type:`event`            Returns the current net_stats.
+:zeek:id:`Control::peer_status_request`: :zeek:type:`event`           Requests the current communication status.
+:zeek:id:`Control::peer_status_response`: :zeek:type:`event`          Returns the current communication status.
+:zeek:id:`Control::shutdown_request`: :zeek:type:`event`              Requests that the Zeek instance begins shutting down.
+:zeek:id:`Control::shutdown_response`: :zeek:type:`event`             Message in response to a shutdown request.
+===================================================================== =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Control::arg
+   :source-code: base/frameworks/control/main.zeek 30 30
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   This can be used by commands that take an argument.
+
+.. zeek:id:: Control::cmd
+   :source-code: base/frameworks/control/main.zeek 27 27
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The command that is being done.  It's typically set on the
+   command line.
+
+.. zeek:id:: Control::commands
+   :source-code: base/frameworks/control/main.zeek 34 34
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "peer_status",
+            "id_value",
+            "net_stats",
+            "configuration_update",
+            "shutdown"
+         }
+
+
+   The commands that can currently be given on the command line for
+   remote control.
+
+.. zeek:id:: Control::controllee_listen
+   :source-code: base/frameworks/control/main.zeek 13 13
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether the controllee should call :zeek:see:`Broker::listen`.
+   In a cluster, this isn't needed since the setup process calls it.
+
+.. zeek:id:: Control::host
+   :source-code: base/frameworks/control/main.zeek 16 16
+
+   :Type: :zeek:type:`addr`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0.0.0.0``
+
+   The address of the host that will be controlled.
+
+.. zeek:id:: Control::host_port
+   :source-code: base/frameworks/control/main.zeek 19 19
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0/tcp``
+
+   The port of the host that will be controlled.
+
+.. zeek:id:: Control::zone_id
+   :source-code: base/frameworks/control/main.zeek 23 23
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   If :zeek:id:`Control::host` is a non-global IPv6 address and
+   requires a specific :rfc:`4007` ``zone_id``, it can be set here.
+
+Constants
+#########
+.. zeek:id:: Control::ignore_ids
+   :source-code: base/frameworks/control/main.zeek 43 43
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Default: ``{}``
+
+   Variable IDs that are to be ignored by the update process.
+
+.. zeek:id:: Control::topic_prefix
+   :source-code: base/frameworks/control/main.zeek 9 9
+
+   :Type: :zeek:type:`string`
+   :Default: ``"zeek/control"``
+
+   The topic prefix used for exchanging control messages via Broker.
+
+Events
+######
+.. zeek:id:: Control::configuration_update
+   :source-code: policy/frameworks/software/vulnerable.zeek 125 128
+
+   :Type: :zeek:type:`event` ()
+
+   This event is a wrapper and alias for the
+   :zeek:id:`Control::configuration_update_request` event.
+   This event is also a primary hooking point for the control framework.
+
+.. zeek:id:: Control::configuration_update_request
+   :source-code: policy/frameworks/control/controllee.zeek 63 74
+
+   :Type: :zeek:type:`event` ()
+
+   Inform the remote Zeek instance that it's configuration may have been
+   updated.
+
+.. zeek:id:: Control::configuration_update_response
+   :source-code: policy/frameworks/control/controller.zeek 45 48
+
+   :Type: :zeek:type:`event` ()
+
+   Message in response to a configuration update request.
+
+.. zeek:id:: Control::id_value_request
+   :source-code: policy/frameworks/control/controllee.zeek 26 31
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`string`)
+
+   Event for requesting the value of an ID (a variable).
+
+.. zeek:id:: Control::id_value_response
+   :source-code: policy/frameworks/control/controller.zeek 30 33
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`string`, val: :zeek:type:`string`)
+
+   Event for returning the value of an ID after an
+   :zeek:id:`Control::id_value_request` event.
+
+.. zeek:id:: Control::net_stats_request
+   :source-code: policy/frameworks/control/controllee.zeek 54 61
+
+   :Type: :zeek:type:`event` ()
+
+   Requests the current net_stats.
+
+.. zeek:id:: Control::net_stats_response
+   :source-code: policy/frameworks/control/controller.zeek 40 43
+
+   :Type: :zeek:type:`event` (s: :zeek:type:`string`)
+
+   Returns the current net_stats.
+
+.. zeek:id:: Control::peer_status_request
+   :source-code: policy/frameworks/control/controllee.zeek 33 52
+
+   :Type: :zeek:type:`event` ()
+
+   Requests the current communication status.
+
+.. zeek:id:: Control::peer_status_response
+   :source-code: policy/frameworks/control/controller.zeek 35 38
+
+   :Type: :zeek:type:`event` (s: :zeek:type:`string`)
+
+   Returns the current communication status.
+
+.. zeek:id:: Control::shutdown_request
+   :source-code: policy/frameworks/control/controllee.zeek 76 83
+
+   :Type: :zeek:type:`event` ()
+
+   Requests that the Zeek instance begins shutting down.
+
+.. zeek:id:: Control::shutdown_response
+   :source-code: policy/frameworks/control/controller.zeek 50 53
+
+   :Type: :zeek:type:`event` ()
+
+   Message in response to a shutdown request.
+
+
diff --git a/doc/scripts/base/frameworks/files/__load__.zeek.rst b/doc/scripts/base/frameworks/files/__load__.zeek.rst
new file mode 100644
index 0000000000..e305b2ae00
--- /dev/null
+++ b/doc/scripts/base/frameworks/files/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/files/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/frameworks/files/magic </scripts/base/frameworks/files/magic/index>`, :doc:`base/frameworks/files/main.zeek </scripts/base/frameworks/files/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/files/index.rst b/doc/scripts/base/frameworks/files/index.rst
new file mode 100644
index 0000000000..cc910e7f00
--- /dev/null
+++ b/doc/scripts/base/frameworks/files/index.rst
@@ -0,0 +1,20 @@
+:orphan:
+
+Package: base/frameworks/files
+==============================
+
+The file analysis framework provides an interface for driving the analysis
+of files, possibly independent of any network protocol over which they're
+transported.
+
+:doc:`/scripts/base/frameworks/files/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/files/main.zeek`
+
+   An interface for driving the analysis of files, possibly independent of
+   any network protocol over which they're transported.
+
+:doc:`/scripts/base/frameworks/files/magic/__load__.zeek`
+
+
diff --git a/doc/scripts/base/frameworks/files/magic/__load__.zeek.rst b/doc/scripts/base/frameworks/files/magic/__load__.zeek.rst
new file mode 100644
index 0000000000..bfdf1ca525
--- /dev/null
+++ b/doc/scripts/base/frameworks/files/magic/__load__.zeek.rst
@@ -0,0 +1,13 @@
+:tocdepth: 3
+
+base/frameworks/files/magic/__load__.zeek
+=========================================
+
+
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/files/magic/index.rst b/doc/scripts/base/frameworks/files/magic/index.rst
new file mode 100644
index 0000000000..f25b0eea68
--- /dev/null
+++ b/doc/scripts/base/frameworks/files/magic/index.rst
@@ -0,0 +1,9 @@
+:orphan:
+
+Package: base/frameworks/files/magic
+====================================
+
+
+:doc:`/scripts/base/frameworks/files/magic/__load__.zeek`
+
+
diff --git a/doc/scripts/base/frameworks/files/main.zeek.rst b/doc/scripts/base/frameworks/files/main.zeek.rst
new file mode 100644
index 0000000000..be73e53c04
--- /dev/null
+++ b/doc/scripts/base/frameworks/files/main.zeek.rst
@@ -0,0 +1,732 @@
+:tocdepth: 3
+
+base/frameworks/files/main.zeek
+===============================
+.. zeek:namespace:: Files
+
+An interface for driving the analysis of files, possibly independent of
+any network protocol over which they're transported.
+
+:Namespace: Files
+:Imports: :doc:`base/bif/file_analysis.bif.zeek </scripts/base/bif/file_analysis.bif.zeek>`, :doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`, :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`, :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=========================================================================== ========================================
+:zeek:id:`Files::enable_reassembler`: :zeek:type:`bool` :zeek:attr:`&redef` The default setting for file reassembly.
+=========================================================================== ========================================
+
+Redefinable Options
+###################
+=========================================================================================== ================================================================
+:zeek:id:`Files::analyze_by_mime_type_automatically`: :zeek:type:`bool` :zeek:attr:`&redef` Decide if you want to automatically attached analyzers to
+                                                                                            files based on the detected mime type of the file.
+:zeek:id:`Files::disable`: :zeek:type:`table` :zeek:attr:`&redef`                           A table that can be used to disable file analysis completely for
+                                                                                            any files transferred over given network protocol analyzers.
+:zeek:id:`Files::reassembly_buffer_size`: :zeek:type:`count` :zeek:attr:`&redef`            The default per-file reassembly buffer size.
+=========================================================================================== ================================================================
+
+Types
+#####
+========================================================================= ==============================================================
+:zeek:type:`Files::AnalyzerArgs`: :zeek:type:`record` :zeek:attr:`&redef` A structure which parameterizes a type of file analysis.
+:zeek:type:`Files::Info`: :zeek:type:`record` :zeek:attr:`&redef`         Contains all metadata related to the analysis of a given file.
+:zeek:type:`Files::ProtoRegistration`: :zeek:type:`record`                
+========================================================================= ==============================================================
+
+Redefinitions
+#############
+============================================================= =======================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                       
+                                                              
+                                                              * :zeek:enum:`Files::LOG`:
+                                                                Logging stream for file analysis.
+:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                              
+                                                              :New Fields: :zeek:type:`fa_file`
+                                                              
+                                                                info: :zeek:type:`Files::Info` :zeek:attr:`&optional`
+============================================================= =======================================================
+
+Events
+######
+=============================================== ====================================================================
+:zeek:id:`Files::log_files`: :zeek:type:`event` Event that can be handled to access the Info record as it is sent on
+                                                to the logging framework.
+=============================================== ====================================================================
+
+Hooks
+#####
+========================================================== =============================================
+:zeek:id:`Files::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+========================================================== =============================================
+
+Functions
+#########
+======================================================================= =============================================================================
+:zeek:id:`Files::add_analyzer`: :zeek:type:`function`                   Adds an analyzer to the analysis of a given file.
+:zeek:id:`Files::all_registered_mime_types`: :zeek:type:`function`      Returns a table of all MIME-type-to-analyzer mappings currently registered.
+:zeek:id:`Files::analyzer_enabled`: :zeek:type:`function`               Checks whether a file analyzer is generally enabled.
+:zeek:id:`Files::analyzer_name`: :zeek:type:`function`                  Translates a file analyzer enum value to a string with the
+                                                                        analyzer's name.
+:zeek:id:`Files::describe`: :zeek:type:`function`                       Provides a text description regarding metadata of the file.
+:zeek:id:`Files::disable_analyzer`: :zeek:type:`function`               Disables a file analyzer.
+:zeek:id:`Files::disable_reassembly`: :zeek:type:`function`             Disables the file reassembler on this file.
+:zeek:id:`Files::enable_analyzer`: :zeek:type:`function`                Enables a file analyzer.
+:zeek:id:`Files::enable_reassembly`: :zeek:type:`function`              Allows the file reassembler to be used if it's necessary because the
+                                                                        file is transferred out of order.
+:zeek:id:`Files::file_exists`: :zeek:type:`function`                    Lookup to see if a particular file id exists and is still valid.
+:zeek:id:`Files::lookup_file`: :zeek:type:`function`                    Lookup an :zeek:see:`fa_file` record with the file id.
+:zeek:id:`Files::register_analyzer_add_callback`: :zeek:type:`function` Register a callback for file analyzers to use if they need to do some
+                                                                        manipulation when they are being added to a file before the core code
+                                                                        takes over.
+:zeek:id:`Files::register_for_mime_type`: :zeek:type:`function`         Registers a MIME type for an analyzer.
+:zeek:id:`Files::register_for_mime_types`: :zeek:type:`function`        Registers a set of MIME types for an analyzer.
+:zeek:id:`Files::register_protocol`: :zeek:type:`function`              Register callbacks for protocols that work with the Files framework.
+:zeek:id:`Files::registered_mime_types`: :zeek:type:`function`          Returns a set of all MIME types currently registered for a specific analyzer.
+:zeek:id:`Files::remove_analyzer`: :zeek:type:`function`                Removes an analyzer from the analysis of a given file.
+:zeek:id:`Files::set_reassembly_buffer_size`: :zeek:type:`function`     Set the maximum size the reassembly buffer is allowed to grow
+                                                                        for the given file.
+:zeek:id:`Files::set_timeout_interval`: :zeek:type:`function`           Sets the *timeout_interval* field of :zeek:see:`fa_file`, which is
+                                                                        used to determine the length of inactivity that is allowed for a file
+                                                                        before internal state related to it is cleaned up.
+:zeek:id:`Files::stop`: :zeek:type:`function`                           Stops/ignores any further analysis of a given file.
+======================================================================= =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Files::enable_reassembler
+   :source-code: base/frameworks/files/main.zeek 127 127
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   The default setting for file reassembly.
+
+Redefinable Options
+###################
+.. zeek:id:: Files::analyze_by_mime_type_automatically
+   :source-code: base/frameworks/files/main.zeek 124 124
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Decide if you want to automatically attached analyzers to
+   files based on the detected mime type of the file.
+
+.. zeek:id:: Files::disable
+   :source-code: base/frameworks/files/main.zeek 120 120
+
+   :Type: :zeek:type:`table` [:zeek:type:`Files::Tag`] of :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   A table that can be used to disable file analysis completely for
+   any files transferred over given network protocol analyzers.
+
+.. zeek:id:: Files::reassembly_buffer_size
+   :source-code: base/frameworks/files/main.zeek 130 130
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``524288``
+
+   The default per-file reassembly buffer size.
+
+Types
+#####
+.. zeek:type:: Files::AnalyzerArgs
+   :source-code: base/frameworks/files/main.zeek 21 32
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: chunk_event :zeek:type:`event` (f: :zeek:type:`fa_file`, data: :zeek:type:`string`, off: :zeek:type:`count`) :zeek:attr:`&optional`
+
+      An event which will be generated for all new file contents,
+      chunk-wise.  Used when *tag* (in the
+      :zeek:see:`Files::add_analyzer` function) is
+      :zeek:see:`Files::ANALYZER_DATA_EVENT`.
+
+
+   .. zeek:field:: stream_event :zeek:type:`event` (f: :zeek:type:`fa_file`, data: :zeek:type:`string`) :zeek:attr:`&optional`
+
+      An event which will be generated for all new file contents,
+      stream-wise.  Used when *tag* is
+      :zeek:see:`Files::ANALYZER_DATA_EVENT`.
+
+
+   .. zeek:field:: extract_filename :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/files/extract/main.zeek` is loaded)
+
+      The local filename to which to write an extracted file.
+      This field is used in the core by the extraction plugin
+      to know where to write the file to.  If not specified, then
+      a filename in the format "extract-<source>-<id>" is
+      automatically assigned (using the *source* and *id*
+      fields of :zeek:see:`fa_file`).
+
+
+   .. zeek:field:: extract_limit :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`FileExtract::default_limit` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/files/extract/main.zeek` is loaded)
+
+      The maximum allowed file size in bytes of *extract_filename*.
+      Once reached, a :zeek:see:`file_extraction_limit` event is
+      raised and the analyzer will be removed unless
+      :zeek:see:`FileExtract::set_limit` is called to increase the
+      limit.  A value of zero means "no limit".
+
+
+   .. zeek:field:: extract_limit_includes_missing :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`FileExtract::default_limit_includes_missing` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/files/extract/main.zeek` is loaded)
+
+      By default, missing bytes in files count towards the extract file size.
+      Missing bytes can, e.g., occur due to missed traffic, or offsets
+      used when downloading files.
+      Setting this option to false changes this behavior so that holes
+      in files do no longer count towards these limits. Files with
+      holes are created as sparse files on disk. Their apparent size
+      can exceed this file size limit.
+
+   :Attributes: :zeek:attr:`&redef`
+
+   A structure which parameterizes a type of file analysis.
+
+.. zeek:type:: Files::Info
+   :source-code: base/frameworks/files/main.zeek 37 116
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The time when the file was first seen.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log`
+
+      An identifier associated with a single file.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If this file, or parts of it, were transferred over a
+      network connection, this is the uid for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If this file, or parts of it, were transferred over a
+      network connection, this shows the connection.
+
+
+   .. zeek:field:: source :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      An identification of the source of the file data.  E.g. it
+      may be a network protocol over which it was transferred, or a
+      local file path which was read, or some other input source.
+
+
+   .. zeek:field:: depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      A value to represent the depth of this file in relation
+      to its source.  In SMTP, it is the depth of the MIME
+      attachment on the message.  In HTTP, it is the depth of the
+      request within the TCP connection.
+
+
+   .. zeek:field:: analyzers :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      A set of analysis types done during the file analysis.
+
+
+   .. zeek:field:: mime_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A mime type provided by the strongest file magic signature
+      match against the *bof_buffer* field of :zeek:see:`fa_file`,
+      or in the cases where no buffering of the beginning of file
+      occurs, an initial guess of the mime type based on the first
+      data seen.
+
+
+   .. zeek:field:: filename :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A filename for the file if one is available from the source
+      for the file.  These will frequently come from
+      "Content-Disposition" headers in network protocols.
+
+
+   .. zeek:field:: duration :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`
+
+      The duration the file was analyzed for.
+
+
+   .. zeek:field:: local_orig :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the source of this file is a network connection, this field
+      indicates if the data originated from the local network or not as
+      determined by the configured :zeek:see:`Site::local_nets`.
+
+
+   .. zeek:field:: is_orig :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the source of this file is a network connection, this field
+      indicates if the file is being sent by the originator of the
+      connection or the responder.
+
+
+   .. zeek:field:: seen_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Number of bytes provided to the file analysis engine for the file.
+      The value refers to the total number of bytes processed for this
+      file across all connections seen by the current Zeek instance.
+
+
+   .. zeek:field:: total_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Total number of bytes that are supposed to comprise the full file.
+
+
+   .. zeek:field:: missing_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of bytes in the file stream that were completely missed
+      during the process of analysis e.g. due to dropped packets.
+      The value refers to number of bytes missed for this file
+      across all connections seen by the current Zeek instance.
+
+
+   .. zeek:field:: overflow_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of bytes in the file stream that were not delivered to
+      stream file analyzers.  This could be overlapping bytes or
+      bytes that couldn't be reassembled.
+
+
+   .. zeek:field:: timedout :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Whether the file analysis timed out at least once for the file.
+
+
+   .. zeek:field:: parent_fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Identifier associated with a container file from which this one was
+      extracted as part of the file analysis.
+
+
+   .. zeek:field:: md5 :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/files/hash/main.zeek` is loaded)
+
+      An MD5 digest of the file contents.
+
+
+   .. zeek:field:: sha1 :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/files/hash/main.zeek` is loaded)
+
+      A SHA1 digest of the file contents.
+
+
+   .. zeek:field:: sha256 :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/files/hash/main.zeek` is loaded)
+
+      A SHA256 digest of the file contents.
+
+
+   .. zeek:field:: x509 :zeek:type:`X509::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/files/x509/main.zeek` is loaded)
+
+      Information about X509 certificates. This is used to keep
+      certificate information until all events have been received.
+
+
+   .. zeek:field:: extracted :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/base/files/extract/main.zeek` is loaded)
+
+      Local filename of extracted file.
+
+
+   .. zeek:field:: extracted_cutoff :zeek:type:`bool` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/base/files/extract/main.zeek` is loaded)
+
+      Set to true if the file being extracted was cut off
+      so the whole file was not logged.
+
+
+   .. zeek:field:: extracted_size :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/base/files/extract/main.zeek` is loaded)
+
+      The number of bytes extracted to disk.
+
+
+   .. zeek:field:: entropy :zeek:type:`double` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/files/entropy-test-all-files.zeek` is loaded)
+
+      The information density of the contents of the file,
+      expressed as a number of bits per character.
+
+   :Attributes: :zeek:attr:`&redef`
+
+   Contains all metadata related to the analysis of a given file.
+   For the most part, fields here are derived from ones of the same name
+   in :zeek:see:`fa_file`.
+
+.. zeek:type:: Files::ProtoRegistration
+   :source-code: base/frameworks/files/main.zeek 255 265
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: get_file_handle :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+      A callback to generate a file handle on demand when
+      one is needed by the core.
+
+
+   .. zeek:field:: describe :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&optional`
+
+      A callback to "describe" a file.  In the case of an HTTP
+      transfer the most obvious description would be the URL.
+      It's like an extremely compressed version of the normal log.
+
+
+
+Events
+######
+.. zeek:id:: Files::log_files
+   :source-code: base/frameworks/files/main.zeek 326 326
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Files::Info`)
+
+   Event that can be handled to access the Info record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Files::log_policy
+   :source-code: base/files/x509/main.zeek 180 184
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+Functions
+#########
+.. zeek:id:: Files::add_analyzer
+   :source-code: base/frameworks/files/main.zeek 415 431
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`, tag: :zeek:type:`Files::Tag`, args: :zeek:type:`Files::AnalyzerArgs` :zeek:attr:`&default` = *[chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=104857600, extract_limit_includes_missing=T]* :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Adds an analyzer to the analysis of a given file.
+   
+
+   :param f: the file.
+   
+
+   :param tag: the analyzer type.
+   
+
+   :param args: any parameters the analyzer takes.
+   
+
+   :returns: true if the analyzer will be added, or false if analysis
+            for the file isn't currently active or the *args*
+            were invalid for the analyzer type.
+
+.. zeek:id:: Files::all_registered_mime_types
+   :source-code: base/frameworks/files/main.zeek 495 498
+
+   :Type: :zeek:type:`function` () : :zeek:type:`table` [:zeek:type:`Files::Tag`] of :zeek:type:`set` [:zeek:type:`string`]
+
+   Returns a table of all MIME-type-to-analyzer mappings currently registered.
+   
+
+   :returns: A table mapping each analyzer to the set of MIME types
+            registered for it.
+
+.. zeek:id:: Files::analyzer_enabled
+   :source-code: base/frameworks/files/main.zeek 410 413
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
+
+   Checks whether a file analyzer is generally enabled.
+   
+
+   :param tag: the analyzer type to check.
+   
+
+   :returns: true if the analyzer is generally enabled, else false.
+
+.. zeek:id:: Files::analyzer_name
+   :source-code: base/frameworks/files/main.zeek 448 451
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`string`
+
+   Translates a file analyzer enum value to a string with the
+   analyzer's name.
+   
+
+   :param tag: The analyzer tag.
+   
+
+   :returns: The analyzer name corresponding to the tag.
+
+.. zeek:id:: Files::describe
+   :source-code: base/frameworks/files/main.zeek 500 511
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
+
+   Provides a text description regarding metadata of the file.
+   For example, with HTTP it would return a URL.
+   
+
+   :param f: The file to be described.
+   
+
+   :returns: a text description regarding metadata of the file.
+
+.. zeek:id:: Files::disable_analyzer
+   :source-code: base/frameworks/files/main.zeek 405 408
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
+
+   Disables a file analyzer.
+   
+
+   :param tag: the analyzer type to disable.
+   
+
+   :returns: false if the analyzer tag could not be found, else true.
+
+.. zeek:id:: Files::disable_reassembly
+   :source-code: base/frameworks/files/main.zeek 390 393
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`void`
+
+   Disables the file reassembler on this file.  If the file is not
+   transferred out of order this will have no effect.
+   
+
+   :param f: the file.
+
+.. zeek:id:: Files::enable_analyzer
+   :source-code: base/frameworks/files/main.zeek 400 403
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
+
+   Enables a file analyzer.
+   
+
+   :param tag: the analyzer type to enable.
+   
+
+   :returns: false if the analyzer tag could not be found, else true.
+
+.. zeek:id:: Files::enable_reassembly
+   :source-code: base/frameworks/files/main.zeek 385 388
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`void`
+
+   Allows the file reassembler to be used if it's necessary because the
+   file is transferred out of order.
+   
+
+   :param f: the file.
+
+.. zeek:id:: Files::file_exists
+   :source-code: base/frameworks/files/main.zeek 370 373
+
+   :Type: :zeek:type:`function` (fuid: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Lookup to see if a particular file id exists and is still valid.
+   
+
+   :param fuid: the file id.
+   
+
+   :returns: T if the file uid is known.
+
+.. zeek:id:: Files::lookup_file
+   :source-code: base/frameworks/files/main.zeek 375 378
+
+   :Type: :zeek:type:`function` (fuid: :zeek:type:`string`) : :zeek:type:`fa_file`
+
+   Lookup an :zeek:see:`fa_file` record with the file id.
+   
+
+   :param fuid: the file id.
+   
+
+   :returns: the associated :zeek:see:`fa_file` record.
+
+.. zeek:id:: Files::register_analyzer_add_callback
+   :source-code: base/frameworks/files/main.zeek 433 436
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`, callback: :zeek:type:`function` (f: :zeek:type:`fa_file`, args: :zeek:type:`Files::AnalyzerArgs`) : :zeek:type:`void`) : :zeek:type:`void`
+
+   Register a callback for file analyzers to use if they need to do some
+   manipulation when they are being added to a file before the core code
+   takes over.  This is unlikely to be interesting for users and should
+   only be called by file analyzer authors but is *not required*.
+   
+
+   :param tag: Tag for the file analyzer.
+   
+
+   :param callback: Function to execute when the given file analyzer is being added.
+
+.. zeek:id:: Files::register_for_mime_type
+   :source-code: base/frameworks/files/main.zeek 473 488
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`, mt: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Registers a MIME type for an analyzer. If a future file with this type is seen,
+   the analyzer will be automatically assigned to parsing it. The function *adds*
+   to all MIME types already registered, it doesn't replace them.
+   
+
+   :param tag: The tag of the analyzer.
+   
+
+   :param mt: The MIME type in the form "foo/bar" (case-insensitive).
+   
+
+   :returns: True if the MIME type was successfully registered.
+
+.. zeek:id:: Files::register_for_mime_types
+   :source-code: base/frameworks/files/main.zeek 460 471
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`, mime_types: :zeek:type:`set` [:zeek:type:`string`]) : :zeek:type:`bool`
+
+   Registers a set of MIME types for an analyzer. If a future connection on one of
+   these types is seen, the analyzer will be automatically assigned to parsing it.
+   The function *adds* to all MIME types already registered, it doesn't replace
+   them.
+   
+
+   :param tag: The tag of the analyzer.
+   
+
+   :param mts: The set of MIME types, each in the form "foo/bar" (case-insensitive).
+   
+
+   :returns: True if the MIME types were successfully registered.
+
+.. zeek:id:: Files::register_protocol
+   :source-code: base/frameworks/files/main.zeek 453 458
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Analyzer::Tag`, reg: :zeek:type:`Files::ProtoRegistration`) : :zeek:type:`bool`
+
+   Register callbacks for protocols that work with the Files framework.
+   The callbacks must uniquely identify a file and each protocol can
+   only have a single callback registered for it.
+   
+
+   :param tag: Tag for the protocol analyzer having a callback being registered.
+   
+
+   :param reg: A :zeek:see:`Files::ProtoRegistration` record.
+   
+
+   :returns: true if the protocol being registered was not previously registered.
+
+.. zeek:id:: Files::registered_mime_types
+   :source-code: base/frameworks/files/main.zeek 490 493
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`set` [:zeek:type:`string`]
+
+   Returns a set of all MIME types currently registered for a specific analyzer.
+   
+
+   :param tag: The tag of the analyzer.
+   
+
+   :returns: The set of MIME types.
+
+.. zeek:id:: Files::remove_analyzer
+   :source-code: base/frameworks/files/main.zeek 438 441
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`, tag: :zeek:type:`Files::Tag`, args: :zeek:type:`Files::AnalyzerArgs` :zeek:attr:`&default` = *[chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=104857600, extract_limit_includes_missing=T]* :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Removes an analyzer from the analysis of a given file.
+   
+
+   :param f: the file.
+   
+
+   :param tag: the analyzer type.
+   
+
+   :param args: the analyzer (type and args) to remove.
+   
+
+   :returns: true if the analyzer will be removed, or false if analysis
+            for the file isn't currently active.
+
+.. zeek:id:: Files::set_reassembly_buffer_size
+   :source-code: base/frameworks/files/main.zeek 395 398
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`, max: :zeek:type:`count`) : :zeek:type:`void`
+
+   Set the maximum size the reassembly buffer is allowed to grow
+   for the given file.
+   
+
+   :param f: the file.
+   
+
+   :param max: Maximum allowed size of the reassembly buffer.
+
+.. zeek:id:: Files::set_timeout_interval
+   :source-code: base/frameworks/files/main.zeek 380 383
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`, t: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Sets the *timeout_interval* field of :zeek:see:`fa_file`, which is
+   used to determine the length of inactivity that is allowed for a file
+   before internal state related to it is cleaned up.  When used within
+   a :zeek:see:`file_timeout` handler, the analysis will delay timing out
+   again for the period specified by *t*.
+   
+
+   :param f: the file.
+   
+
+   :param t: the amount of time the file can remain inactive before discarding.
+   
+
+   :returns: true if the timeout interval was set, or false if analysis
+            for the file isn't currently active.
+
+.. zeek:id:: Files::stop
+   :source-code: base/frameworks/files/main.zeek 443 446
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`bool`
+
+   Stops/ignores any further analysis of a given file.
+   
+
+   :param f: the file.
+   
+
+   :returns: true if analysis for the given file will be ignored for the
+            rest of its contents, or false if analysis for the file
+            isn't currently active.
+
+
diff --git a/doc/scripts/base/frameworks/input/__load__.zeek.rst b/doc/scripts/base/frameworks/input/__load__.zeek.rst
new file mode 100644
index 0000000000..14e683d2aa
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/input/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/frameworks/input/main.zeek </scripts/base/frameworks/input/main.zeek>`, :doc:`base/frameworks/input/readers/ascii.zeek </scripts/base/frameworks/input/readers/ascii.zeek>`, :doc:`base/frameworks/input/readers/benchmark.zeek </scripts/base/frameworks/input/readers/benchmark.zeek>`, :doc:`base/frameworks/input/readers/binary.zeek </scripts/base/frameworks/input/readers/binary.zeek>`, :doc:`base/frameworks/input/readers/config.zeek </scripts/base/frameworks/input/readers/config.zeek>`, :doc:`base/frameworks/input/readers/raw.zeek </scripts/base/frameworks/input/readers/raw.zeek>`, :doc:`base/frameworks/input/readers/sqlite.zeek </scripts/base/frameworks/input/readers/sqlite.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/input/index.rst b/doc/scripts/base/frameworks/input/index.rst
new file mode 100644
index 0000000000..598a0072dc
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/index.rst
@@ -0,0 +1,50 @@
+:orphan:
+
+Package: base/frameworks/input
+==============================
+
+The input framework provides a way to read previously stored data either as
+an event stream or into a Zeek table.
+
+:doc:`/scripts/base/frameworks/input/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/input/main.zeek`
+
+   The input framework provides a way to read previously stored data either
+   as an event stream or into a Zeek table.
+
+:doc:`/scripts/base/frameworks/input/readers/ascii.zeek`
+
+   Interface for the ascii input reader.
+   
+   The defaults are set to match Zeek's ASCII output.
+
+:doc:`/scripts/base/frameworks/input/readers/raw.zeek`
+
+   Interface for the raw input reader.
+
+:doc:`/scripts/base/frameworks/input/readers/benchmark.zeek`
+
+   Interface for the benchmark input reader.
+
+:doc:`/scripts/base/frameworks/input/readers/binary.zeek`
+
+   Interface for the binary input reader.
+
+:doc:`/scripts/base/frameworks/input/readers/config.zeek`
+
+   Interface for the config input reader.
+
+:doc:`/scripts/base/frameworks/input/readers/sqlite.zeek`
+
+   Interface for the SQLite input reader. Redefinable options are available
+   to tweak the input format of the SQLite reader.
+   
+   See :doc:`/frameworks/logging-input-sqlite` for an introduction on how to
+   use the SQLite reader.
+   
+   When using the SQLite reader, you have to specify the SQL query that returns
+   the desired data by setting ``query`` in the ``config`` table. See the
+   introduction mentioned above for an example.
+
diff --git a/doc/scripts/base/frameworks/input/main.zeek.rst b/doc/scripts/base/frameworks/input/main.zeek.rst
new file mode 100644
index 0000000000..eec6bbddbe
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/main.zeek.rst
@@ -0,0 +1,492 @@
+:tocdepth: 3
+
+base/frameworks/input/main.zeek
+===============================
+.. zeek:namespace:: Input
+
+The input framework provides a way to read previously stored data either
+as an event stream or into a Zeek table.
+
+:Namespace: Input
+:Imports: :doc:`base/bif/input.bif.zeek </scripts/base/bif/input.bif.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================ ==============================
+:zeek:id:`Input::default_mode`: :zeek:type:`Input::Mode` :zeek:attr:`&redef`     The default reader mode used.
+:zeek:id:`Input::default_reader`: :zeek:type:`Input::Reader` :zeek:attr:`&redef` The default input reader used.
+================================================================================ ==============================
+
+Redefinable Options
+###################
+================================================================================= =========================================================
+:zeek:id:`Input::accept_unsupported_types`: :zeek:type:`bool` :zeek:attr:`&redef` Flag that controls if the input framework accepts records
+                                                                                  that contain types that are not supported (at the moment
+                                                                                  file and function).
+:zeek:id:`Input::empty_field`: :zeek:type:`string` :zeek:attr:`&redef`            String to use for empty fields.
+:zeek:id:`Input::separator`: :zeek:type:`string` :zeek:attr:`&redef`              Separator between fields.
+:zeek:id:`Input::set_separator`: :zeek:type:`string` :zeek:attr:`&redef`          Separator between set elements.
+:zeek:id:`Input::unset_field`: :zeek:type:`string` :zeek:attr:`&redef`            String to use for an unset &optional field.
+================================================================================= =========================================================
+
+Types
+#####
+============================================================ ===================================================================
+:zeek:type:`Input::AnalysisDescription`: :zeek:type:`record` A file analysis input stream type used to forward input data to the
+                                                             file analysis framework.
+:zeek:type:`Input::Event`: :zeek:type:`enum`                 Type that describes what kind of change occurred.
+:zeek:type:`Input::EventDescription`: :zeek:type:`record`    An event input stream type used to send input data to a Zeek event.
+:zeek:type:`Input::Mode`: :zeek:type:`enum`                  Type that defines the input stream read mode.
+:zeek:type:`Input::TableDescription`: :zeek:type:`record`    A table input stream type used to send data to a Zeek table.
+:zeek:type:`Input::Reader`: :zeek:type:`enum`                
+============================================================ ===================================================================
+
+Events
+######
+================================================= ====================================================================
+:zeek:id:`Input::end_of_data`: :zeek:type:`event` Event that is called when the end of a data source has been reached,
+                                                  including after an update.
+================================================= ====================================================================
+
+Functions
+#########
+===================================================== ============================================================
+:zeek:id:`Input::add_analysis`: :zeek:type:`function` Create a new file analysis input stream from a given source.
+:zeek:id:`Input::add_event`: :zeek:type:`function`    Create a new event input stream from a given source.
+:zeek:id:`Input::add_table`: :zeek:type:`function`    Create a new table input stream from a given source.
+:zeek:id:`Input::force_update`: :zeek:type:`function` Forces the current input to be checked for changes.
+:zeek:id:`Input::remove`: :zeek:type:`function`       Remove an input stream.
+===================================================== ============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Input::default_mode
+   :source-code: base/frameworks/input/main.zeek 31 31
+
+   :Type: :zeek:type:`Input::Mode`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Input::MANUAL``
+
+   The default reader mode used. Defaults to :zeek:see:`Input::MANUAL`.
+
+.. zeek:id:: Input::default_reader
+   :source-code: base/frameworks/input/main.zeek 28 28
+
+   :Type: :zeek:type:`Input::Reader`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Input::READER_ASCII``
+
+   The default input reader used. Defaults to :zeek:see:`Input::READER_ASCII`.
+
+Redefinable Options
+###################
+.. zeek:id:: Input::accept_unsupported_types
+   :source-code: base/frameworks/input/main.zeek 56 56
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Flag that controls if the input framework accepts records
+   that contain types that are not supported (at the moment
+   file and function). If true, the input framework will
+   warn in these cases, but continue. If false, it will
+   abort. Defaults to false (abort).
+
+.. zeek:id:: Input::empty_field
+   :source-code: base/frameworks/input/main.zeek 45 45
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"(empty)"``
+
+   String to use for empty fields.
+   Individual readers can use a different value.
+
+.. zeek:id:: Input::separator
+   :source-code: base/frameworks/input/main.zeek 36 36
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"\x09"``
+
+   Separator between fields.
+   Please note that the separator has to be exactly one character long.
+   Individual readers can use a different value.
+
+.. zeek:id:: Input::set_separator
+   :source-code: base/frameworks/input/main.zeek 41 41
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``","``
+
+   Separator between set elements.
+   Please note that the separator has to be exactly one character long.
+   Individual readers can use a different value.
+
+.. zeek:id:: Input::unset_field
+   :source-code: base/frameworks/input/main.zeek 49 49
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"-"``
+
+   String to use for an unset &optional field.
+   Individual readers can use a different value.
+
+Types
+#####
+.. zeek:type:: Input::AnalysisDescription
+   :source-code: base/frameworks/input/main.zeek 180 204
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: source :zeek:type:`string`
+
+      String that allows the reader to find the source.
+      For :zeek:see:`Input::READER_ASCII`, this is the filename.
+
+
+   .. zeek:field:: reader :zeek:type:`Input::Reader` :zeek:attr:`&default` = ``Input::READER_BINARY`` :zeek:attr:`&optional`
+
+      Reader to use for this stream.  Compatible readers must be
+      able to accept a filter of a single string type (i.e.
+      they read a byte stream).
+
+
+   .. zeek:field:: mode :zeek:type:`Input::Mode` :zeek:attr:`&default` = :zeek:see:`Input::default_mode` :zeek:attr:`&optional`
+
+      Read mode to use for this stream.
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Descriptive name that uniquely identifies the input source.
+      Can be used to remove a stream at a later time.
+      This will also be used for the unique *source* field of
+      :zeek:see:`fa_file`.  Most of the time, the best choice for this
+      field will be the same value as the *source* field.
+
+
+   .. zeek:field:: config :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      A key/value table that will be passed to the reader.
+      Interpretation of the values is left to the reader, but
+      usually they will be used for configuration purposes.
+
+
+   A file analysis input stream type used to forward input data to the
+   file analysis framework.
+
+.. zeek:type:: Input::Event
+   :source-code: base/frameworks/input/main.zeek 8 8
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Input::EVENT_NEW Input::Event
+
+         New data has been imported.
+
+      .. zeek:enum:: Input::EVENT_CHANGED Input::Event
+
+         Existing data has been changed.
+
+      .. zeek:enum:: Input::EVENT_REMOVED Input::Event
+
+         Previously existing data has been removed.
+
+   Type that describes what kind of change occurred.
+
+.. zeek:type:: Input::EventDescription
+   :source-code: base/frameworks/input/main.zeek 125 176
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: source :zeek:type:`string`
+
+      String that allows the reader to find the source.
+      For :zeek:see:`Input::READER_ASCII`, this is the filename.
+
+
+   .. zeek:field:: reader :zeek:type:`Input::Reader` :zeek:attr:`&default` = :zeek:see:`Input::default_reader` :zeek:attr:`&optional`
+
+      Reader to use for this stream.
+
+
+   .. zeek:field:: mode :zeek:type:`Input::Mode` :zeek:attr:`&default` = :zeek:see:`Input::default_mode` :zeek:attr:`&optional`
+
+      Read mode to use for this stream.
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Descriptive name. Used to remove a stream at a later time.
+
+
+   .. zeek:field:: fields :zeek:type:`any`
+
+      Record type describing the fields to be retrieved from the input
+      source.
+
+
+   .. zeek:field:: want_record :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      If this is false, the event receives each value in *fields* as a
+      separate argument.
+      If this is set to true (default), the event receives all fields in
+      a single record value.
+
+
+   .. zeek:field:: ev :zeek:type:`any`
+
+      The event that is raised each time a new line is received from the
+      reader. The event will receive an :zeek:see:`Input::EventDescription` record
+      as the first argument, an :zeek:see:`Input::Event` enum as the second
+      argument, and the fields (as specified in *fields*) as the following
+      arguments (this will either be a single record value containing
+      all fields, or each field value as a separate argument).
+
+
+   .. zeek:field:: error_ev :zeek:type:`any` :zeek:attr:`&optional`
+
+      Error event that is raised when an information, warning or error
+      is raised by the input stream. If the level is error, the stream will automatically
+      be closed.
+      The event receives the :zeek:see:`Input::EventDescription` as the first argument, the
+      message as the second argument and the :zeek:see:`Reporter::Level` as the third argument.
+      
+      The event is raised like it had been declared as follows:
+      error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional;
+      The actual declaration uses the :zeek:type:`any` type because of deficiencies of the Zeek type system.
+
+
+   .. zeek:field:: config :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      A key/value table that will be passed to the reader.
+      Interpretation of the values is left to the reader, but
+      usually they will be used for configuration purposes.
+
+
+   An event input stream type used to send input data to a Zeek event.
+
+.. zeek:type:: Input::Mode
+   :source-code: base/frameworks/input/main.zeek 18 26
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Input::MANUAL Input::Mode
+
+         Do not automatically reread the file after it has been read.
+
+      .. zeek:enum:: Input::REREAD Input::Mode
+
+         Reread the entire file each time a change is found.
+
+      .. zeek:enum:: Input::STREAM Input::Mode
+
+         Read data from end of file each time new data is appended.
+
+   Type that defines the input stream read mode.
+
+.. zeek:type:: Input::TableDescription
+   :source-code: base/frameworks/input/main.zeek 59 122
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: source :zeek:type:`string`
+
+      String that allows the reader to find the source of the data.
+      For :zeek:see:`Input::READER_ASCII`, this is the filename.
+
+
+   .. zeek:field:: reader :zeek:type:`Input::Reader` :zeek:attr:`&default` = :zeek:see:`Input::default_reader` :zeek:attr:`&optional`
+
+      Reader to use for this stream.
+
+
+   .. zeek:field:: mode :zeek:type:`Input::Mode` :zeek:attr:`&default` = :zeek:see:`Input::default_mode` :zeek:attr:`&optional`
+
+      Read mode to use for this stream.
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Name of the input stream.  This is used by some functions to
+      manipulate the stream.
+
+
+   .. zeek:field:: destination :zeek:type:`any`
+
+      Table which will receive the data read by the input framework.
+
+
+   .. zeek:field:: idx :zeek:type:`any`
+
+      Record that defines the values used as the index of the table.
+
+
+   .. zeek:field:: val :zeek:type:`any` :zeek:attr:`&optional`
+
+      Record that defines the values used as the elements of the table.
+      If this is undefined, then *destination* must be a set.
+
+
+   .. zeek:field:: want_record :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Defines if the value of the table is a record (default), or a single
+      value. When this is set to false, then *val* can only contain one
+      element.
+
+
+   .. zeek:field:: ev :zeek:type:`any` :zeek:attr:`&optional`
+
+      The event that is raised each time a value is added to, changed in,
+      or removed from the table. The event will receive an
+      Input::TableDescription as the first argument, an Input::Event
+      enum as the second argument, the *idx* record as the third argument
+      and the value (record) as the fourth argument.
+
+
+   .. zeek:field:: pred :zeek:type:`function` (typ: :zeek:type:`Input::Event`, left: :zeek:type:`any`, right: :zeek:type:`any`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Predicate function that can decide if an insertion, update or removal
+      should really be executed. Parameters have same meaning as for the
+      event.
+      If true is returned, the update is performed. If false is returned,
+      it is skipped.
+
+
+   .. zeek:field:: error_ev :zeek:type:`any` :zeek:attr:`&optional`
+
+      Error event that is raised when an information, warning or error
+      is raised by the input stream. If the level is error, the stream will automatically
+      be closed.
+      The event receives the Input::TableDescription as the first argument, the
+      message as the second argument and the Reporter::Level as the third argument.
+      
+      The event is raised like if it had been declared as follows:
+      error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional;
+      The actual declaration uses the :zeek:type:`any` type because of deficiencies of the Zeek type system.
+
+
+   .. zeek:field:: config :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      A key/value table that will be passed to the reader.
+      Interpretation of the values is left to the reader, but
+      usually they will be used for configuration purposes.
+
+
+   A table input stream type used to send data to a Zeek table.
+
+.. zeek:type:: Input::Reader
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Input::READER_ASCII Input::Reader
+
+      .. zeek:enum:: Input::READER_BENCHMARK Input::Reader
+
+      .. zeek:enum:: Input::READER_BINARY Input::Reader
+
+      .. zeek:enum:: Input::READER_CONFIG Input::Reader
+
+      .. zeek:enum:: Input::READER_RAW Input::Reader
+
+      .. zeek:enum:: Input::READER_SQLITE Input::Reader
+
+
+Events
+######
+.. zeek:id:: Input::end_of_data
+   :source-code: base/utils/exec.zeek 96 127
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, source: :zeek:type:`string`)
+
+   Event that is called when the end of a data source has been reached,
+   including after an update.
+   
+
+   :param name: Name of the input stream.
+   
+
+   :param source: String that identifies the data source (such as the filename).
+
+Functions
+#########
+.. zeek:id:: Input::add_analysis
+   :source-code: base/frameworks/input/main.zeek 267 270
+
+   :Type: :zeek:type:`function` (description: :zeek:type:`Input::AnalysisDescription`) : :zeek:type:`bool`
+
+   Create a new file analysis input stream from a given source.  Data read
+   from the source is automatically forwarded to the file analysis
+   framework.
+   
+
+   :param description: A record describing the source.
+   
+
+   :returns: true on success.
+
+.. zeek:id:: Input::add_event
+   :source-code: base/frameworks/input/main.zeek 262 265
+
+   :Type: :zeek:type:`function` (description: :zeek:type:`Input::EventDescription`) : :zeek:type:`bool`
+
+   Create a new event input stream from a given source.
+   
+
+   :param description: :zeek:see:`Input::EventDescription` record describing the source.
+   
+
+   :returns: true on success.
+
+.. zeek:id:: Input::add_table
+   :source-code: base/frameworks/input/main.zeek 257 260
+
+   :Type: :zeek:type:`function` (description: :zeek:type:`Input::TableDescription`) : :zeek:type:`bool`
+
+   Create a new table input stream from a given source.
+   
+
+   :param description: :zeek:see:`Input::TableDescription` record describing the source.
+   
+
+   :returns: true on success.
+
+.. zeek:id:: Input::force_update
+   :source-code: base/frameworks/input/main.zeek 277 280
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Forces the current input to be checked for changes.
+   
+
+   :param id: string value identifying the stream.
+   
+
+   :returns: true on success and false if the named stream was not found.
+
+.. zeek:id:: Input::remove
+   :source-code: base/frameworks/input/main.zeek 272 275
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Remove an input stream.
+   
+
+   :param id: string value identifying the stream to be removed.
+   
+
+   :returns: true on success and false if the named stream was not found.
+
+
diff --git a/doc/scripts/base/frameworks/input/readers/ascii.zeek.rst b/doc/scripts/base/frameworks/input/readers/ascii.zeek.rst
new file mode 100644
index 0000000000..6d8deb7d3d
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/readers/ascii.zeek.rst
@@ -0,0 +1,124 @@
+:tocdepth: 3
+
+base/frameworks/input/readers/ascii.zeek
+========================================
+.. zeek:namespace:: InputAscii
+
+Interface for the ascii input reader.
+
+The defaults are set to match Zeek's ASCII output.
+
+:Namespace: InputAscii
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=================================================================================== ==================================================================
+:zeek:id:`InputAscii::empty_field`: :zeek:type:`string` :zeek:attr:`&redef`         String to use for empty fields.
+:zeek:id:`InputAscii::fail_on_file_problem`: :zeek:type:`bool` :zeek:attr:`&redef`  Fail on file read problems.
+:zeek:id:`InputAscii::fail_on_invalid_lines`: :zeek:type:`bool` :zeek:attr:`&redef` Fail on invalid lines.
+:zeek:id:`InputAscii::path_prefix`: :zeek:type:`string` :zeek:attr:`&redef`         On input streams with a pathless or relative-path source filename,
+                                                                                    prefix the following path.
+:zeek:id:`InputAscii::separator`: :zeek:type:`string` :zeek:attr:`&redef`           Separator between fields.
+:zeek:id:`InputAscii::set_separator`: :zeek:type:`string` :zeek:attr:`&redef`       Separator between set and vector elements.
+:zeek:id:`InputAscii::unset_field`: :zeek:type:`string` :zeek:attr:`&redef`         String to use for an unset &optional field.
+=================================================================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: InputAscii::empty_field
+   :source-code: base/frameworks/input/readers/ascii.zeek 17 17
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"(empty)"``
+
+   String to use for empty fields.
+
+.. zeek:id:: InputAscii::fail_on_file_problem
+   :source-code: base/frameworks/input/readers/ascii.zeek 49 49
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Fail on file read problems. If set to true, the ascii
+   input reader will fail when encountering any problems
+   while reading a file different from invalid lines.
+   Examples of such problems are permission problems, or
+   missing files.
+   When set to false, these problems will be ignored. This
+   has an especially big effect for the REREAD mode, which will
+   seamlessly recover from read errors when a file is
+   only temporarily inaccessible. For MANUAL or STREAM files,
+   errors will most likely still be fatal since no automatic
+   re-reading of the file is attempted.
+   Individual readers can use a different value using
+   the $config table.
+   fail_on_file_problem = T was the default behavior
+   until Bro 2.6.
+
+.. zeek:id:: InputAscii::fail_on_invalid_lines
+   :source-code: base/frameworks/input/readers/ascii.zeek 32 32
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Fail on invalid lines. If set to false, the ascii
+   input reader will jump over invalid lines, reporting
+   warnings in reporter.log. If set to true, errors in
+   input lines will be handled as fatal errors for the
+   reader thread; reading will abort immediately and
+   an error will be logged to reporter.log.
+   Individual readers can use a different value using
+   the $config table.
+   fail_on_invalid_lines = T was the default behavior
+   until Bro 2.6.
+
+.. zeek:id:: InputAscii::path_prefix
+   :source-code: base/frameworks/input/readers/ascii.zeek 55 55
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   On input streams with a pathless or relative-path source filename,
+   prefix the following path. This prefix can, but need not be, absolute.
+   The default is to leave any filenames unchanged. This prefix has no
+   effect if the source already is an absolute path.
+
+.. zeek:id:: InputAscii::separator
+   :source-code: base/frameworks/input/readers/ascii.zeek 10 10
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"\x09"``
+
+   Separator between fields.
+   Please note that the separator has to be exactly one character long.
+
+.. zeek:id:: InputAscii::set_separator
+   :source-code: base/frameworks/input/readers/ascii.zeek 14 14
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``","``
+
+   Separator between set and vector elements.
+   Please note that the separator has to be exactly one character long.
+
+.. zeek:id:: InputAscii::unset_field
+   :source-code: base/frameworks/input/readers/ascii.zeek 20 20
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"-"``
+
+   String to use for an unset &optional field.
+
+
diff --git a/doc/scripts/base/frameworks/input/readers/benchmark.zeek.rst b/doc/scripts/base/frameworks/input/readers/benchmark.zeek.rst
new file mode 100644
index 0000000000..fa212bf3d8
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/readers/benchmark.zeek.rst
@@ -0,0 +1,83 @@
+:tocdepth: 3
+
+base/frameworks/input/readers/benchmark.zeek
+============================================
+.. zeek:namespace:: InputBenchmark
+
+Interface for the benchmark input reader.
+
+:Namespace: InputBenchmark
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=============================================================================== =========================================================
+:zeek:id:`InputBenchmark::addfactor`: :zeek:type:`count` :zeek:attr:`&redef`    Addition factor for each heartbeat.
+:zeek:id:`InputBenchmark::autospread`: :zeek:type:`double` :zeek:attr:`&redef`  Spreading where usleep = 1000000 / autospread * num_lines
+:zeek:id:`InputBenchmark::factor`: :zeek:type:`double` :zeek:attr:`&redef`      Multiplication factor for each second.
+:zeek:id:`InputBenchmark::spread`: :zeek:type:`count` :zeek:attr:`&redef`       Spread factor between lines.
+:zeek:id:`InputBenchmark::stopspreadat`: :zeek:type:`count` :zeek:attr:`&redef` Stop spreading at x lines per heartbeat.
+:zeek:id:`InputBenchmark::timedspread`: :zeek:type:`double` :zeek:attr:`&redef` 1 -> enable timed spreading.
+=============================================================================== =========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: InputBenchmark::addfactor
+   :source-code: base/frameworks/input/readers/benchmark.zeek 16 16
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   Addition factor for each heartbeat.
+
+.. zeek:id:: InputBenchmark::autospread
+   :source-code: base/frameworks/input/readers/benchmark.zeek 13 13
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0.0``
+
+   Spreading where usleep = 1000000 / autospread * num_lines
+
+.. zeek:id:: InputBenchmark::factor
+   :source-code: base/frameworks/input/readers/benchmark.zeek 7 7
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0``
+
+   Multiplication factor for each second.
+
+.. zeek:id:: InputBenchmark::spread
+   :source-code: base/frameworks/input/readers/benchmark.zeek 10 10
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   Spread factor between lines.
+
+.. zeek:id:: InputBenchmark::stopspreadat
+   :source-code: base/frameworks/input/readers/benchmark.zeek 19 19
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   Stop spreading at x lines per heartbeat.
+
+.. zeek:id:: InputBenchmark::timedspread
+   :source-code: base/frameworks/input/readers/benchmark.zeek 22 22
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0.0``
+
+   1 -> enable timed spreading.
+
+
diff --git a/doc/scripts/base/frameworks/input/readers/binary.zeek.rst b/doc/scripts/base/frameworks/input/readers/binary.zeek.rst
new file mode 100644
index 0000000000..bf8e22f39c
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/readers/binary.zeek.rst
@@ -0,0 +1,47 @@
+:tocdepth: 3
+
+base/frameworks/input/readers/binary.zeek
+=========================================
+.. zeek:namespace:: InputBinary
+
+Interface for the binary input reader.
+
+:Namespace: InputBinary
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================ ==================================================================
+:zeek:id:`InputBinary::chunk_size`: :zeek:type:`count` :zeek:attr:`&redef`   Size of data chunks to read from the input file at a time.
+:zeek:id:`InputBinary::path_prefix`: :zeek:type:`string` :zeek:attr:`&redef` On input streams with a pathless or relative-path source filename,
+                                                                             prefix the following path.
+============================================================================ ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: InputBinary::chunk_size
+   :source-code: base/frameworks/input/readers/binary.zeek 7 7
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1024``
+
+   Size of data chunks to read from the input file at a time.
+
+.. zeek:id:: InputBinary::path_prefix
+   :source-code: base/frameworks/input/readers/binary.zeek 13 13
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   On input streams with a pathless or relative-path source filename,
+   prefix the following path. This prefix can, but need not be, absolute.
+   The default is to leave any filenames unchanged. This prefix has no
+   effect if the source already is an absolute path.
+
+
diff --git a/doc/scripts/base/frameworks/input/readers/config.zeek.rst b/doc/scripts/base/frameworks/input/readers/config.zeek.rst
new file mode 100644
index 0000000000..284a592b68
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/readers/config.zeek.rst
@@ -0,0 +1,99 @@
+:tocdepth: 3
+
+base/frameworks/input/readers/config.zeek
+=========================================
+.. zeek:namespace:: InputConfig
+
+Interface for the config input reader.
+
+:Namespace: InputConfig
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=================================================================================== ==========================================
+:zeek:id:`InputConfig::empty_field`: :zeek:type:`string` :zeek:attr:`&redef`        String to use for empty fields.
+:zeek:id:`InputConfig::fail_on_file_problem`: :zeek:type:`bool` :zeek:attr:`&redef` Fail on file read problems.
+:zeek:id:`InputConfig::set_separator`: :zeek:type:`string` :zeek:attr:`&redef`      Separator between set and vector elements.
+=================================================================================== ==========================================
+
+Events
+######
+===================================================== ==============================================================
+:zeek:id:`InputConfig::new_value`: :zeek:type:`event` Event that is called when a config option is added or changes.
+===================================================== ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: InputConfig::empty_field
+   :source-code: base/frameworks/input/readers/config.zeek 13 13
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   String to use for empty fields.
+   By default this is the empty string, meaning that an empty input field
+   will result in an empty set.
+
+.. zeek:id:: InputConfig::fail_on_file_problem
+   :source-code: base/frameworks/input/readers/config.zeek 28 28
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Fail on file read problems. If set to true, the config
+   input reader will fail when encountering any problems
+   while reading a file different from invalid lines.
+   Examples of such problems are permission problems, or
+   missing files.
+   When set to false, these problems will be ignored. This
+   has an especially big effect for the REREAD mode, which will
+   seamlessly recover from read errors when a file is
+   only temporarily inaccessible. For MANUAL or STREAM files,
+   errors will most likely still be fatal since no automatic
+   re-reading of the file is attempted.
+   Individual readers can use a different value using
+   the $config table.
+
+.. zeek:id:: InputConfig::set_separator
+   :source-code: base/frameworks/input/readers/config.zeek 8 8
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``","``
+
+   Separator between set and vector elements.
+   Please note that the separator has to be exactly one character long.
+
+Events
+######
+.. zeek:id:: InputConfig::new_value
+   :source-code: base/frameworks/config/input.zeek 53 59
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, source: :zeek:type:`string`, id: :zeek:type:`string`, value: :zeek:type:`any`)
+
+   Event that is called when a config option is added or changes.
+   
+   Note - this does not track the reason for a change (new, changed),
+   and also does not track removals. If you need this, combine the event
+   with a table reader.
+   
+
+   :param name: Name of the input stream.
+   
+
+   :param source: Source of the input stream.
+   
+
+   :param id: ID of the configuration option being set.
+   
+
+   :param value: New value of the configuration option being set.
+
+
diff --git a/doc/scripts/base/frameworks/input/readers/raw.zeek.rst b/doc/scripts/base/frameworks/input/readers/raw.zeek.rst
new file mode 100644
index 0000000000..9715472043
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/readers/raw.zeek.rst
@@ -0,0 +1,60 @@
+:tocdepth: 3
+
+base/frameworks/input/readers/raw.zeek
+======================================
+.. zeek:namespace:: InputRaw
+
+Interface for the raw input reader.
+
+:Namespace: InputRaw
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================== ================================
+:zeek:id:`InputRaw::record_separator`: :zeek:type:`string` :zeek:attr:`&redef` Separator between input records.
+============================================================================== ================================
+
+Events
+######
+========================================================= ====================================================================
+:zeek:id:`InputRaw::process_finished`: :zeek:type:`event` Event that is called when a process created by the raw reader exits.
+========================================================= ====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: InputRaw::record_separator
+   :source-code: base/frameworks/input/readers/raw.zeek 8 8
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"\x0a"``
+
+   Separator between input records.
+   Please note that the separator has to be exactly one character long.
+
+Events
+######
+.. zeek:id:: InputRaw::process_finished
+   :source-code: base/utils/exec.zeek 129 151
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, source: :zeek:type:`string`, exit_code: :zeek:type:`count`, signal_exit: :zeek:type:`bool`)
+
+   Event that is called when a process created by the raw reader exits.
+   
+
+   :param name: name of the input stream.
+
+   :param source: source of the input stream.
+
+   :param exit_code: exit code of the program, or number of the signal that forced
+              the program to exit.
+
+   :param signal_exit: false when program exited normally, true when program was
+                forced to exit by a signal.
+
+
diff --git a/doc/scripts/base/frameworks/input/readers/sqlite.zeek.rst b/doc/scripts/base/frameworks/input/readers/sqlite.zeek.rst
new file mode 100644
index 0000000000..be172e8d4f
--- /dev/null
+++ b/doc/scripts/base/frameworks/input/readers/sqlite.zeek.rst
@@ -0,0 +1,62 @@
+:tocdepth: 3
+
+base/frameworks/input/readers/sqlite.zeek
+=========================================
+.. zeek:namespace:: InputSQLite
+
+Interface for the SQLite input reader. Redefinable options are available
+to tweak the input format of the SQLite reader.
+
+See :doc:`/frameworks/logging-input-sqlite` for an introduction on how to
+use the SQLite reader.
+
+When using the SQLite reader, you have to specify the SQL query that returns
+the desired data by setting ``query`` in the ``config`` table. See the
+introduction mentioned above for an example.
+
+:Namespace: InputSQLite
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================== ===========================================
+:zeek:id:`InputSQLite::empty_field`: :zeek:type:`string` :zeek:attr:`&redef`   String to use for empty fields.
+:zeek:id:`InputSQLite::set_separator`: :zeek:type:`string` :zeek:attr:`&redef` Separator between set elements.
+:zeek:id:`InputSQLite::unset_field`: :zeek:type:`string` :zeek:attr:`&redef`   String to use for an unset &optional field.
+============================================================================== ===========================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: InputSQLite::empty_field
+   :source-code: base/frameworks/input/readers/sqlite.zeek 22 22
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"(empty)"``
+
+   String to use for empty fields.
+
+.. zeek:id:: InputSQLite::set_separator
+   :source-code: base/frameworks/input/readers/sqlite.zeek 16 16
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``","``
+
+   Separator between set elements.
+   Please note that the separator has to be exactly one character long.
+
+.. zeek:id:: InputSQLite::unset_field
+   :source-code: base/frameworks/input/readers/sqlite.zeek 19 19
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"-"``
+
+   String to use for an unset &optional field.
+
+
diff --git a/doc/scripts/base/frameworks/intel/__load__.zeek.rst b/doc/scripts/base/frameworks/intel/__load__.zeek.rst
new file mode 100644
index 0000000000..877454fc63
--- /dev/null
+++ b/doc/scripts/base/frameworks/intel/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/intel/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/intel/files.zeek </scripts/base/frameworks/intel/files.zeek>`, :doc:`base/frameworks/intel/input.zeek </scripts/base/frameworks/intel/input.zeek>`, :doc:`base/frameworks/intel/main.zeek </scripts/base/frameworks/intel/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/intel/files.zeek.rst b/doc/scripts/base/frameworks/intel/files.zeek.rst
new file mode 100644
index 0000000000..258f1edd98
--- /dev/null
+++ b/doc/scripts/base/frameworks/intel/files.zeek.rst
@@ -0,0 +1,55 @@
+:tocdepth: 3
+
+base/frameworks/intel/files.zeek
+================================
+.. zeek:namespace:: Intel
+
+File analysis framework integration for the intelligence framework. This
+script manages file information in intelligence framework data structures.
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/intel/main.zeek </scripts/base/frameworks/intel/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================= ==============================================================================
+:zeek:type:`Intel::Info`: :zeek:type:`record` Record used for the logging framework representing a positive
+                                              hit within the intelligence framework.
+                                              
+                                              :New Fields: :zeek:type:`Intel::Info`
+                                              
+                                                fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                  If a file was associated with this intelligence hit,
+                                                  this is the uid for the file.
+                                              
+                                                file_mime_type: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                  A mime type if the intelligence hit is related to a file.
+                                              
+                                                file_desc: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                  Frequently files can be "described" to give a bit more context.
+:zeek:type:`Intel::Seen`: :zeek:type:`record` Information about a piece of "seen" data.
+                                              
+                                              :New Fields: :zeek:type:`Intel::Seen`
+                                              
+                                                f: :zeek:type:`fa_file` :zeek:attr:`&optional`
+                                                  If the data was discovered within a file, the file record
+                                                  should go here to provide context to the data.
+                                              
+                                                fuid: :zeek:type:`string` :zeek:attr:`&optional`
+                                                  If the data was discovered within a file, the file uid should
+                                                  go here to provide context to the data.
+:zeek:type:`Intel::Type`: :zeek:type:`enum`   Enum type to represent various types of intelligence data.
+                                              
+                                              * :zeek:enum:`Intel::FILE_HASH`:
+                                                File hash which is non-hash type specific.
+                                              
+                                              * :zeek:enum:`Intel::FILE_NAME`:
+                                                File name.
+============================================= ==============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/intel/index.rst b/doc/scripts/base/frameworks/intel/index.rst
new file mode 100644
index 0000000000..32ef3663d3
--- /dev/null
+++ b/doc/scripts/base/frameworks/intel/index.rst
@@ -0,0 +1,29 @@
+:orphan:
+
+Package: base/frameworks/intel
+==============================
+
+The intelligence framework provides a way to store and query intelligence
+data (such as IP addresses or strings). Metadata can also be associated
+with the intelligence.
+
+:doc:`/scripts/base/frameworks/intel/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/intel/main.zeek`
+
+   The intelligence framework provides a way to store and query intelligence
+   data (e.g. IP addresses, URLs and hashes). The intelligence items can be
+   associated with metadata to allow informed decisions about matching and
+   handling.
+
+:doc:`/scripts/base/frameworks/intel/files.zeek`
+
+   File analysis framework integration for the intelligence framework. This
+   script manages file information in intelligence framework data structures.
+
+:doc:`/scripts/base/frameworks/intel/input.zeek`
+
+   Input handling for the intelligence framework. This script implements the
+   import of intelligence data from files using the input framework.
+
diff --git a/doc/scripts/base/frameworks/intel/input.zeek.rst b/doc/scripts/base/frameworks/intel/input.zeek.rst
new file mode 100644
index 0000000000..a735b38374
--- /dev/null
+++ b/doc/scripts/base/frameworks/intel/input.zeek.rst
@@ -0,0 +1,103 @@
+:tocdepth: 3
+
+base/frameworks/intel/input.zeek
+================================
+.. zeek:namespace:: Intel
+
+Input handling for the intelligence framework. This script implements the
+import of intelligence data from files using the input framework.
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/intel/main.zeek </scripts/base/frameworks/intel/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+====================================================================== ==============================================
+:zeek:id:`Intel::path_prefix`: :zeek:type:`string` :zeek:attr:`&redef` An optional path prefix for intel files.
+:zeek:id:`Intel::read_files`: :zeek:type:`set` :zeek:attr:`&redef`     Intelligence files that will be read off disk.
+====================================================================== ==============================================
+
+Events
+######
+================================================ ===================================================================
+:zeek:id:`Intel::read_entry`: :zeek:type:`event` This event is raised each time the intel framework reads a new line
+                                                 from an intel file.
+:zeek:id:`Intel::read_error`: :zeek:type:`event` This event is raised each time the input framework detects an error
+                                                 while reading the intel file.
+================================================ ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Intel::path_prefix
+   :source-code: base/frameworks/intel/input.zeek 22 22
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   An optional path prefix for intel files. This prefix can, but
+   need not be, absolute. The default is to leave any filenames
+   unchanged. This prefix has no effect if a read_file entry is
+   an absolute path. This prefix gets applied _before_ entering
+   the input framework, so if the prefix is absolute, the input
+   framework won't munge it further. If it is relative, then
+   any path_prefix specified in the input framework will apply
+   additionally.
+
+.. zeek:id:: Intel::read_files
+   :source-code: base/frameworks/intel/input.zeek 12 12
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Intelligence files that will be read off disk. The files are
+   reread every time they are updated so updates must be atomic
+   with "mv" instead of writing the file in place.
+
+Events
+######
+.. zeek:id:: Intel::read_entry
+   :source-code: base/frameworks/intel/input.zeek 49 52
+
+   :Type: :zeek:type:`event` (desc: :zeek:type:`Input::EventDescription`, tpe: :zeek:type:`Input::Event`, item: :zeek:type:`Intel::Item`)
+
+   This event is raised each time the intel framework reads a new line
+   from an intel file. It is used in the intel framework but can
+   also be used in custom scripts for further checks.
+   
+
+   :param desc: The :zeek:type:`Input::EventDescription` record which generated the event.
+   
+
+   :param tpe: The type of input event.
+   
+
+   :param item: The intel item being read (of type :zeek:type:`Intel::Item`).
+   
+
+.. zeek:id:: Intel::read_error
+   :source-code: base/frameworks/intel/input.zeek 46 46
+
+   :Type: :zeek:type:`event` (desc: :zeek:type:`Input::EventDescription`, message: :zeek:type:`string`, level: :zeek:type:`Reporter::Level`)
+
+   This event is raised each time the input framework detects an error
+   while reading the intel file. It can be used to implement further checks
+   in custom scripts. Errors can be of different levels (information, warning, errors).
+   
+
+   :param desc: The :zeek:type:`Input::EventDescription` record which generated the error.
+   
+
+   :param message: An error message.
+   
+
+   :param level: The :zeek:type:`Reporter::Level` of the error.
+   
+
+
diff --git a/doc/scripts/base/frameworks/intel/main.zeek.rst b/doc/scripts/base/frameworks/intel/main.zeek.rst
new file mode 100644
index 0000000000..b67ef821a6
--- /dev/null
+++ b/doc/scripts/base/frameworks/intel/main.zeek.rst
@@ -0,0 +1,754 @@
+:tocdepth: 3
+
+base/frameworks/intel/main.zeek
+===============================
+.. zeek:namespace:: Intel
+
+The intelligence framework provides a way to store and query intelligence
+data (e.g. IP addresses, URLs and hashes). The intelligence items can be
+associated with metadata to allow informed decisions about matching and
+handling.
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================ ==============================================
+:zeek:id:`Intel::item_expiration`: :zeek:type:`interval` :zeek:attr:`&redef` The expiration timeout for intelligence items.
+============================================================================ ==============================================
+
+Types
+#####
+================================================= ==============================================================
+:zeek:type:`Intel::Info`: :zeek:type:`record`     Record used for the logging framework representing a positive
+                                                  hit within the intelligence framework.
+:zeek:type:`Intel::Item`: :zeek:type:`record`     Represents a piece of intelligence.
+:zeek:type:`Intel::MetaData`: :zeek:type:`record` Data about an :zeek:type:`Intel::Item`.
+:zeek:type:`Intel::Seen`: :zeek:type:`record`     Information about a piece of "seen" data.
+:zeek:type:`Intel::Type`: :zeek:type:`enum`       Enum type to represent various types of intelligence data.
+:zeek:type:`Intel::TypeSet`: :zeek:type:`set`     Set of intelligence data types.
+:zeek:type:`Intel::Where`: :zeek:type:`enum`      Enum to represent where data came from when it was discovered.
+================================================= ==============================================================
+
+Redefinitions
+#############
+======================================= =========================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`Intel::LOG`
+======================================= =========================
+
+Events
+######
+=============================================== ==================================================================
+:zeek:id:`Intel::log_intel`: :zeek:type:`event` 
+:zeek:id:`Intel::match`: :zeek:type:`event`     Event to represent a match in the intelligence data from data that
+                                                was seen.
+=============================================== ==================================================================
+
+Hooks
+#####
+========================================================== =======================================================================
+:zeek:id:`Intel::extend_match`: :zeek:type:`hook`          This hook can be used to influence the logging of intelligence hits
+                                                           (e.g.
+:zeek:id:`Intel::filter_item`: :zeek:type:`hook`           This hook can be used to filter intelligence items that are about to be
+                                                           inserted into the internal data store.
+:zeek:id:`Intel::indicator_inserted`: :zeek:type:`hook`    This hook is invoked when a new indicator has been inserted into
+                                                           the min data store for the first time.
+:zeek:id:`Intel::indicator_removed`: :zeek:type:`hook`     This hook is invoked when an indicator has been removed from
+                                                           the min data store.
+:zeek:id:`Intel::item_expired`: :zeek:type:`hook`          This hook can be used to handle expiration of intelligence items.
+:zeek:id:`Intel::log_policy`: :zeek:type:`Log::PolicyHook` 
+:zeek:id:`Intel::seen_policy`: :zeek:type:`hook`           Hook to modify and intercept :zeek:see:`Intel::seen` behavior.
+========================================================== =======================================================================
+
+Functions
+#########
+=============================================== ==================================================================
+:zeek:id:`Intel::insert`: :zeek:type:`function` Function to insert intelligence data.
+:zeek:id:`Intel::remove`: :zeek:type:`function` Function to remove intelligence data.
+:zeek:id:`Intel::seen`: :zeek:type:`function`   Function to declare discovery of a piece of data in order to check
+                                                it against known intelligence for matches.
+=============================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Intel::item_expiration
+   :source-code: base/frameworks/intel/main.zeek 187 187
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``-1.0 min``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/intel/do_expire.zeek`
+
+      ``=``::
+
+         10.0 mins
+
+
+   The expiration timeout for intelligence items. Once an item expires, the
+   :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item
+   resets the timeout. A negative value disables expiration of intelligence
+   items.
+
+Types
+#####
+.. zeek:type:: Intel::Info
+   :source-code: base/frameworks/intel/main.zeek 104 121
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp when the data was discovered.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If a connection was associated with this intelligence hit,
+      this is the uid for the connection
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If a connection was associated with this intelligence hit,
+      this is the conn_id for the connection.
+
+
+   .. zeek:field:: seen :zeek:type:`Intel::Seen` :zeek:attr:`&log`
+
+      Where the data was seen.
+
+
+   .. zeek:field:: matched :zeek:type:`Intel::TypeSet` :zeek:attr:`&log`
+
+      Which indicator types matched.
+
+
+   .. zeek:field:: sources :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Sources which supplied data that resulted in this match.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/intel/files.zeek` is loaded)
+
+      If a file was associated with this intelligence hit,
+      this is the uid for the file.
+
+
+   .. zeek:field:: file_mime_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/intel/files.zeek` is loaded)
+
+      A mime type if the intelligence hit is related to a file.
+      If the $f field is provided this will be automatically filled
+      out.
+
+
+   .. zeek:field:: file_desc :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/intel/files.zeek` is loaded)
+
+      Frequently files can be "described" to give a bit more context.
+      If the $f field is provided this field will be automatically
+      filled out.
+
+
+   .. zeek:field:: cif :zeek:type:`Intel::CIF` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/integration/collective-intel/main.zeek` is loaded)
+
+
+   Record used for the logging framework representing a positive
+   hit within the intelligence framework.
+
+.. zeek:type:: Intel::Item
+   :source-code: base/frameworks/intel/main.zeek 54 64
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: indicator :zeek:type:`string`
+
+      The intelligence indicator.
+
+
+   .. zeek:field:: indicator_type :zeek:type:`Intel::Type`
+
+      The type of data that the indicator field represents.
+
+
+   .. zeek:field:: meta :zeek:type:`Intel::MetaData`
+
+      Metadata for the item. Typically represents more deeply
+      descriptive data for a piece of intelligence.
+
+
+   Represents a piece of intelligence.
+
+.. zeek:type:: Intel::MetaData
+   :source-code: base/frameworks/intel/main.zeek 42 51
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: source :zeek:type:`string`
+
+      An arbitrary string value representing the data source. This
+      value is used as unique key to identify a metadata record in
+      the scope of a single intelligence item.
+
+
+   .. zeek:field:: desc :zeek:type:`string` :zeek:attr:`&optional`
+
+      A freeform description for the data.
+
+
+   .. zeek:field:: url :zeek:type:`string` :zeek:attr:`&optional`
+
+      A URL for more information about the data.
+
+
+   .. zeek:field:: do_notice :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/intel/do_notice.zeek` is loaded)
+
+      A boolean value to allow the data itself to represent
+      if the indicator that this metadata is attached to
+      is notice worthy.
+
+
+   .. zeek:field:: if_in :zeek:type:`Intel::Where` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/intel/do_notice.zeek` is loaded)
+
+      Restrictions on when notices are created to only create
+      them if the *do_notice* field is T and the notice was
+      seen in the indicated location.
+
+
+   .. zeek:field:: whitelist :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/intel/whitelist.zeek` is loaded)
+
+      A boolean value to indicate whether the item is whitelisted.
+
+
+   .. zeek:field:: remove :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/intel/removal.zeek` is loaded)
+
+      A boolean value to indicate whether the item should be removed.
+
+
+   .. zeek:field:: cif_tags :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/integration/collective-intel/main.zeek` is loaded)
+
+      Maps to the 'tags' fields in CIF
+
+
+   .. zeek:field:: cif_confidence :zeek:type:`double` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/integration/collective-intel/main.zeek` is loaded)
+
+      Maps to the 'confidence' field in CIF
+
+
+   .. zeek:field:: cif_source :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/integration/collective-intel/main.zeek` is loaded)
+
+      Maps to the 'source' field in CIF
+
+
+   .. zeek:field:: cif_description :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/integration/collective-intel/main.zeek` is loaded)
+
+      Maps to the 'description' field in CIF
+
+
+   .. zeek:field:: cif_firstseen :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/integration/collective-intel/main.zeek` is loaded)
+
+      Maps to the 'firstseen' field in CIF
+
+
+   .. zeek:field:: cif_lastseen :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/integration/collective-intel/main.zeek` is loaded)
+
+      Maps to the 'lastseen' field in CIF
+
+
+   Data about an :zeek:type:`Intel::Item`.
+
+.. zeek:type:: Intel::Seen
+   :source-code: base/frameworks/intel/main.zeek 74 100
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: indicator :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The string if the data is about a string.
+
+
+   .. zeek:field:: indicator_type :zeek:type:`Intel::Type` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The type of data that the indicator represents.
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&optional`
+
+      If the indicator type was :zeek:enum:`Intel::ADDR`, then this
+      field will be present.
+
+
+   .. zeek:field:: where :zeek:type:`Intel::Where` :zeek:attr:`&log`
+
+      Where the data was discovered.
+
+
+   .. zeek:field:: node :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      The name of the node where the match was discovered.
+
+
+   .. zeek:field:: conn :zeek:type:`connection` :zeek:attr:`&optional`
+
+      If the data was discovered within a connection, the
+      connection record should go here to give context to the data.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&optional`
+
+      If the data was discovered within a connection, the
+      connection uid should go here to give context to the data.
+      If the *conn* field is provided, this will be automatically
+      filled out.
+
+
+   .. zeek:field:: f :zeek:type:`fa_file` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/intel/files.zeek` is loaded)
+
+      If the data was discovered within a file, the file record
+      should go here to provide context to the data.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/intel/files.zeek` is loaded)
+
+      If the data was discovered within a file, the file uid should
+      go here to provide context to the data. If the file record *f*
+      is provided, this will be automatically filled out.
+
+
+   Information about a piece of "seen" data.
+
+.. zeek:type:: Intel::Type
+   :source-code: base/frameworks/intel/main.zeek 16 37
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Intel::ADDR Intel::Type
+
+         An IP address.
+
+      .. zeek:enum:: Intel::SUBNET Intel::Type
+
+         A subnet in CIDR notation.
+
+      .. zeek:enum:: Intel::URL Intel::Type
+
+         A complete URL without the prefix ``"http://"``.
+
+      .. zeek:enum:: Intel::SOFTWARE Intel::Type
+
+         Software name.
+
+      .. zeek:enum:: Intel::EMAIL Intel::Type
+
+         Email address.
+
+      .. zeek:enum:: Intel::DOMAIN Intel::Type
+
+         DNS domain name.
+
+      .. zeek:enum:: Intel::USER_NAME Intel::Type
+
+         A user name.
+
+      .. zeek:enum:: Intel::CERT_HASH Intel::Type
+
+         Certificate SHA-1 hash.
+
+      .. zeek:enum:: Intel::PUBKEY_HASH Intel::Type
+
+         Public key MD5 hash, formatted as hexadecimal digits delimited by colons.
+         (SSH server host keys are a good example.)
+
+      .. zeek:enum:: Intel::FILE_HASH Intel::Type
+
+         (present if :doc:`/scripts/base/frameworks/intel/files.zeek` is loaded)
+
+
+         File hash which is non-hash type specific.  It's up to the
+         user to query for any relevant hash types.
+
+      .. zeek:enum:: Intel::FILE_NAME Intel::Type
+
+         (present if :doc:`/scripts/base/frameworks/intel/files.zeek` is loaded)
+
+
+         File name.  Typically with protocols with definite
+         indications of a file name.
+
+   Enum type to represent various types of intelligence data.
+
+.. zeek:type:: Intel::TypeSet
+   :source-code: base/frameworks/intel/main.zeek 39 39
+
+   :Type: :zeek:type:`set` [:zeek:type:`Intel::Type`]
+
+   Set of intelligence data types.
+
+.. zeek:type:: Intel::Where
+   :source-code: base/frameworks/intel/main.zeek 68 72
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Intel::IN_ANYWHERE Intel::Where
+
+         A catchall value to represent data of unknown provenance.
+
+      .. zeek:enum:: Conn::IN_ORIG Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: Conn::IN_RESP Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: Files::IN_HASH Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: Files::IN_NAME Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: DNS::IN_REQUEST Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: DNS::IN_RESPONSE Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: HTTP::IN_HOST_HEADER Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: HTTP::IN_REFERRER_HEADER Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: HTTP::IN_USER_AGENT_HEADER Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: HTTP::IN_X_FORWARDED_FOR_HEADER Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: HTTP::IN_URL Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_MAIL_FROM Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_RCPT_TO Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_FROM Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_TO Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_CC Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_RECEIVED_HEADER Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_REPLY_TO Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_X_ORIGINATING_IP_HEADER Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_MESSAGE Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SSH::IN_SERVER_HOST_KEY Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SSL::IN_SERVER_NAME Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::IN_HEADER Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: X509::IN_CERT Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SMB::IN_FILE_NAME Intel::Where
+
+         (present if :doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek` is loaded)
+
+
+      .. zeek:enum:: SSH::SUCCESSFUL_LOGIN Intel::Where
+
+         (present if :doc:`/scripts/policy/protocols/ssh/detect-bruteforcing.zeek` is loaded)
+
+
+         An indicator of the login for the intel framework.
+
+   Enum to represent where data came from when it was discovered.
+   The convention is to prefix the name with ``IN_``.
+
+Events
+######
+.. zeek:id:: Intel::log_intel
+   :source-code: base/frameworks/intel/main.zeek 239 239
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Intel::Info`)
+
+
+.. zeek:id:: Intel::match
+   :source-code: base/frameworks/intel/main.zeek 146 146
+
+   :Type: :zeek:type:`event` (s: :zeek:type:`Intel::Seen`, items: :zeek:type:`set` [:zeek:type:`Intel::Item`])
+
+   Event to represent a match in the intelligence data from data that
+   was seen. On clusters there is no assurance as to when this event
+   will be generated so do not assume that arbitrary global state beyond
+   the given data will be available.
+   
+   This is the primary mechanism where a user may take actions based on
+   data provided by the intelligence framework.
+   
+   .. zeek::see:: Intel::seen_policy
+
+Hooks
+#####
+.. zeek:id:: Intel::extend_match
+   :source-code: base/frameworks/intel/main.zeek 160 160
+
+   :Type: :zeek:type:`hook` (info: :zeek:type:`Intel::Info`, s: :zeek:type:`Intel::Seen`, items: :zeek:type:`set` [:zeek:type:`Intel::Item`]) : :zeek:type:`bool`
+
+   This hook can be used to influence the logging of intelligence hits
+   (e.g. by adding data to the Info record). The default information is
+   added with a priority of 5.
+   
+
+   :param info: The Info record that will be logged.
+   
+
+   :param s: Information about the data seen.
+   
+
+   :param items: The intel items that match the seen data.
+   
+   In case the hook execution is terminated using break, the match will
+   not be logged.
+
+.. zeek:id:: Intel::filter_item
+   :source-code: policy/frameworks/intel/removal.zeek 14 22
+
+   :Type: :zeek:type:`hook` (item: :zeek:type:`Intel::Item`) : :zeek:type:`bool`
+
+   This hook can be used to filter intelligence items that are about to be
+   inserted into the internal data store. In case the hook execution is
+   terminated using break, the item will not be (re)added to the internal
+   data store.
+   
+
+   :param item: The intel item that should be inserted.
+
+.. zeek:id:: Intel::indicator_inserted
+   :source-code: policy/frameworks/intel/seen/manage-event-groups.zeek 42 57
+
+   :Type: :zeek:type:`hook` (indicator: :zeek:type:`string`, indiator_type: :zeek:type:`Intel::Type`) : :zeek:type:`bool`
+
+   This hook is invoked when a new indicator has been inserted into
+   the min data store for the first time.
+   
+   Calls to :zeek:see:`Intel::seen` with a matching indicator value
+   and type will result in matches.
+   
+   Subsequent inserts of the same indicator type and value do not
+   invoke this hook. Breaking from this hook has no effect.
+   
+
+   :param indicator: The indicator value.
+   
+
+   :param indicator_type: The indicator type.
+   
+   .. zeek::see:: Intel::indicator_removed
+
+.. zeek:id:: Intel::indicator_removed
+   :source-code: policy/frameworks/intel/seen/manage-event-groups.zeek 59 74
+
+   :Type: :zeek:type:`hook` (indicator: :zeek:type:`string`, indiator_type: :zeek:type:`Intel::Type`) : :zeek:type:`bool`
+
+   This hook is invoked when an indicator has been removed from
+   the min data store.
+   
+   After this hooks runs, :zeek:see:`Intel::seen` for the indicator
+   will not return any matches. Breaking from this hook has no effect.
+   
+
+   :param indicator: The indicator value.
+   
+
+   :param indicator_type: The indicator type.
+   
+   .. zeek::see:: Intel::indicator_inserted
+
+.. zeek:id:: Intel::item_expired
+   :source-code: policy/frameworks/intel/do_expire.zeek 10 14
+
+   :Type: :zeek:type:`hook` (indicator: :zeek:type:`string`, indicator_type: :zeek:type:`Intel::Type`, metas: :zeek:type:`set` [:zeek:type:`Intel::MetaData`]) : :zeek:type:`bool`
+
+   This hook can be used to handle expiration of intelligence items.
+   
+
+   :param indicator: The indicator of the expired item.
+   
+
+   :param indicator_type: The indicator type of the expired item.
+   
+
+   :param metas: The set of metadata describing the expired item.
+   
+   If all hook handlers are executed, the expiration timeout will be reset.
+   Otherwise, if one of the handlers terminates using break, the item will
+   be removed.
+
+.. zeek:id:: Intel::log_policy
+   :source-code: base/frameworks/intel/main.zeek 13 13
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+.. zeek:id:: Intel::seen_policy
+   :source-code: base/frameworks/intel/main.zeek 181 181
+
+   :Type: :zeek:type:`hook` (s: :zeek:type:`Intel::Seen`, found: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Hook to modify and intercept :zeek:see:`Intel::seen` behavior.
+   
+   This hook is invoked after the Intel datastore was searched for
+   a given :zeek:see:`Intel::Seen` instance. If a matching entry was
+   found, the *found* argument is set to ``T``, else ``F``.
+   
+   Breaking from this hook suppresses :zeek:see:`Intel::match`
+   event generation and any subsequent logging.
+   
+   Note that this hook only runs on the Zeek node where :zeek:see:`Intel::seen`
+   is invoked. In a cluster configuration that is usually on the worker nodes.
+   This is in contrast to :zeek:see:`Intel::match` that usually runs
+   centrally on the the manager node instead.
+   
+
+   :param s: The :zeek:see:`Intel::Seen` instance passed to the :zeek:see:`Intel::seen` function.
+   
+
+   :param found: ``T`` if Intel datastore contained *s*, else ``F``.
+   
+   .. zeek::see:: Intel::match
+
+Functions
+#########
+.. zeek:id:: Intel::insert
+   :source-code: base/frameworks/intel/main.zeek 596 603
+
+   :Type: :zeek:type:`function` (item: :zeek:type:`Intel::Item`) : :zeek:type:`void`
+
+   Function to insert intelligence data. If the indicator is already
+   present, the associated metadata will be added to the indicator. If
+   the indicator already contains a metadata record from the same source,
+   the existing metadata record will be updated.
+
+.. zeek:id:: Intel::remove
+   :source-code: base/frameworks/intel/main.zeek 649 688
+
+   :Type: :zeek:type:`function` (item: :zeek:type:`Intel::Item`, purge_indicator: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`void`
+
+   Function to remove intelligence data. If purge_indicator is set, the
+   given metadata is ignored and the indicator is removed completely.
+
+.. zeek:id:: Intel::seen
+   :source-code: base/frameworks/intel/main.zeek 405 433
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Intel::Seen`) : :zeek:type:`void`
+
+   Function to declare discovery of a piece of data in order to check
+   it against known intelligence for matches.
+
+
diff --git a/doc/scripts/base/frameworks/logging/__load__.zeek.rst b/doc/scripts/base/frameworks/logging/__load__.zeek.rst
new file mode 100644
index 0000000000..74f79346ac
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/logging/__load__.zeek
+=====================================
+
+
+:Imports: :doc:`base/frameworks/logging/main.zeek </scripts/base/frameworks/logging/main.zeek>`, :doc:`base/frameworks/logging/postprocessors </scripts/base/frameworks/logging/postprocessors/index>`, :doc:`base/frameworks/logging/writers/ascii.zeek </scripts/base/frameworks/logging/writers/ascii.zeek>`, :doc:`base/frameworks/logging/writers/none.zeek </scripts/base/frameworks/logging/writers/none.zeek>`, :doc:`base/frameworks/logging/writers/sqlite.zeek </scripts/base/frameworks/logging/writers/sqlite.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/logging/index.rst b/doc/scripts/base/frameworks/logging/index.rst
new file mode 100644
index 0000000000..8c317d7dea
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/index.rst
@@ -0,0 +1,87 @@
+:orphan:
+
+Package: base/frameworks/logging
+================================
+
+The logging framework provides a flexible key-value based logging interface.
+
+:doc:`/scripts/base/frameworks/logging/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/logging/main.zeek`
+
+   The Zeek logging interface.
+   
+   See :doc:`/frameworks/logging` for an introduction to Zeek's
+   logging framework.
+
+:doc:`/scripts/base/frameworks/logging/postprocessors/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/logging/postprocessors/scp.zeek`
+
+   This script defines a postprocessing function that can be applied
+   to a logging filter in order to automatically SCP (secure copy)
+   a log stream (or a subset of it) to a remote host at configurable
+   rotation time intervals.  Generally, to use this functionality
+   you must handle the :zeek:id:`zeek_init` event and do the following
+   in your handler:
+   
+   1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
+      rotation interval, and set the ``postprocessor`` to
+      :zeek:id:`Log::scp_postprocessor`.
+   2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
+   3) Add a table entry to :zeek:id:`Log::scp_destinations` for the filter's
+      writer/path pair which defines a set of :zeek:type:`Log::SCPDestination`
+      records.
+
+:doc:`/scripts/base/frameworks/logging/postprocessors/sftp.zeek`
+
+   This script defines a postprocessing function that can be applied
+   to a logging filter in order to automatically SFTP
+   a log stream (or a subset of it) to a remote host at configurable
+   rotation time intervals.  Generally, to use this functionality
+   you must handle the :zeek:id:`zeek_init` event and do the following
+   in your handler:
+   
+   1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
+      rotation interval, and set the ``postprocessor`` to
+      :zeek:id:`Log::sftp_postprocessor`.
+   2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
+   3) Add a table entry to :zeek:id:`Log::sftp_destinations` for the filter's
+      writer/path pair which defines a set of :zeek:type:`Log::SFTPDestination`
+      records.
+
+:doc:`/scripts/base/frameworks/logging/writers/ascii.zeek`
+
+   Interface for the ASCII log writer.  Redefinable options are available
+   to tweak the output format of ASCII logs.
+   
+   The ASCII writer currently supports one writer-specific per-filter config
+   option: setting ``tsv`` to the string ``T`` turns the output into
+   "tab-separated-value" mode where only a single header row with the column
+   names is printed out as meta information, with no "# fields" prepended; no
+   other meta data gets included in that mode.  Example filter using this::
+   
+      local f = Log::Filter($name = "my-filter",
+                            $writer = Log::WRITER_ASCII,
+                            $config = table(["tsv"] = "T"));
+   
+
+:doc:`/scripts/base/frameworks/logging/writers/sqlite.zeek`
+
+   Interface for the SQLite log writer. Redefinable options are available
+   to tweak the output format of the SQLite reader.
+   
+   See :doc:`/frameworks/logging-input-sqlite` for an introduction on how to
+   use the SQLite log writer.
+   
+   The SQL writer currently supports one writer-specific filter option via
+   ``config``: setting ``tablename`` sets the name of the table that is used
+   or created in the SQLite database. An example for this is given in the
+   introduction mentioned above.
+
+:doc:`/scripts/base/frameworks/logging/writers/none.zeek`
+
+   Interface for the None log writer. This writer is mainly for debugging.
+
diff --git a/doc/scripts/base/frameworks/logging/main.zeek.rst b/doc/scripts/base/frameworks/logging/main.zeek.rst
new file mode 100644
index 0000000000..cf67474836
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/main.zeek.rst
@@ -0,0 +1,1825 @@
+:tocdepth: 3
+
+base/frameworks/logging/main.zeek
+=================================
+.. zeek:namespace:: Log
+
+The Zeek logging interface.
+
+See :doc:`/frameworks/logging` for an introduction to Zeek's
+logging framework.
+
+:Namespace: Log
+:Imports: :doc:`base/bif/logging.bif.zeek </scripts/base/bif/logging.bif.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================================== ==================================================================
+:zeek:id:`Log::default_rotation_dir`: :zeek:type:`string` :zeek:attr:`&redef`                  Default rotation directory to use for the *dir* field of
+                                                                                               :zeek:see:`Log::RotationPath` during calls to
+                                                                                               :zeek:see:`Log::rotation_format_func`.
+:zeek:id:`Log::default_rotation_postprocessor_cmd_env`: :zeek:type:`table` :zeek:attr:`&redef` This table contains environment variables to be used for the
+                                                                                               :zeek:see:`Log::default_rotation_postprocessor_cmd` command
+                                                                                               when executed via :zeek:see:`Log::run_rotation_postprocessor_cmd`.
+============================================================================================== ==================================================================
+
+Redefinable Options
+###################
+=========================================================================================== =====================================================================
+:zeek:id:`Log::default_ext_prefix`: :zeek:type:`string` :zeek:attr:`&redef`                 A prefix for extension fields which can be optionally prefixed
+                                                                                            on all log lines by setting the ``ext_func`` field in the
+                                                                                            log filter.
+:zeek:id:`Log::default_field_name_map`: :zeek:type:`table` :zeek:attr:`&redef`              Default field name mapping for renaming fields in a logging framework
+                                                                                            filter.
+:zeek:id:`Log::default_logdir`: :zeek:type:`string` :zeek:attr:`&redef`                     Default logging directory.
+:zeek:id:`Log::default_mail_alarms_interval`: :zeek:type:`interval` :zeek:attr:`&redef`     Default alarm summary mail interval.
+:zeek:id:`Log::default_max_delay_interval`: :zeek:type:`interval` :zeek:attr:`&redef`       Maximum default log write delay for a stream.
+:zeek:id:`Log::default_max_delay_queue_size`: :zeek:type:`count` :zeek:attr:`&redef`        The maximum length of the write delay queue per stream.
+:zeek:id:`Log::default_rotation_date_format`: :zeek:type:`string` :zeek:attr:`&redef`       Default naming format for timestamps embedded into filenames.
+:zeek:id:`Log::default_rotation_interval`: :zeek:type:`interval` :zeek:attr:`&redef`        Default rotation interval to use for filters that do not specify
+                                                                                            an interval.
+:zeek:id:`Log::default_rotation_postprocessor_cmd`: :zeek:type:`string` :zeek:attr:`&redef` Default shell command to run on rotated files.
+:zeek:id:`Log::default_rotation_postprocessors`: :zeek:type:`table` :zeek:attr:`&redef`     Specifies the default postprocessor function per writer type.
+:zeek:id:`Log::default_scope_sep`: :zeek:type:`string` :zeek:attr:`&redef`                  Default separator for log field scopes when logs are unrolled and
+                                                                                            flattened.
+:zeek:id:`Log::default_writer`: :zeek:type:`Log::Writer` :zeek:attr:`&redef`                Default writer to use if a filter does not specify anything else.
+:zeek:id:`Log::empty_field`: :zeek:type:`string` :zeek:attr:`&redef`                        Default string to use for empty fields.
+:zeek:id:`Log::enable_local_logging`: :zeek:type:`bool` :zeek:attr:`&redef`                 If true, local logging is by default enabled for all filters.
+:zeek:id:`Log::enable_remote_logging`: :zeek:type:`bool` :zeek:attr:`&redef`                If true, remote logging is by default enabled for all filters.
+:zeek:id:`Log::print_log_path`: :zeek:type:`string` :zeek:attr:`&redef`                     If :zeek:see:`Log::print_to_log` is enabled to write to a print log,
+                                                                                            this is the path to which the print Log Stream writes to
+:zeek:id:`Log::print_to_log`: :zeek:type:`Log::PrintLogType` :zeek:attr:`&redef`            Set configuration for ``print`` statements redirected to logs.
+:zeek:id:`Log::separator`: :zeek:type:`string` :zeek:attr:`&redef`                          Default separator to use between fields.
+:zeek:id:`Log::set_separator`: :zeek:type:`string` :zeek:attr:`&redef`                      Default separator to use between elements of a set.
+:zeek:id:`Log::unset_field`: :zeek:type:`string` :zeek:attr:`&redef`                        Default string to use for an unset &optional field.
+=========================================================================================== =====================================================================
+
+Constants
+#########
+=================================================== =========================================================================
+:zeek:id:`Log::no_filter`: :zeek:type:`Log::Filter` Sentinel value for indicating that a filter was not found when looked up.
+=================================================== =========================================================================
+
+State Variables
+###############
+================================================== ========================================================
+:zeek:id:`Log::active_streams`: :zeek:type:`table` The streams which are currently active and not disabled.
+================================================== ========================================================
+
+Types
+#####
+================================================================== ==============================================================================
+:zeek:type:`Log::DelayToken`: :zeek:type:`opaque`                  Type of the opaque value returned by :zeek:see:`Log::delay`.
+:zeek:type:`Log::Filter`: :zeek:type:`record`                      A filter type describes how to customize logging streams.
+:zeek:type:`Log::ID`: :zeek:type:`enum`                            Type that defines an ID unique to each log stream.
+:zeek:type:`Log::PolicyHook`: :zeek:type:`hook`                    A hook type to implement filtering policy at log filter
+                                                                   granularity.
+:zeek:type:`Log::PostDelayCallback`: :zeek:type:`function`         Type of function to invoke when delaying a log write has completed.
+:zeek:type:`Log::PrintLogInfo`: :zeek:type:`record`                If :zeek:see:`Log::print_to_log` is set to redirect, ``print`` statements will
+                                                                   automatically populate log entries with the fields contained in this record.
+:zeek:type:`Log::PrintLogType`: :zeek:type:`enum`                  Configurations for :zeek:see:`Log::print_to_log`
+:zeek:type:`Log::RotationFmtInfo`: :zeek:type:`record`             Information passed into rotation format callback function given by
+                                                                   :zeek:see:`Log::rotation_format_func`.
+:zeek:type:`Log::RotationInfo`: :zeek:type:`record`                Information passed into rotation callback functions.
+:zeek:type:`Log::RotationPath`: :zeek:type:`record`                A log file rotation path specification that's returned by the
+                                                                   user-customizable :zeek:see:`Log::rotation_format_func`.
+:zeek:type:`Log::RotationPostProcessorFunc`: :zeek:type:`function` The function type for log rotation post processors.
+:zeek:type:`Log::Stream`: :zeek:type:`record`                      Type defining the content of a logging stream.
+:zeek:type:`Log::StreamPolicyHook`: :zeek:type:`hook`              A hook type to implement filtering policy.
+:zeek:type:`Log::Writer`: :zeek:type:`enum`                        
+================================================================== ==============================================================================
+
+Redefinitions
+#############
+======================================================================================= =============================================================
+:zeek:type:`Log::Filter`: :zeek:type:`record`                                           
+                                                                                        
+                                                                                        :New Fields: :zeek:type:`Log::Filter`
+                                                                                        
+                                                                                          policy: :zeek:type:`Log::PolicyHook` :zeek:attr:`&optional`
+                                                                                            Policy hooks can adjust log entry values and veto
+                                                                                            the writing of a log entry for the record passed
+                                                                                            into it.
+:zeek:id:`Log::default_rotation_postprocessors`: :zeek:type:`table` :zeek:attr:`&redef` 
+======================================================================================= =============================================================
+
+Events
+######
+============================================= =========================================
+:zeek:id:`Log::log_print`: :zeek:type:`event` Event for accessing logged print records.
+============================================= =========================================
+
+Hooks
+#####
+===================================================================== ===========================
+:zeek:id:`Log::log_stream_policy`: :zeek:type:`Log::StreamPolicyHook` The global log policy hook.
+===================================================================== ===========================
+
+Functions
+#########
+=============================================================================== ==========================================================================
+:zeek:id:`Log::add_default_filter`: :zeek:type:`function`                       Adds a default :zeek:type:`Log::Filter` record with ``name`` field
+                                                                                set as "default" to a given logging stream.
+:zeek:id:`Log::add_filter`: :zeek:type:`function`                               Adds a custom filter to an existing logging stream.
+:zeek:id:`Log::create_stream`: :zeek:type:`function`                            Creates a new logging stream with the default filter.
+:zeek:id:`Log::default_ext_func`: :zeek:type:`function` :zeek:attr:`&redef`     Default log extension function in the case that you would like to
+                                                                                apply the same extensions to all logs.
+:zeek:id:`Log::default_path_func`: :zeek:type:`function` :zeek:attr:`&redef`    Builds the default path values for log filters if not otherwise
+                                                                                specified by a filter.
+:zeek:id:`Log::delay`: :zeek:type:`function`                                    Delay a log write.
+:zeek:id:`Log::delay_finish`: :zeek:type:`function`                             Release a delay reference taken with :zeek:see:`Log::delay`.
+:zeek:id:`Log::disable_stream`: :zeek:type:`function`                           Disables a currently enabled logging stream.
+:zeek:id:`Log::empty_post_delay_cb`: :zeek:type:`function`                      Represents a post delay callback that simply returns T.
+:zeek:id:`Log::enable_stream`: :zeek:type:`function`                            Enables a previously disabled logging stream.
+:zeek:id:`Log::flush`: :zeek:type:`function`                                    Flushes any currently buffered output for all the writers of a given
+                                                                                logging stream.
+:zeek:id:`Log::get_delay_queue_size`: :zeek:type:`function`                     Get the current size of the delay queue for a stream.
+:zeek:id:`Log::get_filter`: :zeek:type:`function`                               Gets a filter associated with an existing logging stream.
+:zeek:id:`Log::get_filter_names`: :zeek:type:`function`                         Gets the names of all filters associated with an existing
+                                                                                logging stream.
+:zeek:id:`Log::remove_default_filter`: :zeek:type:`function`                    Removes the :zeek:type:`Log::Filter` with ``name`` field equal to
+                                                                                "default".
+:zeek:id:`Log::remove_filter`: :zeek:type:`function`                            Removes a filter from an existing logging stream.
+:zeek:id:`Log::remove_stream`: :zeek:type:`function`                            Removes a logging stream completely, stopping all the threads.
+:zeek:id:`Log::rotation_format_func`: :zeek:type:`function` :zeek:attr:`&redef` A function that one may use to customize log file rotation paths.
+:zeek:id:`Log::run_rotation_postprocessor_cmd`: :zeek:type:`function`           Runs a command given by :zeek:id:`Log::default_rotation_postprocessor_cmd`
+                                                                                on a rotated file.
+:zeek:id:`Log::set_buf`: :zeek:type:`function`                                  Sets the buffering status for all the writers of a given logging stream.
+:zeek:id:`Log::set_max_delay_interval`: :zeek:type:`function`                   Set the maximum delay for a stream.
+:zeek:id:`Log::set_max_delay_queue_size`: :zeek:type:`function`                 Set the given stream's delay queue size.
+:zeek:id:`Log::write`: :zeek:type:`function`                                    Writes a new log line/entry to a logging stream.
+=============================================================================== ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Log::default_rotation_dir
+   :source-code: base/frameworks/logging/main.zeek 141 141
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/persistence.zeek`
+
+      ``=``::
+
+         build_path(Management::get_spool_dir(), log-queue)
+
+
+   Default rotation directory to use for the *dir* field of
+   :zeek:see:`Log::RotationPath` during calls to
+   :zeek:see:`Log::rotation_format_func`.  An empty string implies
+   using the current working directory;
+
+.. zeek:id:: Log::default_rotation_postprocessor_cmd_env
+   :source-code: base/frameworks/logging/main.zeek 181 181
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   This table contains environment variables to be used for the
+   :zeek:see:`Log::default_rotation_postprocessor_cmd` command
+   when executed via :zeek:see:`Log::run_rotation_postprocessor_cmd`.
+   
+   The entries in this table will be prepended with ``ZEEK_ARG_``
+   as done by :zeek:see:`system_env`.
+
+Redefinable Options
+###################
+.. zeek:id:: Log::default_ext_prefix
+   :source-code: base/frameworks/logging/main.zeek 208 208
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"_"``
+
+   A prefix for extension fields which can be optionally prefixed
+   on all log lines by setting the ``ext_func`` field in the
+   log filter.
+
+.. zeek:id:: Log::default_field_name_map
+   :source-code: base/frameworks/logging/main.zeek 197 197
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Default field name mapping for renaming fields in a logging framework
+   filter.  This is typically used to ease integration with external
+   data storage and analysis systems.
+
+.. zeek:id:: Log::default_logdir
+   :source-code: base/frameworks/logging/main.zeek 35 35
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Default logging directory. An empty string implies using the
+   current working directory.
+   
+   This directory is also used for rotated logs in cases where
+   :zeek:see:`Log::rotation_format_func` returns a record with
+   an empty or unset ``dir`` field.
+
+.. zeek:id:: Log::default_mail_alarms_interval
+   :source-code: base/frameworks/logging/main.zeek 192 192
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0 secs``
+
+   Default alarm summary mail interval. Zero disables alarm summary
+   mails.
+   
+   Note that this is overridden by the ZeekControl MailAlarmsInterval
+   option.
+
+.. zeek:id:: Log::default_max_delay_interval
+   :source-code: base/frameworks/logging/main.zeek 221 221
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``200.0 msecs``
+
+   Maximum default log write delay for a stream. A :zeek:see:`Log::write`
+   operation is delayed by at most this interval if :zeek:see:`Log::delay`
+   is called within :zeek:see:`Log::log_stream_policy`.
+
+.. zeek:id:: Log::default_max_delay_queue_size
+   :source-code: base/frameworks/logging/main.zeek 227 227
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   The maximum length of the write delay queue per stream. If exceeded,
+   an attempt is made to evict the oldest writes from the queue. If
+   post delay callbacks re-delay a write operation, the maximum queue
+   size may be exceeded.
+
+.. zeek:id:: Log::default_rotation_date_format
+   :source-code: base/frameworks/logging/main.zeek 170 170
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"%Y-%m-%d-%H-%M-%S"``
+
+   Default naming format for timestamps embedded into filenames.
+   Uses a ``strftime()`` style.
+
+.. zeek:id:: Log::default_rotation_interval
+   :source-code: base/frameworks/logging/main.zeek 135 135
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0 secs``
+
+   Default rotation interval to use for filters that do not specify
+   an interval. Zero disables rotation.
+   
+   Note that this is overridden by the ZeekControl LogRotationInterval
+   option.
+
+.. zeek:id:: Log::default_rotation_postprocessor_cmd
+   :source-code: base/frameworks/logging/main.zeek 173 173
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Default shell command to run on rotated files. Empty for none.
+
+.. zeek:id:: Log::default_rotation_postprocessors
+   :source-code: base/frameworks/logging/main.zeek 185 185
+
+   :Type: :zeek:type:`table` [:zeek:type:`Log::Writer`] of :zeek:type:`function` (info: :zeek:type:`Log::RotationInfo`) : :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+   :Redefinition: from :doc:`/scripts/base/frameworks/logging/main.zeek`
+
+      ``+=``::
+
+         Log::WRITER_ASCII = Log::default_ascii_rotation_postprocessor_func
+
+   :Redefinition: from :doc:`/scripts/base/frameworks/logging/writers/none.zeek`
+
+      ``+=``::
+
+         Log::WRITER_NONE = LogNone::default_rotation_postprocessor_func
+
+
+   Specifies the default postprocessor function per writer type.
+   Entries in this table are initialized by each writer type.
+
+.. zeek:id:: Log::default_scope_sep
+   :source-code: base/frameworks/logging/main.zeek 203 203
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"."``
+
+   Default separator for log field scopes when logs are unrolled and
+   flattened.  This will be the string between field name components.
+   For example, setting this to ``_`` will cause the typical field
+   ``id.orig_h`` to turn into ``id_orig_h``.
+
+.. zeek:id:: Log::default_writer
+   :source-code: base/frameworks/logging/main.zeek 27 27
+
+   :Type: :zeek:type:`Log::Writer`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Log::WRITER_ASCII``
+
+   Default writer to use if a filter does not specify anything else.
+
+.. zeek:id:: Log::empty_field
+   :source-code: base/frameworks/logging/main.zeek 48 48
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"(empty)"``
+
+   Default string to use for empty fields. This should be different
+   from *unset_field* to make the output unambiguous.
+   Individual writers can use a different value.
+
+.. zeek:id:: Log::enable_local_logging
+   :source-code: base/frameworks/logging/main.zeek 21 21
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, local logging is by default enabled for all filters.
+
+.. zeek:id:: Log::enable_remote_logging
+   :source-code: base/frameworks/logging/main.zeek 24 24
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, remote logging is by default enabled for all filters.
+
+.. zeek:id:: Log::print_log_path
+   :source-code: base/frameworks/logging/main.zeek 101 101
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"print"``
+
+   If :zeek:see:`Log::print_to_log` is enabled to write to a print log,
+   this is the path to which the print Log Stream writes to
+
+.. zeek:id:: Log::print_to_log
+   :source-code: base/frameworks/logging/main.zeek 97 97
+
+   :Type: :zeek:type:`Log::PrintLogType`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Log::REDIRECT_NONE``
+
+   Set configuration for ``print`` statements redirected to logs.
+
+.. zeek:id:: Log::separator
+   :source-code: base/frameworks/logging/main.zeek 39 39
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"\x09"``
+
+   Default separator to use between fields.
+   Individual writers can use a different value.
+
+.. zeek:id:: Log::set_separator
+   :source-code: base/frameworks/logging/main.zeek 43 43
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``","``
+
+   Default separator to use between elements of a set.
+   Individual writers can use a different value.
+
+.. zeek:id:: Log::unset_field
+   :source-code: base/frameworks/logging/main.zeek 52 52
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"-"``
+
+   Default string to use for an unset &optional field.
+   Individual writers can use a different value.
+
+Constants
+#########
+.. zeek:id:: Log::no_filter
+   :source-code: base/frameworks/logging/main.zeek 448 448
+
+   :Type: :zeek:type:`Log::Filter`
+   :Default:
+
+      ::
+
+         {
+            name="<not found>"
+            writer=Log::WRITER_ASCII
+            path=<uninitialized>
+            path_func=<uninitialized>
+            include=<uninitialized>
+            exclude=<uninitialized>
+            log_local=T
+            log_remote=T
+            field_name_map={
+
+            }
+            scope_sep="."
+            ext_prefix="_"
+            ext_func=lambda_<4692973652431675528>: function(path:string) : void
+            ;
+            interv=0 secs
+            postprocessor=<uninitialized>
+            config={
+
+            }
+            policy=<uninitialized>
+         }
+
+
+   Sentinel value for indicating that a filter was not found when looked up.
+
+State Variables
+###############
+.. zeek:id:: Log::active_streams
+   :source-code: base/frameworks/logging/main.zeek 646 646
+
+   :Type: :zeek:type:`table` [:zeek:type:`Log::ID`] of :zeek:type:`Log::Stream`
+   :Default: ``{}``
+
+   The streams which are currently active and not disabled.
+   This table is not meant to be modified by users!  Only use it for
+   examining which streams are active.
+
+Types
+#####
+.. zeek:type:: Log::DelayToken
+   :source-code: base/frameworks/logging/main.zeek 667 667
+
+   :Type: :zeek:type:`opaque` of LogDelayToken
+
+   Type of the opaque value returned by :zeek:see:`Log::delay`. These
+   values can be passed to :zeek:see:`Log::delay_finish` to release a
+   delayed write operation.
+
+.. zeek:type:: Log::Filter
+   :source-code: base/frameworks/logging/main.zeek 230 323
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Descriptive name to reference this filter.
+
+
+   .. zeek:field:: writer :zeek:type:`Log::Writer` :zeek:attr:`&default` = :zeek:see:`Log::default_writer` :zeek:attr:`&optional`
+
+      The logging writer implementation to use.
+
+
+   .. zeek:field:: path :zeek:type:`string` :zeek:attr:`&optional`
+
+      Output path for recording entries matching this
+      filter.
+      
+      The specific interpretation of the string is up to the
+      logging writer, and may for example be the destination
+      file name. Generally, filenames are expected to be given
+      without any extensions; writers will add appropriate
+      extensions automatically.
+      
+      If this path is found to conflict with another filter's
+      for the same writer type, it is automatically corrected
+      by appending "-N", where N is the smallest integer greater
+      or equal to 2 that allows the corrected path name to not
+      conflict with another filter's.
+
+
+   .. zeek:field:: path_func :zeek:type:`function` (id: :zeek:type:`Log::ID`, path: :zeek:type:`string`, rec: :zeek:type:`any`) : :zeek:type:`string` :zeek:attr:`&optional`
+
+      A function returning the output path for recording entries
+      matching this filter. This is similar to *path* yet allows
+      to compute the string dynamically. It is ok to return
+      different strings for separate calls, but be careful: it's
+      easy to flood the disk by returning a new string for each
+      connection.  Upon adding a filter to a stream, if neither
+      ``path`` nor ``path_func`` is explicitly set by them, then
+      :zeek:see:`Log::default_path_func` is used.
+      
+
+      :param id: The ID associated with the log stream.
+      
+
+      :param path: A suggested path value, which may be either the filter's
+            ``path`` if defined, else a previous result from the
+            function.  If no ``path`` is defined for the filter,
+            then the first call to the function will contain an
+            empty string.
+      
+
+      :param rec: An instance of the stream's ``columns`` type with its
+           fields set to the values to be logged.
+      
+
+      :returns: The path to be used for the filter, which will be
+               subject to the same automatic correction rules as
+               the *path* field of :zeek:type:`Log::Filter` in the
+               case of conflicts with other filters trying to use
+               the same writer/path pair.
+
+
+   .. zeek:field:: include :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
+
+      Subset of column names to record. If not given, all
+      columns are recorded.
+
+
+   .. zeek:field:: exclude :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
+
+      Subset of column names to exclude from recording. If not
+      given, all columns are recorded.
+
+
+   .. zeek:field:: log_local :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Log::enable_local_logging` :zeek:attr:`&optional`
+
+      If true, entries are recorded locally.
+
+
+   .. zeek:field:: log_remote :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Log::enable_remote_logging` :zeek:attr:`&optional`
+
+      If true, entries are passed on to remote peers.
+
+
+   .. zeek:field:: field_name_map :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = :zeek:see:`Log::default_field_name_map` :zeek:attr:`&optional`
+
+      Field name map to rename fields before the fields are written
+      to the output.
+
+
+   .. zeek:field:: scope_sep :zeek:type:`string` :zeek:attr:`&default` = :zeek:see:`Log::default_scope_sep` :zeek:attr:`&optional`
+
+      A string that is used for unrolling and flattening field names
+      for nested record types.
+
+
+   .. zeek:field:: ext_prefix :zeek:type:`string` :zeek:attr:`&default` = :zeek:see:`Log::default_ext_prefix` :zeek:attr:`&optional`
+
+      Default prefix for all extension fields. It's typically
+      prudent to set this to something that Zeek's logging
+      framework can't normally write out in a field name.
+
+
+   .. zeek:field:: ext_func :zeek:type:`function` (path: :zeek:type:`string`) : :zeek:type:`any` :zeek:attr:`&default` = :zeek:see:`Log::default_ext_func` :zeek:attr:`&optional`
+
+      Function to collect a log extension value.  If not specified,
+      no log extension will be provided for the log.
+      The return value from the function *must* be a record.
+
+
+   .. zeek:field:: interv :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Log::default_rotation_interval` :zeek:attr:`&optional`
+
+      Rotation interval. Zero disables rotation.
+
+
+   .. zeek:field:: postprocessor :zeek:type:`function` (info: :zeek:type:`Log::RotationInfo`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Callback function to trigger for rotated files. If not set, the
+      default comes out of :zeek:id:`Log::default_rotation_postprocessors`.
+
+
+   .. zeek:field:: config :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      A key/value table that will be passed on to the writer.
+      Interpretation of the values is left to the writer, but
+      usually they will be used for configuration purposes.
+
+
+   .. zeek:field:: policy :zeek:type:`Log::PolicyHook` :zeek:attr:`&optional`
+
+      Policy hooks can adjust log entry values and veto
+      the writing of a log entry for the record passed
+      into it. Any hook that breaks from its body signals
+      that Zeek won't log the entry passed into it.
+      
+      When no policy hook is defined, the filter inherits
+      the hook from the stream it's associated with.
+
+
+   A filter type describes how to customize logging streams.
+
+.. zeek:type:: Log::ID
+   :source-code: base/frameworks/logging/main.zeek 13 19
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Log::UNKNOWN Log::ID
+
+         Dummy place-holder.
+
+      .. zeek:enum:: Log::PRINTLOG Log::ID
+
+         Print statements that have been redirected to a log stream.
+
+      .. zeek:enum:: Broker::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/broker/log.zeek` is loaded)
+
+
+      .. zeek:enum:: Cluster::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/cluster/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Config::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/config/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Analyzer::Logging::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/analyzer/logging.zeek` is loaded)
+
+
+      .. zeek:enum:: Files::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/files/main.zeek` is loaded)
+
+
+         Logging stream for file analysis.
+
+      .. zeek:enum:: Reporter::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/reporter/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Notice::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/notice/main.zeek` is loaded)
+
+
+         This is the primary logging stream for notices.
+
+      .. zeek:enum:: Notice::ALARM_LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/notice/main.zeek` is loaded)
+
+
+         This is the alarm stream.
+
+      .. zeek:enum:: Weird::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/notice/weird.zeek` is loaded)
+
+
+      .. zeek:enum:: Signatures::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/signatures/main.zeek` is loaded)
+
+
+      .. zeek:enum:: PacketFilter::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/packet-filter/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Software::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/software/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Intel::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/intel/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Tunnel::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/tunnels/main.zeek` is loaded)
+
+
+      .. zeek:enum:: OpenFlow::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/openflow/plugins/log.zeek` is loaded)
+
+
+      .. zeek:enum:: NetControl::LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
+
+
+      .. zeek:enum:: NetControl::DROP_LOG Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/netcontrol/drop.zeek` is loaded)
+
+
+      .. zeek:enum:: NetControl::SHUNT Log::ID
+
+         (present if :doc:`/scripts/base/frameworks/netcontrol/shunt.zeek` is loaded)
+
+
+      .. zeek:enum:: Conn::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/conn/main.zeek` is loaded)
+
+
+      .. zeek:enum:: DCE_RPC::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/dce-rpc/main.zeek` is loaded)
+
+
+      .. zeek:enum:: DHCP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/dhcp/main.zeek` is loaded)
+
+
+      .. zeek:enum:: DNP3::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/dnp3/main.zeek` is loaded)
+
+
+      .. zeek:enum:: DNS::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/dns/main.zeek` is loaded)
+
+
+      .. zeek:enum:: FTP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/ftp/main.zeek` is loaded)
+
+
+      .. zeek:enum:: SSL::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/ssl/main.zeek` is loaded)
+
+
+      .. zeek:enum:: X509::LOG Log::ID
+
+         (present if :doc:`/scripts/base/files/x509/main.zeek` is loaded)
+
+
+      .. zeek:enum:: OCSP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/files/x509/log-ocsp.zeek` is loaded)
+
+
+      .. zeek:enum:: HTTP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/http/main.zeek` is loaded)
+
+
+      .. zeek:enum:: IRC::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/irc/main.zeek` is loaded)
+
+
+      .. zeek:enum:: KRB::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/krb/main.zeek` is loaded)
+
+
+      .. zeek:enum:: LDAP::LDAP_LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/ldap/main.zeek` is loaded)
+
+
+      .. zeek:enum:: LDAP::LDAP_SEARCH_LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/ldap/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Modbus::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/modbus/main.zeek` is loaded)
+
+
+      .. zeek:enum:: MQTT::CONNECT_LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/mqtt/main.zeek` is loaded)
+
+
+      .. zeek:enum:: MQTT::SUBSCRIBE_LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/mqtt/main.zeek` is loaded)
+
+
+      .. zeek:enum:: MQTT::PUBLISH_LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/mqtt/main.zeek` is loaded)
+
+
+      .. zeek:enum:: mysql::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/mysql/main.zeek` is loaded)
+
+
+      .. zeek:enum:: NTLM::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/ntlm/main.zeek` is loaded)
+
+
+      .. zeek:enum:: NTP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/ntp/main.zeek` is loaded)
+
+
+      .. zeek:enum:: PostgreSQL::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/postgresql/main.zeek` is loaded)
+
+
+      .. zeek:enum:: QUIC::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/quic/main.zeek` is loaded)
+
+
+      .. zeek:enum:: RADIUS::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/radius/main.zeek` is loaded)
+
+
+      .. zeek:enum:: RDP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/rdp/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Redis::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/redis/main.zeek` is loaded)
+
+
+      .. zeek:enum:: RFB::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/rfb/main.zeek` is loaded)
+
+
+      .. zeek:enum:: SIP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/sip/main.zeek` is loaded)
+
+
+      .. zeek:enum:: SNMP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/snmp/main.zeek` is loaded)
+
+
+      .. zeek:enum:: SMB::MAPPING_LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/smb/main.zeek` is loaded)
+
+
+      .. zeek:enum:: SMB::FILES_LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/smb/main.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/smtp/main.zeek` is loaded)
+
+
+      .. zeek:enum:: SOCKS::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/socks/main.zeek` is loaded)
+
+
+      .. zeek:enum:: SSH::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/ssh/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Syslog::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/syslog/main.zeek` is loaded)
+
+
+      .. zeek:enum:: WebSocket::LOG Log::ID
+
+         (present if :doc:`/scripts/base/protocols/websocket/main.zeek` is loaded)
+
+
+      .. zeek:enum:: PE::LOG Log::ID
+
+         (present if :doc:`/scripts/base/files/pe/main.zeek` is loaded)
+
+
+      .. zeek:enum:: Analyzer::DebugLogging::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/frameworks/analyzer/debug-logging.zeek` is loaded)
+
+
+      .. zeek:enum:: Management::Log::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/frameworks/management/log.zeek` is loaded)
+
+
+      .. zeek:enum:: NetControl::CATCH_RELEASE Log::ID
+
+         (present if :doc:`/scripts/policy/frameworks/netcontrol/catch-and-release.zeek` is loaded)
+
+
+      .. zeek:enum:: Telemetry::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/frameworks/telemetry/log.zeek` is loaded)
+
+
+      .. zeek:enum:: Telemetry::LOG_HISTOGRAM Log::ID
+
+         (present if :doc:`/scripts/policy/frameworks/telemetry/log.zeek` is loaded)
+
+
+      .. zeek:enum:: CaptureLoss::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/misc/capture-loss.zeek` is loaded)
+
+
+      .. zeek:enum:: Traceroute::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/misc/detect-traceroute/main.zeek` is loaded)
+
+
+      .. zeek:enum:: LoadedScripts::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/misc/loaded-scripts.zeek` is loaded)
+
+
+      .. zeek:enum:: Stats::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/misc/stats.zeek` is loaded)
+
+
+      .. zeek:enum:: WeirdStats::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/misc/weird-stats.zeek` is loaded)
+
+
+      .. zeek:enum:: UnknownProtocol::LOG Log::ID
+
+         (present if :doc:`/scripts/policy/misc/unknown-protocols.zeek` is loaded)
+
+
+      .. zeek:enum:: Known::HOSTS_LOG Log::ID
+
+         (present if :doc:`/scripts/policy/protocols/conn/known-hosts.zeek` is loaded)
+
+
+      .. zeek:enum:: Known::SERVICES_LOG Log::ID
+
+         (present if :doc:`/scripts/policy/protocols/conn/known-services.zeek` is loaded)
+
+
+      .. zeek:enum:: Known::MODBUS_LOG Log::ID
+
+         (present if :doc:`/scripts/policy/protocols/modbus/known-masters-slaves.zeek` is loaded)
+
+
+      .. zeek:enum:: Modbus::REGISTER_CHANGE_LOG Log::ID
+
+         (present if :doc:`/scripts/policy/protocols/modbus/track-memmap.zeek` is loaded)
+
+
+      .. zeek:enum:: SMB::CMD_LOG Log::ID
+
+         (present if :doc:`/scripts/policy/protocols/smb/log-cmds.zeek` is loaded)
+
+
+      .. zeek:enum:: Known::CERTS_LOG Log::ID
+
+         (present if :doc:`/scripts/policy/protocols/ssl/known-certs.zeek` is loaded)
+
+
+      .. zeek:enum:: ZeekygenExample::LOG Log::ID
+
+         (present if :doc:`/scripts/zeekygen/example.zeek` is loaded)
+
+
+   Type that defines an ID unique to each log stream. Scripts creating new
+   log streams need to redef this enum to add their own specific log ID.
+   The log ID implicitly determines the default name of the generated log
+   file.
+
+.. zeek:type:: Log::PolicyHook
+   :source-code: base/frameworks/logging/main.zeek 353 353
+
+   :Type: :zeek:type:`hook` (rec: :zeek:type:`any`, id: :zeek:type:`Log::ID`, filter: :zeek:type:`Log::Filter`) : :zeek:type:`bool`
+
+   A hook type to implement filtering policy at log filter
+   granularity. Like :zeek:see:`Log::StreamPolicyHook`, these can
+   implement added functionality, alter it prior to logging, or
+   veto the write. These hooks run at log filter granularity,
+   so get a :zeek:see:`Log::Filter` instance as additional
+   argument. You can pass additional state into the hook via the
+   the filter$config table.
+   
+
+   :param rec: An instance of the stream's ``columns`` type with its
+        fields set to the values to be logged.
+   
+
+   :param id: The ID associated with the logging stream the filter
+       belongs to.
+   
+
+   :param filter: The :zeek:type:`Log::Filter` instance that steers
+           the output of the given log record.
+
+.. zeek:type:: Log::PostDelayCallback
+   :source-code: base/frameworks/logging/main.zeek 662 662
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`any`, id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   Type of function to invoke when delaying a log write has completed.
+   
+   Functions of this type take the same arguments as :zeek:see:`Log::StreamPolicyHook`
+   and act as a callback passed to :zeek:see:`Log::delay`. They execute
+   just before the record is forwarded to the individual log filters.
+   
+   Returning ``F`` from a post delay callback discards the log write.
+
+.. zeek:type:: Log::PrintLogInfo
+   :source-code: base/frameworks/logging/main.zeek 75 80
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The network time at which the print statement was executed.
+
+
+   .. zeek:field:: vals :zeek:type:`string_vec` :zeek:attr:`&log`
+
+      Set of strings passed to the print statement.
+
+
+   If :zeek:see:`Log::print_to_log` is set to redirect, ``print`` statements will
+   automatically populate log entries with the fields contained in this record.
+
+.. zeek:type:: Log::PrintLogType
+   :source-code: base/frameworks/logging/main.zeek 83 83
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Log::REDIRECT_NONE Log::PrintLogType
+
+         No redirection of ``print`` statements.
+
+      .. zeek:enum:: Log::REDIRECT_STDOUT Log::PrintLogType
+
+         Redirection of those ``print`` statements that were being logged to stdout,
+         leaving behind those set to go to other specific files.
+
+      .. zeek:enum:: Log::REDIRECT_ALL Log::PrintLogType
+
+         Redirection of all ``print`` statements.
+
+   Configurations for :zeek:see:`Log::print_to_log`
+
+.. zeek:type:: Log::RotationFmtInfo
+   :source-code: base/frameworks/logging/main.zeek 120 128
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: writer :zeek:type:`Log::Writer`
+
+      The log writer being used.
+
+
+   .. zeek:field:: path :zeek:type:`string`
+
+      Original path value.
+
+
+   .. zeek:field:: open :zeek:type:`time`
+
+      Time when opened.
+
+
+   .. zeek:field:: close :zeek:type:`time`
+
+      Time when closed.
+
+
+   .. zeek:field:: terminating :zeek:type:`bool`
+
+      True if rotation occurred due to Zeek shutting down.
+
+
+   .. zeek:field:: postprocessor :zeek:type:`Log::RotationPostProcessorFunc` :zeek:attr:`&optional`
+
+      The postprocessor function that will be called after rotation.
+
+
+   Information passed into rotation format callback function given by
+   :zeek:see:`Log::rotation_format_func`.
+
+.. zeek:type:: Log::RotationInfo
+   :source-code: base/frameworks/logging/main.zeek 106 113
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: writer :zeek:type:`Log::Writer`
+
+      The log writer being used.
+
+
+   .. zeek:field:: fname :zeek:type:`string`
+
+      Full name of the rotated file.
+
+
+   .. zeek:field:: path :zeek:type:`string`
+
+      Original path value.
+
+
+   .. zeek:field:: open :zeek:type:`time`
+
+      Time when opened.
+
+
+   .. zeek:field:: close :zeek:type:`time`
+
+      Time when closed.
+
+
+   .. zeek:field:: terminating :zeek:type:`bool`
+
+      True if rotation occurred due to Zeek shutting down.
+
+
+   Information passed into rotation callback functions.
+
+.. zeek:type:: Log::RotationPath
+   :source-code: base/frameworks/logging/main.zeek 145 163
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dir :zeek:type:`string` :zeek:attr:`&default` = :zeek:see:`Log::default_rotation_dir` :zeek:attr:`&optional`
+
+      A directory to rotate the log to.  This directory is created
+      just-in-time, as the log rotation is about to happen.  If it
+      cannot be created, an error is emitted and the rotation process
+      tries to proceed with rotation inside the working directory.  When
+      setting this field, beware that renaming files across file systems
+      will generally fail.
+
+
+   .. zeek:field:: file_basename :zeek:type:`string`
+
+      A base name to use for the rotated log.  Log writers may later
+      append a file extension of their choosing to this user-chosen
+      base (e.g. if using the default ASCII writer and you want
+      rotated files of the format "foo-<date>.log", then this basename
+      can be set to "foo-<date>" and the ".log" is added later (there's
+      also generally means of customizing the file extension, too,
+      like the ``ZEEK_LOG_SUFFIX`` environment variable or
+      writer-dependent configuration options.
+
+
+   A log file rotation path specification that's returned by the
+   user-customizable :zeek:see:`Log::rotation_format_func`.
+
+.. zeek:type:: Log::RotationPostProcessorFunc
+   :source-code: base/frameworks/logging/main.zeek 116 116
+
+   :Type: :zeek:type:`function` (info: :zeek:type:`Log::RotationInfo`) : :zeek:type:`bool`
+
+   The function type for log rotation post processors.
+
+.. zeek:type:: Log::Stream
+   :source-code: base/frameworks/logging/main.zeek 370 445
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: columns :zeek:type:`any`
+
+      A record type defining the log's columns.
+
+
+   .. zeek:field:: ev :zeek:type:`any` :zeek:attr:`&optional`
+
+      Event that will be raised once for each log entry.
+      The event receives a single same parameter, an instance of
+      type ``columns``.
+
+
+   .. zeek:field:: path :zeek:type:`string` :zeek:attr:`&optional`
+
+      A path that will be inherited by any filters added to the
+      stream which do not already specify their own path.
+
+
+   .. zeek:field:: policy :zeek:type:`Log::PolicyHook` :zeek:attr:`&optional`
+
+      Policy hooks can adjust log records and veto their
+      writing. Any hook handler that breaks from its body
+      signals that Zeek won't log the entry passed into
+      it. You can pass arbitrary state into the hook via
+      the filter instance and its config table.
+      
+      New Filters created for this stream will inherit
+      this policy hook, unless they provide their own.
+
+
+   .. zeek:field:: event_groups :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Event groups associated with this stream that are disabled
+      when :zeek:see:`Log::disable_stream` is invoked and
+      re-enabled during :zeek:see:`Log::enable_stream`.
+      
+      This field can be used to short-circuit event handlers that
+      are solely responsible for logging functionality at runtime
+      when a log stream is disabled.
+      
+      This field allows for both, attribute event groups and module
+      event groups. If the given group names exists as attribute
+      or module or either event group, they are disabled when the
+      log stream is disabled and enabled when the stream is
+      enabled again.
+
+
+   .. zeek:field:: max_delay_interval :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Log::default_max_delay_interval` :zeek:attr:`&optional`
+
+      Maximum delay interval for this stream.
+      
+      This value can be increased using :zeek:see:`Log::set_max_delay_interval`
+      after the stream has been created.
+      
+      .. :zeek:see:`Log::default_max_delay_interval`
+      .. :zeek:see:`Log::set_max_delay_interval`
+
+
+   .. zeek:field:: max_delay_queue_size :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`Log::default_max_delay_queue_size` :zeek:attr:`&optional`
+
+      Maximum delay queue size of this stream.
+      
+      This value can be changed using :zeek:see:`Log::set_max_delay_queue_size`
+      after the stream has been created.
+      
+      .. :zeek:see:`Log::default_max_delay_queue_size`
+      .. :zeek:see:`Log::set_max_delay_queue_size`
+
+
+   .. zeek:field:: max_field_string_bytes :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`Log::default_max_field_string_bytes` :zeek:attr:`&optional`
+
+      Maximum string size for field in a log record from this stream.
+      
+      .. :zeek:see:`Log::default_max_field_string_bytes`
+
+
+   .. zeek:field:: max_total_string_bytes :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`Log::default_max_total_string_bytes` :zeek:attr:`&optional`
+
+      Maximum total string size in a log record from this stream.
+      
+      .. :zeek:see:`Log::default_max_total_string_bytes`
+
+
+   .. zeek:field:: max_field_container_elements :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`Log::default_max_field_container_elements` :zeek:attr:`&optional`
+
+      Maximum container elements for field in a log record from this stream.
+      
+      .. :zeek:see:`Log::default_max_field_container_elements`
+
+
+   .. zeek:field:: max_total_container_elements :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`Log::default_max_total_container_elements` :zeek:attr:`&optional`
+
+      Maximum total container elements in a log record from this stream.
+      
+      .. :zeek:see:`Log::default_max_total_container_elements`
+
+
+   Type defining the content of a logging stream.
+
+.. zeek:type:: Log::StreamPolicyHook
+   :source-code: base/frameworks/logging/main.zeek 335 335
+
+   :Type: :zeek:type:`hook` (rec: :zeek:type:`any`, id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   A hook type to implement filtering policy. Hook handlers run
+   on each log record. They can implement arbitrary per-record
+   processing, alter the log record, or veto the writing of the
+   given record by breaking from the hook handler.
+   
+
+   :param rec: An instance of the stream's ``columns`` type with its
+        fields set to the values to be logged.
+   
+
+   :param id: The ID associated with the logging stream the filter
+       belongs to.
+
+.. zeek:type:: Log::Writer
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Log::WRITER_ASCII Log::Writer
+
+      .. zeek:enum:: Log::WRITER_NONE Log::Writer
+
+      .. zeek:enum:: Log::WRITER_SQLITE Log::Writer
+
+
+Events
+######
+.. zeek:id:: Log::log_print
+   :source-code: base/frameworks/logging/main.zeek 94 94
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Log::PrintLogInfo`)
+
+   Event for accessing logged print records.
+
+Hooks
+#####
+.. zeek:id:: Log::log_stream_policy
+   :source-code: base/frameworks/logging/main.zeek 653 653
+
+   :Type: :zeek:type:`Log::StreamPolicyHook`
+
+   The global log policy hook. The framework invokes this hook for any
+   log write, prior to iterating over the stream's associated filters.
+   As with filter-specific hooks, breaking from the hook vetoes writing
+   of the given log record. Note that filter-level policy hooks still get
+   invoked after the global hook vetoes, but they cannot "un-veto" the write.
+
+Functions
+#########
+.. zeek:id:: Log::add_default_filter
+   :source-code: base/frameworks/logging/main.zeek 1018 1021
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   Adds a default :zeek:type:`Log::Filter` record with ``name`` field
+   set as "default" to a given logging stream.
+   
+
+   :param id: The ID associated with a logging stream for which to add a default
+       filter.
+   
+
+   :returns: The status of a call to :zeek:id:`Log::add_filter` using a
+            default :zeek:type:`Log::Filter` argument with ``name`` field
+            set to "default".
+   
+   .. zeek:see:: Log::add_filter Log::remove_filter
+      Log::remove_default_filter
+
+.. zeek:id:: Log::add_filter
+   :source-code: base/frameworks/logging/main.zeek 958 975
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, filter: :zeek:type:`Log::Filter`) : :zeek:type:`bool`
+
+   Adds a custom filter to an existing logging stream.  If a filter
+   with a matching ``name`` field already exists for the stream, it
+   is removed when the new filter is successfully added.
+   
+
+   :param id: The ID associated with the logging stream to filter.
+   
+
+   :param filter: A record describing the desired logging parameters.
+   
+
+   :returns: True if the filter was successfully added, false if
+            the filter was not added or the *filter* argument was not
+            the correct type.
+   
+   .. zeek:see:: Log::remove_filter Log::add_default_filter
+      Log::remove_default_filter Log::get_filter Log::get_filter_names
+
+.. zeek:id:: Log::create_stream
+   :source-code: base/frameworks/logging/main.zeek 883 892
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, stream: :zeek:type:`Log::Stream`) : :zeek:type:`bool`
+
+   Creates a new logging stream with the default filter.
+   
+
+   :param id: The ID enum to be associated with the new logging stream.
+   
+
+   :param stream: A record defining the content that the new stream will log.
+   
+
+   :returns: True if a new logging stream was successfully created and
+            a default filter added to it.
+   
+   .. zeek:see:: Log::add_default_filter Log::remove_default_filter
+
+.. zeek:id:: Log::default_ext_func
+   :source-code: base/frameworks/logging/main.zeek 216 217
+
+   :Type: :zeek:type:`function` (path: :zeek:type:`string`) : :zeek:type:`any`
+   :Attributes: :zeek:attr:`&redef`
+
+   Default log extension function in the case that you would like to
+   apply the same extensions to all logs.  The function *must* return
+   a record with all of the fields to be included in the log. The
+   default function included here does not return a value, which indicates
+   that no extensions are added.
+
+.. zeek:id:: Log::default_path_func
+   :source-code: base/frameworks/logging/main.zeek 780 816
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, path: :zeek:type:`string`, rec: :zeek:type:`any`) : :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+
+   Builds the default path values for log filters if not otherwise
+   specified by a filter. The default implementation uses *id*
+   to derive a name.  Upon adding a filter to a stream, if neither
+   ``path`` nor ``path_func`` is explicitly set by them, then
+   this function is used as the ``path_func``.
+   
+
+   :param id: The ID associated with the log stream.
+   
+
+   :param path: A suggested path value, which may be either the filter's
+         ``path`` if defined, else a previous result from the function.
+         If no ``path`` is defined for the filter, then the first call
+         to the function will contain an empty string.
+   
+
+   :param rec: An instance of the stream's ``columns`` type with its
+        fields set to the values to be logged.
+   
+
+   :returns: The path to be used for the filter.
+
+.. zeek:id:: Log::delay
+   :source-code: base/frameworks/logging/main.zeek 1038 1041
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, rec: :zeek:type:`any`, post_delay_cb: :zeek:type:`Log::PostDelayCallback` :zeek:attr:`&default` = :zeek:see:`Log::empty_post_delay_cb` :zeek:attr:`&optional`) : :zeek:type:`Log::DelayToken`
+
+   Delay a log write.
+   
+   Calling this function is currently only allowed within the execution
+   of a :zeek:see:`Log::log_stream_policy` hook and requires the caller
+   to provide the stream ID and log record of the active write operation
+   as parameters.
+   
+   Conceptually, the delay is inserted between the execution of the
+   :zeek:see:`Log::log_stream_policy` hook and the policy hooks of filters.
+   
+   Calling this function increments a reference count that can subsequently
+   be decremented using :zeek:see:`Log::delay_finish`.
+   The delay completes when either the reference count reaches zero, or
+   the configured maximum delay interval for the stream expires. The
+   optional *post_delay_cb* is invoked when the delay completed.
+   
+   The *post_delay_cb* function can extend the delay by invoking
+   :zeek:see:`Log::delay` again. There's no limit to how often a write
+   can be re-delayed. Further, it can discard the log record altogether
+   by returning ``F``. If *post_delay_cb* is not provided, the behavior
+   is equivalent to a no-op callback solely returning ``T``.
+   
+
+   :param id: The ID associated with a logging stream.
+   
+
+   :param rec: The log record.
+   
+
+   :param post_delay_cb: A callback to invoke when the delay completed.
+   
+
+   :returns: An opaque token of type :zeek:see:`Log::DelayToken`
+            to be passed to :zeek:see:`Log::delay_finish`.
+
+.. zeek:id:: Log::delay_finish
+   :source-code: base/frameworks/logging/main.zeek 1043 1046
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, rec: :zeek:type:`any`, token: :zeek:type:`Log::DelayToken`) : :zeek:type:`bool`
+
+   Release a delay reference taken with :zeek:see:`Log::delay`.
+   
+   When the last reference is released, :zeek:see:`Log::delay_finish`
+   synchronously resumes the delayed :zeek:see:`Log::write` operation.
+   
+
+   :param id: The ID associated with a logging stream.
+   
+
+   :param rec: The log record.
+   
+
+   :param token: The opaque token as returned by :zeek:see:`Log::delay`.
+   
+
+   :returns: ``T`` on success, ``F`` if an inconsistent combination of
+            *id*, *rec* and *token* was provided.
+
+.. zeek:id:: Log::disable_stream
+   :source-code: base/frameworks/logging/main.zeek 909 926
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   Disables a currently enabled logging stream.  Disabled streams
+   will not be written to until they are enabled again.  New streams
+   are enabled by default.
+   
+
+   :param id: The ID associated with the logging stream to disable.
+   
+
+   :returns: True if the stream is now disabled or was already disabled.
+   
+   .. zeek:see:: Log::enable_stream
+
+.. zeek:id:: Log::empty_post_delay_cb
+   :source-code: base/frameworks/logging/main.zeek 1034 1036
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`any`, id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   Represents a post delay callback that simply returns T. This is used
+   as a default value for :zeek:see:`Log::delay` and ignored internally.
+
+.. zeek:id:: Log::enable_stream
+   :source-code: base/frameworks/logging/main.zeek 928 947
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   Enables a previously disabled logging stream.  Disabled streams
+   will not be written to until they are enabled again.  New streams
+   are enabled by default.
+   
+
+   :param id: The ID associated with the logging stream to enable.
+   
+
+   :returns: True if the stream is re-enabled or was not previously disabled.
+   
+   .. zeek:see:: Log::disable_stream
+
+.. zeek:id:: Log::flush
+   :source-code: base/frameworks/logging/main.zeek 1013 1016
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   Flushes any currently buffered output for all the writers of a given
+   logging stream.
+   
+
+   :param id: The ID associated with a logging stream for which to flush buffered
+       data.
+   
+
+   :returns: True if all writers of a log stream were signalled to flush
+            buffered data or if the logging stream is disabled,
+            false if the logging stream does not exist.
+   
+   .. zeek:see:: Log::set_buf Log::enable_stream Log::disable_stream
+
+.. zeek:id:: Log::get_delay_queue_size
+   :source-code: base/frameworks/logging/main.zeek 1079 1082
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`int`
+
+   Get the current size of the delay queue for a stream.
+   
+
+   :param id: The ID associated with a logging stream.
+   
+
+   :returns: The current size of the delay queue, or -1 on error.
+
+.. zeek:id:: Log::get_filter
+   :source-code: base/frameworks/logging/main.zeek 987 993
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, name: :zeek:type:`string`) : :zeek:type:`Log::Filter`
+
+   Gets a filter associated with an existing logging stream.
+   
+
+   :param id: The ID associated with a logging stream from which to
+       obtain one of its filters.
+   
+
+   :param name: A string to match against the ``name`` field of a
+         :zeek:type:`Log::Filter` for identification purposes.
+   
+
+   :returns: A filter attached to the logging stream *id* matching
+            *name* or, if no matches are found returns the
+            :zeek:id:`Log::no_filter` sentinel value.
+   
+   .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter
+                Log::remove_default_filter Log::get_filter_names
+
+.. zeek:id:: Log::get_filter_names
+   :source-code: base/frameworks/logging/main.zeek 995 1001
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`set` [:zeek:type:`string`]
+
+   Gets the names of all filters associated with an existing
+   logging stream.
+   
+
+   :param id: The ID of a logging stream from which to obtain the list
+       of filter names.
+   
+
+   :returns: The set of filter names associated with the stream.
+   
+   .. zeek:see:: Log::remove_filter Log::add_default_filter
+                 Log::remove_default_filter Log::get_filter
+
+.. zeek:id:: Log::remove_default_filter
+   :source-code: base/frameworks/logging/main.zeek 1023 1026
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   Removes the :zeek:type:`Log::Filter` with ``name`` field equal to
+   "default".
+   
+
+   :param id: The ID associated with a logging stream from which to remove the
+       default filter.
+   
+
+   :returns: The status of a call to :zeek:id:`Log::remove_filter` using
+            "default" as the argument.
+   
+   .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter
+
+.. zeek:id:: Log::remove_filter
+   :source-code: base/frameworks/logging/main.zeek 977 985
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Removes a filter from an existing logging stream.
+   
+
+   :param id: The ID associated with the logging stream from which to
+       remove a filter.
+   
+
+   :param name: A string to match against the ``name`` field of a
+         :zeek:type:`Log::Filter` for identification purposes.
+   
+
+   :returns: True if the logging stream's filter was removed or
+            if no filter associated with *name* was found.
+   
+   .. zeek:see:: Log::remove_filter Log::add_default_filter
+      Log::remove_default_filter Log::get_filter Log::get_filter_names
+
+.. zeek:id:: Log::remove_stream
+   :source-code: base/frameworks/logging/main.zeek 894 907
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`) : :zeek:type:`bool`
+
+   Removes a logging stream completely, stopping all the threads.
+   
+
+   :param id: The ID associated with the logging stream.
+   
+
+   :returns: True if the stream was successfully removed.
+   
+   .. zeek:see:: Log::create_stream
+
+.. zeek:id:: Log::rotation_format_func
+   :source-code: base/frameworks/logging/main.zeek 856 881
+
+   :Type: :zeek:type:`function` (ri: :zeek:type:`Log::RotationFmtInfo`) : :zeek:type:`Log::RotationPath`
+   :Attributes: :zeek:attr:`&redef`
+
+   A function that one may use to customize log file rotation paths.
+
+.. zeek:id:: Log::run_rotation_postprocessor_cmd
+   :source-code: base/frameworks/logging/main.zeek 819 842
+
+   :Type: :zeek:type:`function` (info: :zeek:type:`Log::RotationInfo`, npath: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Runs a command given by :zeek:id:`Log::default_rotation_postprocessor_cmd`
+   on a rotated file.  Meant to be called from postprocessor functions
+   that are added to :zeek:id:`Log::default_rotation_postprocessors`.
+   
+
+   :param info: A record holding meta-information about the log being rotated.
+   
+
+   :param npath: The new path of the file (after already being rotated/processed
+          by writer-specific postprocessor as defined in
+          :zeek:id:`Log::default_rotation_postprocessors`).
+   
+
+   :returns: True when :zeek:id:`Log::default_rotation_postprocessor_cmd`
+            is empty or the system command given by it has been invoked
+            to postprocess a rotated log file.
+   
+   .. zeek:see:: Log::default_rotation_date_format
+      Log::default_rotation_postprocessor_cmd_env
+      Log::default_rotation_postprocessor_cmd
+      Log::default_rotation_postprocessors
+
+.. zeek:id:: Log::set_buf
+   :source-code: base/frameworks/logging/main.zeek 1008 1011
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, buffered: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Sets the buffering status for all the writers of a given logging stream.
+   A given writer implementation may or may not support buffering and if
+   it doesn't then toggling buffering with this function has no effect.
+   
+
+   :param id: The ID associated with a logging stream for which to
+       enable/disable buffering.
+   
+
+   :param buffered: Whether to enable or disable log buffering.
+   
+
+   :returns: True if buffering status was set, false if the logging stream
+            does not exist.
+   
+   .. zeek:see:: Log::flush
+
+.. zeek:id:: Log::set_max_delay_interval
+   :source-code: base/frameworks/logging/main.zeek 1048 1064
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, max_delay: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Set the maximum delay for a stream.
+   
+   Multiple calls to this function will only ever increase the maximum
+   delay, the delay cannot be lowered. The default maximum delay for a
+   stream is :zeek:see:`Log::default_max_delay_interval`.
+   
+   When a stream is removed and re-created via :zeek:see:`Log::create_stream`,
+   the new stream is re-configured with the previously used maximum delay.
+   
+
+   :param id: The ID associated with a logging stream.
+   
+
+   :param max_delay: The maximum delay interval for this stream.
+   
+
+   :returns: ``T`` on success, else ``F``.
+
+.. zeek:id:: Log::set_max_delay_queue_size
+   :source-code: base/frameworks/logging/main.zeek 1066 1077
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, max_size: :zeek:type:`count`) : :zeek:type:`bool`
+
+   Set the given stream's delay queue size.
+   
+   If the queue holds more records than the given *queue_size*, these are
+   attempted to be evicted at the time of the call.
+   
+   When a stream is removed and re-created via :zeek:see:`Log::create_stream`,
+   the new stream is re-configured with the most recently used queue size.
+   
+
+   :param id: The ID associated with a logging stream.
+   
+
+   :param max_delay: The maximum delay interval of this stream.
+   
+
+   :returns: ``T`` on success, else ``F``.
+
+.. zeek:id:: Log::write
+   :source-code: base/frameworks/logging/main.zeek 1003 1006
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`Log::ID`, columns: :zeek:type:`any`) : :zeek:type:`bool`
+
+   Writes a new log line/entry to a logging stream.
+   
+
+   :param id: The ID associated with a logging stream to be written to.
+   
+
+   :param columns: A record value describing the values of each field/column
+            to write to the log stream.
+   
+
+   :returns: True if the stream was found and no error occurred in writing
+            to it or if the stream was disabled and nothing was written.
+            False if the stream was not found, or the *columns*
+            argument did not match what the stream was initially defined
+            to handle, or one of the stream's filters has an invalid
+            ``path_func``.
+   
+   .. zeek:see:: Log::enable_stream Log::disable_stream
+
+
diff --git a/doc/scripts/base/frameworks/logging/postprocessors/__load__.zeek.rst b/doc/scripts/base/frameworks/logging/postprocessors/__load__.zeek.rst
new file mode 100644
index 0000000000..7381dd0a38
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/postprocessors/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/logging/postprocessors/__load__.zeek
+====================================================
+
+
+:Imports: :doc:`base/frameworks/logging/postprocessors/scp.zeek </scripts/base/frameworks/logging/postprocessors/scp.zeek>`, :doc:`base/frameworks/logging/postprocessors/sftp.zeek </scripts/base/frameworks/logging/postprocessors/sftp.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/logging/postprocessors/index.rst b/doc/scripts/base/frameworks/logging/postprocessors/index.rst
new file mode 100644
index 0000000000..dcb83cc2d5
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/postprocessors/index.rst
@@ -0,0 +1,44 @@
+:orphan:
+
+Package: base/frameworks/logging/postprocessors
+===============================================
+
+Support for postprocessors in the logging framework.
+
+:doc:`/scripts/base/frameworks/logging/postprocessors/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/logging/postprocessors/scp.zeek`
+
+   This script defines a postprocessing function that can be applied
+   to a logging filter in order to automatically SCP (secure copy)
+   a log stream (or a subset of it) to a remote host at configurable
+   rotation time intervals.  Generally, to use this functionality
+   you must handle the :zeek:id:`zeek_init` event and do the following
+   in your handler:
+   
+   1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
+      rotation interval, and set the ``postprocessor`` to
+      :zeek:id:`Log::scp_postprocessor`.
+   2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
+   3) Add a table entry to :zeek:id:`Log::scp_destinations` for the filter's
+      writer/path pair which defines a set of :zeek:type:`Log::SCPDestination`
+      records.
+
+:doc:`/scripts/base/frameworks/logging/postprocessors/sftp.zeek`
+
+   This script defines a postprocessing function that can be applied
+   to a logging filter in order to automatically SFTP
+   a log stream (or a subset of it) to a remote host at configurable
+   rotation time intervals.  Generally, to use this functionality
+   you must handle the :zeek:id:`zeek_init` event and do the following
+   in your handler:
+   
+   1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
+      rotation interval, and set the ``postprocessor`` to
+      :zeek:id:`Log::sftp_postprocessor`.
+   2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
+   3) Add a table entry to :zeek:id:`Log::sftp_destinations` for the filter's
+      writer/path pair which defines a set of :zeek:type:`Log::SFTPDestination`
+      records.
+
diff --git a/doc/scripts/base/frameworks/logging/postprocessors/scp.zeek.rst b/doc/scripts/base/frameworks/logging/postprocessors/scp.zeek.rst
new file mode 100644
index 0000000000..c411a3f37a
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/postprocessors/scp.zeek.rst
@@ -0,0 +1,132 @@
+:tocdepth: 3
+
+base/frameworks/logging/postprocessors/scp.zeek
+===============================================
+.. zeek:namespace:: Log
+
+This script defines a postprocessing function that can be applied
+to a logging filter in order to automatically SCP (secure copy)
+a log stream (or a subset of it) to a remote host at configurable
+rotation time intervals.  Generally, to use this functionality
+you must handle the :zeek:id:`zeek_init` event and do the following
+in your handler:
+
+1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
+   rotation interval, and set the ``postprocessor`` to
+   :zeek:id:`Log::scp_postprocessor`.
+2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
+3) Add a table entry to :zeek:id:`Log::scp_destinations` for the filter's
+   writer/path pair which defines a set of :zeek:type:`Log::SCPDestination`
+   records.
+
+:Namespace: Log
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================= ================================================================
+:zeek:id:`Log::scp_rotation_date_format`: :zeek:type:`string` :zeek:attr:`&redef` Default naming format for timestamps embedded into log filenames
+                                                                                  that use the SCP rotator.
+================================================================================= ================================================================
+
+State Variables
+###############
+==================================================== =======================================================================
+:zeek:id:`Log::scp_destinations`: :zeek:type:`table` A table indexed by a particular log writer and filter path, that yields
+                                                     a set of remote destinations.
+==================================================== =======================================================================
+
+Types
+#####
+===================================================== =====================================================================
+:zeek:type:`Log::SCPDestination`: :zeek:type:`record` A container that describes the remote destination for the SCP command
+                                                      argument as ``user@host:path``.
+===================================================== =====================================================================
+
+Functions
+#########
+======================================================== ============================================================
+:zeek:id:`Log::scp_postprocessor`: :zeek:type:`function` Secure-copies the rotated log to all the remote hosts
+                                                         defined in :zeek:id:`Log::scp_destinations` and then deletes
+                                                         the local copy of the rotated log.
+======================================================== ============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Log::scp_rotation_date_format
+   :source-code: base/frameworks/logging/postprocessors/scp.zeek 53 53
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"%Y-%m-%d-%H-%M-%S"``
+
+   Default naming format for timestamps embedded into log filenames
+   that use the SCP rotator.
+
+State Variables
+###############
+.. zeek:id:: Log::scp_destinations
+   :source-code: base/frameworks/logging/postprocessors/scp.zeek 49 49
+
+   :Type: :zeek:type:`table` [:zeek:type:`Log::Writer`, :zeek:type:`string`] of :zeek:type:`set` [:zeek:type:`Log::SCPDestination`]
+   :Default: ``{}``
+
+   A table indexed by a particular log writer and filter path, that yields
+   a set of remote destinations.  The :zeek:id:`Log::scp_postprocessor`
+   function queries this table upon log rotation and performs a secure
+   copy of the rotated log to each destination in the set.  This
+   table can be modified at run-time.
+
+Types
+#####
+.. zeek:type:: Log::SCPDestination
+   :source-code: base/frameworks/logging/postprocessors/scp.zeek 34 42
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: user :zeek:type:`string`
+
+      The remote user to log in as.  A trust mechanism should be
+      pre-established.
+
+
+   .. zeek:field:: host :zeek:type:`string`
+
+      The remote host to which to transfer logs.
+
+
+   .. zeek:field:: path :zeek:type:`string`
+
+      The path/directory on the remote host to send logs.
+
+
+   A container that describes the remote destination for the SCP command
+   argument as ``user@host:path``.
+
+Functions
+#########
+.. zeek:id:: Log::scp_postprocessor
+   :source-code: base/frameworks/logging/postprocessors/scp.zeek 56 72
+
+   :Type: :zeek:type:`function` (info: :zeek:type:`Log::RotationInfo`) : :zeek:type:`bool`
+
+   Secure-copies the rotated log to all the remote hosts
+   defined in :zeek:id:`Log::scp_destinations` and then deletes
+   the local copy of the rotated log.  It's not active when
+   reading from trace files.
+   
+
+   :param info: A record holding meta-information about the log file to be
+         postprocessed.
+   
+
+   :returns: True if secure-copy system command was initiated or
+            if no destination was configured for the log as described
+            by *info*.
+
+
diff --git a/doc/scripts/base/frameworks/logging/postprocessors/sftp.zeek.rst b/doc/scripts/base/frameworks/logging/postprocessors/sftp.zeek.rst
new file mode 100644
index 0000000000..14df41a764
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/postprocessors/sftp.zeek.rst
@@ -0,0 +1,137 @@
+:tocdepth: 3
+
+base/frameworks/logging/postprocessors/sftp.zeek
+================================================
+.. zeek:namespace:: Log
+
+This script defines a postprocessing function that can be applied
+to a logging filter in order to automatically SFTP
+a log stream (or a subset of it) to a remote host at configurable
+rotation time intervals.  Generally, to use this functionality
+you must handle the :zeek:id:`zeek_init` event and do the following
+in your handler:
+
+1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
+   rotation interval, and set the ``postprocessor`` to
+   :zeek:id:`Log::sftp_postprocessor`.
+2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
+3) Add a table entry to :zeek:id:`Log::sftp_destinations` for the filter's
+   writer/path pair which defines a set of :zeek:type:`Log::SFTPDestination`
+   records.
+
+:Namespace: Log
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================== ================================================================
+:zeek:id:`Log::sftp_rotation_date_format`: :zeek:type:`string` :zeek:attr:`&redef` Default naming format for timestamps embedded into log filenames
+                                                                                   that use the SFTP rotator.
+================================================================================== ================================================================
+
+State Variables
+###############
+===================================================== =======================================================================
+:zeek:id:`Log::sftp_destinations`: :zeek:type:`table` A table indexed by a particular log writer and filter path, that yields
+                                                      a set of remote destinations.
+===================================================== =======================================================================
+
+Types
+#####
+====================================================== =======================================================================
+:zeek:type:`Log::SFTPDestination`: :zeek:type:`record` A container that describes the remote destination for the SFTP command,
+                                                       comprised of the username, host, and path at which to upload the file.
+====================================================== =======================================================================
+
+Functions
+#########
+========================================================= =============================================================
+:zeek:id:`Log::sftp_postprocessor`: :zeek:type:`function` Securely transfers the rotated log to all the remote hosts
+                                                          defined in :zeek:id:`Log::sftp_destinations` and then deletes
+                                                          the local copy of the rotated log.
+========================================================= =============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Log::sftp_rotation_date_format
+   :source-code: base/frameworks/logging/postprocessors/sftp.zeek 55 55
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"%Y-%m-%d-%H-%M-%S"``
+
+   Default naming format for timestamps embedded into log filenames
+   that use the SFTP rotator.
+
+State Variables
+###############
+.. zeek:id:: Log::sftp_destinations
+   :source-code: base/frameworks/logging/postprocessors/sftp.zeek 51 51
+
+   :Type: :zeek:type:`table` [:zeek:type:`Log::Writer`, :zeek:type:`string`] of :zeek:type:`set` [:zeek:type:`Log::SFTPDestination`]
+   :Default: ``{}``
+
+   A table indexed by a particular log writer and filter path, that yields
+   a set of remote destinations.  The :zeek:id:`Log::sftp_postprocessor`
+   function queries this table upon log rotation and performs a secure
+   transfer of the rotated log to each destination in the set.  This
+   table can be modified at run-time.
+
+Types
+#####
+.. zeek:type:: Log::SFTPDestination
+   :source-code: base/frameworks/logging/postprocessors/sftp.zeek 34 44
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: user :zeek:type:`string`
+
+      The remote user to log in as.  A trust mechanism should be
+      pre-established.
+
+
+   .. zeek:field:: host :zeek:type:`string`
+
+      The remote host to which to transfer logs.
+
+
+   .. zeek:field:: host_port :zeek:type:`count` :zeek:attr:`&default` = ``22`` :zeek:attr:`&optional`
+
+      The port to connect to. Defaults to 22
+
+
+   .. zeek:field:: path :zeek:type:`string`
+
+      The path/directory on the remote host to send logs.
+
+
+   A container that describes the remote destination for the SFTP command,
+   comprised of the username, host, and path at which to upload the file.
+
+Functions
+#########
+.. zeek:id:: Log::sftp_postprocessor
+   :source-code: base/frameworks/logging/postprocessors/sftp.zeek 58 75
+
+   :Type: :zeek:type:`function` (info: :zeek:type:`Log::RotationInfo`) : :zeek:type:`bool`
+
+   Securely transfers the rotated log to all the remote hosts
+   defined in :zeek:id:`Log::sftp_destinations` and then deletes
+   the local copy of the rotated log.  It's not active when
+   reading from trace files.
+   
+
+   :param info: A record holding meta-information about the log file to be
+         postprocessed.
+   
+
+   :returns: True if sftp system command was initiated or
+            if no destination was configured for the log as described
+            by *info*.
+
+
diff --git a/doc/scripts/base/frameworks/logging/writers/ascii.zeek.rst b/doc/scripts/base/frameworks/logging/writers/ascii.zeek.rst
new file mode 100644
index 0000000000..eb93aa11a7
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/writers/ascii.zeek.rst
@@ -0,0 +1,229 @@
+:tocdepth: 3
+
+base/frameworks/logging/writers/ascii.zeek
+==========================================
+.. zeek:namespace:: LogAscii
+
+Interface for the ASCII log writer.  Redefinable options are available
+to tweak the output format of ASCII logs.
+
+The ASCII writer currently supports one writer-specific per-filter config
+option: setting ``tsv`` to the string ``T`` turns the output into
+"tab-separated-value" mode where only a single header row with the column
+names is printed out as meta information, with no "# fields" prepended; no
+other meta data gets included in that mode.  Example filter using this::
+
+   local f = Log::Filter($name = "my-filter",
+                         $writer = Log::WRITER_ASCII,
+                         $config = table(["tsv"] = "T"));
+
+
+:Namespace: LogAscii
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================================ =====================================================================
+:zeek:id:`LogAscii::empty_field`: :zeek:type:`string` :zeek:attr:`&redef`                    String to use for empty fields.
+:zeek:id:`LogAscii::enable_leftover_log_rotation`: :zeek:type:`bool` :zeek:attr:`&redef`     If true, detect log files that did not get properly rotated
+                                                                                             by a previous Zeek process (e.g.
+:zeek:id:`LogAscii::enable_utf_8`: :zeek:type:`bool` :zeek:attr:`&redef`                     If true, valid UTF-8 sequences will pass through unescaped and be
+                                                                                             written into logs.
+:zeek:id:`LogAscii::gzip_file_extension`: :zeek:type:`string` :zeek:attr:`&redef`            Define the file extension used when compressing log files when
+                                                                                             they are created with the :zeek:see:`LogAscii::gzip_level` option.
+:zeek:id:`LogAscii::gzip_level`: :zeek:type:`count` :zeek:attr:`&redef`                      Define the gzip level to compress the logs.
+:zeek:id:`LogAscii::include_meta`: :zeek:type:`bool` :zeek:attr:`&redef`                     If true, include lines with log meta information such as column names
+                                                                                             with types, the values of ASCII logging options that are in use, and
+                                                                                             the time when the file was opened and closed (the latter at the end).
+:zeek:id:`LogAscii::json_include_unset_fields`: :zeek:type:`bool` :zeek:attr:`&redef`        Handling of optional fields when writing out JSON.
+:zeek:id:`LogAscii::json_timestamps`: :zeek:type:`JSON::TimestampFormat` :zeek:attr:`&redef` Format of timestamps when writing out JSON.
+:zeek:id:`LogAscii::meta_prefix`: :zeek:type:`string` :zeek:attr:`&redef`                    Prefix for lines with meta information.
+:zeek:id:`LogAscii::output_to_stdout`: :zeek:type:`bool` :zeek:attr:`&redef`                 If true, output everything to stdout rather than
+                                                                                             into files.
+:zeek:id:`LogAscii::separator`: :zeek:type:`string` :zeek:attr:`&redef`                      Separator between fields.
+:zeek:id:`LogAscii::set_separator`: :zeek:type:`string` :zeek:attr:`&redef`                  Separator between set elements.
+:zeek:id:`LogAscii::unset_field`: :zeek:type:`string` :zeek:attr:`&redef`                    String to use for an unset &optional field.
+:zeek:id:`LogAscii::use_json`: :zeek:type:`bool` :zeek:attr:`&redef`                         If true, the default will be to write logs in a JSON format.
+============================================================================================ =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: LogAscii::empty_field
+   :source-code: base/frameworks/logging/writers/ascii.zeek 95 95
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"(empty)"``
+
+   String to use for empty fields. This should be different from
+   *unset_field* to make the output unambiguous.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::enable_leftover_log_rotation
+   :source-code: base/frameworks/logging/writers/ascii.zeek 35 35
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, detect log files that did not get properly rotated
+   by a previous Zeek process (e.g. due to crash) and rotate them.
+   
+   This requires a positive rotation interval to be configured
+   to have an effect.  E.g. via :zeek:see:`Log::default_rotation_interval`
+   or the *interv* field of a :zeek:see:`Log::Filter`.
+
+.. zeek:id:: LogAscii::enable_utf_8
+   :source-code: base/frameworks/logging/writers/ascii.zeek 41 41
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, valid UTF-8 sequences will pass through unescaped and be
+   written into logs.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::gzip_file_extension
+   :source-code: base/frameworks/logging/writers/ascii.zeek 55 55
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"gz"``
+
+   Define the file extension used when compressing log files when
+   they are created with the :zeek:see:`LogAscii::gzip_level` option.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::gzip_level
+   :source-code: base/frameworks/logging/writers/ascii.zeek 49 49
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   Define the gzip level to compress the logs.  If 0, then no gzip
+   compression is performed. Enabling compression also changes
+   the log file name extension to include the value of
+   :zeek:see:`LogAscii::gzip_file_extension`.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::include_meta
+   :source-code: base/frameworks/logging/writers/ascii.zeek 74 74
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, include lines with log meta information such as column names
+   with types, the values of ASCII logging options that are in use, and
+   the time when the file was opened and closed (the latter at the end).
+   
+   If writing in JSON format, this is implicitly disabled.
+
+.. zeek:id:: LogAscii::json_include_unset_fields
+   :source-code: base/frameworks/logging/writers/ascii.zeek 67 67
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Handling of optional fields when writing out JSON. By default the
+   JSON formatter skips key and val when the field is absent. Setting
+   the following field to T includes the key, with a null value.
+
+.. zeek:id:: LogAscii::json_timestamps
+   :source-code: base/frameworks/logging/writers/ascii.zeek 62 62
+
+   :Type: :zeek:type:`JSON::TimestampFormat`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``JSON::TS_EPOCH``
+
+   Format of timestamps when writing out JSON. By default, the JSON
+   formatter will use double values for timestamps which represent the
+   number of seconds from the UNIX epoch.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::meta_prefix
+   :source-code: base/frameworks/logging/writers/ascii.zeek 79 79
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"#"``
+
+   Prefix for lines with meta information.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::output_to_stdout
+   :source-code: base/frameworks/logging/writers/ascii.zeek 22 22
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, output everything to stdout rather than
+   into files. This is primarily for debugging purposes.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::separator
+   :source-code: base/frameworks/logging/writers/ascii.zeek 84 84
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"\x09"``
+
+   Separator between fields.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::set_separator
+   :source-code: base/frameworks/logging/writers/ascii.zeek 89 89
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``","``
+
+   Separator between set elements.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::unset_field
+   :source-code: base/frameworks/logging/writers/ascii.zeek 100 100
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"-"``
+
+   String to use for an unset &optional field.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+.. zeek:id:: LogAscii::use_json
+   :source-code: base/frameworks/logging/writers/ascii.zeek 27 27
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+   :Redefinition: from :doc:`/scripts/policy/tuning/json-logs.zeek`
+
+      ``=``::
+
+         T
+
+
+   If true, the default will be to write logs in a JSON format.
+   
+   This option is also available as a per-filter ``$config`` option.
+
+
diff --git a/doc/scripts/base/frameworks/logging/writers/none.zeek.rst b/doc/scripts/base/frameworks/logging/writers/none.zeek.rst
new file mode 100644
index 0000000000..627b0f2d84
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/writers/none.zeek.rst
@@ -0,0 +1,41 @@
+:tocdepth: 3
+
+base/frameworks/logging/writers/none.zeek
+=========================================
+.. zeek:namespace:: LogNone
+
+Interface for the None log writer. This writer is mainly for debugging.
+
+:Namespace: LogNone
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================ ============================================================
+:zeek:id:`LogNone::debug`: :zeek:type:`bool` :zeek:attr:`&redef` If true, output debugging output that can be useful for unit
+                                                                 testing the logging framework.
+================================================================ ============================================================
+
+Redefinitions
+#############
+======================================================================================= =
+:zeek:id:`Log::default_rotation_postprocessors`: :zeek:type:`table` :zeek:attr:`&redef` 
+======================================================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: LogNone::debug
+   :source-code: base/frameworks/logging/writers/none.zeek 8 8
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, output debugging output that can be useful for unit
+   testing the logging framework.
+
+
diff --git a/doc/scripts/base/frameworks/logging/writers/sqlite.zeek.rst b/doc/scripts/base/frameworks/logging/writers/sqlite.zeek.rst
new file mode 100644
index 0000000000..95528eae1e
--- /dev/null
+++ b/doc/scripts/base/frameworks/logging/writers/sqlite.zeek.rst
@@ -0,0 +1,141 @@
+:tocdepth: 3
+
+base/frameworks/logging/writers/sqlite.zeek
+===========================================
+.. zeek:namespace:: LogSQLite
+
+Interface for the SQLite log writer. Redefinable options are available
+to tweak the output format of the SQLite reader.
+
+See :doc:`/frameworks/logging-input-sqlite` for an introduction on how to
+use the SQLite log writer.
+
+The SQL writer currently supports one writer-specific filter option via
+``config``: setting ``tablename`` sets the name of the table that is used
+or created in the SQLite database. An example for this is given in the
+introduction mentioned above.
+
+:Namespace: LogSQLite
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================================= ==========================================================================
+:zeek:id:`LogSQLite::empty_field`: :zeek:type:`string` :zeek:attr:`&redef`                        String to use for empty fields.
+:zeek:id:`LogSQLite::journal_mode`: :zeek:type:`LogSQLite::SQLiteJournalMode` :zeek:attr:`&redef` If changed from SQLITE_JOURNAL_MODE_DEFAULT, runs the PRAGMA
+                                                                                                  journal_mode statement with the provided value after connecting to
+                                                                                                  the SQLite database.
+:zeek:id:`LogSQLite::set_separator`: :zeek:type:`string` :zeek:attr:`&redef`                      Separator between set elements.
+:zeek:id:`LogSQLite::synchronous`: :zeek:type:`LogSQLite::SQLiteSynchronous` :zeek:attr:`&redef`  If changed from SQLITE_SYNCHRONOUS_DEFAULT, runs the PRAGMA synchronous
+                                                                                                  statement with the provided value after connecting to the SQLite database.
+:zeek:id:`LogSQLite::unset_field`: :zeek:type:`string` :zeek:attr:`&redef`                        String to use for an unset &optional field.
+================================================================================================= ==========================================================================
+
+Types
+#####
+============================================================ ============================================================
+:zeek:type:`LogSQLite::SQLiteJournalMode`: :zeek:type:`enum` Values supported for SQLite's PRAGMA journal_mode statement.
+:zeek:type:`LogSQLite::SQLiteSynchronous`: :zeek:type:`enum` Values supported for SQLite's PRAGMA synchronous statement.
+============================================================ ============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: LogSQLite::empty_field
+   :source-code: base/frameworks/logging/writers/sqlite.zeek 23 23
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"(empty)"``
+
+   String to use for empty fields. This should be different from
+   *unset_field* to make the output unambiguous.
+
+.. zeek:id:: LogSQLite::journal_mode
+   :source-code: base/frameworks/logging/writers/sqlite.zeek 57 57
+
+   :Type: :zeek:type:`LogSQLite::SQLiteJournalMode`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LogSQLite::SQLITE_JOURNAL_MODE_DEFAULT``
+
+   If changed from SQLITE_JOURNAL_MODE_DEFAULT, runs the PRAGMA
+   journal_mode statement with the provided value after connecting to
+   the SQLite database.
+   `SQLite's journal_mode documentation <https://www.sqlite.org/pragma.html#pragma_journal_mode>`_
+   for more details around performance, data safety trade offs
+   and interaction with the PRAGMA synchronous statement.
+
+.. zeek:id:: LogSQLite::set_separator
+   :source-code: base/frameworks/logging/writers/sqlite.zeek 16 16
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``","``
+
+   Separator between set elements.
+
+.. zeek:id:: LogSQLite::synchronous
+   :source-code: base/frameworks/logging/writers/sqlite.zeek 49 49
+
+   :Type: :zeek:type:`LogSQLite::SQLiteSynchronous`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LogSQLite::SQLITE_SYNCHRONOUS_DEFAULT``
+
+   If changed from SQLITE_SYNCHRONOUS_DEFAULT, runs the PRAGMA synchronous
+   statement with the provided value after connecting to the SQLite database. See
+   `SQLite's synchronous documentation <https://www.sqlite.org/pragma.html#pragma_synchronous>`_
+   for more details around performance and data safety trade offs.
+
+.. zeek:id:: LogSQLite::unset_field
+   :source-code: base/frameworks/logging/writers/sqlite.zeek 19 19
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"-"``
+
+   String to use for an unset &optional field.
+
+Types
+#####
+.. zeek:type:: LogSQLite::SQLiteJournalMode
+   :source-code: base/frameworks/logging/writers/sqlite.zeek 35 35
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LogSQLite::SQLITE_JOURNAL_MODE_DEFAULT LogSQLite::SQLiteJournalMode
+
+      .. zeek:enum:: LogSQLite::SQLITE_JOURNAL_MODE_DELETE LogSQLite::SQLiteJournalMode
+
+      .. zeek:enum:: LogSQLite::SQLITE_JOURNAL_MODE_TRUNCATE LogSQLite::SQLiteJournalMode
+
+      .. zeek:enum:: LogSQLite::SQLITE_JOURNAL_MODE_PERSIST LogSQLite::SQLiteJournalMode
+
+      .. zeek:enum:: LogSQLite::SQLITE_JOURNAL_MODE_MEMORY LogSQLite::SQLiteJournalMode
+
+      .. zeek:enum:: LogSQLite::SQLITE_JOURNAL_MODE_WAL LogSQLite::SQLiteJournalMode
+
+      .. zeek:enum:: LogSQLite::SQLITE_JOURNAL_MODE_OFF LogSQLite::SQLiteJournalMode
+
+   Values supported for SQLite's PRAGMA journal_mode statement.
+
+.. zeek:type:: LogSQLite::SQLiteSynchronous
+   :source-code: base/frameworks/logging/writers/sqlite.zeek 26 26
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LogSQLite::SQLITE_SYNCHRONOUS_DEFAULT LogSQLite::SQLiteSynchronous
+
+      .. zeek:enum:: LogSQLite::SQLITE_SYNCHRONOUS_OFF LogSQLite::SQLiteSynchronous
+
+      .. zeek:enum:: LogSQLite::SQLITE_SYNCHRONOUS_NORMAL LogSQLite::SQLiteSynchronous
+
+      .. zeek:enum:: LogSQLite::SQLITE_SYNCHRONOUS_FULL LogSQLite::SQLiteSynchronous
+
+      .. zeek:enum:: LogSQLite::SQLITE_SYNCHRONOUS_EXTRA LogSQLite::SQLiteSynchronous
+
+   Values supported for SQLite's PRAGMA synchronous statement.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/__load__.zeek.rst b/doc/scripts/base/frameworks/netcontrol/__load__.zeek.rst
new file mode 100644
index 0000000000..053c7ce850
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/netcontrol/drop.zeek </scripts/base/frameworks/netcontrol/drop.zeek>`, :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/non-cluster.zeek </scripts/base/frameworks/netcontrol/non-cluster.zeek>`, :doc:`base/frameworks/netcontrol/plugins </scripts/base/frameworks/netcontrol/plugins/index>`, :doc:`base/frameworks/netcontrol/shunt.zeek </scripts/base/frameworks/netcontrol/shunt.zeek>`, :doc:`base/frameworks/netcontrol/types.zeek </scripts/base/frameworks/netcontrol/types.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/netcontrol/drop.zeek.rst b/doc/scripts/base/frameworks/netcontrol/drop.zeek.rst
new file mode 100644
index 0000000000..9dbc8cd8f5
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/drop.zeek.rst
@@ -0,0 +1,171 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/drop.zeek
+====================================
+.. zeek:namespace:: NetControl
+
+Implementation of the drop functionality for NetControl.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+====================================================== =
+:zeek:type:`NetControl::DropInfo`: :zeek:type:`record` 
+====================================================== =
+
+Redefinitions
+#############
+======================================= ===================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`NetControl::DROP_LOG`
+======================================= ===================================
+
+Events
+######
+============================================================== ==========================================================================
+:zeek:id:`NetControl::log_netcontrol_drop`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
+                                                               record as it is sent on to the logging framework.
+============================================================== ==========================================================================
+
+Hooks
+#####
+==================================================================== =======================================================================
+:zeek:id:`NetControl::drop_rule_policy`: :zeek:type:`hook`           Hook that allows the modification of rules passed to drop_* before they
+                                                                     are passed on.
+:zeek:id:`NetControl::log_policy_drop`: :zeek:type:`Log::PolicyHook` 
+==================================================================== =======================================================================
+
+Functions
+#########
+============================================================= ======================================================================
+:zeek:id:`NetControl::drop_address`: :zeek:type:`function`    Stops all packets involving an IP address from being forwarded.
+:zeek:id:`NetControl::drop_connection`: :zeek:type:`function` Stops all packets involving a connection address from being forwarded.
+============================================================= ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: NetControl::DropInfo
+   :source-code: base/frameworks/netcontrol/drop.zeek 34 47
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time at which the recorded activity occurred.
+
+
+   .. zeek:field:: rule_id :zeek:type:`string` :zeek:attr:`&log`
+
+      ID of the rule; unique during each Zeek run.
+
+
+   .. zeek:field:: orig_h :zeek:type:`addr` :zeek:attr:`&log`
+
+      The originator's IP address.
+
+
+   .. zeek:field:: orig_p :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The originator's port number.
+
+
+   .. zeek:field:: resp_h :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The responder's IP address.
+
+
+   .. zeek:field:: resp_p :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The responder's port number.
+
+
+   .. zeek:field:: expire :zeek:type:`interval` :zeek:attr:`&log`
+
+      Expiry time of the shunt.
+
+
+   .. zeek:field:: location :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Location where the underlying action was triggered.
+
+
+
+Events
+######
+.. zeek:id:: NetControl::log_netcontrol_drop
+   :source-code: base/frameworks/netcontrol/drop.zeek 57 57
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`NetControl::DropInfo`)
+
+   Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: NetControl::drop_rule_policy
+   :source-code: base/frameworks/netcontrol/drop.zeek 53 53
+
+   :Type: :zeek:type:`hook` (r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool`
+
+   Hook that allows the modification of rules passed to drop_* before they
+   are passed on. If one of the hooks uses break, the rule is ignored.
+   
+
+   :param r: The rule to be added.
+
+.. zeek:id:: NetControl::log_policy_drop
+   :source-code: base/frameworks/netcontrol/drop.zeek 10 10
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+Functions
+#########
+.. zeek:id:: NetControl::drop_address
+   :source-code: base/frameworks/netcontrol/drop.zeek 89 111
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Stops all packets involving an IP address from being forwarded.
+   
+
+   :param a: The address to be dropped.
+   
+
+   :param t: How long to drop it, with 0 being indefinitely.
+   
+
+   :param location: An optional string describing where the drop was triggered.
+   
+
+   :returns: The id of the inserted rule on success and zero on failure.
+
+.. zeek:id:: NetControl::drop_connection
+   :source-code: base/frameworks/netcontrol/drop.zeek 65 87
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`conn_id`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Stops all packets involving a connection address from being forwarded.
+   
+
+   :param c: The connection to be dropped.
+   
+
+   :param t: How long to drop it, with 0 being indefinitely.
+   
+
+   :param location: An optional string describing where the drop was triggered.
+   
+
+   :returns: The id of the inserted rule on success and zero on failure.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/index.rst b/doc/scripts/base/frameworks/netcontrol/index.rst
new file mode 100644
index 0000000000..ca09216636
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/index.rst
@@ -0,0 +1,77 @@
+:orphan:
+
+Package: base/frameworks/netcontrol
+===================================
+
+The NetControl framework provides a way for Zeek to interact with networking
+hard- and software, e.g. for dropping and shunting IP addresses/connections,
+etc.
+
+:doc:`/scripts/base/frameworks/netcontrol/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/netcontrol/types.zeek`
+
+   This file defines the types that are used by the NetControl framework.
+   
+   The most important type defined in this file is :zeek:see:`NetControl::Rule`,
+   which is used to describe all rules that can be expressed by the NetControl framework.
+
+:doc:`/scripts/base/frameworks/netcontrol/main.zeek`
+
+   Zeek's NetControl framework.
+   
+   This plugin-based framework allows to control the traffic that Zeek monitors
+   as well as, if having access to the forwarding path, the traffic the network
+   forwards. By default, the framework lets everything through, to both Zeek
+   itself as well as on the network. Scripts can then add rules to impose
+   restrictions on entities, such as specific connections or IP addresses.
+   
+   This framework has two APIs: a high-level and low-level. The high-level API
+   provides convenience functions for a set of common operations. The
+   low-level API provides full flexibility.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugin.zeek`
+
+   This file defines the plugin interface for NetControl.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/debug.zeek`
+
+   Debugging plugin for the NetControl framework, providing insight into
+   executed operations.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek`
+
+   OpenFlow plugin for the NetControl framework.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek`
+
+   NetControl plugin for the process-level PacketFilter that comes with
+   Zeek. Since the PacketFilter in Zeek is quite limited in scope
+   and can only add/remove filters for addresses, this is quite
+   limited in scope at the moment.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek`
+
+   Broker plugin for the NetControl framework. Sends the raw data structures
+   used in NetControl on to Broker to allow for easy handling, e.g., of
+   command-line scripts.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek`
+
+   Acld plugin for the netcontrol framework.
+
+:doc:`/scripts/base/frameworks/netcontrol/drop.zeek`
+
+   Implementation of the drop functionality for NetControl.
+
+:doc:`/scripts/base/frameworks/netcontrol/shunt.zeek`
+
+   Implementation of the shunt functionality for NetControl.
+
+:doc:`/scripts/base/frameworks/netcontrol/non-cluster.zeek`
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/main.zeek.rst b/doc/scripts/base/frameworks/netcontrol/main.zeek.rst
new file mode 100644
index 0000000000..5f3ab3be21
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/main.zeek.rst
@@ -0,0 +1,649 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/main.zeek
+====================================
+.. zeek:namespace:: NetControl
+
+Zeek's NetControl framework.
+
+This plugin-based framework allows to control the traffic that Zeek monitors
+as well as, if having access to the forwarding path, the traffic the network
+forwards. By default, the framework lets everything through, to both Zeek
+itself as well as on the network. Scripts can then add rules to impose
+restrictions on entities, such as specific connections or IP addresses.
+
+This framework has two APIs: a high-level and low-level. The high-level API
+provides convenience functions for a set of common operations. The
+low-level API provides full flexibility.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`, :doc:`base/frameworks/netcontrol/types.zeek </scripts/base/frameworks/netcontrol/types.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+======================================================== =================================================================
+:zeek:type:`NetControl::Info`: :zeek:type:`record`       The record type defining the column fields of the NetControl log.
+:zeek:type:`NetControl::InfoCategory`: :zeek:type:`enum` Type of an entry in the NetControl log.
+:zeek:type:`NetControl::InfoState`: :zeek:type:`enum`    State of an entry in the NetControl log.
+======================================================== =================================================================
+
+Redefinitions
+#############
+================================================== ===================================================================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`            The framework's logging stream identifier.
+                                                   
+                                                   * :zeek:enum:`NetControl::LOG`
+:zeek:type:`NetControl::Rule`: :zeek:type:`record` 
+                                                   
+                                                   :New Fields: :zeek:type:`NetControl::Rule`
+                                                   
+                                                     _plugin_ids: :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+                                                       Internally set to the plugins handling the rule.
+                                                   
+                                                     _active_plugin_ids: :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+                                                       Internally set to the plugins on which the rule is currently active.
+                                                   
+                                                     _no_expire_plugins: :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+                                                       Internally set to plugins where the rule should not be removed upon timeout.
+                                                   
+                                                     _added: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                       Track if the rule was added successfully by all responsible plugins.
+================================================== ===================================================================================================================
+
+Events
+######
+========================================================= ===========================================================================
+:zeek:id:`NetControl::init`: :zeek:type:`event`           Event that is used to initialize plugins.
+:zeek:id:`NetControl::init_done`: :zeek:type:`event`      Event that is raised once all plugins activated in ``NetControl::init``
+                                                          have finished their initialization.
+:zeek:id:`NetControl::log_netcontrol`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`NetControl::Info`
+                                                          record as it is sent on to the logging framework.
+:zeek:id:`NetControl::rule_added`: :zeek:type:`event`     Confirms that a rule was put in place by a plugin.
+:zeek:id:`NetControl::rule_destroyed`: :zeek:type:`event` This event is raised when a rule is deleted from the NetControl framework,
+                                                          because it is no longer in use.
+:zeek:id:`NetControl::rule_error`: :zeek:type:`event`     Reports an error when operating on a rule.
+:zeek:id:`NetControl::rule_exists`: :zeek:type:`event`    Signals that a rule that was supposed to be put in place was already
+                                                          existing at the specified plugin.
+:zeek:id:`NetControl::rule_new`: :zeek:type:`event`       This event is raised when a new rule is created by the NetControl framework
+                                                          due to a call to add_rule.
+:zeek:id:`NetControl::rule_removed`: :zeek:type:`event`   Reports that a plugin reports a rule was removed due to a
+                                                          remove_rule function call.
+:zeek:id:`NetControl::rule_timeout`: :zeek:type:`event`   Reports that a rule was removed from a plugin due to a timeout.
+========================================================= ===========================================================================
+
+Hooks
+#####
+=============================================================== =============================================================================
+:zeek:id:`NetControl::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+:zeek:id:`NetControl::rule_added_policy`: :zeek:type:`hook`     Hook that allows the modification of rule states after they are returned from
+                                                                the plugins and have been added to the rules database.
+:zeek:id:`NetControl::rule_policy`: :zeek:type:`hook`           Hook that allows the modification of rules passed to add_rule before they
+                                                                are passed on to the plugins.
+=============================================================== =============================================================================
+
+Functions
+#########
+=============================================================== ===============================================================================================
+:zeek:id:`NetControl::activate`: :zeek:type:`function`          Activates a plugin.
+:zeek:id:`NetControl::add_rule`: :zeek:type:`function`          Installs a rule.
+:zeek:id:`NetControl::clear`: :zeek:type:`function`             Flushes all state by calling :zeek:see:`NetControl::remove_rule` on all currently active rules.
+:zeek:id:`NetControl::delete_rule`: :zeek:type:`function`       Deletes a rule without removing it from the backends to which it has been
+                                                                added before.
+:zeek:id:`NetControl::find_rules_addr`: :zeek:type:`function`   Searches all rules affecting a certain IP address.
+:zeek:id:`NetControl::find_rules_subnet`: :zeek:type:`function` Searches all rules affecting a certain subnet.
+:zeek:id:`NetControl::plugin_activated`: :zeek:type:`function`  Function called by plugins once they finished their activation.
+:zeek:id:`NetControl::quarantine_host`: :zeek:type:`function`   Quarantines a host.
+:zeek:id:`NetControl::redirect_flow`: :zeek:type:`function`     Redirects a uni-directional flow to another port.
+:zeek:id:`NetControl::remove_rule`: :zeek:type:`function`       Removes a rule.
+:zeek:id:`NetControl::whitelist_address`: :zeek:type:`function` Allows all traffic involving a specific IP address to be forwarded.
+:zeek:id:`NetControl::whitelist_subnet`: :zeek:type:`function`  Allows all traffic involving a specific IP subnet to be forwarded.
+=============================================================== ===============================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: NetControl::Info
+   :source-code: base/frameworks/netcontrol/main.zeek 308 339
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time at which the recorded activity occurred.
+
+
+   .. zeek:field:: rule_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      ID of the rule; unique during each Zeek run.
+
+
+   .. zeek:field:: category :zeek:type:`NetControl::InfoCategory` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Type of the log entry.
+
+
+   .. zeek:field:: cmd :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The command the log entry is about.
+
+
+   .. zeek:field:: state :zeek:type:`NetControl::InfoState` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      State the log entry reflects.
+
+
+   .. zeek:field:: action :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      String describing an action the entry is about.
+
+
+   .. zeek:field:: target :zeek:type:`NetControl::TargetType` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The target type of the action.
+
+
+   .. zeek:field:: entity_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Type of the entity the log entry is about.
+
+
+   .. zeek:field:: entity :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      String describing the entity the log entry is about.
+
+
+   .. zeek:field:: mod :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      String describing the optional modification of the entry (e.h. redirect)
+
+
+   .. zeek:field:: msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      String with an additional message.
+
+
+   .. zeek:field:: priority :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number describing the priority of the log entry.
+
+
+   .. zeek:field:: expire :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Expiry time of the log entry.
+
+
+   .. zeek:field:: location :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Location where the underlying action was triggered.
+
+
+   .. zeek:field:: plugin :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Plugin triggering the log entry.
+
+
+   The record type defining the column fields of the NetControl log.
+
+.. zeek:type:: NetControl::InfoCategory
+   :source-code: base/frameworks/netcontrol/main.zeek 288 296
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NetControl::MESSAGE NetControl::InfoCategory
+
+         A log entry reflecting a framework message.
+
+      .. zeek:enum:: NetControl::ERROR NetControl::InfoCategory
+
+         A log entry reflecting a framework message.
+
+      .. zeek:enum:: NetControl::RULE NetControl::InfoCategory
+
+         A log entry about a rule.
+
+   Type of an entry in the NetControl log.
+
+.. zeek:type:: NetControl::InfoState
+   :source-code: base/frameworks/netcontrol/main.zeek 298 306
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NetControl::REQUESTED NetControl::InfoState
+
+         The request to add/remove a rule was sent to the respective backend.
+
+      .. zeek:enum:: NetControl::SUCCEEDED NetControl::InfoState
+
+         A rule was successfully added by a backend.
+
+      .. zeek:enum:: NetControl::EXISTS NetControl::InfoState
+
+         A backend reported that a rule was already existing.
+
+      .. zeek:enum:: NetControl::FAILED NetControl::InfoState
+
+         A rule addition failed.
+
+      .. zeek:enum:: NetControl::REMOVED NetControl::InfoState
+
+         A rule was successfully removed by a backend.
+
+      .. zeek:enum:: NetControl::TIMEOUT NetControl::InfoState
+
+         A rule timeout was triggered by the NetControl framework or a backend.
+
+   State of an entry in the NetControl log.
+
+Events
+######
+.. zeek:id:: NetControl::init
+   :source-code: base/frameworks/netcontrol/main.zeek 642 650
+
+   :Type: :zeek:type:`event` ()
+
+   Event that is used to initialize plugins. Place all plugin initialization
+   related functionality in this event.
+
+.. zeek:id:: NetControl::init_done
+   :source-code: base/frameworks/netcontrol/main.zeek 43 43
+
+   :Type: :zeek:type:`event` ()
+
+   Event that is raised once all plugins activated in ``NetControl::init``
+   have finished their initialization.
+
+.. zeek:id:: NetControl::log_netcontrol
+   :source-code: base/frameworks/netcontrol/main.zeek 343 343
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`NetControl::Info`)
+
+   Event that can be handled to access the :zeek:type:`NetControl::Info`
+   record as it is sent on to the logging framework.
+
+.. zeek:id:: NetControl::rule_added
+   :source-code: base/frameworks/netcontrol/main.zeek 191 191
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
+
+   Confirms that a rule was put in place by a plugin.
+   
+
+   :param r: The rule now in place.
+   
+
+   :param p: The state for the plugin that put it into place.
+   
+
+   :param msg: An optional informational message by the plugin.
+
+.. zeek:id:: NetControl::rule_destroyed
+   :source-code: base/frameworks/netcontrol/main.zeek 256 256
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`)
+
+   This event is raised when a rule is deleted from the NetControl framework,
+   because it is no longer in use. This can be caused by the fact that a rule
+   was removed by all plugins to which it was added, by the fact that it timed out
+   or due to rule errors.
+   
+   To get the cause of a rule remove, catch the rule_removed, rule_timeout and
+   rule_error events.
+
+.. zeek:id:: NetControl::rule_error
+   :source-code: base/frameworks/netcontrol/main.zeek 236 236
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
+
+   Reports an error when operating on a rule.
+   
+
+   :param r: The rule that encountered an error.
+   
+
+   :param p: The state for the plugin that reported the error.
+   
+
+   :param msg: An optional informational message by the plugin.
+
+.. zeek:id:: NetControl::rule_exists
+   :source-code: base/frameworks/netcontrol/main.zeek 204 204
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
+
+   Signals that a rule that was supposed to be put in place was already
+   existing at the specified plugin. Rules that already have been existing
+   continue to be tracked like normal, but no timeout calls will be sent
+   to the specified plugins. Removal of the rule from the hardware can
+   still be forced by manually issuing a remove_rule call.
+   
+
+   :param r: The rule that was already in place.
+   
+
+   :param p: The plugin that reported that the rule already was in place.
+   
+
+   :param msg: An optional informational message by the plugin.
+
+.. zeek:id:: NetControl::rule_new
+   :source-code: base/frameworks/netcontrol/main.zeek 247 247
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`)
+
+   This event is raised when a new rule is created by the NetControl framework
+   due to a call to add_rule. From this moment, until the rule_destroyed event
+   is raised, the rule is tracked internally by the NetControl framework.
+   
+   Note that this event does not mean that a rule was successfully added by
+   any backend; it just means that the rule has been accepted and addition
+   to the specified backend is queued. To get information when rules are actually
+   installed by the hardware, use the rule_added, rule_exists, rule_removed, rule_timeout
+   and rule_error events.
+
+.. zeek:id:: NetControl::rule_removed
+   :source-code: base/frameworks/netcontrol/non-cluster.zeek 47 50
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
+
+   Reports that a plugin reports a rule was removed due to a
+   remove_rule function call.
+   
+
+   :param r: The rule now removed.
+   
+
+   :param p: The state for the plugin that had the rule in place and now
+      removed it.
+   
+
+   :param msg: An optional informational message by the plugin.
+
+.. zeek:id:: NetControl::rule_timeout
+   :source-code: base/frameworks/netcontrol/main.zeek 227 227
+
+   :Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, i: :zeek:type:`NetControl::FlowInfo`, p: :zeek:type:`NetControl::PluginState`)
+
+   Reports that a rule was removed from a plugin due to a timeout.
+   
+
+   :param r: The rule now removed.
+   
+
+   :param i: Additional flow information, if supported by the protocol.
+   
+
+   :param p: The state for the plugin that had the rule in place and now
+      removed it.
+   
+
+   :param msg: An optional informational message by the plugin.
+
+Hooks
+#####
+.. zeek:id:: NetControl::log_policy
+   :source-code: base/frameworks/netcontrol/main.zeek 23 23
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+.. zeek:id:: NetControl::rule_added_policy
+   :source-code: base/frameworks/netcontrol/main.zeek 277 277
+
+   :Type: :zeek:type:`hook` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, exists: :zeek:type:`bool`, msg: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Hook that allows the modification of rule states after they are returned from
+   the plugins and have been added to the rules database. This allows low-level
+   modification of the handling of rules like, e.g., changing rule expiration depending
+   on context.
+   
+
+   :param r: The rule now in place.
+   
+
+   :param p: The state for the plugin that put it into place.
+   
+
+   :param exists: If the adding plugin flagged the rule as already existing.
+   
+
+   :param msg: An optional informational message by the plugin.
+
+.. zeek:id:: NetControl::rule_policy
+   :source-code: base/frameworks/netcontrol/main.zeek 263 263
+
+   :Type: :zeek:type:`hook` (r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool`
+
+   Hook that allows the modification of rules passed to add_rule before they
+   are passed on to the plugins. If one of the hooks uses break, the rule is
+   ignored and not passed on to any plugin.
+   
+
+   :param r: The rule to be added.
+
+Functions
+#########
+.. zeek:id:: NetControl::activate
+   :source-code: base/frameworks/netcontrol/non-cluster.zeek 6 9
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, priority: :zeek:type:`int`) : :zeek:type:`void`
+
+   Activates a plugin.
+   
+
+   :param p: The plugin to activate.
+   
+
+   :param priority: The higher the priority, the earlier this plugin will be checked
+             whether it supports an operation, relative to other plugins.
+
+.. zeek:id:: NetControl::add_rule
+   :source-code: base/frameworks/netcontrol/non-cluster.zeek 11 14
+
+   :Type: :zeek:type:`function` (r: :zeek:type:`NetControl::Rule`) : :zeek:type:`string`
+
+   Installs a rule.
+   
+
+   :param r: The rule to install.
+   
+
+   :returns: If successful, returns an ID string unique to the rule that can
+            later be used to refer to it. If unsuccessful, returns an empty
+            string. The ID is also assigned to ``r$id``. Note that
+            "successful" means "a plugin knew how to handle the rule", it
+            doesn't necessarily mean that it was indeed successfully put in
+            place, because that might happen asynchronously and thus fail
+            only later.
+
+.. zeek:id:: NetControl::clear
+   :source-code: base/frameworks/netcontrol/main.zeek 1075 1079
+
+   :Type: :zeek:type:`function` () : :zeek:type:`void`
+
+   Flushes all state by calling :zeek:see:`NetControl::remove_rule` on all currently active rules.
+
+.. zeek:id:: NetControl::delete_rule
+   :source-code: base/frameworks/netcontrol/non-cluster.zeek 16 19
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`, reason: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Deletes a rule without removing it from the backends to which it has been
+   added before. This means that no messages will be sent to the switches to which
+   the rule has been added; if it is not removed from them by a separate mechanism,
+   it will stay installed and not be removed later.
+   
+
+   :param id: The rule to delete, specified as the ID returned by :zeek:see:`NetControl::add_rule`.
+   
+
+   :param reason: Optional string argument giving information on why the rule was deleted.
+   
+
+   :returns: True if removal is successful, or sent to manager.
+            False if the rule could not be found.
+
+.. zeek:id:: NetControl::find_rules_addr
+   :source-code: base/frameworks/netcontrol/main.zeek 763 766
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`addr`) : :zeek:type:`vector` of :zeek:type:`NetControl::Rule`
+
+   Searches all rules affecting a certain IP address.
+   
+   This function works on both the manager and workers of a cluster. Note that on
+   the worker, the internal rule variables (starting with _) will not reflect the
+   current state.
+   
+
+   :param ip: The ip address to search for.
+   
+
+   :returns: vector of all rules affecting the IP address.
+
+.. zeek:id:: NetControl::find_rules_subnet
+   :source-code: base/frameworks/netcontrol/main.zeek 741 761
+
+   :Type: :zeek:type:`function` (sn: :zeek:type:`subnet`) : :zeek:type:`vector` of :zeek:type:`NetControl::Rule`
+
+   Searches all rules affecting a certain subnet.
+   
+   A rule affects a subnet, if it covers the whole subnet. Note especially that
+   this function will not reveal all rules that are covered by a subnet.
+   
+   For example, a search for 192.168.17.0/8 will reveal a rule that exists for
+   192.168.0.0/16, since this rule affects the subnet. However, it will not reveal
+   a more specific rule for 192.168.17.1/32, which does not directly affect the whole
+   subnet.
+   
+   This function works on both the manager and workers of a cluster. Note that on
+   the worker, the internal rule variables (starting with _) will not reflect the
+   current state.
+   
+
+   :param sn: The subnet to search for.
+   
+
+   :returns: vector of all rules affecting the subnet.
+
+.. zeek:id:: NetControl::plugin_activated
+   :source-code: base/frameworks/netcontrol/main.zeek 617 635
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`) : :zeek:type:`void`
+
+   Function called by plugins once they finished their activation. After all
+   plugins defined in zeek_init finished to activate, rules will start to be sent
+   to the plugins. Rules that scripts try to set before the backends are ready
+   will be discarded.
+
+.. zeek:id:: NetControl::quarantine_host
+   :source-code: base/frameworks/netcontrol/main.zeek 570 590
+
+   :Type: :zeek:type:`function` (infected: :zeek:type:`addr`, dns: :zeek:type:`addr`, quarantine: :zeek:type:`addr`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`vector` of :zeek:type:`string`
+
+   Quarantines a host. This requires a special quarantine server, which runs a HTTP server explaining
+   the quarantine and a DNS server which resolves all requests to the quarantine server. DNS queries
+   from the host to the network DNS server will be rewritten and will be sent to the quarantine server
+   instead. Only http communication infected to quarantinehost is allowed. All other network communication
+   is blocked.
+   
+
+   :param infected: the host to quarantine.
+   
+
+   :param dns: the network dns server.
+   
+
+   :param quarantine: the quarantine server running a dns and a web server.
+   
+
+   :param t: how long to leave the quarantine in place.
+   
+
+   :returns: Vector of inserted rules on success, empty list on failure.
+
+.. zeek:id:: NetControl::redirect_flow
+   :source-code: base/frameworks/netcontrol/main.zeek 556 568
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`flow_id`, out_port: :zeek:type:`count`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Redirects a uni-directional flow to another port.
+   
+
+   :param f: The flow to redirect.
+   
+
+   :param out_port: Port to redirect the flow to.
+   
+
+   :param t: How long to leave the redirect in place, with 0 being indefinitely.
+   
+
+   :param location: An optional string describing where the redirect was triggered.
+   
+
+   :returns: The id of the inserted rule on success and zero on failure.
+
+.. zeek:id:: NetControl::remove_rule
+   :source-code: base/frameworks/netcontrol/non-cluster.zeek 21 24
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`, reason: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Removes a rule.
+   
+
+   :param id: The rule to remove, specified as the ID returned by :zeek:see:`NetControl::add_rule`.
+   
+
+   :param reason: Optional string argument giving information on why the rule was removed.
+   
+
+   :returns: True if successful, the relevant plugin indicated that it knew
+            how to handle the removal. Note that again "success" means the
+            plugin accepted the removal. It might still fail to put it
+            into effect, as that might happen asynchronously and thus go
+            wrong at that point.
+
+.. zeek:id:: NetControl::whitelist_address
+   :source-code: base/frameworks/netcontrol/main.zeek 539 545
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Allows all traffic involving a specific IP address to be forwarded.
+   
+
+   :param a: The address to be whitelisted.
+   
+
+   :param t: How long to whitelist it, with 0 being indefinitely.
+   
+
+   :param location: An optional string describing whitelist was triggered.
+   
+
+   :returns: The id of the inserted rule on success and zero on failure.
+
+.. zeek:id:: NetControl::whitelist_subnet
+   :source-code: base/frameworks/netcontrol/main.zeek 547 553
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`subnet`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Allows all traffic involving a specific IP subnet to be forwarded.
+   
+
+   :param s: The subnet to be whitelisted.
+   
+
+   :param t: How long to whitelist it, with 0 being indefinitely.
+   
+
+   :param location: An optional string describing whitelist was triggered.
+   
+
+   :returns: The id of the inserted rule on success and zero on failure.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/non-cluster.zeek.rst b/doc/scripts/base/frameworks/netcontrol/non-cluster.zeek.rst
new file mode 100644
index 0000000000..af84fd9218
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/non-cluster.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/non-cluster.zeek
+===========================================
+.. zeek:namespace:: NetControl
+
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/netcontrol/plugin.zeek.rst b/doc/scripts/base/frameworks/netcontrol/plugin.zeek.rst
new file mode 100644
index 0000000000..f3e24582e9
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/plugin.zeek.rst
@@ -0,0 +1,179 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/plugin.zeek
+======================================
+.. zeek:namespace:: NetControl
+
+This file defines the plugin interface for NetControl.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/netcontrol/types.zeek </scripts/base/frameworks/netcontrol/types.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+========================================================= =====================================================
+:zeek:type:`NetControl::Plugin`: :zeek:type:`record`      Definition of a plugin.
+:zeek:type:`NetControl::PluginState`: :zeek:type:`record` This record keeps the per instance state of a plugin.
+========================================================= =====================================================
+
+Redefinitions
+#############
+========================================================= ========================================================================
+:zeek:type:`NetControl::PluginState`: :zeek:type:`record` Table for a plugin to store instance-specific configuration information.
+                                                          
+                                                          :New Fields: :zeek:type:`NetControl::PluginState`
+                                                          
+                                                            plugin: :zeek:type:`NetControl::Plugin` :zeek:attr:`&optional`
+                                                              The plugin that the state belongs to.
+========================================================= ========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: NetControl::Plugin
+   :source-code: base/frameworks/netcontrol/plugin.zeek 38 72
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`) : :zeek:type:`string`
+
+      Returns a descriptive name of the plugin instance, suitable for use in logging
+      messages. Note that this function is not optional.
+
+
+   .. zeek:field:: can_expire :zeek:type:`bool`
+
+      If true, plugin can expire rules itself. If false, the NetControl
+      framework will manage rule expiration.
+
+
+   .. zeek:field:: init :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`) : :zeek:type:`void` :zeek:attr:`&optional`
+
+      One-time initialization function called when plugin gets registered, and
+      before any other methods are called.
+      
+      If this function is provided, NetControl assumes that the plugin has to
+      perform, potentially lengthy, initialization before the plugin will become
+      active. In this case, the plugin has to call ``NetControl::plugin_activated``,
+      once initialization finishes.
+
+
+   .. zeek:field:: done :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`) : :zeek:type:`void` :zeek:attr:`&optional`
+
+      One-time finalization function called when a plugin is shutdown; no further
+      functions will be called afterwards.
+
+
+   .. zeek:field:: add_rule :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Implements the add_rule() operation. If the plugin accepts the rule,
+      it returns true, false otherwise. The rule will already have its
+      ``id`` field set, which the plugin may use for identification
+      purposes.
+
+
+   .. zeek:field:: remove_rule :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`, reason: :zeek:type:`string`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Implements the remove_rule() operation. This will only be called for
+      rules that the plugin has previously accepted with add_rule(). The
+      ``id`` field will match that of the add_rule() call.  Generally,
+      a plugin that accepts an add_rule() should also accept the
+      remove_rule().
+
+
+   Definition of a plugin.
+   
+   Generally a plugin needs to implement only what it can support.  By
+   returning failure, it indicates that it can't support something and
+   the framework will then try another plugin, if available; or inform the
+   that the operation failed. If a function isn't implemented by a plugin,
+   that's considered an implicit failure to support the operation.
+   
+   If plugin accepts a rule operation, it *must* generate one of the reporting
+   events ``rule_{added,remove,error}`` to signal if it indeed worked out;
+   this is separate from accepting the operation because often a plugin
+   will only know later (i.e., asynchronously) if that was an error for
+   something it thought it could handle.
+
+.. zeek:type:: NetControl::PluginState
+   :source-code: base/frameworks/netcontrol/plugin.zeek 11 23
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: config :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Table for a plugin to store custom, instance-specific state.
+
+
+   .. zeek:field:: _id :zeek:type:`count` :zeek:attr:`&optional`
+
+      Unique plugin identifier -- used for backlookup of plugins from Rules. Set internally.
+
+
+   .. zeek:field:: _priority :zeek:type:`int` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Set internally.
+
+
+   .. zeek:field:: _activated :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Set internally. Signifies if the plugin has returned that it has activated successfully.
+
+
+   .. zeek:field:: plugin :zeek:type:`NetControl::Plugin` :zeek:attr:`&optional`
+
+      The plugin that the state belongs to. (Defined separately
+      because of cyclic type dependency.)
+
+
+   .. zeek:field:: of_controller :zeek:type:`OpenFlow::Controller` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek` is loaded)
+
+      OpenFlow controller for NetControl OpenFlow plugin.
+
+
+   .. zeek:field:: of_config :zeek:type:`NetControl::OfConfig` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek` is loaded)
+
+      OpenFlow configuration record that is passed on initialization.
+
+
+   .. zeek:field:: broker_config :zeek:type:`NetControl::BrokerConfig` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek` is loaded)
+
+      OpenFlow controller for NetControl Broker plugin.
+
+
+   .. zeek:field:: broker_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek` is loaded)
+
+      The ID of this broker instance - for the mapping to PluginStates.
+
+
+   .. zeek:field:: acld_config :zeek:type:`NetControl::AcldConfig` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek` is loaded)
+
+
+   .. zeek:field:: acld_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek` is loaded)
+
+      The ID of this acld instance - for the mapping to PluginStates.
+
+
+   This record keeps the per instance state of a plugin.
+   
+   Individual plugins commonly extend this record to suit their needs.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/plugins/__load__.zeek.rst b/doc/scripts/base/frameworks/netcontrol/plugins/__load__.zeek.rst
new file mode 100644
index 0000000000..b536b32a0a
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/plugins/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/plugins/__load__.zeek
+================================================
+
+
+:Imports: :doc:`base/frameworks/netcontrol/plugins/acld.zeek </scripts/base/frameworks/netcontrol/plugins/acld.zeek>`, :doc:`base/frameworks/netcontrol/plugins/broker.zeek </scripts/base/frameworks/netcontrol/plugins/broker.zeek>`, :doc:`base/frameworks/netcontrol/plugins/debug.zeek </scripts/base/frameworks/netcontrol/plugins/debug.zeek>`, :doc:`base/frameworks/netcontrol/plugins/openflow.zeek </scripts/base/frameworks/netcontrol/plugins/openflow.zeek>`, :doc:`base/frameworks/netcontrol/plugins/packetfilter.zeek </scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/netcontrol/plugins/acld.zeek.rst b/doc/scripts/base/frameworks/netcontrol/plugins/acld.zeek.rst
new file mode 100644
index 0000000000..12b64cdb54
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/plugins/acld.zeek.rst
@@ -0,0 +1,197 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/plugins/acld.zeek
+============================================
+.. zeek:namespace:: NetControl
+
+Acld plugin for the netcontrol framework.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+======================================================== =
+:zeek:type:`NetControl::AclRule`: :zeek:type:`record`    
+:zeek:type:`NetControl::AcldConfig`: :zeek:type:`record` 
+======================================================== =
+
+Redefinitions
+#############
+========================================================= =========================================================================
+:zeek:type:`NetControl::PluginState`: :zeek:type:`record` 
+                                                          
+                                                          :New Fields: :zeek:type:`NetControl::PluginState`
+                                                          
+                                                            acld_config: :zeek:type:`NetControl::AcldConfig` :zeek:attr:`&optional`
+                                                          
+                                                            acld_id: :zeek:type:`count` :zeek:attr:`&optional`
+                                                              The ID of this acld instance - for the mapping to PluginStates.
+========================================================= =========================================================================
+
+Events
+######
+============================================================ =======================================
+:zeek:id:`NetControl::acld_add_rule`: :zeek:type:`event`     Events that are sent from us to Broker.
+:zeek:id:`NetControl::acld_remove_rule`: :zeek:type:`event`  
+:zeek:id:`NetControl::acld_rule_added`: :zeek:type:`event`   Events that are sent from Broker to us.
+:zeek:id:`NetControl::acld_rule_error`: :zeek:type:`event`   
+:zeek:id:`NetControl::acld_rule_exists`: :zeek:type:`event`  
+:zeek:id:`NetControl::acld_rule_removed`: :zeek:type:`event` 
+============================================================ =======================================
+
+Hooks
+#####
+========================================================== ==============================================================
+:zeek:id:`NetControl::acld_rule_policy`: :zeek:type:`hook` Hook that is called after a rule is converted to an acld rule.
+========================================================== ==============================================================
+
+Functions
+#########
+========================================================= =============================
+:zeek:id:`NetControl::create_acld`: :zeek:type:`function` Instantiates the acld plugin.
+========================================================= =============================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: NetControl::AclRule
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 10 15
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: command :zeek:type:`string`
+
+
+   .. zeek:field:: cookie :zeek:type:`count`
+
+
+   .. zeek:field:: arg :zeek:type:`string`
+
+
+   .. zeek:field:: comment :zeek:type:`string` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: NetControl::AcldConfig
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 17 37
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: acld_topic :zeek:type:`string`
+
+      The acld topic to send events to.
+
+
+   .. zeek:field:: acld_host :zeek:type:`addr`
+
+      Broker host to connect to.
+
+
+   .. zeek:field:: acld_port :zeek:type:`port`
+
+      Broker port to connect to.
+
+
+   .. zeek:field:: monitor :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Do we accept rules for the monitor path? Default false.
+
+
+   .. zeek:field:: forward :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Do we accept rules for the forward path? Default true.
+
+
+   .. zeek:field:: check_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Predicate that is called on rule insertion or removal.
+      
+
+      :param p: Current plugin state.
+      
+
+      :param r: The rule to be inserted or removed.
+      
+
+      :returns: T if the rule can be handled by the current backend, F otherwise.
+
+
+
+Events
+######
+.. zeek:id:: NetControl::acld_add_rule
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 61 61
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, ar: :zeek:type:`NetControl::AclRule`)
+
+   Events that are sent from us to Broker.
+
+.. zeek:id:: NetControl::acld_remove_rule
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 62 62
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, ar: :zeek:type:`NetControl::AclRule`)
+
+
+.. zeek:id:: NetControl::acld_rule_added
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 90 101
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
+
+   Events that are sent from Broker to us.
+
+.. zeek:id:: NetControl::acld_rule_error
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 129 140
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::acld_rule_exists
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 103 114
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::acld_rule_removed
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 116 127
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
+
+
+Hooks
+#####
+.. zeek:id:: NetControl::acld_rule_policy
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 58 58
+
+   :Type: :zeek:type:`hook` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`, ar: :zeek:type:`NetControl::AclRule`) : :zeek:type:`bool`
+
+   Hook that is called after a rule is converted to an acld rule.
+   The hook may modify the rule before it is sent to acld.
+   Setting the acld command to F will cause the rule to be rejected
+   by the plugin.
+   
+
+   :param p: Current plugin state.
+   
+
+   :param r: The rule to be inserted or removed.
+   
+
+   :param ar: The acld rule to be inserted or removed.
+
+Functions
+#########
+.. zeek:id:: NetControl::create_acld
+   :source-code: base/frameworks/netcontrol/plugins/acld.zeek 298 317
+
+   :Type: :zeek:type:`function` (config: :zeek:type:`NetControl::AcldConfig`) : :zeek:type:`NetControl::PluginState`
+
+   Instantiates the acld plugin.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/plugins/broker.zeek.rst b/doc/scripts/base/frameworks/netcontrol/plugins/broker.zeek.rst
new file mode 100644
index 0000000000..32076937c0
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/plugins/broker.zeek.rst
@@ -0,0 +1,159 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/plugins/broker.zeek
+==============================================
+.. zeek:namespace:: NetControl
+
+Broker plugin for the NetControl framework. Sends the raw data structures
+used in NetControl on to Broker to allow for easy handling, e.g., of
+command-line scripts.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+========================================================== ================================================================================================
+:zeek:type:`NetControl::BrokerConfig`: :zeek:type:`record` This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
+========================================================== ================================================================================================
+
+Redefinitions
+#############
+========================================================= =============================================================================
+:zeek:type:`NetControl::PluginState`: :zeek:type:`record` 
+                                                          
+                                                          :New Fields: :zeek:type:`NetControl::PluginState`
+                                                          
+                                                            broker_config: :zeek:type:`NetControl::BrokerConfig` :zeek:attr:`&optional`
+                                                              OpenFlow controller for NetControl Broker plugin.
+                                                          
+                                                            broker_id: :zeek:type:`count` :zeek:attr:`&optional`
+                                                              The ID of this broker instance - for the mapping to PluginStates.
+========================================================= =============================================================================
+
+Events
+######
+============================================================== =
+:zeek:id:`NetControl::broker_add_rule`: :zeek:type:`event`     
+:zeek:id:`NetControl::broker_remove_rule`: :zeek:type:`event`  
+:zeek:id:`NetControl::broker_rule_added`: :zeek:type:`event`   
+:zeek:id:`NetControl::broker_rule_error`: :zeek:type:`event`   
+:zeek:id:`NetControl::broker_rule_exists`: :zeek:type:`event`  
+:zeek:id:`NetControl::broker_rule_removed`: :zeek:type:`event` 
+:zeek:id:`NetControl::broker_rule_timeout`: :zeek:type:`event` 
+============================================================== =
+
+Functions
+#########
+=========================================================== ===============================
+:zeek:id:`NetControl::create_broker`: :zeek:type:`function` Instantiates the broker plugin.
+=========================================================== ===============================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: NetControl::BrokerConfig
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 13 34
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: topic :zeek:type:`string` :zeek:attr:`&optional`
+
+      The broker topic to send events to.
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Broker host to connect to.
+
+
+   .. zeek:field:: bport :zeek:type:`port` :zeek:attr:`&optional`
+
+      Broker port to connect to.
+
+
+   .. zeek:field:: monitor :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Do we accept rules for the monitor path? Default true.
+
+
+   .. zeek:field:: forward :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Do we accept rules for the forward path? Default true.
+
+
+   .. zeek:field:: check_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Predicate that is called on rule insertion or removal.
+      
+
+      :param p: Current plugin state.
+      
+
+      :param r: The rule to be inserted or removed.
+      
+
+      :returns: T if the rule can be handled by the current backend, F otherwise.
+
+
+   This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
+
+Events
+######
+.. zeek:id:: NetControl::broker_add_rule
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 46 46
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`)
+
+
+.. zeek:id:: NetControl::broker_remove_rule
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 47 47
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, reason: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::broker_rule_added
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 61 72
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::broker_rule_error
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 100 111
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::broker_rule_exists
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 74 85
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::broker_rule_removed
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 87 98
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::broker_rule_timeout
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 113 124
+
+   :Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, i: :zeek:type:`NetControl::FlowInfo`)
+
+
+Functions
+#########
+.. zeek:id:: NetControl::create_broker
+   :source-code: base/frameworks/netcontrol/plugins/broker.zeek 198 220
+
+   :Type: :zeek:type:`function` (config: :zeek:type:`NetControl::BrokerConfig`, can_expire: :zeek:type:`bool`) : :zeek:type:`NetControl::PluginState`
+
+   Instantiates the broker plugin.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/plugins/debug.zeek.rst b/doc/scripts/base/frameworks/netcontrol/plugins/debug.zeek.rst
new file mode 100644
index 0000000000..a70a17e643
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/plugins/debug.zeek.rst
@@ -0,0 +1,65 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/plugins/debug.zeek
+=============================================
+.. zeek:namespace:: NetControl
+
+Debugging plugin for the NetControl framework, providing insight into
+executed operations.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================= =========================================================
+:zeek:id:`NetControl::create_debug`: :zeek:type:`function`        Instantiates a debug plugin for the NetControl framework.
+:zeek:id:`NetControl::create_debug_error`: :zeek:type:`function`  Instantiates a debug plugin for the NetControl framework.
+:zeek:id:`NetControl::create_debug_exists`: :zeek:type:`function` Instantiates a debug plugin for the NetControl framework.
+================================================================= =========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: NetControl::create_debug
+   :source-code: base/frameworks/netcontrol/plugins/debug.zeek 118 131
+
+   :Type: :zeek:type:`function` (do_something: :zeek:type:`bool`, name: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`NetControl::PluginState`
+
+   Instantiates a debug plugin for the NetControl framework. The debug
+   plugin simply logs the operations it receives.
+   
+
+   :param do_something: If true, the plugin will claim it supports all operations; if
+                 false, it will indicate it doesn't support any.
+   
+
+   :param name: Optional name that for the plugin.
+
+.. zeek:id:: NetControl::create_debug_error
+   :source-code: base/frameworks/netcontrol/plugins/debug.zeek 133 140
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`NetControl::PluginState`
+
+   Instantiates a debug plugin for the NetControl framework. This variation
+   of the plugin will return "error" to any rule operations.
+   
+
+   :param name: Name of this plugin.
+
+.. zeek:id:: NetControl::create_debug_exists
+   :source-code: base/frameworks/netcontrol/plugins/debug.zeek 142 149
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`NetControl::PluginState`
+
+   Instantiates a debug plugin for the NetControl framework. This variation
+   of the plugin will return "exists" to any rule operations.
+   
+
+   :param name: Name of this plugin.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/plugins/index.rst b/doc/scripts/base/frameworks/netcontrol/plugins/index.rst
new file mode 100644
index 0000000000..13036cbea0
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/plugins/index.rst
@@ -0,0 +1,36 @@
+:orphan:
+
+Package: base/frameworks/netcontrol/plugins
+===========================================
+
+Plugins for the NetControl framework.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/debug.zeek`
+
+   Debugging plugin for the NetControl framework, providing insight into
+   executed operations.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek`
+
+   OpenFlow plugin for the NetControl framework.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek`
+
+   NetControl plugin for the process-level PacketFilter that comes with
+   Zeek. Since the PacketFilter in Zeek is quite limited in scope
+   and can only add/remove filters for addresses, this is quite
+   limited in scope at the moment.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek`
+
+   Broker plugin for the NetControl framework. Sends the raw data structures
+   used in NetControl on to Broker to allow for easy handling, e.g., of
+   command-line scripts.
+
+:doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek`
+
+   Acld plugin for the netcontrol framework.
+
diff --git a/doc/scripts/base/frameworks/netcontrol/plugins/openflow.zeek.rst b/doc/scripts/base/frameworks/netcontrol/plugins/openflow.zeek.rst
new file mode 100644
index 0000000000..c8e45c3f36
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/plugins/openflow.zeek.rst
@@ -0,0 +1,195 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/plugins/openflow.zeek
+================================================
+.. zeek:namespace:: NetControl
+
+OpenFlow plugin for the NetControl framework.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`, :doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+========================================================================================== ===============================================================================
+:zeek:id:`NetControl::openflow_flow_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`    The time interval after we consider a flow timed out.
+:zeek:id:`NetControl::openflow_message_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The time interval after which an openflow message is considered to be timed out
+                                                                                           and we delete it from our internal tracking.
+========================================================================================== ===============================================================================
+
+Types
+#####
+====================================================== ==================================================================================================
+:zeek:type:`NetControl::OfConfig`: :zeek:type:`record` This record specifies the configuration that is passed to :zeek:see:`NetControl::create_openflow`.
+:zeek:type:`NetControl::OfTable`: :zeek:type:`record`  
+====================================================== ==================================================================================================
+
+Redefinitions
+#############
+========================================================= =========================================================================
+:zeek:type:`NetControl::PluginState`: :zeek:type:`record` 
+                                                          
+                                                          :New Fields: :zeek:type:`NetControl::PluginState`
+                                                          
+                                                            of_controller: :zeek:type:`OpenFlow::Controller` :zeek:attr:`&optional`
+                                                              OpenFlow controller for NetControl OpenFlow plugin.
+                                                          
+                                                            of_config: :zeek:type:`NetControl::OfConfig` :zeek:attr:`&optional`
+                                                              OpenFlow configuration record that is passed on initialization.
+========================================================= =========================================================================
+
+Functions
+#########
+============================================================= =============================================================
+:zeek:id:`NetControl::create_openflow`: :zeek:type:`function` Instantiates an openflow plugin for the NetControl framework.
+============================================================= =============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: NetControl::openflow_flow_timeout
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 76 76
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 day``
+
+   The time interval after we consider a flow timed out. This should be fairly high (or
+   even disabled) if you expect a lot of long flows. However, one also will have state
+   buildup for quite a while if keeping this around...
+
+.. zeek:id:: NetControl::openflow_message_timeout
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 71 71
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``20.0 secs``
+
+   The time interval after which an openflow message is considered to be timed out
+   and we delete it from our internal tracking.
+
+Types
+#####
+.. zeek:type:: NetControl::OfConfig
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 11 51
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: monitor :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Accept rules that target the monitor path.
+
+
+   .. zeek:field:: forward :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Accept rules that target the forward path.
+
+
+   .. zeek:field:: idle_timeout :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Default OpenFlow idle timeout.
+
+
+   .. zeek:field:: table_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      Default OpenFlow table ID.
+
+
+   .. zeek:field:: priority_offset :zeek:type:`int` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function.
+
+
+   .. zeek:field:: check_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Predicate that is called on rule insertion or removal.
+      
+
+      :param p: Current plugin state.
+      
+
+      :param r: The rule to be inserted or removed.
+      
+
+      :returns: T if the rule can be handled by the current backend, F otherwise.
+
+
+   .. zeek:field:: match_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, e: :zeek:type:`NetControl::Entity`, m: :zeek:type:`vector` of :zeek:type:`OpenFlow::ofp_match`) : :zeek:type:`vector` of :zeek:type:`OpenFlow::ofp_match` :zeek:attr:`&optional`
+
+      This predicate is called each time an OpenFlow match record is created.
+      The predicate can modify the match structure before it is sent on to the
+      device.
+      
+
+      :param p: Current plugin state.
+      
+
+      :param r: The rule to be inserted or removed.
+      
+
+      :param m: The openflow match structures that were generated for this rules.
+      
+
+      :returns: The modified OpenFlow match structures that will be used in place of the structures passed in m.
+
+
+   .. zeek:field:: flow_mod_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`, m: :zeek:type:`OpenFlow::ofp_flow_mod`) : :zeek:type:`OpenFlow::ofp_flow_mod` :zeek:attr:`&optional`
+
+      This predicate is called before a FlowMod message is sent to the OpenFlow
+      device. It can modify the FlowMod message before it is passed on.
+      
+
+      :param p: Current plugin state.
+      
+
+      :param r: The rule to be inserted or removed.
+      
+
+      :param m: The OpenFlow FlowMod message.
+      
+
+      :returns: The modified FlowMod message that is used in lieu of m.
+
+
+   This record specifies the configuration that is passed to :zeek:see:`NetControl::create_openflow`.
+
+.. zeek:type:: NetControl::OfTable
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 60 67
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: p :zeek:type:`NetControl::PluginState`
+
+
+   .. zeek:field:: r :zeek:type:`NetControl::Rule`
+
+
+   .. zeek:field:: c :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: packet_count :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: byte_count :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: duration_sec :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+
+
+
+Functions
+#########
+.. zeek:id:: NetControl::create_openflow
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 448 453
+
+   :Type: :zeek:type:`function` (controller: :zeek:type:`OpenFlow::Controller`, config: :zeek:type:`NetControl::OfConfig` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`) : :zeek:type:`NetControl::PluginState`
+
+   Instantiates an openflow plugin for the NetControl framework.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek.rst b/doc/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek.rst
new file mode 100644
index 0000000000..fc7ef92cec
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek.rst
@@ -0,0 +1,35 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/plugins/packetfilter.zeek
+====================================================
+.. zeek:namespace:: NetControl
+
+NetControl plugin for the process-level PacketFilter that comes with
+Zeek. Since the PacketFilter in Zeek is quite limited in scope
+and can only add/remove filters for addresses, this is quite
+limited in scope at the moment.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================= =====================================
+:zeek:id:`NetControl::create_packetfilter`: :zeek:type:`function` Instantiates the packetfilter plugin.
+================================================================= =====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: NetControl::create_packetfilter
+   :source-code: base/frameworks/netcontrol/plugins/packetfilter.zeek 107 112
+
+   :Type: :zeek:type:`function` () : :zeek:type:`NetControl::PluginState`
+
+   Instantiates the packetfilter plugin.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/shunt.zeek.rst b/doc/scripts/base/frameworks/netcontrol/shunt.zeek.rst
new file mode 100644
index 0000000000..21f665e363
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/shunt.zeek.rst
@@ -0,0 +1,123 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/shunt.zeek
+=====================================
+.. zeek:namespace:: NetControl
+
+Implementation of the shunt functionality for NetControl.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+======================================================= =
+:zeek:type:`NetControl::ShuntInfo`: :zeek:type:`record` 
+======================================================= =
+
+Redefinitions
+#############
+======================================= ================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`NetControl::SHUNT`
+======================================= ================================
+
+Events
+######
+=============================================================== ==========================================================================
+:zeek:id:`NetControl::log_netcontrol_shunt`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
+                                                                record as it is sent on to the logging framework.
+=============================================================== ==========================================================================
+
+Hooks
+#####
+===================================================================== =
+:zeek:id:`NetControl::log_policy_shunt`: :zeek:type:`Log::PolicyHook` 
+===================================================================== =
+
+Functions
+#########
+======================================================== ==========================================================
+:zeek:id:`NetControl::shunt_flow`: :zeek:type:`function` Stops forwarding a uni-directional flow's packets to Zeek.
+======================================================== ==========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: NetControl::ShuntInfo
+   :source-code: base/frameworks/netcontrol/shunt.zeek 23 34
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time at which the recorded activity occurred.
+
+
+   .. zeek:field:: rule_id :zeek:type:`string` :zeek:attr:`&log`
+
+      ID of the rule; unique during each Zeek run.
+
+
+   .. zeek:field:: f :zeek:type:`flow_id` :zeek:attr:`&log`
+
+      Flow ID of the shunted flow.
+
+
+   .. zeek:field:: expire :zeek:type:`interval` :zeek:attr:`&log`
+
+      Expiry time of the shunt.
+
+
+   .. zeek:field:: location :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Location where the underlying action was triggered.
+
+
+
+Events
+######
+.. zeek:id:: NetControl::log_netcontrol_shunt
+   :source-code: base/frameworks/netcontrol/shunt.zeek 38 38
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`NetControl::ShuntInfo`)
+
+   Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: NetControl::log_policy_shunt
+   :source-code: base/frameworks/netcontrol/shunt.zeek 10 10
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+Functions
+#########
+.. zeek:id:: NetControl::shunt_flow
+   :source-code: base/frameworks/netcontrol/shunt.zeek 46 70
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`flow_id`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
+
+   Stops forwarding a uni-directional flow's packets to Zeek.
+   
+
+   :param f: The flow to shunt.
+   
+
+   :param t: How long to leave the shunt in place, with 0 being indefinitely.
+   
+
+   :param location: An optional string describing where the shunt was triggered.
+   
+
+   :returns: The id of the inserted rule on success and zero on failure.
+
+
diff --git a/doc/scripts/base/frameworks/netcontrol/types.zeek.rst b/doc/scripts/base/frameworks/netcontrol/types.zeek.rst
new file mode 100644
index 0000000000..ec57ed9b37
--- /dev/null
+++ b/doc/scripts/base/frameworks/netcontrol/types.zeek.rst
@@ -0,0 +1,380 @@
+:tocdepth: 3
+
+base/frameworks/netcontrol/types.zeek
+=====================================
+.. zeek:namespace:: NetControl
+
+This file defines the types that are used by the NetControl framework.
+
+The most important type defined in this file is :zeek:see:`NetControl::Rule`,
+which is used to describe all rules that can be expressed by the NetControl framework.
+
+:Namespace: NetControl
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================= ======================================================
+:zeek:id:`NetControl::default_priority`: :zeek:type:`int` :zeek:attr:`&redef` The default priority that is used when creating rules.
+============================================================================= ======================================================
+
+Redefinable Options
+###################
+=============================================================================== =====================================================================================
+:zeek:id:`NetControl::whitelist_priority`: :zeek:type:`int` :zeek:attr:`&redef` The default priority that is used when using the high-level functions to
+                                                                                push whitelist entries to the backends (:zeek:see:`NetControl::whitelist_address` and
+                                                                                :zeek:see:`NetControl::whitelist_subnet`).
+=============================================================================== =====================================================================================
+
+Types
+#####
+====================================================== ======================================================================================================
+:zeek:type:`NetControl::Entity`: :zeek:type:`record`   Type defining the entity a rule is operating on.
+:zeek:type:`NetControl::EntityType`: :zeek:type:`enum` Type defining the entity that a rule applies to.
+:zeek:type:`NetControl::Flow`: :zeek:type:`record`     Flow is used in :zeek:type:`NetControl::Entity` together with :zeek:enum:`NetControl::FLOW` to specify
+                                                       a uni-directional flow that a rule applies to.
+:zeek:type:`NetControl::FlowInfo`: :zeek:type:`record` Information of a flow that can be provided by switches when the flow times out.
+:zeek:type:`NetControl::FlowMod`: :zeek:type:`record`  Type for defining a flow modification action.
+:zeek:type:`NetControl::Rule`: :zeek:type:`record`     A rule for the framework to put in place.
+:zeek:type:`NetControl::RuleType`: :zeek:type:`enum`   Type of rules that the framework supports.
+:zeek:type:`NetControl::TargetType`: :zeek:type:`enum` Type defining the target of a rule.
+====================================================== ======================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: NetControl::default_priority
+   :source-code: base/frameworks/netcontrol/types.zeek 10 10
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   The default priority that is used when creating rules.
+
+Redefinable Options
+###################
+.. zeek:id:: NetControl::whitelist_priority
+   :source-code: base/frameworks/netcontrol/types.zeek 18 18
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5``
+
+   The default priority that is used when using the high-level functions to
+   push whitelist entries to the backends (:zeek:see:`NetControl::whitelist_address` and
+   :zeek:see:`NetControl::whitelist_subnet`).
+   
+   Note that this priority is not automatically used when manually creating rules
+   that have a :zeek:see:`NetControl::RuleType` of :zeek:enum:`NetControl::WHITELIST`.
+
+Types
+#####
+.. zeek:type:: NetControl::Entity
+   :source-code: base/frameworks/netcontrol/types.zeek 42 48
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ty :zeek:type:`NetControl::EntityType`
+
+      Type of entity.
+
+
+   .. zeek:field:: conn :zeek:type:`conn_id` :zeek:attr:`&optional`
+
+      Used with :zeek:enum:`NetControl::CONNECTION`.
+
+
+   .. zeek:field:: flow :zeek:type:`NetControl::Flow` :zeek:attr:`&optional`
+
+      Used with :zeek:enum:`NetControl::FLOW`.
+
+
+   .. zeek:field:: ip :zeek:type:`subnet` :zeek:attr:`&optional`
+
+      Used with :zeek:enum:`NetControl::ADDRESS` to specify a CIDR subnet.
+
+
+   .. zeek:field:: mac :zeek:type:`string` :zeek:attr:`&optional`
+
+      Used with :zeek:enum:`NetControl::MAC`.
+
+
+   Type defining the entity a rule is operating on.
+
+.. zeek:type:: NetControl::EntityType
+   :source-code: base/frameworks/netcontrol/types.zeek 21 27
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NetControl::ADDRESS NetControl::EntityType
+
+         Activity involving a specific IP address.
+
+      .. zeek:enum:: NetControl::CONNECTION NetControl::EntityType
+
+         Activity involving all of a bi-directional connection's activity.
+
+      .. zeek:enum:: NetControl::FLOW NetControl::EntityType
+
+         Activity involving a uni-directional flow's activity. Can contain wildcards.
+
+      .. zeek:enum:: NetControl::MAC NetControl::EntityType
+
+         Activity involving a MAC address.
+
+   Type defining the entity that a rule applies to.
+
+.. zeek:type:: NetControl::Flow
+   :source-code: base/frameworks/netcontrol/types.zeek 32 39
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: src_h :zeek:type:`subnet` :zeek:attr:`&optional`
+
+      The source IP address/subnet.
+
+
+   .. zeek:field:: src_p :zeek:type:`port` :zeek:attr:`&optional`
+
+      The source port number.
+
+
+   .. zeek:field:: dst_h :zeek:type:`subnet` :zeek:attr:`&optional`
+
+      The destination IP address/subnet.
+
+
+   .. zeek:field:: dst_p :zeek:type:`port` :zeek:attr:`&optional`
+
+      The destination port number.
+
+
+   .. zeek:field:: src_m :zeek:type:`string` :zeek:attr:`&optional`
+
+      The source MAC address.
+
+
+   .. zeek:field:: dst_m :zeek:type:`string` :zeek:attr:`&optional`
+
+      The destination MAC address.
+
+
+   Flow is used in :zeek:type:`NetControl::Entity` together with :zeek:enum:`NetControl::FLOW` to specify
+   a uni-directional flow that a rule applies to.
+   
+   If optional fields are not set, they are interpreted as wildcarded.
+
+.. zeek:type:: NetControl::FlowInfo
+   :source-code: base/frameworks/netcontrol/types.zeek 122 126
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: duration :zeek:type:`interval` :zeek:attr:`&optional`
+
+      Total duration of the rule.
+
+
+   .. zeek:field:: packet_count :zeek:type:`count` :zeek:attr:`&optional`
+
+      Number of packets exchanged over connections matched by the rule.
+
+
+   .. zeek:field:: byte_count :zeek:type:`count` :zeek:attr:`&optional`
+
+      Total bytes exchanged over connections matched by the rule.
+
+
+   Information of a flow that can be provided by switches when the flow times out.
+   Currently this is heavily influenced by the data that OpenFlow returns by default.
+   That being said - their design makes sense and this is probably the data one
+   can expect to be available.
+
+.. zeek:type:: NetControl::FlowMod
+   :source-code: base/frameworks/netcontrol/types.zeek 90 98
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: src_h :zeek:type:`addr` :zeek:attr:`&optional`
+
+      The source IP address.
+
+
+   .. zeek:field:: src_p :zeek:type:`count` :zeek:attr:`&optional`
+
+      The source port number.
+
+
+   .. zeek:field:: dst_h :zeek:type:`addr` :zeek:attr:`&optional`
+
+      The destination IP address.
+
+
+   .. zeek:field:: dst_p :zeek:type:`count` :zeek:attr:`&optional`
+
+      The destination port number.
+
+
+   .. zeek:field:: src_m :zeek:type:`string` :zeek:attr:`&optional`
+
+      The source MAC address.
+
+
+   .. zeek:field:: dst_m :zeek:type:`string` :zeek:attr:`&optional`
+
+      The destination MAC address.
+
+
+   .. zeek:field:: redirect_port :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   Type for defining a flow modification action.
+
+.. zeek:type:: NetControl::Rule
+   :source-code: base/frameworks/netcontrol/types.zeek 103 116
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ty :zeek:type:`NetControl::RuleType`
+
+      Type of rule.
+
+
+   .. zeek:field:: target :zeek:type:`NetControl::TargetType`
+
+      Where to apply rule.
+
+
+   .. zeek:field:: entity :zeek:type:`NetControl::Entity`
+
+      Entity to apply rule to.
+
+
+   .. zeek:field:: expire :zeek:type:`interval` :zeek:attr:`&optional`
+
+      Timeout after which to expire the rule.
+
+
+   .. zeek:field:: priority :zeek:type:`int` :zeek:attr:`&default` = :zeek:see:`NetControl::default_priority` :zeek:attr:`&optional`
+
+      Priority if multiple rules match an entity (larger value is higher priority).
+
+
+   .. zeek:field:: location :zeek:type:`string` :zeek:attr:`&optional`
+
+      Optional string describing where/what installed the rule.
+
+
+   .. zeek:field:: out_port :zeek:type:`count` :zeek:attr:`&optional`
+
+      Argument for :zeek:enum:`NetControl::REDIRECT` rules.
+
+
+   .. zeek:field:: mod :zeek:type:`NetControl::FlowMod` :zeek:attr:`&optional`
+
+      Argument for :zeek:enum:`NetControl::MODIFY` rules.
+
+
+   .. zeek:field:: id :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Internally determined unique ID for this rule. Will be set when added.
+
+
+   .. zeek:field:: cid :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Internally determined unique numeric ID for this rule. Set when added.
+
+
+   .. zeek:field:: _plugin_ids :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
+
+      Internally set to the plugins handling the rule.
+
+
+   .. zeek:field:: _active_plugin_ids :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
+
+      Internally set to the plugins on which the rule is currently active.
+
+
+   .. zeek:field:: _no_expire_plugins :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
+
+      Internally set to plugins where the rule should not be removed upon timeout.
+
+
+   .. zeek:field:: _added :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
+
+      Track if the rule was added successfully by all responsible plugins.
+
+
+   A rule for the framework to put in place. Of all rules currently in
+   place, the first match will be taken, sorted by priority. All
+   further rules will be ignored.
+
+.. zeek:type:: NetControl::RuleType
+   :source-code: base/frameworks/netcontrol/types.zeek 65 88
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NetControl::DROP NetControl::RuleType
+
+         Stop forwarding all packets matching the entity.
+         
+         No additional arguments.
+
+      .. zeek:enum:: NetControl::MODIFY NetControl::RuleType
+
+         Modify all packets matching entity. The packets
+         will be modified according to the `mod` entry of
+         the rule.
+         
+
+      .. zeek:enum:: NetControl::REDIRECT NetControl::RuleType
+
+         Redirect all packets matching entity to a different switch port,
+         given in the `out_port` argument of the rule.
+         
+
+      .. zeek:enum:: NetControl::WHITELIST NetControl::RuleType
+
+         Whitelists all packets of an entity, meaning no restrictions will be applied.
+         While whitelisting is the default if no rule matches, this type can be
+         used to override lower-priority rules that would otherwise take effect for the
+         entity.
+
+   Type of rules that the framework supports. Each type lists the extra
+   :zeek:type:`NetControl::Rule` fields it uses, if any.
+   
+   Plugins may extend this type to define their own.
+
+.. zeek:type:: NetControl::TargetType
+   :source-code: base/frameworks/netcontrol/types.zeek 56 60
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NetControl::FORWARD NetControl::TargetType
+
+      .. zeek:enum:: NetControl::MONITOR NetControl::TargetType
+
+   Type defining the target of a rule.
+   
+   Rules can either be applied to the forward path, affecting all network traffic, or
+   on the monitor path, only affecting the traffic that is sent to Zeek. The second
+   is mostly used for shunting, which allows Zeek to tell the networking hardware that
+   it wants to no longer see traffic that it identified as benign.
+
+
diff --git a/doc/scripts/base/frameworks/notice/__load__.zeek.rst b/doc/scripts/base/frameworks/notice/__load__.zeek.rst
new file mode 100644
index 0000000000..eec2028152
--- /dev/null
+++ b/doc/scripts/base/frameworks/notice/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/notice/__load__.zeek
+====================================
+
+
+:Imports: :doc:`base/frameworks/notice/actions/add-geodata.zeek </scripts/base/frameworks/notice/actions/add-geodata.zeek>`, :doc:`base/frameworks/notice/actions/email_admin.zeek </scripts/base/frameworks/notice/actions/email_admin.zeek>`, :doc:`base/frameworks/notice/actions/page.zeek </scripts/base/frameworks/notice/actions/page.zeek>`, :doc:`base/frameworks/notice/actions/pp-alarms.zeek </scripts/base/frameworks/notice/actions/pp-alarms.zeek>`, :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`, :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/notice/actions/add-geodata.zeek.rst b/doc/scripts/base/frameworks/notice/actions/add-geodata.zeek.rst
new file mode 100644
index 0000000000..3c97a57413
--- /dev/null
+++ b/doc/scripts/base/frameworks/notice/actions/add-geodata.zeek.rst
@@ -0,0 +1,56 @@
+:tocdepth: 3
+
+base/frameworks/notice/actions/add-geodata.zeek
+===============================================
+.. zeek:namespace:: Notice
+
+This script adds geographic location data to notices for the "remote"
+host in a connection.  It does make the assumption that one of the
+addresses in a connection is "local" and one is "remote" which is
+probably a safe assumption to make in most cases.  If both addresses
+are remote, it will use the $src address.
+
+:Namespace: Notice
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`, :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================== ===============================================================
+:zeek:id:`Notice::lookup_location_types`: :zeek:type:`set` :zeek:attr:`&redef` Notice types which should have the "remote" location looked up.
+============================================================================== ===============================================================
+
+Redefinitions
+#############
+============================================== =====================================================================================
+:zeek:type:`Notice::Action`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`Notice::ACTION_ADD_GEODATA`:
+                                                 Indicates that the notice should have geodata added for the
+                                                 "remote" host.
+:zeek:type:`Notice::Info`: :zeek:type:`record` 
+                                               
+                                               :New Fields: :zeek:type:`Notice::Info`
+                                               
+                                                 remote_location: :zeek:type:`geo_location` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                   If GeoIP support is built in, notices can have geographic
+                                                   information attached to them.
+============================================== =====================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Notice::lookup_location_types
+   :source-code: base/frameworks/notice/actions/add-geodata.zeek 29 29
+
+   :Type: :zeek:type:`set` [:zeek:type:`Notice::Type`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Notice types which should have the "remote" location looked up.
+   If GeoIP support is not built in, this does nothing.
+
+
diff --git a/doc/scripts/base/frameworks/notice/actions/email_admin.zeek.rst b/doc/scripts/base/frameworks/notice/actions/email_admin.zeek.rst
new file mode 100644
index 0000000000..f5c2d6ae4f
--- /dev/null
+++ b/doc/scripts/base/frameworks/notice/actions/email_admin.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/frameworks/notice/actions/email_admin.zeek
+===============================================
+.. zeek:namespace:: Notice
+
+Adds a new notice action type which can be used to email notices
+to the administrators of a particular address space as set by
+:zeek:id:`Site::local_admins` if the notice contains a source
+or destination address that lies within their space.
+
+:Namespace: Notice
+:Imports: :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`, :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== ==============================================================
+:zeek:type:`Notice::Action`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`Notice::ACTION_EMAIL_ADMIN`:
+                                                 Indicate that the generated email should be addressed to the
+                                                 appropriate email addresses as found by the
+                                                 :zeek:id:`Site::get_emails` function based on the relevant
+                                                 address or addresses indicated in the notice.
+============================================== ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/notice/actions/page.zeek.rst b/doc/scripts/base/frameworks/notice/actions/page.zeek.rst
new file mode 100644
index 0000000000..41de24fa06
--- /dev/null
+++ b/doc/scripts/base/frameworks/notice/actions/page.zeek.rst
@@ -0,0 +1,47 @@
+:tocdepth: 3
+
+base/frameworks/notice/actions/page.zeek
+========================================
+.. zeek:namespace:: Notice
+
+Allows configuration of a pager email address to which notices can be sent.
+
+:Namespace: Notice
+:Imports: :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+========================================================================== =======================================================================
+:zeek:id:`Notice::mail_page_dest`: :zeek:type:`string` :zeek:attr:`&redef` Email address to send notices with the :zeek:enum:`Notice::ACTION_PAGE`
+                                                                           action.
+========================================================================== =======================================================================
+
+Redefinitions
+#############
+============================================== =============================================================
+:zeek:type:`Notice::Action`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`Notice::ACTION_PAGE`:
+                                                 Indicates that the notice should be sent to the pager email
+                                                 address configured in the :zeek:id:`Notice::mail_page_dest`
+                                                 variable.
+============================================== =============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Notice::mail_page_dest
+   :source-code: base/frameworks/notice/actions/page.zeek 17 17
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Email address to send notices with the :zeek:enum:`Notice::ACTION_PAGE`
+   action.
+
+
diff --git a/doc/scripts/base/frameworks/notice/actions/pp-alarms.zeek.rst b/doc/scripts/base/frameworks/notice/actions/pp-alarms.zeek.rst
new file mode 100644
index 0000000000..a768afe157
--- /dev/null
+++ b/doc/scripts/base/frameworks/notice/actions/pp-alarms.zeek.rst
@@ -0,0 +1,97 @@
+:tocdepth: 3
+
+base/frameworks/notice/actions/pp-alarms.zeek
+=============================================
+.. zeek:namespace:: Notice
+
+Notice extension that mails out a pretty-printed version of notice_alarm.log
+in regular intervals, formatted for better human readability. If activated,
+that replaces the default summary mail having the raw log output.
+
+:Namespace: Notice
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+==================================================================================== ==============================================
+:zeek:id:`Notice::mail_dest_pretty_printed`: :zeek:type:`string` :zeek:attr:`&redef` Address to send the pretty-printed reports to.
+:zeek:id:`Notice::pretty_print_alarms`: :zeek:type:`bool` :zeek:attr:`&redef`        Activate pretty-printed alarm summaries.
+==================================================================================== ==============================================
+
+State Variables
+###############
+=============================================================================== ==================================================================
+:zeek:id:`Notice::flag_nets`: :zeek:type:`set` :zeek:attr:`&redef`              If an address from one of these networks is reported, we mark
+                                                                                the entry with an additional quote symbol (i.e., ">").
+:zeek:id:`Notice::force_email_summaries`: :zeek:type:`bool` :zeek:attr:`&redef` Force generating mail file, even if reading from traces or no mail
+                                                                                destination is defined.
+=============================================================================== ==================================================================
+
+Functions
+#########
+================================================================================ =====================================
+:zeek:id:`Notice::pretty_print_alarm`: :zeek:type:`function` :zeek:attr:`&redef` Function that renders a single alarm.
+================================================================================ =====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Notice::mail_dest_pretty_printed
+   :source-code: base/frameworks/notice/actions/pp-alarms.zeek 18 18
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Address to send the pretty-printed reports to. Default if not set is
+   :zeek:id:`Notice::mail_dest`.
+   
+   Note that this is overridden by the ZeekControl MailAlarmsTo option.
+
+.. zeek:id:: Notice::pretty_print_alarms
+   :source-code: base/frameworks/notice/actions/pp-alarms.zeek 12 12
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Activate pretty-printed alarm summaries.
+
+State Variables
+###############
+.. zeek:id:: Notice::flag_nets
+   :source-code: base/frameworks/notice/actions/pp-alarms.zeek 22 22
+
+   :Type: :zeek:type:`set` [:zeek:type:`subnet`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   If an address from one of these networks is reported, we mark
+   the entry with an additional quote symbol (i.e., ">"). Many MUAs
+   then highlight such lines differently.
+
+.. zeek:id:: Notice::force_email_summaries
+   :source-code: base/frameworks/notice/actions/pp-alarms.zeek 29 29
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Force generating mail file, even if reading from traces or no mail
+   destination is defined. This is mainly for testing.
+
+Functions
+#########
+.. zeek:id:: Notice::pretty_print_alarm
+   :source-code: base/frameworks/notice/actions/pp-alarms.zeek 152 254
+
+   :Type: :zeek:type:`function` (out: :zeek:type:`file`, n: :zeek:type:`Notice::Info`) : :zeek:type:`void`
+   :Attributes: :zeek:attr:`&redef`
+
+   Function that renders a single alarm. Can be overridden.
+
+
diff --git a/doc/scripts/base/frameworks/notice/index.rst b/doc/scripts/base/frameworks/notice/index.rst
new file mode 100644
index 0000000000..5031ca3eb1
--- /dev/null
+++ b/doc/scripts/base/frameworks/notice/index.rst
@@ -0,0 +1,57 @@
+:orphan:
+
+Package: base/frameworks/notice
+===============================
+
+The notice framework enables Zeek to "notice" things which are odd or
+potentially bad, leaving it to the local configuration to define which
+of them are actionable.  This decoupling of detection and reporting allows
+Zeek to be customized to the different needs that sites have.
+
+:doc:`/scripts/base/frameworks/notice/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/notice/main.zeek`
+
+   This is the notice framework which enables Zeek to "notice" things which
+   are odd or potentially bad.  Decisions of the meaning of various notices
+   need to be done per site because Zeek does not ship with assumptions about
+   what is bad activity for sites.  More extensive documentation about using
+   the notice framework can be found in :doc:`/frameworks/notice`.
+
+:doc:`/scripts/base/frameworks/notice/weird.zeek`
+
+   This script provides a default set of actions to take for "weird activity"
+   events generated from Zeek's event engine.  Weird activity is defined as
+   unusual or exceptional activity that can indicate malformed connections,
+   traffic that doesn't conform to a particular protocol, malfunctioning
+   or misconfigured hardware, or even an attacker attempting to avoid/confuse
+   a sensor.  Without context, it's hard to judge whether a particular
+   category of weird activity is interesting, but this script provides
+   a starting point for the user.
+
+:doc:`/scripts/base/frameworks/notice/actions/email_admin.zeek`
+
+   Adds a new notice action type which can be used to email notices
+   to the administrators of a particular address space as set by
+   :zeek:id:`Site::local_admins` if the notice contains a source
+   or destination address that lies within their space.
+
+:doc:`/scripts/base/frameworks/notice/actions/page.zeek`
+
+   Allows configuration of a pager email address to which notices can be sent.
+
+:doc:`/scripts/base/frameworks/notice/actions/add-geodata.zeek`
+
+   This script adds geographic location data to notices for the "remote"
+   host in a connection.  It does make the assumption that one of the
+   addresses in a connection is "local" and one is "remote" which is
+   probably a safe assumption to make in most cases.  If both addresses
+   are remote, it will use the $src address.
+
+:doc:`/scripts/base/frameworks/notice/actions/pp-alarms.zeek`
+
+   Notice extension that mails out a pretty-printed version of notice_alarm.log
+   in regular intervals, formatted for better human readability. If activated,
+   that replaces the default summary mail having the raw log output.
+
diff --git a/doc/scripts/base/frameworks/notice/main.zeek.rst b/doc/scripts/base/frameworks/notice/main.zeek.rst
new file mode 100644
index 0000000000..34fc711bc4
--- /dev/null
+++ b/doc/scripts/base/frameworks/notice/main.zeek.rst
@@ -0,0 +1,1156 @@
+:tocdepth: 3
+
+base/frameworks/notice/main.zeek
+================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: Notice
+
+This is the notice framework which enables Zeek to "notice" things which
+are odd or potentially bad.  Decisions of the meaning of various notices
+need to be done per site because Zeek does not ship with assumptions about
+what is bad activity for sites.  More extensive documentation about using
+the notice framework can be found in :doc:`/frameworks/notice`.
+
+:Namespaces: GLOBAL, Notice
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+========================================================================================== ======================================================================
+:zeek:id:`Notice::alarmed_types`: :zeek:type:`set` :zeek:attr:`&redef`                     Alarmed notice types.
+:zeek:id:`Notice::default_suppression_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The notice framework is able to do automatic notice suppression by
+                                                                                           utilizing the *identifier* field in :zeek:type:`Notice::Info` records.
+:zeek:id:`Notice::emailed_types`: :zeek:type:`set` :zeek:attr:`&redef`                     Emailed notice types.
+:zeek:id:`Notice::ignored_types`: :zeek:type:`set` :zeek:attr:`&redef`                     Ignored notice types.
+:zeek:id:`Notice::mail_from`: :zeek:type:`string` :zeek:attr:`&redef`                      Address that emails will be from.
+:zeek:id:`Notice::mail_subject_prefix`: :zeek:type:`string` :zeek:attr:`&redef`            Text string prefixed to the subject of all emails sent out.
+:zeek:id:`Notice::not_suppressed_types`: :zeek:type:`set` :zeek:attr:`&redef`              Types that should be suppressed for the default suppression interval.
+:zeek:id:`Notice::reply_to`: :zeek:type:`string` :zeek:attr:`&redef`                       Reply-to address used in outbound email.
+:zeek:id:`Notice::sendmail`: :zeek:type:`string` :zeek:attr:`&redef`                       Local system sendmail program.
+========================================================================================== ======================================================================
+
+Redefinable Options
+###################
+===================================================================================== ====================================================================
+:zeek:id:`Notice::mail_dest`: :zeek:type:`string` :zeek:attr:`&redef`                 The default email address to send notices with the
+                                                                                      :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
+                                                                                      on rotation with :zeek:enum:`Notice::ACTION_ALARM`.
+:zeek:id:`Notice::max_email_delay`: :zeek:type:`interval` :zeek:attr:`&redef`         The maximum amount of time a plugin can delay email from being sent.
+:zeek:id:`Notice::type_suppression_intervals`: :zeek:type:`table` :zeek:attr:`&redef` This table can be used as a shorthand way to modify suppression
+                                                                                      intervals for entire notice types.
+===================================================================================== ====================================================================
+
+Types
+#####
+================================================== =====================================================================
+:zeek:type:`Notice::Action`: :zeek:type:`enum`     These are values representing actions that can be taken with notices.
+:zeek:type:`Notice::ActionSet`: :zeek:type:`set`   Type that represents a set of actions.
+:zeek:type:`Notice::FileInfo`: :zeek:type:`record` Contains a portion of :zeek:see:`fa_file` that's also contained in
+                                                   :zeek:see:`Notice::Info`.
+:zeek:type:`Notice::Info`: :zeek:type:`record`     The record type that is used for representing and logging notices.
+:zeek:type:`Notice::Type`: :zeek:type:`enum`       Scripts creating new notices need to redef this enum to add their
+                                                   own specific notice types which would then get used when they call
+                                                   the :zeek:id:`NOTICE` function.
+================================================== =====================================================================
+
+Redefinitions
+#############
+======================================= =================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`Notice::ALARM_LOG`:
+                                          This is the alarm stream.
+                                        
+                                        * :zeek:enum:`Notice::LOG`:
+                                          This is the primary logging stream for notices.
+======================================= =================================================
+
+Events
+######
+======================================================== =================================================================
+:zeek:id:`Notice::begin_suppression`: :zeek:type:`event` This event is generated when a notice begins to be suppressed.
+:zeek:id:`Notice::log_notice`: :zeek:type:`event`        This event can be handled to access the :zeek:type:`Notice::Info`
+                                                         record as it is sent on to the logging framework.
+:zeek:id:`Notice::suppressed`: :zeek:type:`event`        This event is generated on each occurrence of an event being
+                                                         suppressed.
+======================================================== =================================================================
+
+Hooks
+#####
+================================================================= ==========================================================
+:zeek:id:`Notice::log_policy`: :zeek:type:`Log::PolicyHook`       Default logging policy hooks for the streams.
+:zeek:id:`Notice::log_policy_alarm`: :zeek:type:`Log::PolicyHook` 
+:zeek:id:`Notice::notice`: :zeek:type:`hook`                      This is the event that is called as the entry point to the
+                                                                  notice framework by the global :zeek:id:`NOTICE` function.
+:zeek:id:`Notice::policy`: :zeek:type:`hook`                      The hook to modify notice handling.
+================================================================= ==========================================================
+
+Functions
+#########
+=================================================================== ==========================================================================
+:zeek:id:`NOTICE`: :zeek:type:`function`                            
+:zeek:id:`Notice::apply_policy`: :zeek:type:`function`              This is an internal function to populate policy records.
+:zeek:id:`Notice::create_file_info`: :zeek:type:`function`          Creates a record containing a subset of a full :zeek:see:`fa_file` record.
+:zeek:id:`Notice::email_headers`: :zeek:type:`function`             Constructs mail headers to which an email body can be appended for
+                                                                    sending with sendmail.
+:zeek:id:`Notice::email_notice_to`: :zeek:type:`function`           Call this function to send a notice in an email.
+:zeek:id:`Notice::is_being_suppressed`: :zeek:type:`function`       A function to determine if an event is supposed to be suppressed.
+:zeek:id:`Notice::log_mailing_postprocessor`: :zeek:type:`function` A log postprocessing function that implements emailing the contents
+                                                                    of a log upon rotation to any configured :zeek:id:`Notice::mail_dest`.
+:zeek:id:`Notice::populate_file_info`: :zeek:type:`function`        Populates file-related fields in a notice info record.
+:zeek:id:`Notice::populate_file_info2`: :zeek:type:`function`       Populates file-related fields in a notice info record.
+=================================================================== ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Notice::alarmed_types
+   :source-code: base/frameworks/notice/main.zeek 187 187
+
+   :Type: :zeek:type:`set` [:zeek:type:`Notice::Type`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Alarmed notice types.
+
+.. zeek:id:: Notice::default_suppression_interval
+   :source-code: base/frameworks/notice/main.zeek 64 64
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 hr``
+
+   The notice framework is able to do automatic notice suppression by
+   utilizing the *identifier* field in :zeek:type:`Notice::Info` records.
+   Set this to "0secs" to completely disable automated notice
+   suppression.
+
+.. zeek:id:: Notice::emailed_types
+   :source-code: base/frameworks/notice/main.zeek 185 185
+
+   :Type: :zeek:type:`set` [:zeek:type:`Notice::Type`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Emailed notice types.
+
+.. zeek:id:: Notice::ignored_types
+   :source-code: base/frameworks/notice/main.zeek 183 183
+
+   :Type: :zeek:type:`set` [:zeek:type:`Notice::Type`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Ignored notice types.
+
+.. zeek:id:: Notice::mail_from
+   :source-code: base/frameworks/notice/main.zeek 212 212
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"Zeek <zeek@localhost>"``
+
+   Address that emails will be from.
+   
+   Note that this is overridden by the ZeekControl MailFrom option.
+
+.. zeek:id:: Notice::mail_subject_prefix
+   :source-code: base/frameworks/notice/main.zeek 219 219
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"[Zeek]"``
+
+   Text string prefixed to the subject of all emails sent out.
+   
+   Note that this is overridden by the ZeekControl MailSubjectPrefix
+   option.
+
+.. zeek:id:: Notice::not_suppressed_types
+   :source-code: base/frameworks/notice/main.zeek 189 189
+
+   :Type: :zeek:type:`set` [:zeek:type:`Notice::Type`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Types that should be suppressed for the default suppression interval.
+
+.. zeek:id:: Notice::reply_to
+   :source-code: base/frameworks/notice/main.zeek 214 214
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Reply-to address used in outbound email.
+
+.. zeek:id:: Notice::sendmail
+   :source-code: base/frameworks/notice/main.zeek 200 200
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"/usr/sbin/sendmail"``
+
+   Local system sendmail program.
+   
+   Note that this is overridden by the ZeekControl SendMail option.
+
+Redefinable Options
+###################
+.. zeek:id:: Notice::mail_dest
+   :source-code: base/frameworks/notice/main.zeek 207 207
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The default email address to send notices with the
+   :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
+   on rotation with :zeek:enum:`Notice::ACTION_ALARM`.
+   
+   Note that this is overridden by the ZeekControl MailTo option or by
+   the ``email_dest`` field in the :zeek:see:`Notice::Info` record.
+
+.. zeek:id:: Notice::max_email_delay
+   :source-code: base/frameworks/notice/main.zeek 221 221
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 secs``
+
+   The maximum amount of time a plugin can delay email from being sent.
+
+.. zeek:id:: Notice::type_suppression_intervals
+   :source-code: base/frameworks/notice/main.zeek 192 192
+
+   :Type: :zeek:type:`table` [:zeek:type:`Notice::Type`] of :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   This table can be used as a shorthand way to modify suppression
+   intervals for entire notice types.
+
+Types
+#####
+.. zeek:type:: Notice::Action
+   :source-code: base/frameworks/notice/main.zeek 37 56
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Notice::ACTION_NONE Notice::Action
+
+         Indicates that there is no action to be taken.
+
+      .. zeek:enum:: Notice::ACTION_LOG Notice::Action
+
+         Indicates that the notice should be sent to the notice
+         logging stream.
+
+      .. zeek:enum:: Notice::ACTION_EMAIL Notice::Action
+
+         Indicates that the notice should be sent to the email
+         address(es) configured in the :zeek:id:`Notice::mail_dest`
+         variable.
+
+      .. zeek:enum:: Notice::ACTION_ALARM Notice::Action
+
+         Indicates that the notice should be alarmed.  A readable
+         ASCII version is saved in notice_alarm log, and emailed
+         in bulk to the address(es) configured in :zeek:id:`Notice::mail_dest`.
+
+      .. zeek:enum:: Notice::ACTION_DROP Notice::Action
+
+         Indicates that the notice should result in a drop action.
+         The exact action taken depends on loaded policy scripts;
+         see e.g. :zeek:see:`NetControl::acld_rule_policy`.
+
+      .. zeek:enum:: Notice::ACTION_EMAIL_ADMIN Notice::Action
+
+         (present if :doc:`/scripts/base/frameworks/notice/actions/email_admin.zeek` is loaded)
+
+
+         Indicate that the generated email should be addressed to the
+         appropriate email addresses as found by the
+         :zeek:id:`Site::get_emails` function based on the relevant
+         address or addresses indicated in the notice.
+
+      .. zeek:enum:: Notice::ACTION_PAGE Notice::Action
+
+         (present if :doc:`/scripts/base/frameworks/notice/actions/page.zeek` is loaded)
+
+
+         Indicates that the notice should be sent to the pager email
+         address configured in the :zeek:id:`Notice::mail_page_dest`
+         variable.
+
+      .. zeek:enum:: Notice::ACTION_ADD_GEODATA Notice::Action
+
+         (present if :doc:`/scripts/base/frameworks/notice/actions/add-geodata.zeek` is loaded)
+
+
+         Indicates that the notice should have geodata added for the
+         "remote" host.  :zeek:id:`Site::local_nets` must be defined
+         in order for this to work.
+
+   These are values representing actions that can be taken with notices.
+
+.. zeek:type:: Notice::ActionSet
+   :source-code: base/frameworks/notice/main.zeek 58 58
+
+   :Type: :zeek:type:`set` [:zeek:type:`Notice::Action`]
+
+   Type that represents a set of actions.
+
+.. zeek:type:: Notice::FileInfo
+   :source-code: base/frameworks/notice/main.zeek 225 232
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fuid :zeek:type:`string`
+
+      File UID.
+
+
+   .. zeek:field:: desc :zeek:type:`string`
+
+      File description from e.g.
+      :zeek:see:`Files::describe`.
+
+
+   .. zeek:field:: mime :zeek:type:`string` :zeek:attr:`&optional`
+
+      Strongest mime type match for file.
+
+
+   .. zeek:field:: cid :zeek:type:`conn_id` :zeek:attr:`&optional`
+
+      Connection tuple over which file is sent.
+
+
+   .. zeek:field:: cuid :zeek:type:`string` :zeek:attr:`&optional`
+
+      Connection UID over which file is sent.
+
+
+   Contains a portion of :zeek:see:`fa_file` that's also contained in
+   :zeek:see:`Notice::Info`.
+
+.. zeek:type:: Notice::Info
+   :source-code: base/frameworks/notice/main.zeek 67 180
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      An absolute time indicating when the notice occurred,
+      defaults to the current network time.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A connection UID which uniquely identifies the endpoints
+      concerned with the notice.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A connection 4-tuple identifying the endpoints concerned
+      with the notice.
+
+
+   .. zeek:field:: conn :zeek:type:`connection` :zeek:attr:`&optional`
+
+      A shorthand way of giving the uid and id to a notice.  The
+      reference to the actual connection will be deleted after
+      applying the notice policy.
+
+
+   .. zeek:field:: f :zeek:type:`fa_file` :zeek:attr:`&optional`
+
+      A file record if the notice is related to a file.  The
+      reference to the actual fa_file record will be deleted after
+      applying the notice policy.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A file unique ID if this notice is related to a file.  If
+      the *f* field is provided, this will be automatically filled
+      out.
+
+
+   .. zeek:field:: file_mime_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A mime type if the notice is related to a file.  If the *f*
+      field is provided, this will be automatically filled out.
+
+
+   .. zeek:field:: file_desc :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Frequently files can be "described" to give a bit more
+      context.  This field will typically be automatically filled
+      out from an fa_file record.  For example, if a notice was
+      related to a file over HTTP, the URL of the request would
+      be shown.
+
+
+   .. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The transport protocol. Filled automatically when either
+      *conn* or *p* is specified.
+
+
+   .. zeek:field:: note :zeek:type:`Notice::Type` :zeek:attr:`&log`
+
+      The :zeek:type:`Notice::Type` of the notice.
+
+
+   .. zeek:field:: msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The human readable message for the notice.
+
+
+   .. zeek:field:: sub :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The human readable sub-message.
+
+
+   .. zeek:field:: src :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Source address, if we don't have a :zeek:type:`conn_id`.
+
+
+   .. zeek:field:: dst :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Destination address.
+
+
+   .. zeek:field:: p :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Associated port, if we don't have a :zeek:type:`conn_id`.
+
+
+   .. zeek:field:: n :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Associated count, or perhaps a status code.
+
+
+   .. zeek:field:: peer_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name of remote peer that raised this notice.
+
+
+   .. zeek:field:: peer_descr :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Textual description for the peer that raised this notice,
+      including name, host address and port.
+
+
+   .. zeek:field:: actions :zeek:type:`Notice::ActionSet` :zeek:attr:`&log` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      The actions which have been applied to this notice.
+
+
+   .. zeek:field:: email_dest :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      The email address(es) where to send this notice
+
+
+   .. zeek:field:: email_body_sections :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      By adding chunks of text into this element, other scripts
+      can expand on notices that are being emailed.  The normal
+      way to add text is to extend the vector by handling the
+      :zeek:id:`Notice::notice` event and modifying the notice in
+      place.
+
+
+   .. zeek:field:: email_delay_tokens :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
+
+      Adding a string "token" to this set will cause the notice
+      framework's built-in emailing functionality to delay sending
+      the email until either the token has been removed or the
+      email has been delayed for :zeek:id:`Notice::max_email_delay`.
+
+
+   .. zeek:field:: identifier :zeek:type:`string` :zeek:attr:`&optional`
+
+      This field is to be provided when a notice is generated for
+      the purpose of deduplicating notices.  The identifier string
+      should be unique for a single instance of the notice.  This
+      field should be filled out in almost all cases when
+      generating notices to define when a notice is conceptually
+      a duplicate of a previous notice.
+      
+      For example, an SSL certificate that is going to expire soon
+      should always have the same identifier no matter the client
+      IP address that connected and resulted in the certificate
+      being exposed.  In this case, the resp_h, resp_p, and hash
+      of the certificate would be used to create this value.  The
+      hash of the cert is included because servers can return
+      multiple certificates on the same port.
+      
+      Another example might be a host downloading a file which
+      triggered a notice because the MD5 sum of the file it
+      downloaded was known by some set of intelligence.  In that
+      case, the orig_h (client) and MD5 sum would be used in this
+      field to dedup because if the same file is downloaded over
+      and over again you really only want to know about it a
+      single time.  This makes it possible to send those notices
+      to email without worrying so much about sending thousands
+      of emails.
+
+
+   .. zeek:field:: suppress_for :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&default` = :zeek:see:`Notice::default_suppression_interval` :zeek:attr:`&optional`
+
+      This field indicates the length of time that this
+      unique notice should be suppressed.
+
+
+   .. zeek:field:: remote_location :zeek:type:`geo_location` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/notice/actions/add-geodata.zeek` is loaded)
+
+      If GeoIP support is built in, notices can have geographic
+      information attached to them.
+
+
+   .. zeek:field:: dropped :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/notice/actions/drop.zeek` is loaded)
+
+      Indicate if the $src IP address was dropped and denied
+      network access.
+
+
+   .. zeek:field:: community_id :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/frameworks/notice/community-id.zeek` is loaded)
+
+
+   The record type that is used for representing and logging notices.
+
+.. zeek:type:: Notice::Type
+   :source-code: base/frameworks/notice/main.zeek 31 35
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Notice::Tally Notice::Type
+
+         Notice reporting a count of how often a notice occurred.
+
+      .. zeek:enum:: Weird::Activity Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/notice/weird.zeek` is loaded)
+
+
+         Generic unusual but notice-worthy weird activity.
+
+      .. zeek:enum:: Signatures::Sensitive_Signature Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/signatures/main.zeek` is loaded)
+
+
+         Generic notice type for notice-worthy signature matches.
+
+      .. zeek:enum:: Signatures::Multiple_Signatures Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/signatures/main.zeek` is loaded)
+
+
+         Host has triggered many signatures on the same host.  The
+         number of signatures is defined by the
+         :zeek:id:`Signatures::vert_scan_thresholds` variable.
+
+      .. zeek:enum:: Signatures::Multiple_Sig_Responders Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/signatures/main.zeek` is loaded)
+
+
+         Host has triggered the same signature on multiple hosts as
+         defined by the :zeek:id:`Signatures::horiz_scan_thresholds`
+         variable.
+
+      .. zeek:enum:: Signatures::Count_Signature Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/signatures/main.zeek` is loaded)
+
+
+         The same signature has triggered multiple times for a host.
+         The number of times the signature has been triggered is
+         defined by the :zeek:id:`Signatures::count_thresholds`
+         variable. To generate this notice, the
+         :zeek:enum:`Signatures::SIG_COUNT_PER_RESP` action must be
+         set for the signature.
+
+      .. zeek:enum:: Signatures::Signature_Summary Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/signatures/main.zeek` is loaded)
+
+
+         Summarize the number of times a host triggered a signature.
+         The interval between summaries is defined by the
+         :zeek:id:`Signatures::summary_interval` variable.
+
+      .. zeek:enum:: PacketFilter::Compile_Failure Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/packet-filter/main.zeek` is loaded)
+
+
+         This notice is generated if a packet filter cannot be compiled.
+
+      .. zeek:enum:: PacketFilter::Install_Failure Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/packet-filter/main.zeek` is loaded)
+
+
+         Generated if a packet filter fails to install.
+
+      .. zeek:enum:: PacketFilter::Too_Long_To_Compile_Filter Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/packet-filter/main.zeek` is loaded)
+
+
+         Generated when a notice takes too long to compile.
+
+      .. zeek:enum:: PacketFilter::Dropped_Packets Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/packet-filter/netstats.zeek` is loaded)
+
+
+         Indicates packets were dropped by the packet filter.
+
+      .. zeek:enum:: Spicy::Spicy_Max_File_Depth_Exceeded Notice::Type
+
+         (present if :doc:`/scripts/base/frameworks/spicy/main.zeek` is loaded)
+
+
+      .. zeek:enum:: ProtocolDetector::Protocol_Found Notice::Type
+
+         (present if :doc:`/scripts/policy/frameworks/analyzer/detect-protocols.zeek` is loaded)
+
+
+      .. zeek:enum:: ProtocolDetector::Server_Found Notice::Type
+
+         (present if :doc:`/scripts/policy/frameworks/analyzer/detect-protocols.zeek` is loaded)
+
+
+      .. zeek:enum:: Intel::Notice Notice::Type
+
+         (present if :doc:`/scripts/policy/frameworks/intel/do_notice.zeek` is loaded)
+
+
+         This notice is generated when an intelligence
+         indicator is denoted to be notice-worthy.
+
+      .. zeek:enum:: TeamCymruMalwareHashRegistry::Match Notice::Type
+
+         (present if :doc:`/scripts/policy/frameworks/files/detect-MHR.zeek` is loaded)
+
+
+         The hash value of a file transferred over HTTP matched in the
+         malware hash registry.
+
+      .. zeek:enum:: PacketFilter::No_More_Conn_Shunts_Available Notice::Type
+
+         (present if :doc:`/scripts/policy/frameworks/packet-filter/shunt.zeek` is loaded)
+
+
+         Indicative that :zeek:id:`PacketFilter::max_bpf_shunts`
+         connections are already being shunted with BPF filters and
+         no more are allowed.
+
+      .. zeek:enum:: PacketFilter::Cannot_BPF_Shunt_Conn Notice::Type
+
+         (present if :doc:`/scripts/policy/frameworks/packet-filter/shunt.zeek` is loaded)
+
+
+         Limitations in BPF make shunting some connections with BPF
+         impossible. This notice encompasses those various cases.
+
+      .. zeek:enum:: Software::Software_Version_Change Notice::Type
+
+         (present if :doc:`/scripts/policy/frameworks/software/version-changes.zeek` is loaded)
+
+
+         For certain software, a version changing may matter.  In that
+         case, this notice will be generated.  Software that matters
+         if the version changes can be configured with the
+         :zeek:id:`Software::interesting_version_changes` variable.
+
+      .. zeek:enum:: Software::Vulnerable_Version Notice::Type
+
+         (present if :doc:`/scripts/policy/frameworks/software/vulnerable.zeek` is loaded)
+
+
+         Indicates that a vulnerable version of software was detected.
+
+      .. zeek:enum:: CaptureLoss::Too_Much_Loss Notice::Type
+
+         (present if :doc:`/scripts/policy/misc/capture-loss.zeek` is loaded)
+
+
+         Report if the detected capture loss exceeds the percentage
+         threshold defined in :zeek:id:`CaptureLoss::too_much_loss`.
+
+      .. zeek:enum:: CaptureLoss::Too_Little_Traffic Notice::Type
+
+         (present if :doc:`/scripts/policy/misc/capture-loss.zeek` is loaded)
+
+
+         Report if the traffic seen by a peer within a given watch
+         interval is less than :zeek:id:`CaptureLoss::minimum_acks`.
+
+      .. zeek:enum:: Traceroute::Detected Notice::Type
+
+         (present if :doc:`/scripts/policy/misc/detect-traceroute/main.zeek` is loaded)
+
+
+         Indicates that a host was seen running traceroutes.  For more
+         detail about specific traceroutes that we run, refer to the
+         traceroute.log.
+
+      .. zeek:enum:: Conn::Retransmission_Inconsistency Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/conn/weirds.zeek` is loaded)
+
+
+         Possible evasion; usually just chud.
+
+      .. zeek:enum:: Conn::Content_Gap Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/conn/weirds.zeek` is loaded)
+
+
+         Data has sequence hole; perhaps due to filtering.
+
+      .. zeek:enum:: DNS::External_Name Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/dns/detect-external-names.zeek` is loaded)
+
+
+         Raised when a non-local name is found to be pointing at a
+         local host.  The :zeek:id:`Site::local_zones` variable
+         **must** be set appropriately for this detection.
+
+      .. zeek:enum:: FTP::Bruteforcing Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ftp/detect-bruteforcing.zeek` is loaded)
+
+
+         Indicates a host bruteforcing FTP logins by watching for too
+         many rejected usernames or failed passwords.
+
+      .. zeek:enum:: FTP::Site_Exec_Success Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ftp/detect.zeek` is loaded)
+
+
+         Indicates that a successful response to a "SITE EXEC"
+         command/arg pair was seen.
+
+      .. zeek:enum:: HTTP::SQL_Injection_Attacker Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/http/detect-sql-injection.zeek` is loaded)
+
+
+         Indicates that a host performing SQL injection attacks was
+         detected.
+
+      .. zeek:enum:: HTTP::SQL_Injection_Victim Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/http/detect-sql-injection.zeek` is loaded)
+
+
+         Indicates that a host was seen to have SQL injection attacks
+         against it.  This is tracked by IP address as opposed to
+         hostname.
+
+      .. zeek:enum:: SMTP::Blocklist_Error_Message Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/smtp/blocklists.zeek` is loaded)
+
+
+         An SMTP server sent a reply mentioning an SMTP block list.
+
+      .. zeek:enum:: SMTP::Blocklist_Blocked_Host Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/smtp/blocklists.zeek` is loaded)
+
+
+         The originator's address is seen in the block list error message.
+         This is useful to detect local hosts sending SPAM with a high
+         positive rate.
+
+      .. zeek:enum:: SMTP::Suspicious_Origination Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek` is loaded)
+
+
+      .. zeek:enum:: SSH::Password_Guessing Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssh/detect-bruteforcing.zeek` is loaded)
+
+
+         Indicates that a host has been identified as crossing the
+         :zeek:id:`SSH::password_guesses_limit` threshold with
+         failed logins.
+
+      .. zeek:enum:: SSH::Login_By_Password_Guesser Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssh/detect-bruteforcing.zeek` is loaded)
+
+
+         Indicates that a host previously identified as a "password
+         guesser" has now had a successful login
+         attempt. This is not currently implemented.
+
+      .. zeek:enum:: SSH::Watched_Country_Login Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssh/geo-data.zeek` is loaded)
+
+
+         If an SSH login is seen to or from a "watched" country based
+         on the :zeek:id:`SSH::watched_countries` variable then this
+         notice will be generated.
+
+      .. zeek:enum:: SSH::Interesting_Hostname_Login Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssh/interesting-hostnames.zeek` is loaded)
+
+
+         Generated if a login originates or responds with a host where
+         the reverse hostname lookup resolves to a name matched by the
+         :zeek:id:`SSH::interesting_hostnames` regular expression.
+
+      .. zeek:enum:: SSL::Certificate_Expired Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/expiring-certs.zeek` is loaded)
+
+
+         Indicates that a certificate's NotValidAfter date has lapsed
+         and the certificate is now invalid.
+
+      .. zeek:enum:: SSL::Certificate_Expires_Soon Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/expiring-certs.zeek` is loaded)
+
+
+         Indicates that a certificate is going to expire within
+         :zeek:id:`SSL::notify_when_cert_expiring_in`.
+
+      .. zeek:enum:: SSL::Certificate_Not_Valid_Yet Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/expiring-certs.zeek` is loaded)
+
+
+         Indicates that a certificate's NotValidBefore date is future
+         dated.
+
+      .. zeek:enum:: Heartbleed::SSL_Heartbeat_Attack Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+         Indicates that a host performed a heartbleed attack or scan.
+
+      .. zeek:enum:: Heartbleed::SSL_Heartbeat_Attack_Success Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+         Indicates that a host performing a heartbleed attack was probably successful.
+
+      .. zeek:enum:: Heartbleed::SSL_Heartbeat_Odd_Length Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+         Indicates we saw heartbeat requests with odd length. Probably an attack or scan.
+
+      .. zeek:enum:: Heartbleed::SSL_Heartbeat_Many_Requests Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+         Indicates we saw many heartbeat requests without a reply. Might be an attack.
+
+      .. zeek:enum:: SSL::Invalid_Server_Cert Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
+
+
+         This notice indicates that the result of validating the
+         certificate along with its full certificate chain was
+         invalid.
+
+      .. zeek:enum:: SSL::Invalid_Ocsp_Response Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/validate-ocsp.zeek` is loaded)
+
+
+         This indicates that the OCSP response was not deemed
+         to be valid.
+
+      .. zeek:enum:: SSL::Weak_Key Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/weak-keys.zeek` is loaded)
+
+
+         Indicates that a server is using a potentially unsafe key.
+
+      .. zeek:enum:: SSL::Old_Version Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/weak-keys.zeek` is loaded)
+
+
+         Indicates that a server is using a potentially unsafe version
+
+      .. zeek:enum:: SSL::Weak_Cipher Notice::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssl/weak-keys.zeek` is loaded)
+
+
+         Indicates that a server is using a potentially unsafe cipher
+
+      .. zeek:enum:: ZeekygenExample::Zeekygen_One Notice::Type
+
+         (present if :doc:`/scripts/zeekygen/example.zeek` is loaded)
+
+
+         Any number of this type of comment
+         will document "Zeekygen_One".
+
+      .. zeek:enum:: ZeekygenExample::Zeekygen_Two Notice::Type
+
+         (present if :doc:`/scripts/zeekygen/example.zeek` is loaded)
+
+
+         Any number of this type of comment
+         will document "ZEEKYGEN_TWO".
+
+      .. zeek:enum:: ZeekygenExample::Zeekygen_Three Notice::Type
+
+         (present if :doc:`/scripts/zeekygen/example.zeek` is loaded)
+
+
+      .. zeek:enum:: ZeekygenExample::Zeekygen_Four Notice::Type
+
+         (present if :doc:`/scripts/zeekygen/example.zeek` is loaded)
+
+
+         Omitting comments is fine, and so is mixing ``##`` and ``##<``, but
+         it's probably best to use only one style consistently.
+
+   Scripts creating new notices need to redef this enum to add their
+   own specific notice types which would then get used when they call
+   the :zeek:id:`NOTICE` function.  The convention is to give a general
+   category along with the specific notice separating words with
+   underscores and using leading capitals on each word except for
+   abbreviations which are kept in all capitals. For example,
+   SSH::Password_Guessing is for hosts that have crossed a threshold of
+   failed SSH logins.
+
+Events
+######
+.. zeek:id:: Notice::begin_suppression
+   :source-code: base/frameworks/notice/main.zeek 549 553
+
+   :Type: :zeek:type:`event` (ts: :zeek:type:`time`, suppress_for: :zeek:type:`interval`, note: :zeek:type:`Notice::Type`, identifier: :zeek:type:`string`)
+
+   This event is generated when a notice begins to be suppressed.
+   
+
+   :param ts: time indicating then when the notice to be suppressed occurred.
+   
+
+   :param suppress_for: length of time that this notice should be suppressed.
+   
+
+   :param note: The :zeek:type:`Notice::Type` of the notice.
+   
+
+   :param identifier: The identifier string of the notice that should be suppressed.
+
+.. zeek:id:: Notice::log_notice
+   :source-code: base/frameworks/notice/main.zeek 323 323
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Notice::Info`)
+
+   This event can be handled to access the :zeek:type:`Notice::Info`
+   record as it is sent on to the logging framework.
+   
+
+   :param rec: The record containing notice data before it is logged.
+
+.. zeek:id:: Notice::suppressed
+   :source-code: base/frameworks/notice/main.zeek 294 294
+
+   :Type: :zeek:type:`event` (n: :zeek:type:`Notice::Info`)
+
+   This event is generated on each occurrence of an event being
+   suppressed.
+   
+
+   :param n: The record containing notice data regarding the notice type
+      being suppressed.
+
+Hooks
+#####
+.. zeek:id:: Notice::log_policy
+   :source-code: base/frameworks/notice/main.zeek 20 20
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   Default logging policy hooks for the streams.
+
+.. zeek:id:: Notice::log_policy_alarm
+   :source-code: base/frameworks/notice/main.zeek 21 21
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+.. zeek:id:: Notice::notice
+   :source-code: base/frameworks/notice/main.zeek 271 271
+
+   :Type: :zeek:type:`hook` (n: :zeek:type:`Notice::Info`) : :zeek:type:`bool`
+
+   This is the event that is called as the entry point to the
+   notice framework by the global :zeek:id:`NOTICE` function. By the
+   time this event is generated, default values have already been
+   filled out in the :zeek:type:`Notice::Info` record and the notice
+   policy has also been applied.
+   
+
+   :param n: The record containing notice data.
+
+.. zeek:id:: Notice::policy
+   :source-code: base/frameworks/notice/main.zeek 195 195
+
+   :Type: :zeek:type:`hook` (n: :zeek:type:`Notice::Info`) : :zeek:type:`bool`
+
+   The hook to modify notice handling.
+
+Functions
+#########
+.. zeek:id:: NOTICE
+   :source-code: base/frameworks/notice/main.zeek 331 341
+
+   :Type: :zeek:type:`function` (n: :zeek:type:`Notice::Info`) : :zeek:type:`void`
+
+
+.. zeek:id:: Notice::apply_policy
+   :source-code: base/frameworks/notice/main.zeek 611 663
+
+   :Type: :zeek:type:`function` (n: :zeek:type:`Notice::Info`) : :zeek:type:`void`
+
+   This is an internal function to populate policy records.
+
+.. zeek:id:: Notice::create_file_info
+   :source-code: base/frameworks/notice/main.zeek 566 584
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`Notice::FileInfo`
+
+   Creates a record containing a subset of a full :zeek:see:`fa_file` record.
+   
+
+   :param f: record containing metadata about a file.
+   
+
+   :returns: record containing a subset of fields copied from *f*.
+
+.. zeek:id:: Notice::email_headers
+   :source-code: base/frameworks/notice/main.zeek 396 406
+
+   :Type: :zeek:type:`function` (subject_desc: :zeek:type:`string`, dest: :zeek:type:`string`) : :zeek:type:`string`
+
+   Constructs mail headers to which an email body can be appended for
+   sending with sendmail.
+   
+
+   :param subject_desc: a subject string to use for the mail.
+   
+
+   :param dest: recipient string to use for the mail.
+   
+
+   :returns: a string of mail headers to which an email body can be
+            appended.
+
+.. zeek:id:: Notice::email_notice_to
+   :source-code: base/frameworks/notice/main.zeek 413 481
+
+   :Type: :zeek:type:`function` (n: :zeek:type:`Notice::Info`, dest: :zeek:type:`string`, extend: :zeek:type:`bool`) : :zeek:type:`void`
+
+   Call this function to send a notice in an email.  It is already used
+   by default with the built in :zeek:enum:`Notice::ACTION_EMAIL` and
+   :zeek:enum:`Notice::ACTION_PAGE` actions.
+   
+
+   :param n: The record of notice data to email.
+   
+
+   :param dest: The intended recipient of the notice email.
+   
+
+   :param extend: Whether to extend the email using the
+           ``email_body_sections`` field of *n*.
+
+.. zeek:id:: Notice::is_being_suppressed
+   :source-code: base/frameworks/notice/main.zeek 555 564
+
+   :Type: :zeek:type:`function` (n: :zeek:type:`Notice::Info`) : :zeek:type:`bool`
+
+   A function to determine if an event is supposed to be suppressed.
+   
+
+   :param n: The record containing the notice in question.
+
+.. zeek:id:: Notice::log_mailing_postprocessor
+   :source-code: base/frameworks/notice/main.zeek 365 380
+
+   :Type: :zeek:type:`function` (info: :zeek:type:`Log::RotationInfo`) : :zeek:type:`bool`
+
+   A log postprocessing function that implements emailing the contents
+   of a log upon rotation to any configured :zeek:id:`Notice::mail_dest`.
+   The rotated log is removed upon being sent.
+   
+
+   :param info: A record containing the rotated log file information.
+   
+
+   :returns: True.
+
+.. zeek:id:: Notice::populate_file_info
+   :source-code: base/frameworks/notice/main.zeek 586 589
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`, n: :zeek:type:`Notice::Info`) : :zeek:type:`void`
+
+   Populates file-related fields in a notice info record.
+   
+
+   :param f: record containing metadata about a file.
+   
+
+   :param n: a notice record that needs file-related fields populated.
+
+.. zeek:id:: Notice::populate_file_info2
+   :source-code: base/frameworks/notice/main.zeek 591 606
+
+   :Type: :zeek:type:`function` (fi: :zeek:type:`Notice::FileInfo`, n: :zeek:type:`Notice::Info`) : :zeek:type:`void`
+
+   Populates file-related fields in a notice info record.
+   
+
+   :param fi: record containing metadata about a file.
+   
+
+   :param n: a notice record that needs file-related fields populated.
+
+
diff --git a/doc/scripts/base/frameworks/notice/weird.zeek.rst b/doc/scripts/base/frameworks/notice/weird.zeek.rst
new file mode 100644
index 0000000000..9d864fbaf9
--- /dev/null
+++ b/doc/scripts/base/frameworks/notice/weird.zeek.rst
@@ -0,0 +1,482 @@
+:tocdepth: 3
+
+base/frameworks/notice/weird.zeek
+=================================
+.. zeek:namespace:: Weird
+
+This script provides a default set of actions to take for "weird activity"
+events generated from Zeek's event engine.  Weird activity is defined as
+unusual or exceptional activity that can indicate malformed connections,
+traffic that doesn't conform to a particular protocol, malfunctioning
+or misconfigured hardware, or even an attacker attempting to avoid/confuse
+a sensor.  Without context, it's hard to judge whether a particular
+category of weird activity is interesting, but this script provides
+a starting point for the user.
+
+:Namespace: Weird
+:Imports: :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`, :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=================================================================================== ==============================================================
+:zeek:id:`Weird::ignore_hosts`: :zeek:type:`set` :zeek:attr:`&redef`                To completely ignore a specific weird for a host, add the host
+                                                                                    and weird name into this set.
+:zeek:id:`Weird::weird_do_not_ignore_repeats`: :zeek:type:`set` :zeek:attr:`&redef` Don't ignore repeats for weirds in this set.
+=================================================================================== ==============================================================
+
+Redefinable Options
+###################
+=============================================================================================================== ==============================================================
+:zeek:id:`Weird::actions`: :zeek:type:`table` :zeek:attr:`&default` = ``Weird::ACTION_LOG`` :zeek:attr:`&redef` A table specifying default/recommended actions per weird type.
+=============================================================================================================== ==============================================================
+
+State Variables
+###############
+================================================================================================================ ====================================================================
+:zeek:id:`Weird::did_log`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`        A state set which tracks unique weirds solely by name to reduce
+                                                                                                                 duplicate logging.
+:zeek:id:`Weird::did_notice`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`     A state set which tracks unique weirds solely by name to reduce
+                                                                                                                 duplicate notices from being raised.
+:zeek:id:`Weird::weird_ignore`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``10.0 mins`` :zeek:attr:`&redef` This table is used to track identifier and name pairs that should be
+                                                                                                                 temporarily ignored because the problem has already been reported.
+================================================================================================================ ====================================================================
+
+Types
+#####
+============================================= =======================================================================
+:zeek:type:`Weird::Action`: :zeek:type:`enum` Types of actions that may be taken when handling weird activity events.
+:zeek:type:`Weird::Info`: :zeek:type:`record` The record which is used for representing and logging weirds.
+============================================= =======================================================================
+
+Redefinitions
+#############
+============================================ ===================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      The weird logging stream identifier.
+                                             
+                                             * :zeek:enum:`Weird::LOG`
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`Weird::Activity`:
+                                               Generic unusual but notice-worthy weird activity.
+============================================ ===================================================
+
+Events
+######
+=============================================== ==============================================================
+:zeek:id:`Weird::log_weird`: :zeek:type:`event` Handlers of this event are invoked once per write to the weird
+                                                logging stream before the data is actually written.
+=============================================== ==============================================================
+
+Hooks
+#####
+========================================================== =============================================
+:zeek:id:`Weird::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+========================================================== =============================================
+
+Functions
+#########
+============================================== =
+:zeek:id:`Weird::weird`: :zeek:type:`function` 
+============================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Weird::ignore_hosts
+   :source-code: base/frameworks/notice/weird.zeek 266 266
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   To completely ignore a specific weird for a host, add the host
+   and weird name into this set.
+
+.. zeek:id:: Weird::weird_do_not_ignore_repeats
+   :source-code: base/frameworks/notice/weird.zeek 270 270
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "bad_ICMP_checksum",
+            "bad_UDP_checksum",
+            "bad_TCP_checksum",
+            "bad_IP_checksum"
+         }
+
+
+   Don't ignore repeats for weirds in this set.  For example,
+   it's handy keeping track of clustered checksum errors.
+
+Redefinable Options
+###################
+.. zeek:id:: Weird::actions
+   :source-code: base/frameworks/notice/weird.zeek 95 95
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Weird::Action`
+   :Attributes: :zeek:attr:`&default` = ``Weird::ACTION_LOG`` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            ["bad_ICMP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
+            ["truncated_IP"] = Weird::ACTION_LOG,
+            ["data_after_reset"] = Weird::ACTION_LOG,
+            ["data_before_established"] = Weird::ACTION_LOG,
+            ["irc_invalid_oper_message_format"] = Weird::ACTION_LOG,
+            ["irc_invalid_whois_user_line"] = Weird::ACTION_LOG,
+            ["FTP_too_many_pending_commands"] = Weird::ACTION_LOG_PER_CONN,
+            ["DNS_label_len_gt_name_len"] = Weird::ACTION_LOG_PER_ORIG,
+            ["FTP_max_command_length_exceeded"] = Weird::ACTION_LOG_PER_CONN,
+            ["irc_invalid_dcc_message_format"] = Weird::ACTION_LOG,
+            ["netbios_server_session_request"] = Weird::ACTION_LOG,
+            ["RPC_rexmit_inconsistency"] = Weird::ACTION_LOG,
+            ["unpaired_RPC_response"] = Weird::ACTION_LOG,
+            ["SYN_inside_connection"] = Weird::ACTION_LOG,
+            ["excessively_large_fragment"] = Weird::ACTION_LOG,
+            ["truncated_header"] = Weird::ACTION_LOG,
+            ["contentline_size_exceeded"] = Weird::ACTION_LOG,
+            ["SMB_discarded_dce_rpc_analyzers"] = Weird::ACTION_LOG,
+            ["unescaped_%_in_URI"] = Weird::ACTION_LOG,
+            ["smtp_mail_transaction_invalid"] = Weird::ACTION_LOG_PER_CONN,
+            ["fragment_overlap"] = Weird::ACTION_LOG_PER_ORIG,
+            ["smb_tree_connect_andx_response_without_tree"] = Weird::ACTION_LOG_PER_CONN,
+            ["bad_TCP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
+            ["pop3_client_command_unknown"] = Weird::ACTION_LOG,
+            ["TCP_christmas"] = Weird::ACTION_LOG,
+            ["irc_invalid_notice_message_format"] = Weird::ACTION_LOG,
+            ["partial_RPC"] = Weird::ACTION_LOG_PER_ORIG,
+            ["irc_invalid_kick_message_format"] = Weird::ACTION_LOG,
+            ["excess_RPC"] = Weird::ACTION_LOG_PER_ORIG,
+            ["invalid_irc_global_users_reply"] = Weird::ACTION_LOG,
+            ["FTP_reply_msg_too_long"] = Weird::ACTION_LOG_PER_CONN,
+            ["bad_rsh_prolog"] = Weird::ACTION_LOG,
+            ["irc_line_too_short"] = Weird::ACTION_LOG,
+            ["UDP_datagram_length_mismatch"] = Weird::ACTION_LOG_PER_ORIG,
+            ["bad_ident_reply"] = Weird::ACTION_LOG,
+            ["fragment_with_DF"] = Weird::ACTION_LOG,
+            ["irc_invalid_invite_message_format"] = Weird::ACTION_LOG,
+            ["premature_connection_reuse"] = Weird::ACTION_LOG,
+            ["fragment_size_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
+            ["smtp_excessive_invalid_mail_transactions"] = Weird::ACTION_LOG_PER_CONN,
+            ["SYN_with_data"] = Weird::ACTION_LOG_PER_ORIG,
+            ["DNS_RR_length_mismatch"] = Weird::ACTION_LOG,
+            ["irc_invalid_whois_operator_line"] = Weird::ACTION_LOG,
+            ["bad_ident_port"] = Weird::ACTION_LOG,
+            ["base64_illegal_encoding"] = Weird::ACTION_LOG,
+            ["simultaneous_open"] = Weird::ACTION_LOG_PER_CONN,
+            ["ident_request_addendum"] = Weird::ACTION_LOG,
+            ["DNS_truncated_quest_too_short"] = Weird::ACTION_LOG,
+            ["illegal_%_at_end_of_URI"] = Weird::ACTION_LOG,
+            ["pop3_server_sending_client_commands"] = Weird::ACTION_LOG,
+            ["irc_invalid_mode_message_format"] = Weird::ACTION_LOG,
+            ["SYN_after_close"] = Weird::ACTION_LOG,
+            ["window_recision"] = Weird::ACTION_LOG,
+            ["inflate_failed"] = Weird::ACTION_LOG,
+            ["DNS_truncated_len_lt_hdr_len"] = Weird::ACTION_LOG,
+            ["irc_invalid_privmsg_message_format"] = Weird::ACTION_LOG,
+            ["pending_data_when_closed"] = Weird::ACTION_LOG,
+            ["excessive_data_without_further_acks"] = Weird::ACTION_LOG,
+            ["netbios_raw_session_msg"] = Weird::ACTION_LOG,
+            ["responder_RPC_call"] = Weird::ACTION_LOG_PER_ORIG,
+            ["SYN_after_reset"] = Weird::ACTION_LOG,
+            ["bad_SYN_ack"] = Weird::ACTION_LOG,
+            ["unsolicited_SYN_response"] = Weird::ACTION_IGNORE,
+            ["line_terminated_with_single_LF"] = Weird::ACTION_LOG,
+            ["irc_invalid_names_line"] = Weird::ACTION_LOG,
+            ["DNS_RR_unknown_type"] = Weird::ACTION_LOG,
+            ["repeated_SYN_reply_wo_ack"] = Weird::ACTION_LOG,
+            ["bad_HTTP_reply"] = Weird::ACTION_LOG,
+            ["FIN_storm"] = Weird::ACTION_NOTICE_PER_ORIG,
+            ["HTTP_response_before_request"] = Weird::ACTION_LOG,
+            ["NUL_in_line"] = Weird::ACTION_LOG,
+            ["pop3_server_command_unknown"] = Weird::ACTION_LOG,
+            ["fragment_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
+            ["FIN_advanced_last_seq"] = Weird::ACTION_LOG,
+            ["baroque_SYN"] = Weird::ACTION_LOG,
+            ["unexpected_multiple_HTTP_requests"] = Weird::ACTION_LOG,
+            ["unknown_netbios_type"] = Weird::ACTION_LOG,
+            ["FTP_user_too_long"] = Weird::ACTION_LOG_PER_CONN,
+            ["bad_RPC"] = Weird::ACTION_LOG_PER_ORIG,
+            ["incompletely_captured_fragment"] = Weird::ACTION_LOG,
+            ["irc_too_many_invalid"] = Weird::ACTION_LOG,
+            ["DNS_AAAA_neg_length"] = Weird::ACTION_LOG,
+            ["SYN_seq_jump"] = Weird::ACTION_LOG,
+            ["malformed_ssh_version"] = Weird::ACTION_LOG,
+            ["bad_rlogin_prolog"] = Weird::ACTION_LOG,
+            ["unmatched_HTTP_reply"] = Weird::ACTION_LOG,
+            ["possible_split_routing"] = Weird::ACTION_LOG,
+            ["irc_invalid_who_message_format"] = Weird::ACTION_LOG,
+            ["HTTP_chunked_transfer_for_multipart_message"] = Weird::ACTION_LOG,
+            ["irc_invalid_njoin_line"] = Weird::ACTION_LOG,
+            ["FTP_arg_too_long"] = Weird::ACTION_LOG_PER_CONN,
+            ["line_terminated_with_single_CR"] = Weird::ACTION_LOG,
+            ["HTTP_overlapping_messages"] = Weird::ACTION_LOG,
+            ["deficit_netbios_hdr_len"] = Weird::ACTION_LOG,
+            ["repeated_SYN_with_ack"] = Weird::ACTION_LOG,
+            ["irc_invalid_reply_number"] = Weird::ACTION_LOG,
+            ["malformed_ssh_identification"] = Weird::ACTION_LOG,
+            ["RPC_underflow"] = Weird::ACTION_LOG,
+            ["unexpected_server_HTTP_data"] = Weird::ACTION_LOG,
+            ["DNS_RR_bad_length"] = Weird::ACTION_LOG,
+            ["SSL_many_server_names"] = Weird::ACTION_LOG,
+            ["irc_invalid_whois_channel_line"] = Weird::ACTION_LOG,
+            ["DNS_label_len_gt_pkt"] = Weird::ACTION_LOG_PER_ORIG,
+            ["irc_line_size_exceeded"] = Weird::ACTION_LOG,
+            ["HTTP_excessive_pipelining"] = Weird::ACTION_LOG,
+            ["DNS_Conn_count_too_large"] = Weird::ACTION_LOG,
+            ["irc_invalid_command"] = Weird::ACTION_LOG,
+            ["inappropriate_FIN"] = Weird::ACTION_LOG,
+            ["transaction_subcmd_missing"] = Weird::ACTION_LOG,
+            ["HTTP_version_mismatch"] = Weird::ACTION_LOG,
+            ["irc_invalid_join_line"] = Weird::ACTION_LOG,
+            ["multiple_HTTP_request_elements"] = Weird::ACTION_LOG,
+            ["rlogin_text_after_rejected"] = Weird::ACTION_LOG,
+            ["spontaneous_RST"] = Weird::ACTION_IGNORE,
+            ["bad_IP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
+            ["no_smb_session_using_parsesambamsg"] = Weird::ACTION_LOG,
+            ["unexpected_client_HTTP_data"] = Weird::ACTION_LOG,
+            ["SMB_parsing_error"] = Weird::ACTION_LOG,
+            ["partial_ftp_request"] = Weird::ACTION_LOG,
+            ["double_%_in_URI"] = Weird::ACTION_LOG,
+            ["truncated_NTP"] = Weird::ACTION_LOG,
+            ["internally_truncated_header"] = Weird::ACTION_LOG,
+            ["partial_finger_request"] = Weird::ACTION_LOG,
+            ["irc_invalid_squery_message_format"] = Weird::ACTION_LOG,
+            ["DNS_label_forward_compress_offset"] = Weird::ACTION_LOG_PER_ORIG,
+            ["connection_originator_SYN_ack"] = Weird::ACTION_LOG_PER_ORIG,
+            ["excessively_small_fragment"] = Weird::ACTION_LOG_PER_ORIG,
+            ["irc_invalid_line"] = Weird::ACTION_LOG,
+            ["DNS_label_too_long"] = Weird::ACTION_LOG_PER_ORIG,
+            ["bad_ident_request"] = Weird::ACTION_LOG,
+            ["irc_invalid_who_line"] = Weird::ACTION_LOG,
+            ["DNS_truncated_ans_too_short"] = Weird::ACTION_LOG,
+            ["RST_with_data"] = Weird::ACTION_LOG,
+            ["FTP_password_too_long"] = Weird::ACTION_LOG_PER_CONN,
+            ["above_hole_data_without_any_acks"] = Weird::ACTION_LOG,
+            ["bad_UDP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
+            ["partial_ident_request"] = Weird::ACTION_LOG,
+            ["DNS_truncated_RR_rdlength_lt_len"] = Weird::ACTION_LOG,
+            ["bad_RPC_program"] = Weird::ACTION_LOG,
+            ["irc_invalid_topic_reply"] = Weird::ACTION_LOG,
+            ["unescaped_special_URI_char"] = Weird::ACTION_LOG,
+            ["successful_RPC_reply_to_invalid_request"] = Weird::ACTION_NOTICE_PER_ORIG,
+            ["smb_andx_command_failed_to_parse"] = Weird::ACTION_LOG,
+            ["SMB_discarded_messages_state"] = Weird::ACTION_LOG,
+            ["DNS_NAME_too_long"] = Weird::ACTION_LOG,
+            ["crud_trailing_HTTP_request"] = Weird::ACTION_LOG,
+            ["spontaneous_FIN"] = Weird::ACTION_IGNORE,
+            ["rsh_text_after_rejected"] = Weird::ACTION_LOG,
+            ["pop3_malformed_auth_plain"] = Weird::ACTION_LOG,
+            ["bad_HTTP_version"] = Weird::ACTION_LOG,
+            ["bad_TCP_header_len"] = Weird::ACTION_LOG,
+            ["unknown_HTTP_method"] = Weird::ACTION_LOG,
+            ["netbios_client_session_reply"] = Weird::ACTION_LOG,
+            ["SYN_after_partial"] = Weird::ACTION_NOTICE_PER_ORIG,
+            ["irc_invalid_whois_message_format"] = Weird::ACTION_LOG,
+            ["excess_netbios_hdr_len"] = Weird::ACTION_LOG,
+            ["pop3_client_sending_server_commands"] = Weird::ACTION_LOG,
+            ["RST_storm"] = Weird::ACTION_LOG,
+            ["fragment_protocol_inconsistency"] = Weird::ACTION_LOG,
+            ["originator_RPC_reply"] = Weird::ACTION_LOG_PER_ORIG,
+            ["FIN_after_reset"] = Weird::ACTION_IGNORE,
+            ["pop3_bad_base64_encoding"] = Weird::ACTION_LOG,
+            ["active_connection_reuse"] = Weird::ACTION_LOG,
+            ["truncated_ARP"] = Weird::ACTION_LOG,
+            ["HTTP_bad_chunk_size"] = Weird::ACTION_LOG
+         }
+
+
+   A table specifying default/recommended actions per weird type.
+
+State Variables
+###############
+.. zeek:id:: Weird::did_log
+   :source-code: base/frameworks/notice/weird.zeek 284 284
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`, :zeek:type:`string`]
+   :Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   A state set which tracks unique weirds solely by name to reduce
+   duplicate logging.  This is deliberately not synchronized because it
+   could cause overload during storms.
+
+.. zeek:id:: Weird::did_notice
+   :source-code: base/frameworks/notice/weird.zeek 288 288
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`, :zeek:type:`string`]
+   :Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   A state set which tracks unique weirds solely by name to reduce
+   duplicate notices from being raised.
+
+.. zeek:id:: Weird::weird_ignore
+   :source-code: base/frameworks/notice/weird.zeek 279 279
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`, :zeek:type:`string`]
+   :Attributes: :zeek:attr:`&create_expire` = ``10.0 mins`` :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   This table is used to track identifier and name pairs that should be
+   temporarily ignored because the problem has already been reported.
+   This helps reduce the volume of high volume weirds by only allowing
+   a unique weird every ``create_expire`` interval.
+
+Types
+#####
+.. zeek:type:: Weird::Action
+   :source-code: base/frameworks/notice/weird.zeek 70 93
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Weird::ACTION_UNSPECIFIED Weird::Action
+
+         A dummy action indicating the user does not care what
+         internal decision is made regarding a given type of weird.
+
+      .. zeek:enum:: Weird::ACTION_IGNORE Weird::Action
+
+         No action is to be taken.
+
+      .. zeek:enum:: Weird::ACTION_LOG Weird::Action
+
+         Log the weird event every time it occurs.
+
+      .. zeek:enum:: Weird::ACTION_LOG_ONCE Weird::Action
+
+         Log the weird event only once.
+
+      .. zeek:enum:: Weird::ACTION_LOG_PER_CONN Weird::Action
+
+         Log the weird event once per connection.
+
+      .. zeek:enum:: Weird::ACTION_LOG_PER_ORIG Weird::Action
+
+         Log the weird event once per originator host.
+
+      .. zeek:enum:: Weird::ACTION_NOTICE Weird::Action
+
+         Always generate a notice associated with the weird event.
+
+      .. zeek:enum:: Weird::ACTION_NOTICE_ONCE Weird::Action
+
+         Generate a notice associated with the weird event only once.
+
+      .. zeek:enum:: Weird::ACTION_NOTICE_PER_CONN Weird::Action
+
+         Generate a notice for the weird event once per connection.
+
+      .. zeek:enum:: Weird::ACTION_NOTICE_PER_ORIG Weird::Action
+
+         Generate a notice for the weird event once per originator host.
+
+   Types of actions that may be taken when handling weird activity events.
+
+.. zeek:type:: Weird::Info
+   :source-code: base/frameworks/notice/weird.zeek 29 67
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The time when the weird occurred.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If a connection is associated with this weird, this will be
+      the connection's unique ID.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      conn_id for the optional connection.
+
+
+   .. zeek:field:: conn :zeek:type:`connection` :zeek:attr:`&optional`
+
+      A shorthand way of giving the uid and id to a weird.
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log`
+
+      The name of the weird that occurred.
+
+
+   .. zeek:field:: addl :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Additional information accompanying the weird if any.
+
+
+   .. zeek:field:: notice :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicate if this weird was also turned into a notice.
+
+
+   .. zeek:field:: peer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = :zeek:see:`peer_description` :zeek:attr:`&optional`
+
+      The peer that originated this weird.  This is helpful in
+      cluster deployments if a particular cluster node is having
+      trouble to help identify which node is having trouble.
+
+
+   .. zeek:field:: source :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The source of the weird. When reported by an analyzer, this
+      should be the name of the analyzer.
+
+
+   .. zeek:field:: identifier :zeek:type:`string` :zeek:attr:`&optional`
+
+      This field is to be provided when a weird is generated for
+      the purpose of deduplicating weirds. The identifier string
+      should be unique for a single instance of the weird. This field
+      is used to define when a weird is conceptually a duplicate of
+      a previous weird.
+
+
+   The record which is used for representing and logging weirds.
+
+Events
+######
+.. zeek:id:: Weird::log_weird
+   :source-code: base/frameworks/notice/weird.zeek 294 294
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Weird::Info`)
+
+   Handlers of this event are invoked once per write to the weird
+   logging stream before the data is actually written.
+   
+
+   :param rec: The weird columns about to be logged to the weird stream.
+
+Hooks
+#####
+.. zeek:id:: Weird::log_policy
+   :source-code: base/frameworks/notice/weird.zeek 21 21
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+Functions
+#########
+.. zeek:id:: Weird::weird
+   :source-code: base/frameworks/notice/weird.zeek 329 417
+
+   :Type: :zeek:type:`function` (w: :zeek:type:`Weird::Info`) : :zeek:type:`void`
+
+
+
diff --git a/doc/scripts/base/frameworks/openflow/__load__.zeek.rst b/doc/scripts/base/frameworks/openflow/__load__.zeek.rst
new file mode 100644
index 0000000000..a89275ab5a
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/openflow/__load__.zeek
+======================================
+
+
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/openflow/consts.zeek </scripts/base/frameworks/openflow/consts.zeek>`, :doc:`base/frameworks/openflow/main.zeek </scripts/base/frameworks/openflow/main.zeek>`, :doc:`base/frameworks/openflow/non-cluster.zeek </scripts/base/frameworks/openflow/non-cluster.zeek>`, :doc:`base/frameworks/openflow/plugins </scripts/base/frameworks/openflow/plugins/index>`, :doc:`base/frameworks/openflow/types.zeek </scripts/base/frameworks/openflow/types.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/openflow/consts.zeek.rst b/doc/scripts/base/frameworks/openflow/consts.zeek.rst
new file mode 100644
index 0000000000..014a489dee
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/consts.zeek.rst
@@ -0,0 +1,623 @@
+:tocdepth: 3
+
+base/frameworks/openflow/consts.zeek
+====================================
+.. zeek:namespace:: OpenFlow
+
+Constants used by the OpenFlow framework.
+
+:Namespace: OpenFlow
+
+Summary
+~~~~~~~
+Constants
+#########
+=============================================================== ======================================================================
+:zeek:id:`OpenFlow::ETH_APPLETALK`: :zeek:type:`count`          
+:zeek:id:`OpenFlow::ETH_APPLETALK_ARP`: :zeek:type:`count`      
+:zeek:id:`OpenFlow::ETH_ARP`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::ETH_EAP_OVER_LAN`: :zeek:type:`count`       
+:zeek:id:`OpenFlow::ETH_ETHER_FLOW_CONTROL`: :zeek:type:`count` 
+:zeek:id:`OpenFlow::ETH_IPX`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::ETH_IPX_OLD`: :zeek:type:`count`            
+:zeek:id:`OpenFlow::ETH_IPv4`: :zeek:type:`count`               
+:zeek:id:`OpenFlow::ETH_IPv6`: :zeek:type:`count`               
+:zeek:id:`OpenFlow::ETH_JUMBO_FRAMES`: :zeek:type:`count`       
+:zeek:id:`OpenFlow::ETH_MAC_SECURITY`: :zeek:type:`count`       
+:zeek:id:`OpenFlow::ETH_MPLS_MULTICAST`: :zeek:type:`count`     
+:zeek:id:`OpenFlow::ETH_MPLS_UNICAST`: :zeek:type:`count`       
+:zeek:id:`OpenFlow::ETH_PPPOE_DISCOVERY`: :zeek:type:`count`    
+:zeek:id:`OpenFlow::ETH_PPPOE_SESSION`: :zeek:type:`count`      
+:zeek:id:`OpenFlow::ETH_PROVIDER_BRIDING`: :zeek:type:`count`   
+:zeek:id:`OpenFlow::ETH_QINQ`: :zeek:type:`count`               
+:zeek:id:`OpenFlow::ETH_RARP`: :zeek:type:`count`               
+:zeek:id:`OpenFlow::ETH_VLAN`: :zeek:type:`count`               
+:zeek:id:`OpenFlow::ETH_WOL`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::INVALID_COOKIE`: :zeek:type:`count`         Return value for a cookie from a flow
+                                                                which is not added, modified or deleted
+                                                                from the Zeek openflow framework.
+:zeek:id:`OpenFlow::IP_CBT`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::IP_EGP`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::IP_ETHERIP`: :zeek:type:`count`             
+:zeek:id:`OpenFlow::IP_FC`: :zeek:type:`count`                  
+:zeek:id:`OpenFlow::IP_GGP`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::IP_GRE`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::IP_HOPOPT`: :zeek:type:`count`              
+:zeek:id:`OpenFlow::IP_ICMP`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_IGMP`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_IGP`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::IP_IPIP`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_IPv6`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_ISIS`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_L2TP`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_MPLS`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_MTP`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::IP_OSPF`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_RDP`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::IP_RSVP`: :zeek:type:`count`                
+:zeek:id:`OpenFlow::IP_ST`: :zeek:type:`count`                  
+:zeek:id:`OpenFlow::IP_TCP`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::IP_UDP`: :zeek:type:`count`                 
+:zeek:id:`OpenFlow::OFPFF_CHECK_OVERLAP`: :zeek:type:`count`    Check for overlapping entries first.
+:zeek:id:`OpenFlow::OFPFF_EMERG`: :zeek:type:`count`            Remark this is for emergency.
+:zeek:id:`OpenFlow::OFPFF_SEND_FLOW_REM`: :zeek:type:`count`    Send flow removed message when flow
+                                                                expires or is deleted.
+:zeek:id:`OpenFlow::OFPP_ALL`: :zeek:type:`count`               All physical ports except input port.
+:zeek:id:`OpenFlow::OFPP_ANY`: :zeek:type:`count`               Wildcard port used only for flow mod (delete) and flow stats requests.
+:zeek:id:`OpenFlow::OFPP_CONTROLLER`: :zeek:type:`count`        Send to controller.
+:zeek:id:`OpenFlow::OFPP_FLOOD`: :zeek:type:`count`             All physical ports except input port and
+                                                                those disabled by STP.
+:zeek:id:`OpenFlow::OFPP_IN_PORT`: :zeek:type:`count`           Send the packet out the input port.
+:zeek:id:`OpenFlow::OFPP_LOCAL`: :zeek:type:`count`             Local openflow "port".
+:zeek:id:`OpenFlow::OFPP_NORMAL`: :zeek:type:`count`            Process with normal L2/L3 switching.
+:zeek:id:`OpenFlow::OFPP_TABLE`: :zeek:type:`count`             Perform actions in flow table.
+:zeek:id:`OpenFlow::OFPTT_ALL`: :zeek:type:`count`              
+:zeek:id:`OpenFlow::OFP_NO_BUFFER`: :zeek:type:`count`          
+=============================================================== ======================================================================
+
+Types
+#####
+============================================================== ======================================
+:zeek:type:`OpenFlow::ofp_action_type`: :zeek:type:`enum`      Openflow action_type definitions.
+:zeek:type:`OpenFlow::ofp_config_flags`: :zeek:type:`enum`     Openflow config flag definitions.
+:zeek:type:`OpenFlow::ofp_flow_mod_command`: :zeek:type:`enum` Openflow flow_mod_command definitions.
+============================================================== ======================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: OpenFlow::ETH_APPLETALK
+   :source-code: base/frameworks/openflow/consts.zeek 38 38
+
+   :Type: :zeek:type:`count`
+   :Default: ``32923``
+
+
+.. zeek:id:: OpenFlow::ETH_APPLETALK_ARP
+   :source-code: base/frameworks/openflow/consts.zeek 40 40
+
+   :Type: :zeek:type:`count`
+   :Default: ``33011``
+
+
+.. zeek:id:: OpenFlow::ETH_ARP
+   :source-code: base/frameworks/openflow/consts.zeek 32 32
+
+   :Type: :zeek:type:`count`
+   :Default: ``2054``
+
+
+.. zeek:id:: OpenFlow::ETH_EAP_OVER_LAN
+   :source-code: base/frameworks/openflow/consts.zeek 62 62
+
+   :Type: :zeek:type:`count`
+   :Default: ``34958``
+
+
+.. zeek:id:: OpenFlow::ETH_ETHER_FLOW_CONTROL
+   :source-code: base/frameworks/openflow/consts.zeek 50 50
+
+   :Type: :zeek:type:`count`
+   :Default: ``34824``
+
+
+.. zeek:id:: OpenFlow::ETH_IPX
+   :source-code: base/frameworks/openflow/consts.zeek 46 46
+
+   :Type: :zeek:type:`count`
+   :Default: ``33080``
+
+
+.. zeek:id:: OpenFlow::ETH_IPX_OLD
+   :source-code: base/frameworks/openflow/consts.zeek 44 44
+
+   :Type: :zeek:type:`count`
+   :Default: ``33079``
+
+
+.. zeek:id:: OpenFlow::ETH_IPv4
+   :source-code: base/frameworks/openflow/consts.zeek 30 30
+
+   :Type: :zeek:type:`count`
+   :Default: ``2048``
+
+
+.. zeek:id:: OpenFlow::ETH_IPv6
+   :source-code: base/frameworks/openflow/consts.zeek 48 48
+
+   :Type: :zeek:type:`count`
+   :Default: ``34525``
+
+
+.. zeek:id:: OpenFlow::ETH_JUMBO_FRAMES
+   :source-code: base/frameworks/openflow/consts.zeek 60 60
+
+   :Type: :zeek:type:`count`
+   :Default: ``34928``
+
+
+.. zeek:id:: OpenFlow::ETH_MAC_SECURITY
+   :source-code: base/frameworks/openflow/consts.zeek 66 66
+
+   :Type: :zeek:type:`count`
+   :Default: ``35045``
+
+
+.. zeek:id:: OpenFlow::ETH_MPLS_MULTICAST
+   :source-code: base/frameworks/openflow/consts.zeek 54 54
+
+   :Type: :zeek:type:`count`
+   :Default: ``34888``
+
+
+.. zeek:id:: OpenFlow::ETH_MPLS_UNICAST
+   :source-code: base/frameworks/openflow/consts.zeek 52 52
+
+   :Type: :zeek:type:`count`
+   :Default: ``34887``
+
+
+.. zeek:id:: OpenFlow::ETH_PPPOE_DISCOVERY
+   :source-code: base/frameworks/openflow/consts.zeek 56 56
+
+   :Type: :zeek:type:`count`
+   :Default: ``34915``
+
+
+.. zeek:id:: OpenFlow::ETH_PPPOE_SESSION
+   :source-code: base/frameworks/openflow/consts.zeek 58 58
+
+   :Type: :zeek:type:`count`
+   :Default: ``34916``
+
+
+.. zeek:id:: OpenFlow::ETH_PROVIDER_BRIDING
+   :source-code: base/frameworks/openflow/consts.zeek 64 64
+
+   :Type: :zeek:type:`count`
+   :Default: ``34984``
+
+
+.. zeek:id:: OpenFlow::ETH_QINQ
+   :source-code: base/frameworks/openflow/consts.zeek 68 68
+
+   :Type: :zeek:type:`count`
+   :Default: ``37120``
+
+
+.. zeek:id:: OpenFlow::ETH_RARP
+   :source-code: base/frameworks/openflow/consts.zeek 36 36
+
+   :Type: :zeek:type:`count`
+   :Default: ``32821``
+
+
+.. zeek:id:: OpenFlow::ETH_VLAN
+   :source-code: base/frameworks/openflow/consts.zeek 42 42
+
+   :Type: :zeek:type:`count`
+   :Default: ``33024``
+
+
+.. zeek:id:: OpenFlow::ETH_WOL
+   :source-code: base/frameworks/openflow/consts.zeek 34 34
+
+   :Type: :zeek:type:`count`
+   :Default: ``2114``
+
+
+.. zeek:id:: OpenFlow::INVALID_COOKIE
+   :source-code: base/frameworks/openflow/consts.zeek 126 126
+
+   :Type: :zeek:type:`count`
+   :Default: ``9223372036854775807``
+
+   Return value for a cookie from a flow
+   which is not added, modified or deleted
+   from the Zeek openflow framework.
+
+.. zeek:id:: OpenFlow::IP_CBT
+   :source-code: base/frameworks/openflow/consts.zeek 89 89
+
+   :Type: :zeek:type:`count`
+   :Default: ``7``
+
+
+.. zeek:id:: OpenFlow::IP_EGP
+   :source-code: base/frameworks/openflow/consts.zeek 91 91
+
+   :Type: :zeek:type:`count`
+   :Default: ``8``
+
+
+.. zeek:id:: OpenFlow::IP_ETHERIP
+   :source-code: base/frameworks/openflow/consts.zeek 112 112
+
+   :Type: :zeek:type:`count`
+   :Default: ``97``
+
+
+.. zeek:id:: OpenFlow::IP_FC
+   :source-code: base/frameworks/openflow/consts.zeek 118 118
+
+   :Type: :zeek:type:`count`
+   :Default: ``133``
+
+
+.. zeek:id:: OpenFlow::IP_GGP
+   :source-code: base/frameworks/openflow/consts.zeek 81 81
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+
+.. zeek:id:: OpenFlow::IP_GRE
+   :source-code: base/frameworks/openflow/consts.zeek 104 104
+
+   :Type: :zeek:type:`count`
+   :Default: ``47``
+
+
+.. zeek:id:: OpenFlow::IP_HOPOPT
+   :source-code: base/frameworks/openflow/consts.zeek 75 75
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+
+.. zeek:id:: OpenFlow::IP_ICMP
+   :source-code: base/frameworks/openflow/consts.zeek 77 77
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+
+.. zeek:id:: OpenFlow::IP_IGMP
+   :source-code: base/frameworks/openflow/consts.zeek 79 79
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: OpenFlow::IP_IGP
+   :source-code: base/frameworks/openflow/consts.zeek 94 94
+
+   :Type: :zeek:type:`count`
+   :Default: ``9``
+
+
+.. zeek:id:: OpenFlow::IP_IPIP
+   :source-code: base/frameworks/openflow/consts.zeek 83 83
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+
+.. zeek:id:: OpenFlow::IP_IPv6
+   :source-code: base/frameworks/openflow/consts.zeek 100 100
+
+   :Type: :zeek:type:`count`
+   :Default: ``41``
+
+
+.. zeek:id:: OpenFlow::IP_ISIS
+   :source-code: base/frameworks/openflow/consts.zeek 116 116
+
+   :Type: :zeek:type:`count`
+   :Default: ``124``
+
+
+.. zeek:id:: OpenFlow::IP_L2TP
+   :source-code: base/frameworks/openflow/consts.zeek 114 114
+
+   :Type: :zeek:type:`count`
+   :Default: ``115``
+
+
+.. zeek:id:: OpenFlow::IP_MPLS
+   :source-code: base/frameworks/openflow/consts.zeek 120 120
+
+   :Type: :zeek:type:`count`
+   :Default: ``137``
+
+
+.. zeek:id:: OpenFlow::IP_MTP
+   :source-code: base/frameworks/openflow/consts.zeek 108 108
+
+   :Type: :zeek:type:`count`
+   :Default: ``92``
+
+
+.. zeek:id:: OpenFlow::IP_OSPF
+   :source-code: base/frameworks/openflow/consts.zeek 106 106
+
+   :Type: :zeek:type:`count`
+   :Default: ``89``
+
+
+.. zeek:id:: OpenFlow::IP_RDP
+   :source-code: base/frameworks/openflow/consts.zeek 98 98
+
+   :Type: :zeek:type:`count`
+   :Default: ``27``
+
+
+.. zeek:id:: OpenFlow::IP_RSVP
+   :source-code: base/frameworks/openflow/consts.zeek 102 102
+
+   :Type: :zeek:type:`count`
+   :Default: ``46``
+
+
+.. zeek:id:: OpenFlow::IP_ST
+   :source-code: base/frameworks/openflow/consts.zeek 85 85
+
+   :Type: :zeek:type:`count`
+   :Default: ``5``
+
+
+.. zeek:id:: OpenFlow::IP_TCP
+   :source-code: base/frameworks/openflow/consts.zeek 87 87
+
+   :Type: :zeek:type:`count`
+   :Default: ``6``
+
+
+.. zeek:id:: OpenFlow::IP_UDP
+   :source-code: base/frameworks/openflow/consts.zeek 96 96
+
+   :Type: :zeek:type:`count`
+   :Default: ``17``
+
+
+.. zeek:id:: OpenFlow::OFPFF_CHECK_OVERLAP
+   :source-code: base/frameworks/openflow/consts.zeek 155 155
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   Check for overlapping entries first.
+
+.. zeek:id:: OpenFlow::OFPFF_EMERG
+   :source-code: base/frameworks/openflow/consts.zeek 159 159
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+   Remark this is for emergency.
+   Flows added with this are only used
+   when the controller is disconnected.
+
+.. zeek:id:: OpenFlow::OFPFF_SEND_FLOW_REM
+   :source-code: base/frameworks/openflow/consts.zeek 153 153
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   Send flow removed message when flow
+   expires or is deleted.
+
+.. zeek:id:: OpenFlow::OFPP_ALL
+   :source-code: base/frameworks/openflow/consts.zeek 142 142
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967292``
+
+   All physical ports except input port.
+
+.. zeek:id:: OpenFlow::OFPP_ANY
+   :source-code: base/frameworks/openflow/consts.zeek 148 148
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967295``
+
+   Wildcard port used only for flow mod (delete) and flow stats requests.
+
+.. zeek:id:: OpenFlow::OFPP_CONTROLLER
+   :source-code: base/frameworks/openflow/consts.zeek 144 144
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967293``
+
+   Send to controller.
+
+.. zeek:id:: OpenFlow::OFPP_FLOOD
+   :source-code: base/frameworks/openflow/consts.zeek 140 140
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967291``
+
+   All physical ports except input port and
+   those disabled by STP.
+
+.. zeek:id:: OpenFlow::OFPP_IN_PORT
+   :source-code: base/frameworks/openflow/consts.zeek 131 131
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967288``
+
+   Send the packet out the input port. This
+   virtual port must be explicitly used in
+   order to send back out of the input port.
+
+.. zeek:id:: OpenFlow::OFPP_LOCAL
+   :source-code: base/frameworks/openflow/consts.zeek 146 146
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967294``
+
+   Local openflow "port".
+
+.. zeek:id:: OpenFlow::OFPP_NORMAL
+   :source-code: base/frameworks/openflow/consts.zeek 137 137
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967290``
+
+   Process with normal L2/L3 switching.
+
+.. zeek:id:: OpenFlow::OFPP_TABLE
+   :source-code: base/frameworks/openflow/consts.zeek 135 135
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967289``
+
+   Perform actions in flow table.
+   NB: This can only be the destination port
+   for packet-out messages.
+
+.. zeek:id:: OpenFlow::OFPTT_ALL
+   :source-code: base/frameworks/openflow/consts.zeek 163 163
+
+   :Type: :zeek:type:`count`
+   :Default: ``255``
+
+
+.. zeek:id:: OpenFlow::OFP_NO_BUFFER
+   :source-code: base/frameworks/openflow/consts.zeek 150 150
+
+   :Type: :zeek:type:`count`
+   :Default: ``4294967295``
+
+
+Types
+#####
+.. zeek:type:: OpenFlow::ofp_action_type
+   :source-code: base/frameworks/openflow/consts.zeek 170 198
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: OpenFlow::OFPAT_OUTPUT OpenFlow::ofp_action_type
+
+         Output to switch port.
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_VLAN_VID OpenFlow::ofp_action_type
+
+         Set the 802.1q VLAN id.
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_VLAN_PCP OpenFlow::ofp_action_type
+
+         Set the 802.1q priority.
+
+      .. zeek:enum:: OpenFlow::OFPAT_STRIP_VLAN OpenFlow::ofp_action_type
+
+         Strip the 802.1q header.
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_DL_SRC OpenFlow::ofp_action_type
+
+         Ethernet source address.
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_DL_DST OpenFlow::ofp_action_type
+
+         Ethernet destination address.
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_NW_SRC OpenFlow::ofp_action_type
+
+         IP source address.
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_NW_DST OpenFlow::ofp_action_type
+
+         IP destination address.
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_NW_TOS OpenFlow::ofp_action_type
+
+         IP ToS (DSCP field, 6 bits).
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_TP_SRC OpenFlow::ofp_action_type
+
+         TCP/UDP source port.
+
+      .. zeek:enum:: OpenFlow::OFPAT_SET_TP_DST OpenFlow::ofp_action_type
+
+         TCP/UDP destination port.
+
+      .. zeek:enum:: OpenFlow::OFPAT_ENQUEUE OpenFlow::ofp_action_type
+
+         Output to queue.
+
+      .. zeek:enum:: OpenFlow::OFPAT_VENDOR OpenFlow::ofp_action_type
+
+         Vendor specific.
+
+   Openflow action_type definitions.
+   
+   The openflow action type defines
+   what actions openflow can take
+   to modify a packet
+
+.. zeek:type:: OpenFlow::ofp_config_flags
+   :source-code: base/frameworks/openflow/consts.zeek 219 228
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: OpenFlow::OFPC_FRAG_NORMAL OpenFlow::ofp_config_flags
+
+         No special handling for fragments.
+
+      .. zeek:enum:: OpenFlow::OFPC_FRAG_DROP OpenFlow::ofp_config_flags
+
+         Drop fragments.
+
+      .. zeek:enum:: OpenFlow::OFPC_FRAG_REASM OpenFlow::ofp_config_flags
+
+         Reassemble (only if OFPC_IP_REASM set).
+
+      .. zeek:enum:: OpenFlow::OFPC_FRAG_MASK OpenFlow::ofp_config_flags
+
+   Openflow config flag definitions.
+   
+   TODO: describe
+
+.. zeek:type:: OpenFlow::ofp_flow_mod_command
+   :source-code: base/frameworks/openflow/consts.zeek 203 215
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: OpenFlow::OFPFC_ADD OpenFlow::ofp_flow_mod_command
+
+         New flow.
+
+      .. zeek:enum:: OpenFlow::OFPFC_MODIFY OpenFlow::ofp_flow_mod_command
+
+         Modify all matching flows.
+
+      .. zeek:enum:: OpenFlow::OFPFC_MODIFY_STRICT OpenFlow::ofp_flow_mod_command
+
+         Modify entry strictly matching wildcards.
+
+      .. zeek:enum:: OpenFlow::OFPFC_DELETE OpenFlow::ofp_flow_mod_command
+
+         Delete all matching flows.
+
+      .. zeek:enum:: OpenFlow::OFPFC_DELETE_STRICT OpenFlow::ofp_flow_mod_command
+
+         Strictly matching wildcards and priority.
+
+   Openflow flow_mod_command definitions.
+   
+   The openflow flow_mod_command describes
+   of what kind an action is.
+
+
diff --git a/doc/scripts/base/frameworks/openflow/index.rst b/doc/scripts/base/frameworks/openflow/index.rst
new file mode 100644
index 0000000000..5a34cb88c5
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/index.rst
@@ -0,0 +1,50 @@
+:orphan:
+
+Package: base/frameworks/openflow
+=================================
+
+The OpenFlow framework exposes the data structures and functions
+necessary to interface to OpenFlow capable hardware.
+
+:doc:`/scripts/base/frameworks/openflow/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/openflow/consts.zeek`
+
+   Constants used by the OpenFlow framework.
+
+:doc:`/scripts/base/frameworks/openflow/types.zeek`
+
+   Types used by the OpenFlow framework.
+
+:doc:`/scripts/base/frameworks/openflow/main.zeek`
+
+   Zeek's OpenFlow control framework.
+   
+   This plugin-based framework allows to control OpenFlow capable
+   switches by implementing communication to an OpenFlow controller
+   via plugins. The framework has to be instantiated via the new function
+   in one of the plugins. This framework only offers very low-level
+   functionality; if you want to use OpenFlow capable switches, e.g.,
+   for shunting, please look at the NetControl framework, which provides higher
+   level functions and can use the OpenFlow framework as a backend.
+
+:doc:`/scripts/base/frameworks/openflow/plugins/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/openflow/plugins/ryu.zeek`
+
+   OpenFlow plugin for the Ryu controller.
+
+:doc:`/scripts/base/frameworks/openflow/plugins/log.zeek`
+
+   OpenFlow plugin that outputs flow-modification commands
+   to a Zeek log file.
+
+:doc:`/scripts/base/frameworks/openflow/plugins/broker.zeek`
+
+   OpenFlow plugin for interfacing to controllers via Broker.
+
+:doc:`/scripts/base/frameworks/openflow/non-cluster.zeek`
+
+
diff --git a/doc/scripts/base/frameworks/openflow/main.zeek.rst b/doc/scripts/base/frameworks/openflow/main.zeek.rst
new file mode 100644
index 0000000000..198ae282e4
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/main.zeek.rst
@@ -0,0 +1,279 @@
+:tocdepth: 3
+
+base/frameworks/openflow/main.zeek
+==================================
+.. zeek:namespace:: OpenFlow
+
+Zeek's OpenFlow control framework.
+
+This plugin-based framework allows to control OpenFlow capable
+switches by implementing communication to an OpenFlow controller
+via plugins. The framework has to be instantiated via the new function
+in one of the plugins. This framework only offers very low-level
+functionality; if you want to use OpenFlow capable switches, e.g.,
+for shunting, please look at the NetControl framework, which provides higher
+level functions and can use the OpenFlow framework as a backend.
+
+:Namespace: OpenFlow
+:Imports: :doc:`base/frameworks/openflow/consts.zeek </scripts/base/frameworks/openflow/consts.zeek>`, :doc:`base/frameworks/openflow/types.zeek </scripts/base/frameworks/openflow/types.zeek>`
+
+Summary
+~~~~~~~
+Events
+######
+============================================================= =============================================================================================
+:zeek:id:`OpenFlow::controller_activated`: :zeek:type:`event` Event that is raised once a controller finishes initialization
+                                                              and is completely activated.
+:zeek:id:`OpenFlow::flow_mod_failure`: :zeek:type:`event`     Reports an error while installing a flow Rule.
+:zeek:id:`OpenFlow::flow_mod_success`: :zeek:type:`event`     Event confirming successful modification of a flow rule.
+:zeek:id:`OpenFlow::flow_removed`: :zeek:type:`event`         Reports that a flow was removed by the switch because of either the hard or the idle timeout.
+============================================================= =============================================================================================
+
+Functions
+#########
+================================================================= =====================================================================
+:zeek:id:`OpenFlow::controller_init_done`: :zeek:type:`function`  Function to signal that a controller finished activation and is
+                                                                  ready to use.
+:zeek:id:`OpenFlow::flow_clear`: :zeek:type:`function`            Clear the current flow table of the controller.
+:zeek:id:`OpenFlow::flow_mod`: :zeek:type:`function`              Global flow_mod function.
+:zeek:id:`OpenFlow::generate_cookie`: :zeek:type:`function`       Function to generate a new cookie using our group id.
+:zeek:id:`OpenFlow::get_cookie_gid`: :zeek:type:`function`        Function to get the group id out of a given cookie.
+:zeek:id:`OpenFlow::get_cookie_uid`: :zeek:type:`function`        Function to get the unique id out of a given cookie.
+:zeek:id:`OpenFlow::lookup_controller`: :zeek:type:`function`     Function to lookup a controller instance by name.
+:zeek:id:`OpenFlow::match_conn`: :zeek:type:`function`            Convert a conn_id record into an ofp_match record that can be used to
+                                                                  create match objects for OpenFlow.
+:zeek:id:`OpenFlow::register_controller`: :zeek:type:`function`   Function to register a controller instance.
+:zeek:id:`OpenFlow::unregister_controller`: :zeek:type:`function` Function to unregister a controller instance.
+================================================================= =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: OpenFlow::controller_activated
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 433 437
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, controller: :zeek:type:`OpenFlow::Controller`)
+
+   Event that is raised once a controller finishes initialization
+   and is completely activated.
+
+   :param name: Unique name of this controller instance.
+   
+
+   :param controller: The controller that finished activation.
+
+.. zeek:id:: OpenFlow::flow_mod_failure
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 383 394
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, match: :zeek:type:`OpenFlow::ofp_match`, flow_mod: :zeek:type:`OpenFlow::ofp_flow_mod`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
+
+   Reports an error while installing a flow Rule.
+   
+
+   :param name: The unique name of the OpenFlow controller from which this event originated.
+   
+
+   :param match: The ofp_match record which describes the flow to match.
+   
+
+   :param flow_mod: The openflow flow_mod record which describes the action to take.
+   
+
+   :param msg: Message to describe the event.
+
+.. zeek:id:: OpenFlow::flow_mod_success
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 356 381
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, match: :zeek:type:`OpenFlow::ofp_match`, flow_mod: :zeek:type:`OpenFlow::ofp_flow_mod`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
+
+   Event confirming successful modification of a flow rule.
+   
+
+   :param name: The unique name of the OpenFlow controller from which this event originated.
+   
+
+   :param match: The ofp_match record which describes the flow to match.
+   
+
+   :param flow_mod: The openflow flow_mod record which describes the action to take.
+   
+
+   :param msg: An optional informational message by the plugin.
+
+.. zeek:id:: OpenFlow::flow_removed
+   :source-code: base/frameworks/netcontrol/plugins/openflow.zeek 396 418
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, match: :zeek:type:`OpenFlow::ofp_match`, cookie: :zeek:type:`count`, priority: :zeek:type:`count`, reason: :zeek:type:`count`, duration_sec: :zeek:type:`count`, idle_timeout: :zeek:type:`count`, packet_count: :zeek:type:`count`, byte_count: :zeek:type:`count`)
+
+   Reports that a flow was removed by the switch because of either the hard or the idle timeout.
+   This message is only generated by controllers that indicate that they support flow removal
+   in supports_flow_removed.
+   
+
+   :param name: The unique name of the OpenFlow controller from which this event originated.
+   
+
+   :param match: The ofp_match record which was used to create the flow.
+   
+
+   :param cookie: The cookie that was specified when creating the flow.
+   
+
+   :param priority: The priority that was specified when creating the flow.
+   
+
+   :param reason: The reason for flow removal (OFPRR_*).
+   
+
+   :param duration_sec: Duration of the flow in seconds.
+   
+
+   :param packet_count: Packet count of the flow.
+   
+
+   :param byte_count: Byte count of the flow.
+
+Functions
+#########
+.. zeek:id:: OpenFlow::controller_init_done
+   :source-code: base/frameworks/openflow/main.zeek 242 252
+
+   :Type: :zeek:type:`function` (controller: :zeek:type:`OpenFlow::Controller`) : :zeek:type:`void`
+
+   Function to signal that a controller finished activation and is
+   ready to use. Will throw the ``OpenFlow::controller_activated``
+   event.
+
+.. zeek:id:: OpenFlow::flow_clear
+   :source-code: base/frameworks/openflow/non-cluster.zeek 17 26
+
+   :Type: :zeek:type:`function` (controller: :zeek:type:`OpenFlow::Controller`) : :zeek:type:`bool`
+
+   Clear the current flow table of the controller.
+   
+
+   :param controller: The controller which should execute the flow modification.
+   
+
+   :returns: F on error or if the plugin does not support the operation, T when the operation was queued.
+
+.. zeek:id:: OpenFlow::flow_mod
+   :source-code: base/frameworks/openflow/non-cluster.zeek 6 15
+
+   :Type: :zeek:type:`function` (controller: :zeek:type:`OpenFlow::Controller`, match: :zeek:type:`OpenFlow::ofp_match`, flow_mod: :zeek:type:`OpenFlow::ofp_flow_mod`) : :zeek:type:`bool`
+
+   Global flow_mod function.
+   
+
+   :param controller: The controller which should execute the flow modification.
+   
+
+   :param match: The ofp_match record which describes the flow to match.
+   
+
+   :param flow_mod: The openflow flow_mod record which describes the action to take.
+   
+
+   :returns: F on error or if the plugin does not support the operation, T when the operation was queued.
+
+.. zeek:id:: OpenFlow::generate_cookie
+   :source-code: base/frameworks/openflow/main.zeek 199 209
+
+   :Type: :zeek:type:`function` (cookie: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`) : :zeek:type:`count`
+
+   Function to generate a new cookie using our group id.
+   
+
+   :param cookie: The openflow match cookie.
+   
+
+   :returns: The cookie group id.
+
+.. zeek:id:: OpenFlow::get_cookie_gid
+   :source-code: base/frameworks/openflow/main.zeek 230 240
+
+   :Type: :zeek:type:`function` (cookie: :zeek:type:`count`) : :zeek:type:`count`
+
+   Function to get the group id out of a given cookie.
+   
+
+   :param cookie: The openflow match cookie.
+   
+
+   :returns: The cookie group id.
+
+.. zeek:id:: OpenFlow::get_cookie_uid
+   :source-code: base/frameworks/openflow/main.zeek 222 228
+
+   :Type: :zeek:type:`function` (cookie: :zeek:type:`count`) : :zeek:type:`count`
+
+   Function to get the unique id out of a given cookie.
+   
+
+   :param cookie: The openflow match cookie.
+   
+
+   :returns: The cookie unique id.
+
+.. zeek:id:: OpenFlow::lookup_controller
+   :source-code: base/frameworks/openflow/non-cluster.zeek 41 44
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`vector` of :zeek:type:`OpenFlow::Controller`
+
+   Function to lookup a controller instance by name.
+   
+
+   :param name: Unique name of the controller to look up.
+   
+
+   :returns: One element vector with controller, if found. Empty vector otherwise.
+
+.. zeek:id:: OpenFlow::match_conn
+   :source-code: base/frameworks/openflow/main.zeek 153 194
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`, reverse: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`OpenFlow::ofp_match`
+
+   Convert a conn_id record into an ofp_match record that can be used to
+   create match objects for OpenFlow.
+   
+
+   :param id: The conn_id record that describes the record.
+   
+
+   :param reverse: Reverse the sources and destinations when creating the match record (default F).
+   
+
+   :returns: ofp_match object for the conn_id record.
+
+.. zeek:id:: OpenFlow::register_controller
+   :source-code: base/frameworks/openflow/non-cluster.zeek 28 34
+
+   :Type: :zeek:type:`function` (tpe: :zeek:type:`OpenFlow::Plugin`, name: :zeek:type:`string`, controller: :zeek:type:`OpenFlow::Controller`) : :zeek:type:`void`
+
+   Function to register a controller instance. This function
+   is called automatically by the plugin _new functions.
+   
+
+   :param tpe: Type of this plugin.
+   
+
+   :param name: Unique name of this controller instance.
+   
+
+   :param controller: The controller to register.
+
+.. zeek:id:: OpenFlow::unregister_controller
+   :source-code: base/frameworks/openflow/non-cluster.zeek 36 39
+
+   :Type: :zeek:type:`function` (controller: :zeek:type:`OpenFlow::Controller`) : :zeek:type:`void`
+
+   Function to unregister a controller instance. This function
+   should be called when a specific controller should no longer
+   be used.
+   
+
+   :param controller: The controller to unregister.
+
+
diff --git a/doc/scripts/base/frameworks/openflow/non-cluster.zeek.rst b/doc/scripts/base/frameworks/openflow/non-cluster.zeek.rst
new file mode 100644
index 0000000000..3c4b5297cc
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/non-cluster.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/frameworks/openflow/non-cluster.zeek
+=========================================
+.. zeek:namespace:: OpenFlow
+
+
+:Namespace: OpenFlow
+:Imports: :doc:`base/frameworks/openflow/main.zeek </scripts/base/frameworks/openflow/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/openflow/plugins/__load__.zeek.rst b/doc/scripts/base/frameworks/openflow/plugins/__load__.zeek.rst
new file mode 100644
index 0000000000..ef5c429a8a
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/plugins/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/openflow/plugins/__load__.zeek
+==============================================
+
+
+:Imports: :doc:`base/frameworks/openflow/plugins/broker.zeek </scripts/base/frameworks/openflow/plugins/broker.zeek>`, :doc:`base/frameworks/openflow/plugins/log.zeek </scripts/base/frameworks/openflow/plugins/log.zeek>`, :doc:`base/frameworks/openflow/plugins/ryu.zeek </scripts/base/frameworks/openflow/plugins/ryu.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/openflow/plugins/broker.zeek.rst b/doc/scripts/base/frameworks/openflow/plugins/broker.zeek.rst
new file mode 100644
index 0000000000..b040e4bcbc
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/plugins/broker.zeek.rst
@@ -0,0 +1,91 @@
+:tocdepth: 3
+
+base/frameworks/openflow/plugins/broker.zeek
+============================================
+.. zeek:namespace:: OpenFlow
+
+OpenFlow plugin for interfacing to controllers via Broker.
+
+:Namespace: OpenFlow
+:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=============================================================================== ==========================================================
+:zeek:type:`OpenFlow::ControllerState`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                                                
+                                                                                :New Fields: :zeek:type:`OpenFlow::ControllerState`
+                                                                                
+                                                                                  broker_host: :zeek:type:`addr` :zeek:attr:`&optional`
+                                                                                    Controller ip.
+                                                                                
+                                                                                  broker_port: :zeek:type:`port` :zeek:attr:`&optional`
+                                                                                    Controller listen port.
+                                                                                
+                                                                                  broker_dpid: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                                    OpenFlow switch datapath id.
+                                                                                
+                                                                                  broker_topic: :zeek:type:`string` :zeek:attr:`&optional`
+                                                                                    Topic to send events for this controller to.
+:zeek:type:`OpenFlow::Plugin`: :zeek:type:`enum`                                
+                                                                                
+                                                                                * :zeek:enum:`OpenFlow::BROKER`
+=============================================================================== ==========================================================
+
+Events
+######
+========================================================== =
+:zeek:id:`OpenFlow::broker_flow_clear`: :zeek:type:`event` 
+:zeek:id:`OpenFlow::broker_flow_mod`: :zeek:type:`event`   
+========================================================== =
+
+Functions
+#########
+====================================================== ==============================
+:zeek:id:`OpenFlow::broker_new`: :zeek:type:`function` Broker controller constructor.
+====================================================== ==============================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: OpenFlow::broker_flow_clear
+   :source-code: base/frameworks/openflow/plugins/broker.zeek 38 38
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, dpid: :zeek:type:`count`)
+
+
+.. zeek:id:: OpenFlow::broker_flow_mod
+   :source-code: base/frameworks/openflow/plugins/broker.zeek 37 37
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, dpid: :zeek:type:`count`, match: :zeek:type:`OpenFlow::ofp_match`, flow_mod: :zeek:type:`OpenFlow::ofp_flow_mod`)
+
+
+Functions
+#########
+.. zeek:id:: OpenFlow::broker_new
+   :source-code: base/frameworks/openflow/plugins/broker.zeek 82 95
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`, host: :zeek:type:`addr`, host_port: :zeek:type:`port`, topic: :zeek:type:`string`, dpid: :zeek:type:`count`) : :zeek:type:`OpenFlow::Controller`
+
+   Broker controller constructor.
+   
+
+   :param host: Controller ip.
+   
+
+   :param host_port: Controller listen port.
+   
+
+   :param topic: Broker topic to send messages to.
+   
+
+   :param dpid: OpenFlow switch datapath id.
+   
+
+   :returns: OpenFlow::Controller record.
+
+
diff --git a/doc/scripts/base/frameworks/openflow/plugins/index.rst b/doc/scripts/base/frameworks/openflow/plugins/index.rst
new file mode 100644
index 0000000000..2cde50410f
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/plugins/index.rst
@@ -0,0 +1,23 @@
+:orphan:
+
+Package: base/frameworks/openflow/plugins
+=========================================
+
+Plugins for the OpenFlow framework.
+
+:doc:`/scripts/base/frameworks/openflow/plugins/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/openflow/plugins/ryu.zeek`
+
+   OpenFlow plugin for the Ryu controller.
+
+:doc:`/scripts/base/frameworks/openflow/plugins/log.zeek`
+
+   OpenFlow plugin that outputs flow-modification commands
+   to a Zeek log file.
+
+:doc:`/scripts/base/frameworks/openflow/plugins/broker.zeek`
+
+   OpenFlow plugin for interfacing to controllers via Broker.
+
diff --git a/doc/scripts/base/frameworks/openflow/plugins/log.zeek.rst b/doc/scripts/base/frameworks/openflow/plugins/log.zeek.rst
new file mode 100644
index 0000000000..227eacb46b
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/plugins/log.zeek.rst
@@ -0,0 +1,129 @@
+:tocdepth: 3
+
+base/frameworks/openflow/plugins/log.zeek
+=========================================
+.. zeek:namespace:: OpenFlow
+
+OpenFlow plugin that outputs flow-modification commands
+to a Zeek log file.
+
+:Namespace: OpenFlow
+:Imports: :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`, :doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
+
+Summary
+~~~~~~~
+Types
+#####
+================================================ =================================================================
+:zeek:type:`OpenFlow::Info`: :zeek:type:`record` The record type which contains column fields of the OpenFlow log.
+================================================ =================================================================
+
+Redefinitions
+#############
+=============================================================================== =============================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                                         
+                                                                                
+                                                                                * :zeek:enum:`OpenFlow::LOG`
+:zeek:type:`OpenFlow::ControllerState`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                                                
+                                                                                :New Fields: :zeek:type:`OpenFlow::ControllerState`
+                                                                                
+                                                                                  log_dpid: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                                    OpenFlow switch datapath id.
+                                                                                
+                                                                                  log_success_event: :zeek:type:`bool` :zeek:attr:`&optional`
+                                                                                    Raise or do not raise success event.
+:zeek:type:`OpenFlow::Plugin`: :zeek:type:`enum`                                
+                                                                                
+                                                                                * :zeek:enum:`OpenFlow::OFLOG`
+=============================================================================== =============================================================
+
+Events
+######
+===================================================== ===================================================================
+:zeek:id:`OpenFlow::log_openflow`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`OpenFlow::Info`
+                                                      record as it is sent on to the logging framework.
+===================================================== ===================================================================
+
+Hooks
+#####
+============================================================= =
+:zeek:id:`OpenFlow::log_policy`: :zeek:type:`Log::PolicyHook` 
+============================================================= =
+
+Functions
+#########
+=================================================== ===========================
+:zeek:id:`OpenFlow::log_new`: :zeek:type:`function` Log controller constructor.
+=================================================== ===========================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: OpenFlow::Info
+   :source-code: base/frameworks/openflow/plugins/log.zeek 35 44
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Network time.
+
+
+   .. zeek:field:: dpid :zeek:type:`count` :zeek:attr:`&log`
+
+      OpenFlow switch datapath id.
+
+
+   .. zeek:field:: match :zeek:type:`OpenFlow::ofp_match` :zeek:attr:`&log`
+
+      OpenFlow match fields.
+
+
+   .. zeek:field:: flow_mod :zeek:type:`OpenFlow::ofp_flow_mod` :zeek:attr:`&log`
+
+      OpenFlow modify flow entry message.
+
+
+   The record type which contains column fields of the OpenFlow log.
+
+Events
+######
+.. zeek:id:: OpenFlow::log_openflow
+   :source-code: base/frameworks/openflow/plugins/log.zeek 48 48
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`OpenFlow::Info`)
+
+   Event that can be handled to access the :zeek:type:`OpenFlow::Info`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: OpenFlow::log_policy
+   :source-code: base/frameworks/openflow/plugins/log.zeek 16 16
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+Functions
+#########
+.. zeek:id:: OpenFlow::log_new
+   :source-code: base/frameworks/openflow/plugins/log.zeek 70 78
+
+   :Type: :zeek:type:`function` (dpid: :zeek:type:`count`, success_event: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`) : :zeek:type:`OpenFlow::Controller`
+
+   Log controller constructor.
+   
+
+   :param dpid: OpenFlow switch datapath id.
+   
+
+   :param success_event: If true, flow_mod_success is raised for each logged line.
+   
+
+   :returns: OpenFlow::Controller record.
+
+
diff --git a/doc/scripts/base/frameworks/openflow/plugins/ryu.zeek.rst b/doc/scripts/base/frameworks/openflow/plugins/ryu.zeek.rst
new file mode 100644
index 0000000000..9561538ce3
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/plugins/ryu.zeek.rst
@@ -0,0 +1,67 @@
+:tocdepth: 3
+
+base/frameworks/openflow/plugins/ryu.zeek
+=========================================
+.. zeek:namespace:: OpenFlow
+
+OpenFlow plugin for the Ryu controller.
+
+:Namespace: OpenFlow
+:Imports: :doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`, :doc:`base/utils/active-http.zeek </scripts/base/utils/active-http.zeek>`, :doc:`base/utils/exec.zeek </scripts/base/utils/exec.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=============================================================================== ===================================================================================
+:zeek:type:`OpenFlow::ControllerState`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                                                
+                                                                                :New Fields: :zeek:type:`OpenFlow::ControllerState`
+                                                                                
+                                                                                  ryu_host: :zeek:type:`addr` :zeek:attr:`&optional`
+                                                                                    Controller ip.
+                                                                                
+                                                                                  ryu_port: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                                    Controller listen port.
+                                                                                
+                                                                                  ryu_dpid: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                                    OpenFlow switch datapath id.
+                                                                                
+                                                                                  ryu_debug: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                                                    Enable debug mode - output JSON to stdout; do not perform actions.
+:zeek:type:`OpenFlow::Plugin`: :zeek:type:`enum`                                
+                                                                                
+                                                                                * :zeek:enum:`OpenFlow::RYU`
+=============================================================================== ===================================================================================
+
+Functions
+#########
+=================================================== ===========================
+:zeek:id:`OpenFlow::ryu_new`: :zeek:type:`function` Ryu controller constructor.
+=================================================== ===========================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: OpenFlow::ryu_new
+   :source-code: base/frameworks/openflow/plugins/ryu.zeek 181 189
+
+   :Type: :zeek:type:`function` (host: :zeek:type:`addr`, host_port: :zeek:type:`count`, dpid: :zeek:type:`count`) : :zeek:type:`OpenFlow::Controller`
+
+   Ryu controller constructor.
+   
+
+   :param host: Controller ip.
+   
+
+   :param host_port: Controller listen port.
+   
+
+   :param dpid: OpenFlow switch datapath id.
+   
+
+   :returns: OpenFlow::Controller record.
+
+
diff --git a/doc/scripts/base/frameworks/openflow/types.zeek.rst b/doc/scripts/base/frameworks/openflow/types.zeek.rst
new file mode 100644
index 0000000000..b75d6f4d6d
--- /dev/null
+++ b/doc/scripts/base/frameworks/openflow/types.zeek.rst
@@ -0,0 +1,368 @@
+:tocdepth: 3
+
+base/frameworks/openflow/types.zeek
+===================================
+.. zeek:namespace:: OpenFlow
+
+Types used by the OpenFlow framework.
+
+:Namespace: OpenFlow
+:Imports: :doc:`base/frameworks/openflow/consts.zeek </scripts/base/frameworks/openflow/consts.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+=============================================================================== ===============================================================
+:zeek:type:`OpenFlow::Controller`: :zeek:type:`record`                          Controller record representing an openflow controller.
+:zeek:type:`OpenFlow::ControllerState`: :zeek:type:`record` :zeek:attr:`&redef` Controller related state.
+:zeek:type:`OpenFlow::Plugin`: :zeek:type:`enum`                                Available openflow plugins.
+:zeek:type:`OpenFlow::ofp_flow_action`: :zeek:type:`record` :zeek:attr:`&log`   The actions that can be taken in a flow.
+:zeek:type:`OpenFlow::ofp_flow_mod`: :zeek:type:`record` :zeek:attr:`&log`      Openflow flow_mod definition, describing the action to perform.
+:zeek:type:`OpenFlow::ofp_match`: :zeek:type:`record` :zeek:attr:`&log`         Openflow match definition.
+=============================================================================== ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: OpenFlow::Controller
+   :source-code: base/frameworks/openflow/types.zeek 116 131
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: state :zeek:type:`OpenFlow::ControllerState`
+
+      Controller related state.
+
+
+   .. zeek:field:: supports_flow_removed :zeek:type:`bool`
+
+      Does the controller support the flow_removed event?
+
+
+   .. zeek:field:: describe :zeek:type:`function` (state: :zeek:type:`OpenFlow::ControllerState`) : :zeek:type:`string`
+
+      Function that describes the controller. Has to be implemented.
+
+
+   .. zeek:field:: init :zeek:type:`function` (state: :zeek:type:`OpenFlow::ControllerState`) : :zeek:type:`void` :zeek:attr:`&optional`
+
+      One-time initialization function. If defined, controller_init_done has to be called once initialization finishes.
+
+
+   .. zeek:field:: destroy :zeek:type:`function` (state: :zeek:type:`OpenFlow::ControllerState`) : :zeek:type:`void` :zeek:attr:`&optional`
+
+      One-time destruction function.
+
+
+   .. zeek:field:: flow_mod :zeek:type:`function` (state: :zeek:type:`OpenFlow::ControllerState`, match: :zeek:type:`OpenFlow::ofp_match`, flow_mod: :zeek:type:`OpenFlow::ofp_flow_mod`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      flow_mod function.
+
+
+   .. zeek:field:: flow_clear :zeek:type:`function` (state: :zeek:type:`OpenFlow::ControllerState`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      flow_clear function.
+
+
+   Controller record representing an openflow controller.
+
+.. zeek:type:: OpenFlow::ControllerState
+   :source-code: base/frameworks/openflow/types.zeek 17 24
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: _plugin :zeek:type:`OpenFlow::Plugin` :zeek:attr:`&optional`
+
+      Internally set to the type of plugin used.
+
+
+   .. zeek:field:: _name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Internally set to the unique name of the controller.
+
+
+   .. zeek:field:: _activated :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Internally set to true once the controller is activated.
+
+
+   .. zeek:field:: ryu_host :zeek:type:`addr` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/ryu.zeek` is loaded)
+
+      Controller ip.
+
+
+   .. zeek:field:: ryu_port :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/ryu.zeek` is loaded)
+
+      Controller listen port.
+
+
+   .. zeek:field:: ryu_dpid :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/ryu.zeek` is loaded)
+
+      OpenFlow switch datapath id.
+
+
+   .. zeek:field:: ryu_debug :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/ryu.zeek` is loaded)
+
+      Enable debug mode - output JSON to stdout; do not perform actions.
+
+
+   .. zeek:field:: log_dpid :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/log.zeek` is loaded)
+
+      OpenFlow switch datapath id.
+
+
+   .. zeek:field:: log_success_event :zeek:type:`bool` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/log.zeek` is loaded)
+
+      Raise or do not raise success event.
+
+
+   .. zeek:field:: broker_host :zeek:type:`addr` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/broker.zeek` is loaded)
+
+      Controller ip.
+
+
+   .. zeek:field:: broker_port :zeek:type:`port` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/broker.zeek` is loaded)
+
+      Controller listen port.
+
+
+   .. zeek:field:: broker_dpid :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/broker.zeek` is loaded)
+
+      OpenFlow switch datapath id.
+
+
+   .. zeek:field:: broker_topic :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/openflow/plugins/broker.zeek` is loaded)
+
+      Topic to send events for this controller to.
+
+   :Attributes: :zeek:attr:`&redef`
+
+   Controller related state.
+   Can be redefined by plugins to
+   add state.
+
+.. zeek:type:: OpenFlow::Plugin
+   :source-code: base/frameworks/openflow/types.zeek 9 13
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: OpenFlow::INVALID OpenFlow::Plugin
+
+         Internal placeholder plugin.
+
+      .. zeek:enum:: OpenFlow::RYU OpenFlow::Plugin
+
+         (present if :doc:`/scripts/base/frameworks/openflow/plugins/ryu.zeek` is loaded)
+
+
+      .. zeek:enum:: OpenFlow::OFLOG OpenFlow::Plugin
+
+         (present if :doc:`/scripts/base/frameworks/openflow/plugins/log.zeek` is loaded)
+
+
+      .. zeek:enum:: OpenFlow::BROKER OpenFlow::Plugin
+
+         (present if :doc:`/scripts/base/frameworks/openflow/plugins/broker.zeek` is loaded)
+
+
+   Available openflow plugins.
+
+.. zeek:type:: OpenFlow::ofp_flow_action
+   :source-code: base/frameworks/openflow/types.zeek 62 85
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: out_ports :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Output ports to send data to.
+
+
+   .. zeek:field:: vlan_vid :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set vlan vid to this value.
+
+
+   .. zeek:field:: vlan_pcp :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set vlan priority to this value.
+
+
+   .. zeek:field:: vlan_strip :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Strip vlan tag.
+
+
+   .. zeek:field:: dl_src :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set ethernet source address.
+
+
+   .. zeek:field:: dl_dst :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set ethernet destination address.
+
+
+   .. zeek:field:: nw_tos :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set ip tos to this value.
+
+
+   .. zeek:field:: nw_src :zeek:type:`addr` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set source to this ip.
+
+
+   .. zeek:field:: nw_dst :zeek:type:`addr` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set destination to this ip.
+
+
+   .. zeek:field:: tp_src :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set tcp/udp source port.
+
+
+   .. zeek:field:: tp_dst :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Set tcp/udp destination port.
+
+   :Attributes: :zeek:attr:`&log`
+
+   The actions that can be taken in a flow.
+   (Separate record to make ofp_flow_mod less crowded)
+
+.. zeek:type:: OpenFlow::ofp_flow_mod
+   :source-code: base/frameworks/openflow/types.zeek 88 113
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cookie :zeek:type:`count` :zeek:attr:`&log`
+
+      Opaque controller-issued identifier.
+
+
+   .. zeek:field:: table_id :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Table to put the flow in. OFPTT_ALL can be used for delete,
+      to delete flows from all matching tables.
+
+
+   .. zeek:field:: command :zeek:type:`OpenFlow::ofp_flow_mod_command` :zeek:attr:`&log`
+
+      One of OFPFC_*.
+
+
+   .. zeek:field:: idle_timeout :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Idle time before discarding (seconds).
+
+
+   .. zeek:field:: hard_timeout :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Max time before discarding (seconds).
+
+
+   .. zeek:field:: priority :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Priority level of flow entry.
+
+
+   .. zeek:field:: out_port :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      For OFPFC_DELETE* commands, require matching entry to include
+      this as an output port/group. OFPP_ANY/OFPG_ANY means no restrictions.
+
+
+   .. zeek:field:: out_group :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: flags :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Bitmap of the OFPFF_* flags
+
+
+   .. zeek:field:: actions :zeek:type:`OpenFlow::ofp_flow_action` :zeek:attr:`&default` = *...* :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Actions to take on match
+
+   :Attributes: :zeek:attr:`&log`
+
+   Openflow flow_mod definition, describing the action to perform.
+
+.. zeek:type:: OpenFlow::ofp_match
+   :source-code: base/frameworks/openflow/types.zeek 31 58
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: in_port :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: dl_src :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: dl_dst :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: dl_vlan :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: dl_vlan_pcp :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: dl_type :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: nw_tos :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: nw_proto :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: nw_src :zeek:type:`subnet` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: nw_dst :zeek:type:`subnet` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: tp_src :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: tp_dst :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+   :Attributes: :zeek:attr:`&log`
+
+   Openflow match definition.
+   
+   The openflow match record describes
+   which packets match to a specific
+   rule in a flow table.
+
+
diff --git a/doc/scripts/base/frameworks/packet-filter/__load__.zeek.rst b/doc/scripts/base/frameworks/packet-filter/__load__.zeek.rst
new file mode 100644
index 0000000000..86cbe3209b
--- /dev/null
+++ b/doc/scripts/base/frameworks/packet-filter/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/packet-filter/__load__.zeek
+===========================================
+
+
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/packet-filter/main.zeek </scripts/base/frameworks/packet-filter/main.zeek>`, :doc:`base/frameworks/packet-filter/netstats.zeek </scripts/base/frameworks/packet-filter/netstats.zeek>`, :doc:`base/frameworks/packet-filter/utils.zeek </scripts/base/frameworks/packet-filter/utils.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/packet-filter/index.rst b/doc/scripts/base/frameworks/packet-filter/index.rst
new file mode 100644
index 0000000000..a120933a17
--- /dev/null
+++ b/doc/scripts/base/frameworks/packet-filter/index.rst
@@ -0,0 +1,27 @@
+:orphan:
+
+Package: base/frameworks/packet-filter
+======================================
+
+The packet filter framework supports how Zeek sets its BPF capture filter.
+
+:doc:`/scripts/base/frameworks/packet-filter/utils.zeek`
+
+
+:doc:`/scripts/base/frameworks/packet-filter/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/packet-filter/main.zeek`
+
+   This script supports how Zeek sets its BPF capture filter.  By default
+   Zeek sets a capture filter that allows all traffic.  If a filter
+   is set on the command line, that filter takes precedence over the default
+   open filter and all filters defined in Zeek scripts with the
+   :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables.
+
+:doc:`/scripts/base/frameworks/packet-filter/netstats.zeek`
+
+   This script reports on packet loss from the various packet sources.
+   When Zeek is reading input from trace files, this script will not
+   report any packet loss statistics.
+
diff --git a/doc/scripts/base/frameworks/packet-filter/main.zeek.rst b/doc/scripts/base/frameworks/packet-filter/main.zeek.rst
new file mode 100644
index 0000000000..3b91a75e80
--- /dev/null
+++ b/doc/scripts/base/frameworks/packet-filter/main.zeek.rst
@@ -0,0 +1,301 @@
+:tocdepth: 3
+
+base/frameworks/packet-filter/main.zeek
+=======================================
+.. zeek:namespace:: PacketFilter
+
+This script supports how Zeek sets its BPF capture filter.  By default
+Zeek sets a capture filter that allows all traffic.  If a filter
+is set on the command line, that filter takes precedence over the default
+open filter and all filters defined in Zeek scripts with the
+:zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables.
+
+:Namespace: PacketFilter
+:Imports: :doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/packet-filter/utils.zeek </scripts/base/frameworks/packet-filter/utils.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+==================================================================================================== ===============================================================================
+:zeek:id:`PacketFilter::default_capture_filter`: :zeek:type:`string` :zeek:attr:`&redef`             The BPF filter that is used by default to define what traffic should
+                                                                                                     be captured.
+:zeek:id:`PacketFilter::enable_auto_protocol_capture_filters`: :zeek:type:`bool` :zeek:attr:`&redef` Enables the old filtering approach of "only watch common ports for
+                                                                                                     analyzed protocols".
+:zeek:id:`PacketFilter::max_filter_compile_time`: :zeek:type:`interval` :zeek:attr:`&redef`          The maximum amount of time that you'd like to allow for BPF filters to compile.
+:zeek:id:`PacketFilter::restricted_filter`: :zeek:type:`string` :zeek:attr:`&redef`                  Filter string which is unconditionally and'ed to the beginning of
+                                                                                                     every dynamically built filter.
+:zeek:id:`PacketFilter::unrestricted_filter`: :zeek:type:`string` :zeek:attr:`&redef`                Filter string which is unconditionally or'ed to the beginning of
+                                                                                                     every dynamically built filter.
+==================================================================================================== ===============================================================================
+
+State Variables
+###############
+============================================================ ===================================================================
+:zeek:id:`PacketFilter::current_filter`: :zeek:type:`string` This is where the default packet filter is stored and it should not
+                                                             normally be modified by users.
+============================================================ ===================================================================
+
+Types
+#####
+============================================================ ==================================================================
+:zeek:type:`PacketFilter::FilterPlugin`: :zeek:type:`record` A data structure to represent filter generating plugins.
+:zeek:type:`PacketFilter::Info`: :zeek:type:`record`         The record type defining columns to be logged in the packet filter
+                                                             logging stream.
+============================================================ ==================================================================
+
+Redefinitions
+#############
+============================================ =================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      Add the packet filter logging stream.
+                                             
+                                             * :zeek:enum:`PacketFilter::LOG`
+:zeek:type:`Notice::Type`: :zeek:type:`enum` Add notice types related to packet filter errors.
+                                             
+                                             * :zeek:enum:`PacketFilter::Compile_Failure`:
+                                               This notice is generated if a packet filter cannot be compiled.
+                                             
+                                             * :zeek:enum:`PacketFilter::Install_Failure`:
+                                               Generated if a packet filter fails to install.
+                                             
+                                             * :zeek:enum:`PacketFilter::Too_Long_To_Compile_Filter`:
+                                               Generated when a notice takes too long to compile.
+:zeek:type:`PcapFilterID`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`PacketFilter::DefaultPcapFilter`
+                                             
+                                             * :zeek:enum:`PacketFilter::FilterTester`
+============================================ =================================================================
+
+Hooks
+#####
+================================================================= =============================================
+:zeek:id:`PacketFilter::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+================================================================= =============================================
+
+Functions
+#########
+====================================================================== ======================================================================
+:zeek:id:`PacketFilter::exclude`: :zeek:type:`function`                Install a BPF filter to exclude some traffic.
+:zeek:id:`PacketFilter::exclude_for`: :zeek:type:`function`            Install a temporary filter to traffic which should not be passed
+                                                                       through the BPF filter.
+:zeek:id:`PacketFilter::install`: :zeek:type:`function`                Call this function to build and install a new dynamically built
+                                                                       packet filter.
+:zeek:id:`PacketFilter::register_filter_plugin`: :zeek:type:`function` API function to register a new plugin for dynamic restriction filters.
+:zeek:id:`PacketFilter::remove_exclude`: :zeek:type:`function`         Remove a previously added exclude filter fragment by name.
+====================================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketFilter::default_capture_filter
+   :source-code: base/frameworks/packet-filter/main.zeek 59 59
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"ip or not ip"``
+
+   The BPF filter that is used by default to define what traffic should
+   be captured.  Filters defined in :zeek:id:`restrict_filters` will
+   still be applied to reduce the captured traffic.
+
+.. zeek:id:: PacketFilter::enable_auto_protocol_capture_filters
+   :source-code: base/frameworks/packet-filter/main.zeek 131 131
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Enables the old filtering approach of "only watch common ports for
+   analyzed protocols".
+   
+   Unless you know what you are doing, leave this set to F.
+
+.. zeek:id:: PacketFilter::max_filter_compile_time
+   :source-code: base/frameworks/packet-filter/main.zeek 74 74
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100.0 msecs``
+
+   The maximum amount of time that you'd like to allow for BPF filters to compile.
+   If this time is exceeded, compensation measures may be taken by the framework
+   to reduce the filter size.  This threshold being crossed also results
+   in the :zeek:see:`PacketFilter::Too_Long_To_Compile_Filter` notice.
+
+.. zeek:id:: PacketFilter::restricted_filter
+   :source-code: base/frameworks/packet-filter/main.zeek 68 68
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Filter string which is unconditionally and'ed to the beginning of
+   every dynamically built filter.  This is mostly used when a custom
+   filter is being used but MPLS or VLAN tags are on the traffic.
+
+.. zeek:id:: PacketFilter::unrestricted_filter
+   :source-code: base/frameworks/packet-filter/main.zeek 63 63
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Filter string which is unconditionally or'ed to the beginning of
+   every dynamically built filter.
+
+State Variables
+###############
+.. zeek:id:: PacketFilter::current_filter
+   :source-code: base/frameworks/packet-filter/main.zeek 135 135
+
+   :Type: :zeek:type:`string`
+   :Default: ``"<not set yet>"``
+
+   This is where the default packet filter is stored and it should not
+   normally be modified by users.
+
+Types
+#####
+.. zeek:type:: PacketFilter::FilterPlugin
+   :source-code: base/frameworks/packet-filter/main.zeek 119 122
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: func :zeek:type:`function` () : :zeek:type:`void`
+
+      A function that is directly called when generating the complete filter.
+
+
+   A data structure to represent filter generating plugins.
+
+.. zeek:type:: PacketFilter::Info
+   :source-code: base/frameworks/packet-filter/main.zeek 34 54
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The time at which the packet filter installation attempt was made.
+
+
+   .. zeek:field:: node :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      This is a string representation of the node that applied this
+      packet filter.  It's mostly useful in the context of
+      dynamically changing filters on clusters.
+
+
+   .. zeek:field:: filter :zeek:type:`string` :zeek:attr:`&log`
+
+      The packet filter that is being set.
+
+
+   .. zeek:field:: init :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicate if this is the filter set during initialization.
+
+
+   .. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Indicate if the filter was applied successfully.
+
+
+   .. zeek:field:: failure_reason :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A string reason why the filter failed to be created/installed.
+
+
+   The record type defining columns to be logged in the packet filter
+   logging stream.
+
+Hooks
+#####
+.. zeek:id:: PacketFilter::log_policy
+   :source-code: base/frameworks/packet-filter/main.zeek 18 18
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+Functions
+#########
+.. zeek:id:: PacketFilter::exclude
+   :source-code: base/frameworks/packet-filter/main.zeek 222 230
+
+   :Type: :zeek:type:`function` (filter_id: :zeek:type:`string`, filter: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Install a BPF filter to exclude some traffic.  The filter should
+   positively match what is to be excluded, it will be wrapped in
+   a "not".
+   
+
+   :param filter_id: An arbitrary string that can be used to identify
+              the filter.
+   
+
+   :param filter: A BPF expression of traffic that should be excluded.
+   
+
+   :returns: A boolean value to indicate if the filter was successfully
+            installed or not.
+
+.. zeek:id:: PacketFilter::exclude_for
+   :source-code: base/frameworks/packet-filter/main.zeek 232 240
+
+   :Type: :zeek:type:`function` (filter_id: :zeek:type:`string`, filter: :zeek:type:`string`, span: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Install a temporary filter to traffic which should not be passed
+   through the BPF filter.  The filter should match the traffic you
+   don't want to see (it will be wrapped in a "not" condition).
+   
+
+   :param filter_id: An arbitrary string that can be used to identify
+              the filter.
+   
+
+   :param filter: A BPF expression of traffic that should be excluded.
+   
+
+   :param length: The duration for which this filter should be put in place.
+   
+
+   :returns: A boolean value to indicate if the filter was successfully
+            installed or not.
+
+.. zeek:id:: PacketFilter::install
+   :source-code: base/frameworks/packet-filter/main.zeek 287 364
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+   Call this function to build and install a new dynamically built
+   packet filter.
+
+.. zeek:id:: PacketFilter::register_filter_plugin
+   :source-code: base/frameworks/packet-filter/main.zeek 201 204
+
+   :Type: :zeek:type:`function` (fp: :zeek:type:`PacketFilter::FilterPlugin`) : :zeek:type:`void`
+
+   API function to register a new plugin for dynamic restriction filters.
+
+.. zeek:id:: PacketFilter::remove_exclude
+   :source-code: base/frameworks/packet-filter/main.zeek 211 220
+
+   :Type: :zeek:type:`function` (filter_id: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Remove a previously added exclude filter fragment by name. The
+   traffic that was being filtered will be allowed through the filter
+   after calling this function.
+   
+
+   :param filter_id: The name given to the filter fragment which you'd like to remove.
+   
+
+   :returns: A boolean value to indicate if a filter fragment with the given name
+            actually installed.
+
+
diff --git a/doc/scripts/base/frameworks/packet-filter/netstats.zeek.rst b/doc/scripts/base/frameworks/packet-filter/netstats.zeek.rst
new file mode 100644
index 0000000000..30a1d2028c
--- /dev/null
+++ b/doc/scripts/base/frameworks/packet-filter/netstats.zeek.rst
@@ -0,0 +1,44 @@
+:tocdepth: 3
+
+base/frameworks/packet-filter/netstats.zeek
+===========================================
+.. zeek:namespace:: PacketFilter
+
+This script reports on packet loss from the various packet sources.
+When Zeek is reading input from trace files, this script will not
+report any packet loss statistics.
+
+:Namespace: PacketFilter
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Constants
+#########
+========================================================================= ==============================================================
+:zeek:id:`PacketFilter::stats_collection_interval`: :zeek:type:`interval` This is the interval between individual statistics collection.
+========================================================================= ==============================================================
+
+Redefinitions
+#############
+============================================ ======================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`PacketFilter::Dropped_Packets`:
+                                               Indicates packets were dropped by the packet filter.
+============================================ ======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: PacketFilter::stats_collection_interval
+   :source-code: base/frameworks/packet-filter/netstats.zeek 16 16
+
+   :Type: :zeek:type:`interval`
+   :Default: ``5.0 mins``
+
+   This is the interval between individual statistics collection.
+
+
diff --git a/doc/scripts/base/frameworks/packet-filter/utils.zeek.rst b/doc/scripts/base/frameworks/packet-filter/utils.zeek.rst
new file mode 100644
index 0000000000..4fa827d965
--- /dev/null
+++ b/doc/scripts/base/frameworks/packet-filter/utils.zeek.rst
@@ -0,0 +1,76 @@
+:tocdepth: 3
+
+base/frameworks/packet-filter/utils.zeek
+========================================
+.. zeek:namespace:: PacketFilter
+
+
+:Namespace: PacketFilter
+
+Summary
+~~~~~~~
+Functions
+#########
+=============================================================== ==================================================================
+:zeek:id:`PacketFilter::combine_filters`: :zeek:type:`function` Combines two valid BPF filter strings with a string based operator
+                                                                to form a new filter.
+:zeek:id:`PacketFilter::port_to_bpf`: :zeek:type:`function`     Takes a :zeek:type:`port` and returns a BPF expression which will
+                                                                match the port.
+:zeek:id:`PacketFilter::sampling_filter`: :zeek:type:`function` Create a BPF filter to sample IPv4 and IPv6 traffic.
+=============================================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: PacketFilter::combine_filters
+   :source-code: base/frameworks/packet-filter/utils.zeek 40 50
+
+   :Type: :zeek:type:`function` (lfilter: :zeek:type:`string`, op: :zeek:type:`string`, rfilter: :zeek:type:`string`) : :zeek:type:`string`
+
+   Combines two valid BPF filter strings with a string based operator
+   to form a new filter.
+   
+
+   :param lfilter: Filter which will go on the left side.
+   
+
+   :param op: Operation being applied (typically "or" or "and").
+   
+
+   :param rfilter: Filter which will go on the right side.
+   
+
+   :returns: A new string representing the two filters combined with
+            the operator.  Either filter being an empty string will
+            still result in a valid filter.
+
+.. zeek:id:: PacketFilter::port_to_bpf
+   :source-code: base/frameworks/packet-filter/utils.zeek 34 38
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`port`) : :zeek:type:`string`
+
+   Takes a :zeek:type:`port` and returns a BPF expression which will
+   match the port.
+   
+
+   :param p: The port.
+   
+
+   :returns: A valid BPF filter string for matching the port.
+
+.. zeek:id:: PacketFilter::sampling_filter
+   :source-code: base/frameworks/packet-filter/utils.zeek 52 58
+
+   :Type: :zeek:type:`function` (num_parts: :zeek:type:`count`, this_part: :zeek:type:`count`) : :zeek:type:`string`
+
+   Create a BPF filter to sample IPv4 and IPv6 traffic.
+   
+
+   :param num_parts: The number of parts the traffic should be split into.
+   
+
+   :param this_part: The part of the traffic this filter will accept (0-based).
+
+
diff --git a/doc/scripts/base/frameworks/reporter/__load__.zeek.rst b/doc/scripts/base/frameworks/reporter/__load__.zeek.rst
new file mode 100644
index 0000000000..d1227aee04
--- /dev/null
+++ b/doc/scripts/base/frameworks/reporter/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/reporter/__load__.zeek
+======================================
+
+
+:Imports: :doc:`base/frameworks/reporter/main.zeek </scripts/base/frameworks/reporter/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/reporter/index.rst b/doc/scripts/base/frameworks/reporter/index.rst
new file mode 100644
index 0000000000..6c9244d1ea
--- /dev/null
+++ b/doc/scripts/base/frameworks/reporter/index.rst
@@ -0,0 +1,26 @@
+:orphan:
+
+Package: base/frameworks/reporter
+=================================
+
+This framework is intended to create an output and filtering path for
+internally generated messages/warnings/errors.
+
+:doc:`/scripts/base/frameworks/reporter/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/reporter/main.zeek`
+
+   This framework is intended to create an output and filtering path for
+   internal messages/warnings/errors.  It should typically be loaded to
+   log such messages to a file in a standard way.  For the options to
+   toggle whether messages are additionally written to STDERR, see
+   :zeek:see:`Reporter::info_to_stderr`,
+   :zeek:see:`Reporter::warnings_to_stderr`, and
+   :zeek:see:`Reporter::errors_to_stderr`.
+   
+   Note that this framework deals with the handling of internally generated
+   reporter messages, for the interface
+   into actually creating reporter messages from the scripting layer, use
+   the built-in functions in :doc:`/scripts/base/bif/reporter.bif.zeek`.
+
diff --git a/doc/scripts/base/frameworks/reporter/main.zeek.rst b/doc/scripts/base/frameworks/reporter/main.zeek.rst
new file mode 100644
index 0000000000..fc5b1904a9
--- /dev/null
+++ b/doc/scripts/base/frameworks/reporter/main.zeek.rst
@@ -0,0 +1,91 @@
+:tocdepth: 3
+
+base/frameworks/reporter/main.zeek
+==================================
+.. zeek:namespace:: Reporter
+
+This framework is intended to create an output and filtering path for
+internal messages/warnings/errors.  It should typically be loaded to
+log such messages to a file in a standard way.  For the options to
+toggle whether messages are additionally written to STDERR, see
+:zeek:see:`Reporter::info_to_stderr`,
+:zeek:see:`Reporter::warnings_to_stderr`, and
+:zeek:see:`Reporter::errors_to_stderr`.
+
+Note that this framework deals with the handling of internally generated
+reporter messages, for the interface
+into actually creating reporter messages from the scripting layer, use
+the built-in functions in :doc:`/scripts/base/bif/reporter.bif.zeek`.
+
+:Namespace: Reporter
+
+Summary
+~~~~~~~
+Types
+#####
+================================================ =====================================================================
+:zeek:type:`Reporter::Info`: :zeek:type:`record` The record type which contains the column fields of the reporter log.
+================================================ =====================================================================
+
+Redefinitions
+#############
+======================================= =======================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` The reporter logging stream identifier.
+                                        
+                                        * :zeek:enum:`Reporter::LOG`
+======================================= =======================================
+
+Hooks
+#####
+============================================================= =============================================
+:zeek:id:`Reporter::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+============================================================= =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Reporter::Info
+   :source-code: base/frameworks/reporter/main.zeek 24 38
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The network time at which the reporter event was generated.
+
+
+   .. zeek:field:: level :zeek:type:`Reporter::Level` :zeek:attr:`&log`
+
+      The severity of the reporter message. Levels are INFO for informational
+      messages, not needing specific attention; WARNING for warning of a potential
+      problem, and ERROR for a non-fatal error that should be addressed, but doesn't
+      terminate program execution.
+
+
+   .. zeek:field:: message :zeek:type:`string` :zeek:attr:`&log`
+
+      An info/warning/error message that could have either been
+      generated from the internal Zeek core or at the scripting-layer.
+
+
+   .. zeek:field:: location :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      This is the location in a Zeek script where the message originated.
+      Not all reporter messages will have locations in them though.
+
+
+   The record type which contains the column fields of the reporter log.
+
+Hooks
+#####
+.. zeek:id:: Reporter::log_policy
+   :source-code: base/frameworks/reporter/main.zeek 21 21
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/base/frameworks/signatures/__load__.zeek.rst b/doc/scripts/base/frameworks/signatures/__load__.zeek.rst
new file mode 100644
index 0000000000..160208158a
--- /dev/null
+++ b/doc/scripts/base/frameworks/signatures/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/signatures/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/frameworks/signatures/main.zeek </scripts/base/frameworks/signatures/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/signatures/index.rst b/doc/scripts/base/frameworks/signatures/index.rst
new file mode 100644
index 0000000000..6371988849
--- /dev/null
+++ b/doc/scripts/base/frameworks/signatures/index.rst
@@ -0,0 +1,19 @@
+:orphan:
+
+Package: base/frameworks/signatures
+===================================
+
+The signature framework provides for doing low-level pattern matching.  While
+signatures are not Zeek's preferred detection tool, they sometimes come in
+handy and are closer to what many people are familiar with from using
+other NIDS.
+
+:doc:`/scripts/base/frameworks/signatures/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/signatures/main.zeek`
+
+   Script level signature support.  See the
+   :doc:`signature documentation </frameworks/signatures>` for more
+   information about Zeek's signature engine.
+
diff --git a/doc/scripts/base/frameworks/signatures/main.zeek.rst b/doc/scripts/base/frameworks/signatures/main.zeek.rst
new file mode 100644
index 0000000000..7dcda0cf57
--- /dev/null
+++ b/doc/scripts/base/frameworks/signatures/main.zeek.rst
@@ -0,0 +1,364 @@
+:tocdepth: 3
+
+base/frameworks/signatures/main.zeek
+====================================
+.. zeek:namespace:: Signatures
+
+Script level signature support.  See the
+:doc:`signature documentation </frameworks/signatures>` for more
+information about Zeek's signature engine.
+
+:Namespace: Signatures
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================== ====================================================================
+:zeek:id:`Signatures::ignored_ids`: :zeek:type:`pattern` :zeek:attr:`&redef`       Signature IDs that should always be ignored.
+:zeek:id:`Signatures::summary_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The interval between when :zeek:enum:`Signatures::Signature_Summary`
+                                                                                   notices are generated.
+================================================================================== ====================================================================
+
+Redefinable Options
+###################
+================================================================================== ====================================================================
+:zeek:id:`Signatures::count_thresholds`: :zeek:type:`set` :zeek:attr:`&redef`      Generate a notice if a :zeek:enum:`Signatures::SIG_COUNT_PER_RESP`
+                                                                                   signature is triggered as often as given by one of these thresholds.
+:zeek:id:`Signatures::horiz_scan_thresholds`: :zeek:type:`set` :zeek:attr:`&redef` Generate a notice if, for a pair [orig, signature], the number of
+                                                                                   different responders has reached one of the thresholds.
+:zeek:id:`Signatures::vert_scan_thresholds`: :zeek:type:`set` :zeek:attr:`&redef`  Generate a notice if, for a pair [orig, resp], the number of
+                                                                                   different signature matches has reached one of the thresholds.
+================================================================================== ====================================================================
+
+State Variables
+###############
+======================================================================================================================== ========================
+:zeek:id:`Signatures::actions`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = ``Signatures::SIG_ALARM`` Actions for a signature.
+======================================================================================================================== ========================
+
+Types
+#####
+================================================== ======================================================================
+:zeek:type:`Signatures::Action`: :zeek:type:`enum` These are the default actions you can apply to signature matches.
+:zeek:type:`Signatures::Info`: :zeek:type:`record` The record type which contains the column fields of the signature log.
+================================================== ======================================================================
+
+Redefinitions
+#############
+============================================ =============================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      The signature logging stream identifier.
+                                             
+                                             * :zeek:enum:`Signatures::LOG`
+:zeek:type:`Notice::Type`: :zeek:type:`enum` Add various signature-related notice types.
+                                             
+                                             * :zeek:enum:`Signatures::Count_Signature`:
+                                               The same signature has triggered multiple times for a host.
+                                             
+                                             * :zeek:enum:`Signatures::Multiple_Sig_Responders`:
+                                               Host has triggered the same signature on multiple hosts as
+                                               defined by the :zeek:id:`Signatures::horiz_scan_thresholds`
+                                               variable.
+                                             
+                                             * :zeek:enum:`Signatures::Multiple_Signatures`:
+                                               Host has triggered many signatures on the same host.
+                                             
+                                             * :zeek:enum:`Signatures::Sensitive_Signature`:
+                                               Generic notice type for notice-worthy signature matches.
+                                             
+                                             * :zeek:enum:`Signatures::Signature_Summary`:
+                                               Summarize the number of times a host triggered a signature.
+============================================ =============================================================
+
+Events
+######
+======================================================== =================================================================
+:zeek:id:`Signatures::log_signature`: :zeek:type:`event` This event can be handled to access/alter data about to be logged
+                                                         to the signature logging stream.
+======================================================== =================================================================
+
+Hooks
+#####
+=============================================================== =============================================
+:zeek:id:`Signatures::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+=============================================================== =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Signatures::ignored_ids
+   :source-code: base/frameworks/signatures/main.zeek 110 110
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?(NO_DEFAULT_MATCHES)$?/
+
+   :Redefinition: from :doc:`/scripts/policy/misc/detect-traceroute/main.zeek`
+
+      ``+=``::
+
+         /^?(traceroute-detector.*)$?/
+
+   :Redefinition: from :doc:`/scripts/policy/protocols/http/detect-webapps.zeek`
+
+      ``+=``::
+
+         /^?(^webapp-)$?/
+
+
+   Signature IDs that should always be ignored.
+
+.. zeek:id:: Signatures::summary_interval
+   :source-code: base/frameworks/signatures/main.zeek 126 126
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 day``
+
+   The interval between when :zeek:enum:`Signatures::Signature_Summary`
+   notices are generated.
+
+Redefinable Options
+###################
+.. zeek:id:: Signatures::count_thresholds
+   :source-code: base/frameworks/signatures/main.zeek 122 122
+
+   :Type: :zeek:type:`set` [:zeek:type:`count`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            1000,
+            10000,
+            500,
+            5,
+            10,
+            100,
+            50,
+            1000000
+         }
+
+
+   Generate a notice if a :zeek:enum:`Signatures::SIG_COUNT_PER_RESP`
+   signature is triggered as often as given by one of these thresholds.
+
+.. zeek:id:: Signatures::horiz_scan_thresholds
+   :source-code: base/frameworks/signatures/main.zeek 114 114
+
+   :Type: :zeek:type:`set` [:zeek:type:`count`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            1000,
+            500,
+            5,
+            10,
+            100,
+            50
+         }
+
+
+   Generate a notice if, for a pair [orig, signature], the number of
+   different responders has reached one of the thresholds.
+
+.. zeek:id:: Signatures::vert_scan_thresholds
+   :source-code: base/frameworks/signatures/main.zeek 118 118
+
+   :Type: :zeek:type:`set` [:zeek:type:`count`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            1000,
+            500,
+            5,
+            10,
+            100,
+            50
+         }
+
+
+   Generate a notice if, for a pair [orig, resp], the number of
+   different signature matches has reached one of the thresholds.
+
+State Variables
+###############
+.. zeek:id:: Signatures::actions
+   :source-code: base/frameworks/signatures/main.zeek 105 105
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Signatures::Action`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = ``Signatures::SIG_ALARM``
+   :Default:
+
+      ::
+
+         {
+            ["unspecified"] = Signatures::SIG_IGNORE
+         }
+
+
+   Actions for a signature.  Can be updated dynamically.
+
+Types
+#####
+.. zeek:type:: Signatures::Action
+   :source-code: base/frameworks/signatures/main.zeek 44 70
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Signatures::SIG_IGNORE Signatures::Action
+
+         Ignore this signature completely (even for scan detection).
+         Don't write to the signatures logging stream.
+
+      .. zeek:enum:: Signatures::SIG_QUIET Signatures::Action
+
+         Process through the various aggregate techniques, but don't
+         report individually and don't write to the signatures logging
+         stream.
+
+      .. zeek:enum:: Signatures::SIG_LOG Signatures::Action
+
+         Generate a notice.
+
+      .. zeek:enum:: Signatures::SIG_FILE_BUT_NO_SCAN Signatures::Action
+
+         The same as :zeek:enum:`Signatures::SIG_LOG`, but ignore for
+         aggregate/scan processing.
+
+      .. zeek:enum:: Signatures::SIG_ALARM Signatures::Action
+
+         Generate a notice and set it to be alarmed upon.
+
+      .. zeek:enum:: Signatures::SIG_ALARM_PER_ORIG Signatures::Action
+
+         Alarm once per originator.
+
+      .. zeek:enum:: Signatures::SIG_ALARM_ONCE Signatures::Action
+
+         Alarm once and then never again.
+
+      .. zeek:enum:: Signatures::SIG_COUNT_PER_RESP Signatures::Action
+
+         Count signatures per responder host and alarm with the
+         :zeek:enum:`Signatures::Count_Signature` notice if a threshold
+         defined by :zeek:id:`Signatures::count_thresholds` is reached.
+
+      .. zeek:enum:: Signatures::SIG_SUMMARY Signatures::Action
+
+         Don't alarm, but generate per-orig summary.
+
+   These are the default actions you can apply to signature matches.
+   All of them write the signature record to the logging stream unless
+   declared otherwise.
+
+.. zeek:type:: Signatures::Info
+   :source-code: base/frameworks/signatures/main.zeek 72 102
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The network time at which a signature matching type of event
+      to be logged has occurred.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A unique identifier of the connection which triggered the
+      signature match event.
+
+
+   .. zeek:field:: src_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The host which triggered the signature match event.
+
+
+   .. zeek:field:: src_port :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The host port on which the signature-matching activity
+      occurred.
+
+
+   .. zeek:field:: dst_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The destination host which was sent the payload that
+      triggered the signature match.
+
+
+   .. zeek:field:: dst_port :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The destination host port which was sent the payload that
+      triggered the signature match.
+
+
+   .. zeek:field:: note :zeek:type:`Notice::Type` :zeek:attr:`&log`
+
+      Notice associated with signature event.
+
+
+   .. zeek:field:: sig_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The name of the signature that matched.
+
+
+   .. zeek:field:: event_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A more descriptive message of the signature-matching event.
+
+
+   .. zeek:field:: sub_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Extracted payload data or extra message.
+
+
+   .. zeek:field:: sig_count :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of sigs, usually from summary count.
+
+
+   .. zeek:field:: host_count :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of hosts, from a summary count.
+
+
+   The record type which contains the column fields of the signature log.
+
+Events
+######
+.. zeek:id:: Signatures::log_signature
+   :source-code: base/frameworks/signatures/main.zeek 132 132
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Signatures::Info`)
+
+   This event can be handled to access/alter data about to be logged
+   to the signature logging stream.
+   
+
+   :param rec: The record of signature data about to be logged.
+
+Hooks
+#####
+.. zeek:id:: Signatures::log_policy
+   :source-code: base/frameworks/signatures/main.zeek 39 39
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/base/frameworks/software/__load__.zeek.rst b/doc/scripts/base/frameworks/software/__load__.zeek.rst
new file mode 100644
index 0000000000..61c915d4ae
--- /dev/null
+++ b/doc/scripts/base/frameworks/software/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/software/__load__.zeek
+======================================
+
+
+:Imports: :doc:`base/frameworks/software/main.zeek </scripts/base/frameworks/software/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/software/index.rst b/doc/scripts/base/frameworks/software/index.rst
new file mode 100644
index 0000000000..be1daf39de
--- /dev/null
+++ b/doc/scripts/base/frameworks/software/index.rst
@@ -0,0 +1,21 @@
+:orphan:
+
+Package: base/frameworks/software
+=================================
+
+The software framework provides infrastructure for maintaining a table
+of software versions seen on the network. The version parsing itself
+is carried out by external protocol-specific scripts that feed into
+this framework.
+
+:doc:`/scripts/base/frameworks/software/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/software/main.zeek`
+
+   This script provides the framework for software version detection and
+   parsing but doesn't actually do any detection on it's own.  It relies on
+   other protocol specific scripts to parse out software from the protocols
+   that they analyze.  The entry point for providing new software detections
+   to this framework is through the :zeek:id:`Software::found` function.
+
diff --git a/doc/scripts/base/frameworks/software/main.zeek.rst b/doc/scripts/base/frameworks/software/main.zeek.rst
new file mode 100644
index 0000000000..3176ead98c
--- /dev/null
+++ b/doc/scripts/base/frameworks/software/main.zeek.rst
@@ -0,0 +1,425 @@
+:tocdepth: 3
+
+base/frameworks/software/main.zeek
+==================================
+.. zeek:namespace:: Software
+
+This script provides the framework for software version detection and
+parsing but doesn't actually do any detection on it's own.  It relies on
+other protocol specific scripts to parse out software from the protocols
+that they analyze.  The entry point for providing new software detections
+to this framework is through the :zeek:id:`Software::found` function.
+
+:Namespace: Software
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`, :doc:`base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+========================================================================== ====================================================
+:zeek:id:`Software::asset_tracking`: :zeek:type:`Host` :zeek:attr:`&redef` Hosts whose software should be detected and tracked.
+========================================================================== ====================================================
+
+State Variables
+###############
+====================================================================================================== =========================================================
+:zeek:id:`Software::alternate_names`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Sometimes software will expose itself on the network with
+                                                                                                       slight naming variations.
+:zeek:id:`Software::tracked`: :zeek:type:`table` :zeek:attr:`&create_expire` = ``1.0 day``             The set of software associated with an address.
+====================================================================================================== =========================================================
+
+Types
+#####
+===================================================================== ======================================================================
+:zeek:type:`Software::Info`: :zeek:type:`record`                      The record type that is used for representing and logging software.
+:zeek:type:`Software::SoftwareSet`: :zeek:type:`table`                Type to represent a collection of :zeek:type:`Software::Info` records.
+:zeek:type:`Software::Type`: :zeek:type:`enum`                        Scripts detecting new types of software need to redef this enum to add
+                                                                      their own specific software types which would then be used when they
+                                                                      create :zeek:type:`Software::Info` records.
+:zeek:type:`Software::Version`: :zeek:type:`record` :zeek:attr:`&log` A structure to represent the numeric version of software.
+===================================================================== ======================================================================
+
+Redefinitions
+#############
+======================================= =======================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` The software logging stream identifier.
+                                        
+                                        * :zeek:enum:`Software::LOG`
+======================================= =======================================
+
+Events
+######
+======================================================= ======================================================================
+:zeek:id:`Software::log_software`: :zeek:type:`event`   This event can be handled to access the :zeek:type:`Software::Info`
+                                                        record as it is sent on to the logging framework.
+:zeek:id:`Software::register`: :zeek:type:`event`       This event is raised when software is about to be registered for
+                                                        tracking in :zeek:see:`Software::tracked`.
+:zeek:id:`Software::version_change`: :zeek:type:`event` This event can be handled to access software information whenever it's
+                                                        version is found to have changed.
+======================================================= ======================================================================
+
+Hooks
+#####
+============================================================= =============================================
+:zeek:id:`Software::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+============================================================= =============================================
+
+Functions
+#########
+======================================================== ==================================================================
+:zeek:id:`Software::cmp_versions`: :zeek:type:`function` Compare two version records.
+:zeek:id:`Software::found`: :zeek:type:`function`        Other scripts should call this function when they detect software.
+======================================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Software::asset_tracking
+   :source-code: base/frameworks/software/main.zeek 74 74
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LOCAL_HOSTS``
+   :Redefinition: from :doc:`/scripts/policy/tuning/track-all-assets.zeek`
+
+      ``=``::
+
+         ALL_HOSTS
+
+
+   Hosts whose software should be detected and tracked.
+   Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
+
+State Variables
+###############
+.. zeek:id:: Software::alternate_names
+   :source-code: base/frameworks/software/main.zeek 98 98
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            ["Flash Player"] = "Flash"
+         }
+
+
+   Sometimes software will expose itself on the network with
+   slight naming variations.  This table provides a mechanism
+   for a piece of software to be renamed to a single name
+   even if it exposes itself with an alternate name.  The
+   yielded string is the name that will be logged and generally
+   used for everything.
+
+.. zeek:id:: Software::tracked
+   :source-code: base/frameworks/software/main.zeek 112 112
+
+   :Type: :zeek:type:`table` [:zeek:type:`addr`] of :zeek:type:`Software::SoftwareSet`
+   :Attributes: :zeek:attr:`&create_expire` = ``1.0 day``
+   :Default: ``{}``
+
+   The set of software associated with an address.  Data expires from
+   this table after one day by default so that a detected piece of
+   software will be logged once each day.  In a cluster, this table is
+   uniformly distributed among proxy nodes.
+
+Types
+#####
+.. zeek:type:: Software::Info
+   :source-code: base/frameworks/software/main.zeek 43 70
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The time at which the software was detected.
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
+
+      The IP address detected running the software.
+
+
+   .. zeek:field:: host_p :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The port on which the software is running. Only sensible for
+      server software.
+
+
+   .. zeek:field:: software_type :zeek:type:`Software::Type` :zeek:attr:`&log` :zeek:attr:`&default` = ``Software::UNKNOWN`` :zeek:attr:`&optional`
+
+      The type of software detected (e.g. :zeek:enum:`HTTP::SERVER`).
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Name of the software (e.g. Apache).
+
+
+   .. zeek:field:: version :zeek:type:`Software::Version` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Version of the software.
+
+
+   .. zeek:field:: unparsed_version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The full unparsed version string found because the version
+      parsing doesn't always work reliably in all cases and this
+      acts as a fallback in the logs.
+
+
+   .. zeek:field:: force_log :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      This can indicate that this software being detected should
+      definitely be sent onward to the logging framework.  By
+      default, only software that is "interesting" due to a change
+      in version or it being currently unknown is sent to the
+      logging framework.  This can be set to T to force the record
+      to be sent to the logging framework if some amount of this
+      tracking needs to happen in a specific way to the software.
+
+
+   .. zeek:field:: url :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/protocols/http/detect-webapps.zeek` is loaded)
+
+      Most root URL where the software was discovered.
+
+
+   The record type that is used for representing and logging software.
+
+.. zeek:type:: Software::SoftwareSet
+   :source-code: base/frameworks/software/main.zeek 106 106
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Software::Info`
+
+   Type to represent a collection of :zeek:type:`Software::Info` records.
+   It's indexed with the name of a piece of software such as "Firefox"
+   and it yields a :zeek:type:`Software::Info` record with more
+   information about the software.
+
+.. zeek:type:: Software::Type
+   :source-code: base/frameworks/software/main.zeek 23 27
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Software::UNKNOWN Software::Type
+
+         A placeholder type for when the type of software is not known.
+
+      .. zeek:enum:: OS::WINDOWS Software::Type
+
+         (present if :doc:`/scripts/policy/frameworks/software/windows-version-detection.zeek` is loaded)
+
+
+         Identifier for Windows operating system versions
+
+      .. zeek:enum:: DHCP::SERVER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/dhcp/software.zeek` is loaded)
+
+
+         Identifier for web servers in the software framework.
+
+      .. zeek:enum:: DHCP::CLIENT Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/dhcp/software.zeek` is loaded)
+
+
+         Identifier for web browsers in the software framework.
+
+      .. zeek:enum:: FTP::CLIENT Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/ftp/software.zeek` is loaded)
+
+
+         Identifier for FTP clients in the software framework.
+
+      .. zeek:enum:: FTP::SERVER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/ftp/software.zeek` is loaded)
+
+
+         Not currently implemented.
+
+      .. zeek:enum:: HTTP::WEB_APPLICATION Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/http/detect-webapps.zeek` is loaded)
+
+
+         Identifier for web applications in the software framework.
+
+      .. zeek:enum:: HTTP::BROWSER_PLUGIN Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/http/software-browser-plugins.zeek` is loaded)
+
+
+         Identifier for browser plugins in the software framework.
+
+      .. zeek:enum:: HTTP::SERVER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/http/software.zeek` is loaded)
+
+
+         Identifier for web servers in the software framework.
+
+      .. zeek:enum:: HTTP::APPSERVER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/http/software.zeek` is loaded)
+
+
+         Identifier for app servers in the software framework.
+
+      .. zeek:enum:: HTTP::BROWSER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/http/software.zeek` is loaded)
+
+
+         Identifier for web browsers in the software framework.
+
+      .. zeek:enum:: MySQL::SERVER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/mysql/software.zeek` is loaded)
+
+
+         Identifier for MySQL servers in the software framework.
+
+      .. zeek:enum:: SMTP::MAIL_CLIENT Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/smtp/software.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::MAIL_SERVER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/smtp/software.zeek` is loaded)
+
+
+      .. zeek:enum:: SMTP::WEBMAIL_SERVER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/smtp/software.zeek` is loaded)
+
+
+      .. zeek:enum:: SSH::SERVER Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssh/software.zeek` is loaded)
+
+
+         Identifier for SSH clients in the software framework.
+
+      .. zeek:enum:: SSH::CLIENT Software::Type
+
+         (present if :doc:`/scripts/policy/protocols/ssh/software.zeek` is loaded)
+
+
+         Identifier for SSH servers in the software framework.
+
+   Scripts detecting new types of software need to redef this enum to add
+   their own specific software types which would then be used when they
+   create :zeek:type:`Software::Info` records.
+
+.. zeek:type:: Software::Version
+   :source-code: base/frameworks/software/main.zeek 29 40
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: major :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Major version number.
+
+
+   .. zeek:field:: minor :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Minor version number.
+
+
+   .. zeek:field:: minor2 :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Minor subversion number.
+
+
+   .. zeek:field:: minor3 :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Minor updates number.
+
+
+   .. zeek:field:: addl :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Additional version string (e.g. "beta42").
+
+   :Attributes: :zeek:attr:`&log`
+
+   A structure to represent the numeric version of software.
+
+Events
+######
+.. zeek:id:: Software::log_software
+   :source-code: policy/frameworks/software/vulnerable.zeek 130 146
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Software::Info`)
+
+   This event can be handled to access the :zeek:type:`Software::Info`
+   record as it is sent on to the logging framework.
+
+.. zeek:id:: Software::register
+   :source-code: base/frameworks/software/main.zeek 124 124
+
+   :Type: :zeek:type:`event` (info: :zeek:type:`Software::Info`)
+
+   This event is raised when software is about to be registered for
+   tracking in :zeek:see:`Software::tracked`.
+
+.. zeek:id:: Software::version_change
+   :source-code: policy/frameworks/software/version-changes.zeek 25 37
+
+   :Type: :zeek:type:`event` (old: :zeek:type:`Software::Info`, new: :zeek:type:`Software::Info`)
+
+   This event can be handled to access software information whenever it's
+   version is found to have changed.
+
+Hooks
+#####
+.. zeek:id:: Software::log_policy
+   :source-code: base/frameworks/software/main.zeek 18 18
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+Functions
+#########
+.. zeek:id:: Software::cmp_versions
+   :source-code: base/frameworks/software/main.zeek 380 456
+
+   :Type: :zeek:type:`function` (v1: :zeek:type:`Software::Version`, v2: :zeek:type:`Software::Version`) : :zeek:type:`int`
+
+   Compare two version records.
+   
+
+   :returns:  -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2.
+             If the numerical version numbers match, the *addl* string
+             is compared lexicographically.
+
+.. zeek:id:: Software::found
+   :source-code: base/frameworks/software/main.zeek 521 550
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`, info: :zeek:type:`Software::Info`) : :zeek:type:`bool`
+
+   Other scripts should call this function when they detect software.
+   
+
+   :param id: The connection id where the software was discovered.
+   
+
+   :param info: A record representing the software discovered.
+   
+
+   :returns: T if the software was logged, F otherwise.
+
+
diff --git a/doc/scripts/base/frameworks/spicy/__load__.zeek.rst b/doc/scripts/base/frameworks/spicy/__load__.zeek.rst
new file mode 100644
index 0000000000..4f7b404329
--- /dev/null
+++ b/doc/scripts/base/frameworks/spicy/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/spicy/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/frameworks/spicy/main.zeek </scripts/base/frameworks/spicy/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/spicy/index.rst b/doc/scripts/base/frameworks/spicy/index.rst
new file mode 100644
index 0000000000..e6c5278721
--- /dev/null
+++ b/doc/scripts/base/frameworks/spicy/index.rst
@@ -0,0 +1,18 @@
+:orphan:
+
+Package: base/frameworks/spicy
+==============================
+
+
+:doc:`/scripts/base/frameworks/spicy/init-bare.zeek`
+
+
+:doc:`/scripts/base/frameworks/spicy/init-framework.zeek`
+
+
+:doc:`/scripts/base/frameworks/spicy/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/spicy/main.zeek`
+
+
diff --git a/doc/scripts/base/frameworks/spicy/init-bare.zeek.rst b/doc/scripts/base/frameworks/spicy/init-bare.zeek.rst
new file mode 100644
index 0000000000..edca00a991
--- /dev/null
+++ b/doc/scripts/base/frameworks/spicy/init-bare.zeek.rst
@@ -0,0 +1,139 @@
+:tocdepth: 3
+
+base/frameworks/spicy/init-bare.zeek
+====================================
+.. zeek:namespace:: Spicy
+
+
+:Namespace: Spicy
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================ ===============================================================
+:zeek:id:`Spicy::abort_on_exceptions`: :zeek:type:`bool` :zeek:attr:`&redef` abort() instead of throwing HILTI exceptions.
+:zeek:id:`Spicy::enable_print`: :zeek:type:`bool` :zeek:attr:`&redef`        Show output of Spicy print statements.
+:zeek:id:`Spicy::enable_profiling`: :zeek:type:`bool` :zeek:attr:`&redef`    
+:zeek:id:`Spicy::max_file_depth`: :zeek:type:`count` :zeek:attr:`&redef`     Maximum depth of recursive file analysis (Spicy analyzers only)
+:zeek:id:`Spicy::show_backtraces`: :zeek:type:`bool` :zeek:attr:`&redef`     Include backtraces when reporting unhandled exceptions.
+============================================================================ ===============================================================
+
+Constants
+#########
+============================================== ===========================================
+:zeek:id:`Spicy::available`: :zeek:type:`bool` Constant for testing if Spicy is available.
+============================================== ===========================================
+
+Types
+#####
+====================================================== ==================================================
+:zeek:type:`Spicy::ResourceUsage`: :zeek:type:`record` Result type for :zeek:see:`Spicy::resource_usage`.
+====================================================== ==================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Spicy::abort_on_exceptions
+   :source-code: base/frameworks/spicy/init-bare.zeek 16 16
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   abort() instead of throwing HILTI exceptions.
+
+.. zeek:id:: Spicy::enable_print
+   :source-code: base/frameworks/spicy/init-bare.zeek 10 10
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Show output of Spicy print statements.
+
+.. zeek:id:: Spicy::enable_profiling
+   :source-code: base/frameworks/spicy/init-bare.zeek 13 13
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+
+.. zeek:id:: Spicy::max_file_depth
+   :source-code: base/frameworks/spicy/init-bare.zeek 22 22
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5``
+
+   Maximum depth of recursive file analysis (Spicy analyzers only)
+
+.. zeek:id:: Spicy::show_backtraces
+   :source-code: base/frameworks/spicy/init-bare.zeek 19 19
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Include backtraces when reporting unhandled exceptions.
+
+Constants
+#########
+.. zeek:id:: Spicy::available
+   :source-code: base/frameworks/spicy/init-bare.zeek 7 7
+
+   :Type: :zeek:type:`bool`
+   :Default: ``T``
+
+   Constant for testing if Spicy is available.
+
+Types
+#####
+.. zeek:type:: Spicy::ResourceUsage
+   :source-code: base/frameworks/spicy/init-bare.zeek 28 36
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: user_time :zeek:type:`interval`
+
+      user CPU time of the Zeek process
+
+
+   .. zeek:field:: system_time :zeek:type:`interval`
+
+      system CPU time of the Zeek process
+
+
+   .. zeek:field:: memory_heap :zeek:type:`count`
+
+      memory allocated on the heap by the Zeek process
+
+
+   .. zeek:field:: num_fibers :zeek:type:`count`
+
+      number of fibers currently in use
+
+
+   .. zeek:field:: max_fibers :zeek:type:`count`
+
+      maximum number of fibers ever in use
+
+
+   .. zeek:field:: max_fiber_stack_size :zeek:type:`count`
+
+      maximum fiber stack size ever in use
+
+
+   .. zeek:field:: cached_fibers :zeek:type:`count`
+
+      number of fibers currently cached
+
+
+   Result type for :zeek:see:`Spicy::resource_usage`. The values reflect resource
+   usage as reported by the Spicy runtime system.
+
+
diff --git a/doc/scripts/base/frameworks/spicy/init-framework.zeek.rst b/doc/scripts/base/frameworks/spicy/init-framework.zeek.rst
new file mode 100644
index 0000000000..336a6c9c61
--- /dev/null
+++ b/doc/scripts/base/frameworks/spicy/init-framework.zeek.rst
@@ -0,0 +1,94 @@
+:tocdepth: 3
+
+base/frameworks/spicy/init-framework.zeek
+=========================================
+.. zeek:namespace:: Spicy
+
+
+:Namespace: Spicy
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================== =======================================================================
+:zeek:id:`Spicy::disable_file_analyzer`: :zeek:type:`function`     Disable a specific Spicy file analyzer if not already inactive.
+:zeek:id:`Spicy::disable_protocol_analyzer`: :zeek:type:`function` Disable a specific Spicy protocol analyzer if not already inactive.
+:zeek:id:`Spicy::enable_file_analyzer`: :zeek:type:`function`      Enable a specific Spicy file analyzer if not already active.
+:zeek:id:`Spicy::enable_protocol_analyzer`: :zeek:type:`function`  Enable a specific Spicy protocol analyzer if not already active.
+:zeek:id:`Spicy::resource_usage`: :zeek:type:`function`            Returns current resource usage as reported by the Spicy runtime system.
+================================================================== =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Spicy::disable_file_analyzer
+   :source-code: base/frameworks/spicy/init-framework.zeek 77 80
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
+
+   Disable a specific Spicy file analyzer if not already inactive. If
+   this analyzer replaces an standard analyzer, that one will automatically
+   be re-enabled.
+   
+
+   :param tag: analyzer to toggle
+   
+
+   :returns: true if the operation succeeded
+
+.. zeek:id:: Spicy::disable_protocol_analyzer
+   :source-code: base/frameworks/spicy/init-framework.zeek 67 70
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Analyzer::Tag`) : :zeek:type:`bool`
+
+   Disable a specific Spicy protocol analyzer if not already inactive. If
+   this analyzer replaces an standard analyzer, that one will automatically
+   be re-enabled.
+   
+
+   :param tag: analyzer to toggle
+   
+
+   :returns: true if the operation succeeded
+
+.. zeek:id:: Spicy::enable_file_analyzer
+   :source-code: base/frameworks/spicy/init-framework.zeek 72 75
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Files::Tag`) : :zeek:type:`bool`
+
+   Enable a specific Spicy file analyzer if not already active. If this
+   analyzer replaces an standard analyzer, that one will automatically be
+   disabled.
+   
+
+   :param tag: analyzer to toggle
+   
+
+   :returns: true if the operation succeeded
+
+.. zeek:id:: Spicy::enable_protocol_analyzer
+   :source-code: base/frameworks/spicy/init-framework.zeek 62 65
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`Analyzer::Tag`) : :zeek:type:`bool`
+
+   Enable a specific Spicy protocol analyzer if not already active. If this
+   analyzer replaces an standard analyzer, that one will automatically be
+   disabled.
+   
+
+   :param tag: analyzer to toggle
+   
+
+   :returns: true if the operation succeeded
+
+.. zeek:id:: Spicy::resource_usage
+   :source-code: base/frameworks/spicy/init-framework.zeek 82 85
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Spicy::ResourceUsage`
+
+   Returns current resource usage as reported by the Spicy runtime system.
+
+
diff --git a/doc/scripts/base/frameworks/spicy/main.zeek.rst b/doc/scripts/base/frameworks/spicy/main.zeek.rst
new file mode 100644
index 0000000000..5c5c71322a
--- /dev/null
+++ b/doc/scripts/base/frameworks/spicy/main.zeek.rst
@@ -0,0 +1,24 @@
+:tocdepth: 3
+
+base/frameworks/spicy/main.zeek
+===============================
+.. zeek:namespace:: Spicy
+
+
+:Namespace: Spicy
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ===================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`Spicy::Spicy_Max_File_Depth_Exceeded`
+============================================ ===================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/storage/__load__.zeek.rst b/doc/scripts/base/frameworks/storage/__load__.zeek.rst
new file mode 100644
index 0000000000..c48e9eb9ad
--- /dev/null
+++ b/doc/scripts/base/frameworks/storage/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/storage/__load__.zeek
+=====================================
+
+
+:Imports: :doc:`base/frameworks/storage/async.zeek </scripts/base/frameworks/storage/async.zeek>`, :doc:`base/frameworks/storage/main.zeek </scripts/base/frameworks/storage/main.zeek>`, :doc:`base/frameworks/storage/sync.zeek </scripts/base/frameworks/storage/sync.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/storage/async.zeek.rst b/doc/scripts/base/frameworks/storage/async.zeek.rst
new file mode 100644
index 0000000000..47d2ddde28
--- /dev/null
+++ b/doc/scripts/base/frameworks/storage/async.zeek.rst
@@ -0,0 +1,132 @@
+:tocdepth: 3
+
+base/frameworks/storage/async.zeek
+==================================
+.. zeek:namespace:: Storage::Async
+
+Asynchronous operation methods for the storage framework.
+
+:Namespace: Storage::Async
+:Imports: :doc:`base/frameworks/storage/main.zeek </scripts/base/frameworks/storage/main.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+=============================================================== ==============================================================================
+:zeek:id:`Storage::Async::close_backend`: :zeek:type:`function` Closes an existing backend connection asynchronously.
+:zeek:id:`Storage::Async::erase`: :zeek:type:`function`         Erases an entry from the backend asynchronously.
+:zeek:id:`Storage::Async::get`: :zeek:type:`function`           Gets an entry from the backend asynchronously.
+:zeek:id:`Storage::Async::open_backend`: :zeek:type:`function`  Opens a new backend connection based on a configuration object asynchronously.
+:zeek:id:`Storage::Async::put`: :zeek:type:`function`           Inserts a new entry into a backend asynchronously.
+=============================================================== ==============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Storage::Async::close_backend
+   :source-code: base/frameworks/storage/async.zeek 91 97
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle) : :zeek:type:`Storage::OperationResult`
+
+   Closes an existing backend connection asynchronously. This method must be
+   called via a :zeek:see:`when` condition or an error will be returned.
+   
+
+   :param backend: A handle to a backend connection.
+   
+
+   :returns: A record containing the status of the operation and an optional error
+            string for failures.
+
+.. zeek:id:: Storage::Async::erase
+   :source-code: base/frameworks/storage/async.zeek 120 126
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+   Erases an entry from the backend asynchronously. This method must be called via
+   a :zeek:see:`when` condition or an error will be returned.
+   
+
+   :param backend: A handle to a backend connection.
+   
+
+   :param key: The key to erase.
+   
+
+   :returns: A record containing the status of the operation and an optional error
+            string for failures.
+
+.. zeek:id:: Storage::Async::get
+   :source-code: base/frameworks/storage/async.zeek 111 117
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+   Gets an entry from the backend asynchronously. This method must be called via a
+   :zeek:see:`when` condition or an error will be returned.
+   
+
+   :param backend: A handle to a backend connection.
+   
+
+   :param key: The key to look up.
+   
+
+   :returns: A record containing the status of the operation, an optional error
+            string for failures, and an optional value for success. The value
+            returned here will be of the type passed into
+            :zeek:see:`Storage::Async::open_backend`.
+
+.. zeek:id:: Storage::Async::open_backend
+   :source-code: base/frameworks/storage/async.zeek 82 88
+
+   :Type: :zeek:type:`function` (btype: :zeek:type:`Storage::Backend`, options: :zeek:type:`Storage::BackendOptions`, key_type: :zeek:type:`any`, val_type: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+   Opens a new backend connection based on a configuration object asynchronously.
+   This method must be called via a :zeek:see:`when` condition or an error will
+   be returned.
+   
+
+   :param btype: A tag indicating what type of backend should be opened. These are
+          defined by the backend plugins loaded.
+   
+
+   :param options: A record containing the configuration for the connection.
+   
+
+   :param key_type: The script-level type of keys stored in the backend. Used for
+             validation of keys passed to other framework methods.
+   
+
+   :param val_type: The script-level type of keys stored in the backend. Used for
+             validation of values passed to :zeek:see:`Storage::Async::put` as
+             well as for type conversions for return values from
+             :zeek:see:`Storage::Async::get`.
+   
+
+   :returns: A record containing the status of the operation, and either an error
+            string on failure or a value on success. The value returned here will
+            be an ``opaque of BackendHandle``.
+
+.. zeek:id:: Storage::Async::put
+   :source-code: base/frameworks/storage/async.zeek 100 108
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, args: :zeek:type:`Storage::PutArgs`) : :zeek:type:`Storage::OperationResult`
+
+   Inserts a new entry into a backend asynchronously. This method must be called
+   via a :zeek:see:`when` condition or an error will be returned.
+   
+
+   :param backend: A handle to a backend connection.
+   
+
+   :param args: A :zeek:see:`Storage::PutArgs` record containing the arguments for the
+         operation.
+   
+
+   :returns: A record containing the status of the operation and an optional error
+            string for failures.
+
+
diff --git a/doc/scripts/base/frameworks/storage/index.rst b/doc/scripts/base/frameworks/storage/index.rst
new file mode 100644
index 0000000000..8b8dc5eba5
--- /dev/null
+++ b/doc/scripts/base/frameworks/storage/index.rst
@@ -0,0 +1,21 @@
+:orphan:
+
+Package: base/frameworks/storage
+================================
+
+
+:doc:`/scripts/base/frameworks/storage/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/storage/async.zeek`
+
+   Asynchronous operation methods for the storage framework.
+
+:doc:`/scripts/base/frameworks/storage/main.zeek`
+
+   The storage framework provides a way to store long-term data to disk.
+
+:doc:`/scripts/base/frameworks/storage/sync.zeek`
+
+   Synchronous operation methods for the storage framework.
+
diff --git a/doc/scripts/base/frameworks/storage/main.zeek.rst b/doc/scripts/base/frameworks/storage/main.zeek.rst
new file mode 100644
index 0000000000..e075d7b1ef
--- /dev/null
+++ b/doc/scripts/base/frameworks/storage/main.zeek.rst
@@ -0,0 +1,140 @@
+:tocdepth: 3
+
+base/frameworks/storage/main.zeek
+=================================
+.. zeek:namespace:: Storage
+
+The storage framework provides a way to store long-term data to disk.
+
+:Namespace: Storage
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================== =
+:zeek:id:`Storage::default_forced_sync`: :zeek:type:`bool` :zeek:attr:`&redef`     
+:zeek:id:`Storage::latency_metric_bounds`: :zeek:type:`vector` :zeek:attr:`&redef` 
+================================================================================== =
+
+Types
+#####
+========================================================= ===================================================================
+:zeek:type:`Storage::BackendOptions`: :zeek:type:`record` Base record for backend options that can be passed to
+                                                          :zeek:see:`Storage::Async::open_backend` and
+                                                          :zeek:see:`Storage::Sync::open_backend`.
+:zeek:type:`Storage::PutArgs`: :zeek:type:`record`        Record for passing arguments to :zeek:see:`Storage::Async::put` and
+                                                          :zeek:see:`Storage::Sync::put`.
+:zeek:type:`Storage::Backend`: :zeek:type:`enum`          
+:zeek:type:`Storage::Serializer`: :zeek:type:`enum`       
+========================================================= ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Storage::default_forced_sync
+   :source-code: base/frameworks/storage/main.zeek 7 7
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+
+.. zeek:id:: Storage::latency_metric_bounds
+   :source-code: base/frameworks/storage/main.zeek 42 42
+
+   :Type: :zeek:type:`vector` of :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         [0.001, 0.01, 0.1, 1.0]
+
+
+
+Types
+#####
+.. zeek:type:: Storage::BackendOptions
+   :source-code: base/frameworks/storage/main.zeek 13 21
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: serializer :zeek:type:`Storage::Serializer` :zeek:attr:`&default` = ``Storage::STORAGE_SERIALIZER_JSON`` :zeek:attr:`&optional`
+
+      The serializer used for converting Zeek data.
+
+
+   .. zeek:field:: forced_sync :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Storage::default_forced_sync` :zeek:attr:`&optional`
+
+      Sets the backend into forced-synchronous mode. All operations will run
+      in synchronous mode, even if the async functions are called.  This
+      should generally only be set to ``T`` during testing.
+
+
+   .. zeek:field:: redis :zeek:type:`Storage::Backend::Redis::Options` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/storage/backend/redis/main.zeek` is loaded)
+
+
+   .. zeek:field:: sqlite :zeek:type:`Storage::Backend::SQLite::Options` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/storage/backend/sqlite/main.zeek` is loaded)
+
+
+   Base record for backend options that can be passed to
+   :zeek:see:`Storage::Async::open_backend` and
+   :zeek:see:`Storage::Sync::open_backend`. Backend plugins can redef this record
+   to add relevant fields to it.
+
+.. zeek:type:: Storage::PutArgs
+   :source-code: base/frameworks/storage/main.zeek 25 39
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: key :zeek:type:`any`
+
+      The key to store the value under.
+
+
+   .. zeek:field:: value :zeek:type:`any`
+
+      The value to store associated with the key.
+
+
+   .. zeek:field:: overwrite :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Indicates whether this value should overwrite an existing entry for the
+      key.
+
+
+   .. zeek:field:: expire_time :zeek:type:`interval` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`
+
+      An interval of time until the entry is automatically removed from the
+      backend.
+
+
+   Record for passing arguments to :zeek:see:`Storage::Async::put` and
+   :zeek:see:`Storage::Sync::put`.
+
+.. zeek:type:: Storage::Backend
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Storage::STORAGE_BACKEND_REDIS Storage::Backend
+
+      .. zeek:enum:: Storage::STORAGE_BACKEND_SQLITE Storage::Backend
+
+
+.. zeek:type:: Storage::Serializer
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Storage::STORAGE_SERIALIZER_JSON Storage::Serializer
+
+
+
diff --git a/doc/scripts/base/frameworks/storage/sync.zeek.rst b/doc/scripts/base/frameworks/storage/sync.zeek.rst
new file mode 100644
index 0000000000..1c6e3817aa
--- /dev/null
+++ b/doc/scripts/base/frameworks/storage/sync.zeek.rst
@@ -0,0 +1,126 @@
+:tocdepth: 3
+
+base/frameworks/storage/sync.zeek
+=================================
+.. zeek:namespace:: Storage::Sync
+
+Synchronous operation methods for the storage framework.
+
+:Namespace: Storage::Sync
+:Imports: :doc:`base/frameworks/storage/main.zeek </scripts/base/frameworks/storage/main.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+============================================================== ===============================================================
+:zeek:id:`Storage::Sync::close_backend`: :zeek:type:`function` Closes an existing backend connection.
+:zeek:id:`Storage::Sync::erase`: :zeek:type:`function`         Erases an entry from the backend.
+:zeek:id:`Storage::Sync::get`: :zeek:type:`function`           Gets an entry from the backend.
+:zeek:id:`Storage::Sync::open_backend`: :zeek:type:`function`  Opens a new backend connection based on a configuration object.
+:zeek:id:`Storage::Sync::put`: :zeek:type:`function`           Inserts a new entry into a backend.
+============================================================== ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Storage::Sync::close_backend
+   :source-code: base/frameworks/storage/sync.zeek 82 85
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle) : :zeek:type:`Storage::OperationResult`
+
+   Closes an existing backend connection.
+   
+
+   :param backend: A handle to a backend connection.
+   
+
+   :returns: A record containing the status of the operation and an optional error
+            string for failures.
+
+.. zeek:id:: Storage::Sync::erase
+   :source-code: base/frameworks/storage/sync.zeek 101 104
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+   Erases an entry from the backend.
+   
+
+   :param backend: A handle to a backend connection.
+   
+
+   :param key: The key to erase.
+   
+
+   :returns: A record containing the status of the operation and an optional error
+            string for failures.
+
+.. zeek:id:: Storage::Sync::get
+   :source-code: base/frameworks/storage/sync.zeek 95 98
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, key: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+   Gets an entry from the backend.
+   
+
+   :param backend: A handle to a backend connection.
+   
+
+   :param key: The key to look up.
+   
+
+   :returns: A record containing the status of the operation, an optional error
+            string for failures, and an optional value for success. The value
+            returned here will be of the type passed into
+            :zeek:see:`Storage::Sync::open_backend`.
+
+.. zeek:id:: Storage::Sync::open_backend
+   :source-code: base/frameworks/storage/sync.zeek 76 79
+
+   :Type: :zeek:type:`function` (btype: :zeek:type:`Storage::Backend`, options: :zeek:type:`Storage::BackendOptions`, key_type: :zeek:type:`any`, val_type: :zeek:type:`any`) : :zeek:type:`Storage::OperationResult`
+
+   Opens a new backend connection based on a configuration object.
+   
+
+   :param btype: A tag indicating what type of backend should be opened. These are
+          defined by the backend plugins loaded.
+   
+
+   :param options: A record containing the configuration for the connection.
+   
+
+   :param key_type: The script-level type of keys stored in the backend. Used for
+             validation of keys passed to other framework methods.
+   
+
+   :param val_type: The script-level type of keys stored in the backend. Used for
+             validation of values passed to :zeek:see:`Storage::Sync::put` as well
+             as for type conversions for return values from
+             :zeek:see:`Storage::Sync::get`.
+   
+
+   :returns: A record containing the status of the operation, and either an error
+            string on failure or a value on success. The value returned here will
+            be an ``opaque of BackendHandle``.
+
+.. zeek:id:: Storage::Sync::put
+   :source-code: base/frameworks/storage/sync.zeek 88 92
+
+   :Type: :zeek:type:`function` (backend: :zeek:type:`opaque` of Storage::BackendHandle, args: :zeek:type:`Storage::PutArgs`) : :zeek:type:`Storage::OperationResult`
+
+   Inserts a new entry into a backend.
+   
+
+   :param backend: A handle to a backend connection.
+   
+
+   :param args: A :zeek:see:`Storage::PutArgs` record containing the arguments for the
+         operation.
+   
+
+   :returns: A record containing the status of the operation and an optional error
+            string for failures.
+
+
diff --git a/doc/scripts/base/frameworks/sumstats/__load__.zeek.rst b/doc/scripts/base/frameworks/sumstats/__load__.zeek.rst
new file mode 100644
index 0000000000..27a78fb2a0
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/__load__.zeek
+======================================
+
+
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`, :doc:`base/frameworks/sumstats/non-cluster.zeek </scripts/base/frameworks/sumstats/non-cluster.zeek>`, :doc:`base/frameworks/sumstats/plugins </scripts/base/frameworks/sumstats/plugins/index>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/index.rst b/doc/scripts/base/frameworks/sumstats/index.rst
new file mode 100644
index 0000000000..cdc8280857
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/index.rst
@@ -0,0 +1,72 @@
+:orphan:
+
+Package: base/frameworks/sumstats
+=================================
+
+The summary statistics framework provides a way to summarize large streams
+of data into simple reduced measurements.
+
+:doc:`/scripts/base/frameworks/sumstats/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/sumstats/main.zeek`
+
+   The summary statistics framework provides a way to
+   summarize large streams of data into simple reduced
+   measurements.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/average.zeek`
+
+   Calculate the average.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek`
+
+   Calculate the number of unique values (using the HyperLogLog algorithm).
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/last.zeek`
+
+   Keep the last X observations.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/max.zeek`
+
+   Find the maximum value.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/min.zeek`
+
+   Find the minimum value.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/sample.zeek`
+
+   Keep a random sample of values.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/std-dev.zeek`
+
+   Calculate the standard deviation.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/variance.zeek`
+
+   Calculate the variance.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/sum.zeek`
+
+   Calculate the sum.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/topk.zeek`
+
+   Keep the top-k (i.e., most frequently occurring) observations.
+   
+   This plugin uses a probabilistic algorithm to count the top-k elements.
+   The algorithm (called Space-Saving) is described in the paper Efficient
+   Computation of Frequent and Top-k Elements in Data Streams", by
+   Metwally et al. (2005).
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/unique.zeek`
+
+   Calculate the number of unique values.
+
+:doc:`/scripts/base/frameworks/sumstats/non-cluster.zeek`
+
+
diff --git a/doc/scripts/base/frameworks/sumstats/main.zeek.rst b/doc/scripts/base/frameworks/sumstats/main.zeek.rst
new file mode 100644
index 0000000000..ed62d984bf
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/main.zeek.rst
@@ -0,0 +1,628 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/main.zeek
+==================================
+.. zeek:namespace:: SumStats
+
+The summary statistics framework provides a way to
+summarize large streams of data into simple reduced
+measurements.
+
+:Namespace: SumStats
+
+Summary
+~~~~~~~
+Types
+#####
+======================================================= ========================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum`   Type to represent the calculations that are available.
+:zeek:type:`SumStats::Key`: :zeek:type:`record`         Represents a thing which is having summarization
+                                                        results collected for it.
+:zeek:type:`SumStats::Observation`: :zeek:type:`record` Represents data being added for a single observation.
+:zeek:type:`SumStats::Reducer`: :zeek:type:`record`     Represents a reducer.
+:zeek:type:`SumStats::Result`: :zeek:type:`table`       Type to store a table of results for multiple reducers indexed by
+                                                        observation stream identifier.
+:zeek:type:`SumStats::ResultTable`: :zeek:type:`table`  Type to store a table of sumstats results indexed by keys.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record`   Result calculated for an observation stream fed into a reducer.
+:zeek:type:`SumStats::SumStat`: :zeek:type:`record`     Represents a SumStat, which consists of an aggregation of reducers along
+                                                        with mechanisms to handle various situations like the epoch ending
+                                                        or thresholds being crossed.
+======================================================= ========================================================================
+
+Redefinitions
+#############
+=================================================== ==============================================================================================
+:zeek:type:`SumStats::Reducer`: :zeek:type:`record` 
+                                                    
+                                                    :New Fields: :zeek:type:`SumStats::Reducer`
+                                                    
+                                                      ssname: :zeek:type:`string` :zeek:attr:`&optional`
+                                                    
+                                                      calc_funcs: :zeek:type:`vector` of :zeek:type:`SumStats::Calculation` :zeek:attr:`&optional`
+=================================================== ==============================================================================================
+
+Functions
+#########
+======================================================= ==================================================================
+:zeek:id:`SumStats::create`: :zeek:type:`function`      Create a summary statistic.
+:zeek:id:`SumStats::key2str`: :zeek:type:`function`     Helper function to represent a :zeek:type:`SumStats::Key` value as
+                                                        a simple string.
+:zeek:id:`SumStats::next_epoch`: :zeek:type:`function`  Manually end the current epoch for a sumstat.
+:zeek:id:`SumStats::observe`: :zeek:type:`function`     Add data into an observation stream.
+:zeek:id:`SumStats::request_key`: :zeek:type:`function` Dynamically request a sumstat key.
+======================================================= ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: SumStats::Calculation
+   :source-code: base/frameworks/sumstats/main.zeek 10 13
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: SumStats::PLACEHOLDER SumStats::Calculation
+
+      .. zeek:enum:: SumStats::AVERAGE SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/average.zeek` is loaded)
+
+
+         Calculate the average of the values.
+
+      .. zeek:enum:: SumStats::HLL_UNIQUE SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek` is loaded)
+
+
+         Calculate the number of unique values.
+
+      .. zeek:enum:: SumStats::LAST SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/last.zeek` is loaded)
+
+
+         Keep last X observations in a queue.
+
+      .. zeek:enum:: SumStats::MAX SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/max.zeek` is loaded)
+
+
+         Find the maximum value.
+
+      .. zeek:enum:: SumStats::MIN SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/min.zeek` is loaded)
+
+
+         Find the minimum value.
+
+      .. zeek:enum:: SumStats::SAMPLE SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/sample.zeek` is loaded)
+
+
+         Get uniquely distributed random samples from the observation
+         stream.
+
+      .. zeek:enum:: SumStats::VARIANCE SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/variance.zeek` is loaded)
+
+
+         Calculate the variance of the values.
+
+      .. zeek:enum:: SumStats::STD_DEV SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/std-dev.zeek` is loaded)
+
+
+         Calculate the standard deviation of the values.
+
+      .. zeek:enum:: SumStats::SUM SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/sum.zeek` is loaded)
+
+
+         Calculate the sum of the values.  For string values,
+         this will be the number of strings.
+
+      .. zeek:enum:: SumStats::TOPK SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/topk.zeek` is loaded)
+
+
+         Keep a top-k list of values.
+
+      .. zeek:enum:: SumStats::UNIQUE SumStats::Calculation
+
+         (present if :doc:`/scripts/base/frameworks/sumstats/plugins/unique.zeek` is loaded)
+
+
+         Calculate the number of unique values.
+
+   Type to represent the calculations that are available.  The calculations
+   are all defined as plugins.
+
+.. zeek:type:: SumStats::Key
+   :source-code: base/frameworks/sumstats/main.zeek 16 30
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: str :zeek:type:`string` :zeek:attr:`&optional`
+
+      A non-address related summarization or a sub-key for
+      an address based summarization. An example might be
+      successful SSH connections by client IP address
+      where the client string would be the key value.
+      Another example might be number of HTTP requests to
+      a particular value in a Host header.  This is an
+      example of a non-host based metric since multiple
+      IP addresses could respond for the same Host
+      header value.
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Host is the value to which this metric applies.
+
+
+   Represents a thing which is having summarization
+   results collected for it.
+
+.. zeek:type:: SumStats::Observation
+   :source-code: base/frameworks/sumstats/main.zeek 34 41
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: num :zeek:type:`count` :zeek:attr:`&optional`
+
+      Count value.
+
+
+   .. zeek:field:: dbl :zeek:type:`double` :zeek:attr:`&optional`
+
+      Double value.
+
+
+   .. zeek:field:: str :zeek:type:`string` :zeek:attr:`&optional`
+
+      String value.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/http/detect-sql-injection.zeek` is loaded)
+
+
+   Represents data being added for a single observation.
+   Only supply a single field at a time!
+
+.. zeek:type:: SumStats::Reducer
+   :source-code: base/frameworks/sumstats/main.zeek 44 59
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: stream :zeek:type:`string`
+
+      Observation stream identifier for the reducer
+      to attach to.
+
+
+   .. zeek:field:: apply :zeek:type:`set` [:zeek:type:`SumStats::Calculation`]
+
+      The calculations to perform on the data points.
+
+
+   .. zeek:field:: pred :zeek:type:`function` (key: :zeek:type:`SumStats::Key`, obs: :zeek:type:`SumStats::Observation`) : :zeek:type:`bool` :zeek:attr:`&optional`
+
+      A predicate so that you can decide per key if you
+      would like to accept the data being inserted.
+
+
+   .. zeek:field:: normalize_key :zeek:type:`function` (key: :zeek:type:`SumStats::Key`) : :zeek:type:`SumStats::Key` :zeek:attr:`&optional`
+
+      A function to normalize the key.  This can be used to
+      aggregate or normalize the entire key.
+
+
+   .. zeek:field:: ssname :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: calc_funcs :zeek:type:`vector` of :zeek:type:`SumStats::Calculation` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: hll_error_margin :zeek:type:`double` :zeek:attr:`&default` = ``0.01`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek` is loaded)
+
+      The error margin for HLL.
+
+
+   .. zeek:field:: hll_confidence :zeek:type:`double` :zeek:attr:`&default` = ``0.95`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek` is loaded)
+
+      The confidence for HLL.
+
+
+   .. zeek:field:: num_last_elements :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/last.zeek` is loaded)
+
+      Number of elements to keep.
+
+
+   .. zeek:field:: num_samples :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/sample.zeek` is loaded)
+
+      The number of sample Observations to collect.
+
+
+   .. zeek:field:: topk_size :zeek:type:`count` :zeek:attr:`&default` = ``500`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/topk.zeek` is loaded)
+
+      Number of elements to keep in the top-k list.
+
+
+   .. zeek:field:: unique_max :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/unique.zeek` is loaded)
+
+      Maximum number of unique values to store.
+
+
+   Represents a reducer.
+
+.. zeek:type:: SumStats::Result
+   :source-code: base/frameworks/sumstats/main.zeek 78 78
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`SumStats::ResultVal`
+
+   Type to store a table of results for multiple reducers indexed by
+   observation stream identifier.
+
+.. zeek:type:: SumStats::ResultTable
+   :source-code: base/frameworks/sumstats/main.zeek 81 81
+
+   :Type: :zeek:type:`table` [:zeek:type:`SumStats::Key`] of :zeek:type:`SumStats::Result`
+
+   Type to store a table of sumstats results indexed by keys.
+
+.. zeek:type:: SumStats::ResultVal
+   :source-code: base/frameworks/sumstats/main.zeek 63 74
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: begin :zeek:type:`time`
+
+      The time when the first observation was added to
+      this result value.
+
+
+   .. zeek:field:: end :zeek:type:`time`
+
+      The time when the last observation was added to
+      this result value.
+
+
+   .. zeek:field:: num :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of observations received.
+
+
+   .. zeek:field:: average :zeek:type:`double` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/average.zeek` is loaded)
+
+      For numeric data, this is the average of all values.
+
+
+   .. zeek:field:: hll_unique :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek` is loaded)
+
+      If cardinality is being tracked, the number of unique
+      items is tracked here.
+
+
+   .. zeek:field:: card :zeek:type:`opaque` of cardinality :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek` is loaded)
+
+
+   .. zeek:field:: hll_error_margin :zeek:type:`double` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek` is loaded)
+
+
+   .. zeek:field:: hll_confidence :zeek:type:`double` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek` is loaded)
+
+
+   .. zeek:field:: last_elements :zeek:type:`Queue::Queue` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/last.zeek` is loaded)
+
+      This is the queue where elements are maintained.
+      Don't access this value directly, instead use the
+      :zeek:see:`SumStats::get_last` function to get a vector of
+      the current element values.
+
+
+   .. zeek:field:: max :zeek:type:`double` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/max.zeek` is loaded)
+
+      For numeric data, this tracks the maximum value.
+
+
+   .. zeek:field:: min :zeek:type:`double` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/min.zeek` is loaded)
+
+      For numeric data, this tracks the minimum value.
+
+
+   .. zeek:field:: samples :zeek:type:`vector` of :zeek:type:`SumStats::Observation` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/sample.zeek` is loaded)
+
+      This is the vector in which the samples are maintained.
+
+
+   .. zeek:field:: sample_elements :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/sample.zeek` is loaded)
+
+      Number of total observed elements.
+
+
+   .. zeek:field:: num_samples :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/sample.zeek` is loaded)
+
+
+   .. zeek:field:: variance :zeek:type:`double` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/variance.zeek` is loaded)
+
+      For numeric data, this is the variance.
+
+
+   .. zeek:field:: prev_avg :zeek:type:`double` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/variance.zeek` is loaded)
+
+
+   .. zeek:field:: var_s :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/variance.zeek` is loaded)
+
+
+   .. zeek:field:: std_dev :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/std-dev.zeek` is loaded)
+
+      For numeric data, this calculates the standard deviation.
+
+
+   .. zeek:field:: sum :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/sum.zeek` is loaded)
+
+      For numeric data, this tracks the sum of all values.
+
+
+   .. zeek:field:: topk :zeek:type:`opaque` of topk :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/topk.zeek` is loaded)
+
+      A handle which can be passed to some built-in functions to get
+      the top-k results.
+
+
+   .. zeek:field:: unique :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/unique.zeek` is loaded)
+
+      If cardinality is being tracked, the number of unique
+      values is tracked here.
+
+
+   .. zeek:field:: unique_max :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/unique.zeek` is loaded)
+
+
+   .. zeek:field:: unique_vals :zeek:type:`set` [:zeek:type:`SumStats::Observation`] :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/sumstats/plugins/unique.zeek` is loaded)
+
+
+   Result calculated for an observation stream fed into a reducer.
+   Most of the fields are added by plugins.
+
+.. zeek:type:: SumStats::SumStat
+   :source-code: base/frameworks/sumstats/main.zeek 91 144
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      An arbitrary name for the sumstat so that it can
+      be referred to later.
+
+
+   .. zeek:field:: epoch :zeek:type:`interval`
+
+      The interval at which this sumstat should be "broken"
+      and the *epoch_result* callback called. The
+      results are also reset at this time so any threshold
+      based detection needs to be set to a
+      value that should be expected to happen within
+      this epoch.
+      
+      Passing an epoch of zero (e.g. ``0 secs``) causes this
+      sumstat to be set to manual epochs. You will have to manually
+      end the epoch by calling :zeek:see:`SumStats::next_epoch`.
+
+
+   .. zeek:field:: reducers :zeek:type:`set` [:zeek:type:`SumStats::Reducer`]
+
+      The reducers for the SumStat.
+
+
+   .. zeek:field:: threshold_val :zeek:type:`function` (key: :zeek:type:`SumStats::Key`, result: :zeek:type:`SumStats::Result`) : :zeek:type:`double` :zeek:attr:`&optional`
+
+      A function that will be called once for each observation in order
+      to calculate a value from the :zeek:see:`SumStats::Result` structure
+      which will be used for thresholding.
+      This function is required if a *threshold* value or
+      a *threshold_series* is given.
+
+
+   .. zeek:field:: threshold :zeek:type:`double` :zeek:attr:`&optional`
+
+      The threshold value for calling the *threshold_crossed* callback.
+      If you need more than one threshold value, then use
+      *threshold_series* instead.
+
+
+   .. zeek:field:: threshold_series :zeek:type:`vector` of :zeek:type:`double` :zeek:attr:`&optional`
+
+      A series of thresholds for calling the *threshold_crossed*
+      callback.  These thresholds must be listed in ascending order,
+      because a threshold is not checked until the preceding one has
+      been crossed.
+
+
+   .. zeek:field:: threshold_crossed :zeek:type:`function` (key: :zeek:type:`SumStats::Key`, result: :zeek:type:`SumStats::Result`) : :zeek:type:`void` :zeek:attr:`&optional`
+
+      A callback that is called when a threshold is crossed.
+      A threshold is crossed when the value returned from *threshold_val*
+      is greater than or equal to the threshold value, but only the first
+      time this happens within an epoch.
+
+
+   .. zeek:field:: epoch_result :zeek:type:`function` (ts: :zeek:type:`time`, key: :zeek:type:`SumStats::Key`, result: :zeek:type:`SumStats::Result`) : :zeek:type:`void` :zeek:attr:`&optional`
+
+      A callback that receives each of the results at the
+      end of the analysis epoch.  The function will be
+      called once for each key.
+
+
+   .. zeek:field:: epoch_finished :zeek:type:`function` (ts: :zeek:type:`time`) : :zeek:type:`void` :zeek:attr:`&optional`
+
+      A callback that will be called when a single collection
+      interval is completed.  The *ts* value will be the time of
+      when the collection started.
+
+
+   Represents a SumStat, which consists of an aggregation of reducers along
+   with mechanisms to handle various situations like the epoch ending
+   or thresholds being crossed.
+   
+   It's best to not access any global state outside
+   of the variables given to the callbacks because there
+   is no assurance provided as to where the callbacks
+   will be executed on clusters.
+
+Functions
+#########
+.. zeek:id:: SumStats::create
+   :source-code: base/frameworks/sumstats/main.zeek 392 437
+
+   :Type: :zeek:type:`function` (ss: :zeek:type:`SumStats::SumStat`) : :zeek:type:`void`
+
+   Create a summary statistic.
+   
+
+   :param ss: The SumStat to create.
+
+.. zeek:id:: SumStats::key2str
+   :source-code: base/frameworks/sumstats/main.zeek 285 293
+
+   :Type: :zeek:type:`function` (key: :zeek:type:`SumStats::Key`) : :zeek:type:`string`
+
+   Helper function to represent a :zeek:type:`SumStats::Key` value as
+   a simple string.
+   
+
+   :param key: The metric key that is to be converted into a string.
+   
+
+   :returns: A string representation of the metric key.
+
+.. zeek:id:: SumStats::next_epoch
+   :source-code: base/frameworks/sumstats/main.zeek 272 283
+
+   :Type: :zeek:type:`function` (ss_name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Manually end the current epoch for a sumstat. Calling this function will
+   cause the end of the epoch processing of sumstats to start. Note that the
+   epoch will not end immediately - especially in a cluster settings, a number
+   of messages need to be exchanged between the cluster nodes.
+   
+   Note that this function only can be called if the sumstat was created with
+   an epoch time of zero (manual epochs).
+   
+   In a cluster, this function must be called on the manager; it will not have
+   any effect when called on workers.
+   
+
+   :param ss_name: SumStat name.
+   
+
+   :returns: true on success, false on failure. Failures can be: sumstat not found,
+            or sumstat not created for manual epochs.
+
+.. zeek:id:: SumStats::observe
+   :source-code: base/frameworks/sumstats/main.zeek 439 503
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`string`, orig_key: :zeek:type:`SumStats::Key`, obs: :zeek:type:`SumStats::Observation`) : :zeek:type:`void`
+
+   Add data into an observation stream. This should be
+   called when a script has measured some point value.
+   
+
+   :param id: The observation stream identifier that the data
+       point represents.
+   
+
+   :param key: The key that the value is related to.
+   
+
+   :param obs: The data point to send into the stream.
+
+.. zeek:id:: SumStats::request_key
+   :source-code: base/frameworks/sumstats/non-cluster.zeek 90 100
+
+   :Type: :zeek:type:`function` (ss_name: :zeek:type:`string`, key: :zeek:type:`SumStats::Key`) : :zeek:type:`SumStats::Result`
+
+   Dynamically request a sumstat key.  This function should be
+   used sparingly and not as a replacement for the callbacks
+   from the :zeek:see:`SumStats::SumStat` record. The function is only
+   available for use within "when" statements as an asynchronous
+   function.
+   
+
+   :param ss_name: SumStat name.
+   
+
+   :param key: The SumStat key being requested.
+   
+
+   :returns: The result for the requested sumstat key.
+
+
diff --git a/doc/scripts/base/frameworks/sumstats/non-cluster.zeek.rst b/doc/scripts/base/frameworks/sumstats/non-cluster.zeek.rst
new file mode 100644
index 0000000000..2e29860c6a
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/non-cluster.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/non-cluster.zeek
+=========================================
+.. zeek:namespace:: SumStats
+
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/__load__.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/__load__.zeek.rst
new file mode 100644
index 0000000000..e0b23b6077
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/__load__.zeek
+==============================================
+
+
+:Imports: :doc:`base/frameworks/sumstats/plugins/average.zeek </scripts/base/frameworks/sumstats/plugins/average.zeek>`, :doc:`base/frameworks/sumstats/plugins/hll_unique.zeek </scripts/base/frameworks/sumstats/plugins/hll_unique.zeek>`, :doc:`base/frameworks/sumstats/plugins/last.zeek </scripts/base/frameworks/sumstats/plugins/last.zeek>`, :doc:`base/frameworks/sumstats/plugins/max.zeek </scripts/base/frameworks/sumstats/plugins/max.zeek>`, :doc:`base/frameworks/sumstats/plugins/min.zeek </scripts/base/frameworks/sumstats/plugins/min.zeek>`, :doc:`base/frameworks/sumstats/plugins/sample.zeek </scripts/base/frameworks/sumstats/plugins/sample.zeek>`, :doc:`base/frameworks/sumstats/plugins/std-dev.zeek </scripts/base/frameworks/sumstats/plugins/std-dev.zeek>`, :doc:`base/frameworks/sumstats/plugins/sum.zeek </scripts/base/frameworks/sumstats/plugins/sum.zeek>`, :doc:`base/frameworks/sumstats/plugins/topk.zeek </scripts/base/frameworks/sumstats/plugins/topk.zeek>`, :doc:`base/frameworks/sumstats/plugins/unique.zeek </scripts/base/frameworks/sumstats/plugins/unique.zeek>`, :doc:`base/frameworks/sumstats/plugins/variance.zeek </scripts/base/frameworks/sumstats/plugins/variance.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/average.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/average.zeek.rst
new file mode 100644
index 0000000000..710af2c627
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/average.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/average.zeek
+=============================================
+.. zeek:namespace:: SumStats
+
+Calculate the average.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ========================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::AVERAGE`:
+                                                        Calculate the average of the values.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        average: :zeek:type:`double` :zeek:attr:`&optional`
+                                                          For numeric data, this is the average of all values.
+===================================================== ========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek.rst
new file mode 100644
index 0000000000..b448f8955f
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek.rst
@@ -0,0 +1,61 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/hll_unique.zeek
+================================================
+.. zeek:namespace:: SumStats
+
+Calculate the number of unique values (using the HyperLogLog algorithm).
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ===============================================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::HLL_UNIQUE`:
+                                                        Calculate the number of unique values.
+:zeek:type:`SumStats::Reducer`: :zeek:type:`record`   
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::Reducer`
+                                                      
+                                                        hll_error_margin: :zeek:type:`double` :zeek:attr:`&default` = ``0.01`` :zeek:attr:`&optional`
+                                                          The error margin for HLL.
+                                                      
+                                                        hll_confidence: :zeek:type:`double` :zeek:attr:`&default` = ``0.95`` :zeek:attr:`&optional`
+                                                          The confidence for HLL.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        hll_unique: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                          If cardinality is being tracked, the number of unique
+                                                          items is tracked here.
+                                                      
+                                                        card: :zeek:type:`opaque` of cardinality :zeek:attr:`&optional`
+                                                      
+                                                        hll_error_margin: :zeek:type:`double` :zeek:attr:`&optional`
+                                                      
+                                                        hll_confidence: :zeek:type:`double` :zeek:attr:`&optional`
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        hll_unique: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                          If cardinality is being tracked, the number of unique
+                                                          items is tracked here.
+                                                      
+                                                        card: :zeek:type:`opaque` of cardinality :zeek:attr:`&optional`
+                                                      
+                                                        hll_error_margin: :zeek:type:`double` :zeek:attr:`&optional`
+                                                      
+                                                        hll_confidence: :zeek:type:`double` :zeek:attr:`&optional`
+===================================================== ===============================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/index.rst b/doc/scripts/base/frameworks/sumstats/plugins/index.rst
new file mode 100644
index 0000000000..d16fc990b0
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/index.rst
@@ -0,0 +1,59 @@
+:orphan:
+
+Package: base/frameworks/sumstats/plugins
+=========================================
+
+Plugins for the summary statistics framework.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/average.zeek`
+
+   Calculate the average.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/hll_unique.zeek`
+
+   Calculate the number of unique values (using the HyperLogLog algorithm).
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/last.zeek`
+
+   Keep the last X observations.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/max.zeek`
+
+   Find the maximum value.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/min.zeek`
+
+   Find the minimum value.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/sample.zeek`
+
+   Keep a random sample of values.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/std-dev.zeek`
+
+   Calculate the standard deviation.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/variance.zeek`
+
+   Calculate the variance.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/sum.zeek`
+
+   Calculate the sum.
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/topk.zeek`
+
+   Keep the top-k (i.e., most frequently occurring) observations.
+   
+   This plugin uses a probabilistic algorithm to count the top-k elements.
+   The algorithm (called Space-Saving) is described in the paper Efficient
+   Computation of Frequent and Top-k Elements in Data Streams", by
+   Metwally et al. (2005).
+
+:doc:`/scripts/base/frameworks/sumstats/plugins/unique.zeek`
+
+   Calculate the number of unique values.
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/last.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/last.zeek.rst
new file mode 100644
index 0000000000..619e793d11
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/last.zeek.rst
@@ -0,0 +1,53 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/last.zeek
+==========================================
+.. zeek:namespace:: SumStats
+
+Keep the last X observations.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/utils/queue.zeek </scripts/base/utils/queue.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ============================================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::LAST`:
+                                                        Keep last X observations in a queue.
+:zeek:type:`SumStats::Reducer`: :zeek:type:`record`   
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::Reducer`
+                                                      
+                                                        num_last_elements: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                          Number of elements to keep.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        last_elements: :zeek:type:`Queue::Queue` :zeek:attr:`&optional`
+                                                          This is the queue where elements are maintained.
+===================================================== ============================================================================================
+
+Functions
+#########
+==================================================== ================================================
+:zeek:id:`SumStats::get_last`: :zeek:type:`function` Get a vector of element values from a ResultVal.
+==================================================== ================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: SumStats::get_last
+   :source-code: base/frameworks/sumstats/plugins/last.zeek 31 48
+
+   :Type: :zeek:type:`function` (rv: :zeek:type:`SumStats::ResultVal`) : :zeek:type:`vector` of :zeek:type:`SumStats::Observation`
+
+   Get a vector of element values from a ResultVal.
+
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/max.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/max.zeek.rst
new file mode 100644
index 0000000000..b225cfb8b7
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/max.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/max.zeek
+=========================================
+.. zeek:namespace:: SumStats
+
+Find the maximum value.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ====================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::MAX`:
+                                                        Find the maximum value.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        max: :zeek:type:`double` :zeek:attr:`&optional`
+                                                          For numeric data, this tracks the maximum value.
+===================================================== ====================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/min.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/min.zeek.rst
new file mode 100644
index 0000000000..41e7af229b
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/min.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/min.zeek
+=========================================
+.. zeek:namespace:: SumStats
+
+Find the minimum value.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ====================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::MIN`:
+                                                        Find the minimum value.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        min: :zeek:type:`double` :zeek:attr:`&optional`
+                                                          For numeric data, this tracks the minimum value.
+===================================================== ====================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/sample.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/sample.zeek.rst
new file mode 100644
index 0000000000..6716bc794a
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/sample.zeek.rst
@@ -0,0 +1,55 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/sample.zeek
+============================================
+.. zeek:namespace:: SumStats
+
+Keep a random sample of values.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ==========================================================================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::SAMPLE`:
+                                                        Get uniquely distributed random samples from the observation
+                                                        stream.
+:zeek:type:`SumStats::Reducer`: :zeek:type:`record`   
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::Reducer`
+                                                      
+                                                        num_samples: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                          The number of sample Observations to collect.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        samples: :zeek:type:`vector` of :zeek:type:`SumStats::Observation` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+                                                          This is the vector in which the samples are maintained.
+                                                      
+                                                        sample_elements: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                          Number of total observed elements.
+                                                      
+                                                        num_samples: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        samples: :zeek:type:`vector` of :zeek:type:`SumStats::Observation` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+                                                          This is the vector in which the samples are maintained.
+                                                      
+                                                        sample_elements: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                          Number of total observed elements.
+                                                      
+                                                        num_samples: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+===================================================== ==========================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/std-dev.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/std-dev.zeek.rst
new file mode 100644
index 0000000000..2ffd5a01ac
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/std-dev.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/std-dev.zeek
+=============================================
+.. zeek:namespace:: SumStats
+
+Calculate the standard deviation.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`, :doc:`base/frameworks/sumstats/plugins/variance.zeek </scripts/base/frameworks/sumstats/plugins/variance.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== =====================================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::STD_DEV`:
+                                                        Calculate the standard deviation of the values.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        std_dev: :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+                                                          For numeric data, this calculates the standard deviation.
+===================================================== =====================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/sum.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/sum.zeek.rst
new file mode 100644
index 0000000000..b72d79e0c4
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/sum.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/sum.zeek
+=========================================
+.. zeek:namespace:: SumStats
+
+Calculate the sum.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== =================================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::SUM`:
+                                                        Calculate the sum of the values.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        sum: :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+                                                          For numeric data, this tracks the sum of all values.
+===================================================== =================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/topk.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/topk.zeek.rst
new file mode 100644
index 0000000000..0afe944784
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/topk.zeek.rst
@@ -0,0 +1,44 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/topk.zeek
+==========================================
+.. zeek:namespace:: SumStats
+
+Keep the top-k (i.e., most frequently occurring) observations.
+
+This plugin uses a probabilistic algorithm to count the top-k elements.
+The algorithm (called Space-Saving) is described in the paper Efficient
+Computation of Frequent and Top-k Elements in Data Streams", by
+Metwally et al. (2005).
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ======================================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::TOPK`:
+                                                        Keep a top-k list of values.
+:zeek:type:`SumStats::Reducer`: :zeek:type:`record`   
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::Reducer`
+                                                      
+                                                        topk_size: :zeek:type:`count` :zeek:attr:`&default` = ``500`` :zeek:attr:`&optional`
+                                                          Number of elements to keep in the top-k list.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        topk: :zeek:type:`opaque` of topk :zeek:attr:`&optional`
+                                                          A handle which can be passed to some built-in functions to get
+                                                          the top-k results.
+===================================================== ======================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/unique.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/unique.zeek.rst
new file mode 100644
index 0000000000..3585b9513c
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/unique.zeek.rst
@@ -0,0 +1,54 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/unique.zeek
+============================================
+.. zeek:namespace:: SumStats
+
+Calculate the number of unique values.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ===========================================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::UNIQUE`:
+                                                        Calculate the number of unique values.
+:zeek:type:`SumStats::Reducer`: :zeek:type:`record`   
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::Reducer`
+                                                      
+                                                        unique_max: :zeek:type:`count` :zeek:attr:`&optional`
+                                                          Maximum number of unique values to store.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        unique: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                          If cardinality is being tracked, the number of unique
+                                                          values is tracked here.
+                                                      
+                                                        unique_max: :zeek:type:`count` :zeek:attr:`&optional`
+                                                      
+                                                        unique_vals: :zeek:type:`set` [:zeek:type:`SumStats::Observation`] :zeek:attr:`&optional`
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        unique: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                          If cardinality is being tracked, the number of unique
+                                                          values is tracked here.
+                                                      
+                                                        unique_max: :zeek:type:`count` :zeek:attr:`&optional`
+                                                      
+                                                        unique_vals: :zeek:type:`set` [:zeek:type:`SumStats::Observation`] :zeek:attr:`&optional`
+===================================================== ===========================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/sumstats/plugins/variance.zeek.rst b/doc/scripts/base/frameworks/sumstats/plugins/variance.zeek.rst
new file mode 100644
index 0000000000..ef216c5a3c
--- /dev/null
+++ b/doc/scripts/base/frameworks/sumstats/plugins/variance.zeek.rst
@@ -0,0 +1,46 @@
+:tocdepth: 3
+
+base/frameworks/sumstats/plugins/variance.zeek
+==============================================
+.. zeek:namespace:: SumStats
+
+Calculate the variance.
+
+:Namespace: SumStats
+:Imports: :doc:`base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>`, :doc:`base/frameworks/sumstats/plugins/average.zeek </scripts/base/frameworks/sumstats/plugins/average.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+===================================================== ===================================================================================
+:zeek:type:`SumStats::Calculation`: :zeek:type:`enum` 
+                                                      
+                                                      * :zeek:enum:`SumStats::VARIANCE`:
+                                                        Calculate the variance of the values.
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        variance: :zeek:type:`double` :zeek:attr:`&optional`
+                                                          For numeric data, this is the variance.
+                                                      
+                                                        prev_avg: :zeek:type:`double` :zeek:attr:`&optional`
+                                                      
+                                                        var_s: :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+:zeek:type:`SumStats::ResultVal`: :zeek:type:`record` 
+                                                      
+                                                      :New Fields: :zeek:type:`SumStats::ResultVal`
+                                                      
+                                                        variance: :zeek:type:`double` :zeek:attr:`&optional`
+                                                          For numeric data, this is the variance.
+                                                      
+                                                        prev_avg: :zeek:type:`double` :zeek:attr:`&optional`
+                                                      
+                                                        var_s: :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+===================================================== ===================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/supervisor/__load__.zeek.rst b/doc/scripts/base/frameworks/supervisor/__load__.zeek.rst
new file mode 100644
index 0000000000..f0241dc3e6
--- /dev/null
+++ b/doc/scripts/base/frameworks/supervisor/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/supervisor/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/frameworks/supervisor/api.zeek </scripts/base/frameworks/supervisor/api.zeek>`, :doc:`base/frameworks/supervisor/control.zeek </scripts/base/frameworks/supervisor/control.zeek>`, :doc:`base/frameworks/supervisor/main.zeek </scripts/base/frameworks/supervisor/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/supervisor/api.zeek.rst b/doc/scripts/base/frameworks/supervisor/api.zeek.rst
new file mode 100644
index 0000000000..288f4953e7
--- /dev/null
+++ b/doc/scripts/base/frameworks/supervisor/api.zeek.rst
@@ -0,0 +1,377 @@
+:tocdepth: 3
+
+base/frameworks/supervisor/api.zeek
+===================================
+.. zeek:namespace:: Supervisor
+
+The Zeek process supervision API.
+This API was introduced in Zeek 3.1.0 and considered unstable until 4.0.0.
+That is, it may change in various incompatible ways without warning or
+deprecation until the stable 4.0.0 release.
+
+:Namespace: Supervisor
+
+Summary
+~~~~~~~
+Types
+#####
+============================================================= ========================================================================
+:zeek:type:`Supervisor::ClusterEndpoint`: :zeek:type:`record` Describes configuration of a supervised-node within Zeek's Cluster
+                                                              Framework.
+:zeek:type:`Supervisor::ClusterRole`: :zeek:type:`enum`       The role a supervised-node will play in Zeek's Cluster Framework.
+:zeek:type:`Supervisor::NodeConfig`: :zeek:type:`record`      Configuration options that influence behavior of a supervised Zeek node.
+:zeek:type:`Supervisor::NodeStatus`: :zeek:type:`record`      The current status of a supervised node.
+:zeek:type:`Supervisor::Status`: :zeek:type:`record`          The current status of a set of supervised nodes.
+============================================================= ========================================================================
+
+Events
+######
+====================================================== ================================================================
+:zeek:id:`Supervisor::node_status`: :zeek:type:`event` A notification event the Supervisor generates when it receives a
+                                                       status message update from the stem, indicating node has
+                                                       (re-)started.
+====================================================== ================================================================
+
+Hooks
+#####
+===================================================== ==================================================================
+:zeek:id:`Supervisor::stderr_hook`: :zeek:type:`hook` Hooks into the stderr stream for all supervisor's child processes.
+:zeek:id:`Supervisor::stdout_hook`: :zeek:type:`hook` Hooks into the stdout stream for all supervisor's child processes.
+===================================================== ==================================================================
+
+Functions
+#########
+=========================================================== =============================================================
+:zeek:id:`Supervisor::create`: :zeek:type:`function`        Create a new supervised node process.
+:zeek:id:`Supervisor::destroy`: :zeek:type:`function`       Destroy and remove a supervised node process.
+:zeek:id:`Supervisor::is_supervised`: :zeek:type:`function` Returns: true if this is a supervised node process.
+:zeek:id:`Supervisor::is_supervisor`: :zeek:type:`function` Returns: true if this is the Supervisor process.
+:zeek:id:`Supervisor::node`: :zeek:type:`function`          Returns: the node configuration if this is a supervised node.
+:zeek:id:`Supervisor::restart`: :zeek:type:`function`       Restart a supervised node process by destroying (killing) and
+                                                            re-recreating it.
+:zeek:id:`Supervisor::status`: :zeek:type:`function`        Retrieve current status of a supervised node process.
+=========================================================== =============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Supervisor::ClusterEndpoint
+   :source-code: base/frameworks/supervisor/api.zeek 20 35
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: role :zeek:type:`Supervisor::ClusterRole`
+
+      The role a supervised-node will play in Zeek's Cluster Framework.
+
+
+   .. zeek:field:: host :zeek:type:`addr`
+
+      The host/IP at which the cluster node runs.
+
+
+   .. zeek:field:: p :zeek:type:`port`
+
+      The TCP port at which the cluster node listens for connections.
+
+
+   .. zeek:field:: interface :zeek:type:`string` :zeek:attr:`&optional`
+
+      The interface name from which the node will read/analyze packets.
+      Typically used by worker nodes.
+
+
+   .. zeek:field:: pcap_file :zeek:type:`string` :zeek:attr:`&optional`
+
+      The PCAP file name from which the node will read/analyze packets.
+      Typically used by worker nodes.
+
+
+   .. zeek:field:: metrics_port :zeek:type:`port` :zeek:attr:`&optional`
+
+      The TCP port at which the cluster node exposes metrics for Prometheus.
+
+
+   Describes configuration of a supervised-node within Zeek's Cluster
+   Framework.
+
+.. zeek:type:: Supervisor::ClusterRole
+   :source-code: base/frameworks/supervisor/api.zeek 10 10
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Supervisor::NONE Supervisor::ClusterRole
+
+      .. zeek:enum:: Supervisor::LOGGER Supervisor::ClusterRole
+
+      .. zeek:enum:: Supervisor::MANAGER Supervisor::ClusterRole
+
+      .. zeek:enum:: Supervisor::PROXY Supervisor::ClusterRole
+
+      .. zeek:enum:: Supervisor::WORKER Supervisor::ClusterRole
+
+   The role a supervised-node will play in Zeek's Cluster Framework.
+
+.. zeek:type:: Supervisor::NodeConfig
+   :source-code: base/frameworks/supervisor/api.zeek 38 73
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      The name of the supervised node.  These are unique within a given
+      supervised process tree and typically human-readable.
+
+
+   .. zeek:field:: interface :zeek:type:`string` :zeek:attr:`&optional`
+
+      The interface name from which the node will read/analyze packets.
+
+
+   .. zeek:field:: pcap_file :zeek:type:`string` :zeek:attr:`&optional`
+
+      The PCAP file name from which the node will read/analyze packets.
+
+
+   .. zeek:field:: directory :zeek:type:`string` :zeek:attr:`&optional`
+
+      The working directory that the node should use.
+
+
+   .. zeek:field:: stdout_file :zeek:type:`string` :zeek:attr:`&optional`
+
+      The filename/path to which the node's stdout will be redirected.
+
+
+   .. zeek:field:: stderr_file :zeek:type:`string` :zeek:attr:`&optional`
+
+      The filename/path to which the node's stderr will be redirected.
+
+
+   .. zeek:field:: bare_mode :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Whether to start the node in bare mode. When left out, the node
+      inherits the bare-mode status the supervisor itself runs with.
+
+
+   .. zeek:field:: addl_base_scripts :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      Additional script filenames/paths that the node should load
+      after the base scripts, and prior to any user-specified ones.
+
+
+   .. zeek:field:: addl_user_scripts :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      Additional script filenames/paths that the node should load
+      after any user-specified scripts.
+
+
+   .. zeek:field:: env :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Environment variables to define in the supervised node.
+
+
+   .. zeek:field:: cpu_affinity :zeek:type:`int` :zeek:attr:`&optional`
+
+      A cpu/core number to which the node will try to pin itself.
+
+
+   .. zeek:field:: cluster :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Supervisor::ClusterEndpoint` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      The Cluster Layout definition.  Each node in the Cluster Framework
+      knows about the full, static cluster topology to which it belongs.
+      Entries use node names for keys.  The Supervisor framework will
+      automatically translate this table into the right Cluster Framework
+      configuration when spawning supervised-nodes.  E.g. it will
+      populate the both the CLUSTER_NODE environment variable and
+      :zeek:see:`Cluster::nodes` table.
+
+
+   Configuration options that influence behavior of a supervised Zeek node.
+
+.. zeek:type:: Supervisor::NodeStatus
+   :source-code: base/frameworks/supervisor/api.zeek 76 82
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: node :zeek:type:`Supervisor::NodeConfig`
+
+      The desired node configuration.
+
+
+   .. zeek:field:: pid :zeek:type:`int` :zeek:attr:`&optional`
+
+      The current or last known process ID of the node.  This may not
+      be initialized if the process has not yet started.
+
+
+   The current status of a supervised node.
+
+.. zeek:type:: Supervisor::Status
+   :source-code: base/frameworks/supervisor/api.zeek 85 88
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nodes :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Supervisor::NodeStatus`
+
+      The status of supervised nodes, keyed by node names.
+
+
+   The current status of a set of supervised nodes.
+
+Events
+######
+.. zeek:id:: Supervisor::node_status
+   :source-code: base/frameworks/supervisor/api.zeek 174 174
+
+   :Type: :zeek:type:`event` (node: :zeek:type:`string`, pid: :zeek:type:`count`)
+
+   A notification event the Supervisor generates when it receives a
+   status message update from the stem, indicating node has
+   (re-)started.
+   
+
+   :param node: the name of a previously created node via
+         :zeek:see:`Supervisor::create` indicating to which
+         child process the stdout line is associated.
+   
+
+   :param pid: the process ID the stem reported for this node.
+
+Hooks
+#####
+.. zeek:id:: Supervisor::stderr_hook
+   :source-code: policy/frameworks/management/supervisor/main.zeek 77 92
+
+   :Type: :zeek:type:`hook` (node: :zeek:type:`string`, msg: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Hooks into the stderr stream for all supervisor's child processes.
+   If a hook terminates with ``break``, that will suppress output to the
+   associated stream.
+   
+
+   :param node: the name of a previously created node via
+         :zeek:see:`Supervisor::create` indicating to which
+         child process the stdout line is associated.
+         A empty value is used to indicate the message
+         came from the internal supervisor stem process.
+         (this should typically never happen).
+   
+
+   :param msg: line-buffered contents from the stderr of a child process.
+
+.. zeek:id:: Supervisor::stdout_hook
+   :source-code: policy/frameworks/management/supervisor/main.zeek 55 75
+
+   :Type: :zeek:type:`hook` (node: :zeek:type:`string`, msg: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Hooks into the stdout stream for all supervisor's child processes.
+   If a hook terminates with ``break``, that will suppress output to the
+   associated stream.
+   
+
+   :param node: the name of a previously created node via
+         :zeek:see:`Supervisor::create` indicating to which
+         child process the stdout line is associated.
+         An empty value is used to indicate the message
+         came from the internal supervisor stem process
+         (this should typically never happen).
+   
+
+   :param msg: line-buffered contents from the stdout of a child process.
+
+Functions
+#########
+.. zeek:id:: Supervisor::create
+   :source-code: base/frameworks/supervisor/main.zeek 12 15
+
+   :Type: :zeek:type:`function` (node: :zeek:type:`Supervisor::NodeConfig`) : :zeek:type:`string`
+
+   Create a new supervised node process.
+   It's an error to call this from a process other than a Supervisor.
+   
+
+   :param node: the desired configuration for the new supervised node process.
+   
+
+   :returns: an empty string on success or description of the error/failure.
+
+.. zeek:id:: Supervisor::destroy
+   :source-code: base/frameworks/supervisor/main.zeek 17 20
+
+   :Type: :zeek:type:`function` (node: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Destroy and remove a supervised node process.
+   It's an error to call this from a process other than a Supervisor.
+   
+
+   :param node: the name of the node to destroy or an empty string to mean
+         "all nodes".
+   
+
+   :returns: true on success.
+
+.. zeek:id:: Supervisor::is_supervised
+   :source-code: base/frameworks/supervisor/main.zeek 32 35
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+
+   :returns: true if this is a supervised node process.
+
+.. zeek:id:: Supervisor::is_supervisor
+   :source-code: base/frameworks/supervisor/main.zeek 27 30
+
+   :Type: :zeek:type:`function` () : :zeek:type:`bool`
+
+
+   :returns: true if this is the Supervisor process.
+
+.. zeek:id:: Supervisor::node
+   :source-code: base/frameworks/supervisor/main.zeek 37 40
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Supervisor::NodeConfig`
+
+
+   :returns: the node configuration if this is a supervised node.
+            It's an error to call this function from a process other than
+            a supervised one.
+
+.. zeek:id:: Supervisor::restart
+   :source-code: base/frameworks/supervisor/main.zeek 22 25
+
+   :Type: :zeek:type:`function` (node: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Restart a supervised node process by destroying (killing) and
+   re-recreating it.
+   It's an error to call this from a process other than a Supervisor.
+   
+
+   :param node: the name of the node to restart or an empty string to mean
+         "all nodes".
+   
+
+   :returns: true on success.
+
+.. zeek:id:: Supervisor::status
+   :source-code: base/frameworks/supervisor/main.zeek 7 10
+
+   :Type: :zeek:type:`function` (node: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`Supervisor::Status`
+
+   Retrieve current status of a supervised node process.
+   It's an error to call this from a process other than a Supervisor.
+   
+
+   :param node: the name of the node to get the status of or an empty string
+         to mean "all nodes".
+   
+
+   :returns: the current status of a set of nodes.
+
+
diff --git a/doc/scripts/base/frameworks/supervisor/control.zeek.rst b/doc/scripts/base/frameworks/supervisor/control.zeek.rst
new file mode 100644
index 0000000000..cb9be9c487
--- /dev/null
+++ b/doc/scripts/base/frameworks/supervisor/control.zeek.rst
@@ -0,0 +1,226 @@
+:tocdepth: 3
+
+base/frameworks/supervisor/control.zeek
+=======================================
+.. zeek:namespace:: SupervisorControl
+
+The Zeek process supervision (remote) control API.  This defines a Broker topic
+prefix and events that can be used to control an external Zeek supervisor process.
+This API was introduced in Zeek 3.1.0 and considered unstable until 4.0.0.
+That is, it may change in various incompatible ways without warning or
+deprecation until the stable 4.0.0 release.
+
+:Namespace: SupervisorControl
+:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/supervisor/api.zeek </scripts/base/frameworks/supervisor/api.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=================================================================================== =================================================================
+:zeek:id:`SupervisorControl::enable_listen`: :zeek:type:`bool` :zeek:attr:`&redef`  When enabled, the Supervisor will listen on the configured Broker
+                                                                                    :zeek:see:`Broker::default_listen_address`.
+:zeek:id:`SupervisorControl::topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef` The Broker topic prefix to use when subscribing to Supervisor API
+                                                                                    requests and when publishing Supervisor API responses.
+=================================================================================== =================================================================
+
+Events
+######
+================================================================== ======================================================================
+:zeek:id:`SupervisorControl::create_request`: :zeek:type:`event`   Send a request to a remote Supervisor process to create a node.
+:zeek:id:`SupervisorControl::create_response`: :zeek:type:`event`  Handle a response from a Supervisor process that received
+                                                                   :zeek:see:`SupervisorControl::create_request`.
+:zeek:id:`SupervisorControl::destroy_request`: :zeek:type:`event`  Send a request to a remote Supervisor process to destroy a node.
+:zeek:id:`SupervisorControl::destroy_response`: :zeek:type:`event` Handle a response from a Supervisor process that received
+                                                                   :zeek:see:`SupervisorControl::destroy_request`.
+:zeek:id:`SupervisorControl::node_status`: :zeek:type:`event`      A notification event the Supervisor generates when it receives a
+                                                                   status message update from the stem, indicating node has
+                                                                   (re-)started.
+:zeek:id:`SupervisorControl::restart_request`: :zeek:type:`event`  Send a request to a remote Supervisor process to restart a node.
+:zeek:id:`SupervisorControl::restart_response`: :zeek:type:`event` Handle a response from a Supervisor process that received
+                                                                   :zeek:see:`SupervisorControl::restart_request`.
+:zeek:id:`SupervisorControl::status_request`: :zeek:type:`event`   Send a request to a remote Supervisor process to retrieve node status.
+:zeek:id:`SupervisorControl::status_response`: :zeek:type:`event`  Handle a response from a Supervisor process that received
+                                                                   :zeek:see:`SupervisorControl::status_request`.
+:zeek:id:`SupervisorControl::stop_request`: :zeek:type:`event`     Send a request to a remote Supervisor to stop and shutdown its
+                                                                   process tree.
+================================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: SupervisorControl::enable_listen
+   :source-code: base/frameworks/supervisor/control.zeek 21 21
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/agent/boot.zeek`
+
+      ``=``::
+
+         T
+
+
+   When enabled, the Supervisor will listen on the configured Broker
+   :zeek:see:`Broker::default_listen_address`.
+
+.. zeek:id:: SupervisorControl::topic_prefix
+   :source-code: base/frameworks/supervisor/control.zeek 17 17
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/supervisor"``
+
+   The Broker topic prefix to use when subscribing to Supervisor API
+   requests and when publishing Supervisor API responses.  If you are
+   publishing Supervisor requests, this is also the prefix string to use
+   for their topic names.
+
+Events
+######
+.. zeek:id:: SupervisorControl::create_request
+   :source-code: base/frameworks/supervisor/main.zeek 73 81
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, node: :zeek:type:`Supervisor::NodeConfig`)
+
+   Send a request to a remote Supervisor process to create a node.
+   
+
+   :param reqid: an arbitrary string that will be directly echoed in the response
+   
+
+   :param node: the desired configuration for the new supervised node process.
+
+.. zeek:id:: SupervisorControl::create_response
+   :source-code: policy/frameworks/management/agent/main.zeek 286 308
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`string`)
+
+   Handle a response from a Supervisor process that received
+   :zeek:see:`SupervisorControl::create_request`.
+   
+
+   :param reqid: an arbitrary string matching the value in the original request.
+   
+
+   :param result: the return value of the remote call to
+           :zeek:see:`Supervisor::create`.
+
+.. zeek:id:: SupervisorControl::destroy_request
+   :source-code: base/frameworks/supervisor/main.zeek 83 91
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, node: :zeek:type:`string`)
+
+   Send a request to a remote Supervisor process to destroy a node.
+   
+
+   :param reqid: an arbitrary string that will be directly echoed in the response
+   
+
+   :param node: the name of the node to destroy or empty string to mean "all
+         nodes".
+
+.. zeek:id:: SupervisorControl::destroy_response
+   :source-code: policy/frameworks/management/agent/main.zeek 310 332
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`bool`)
+
+   Handle a response from a Supervisor process that received
+   :zeek:see:`SupervisorControl::destroy_request`.
+   
+
+   :param reqid: an arbitrary string matching the value in the original request.
+   
+
+   :param result: the return value of the remote call to
+           :zeek:see:`Supervisor::destroy`.
+
+.. zeek:id:: SupervisorControl::node_status
+   :source-code: base/frameworks/supervisor/control.zeek 105 105
+
+   :Type: :zeek:type:`event` (node: :zeek:type:`string`, pid: :zeek:type:`count`)
+
+   A notification event the Supervisor generates when it receives a
+   status message update from the stem, indicating node has
+   (re-)started. This is the remote equivalent of
+   :zeek:see:`Supervisor::node_status`.
+   
+
+   :param node: the name of a previously created node via
+         :zeek:see:`Supervisor::create` indicating to which
+         child process the stdout line is associated.
+   
+
+   :param pid: the process ID the stem reported for this node.
+
+.. zeek:id:: SupervisorControl::restart_request
+   :source-code: base/frameworks/supervisor/main.zeek 93 101
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, node: :zeek:type:`string`)
+
+   Send a request to a remote Supervisor process to restart a node.
+   
+
+   :param reqid: an arbitrary string that will be directly echoed in the response
+   
+
+   :param node: the name of the node to restart or empty string to mean "all
+         nodes".
+
+.. zeek:id:: SupervisorControl::restart_response
+   :source-code: policy/frameworks/management/agent/main.zeek 334 357
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`bool`)
+
+   Handle a response from a Supervisor process that received
+   :zeek:see:`SupervisorControl::restart_request`.
+   
+
+   :param reqid: an arbitrary string matching the value in the original request.
+   
+
+   :param result: the return value of the remote call to
+           :zeek:see:`Supervisor::restart`.
+
+.. zeek:id:: SupervisorControl::status_request
+   :source-code: base/frameworks/supervisor/main.zeek 63 71
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, node: :zeek:type:`string`)
+
+   Send a request to a remote Supervisor process to retrieve node status.
+   
+
+   :param reqid: an arbitrary string that will be directly echoed in the response
+   
+
+   :param node: the name of the node to get status of or empty string to mean "all
+         nodes".
+
+.. zeek:id:: SupervisorControl::status_response
+   :source-code: policy/frameworks/management/agent/main.zeek 271 284
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`Supervisor::Status`)
+
+   Handle a response from a Supervisor process that received
+   :zeek:see:`SupervisorControl::status_request`.
+   
+
+   :param reqid: an arbitrary string matching the value in the original request.
+   
+
+   :param result: the return value of the remote call to
+           :zeek:see:`Supervisor::status`.
+
+.. zeek:id:: SupervisorControl::stop_request
+   :source-code: base/frameworks/supervisor/main.zeek 55 61
+
+   :Type: :zeek:type:`event` ()
+
+   Send a request to a remote Supervisor to stop and shutdown its
+   process tree.  There is no response to this message as the Supervisor
+   simply terminates on receipt.
+
+
diff --git a/doc/scripts/base/frameworks/supervisor/index.rst b/doc/scripts/base/frameworks/supervisor/index.rst
new file mode 100644
index 0000000000..45f6dbff39
--- /dev/null
+++ b/doc/scripts/base/frameworks/supervisor/index.rst
@@ -0,0 +1,29 @@
+:orphan:
+
+Package: base/frameworks/supervisor
+===================================
+
+
+:doc:`/scripts/base/frameworks/supervisor/api.zeek`
+
+   The Zeek process supervision API.
+   This API was introduced in Zeek 3.1.0 and considered unstable until 4.0.0.
+   That is, it may change in various incompatible ways without warning or
+   deprecation until the stable 4.0.0 release.
+
+:doc:`/scripts/base/frameworks/supervisor/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/supervisor/control.zeek`
+
+   The Zeek process supervision (remote) control API.  This defines a Broker topic
+   prefix and events that can be used to control an external Zeek supervisor process.
+   This API was introduced in Zeek 3.1.0 and considered unstable until 4.0.0.
+   That is, it may change in various incompatible ways without warning or
+   deprecation until the stable 4.0.0 release.
+
+:doc:`/scripts/base/frameworks/supervisor/main.zeek`
+
+   Implements Zeek process supervision API and default behavior for its
+   associated (remote) control events.
+
diff --git a/doc/scripts/base/frameworks/supervisor/main.zeek.rst b/doc/scripts/base/frameworks/supervisor/main.zeek.rst
new file mode 100644
index 0000000000..f845b9f44e
--- /dev/null
+++ b/doc/scripts/base/frameworks/supervisor/main.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+base/frameworks/supervisor/main.zeek
+====================================
+
+Implements Zeek process supervision API and default behavior for its
+associated (remote) control events.
+
+:Imports: :doc:`base/frameworks/supervisor/api.zeek </scripts/base/frameworks/supervisor/api.zeek>`, :doc:`base/frameworks/supervisor/control.zeek </scripts/base/frameworks/supervisor/control.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/telemetry/__load__.zeek.rst b/doc/scripts/base/frameworks/telemetry/__load__.zeek.rst
new file mode 100644
index 0000000000..74b82d624d
--- /dev/null
+++ b/doc/scripts/base/frameworks/telemetry/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/telemetry/__load__.zeek
+=======================================
+
+
+:Imports: :doc:`base/frameworks/telemetry/main.zeek </scripts/base/frameworks/telemetry/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/telemetry/index.rst b/doc/scripts/base/frameworks/telemetry/index.rst
new file mode 100644
index 0000000000..28685d1965
--- /dev/null
+++ b/doc/scripts/base/frameworks/telemetry/index.rst
@@ -0,0 +1,25 @@
+:orphan:
+
+Package: base/frameworks/telemetry
+==================================
+
+
+:doc:`/scripts/base/frameworks/telemetry/options.zeek`
+
+   Configurable settings for the Telemetry framework.
+   
+   These reside separately from the main framework so that they can be loaded
+   in bare mode without all of the framework. This allows things like the
+   plugins.hooks test to see the options without needing the rest.
+
+:doc:`/scripts/base/frameworks/telemetry/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/telemetry/main.zeek`
+
+   Module for recording and querying metrics. This modules wraps
+   the lower-level telemetry.bif functions.
+   
+   Metrics will be exposed through a Prometheus HTTP endpoint when
+   enabled by setting :zeek:see:`Telemetry::metrics_port`.
+
diff --git a/doc/scripts/base/frameworks/telemetry/main.zeek.rst b/doc/scripts/base/frameworks/telemetry/main.zeek.rst
new file mode 100644
index 0000000000..52f6f849e9
--- /dev/null
+++ b/doc/scripts/base/frameworks/telemetry/main.zeek.rst
@@ -0,0 +1,469 @@
+:tocdepth: 3
+
+base/frameworks/telemetry/main.zeek
+===================================
+.. zeek:namespace:: Telemetry
+
+Module for recording and querying metrics. This modules wraps
+the lower-level telemetry.bif functions.
+
+Metrics will be exposed through a Prometheus HTTP endpoint when
+enabled by setting :zeek:see:`Telemetry::metrics_port`.
+
+:Namespace: Telemetry
+:Imports: :doc:`base/bif/telemetry_functions.bif.zeek </scripts/base/bif/telemetry_functions.bif.zeek>`, :doc:`base/misc/version.zeek </scripts/base/misc/version.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================================ =========================================================================
+:zeek:type:`Telemetry::Counter`: :zeek:type:`record`         Type representing a counter metric with initialized label values.
+:zeek:type:`Telemetry::CounterFamily`: :zeek:type:`record`   Type representing a family of counters with uninitialized label values.
+:zeek:type:`Telemetry::Gauge`: :zeek:type:`record`           Type representing a gauge metric with initialized label values.
+:zeek:type:`Telemetry::GaugeFamily`: :zeek:type:`record`     Type representing a family of gauges with uninitialized label values.
+:zeek:type:`Telemetry::Histogram`: :zeek:type:`record`       Type representing a histogram metric with initialized label values.
+:zeek:type:`Telemetry::HistogramFamily`: :zeek:type:`record` Type representing a family of histograms with uninitialized label values.
+:zeek:type:`Telemetry::labels_vector`: :zeek:type:`vector`   Alias for a vector of label values.
+============================================================ =========================================================================
+
+Functions
+#########
+====================================================================== ============================================================================================
+:zeek:id:`Telemetry::collect_histogram_metrics`: :zeek:type:`function` Collect all histograms and their observations matching the given
+                                                                       *prefix* and *name*.
+:zeek:id:`Telemetry::collect_metrics`: :zeek:type:`function`           Collect all counter and gauge metrics matching the given *name* and *prefix*.
+:zeek:id:`Telemetry::counter_family_inc`: :zeek:type:`function`        Increment a :zeek:see:`Telemetry::Counter` through the :zeek:see:`Telemetry::CounterFamily`.
+:zeek:id:`Telemetry::counter_family_set`: :zeek:type:`function`        Set a :zeek:see:`Telemetry::Counter` through the :zeek:see:`Telemetry::CounterFamily`.
+:zeek:id:`Telemetry::counter_inc`: :zeek:type:`function`               Increment a :zeek:see:`Telemetry::Counter` by ``amount``.
+:zeek:id:`Telemetry::counter_set`: :zeek:type:`function`               Helper to set a :zeek:see:`Telemetry::Counter` to the given ``value``.
+:zeek:id:`Telemetry::counter_with`: :zeek:type:`function`              Get a :zeek:see:`Telemetry::Counter` instance given family and label values.
+:zeek:id:`Telemetry::gauge_dec`: :zeek:type:`function`                 Decrement a :zeek:see:`Telemetry::Gauge` by ``amount``.
+:zeek:id:`Telemetry::gauge_family_dec`: :zeek:type:`function`          Decrement a :zeek:see:`Telemetry::Gauge` by the given ``amount`` through
+                                                                       the :zeek:see:`Telemetry::GaugeFamily`.
+:zeek:id:`Telemetry::gauge_family_inc`: :zeek:type:`function`          Increment a :zeek:see:`Telemetry::Gauge` by the given ``amount`` through
+                                                                       the :zeek:see:`Telemetry::GaugeFamily`.
+:zeek:id:`Telemetry::gauge_family_set`: :zeek:type:`function`          Set a :zeek:see:`Telemetry::Gauge` to the given ``value`` through
+                                                                       the :zeek:see:`Telemetry::GaugeFamily`.
+:zeek:id:`Telemetry::gauge_inc`: :zeek:type:`function`                 Increment a :zeek:see:`Telemetry::Gauge` by ``amount``.
+:zeek:id:`Telemetry::gauge_set`: :zeek:type:`function`                 Helper to set a :zeek:see:`Telemetry::Gauge` to the given ``value``.
+:zeek:id:`Telemetry::gauge_with`: :zeek:type:`function`                Get a :zeek:see:`Telemetry::Gauge` instance given family and label values.
+:zeek:id:`Telemetry::histogram_family_observe`: :zeek:type:`function`  Observe a measurement for a :zeek:see:`Telemetry::Histogram` through
+                                                                       the :zeek:see:`Telemetry::HistogramFamily`.
+:zeek:id:`Telemetry::histogram_observe`: :zeek:type:`function`         Observe a measurement for a :zeek:see:`Telemetry::Histogram`.
+:zeek:id:`Telemetry::histogram_with`: :zeek:type:`function`            Get a :zeek:see:`Telemetry::Histogram` instance given family and label values.
+:zeek:id:`Telemetry::register_counter_family`: :zeek:type:`function`   Register a counter family.
+:zeek:id:`Telemetry::register_gauge_family`: :zeek:type:`function`     Register a gauge family.
+:zeek:id:`Telemetry::register_histogram_family`: :zeek:type:`function` Register a histogram family.
+====================================================================== ============================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Telemetry::Counter
+   :source-code: base/frameworks/telemetry/main.zeek 34 36
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: __metric :zeek:type:`opaque` of counter_metric
+
+
+   Type representing a counter metric with initialized label values.
+   
+   Counter metrics only ever go up and reset when the process
+   restarts. Use :zeek:see:`Telemetry::counter_inc` or
+   :zeek:see:`Telemetry::counter_set` to modify counters.
+   An example for a counter is the number of log writes
+   per :zeek:see:`Log::Stream` or number connections broken down
+   by protocol and service.
+
+.. zeek:type:: Telemetry::CounterFamily
+   :source-code: base/frameworks/telemetry/main.zeek 21 24
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: __family :zeek:type:`opaque` of counter_metric_family
+
+
+   .. zeek:field:: __labels :zeek:type:`vector` of :zeek:type:`string`
+
+
+   Type representing a family of counters with uninitialized label values.
+   
+   To create concrete :zeek:see:`Telemetry::Counter` instances, use
+   :zeek:see:`Telemetry::counter_with`. To modify counters directly
+   use :zeek:see:`Telemetry::counter_family_inc`.
+
+.. zeek:type:: Telemetry::Gauge
+   :source-code: base/frameworks/telemetry/main.zeek 117 119
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: __metric :zeek:type:`opaque` of gauge_metric
+
+
+   Type representing a gauge metric with initialized label values.
+   
+   Use :zeek:see:`Telemetry::gauge_inc`, :zeek:see:`Telemetry::gauge_dec`,
+   or :zeek:see:`Telemetry::gauge_set` to modify the gauge.
+   Example for gauges are process memory usage, table sizes
+   or footprints of long-lived values as determined by
+   :zeek:see:`val_footprint`.
+
+.. zeek:type:: Telemetry::GaugeFamily
+   :source-code: base/frameworks/telemetry/main.zeek 105 108
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: __family :zeek:type:`opaque` of gauge_metric_family
+
+
+   .. zeek:field:: __labels :zeek:type:`vector` of :zeek:type:`string`
+
+
+   Type representing a family of gauges with uninitialized label values.
+   
+   Create concrete :zeek:see:`Telemetry::Gauge` instances with
+   :zeek:see:`Telemetry::gauge_with`, or use
+   :zeek:see:`Telemetry::gauge_family_inc` or
+   :zeek:see:`Telemetry::gauge_family_set` directly.
+
+.. zeek:type:: Telemetry::Histogram
+   :source-code: base/frameworks/telemetry/main.zeek 213 215
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: __metric :zeek:type:`opaque` of histogram_metric
+
+
+   Type representing a histogram metric with initialized label values.
+   Use :zeek:see:`Telemetry::histogram_observe` to make observations.
+
+.. zeek:type:: Telemetry::HistogramFamily
+   :source-code: base/frameworks/telemetry/main.zeek 206 209
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: __family :zeek:type:`opaque` of histogram_metric_family
+
+
+   .. zeek:field:: __labels :zeek:type:`vector` of :zeek:type:`string`
+
+
+   Type representing a family of histograms with uninitialized label values.
+   Create concrete :zeek:see:`Telemetry::Histogram` instances with
+   :zeek:see:`Telemetry::histogram_with` or use
+   :zeek:see:`Telemetry::histogram_family_observe` directly.
+
+.. zeek:type:: Telemetry::labels_vector
+   :source-code: base/frameworks/telemetry/main.zeek 14 14
+
+   :Type: :zeek:type:`vector` of :zeek:type:`string`
+
+   Alias for a vector of label values.
+
+Functions
+#########
+.. zeek:id:: Telemetry::collect_histogram_metrics
+   :source-code: base/frameworks/telemetry/main.zeek 453 456
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string` :zeek:attr:`&default` = ``"*"`` :zeek:attr:`&optional`, name: :zeek:type:`string` :zeek:attr:`&default` = ``"*"`` :zeek:attr:`&optional`) : :zeek:type:`vector` of :zeek:type:`Telemetry::HistogramMetric`
+
+   Collect all histograms and their observations matching the given
+   *prefix* and *name*.
+   
+   The *prefix* and *name* parameters support globbing. By default,
+   all histogram metrics are returned.
+
+.. zeek:id:: Telemetry::collect_metrics
+   :source-code: base/frameworks/telemetry/main.zeek 448 451
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string` :zeek:attr:`&default` = ``"*"`` :zeek:attr:`&optional`, name: :zeek:type:`string` :zeek:attr:`&default` = ``"*"`` :zeek:attr:`&optional`) : :zeek:type:`vector` of :zeek:type:`Telemetry::Metric`
+
+   Collect all counter and gauge metrics matching the given *name* and *prefix*.
+   
+   For histogram metrics, use the :zeek:see:`Telemetry::collect_histogram_metrics`.
+   
+   The *prefix* and *name* parameters support globbing. By default,
+   all counters and gauges are returned.
+
+.. zeek:id:: Telemetry::counter_family_inc
+   :source-code: base/frameworks/telemetry/main.zeek 325 328
+
+   :Type: :zeek:type:`function` (cf: :zeek:type:`Telemetry::CounterFamily`, label_values: :zeek:type:`Telemetry::labels_vector` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`, amount: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Increment a :zeek:see:`Telemetry::Counter` through the :zeek:see:`Telemetry::CounterFamily`.
+   This is a short-cut for :zeek:see:`Telemetry::counter_inc`.
+   Using a negative amount is an error.
+   
+
+   :param cf: The counter family to use.
+   
+
+   :param label_values: The label values to use for the counter.
+   
+
+   :param amount: The amount by which to increment the counter.
+   
+
+   :returns: True if the counter was incremented successfully.
+
+.. zeek:id:: Telemetry::counter_family_set
+   :source-code: base/frameworks/telemetry/main.zeek 330 333
+
+   :Type: :zeek:type:`function` (cf: :zeek:type:`Telemetry::CounterFamily`, label_values: :zeek:type:`Telemetry::labels_vector`, value: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Set a :zeek:see:`Telemetry::Counter` through the :zeek:see:`Telemetry::CounterFamily`.
+   This is a short-cut for :zeek:see:`Telemetry::counter_set`.
+   Setting a value that is less than the current value of the
+   metric is an error and will be ignored.
+   
+
+   :param cf: The counter family to use.
+   
+
+   :param label_values: The label values to use for the counter.
+   
+
+   :param value: The value to set the counter to.
+   
+
+   :returns: True if the counter value was set successfully.
+
+.. zeek:id:: Telemetry::counter_inc
+   :source-code: base/frameworks/telemetry/main.zeek 309 312
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`Telemetry::Counter`, amount: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Increment a :zeek:see:`Telemetry::Counter` by ``amount``.
+   Using a negative ``amount`` is an error.
+   
+
+   :param c: The counter instance.
+   
+
+   :param amount: The amount by which to increment the counter.
+   
+
+   :returns: True if the counter was incremented successfully.
+
+.. zeek:id:: Telemetry::counter_set
+   :source-code: base/frameworks/telemetry/main.zeek 314 323
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`Telemetry::Counter`, value: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Helper to set a :zeek:see:`Telemetry::Counter` to the given ``value``.
+   This can be useful for mirroring counter metrics in an
+   :zeek:see:`Telemetry::sync` hook implementation.
+   Setting a value that is less than the current value of the
+   metric is an error and will be ignored.
+   
+
+   :param c: The counter instance.
+   
+
+   :param value: The value to set the counter to.
+   
+
+   :returns: True if the counter value was set successfully.
+
+.. zeek:id:: Telemetry::counter_with
+   :source-code: base/frameworks/telemetry/main.zeek 296 307
+
+   :Type: :zeek:type:`function` (cf: :zeek:type:`Telemetry::CounterFamily`, label_values: :zeek:type:`Telemetry::labels_vector` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`) : :zeek:type:`Telemetry::Counter`
+
+   Get a :zeek:see:`Telemetry::Counter` instance given family and label values.
+
+.. zeek:id:: Telemetry::gauge_dec
+   :source-code: base/frameworks/telemetry/main.zeek 372 375
+
+   :Type: :zeek:type:`function` (g: :zeek:type:`Telemetry::Gauge`, amount: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Decrement a :zeek:see:`Telemetry::Gauge` by ``amount``.
+   
+
+   :param g: The gauge instance.
+   
+
+   :param amount: The amount by which to decrement the gauge.
+   
+
+   :returns: True if the gauge was incremented successfully.
+
+.. zeek:id:: Telemetry::gauge_family_dec
+   :source-code: base/frameworks/telemetry/main.zeek 393 396
+
+   :Type: :zeek:type:`function` (gf: :zeek:type:`Telemetry::GaugeFamily`, label_values: :zeek:type:`Telemetry::labels_vector` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`, value: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Decrement a :zeek:see:`Telemetry::Gauge` by the given ``amount`` through
+   the :zeek:see:`Telemetry::GaugeFamily`.
+   This is a short-cut for :zeek:see:`Telemetry::gauge_dec`.
+   
+
+   :param gf: The gauge family to use.
+   
+
+   :param label_values: The label values to use for the gauge.
+   
+
+   :param amount: The amount by which to increment the gauge.
+   
+
+   :returns: True if the gauge was incremented successfully.
+
+.. zeek:id:: Telemetry::gauge_family_inc
+   :source-code: base/frameworks/telemetry/main.zeek 388 391
+
+   :Type: :zeek:type:`function` (gf: :zeek:type:`Telemetry::GaugeFamily`, label_values: :zeek:type:`Telemetry::labels_vector` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`, value: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Increment a :zeek:see:`Telemetry::Gauge` by the given ``amount`` through
+   the :zeek:see:`Telemetry::GaugeFamily`.
+   This is a short-cut for :zeek:see:`Telemetry::gauge_inc`.
+   Using a negative amount is an error.
+   
+
+   :param gf: The gauge family to use.
+   
+
+   :param label_values: The label values to use for the gauge.
+   
+
+   :param amount: The amount by which to increment the gauge.
+   
+
+   :returns: True if the gauge was incremented successfully.
+
+.. zeek:id:: Telemetry::gauge_family_set
+   :source-code: base/frameworks/telemetry/main.zeek 398 401
+
+   :Type: :zeek:type:`function` (gf: :zeek:type:`Telemetry::GaugeFamily`, label_values: :zeek:type:`Telemetry::labels_vector`, value: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Set a :zeek:see:`Telemetry::Gauge` to the given ``value`` through
+   the :zeek:see:`Telemetry::GaugeFamily`.
+   This is a short-cut for :zeek:see:`Telemetry::gauge_set`.
+   
+
+   :param gf: The gauge family to use.
+   
+
+   :param label_values: The label values to use for the gauge.
+   
+
+   :param value: The value to set the gauge to.
+   
+
+   :returns: True if the gauge value was set successfully.
+
+.. zeek:id:: Telemetry::gauge_inc
+   :source-code: base/frameworks/telemetry/main.zeek 367 370
+
+   :Type: :zeek:type:`function` (g: :zeek:type:`Telemetry::Gauge`, amount: :zeek:type:`double` :zeek:attr:`&default` = ``1.0`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Increment a :zeek:see:`Telemetry::Gauge` by ``amount``.
+   
+
+   :param g: The gauge instance.
+   
+
+   :param amount: The amount by which to increment the gauge.
+   
+
+   :returns: True if the gauge was incremented successfully.
+
+.. zeek:id:: Telemetry::gauge_set
+   :source-code: base/frameworks/telemetry/main.zeek 377 386
+
+   :Type: :zeek:type:`function` (g: :zeek:type:`Telemetry::Gauge`, value: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Helper to set a :zeek:see:`Telemetry::Gauge` to the given ``value``.
+   
+
+   :param g: The gauge instance.
+   
+
+   :param value: The value to set the gauge to.
+   
+
+   :returns: True if the gauge value was set successfully.
+
+.. zeek:id:: Telemetry::gauge_with
+   :source-code: base/frameworks/telemetry/main.zeek 355 365
+
+   :Type: :zeek:type:`function` (gf: :zeek:type:`Telemetry::GaugeFamily`, label_values: :zeek:type:`Telemetry::labels_vector` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`) : :zeek:type:`Telemetry::Gauge`
+
+   Get a :zeek:see:`Telemetry::Gauge` instance given family and label values.
+
+.. zeek:id:: Telemetry::histogram_family_observe
+   :source-code: base/frameworks/telemetry/main.zeek 443 446
+
+   :Type: :zeek:type:`function` (hf: :zeek:type:`Telemetry::HistogramFamily`, label_values: :zeek:type:`Telemetry::labels_vector`, measurement: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Observe a measurement for a :zeek:see:`Telemetry::Histogram` through
+   the :zeek:see:`Telemetry::HistogramFamily`.
+   This is a short-cut for :zeek:see:`Telemetry::histogram_observe`.
+   
+
+   :param hf: The histogram family to use.
+   
+
+   :param label_values: The label values to use for the histogram.
+   
+
+   :param measurement: The value for this observations.
+   
+
+   :returns: True if measurement was observed successfully.
+
+.. zeek:id:: Telemetry::histogram_observe
+   :source-code: base/frameworks/telemetry/main.zeek 438 441
+
+   :Type: :zeek:type:`function` (h: :zeek:type:`Telemetry::Histogram`, measurement: :zeek:type:`double`) : :zeek:type:`bool`
+
+   Observe a measurement for a :zeek:see:`Telemetry::Histogram`.
+   
+
+   :param h: The histogram instance.
+   
+
+   :param measurement: The value for this observations.
+   
+
+   :returns: True if measurement was observed successfully.
+
+.. zeek:id:: Telemetry::histogram_with
+   :source-code: base/frameworks/telemetry/main.zeek 425 436
+
+   :Type: :zeek:type:`function` (hf: :zeek:type:`Telemetry::HistogramFamily`, label_values: :zeek:type:`Telemetry::labels_vector` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`) : :zeek:type:`Telemetry::Histogram`
+
+   Get a :zeek:see:`Telemetry::Histogram` instance given family and label values.
+
+.. zeek:id:: Telemetry::register_counter_family
+   :source-code: base/frameworks/telemetry/main.zeek 276 286
+
+   :Type: :zeek:type:`function` (opts: :zeek:type:`Telemetry::MetricOpts`) : :zeek:type:`Telemetry::CounterFamily`
+
+   Register a counter family.
+
+.. zeek:id:: Telemetry::register_gauge_family
+   :source-code: base/frameworks/telemetry/main.zeek 335 345
+
+   :Type: :zeek:type:`function` (opts: :zeek:type:`Telemetry::MetricOpts`) : :zeek:type:`Telemetry::GaugeFamily`
+
+   Register a gauge family.
+
+.. zeek:id:: Telemetry::register_histogram_family
+   :source-code: base/frameworks/telemetry/main.zeek 403 414
+
+   :Type: :zeek:type:`function` (opts: :zeek:type:`Telemetry::MetricOpts`) : :zeek:type:`Telemetry::HistogramFamily`
+
+   Register a histogram family.
+
+
diff --git a/doc/scripts/base/frameworks/telemetry/options.zeek.rst b/doc/scripts/base/frameworks/telemetry/options.zeek.rst
new file mode 100644
index 0000000000..f5817f6bff
--- /dev/null
+++ b/doc/scripts/base/frameworks/telemetry/options.zeek.rst
@@ -0,0 +1,79 @@
+:tocdepth: 3
+
+base/frameworks/telemetry/options.zeek
+======================================
+.. zeek:namespace:: Telemetry
+
+Configurable settings for the Telemetry framework.
+
+These reside separately from the main framework so that they can be loaded
+in bare mode without all of the framework. This allows things like the
+plugins.hooks test to see the options without needing the rest.
+
+:Namespace: Telemetry
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+===================================================================================== =====================================================================
+:zeek:id:`Telemetry::metrics_address`: :zeek:type:`string` :zeek:attr:`&redef`        Address used to make metric data available to Prometheus scrapers via
+                                                                                      HTTP.
+:zeek:id:`Telemetry::metrics_endpoint_label`: :zeek:type:`string` :zeek:attr:`&redef` Every metric automatically receives a label with the following name
+                                                                                      and the metrics_endpoint_name as value to identify the originating
+                                                                                      cluster node.
+:zeek:id:`Telemetry::metrics_endpoint_name`: :zeek:type:`string` :zeek:attr:`&redef`  ID for the metrics exporter.
+:zeek:id:`Telemetry::metrics_port`: :zeek:type:`port` :zeek:attr:`&redef`             Port used to make metric data available to Prometheus scrapers via
+                                                                                      HTTP.
+===================================================================================== =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Telemetry::metrics_address
+   :source-code: base/frameworks/telemetry/options.zeek 12 12
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Address used to make metric data available to Prometheus scrapers via
+   HTTP.
+
+.. zeek:id:: Telemetry::metrics_endpoint_label
+   :source-code: base/frameworks/telemetry/options.zeek 23 23
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"node"``
+
+   Every metric automatically receives a label with the following name
+   and the metrics_endpoint_name as value to identify the originating
+   cluster node.
+   The label was previously hard-code as "endpoint", and that's why
+   the variable is called the way it is, but "node" is the better label.
+
+.. zeek:id:: Telemetry::metrics_endpoint_name
+   :source-code: base/frameworks/telemetry/options.zeek 28 28
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   ID for the metrics exporter. This is used as the 'endpoint' label
+   value when exporting data to Prometheus. In a cluster setup, this
+   defaults to the name of the node in the cluster configuration.
+
+.. zeek:id:: Telemetry::metrics_port
+   :source-code: base/frameworks/telemetry/options.zeek 16 16
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0/unknown``
+
+   Port used to make metric data available to Prometheus scrapers via
+   HTTP. The default value means Zeek won't expose the port.
+
+
diff --git a/doc/scripts/base/frameworks/tunnels/__load__.zeek.rst b/doc/scripts/base/frameworks/tunnels/__load__.zeek.rst
new file mode 100644
index 0000000000..84a0c62f04
--- /dev/null
+++ b/doc/scripts/base/frameworks/tunnels/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/frameworks/tunnels/__load__.zeek
+=====================================
+
+
+:Imports: :doc:`base/frameworks/tunnels/main.zeek </scripts/base/frameworks/tunnels/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/frameworks/tunnels/index.rst b/doc/scripts/base/frameworks/tunnels/index.rst
new file mode 100644
index 0000000000..f652bb845a
--- /dev/null
+++ b/doc/scripts/base/frameworks/tunnels/index.rst
@@ -0,0 +1,20 @@
+:orphan:
+
+Package: base/frameworks/tunnels
+================================
+
+The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo,
+AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
+
+:doc:`/scripts/base/frameworks/tunnels/__load__.zeek`
+
+
+:doc:`/scripts/base/frameworks/tunnels/main.zeek`
+
+   This script handles the tracking/logging of tunnels (e.g. Teredo,
+   AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
+   
+   For any connection that occurs over a tunnel, information about its
+   encapsulating tunnels is also found in the *tunnel* field of
+   :zeek:type:`connection`.
+
diff --git a/doc/scripts/base/frameworks/tunnels/main.zeek.rst b/doc/scripts/base/frameworks/tunnels/main.zeek.rst
new file mode 100644
index 0000000000..50fa58ad63
--- /dev/null
+++ b/doc/scripts/base/frameworks/tunnels/main.zeek.rst
@@ -0,0 +1,228 @@
+:tocdepth: 3
+
+base/frameworks/tunnels/main.zeek
+=================================
+.. zeek:namespace:: Tunnel
+
+This script handles the tracking/logging of tunnels (e.g. Teredo,
+AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
+
+For any connection that occurs over a tunnel, information about its
+encapsulating tunnels is also found in the *tunnel* field of
+:zeek:type:`connection`.
+
+:Namespace: Tunnel
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================= ===============================================================
+:zeek:id:`Tunnel::expiration_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The amount of time a tunnel is not used in establishment of new
+                                                                                  connections before it is considered inactive/expired.
+================================================================================= ===============================================================
+
+State Variables
+###############
+======================================================================================================================================================================== =========================
+:zeek:id:`Tunnel::active`: :zeek:type:`table` :zeek:attr:`&read_expire` = :zeek:see:`Tunnel::expiration_interval` :zeek:attr:`&expire_func` = :zeek:see:`Tunnel::expire` Currently active tunnels.
+======================================================================================================================================================================== =========================
+
+Types
+#####
+============================================== ===============================================================
+:zeek:type:`Tunnel::Action`: :zeek:type:`enum` Types of interesting activity that can occur with a tunnel.
+:zeek:type:`Tunnel::Info`: :zeek:type:`record` The record type which contains column fields of the tunnel log.
+============================================== ===============================================================
+
+Redefinitions
+#############
+======================================= =====================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` The tunnel logging stream identifier.
+                                        
+                                        * :zeek:enum:`Tunnel::LOG`
+======================================= =====================================
+
+Hooks
+#####
+================================================================== =============================================
+:zeek:id:`Tunnel::finalize_tunnel`: :zeek:type:`Conn::RemovalHook` Tunnel finalization hook.
+:zeek:id:`Tunnel::log_policy`: :zeek:type:`Log::PolicyHook`        A default logging policy hook for the stream.
+================================================================== =============================================
+
+Functions
+#########
+====================================================== ================================================================
+:zeek:id:`Tunnel::close`: :zeek:type:`function`        Removes a single tunnel from the :zeek:id:`Tunnel::active` table
+                                                       and logs the closing/expiration of the tunnel.
+:zeek:id:`Tunnel::expire`: :zeek:type:`function`       Logs a single tunnel "connection" with action
+                                                       :zeek:see:`Tunnel::EXPIRE` and removes it from the
+                                                       :zeek:id:`Tunnel::active` table.
+:zeek:id:`Tunnel::register`: :zeek:type:`function`     Logs a single tunnel "connection" with action
+                                                       :zeek:see:`Tunnel::DISCOVER` if it's not already in the
+                                                       :zeek:id:`Tunnel::active` table and adds it if not.
+:zeek:id:`Tunnel::register_all`: :zeek:type:`function` Logs all tunnels in an encapsulation chain with action
+                                                       :zeek:see:`Tunnel::DISCOVER` that aren't already in the
+                                                       :zeek:id:`Tunnel::active` table and adds them if not.
+====================================================== ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Tunnel::expiration_interval
+   :source-code: base/frameworks/tunnels/main.zeek 82 82
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 hr``
+
+   The amount of time a tunnel is not used in establishment of new
+   connections before it is considered inactive/expired.
+
+State Variables
+###############
+.. zeek:id:: Tunnel::active
+   :source-code: base/frameworks/tunnels/main.zeek 87 87
+
+   :Type: :zeek:type:`table` [:zeek:type:`conn_id`] of :zeek:type:`Tunnel::Info`
+   :Attributes: :zeek:attr:`&read_expire` = :zeek:see:`Tunnel::expiration_interval` :zeek:attr:`&expire_func` = :zeek:see:`Tunnel::expire`
+   :Default: ``{}``
+
+   Currently active tunnels.  That is, tunnels for which new,
+   encapsulated connections have been seen in the interval indicated by
+   :zeek:see:`Tunnel::expiration_interval`.
+
+Types
+#####
+.. zeek:type:: Tunnel::Action
+   :source-code: base/frameworks/tunnels/main.zeek 20 29
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Tunnel::DISCOVER Tunnel::Action
+
+         A new tunnel (encapsulating "connection") has been seen.
+
+      .. zeek:enum:: Tunnel::CLOSE Tunnel::Action
+
+         A tunnel connection has closed.
+
+      .. zeek:enum:: Tunnel::EXPIRE Tunnel::Action
+
+         No new connections over a tunnel happened in the amount of
+         time indicated by :zeek:see:`Tunnel::expiration_interval`.
+
+   Types of interesting activity that can occur with a tunnel.
+
+.. zeek:type:: Tunnel::Info
+   :source-code: base/frameworks/tunnels/main.zeek 31 47
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time at which some tunnel activity occurred.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The unique identifier for the tunnel, which may correspond
+      to a :zeek:type:`connection`'s *uid* field for non-IP-in-IP tunnels.
+      This is optional because there could be numerous connections
+      for payload proxies like SOCKS but we should treat it as a
+      single tunnel.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The tunnel "connection" 4-tuple of endpoint addresses/ports.
+      For an IP tunnel, the ports will be 0.
+
+
+   .. zeek:field:: tunnel_type :zeek:type:`Tunnel::Type` :zeek:attr:`&log`
+
+      The type of tunnel.
+
+
+   .. zeek:field:: action :zeek:type:`Tunnel::Action` :zeek:attr:`&log`
+
+      The type of activity that occurred.
+
+
+   The record type which contains column fields of the tunnel log.
+
+Hooks
+#####
+.. zeek:id:: Tunnel::finalize_tunnel
+   :source-code: base/frameworks/tunnels/main.zeek 104 108
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   Tunnel finalization hook.  Remaining Tunnel info may get logged when it's called.
+
+.. zeek:id:: Tunnel::log_policy
+   :source-code: base/frameworks/tunnels/main.zeek 17 17
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+Functions
+#########
+.. zeek:id:: Tunnel::close
+   :source-code: base/frameworks/tunnels/main.zeek 130 136
+
+   :Type: :zeek:type:`function` (tunnel: :zeek:type:`Tunnel::Info`, action: :zeek:type:`Tunnel::Action`) : :zeek:type:`void`
+
+   Removes a single tunnel from the :zeek:id:`Tunnel::active` table
+   and logs the closing/expiration of the tunnel.
+   
+
+   :param tunnel: The tunnel which has closed or expired.
+   
+
+   :param action: The specific reason for the tunnel ending.
+
+.. zeek:id:: Tunnel::expire
+   :source-code: base/frameworks/tunnels/main.zeek 138 142
+
+   :Type: :zeek:type:`function` (t: :zeek:type:`table` [:zeek:type:`conn_id`] of :zeek:type:`Tunnel::Info`, idx: :zeek:type:`conn_id`) : :zeek:type:`interval`
+
+   Logs a single tunnel "connection" with action
+   :zeek:see:`Tunnel::EXPIRE` and removes it from the
+   :zeek:id:`Tunnel::active` table.
+   
+
+   :param t: A table of tunnels.
+   
+
+   :param idx: The index of the tunnel table corresponding to the tunnel to expire.
+   
+
+   :returns: 0secs, which when this function is used as an
+            :zeek:attr:`&expire_func`, indicates to remove the element at
+            *idx* immediately.
+
+.. zeek:id:: Tunnel::register
+   :source-code: base/frameworks/tunnels/main.zeek 110 128
+
+   :Type: :zeek:type:`function` (ec: :zeek:type:`Tunnel::EncapsulatingConn`) : :zeek:type:`void`
+
+   Logs a single tunnel "connection" with action
+   :zeek:see:`Tunnel::DISCOVER` if it's not already in the
+   :zeek:id:`Tunnel::active` table and adds it if not.
+
+.. zeek:id:: Tunnel::register_all
+   :source-code: base/frameworks/tunnels/main.zeek 98 102
+
+   :Type: :zeek:type:`function` (ecv: :zeek:type:`EncapsulatingConnVector`) : :zeek:type:`void`
+
+   Logs all tunnels in an encapsulation chain with action
+   :zeek:see:`Tunnel::DISCOVER` that aren't already in the
+   :zeek:id:`Tunnel::active` table and adds them if not.
+
+
diff --git a/doc/scripts/base/init-bare.zeek.rst b/doc/scripts/base/init-bare.zeek.rst
new file mode 100644
index 0000000000..c05871516a
--- /dev/null
+++ b/doc/scripts/base/init-bare.zeek.rst
@@ -0,0 +1,15561 @@
+:tocdepth: 3
+
+base/init-bare.zeek
+===================
+.. zeek:namespace:: AF_Packet
+.. zeek:namespace:: Analyzer
+.. zeek:namespace:: BinPAC
+.. zeek:namespace:: Cluster
+.. zeek:namespace:: ConnKey
+.. zeek:namespace:: ConnThreshold
+.. zeek:namespace:: DCE_RPC
+.. zeek:namespace:: DHCP
+.. zeek:namespace:: EventMetadata
+.. zeek:namespace:: FTP
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: HTTP
+.. zeek:namespace:: IP
+.. zeek:namespace:: JSON
+.. zeek:namespace:: KRB
+.. zeek:namespace:: Log
+.. zeek:namespace:: MIME
+.. zeek:namespace:: MOUNT3
+.. zeek:namespace:: MQTT
+.. zeek:namespace:: NCP
+.. zeek:namespace:: NFS3
+.. zeek:namespace:: NTLM
+.. zeek:namespace:: NTP
+.. zeek:namespace:: PE
+.. zeek:namespace:: POP3
+.. zeek:namespace:: Pcap
+.. zeek:namespace:: RADIUS
+.. zeek:namespace:: RDP
+.. zeek:namespace:: Reporter
+.. zeek:namespace:: SMB
+.. zeek:namespace:: SMB1
+.. zeek:namespace:: SMB2
+.. zeek:namespace:: SMTP
+.. zeek:namespace:: SNMP
+.. zeek:namespace:: SOCKS
+.. zeek:namespace:: SSH
+.. zeek:namespace:: SSL
+.. zeek:namespace:: Storage
+.. zeek:namespace:: TCP
+.. zeek:namespace:: Telemetry
+.. zeek:namespace:: Threading
+.. zeek:namespace:: Tunnel
+.. zeek:namespace:: UnknownProtocol
+.. zeek:namespace:: WebSocket
+.. zeek:namespace:: Weird
+.. zeek:namespace:: X509
+
+
+:Namespaces: AF_Packet, Analyzer, BinPAC, Cluster, ConnKey, ConnThreshold, DCE_RPC, DHCP, EventMetadata, FTP, GLOBAL, HTTP, IP, JSON, KRB, Log, MIME, MOUNT3, MQTT, NCP, NFS3, NTLM, NTP, PE, POP3, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SMTP, SNMP, SOCKS, SSH, SSL, Storage, TCP, Telemetry, Threading, Tunnel, UnknownProtocol, WebSocket, Weird, X509
+:Imports: :doc:`base/bif/CPP-load.bif.zeek </scripts/base/bif/CPP-load.bif.zeek>`, :doc:`base/bif/communityid.bif.zeek </scripts/base/bif/communityid.bif.zeek>`, :doc:`base/bif/const.bif.zeek </scripts/base/bif/const.bif.zeek>`, :doc:`base/bif/event.bif.zeek </scripts/base/bif/event.bif.zeek>`, :doc:`base/bif/mmdb.bif.zeek </scripts/base/bif/mmdb.bif.zeek>`, :doc:`base/bif/option.bif.zeek </scripts/base/bif/option.bif.zeek>`, :doc:`base/bif/packet_analysis.bif.zeek </scripts/base/bif/packet_analysis.bif.zeek>`, :doc:`base/bif/plugins/Zeek_KRB.types.bif.zeek </scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek>`, :doc:`base/bif/plugins/Zeek_SNMP.types.bif.zeek </scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek>`, :doc:`base/bif/reporter.bif.zeek </scripts/base/bif/reporter.bif.zeek>`, :doc:`base/bif/stats.bif.zeek </scripts/base/bif/stats.bif.zeek>`, :doc:`base/bif/strings.bif.zeek </scripts/base/bif/strings.bif.zeek>`, :doc:`base/bif/supervisor.bif.zeek </scripts/base/bif/supervisor.bif.zeek>`, :doc:`base/bif/telemetry_functions.bif.zeek </scripts/base/bif/telemetry_functions.bif.zeek>`, :doc:`base/bif/telemetry_types.bif.zeek </scripts/base/bif/telemetry_types.bif.zeek>`, :doc:`base/bif/types.bif.zeek </scripts/base/bif/types.bif.zeek>`, :doc:`base/bif/zeek.bif.zeek </scripts/base/bif/zeek.bif.zeek>`, :doc:`base/frameworks/spicy/init-bare.zeek </scripts/base/frameworks/spicy/init-bare.zeek>`, :doc:`base/frameworks/supervisor/api.zeek </scripts/base/frameworks/supervisor/api.zeek>`, :doc:`base/packet-protocols </scripts/base/packet-protocols/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+===================================================================================== =============================================================================
+:zeek:id:`MQTT::max_payload_size`: :zeek:type:`count` :zeek:attr:`&redef`             The maximum payload size to allocate for the purpose of
+                                                                                      payload information in :zeek:see:`mqtt_publish` events (and the
+                                                                                      default MQTT logs generated from that).
+:zeek:id:`Weird::sampling_duration`: :zeek:type:`interval` :zeek:attr:`&redef`        How long a weird of a given type is allowed to keep state/counters in
+                                                                                      memory.
+:zeek:id:`Weird::sampling_global_list`: :zeek:type:`set` :zeek:attr:`&redef`          Rate-limits weird names in the table globally instead of per connection/flow.
+:zeek:id:`Weird::sampling_rate`: :zeek:type:`count` :zeek:attr:`&redef`               The rate-limiting sampling rate.
+:zeek:id:`Weird::sampling_threshold`: :zeek:type:`count` :zeek:attr:`&redef`          How many weirds of a given type to tolerate before sampling begins.
+:zeek:id:`Weird::sampling_whitelist`: :zeek:type:`set` :zeek:attr:`&redef`            Prevents rate-limiting sampling of any weirds named in the table.
+:zeek:id:`default_file_bof_buffer_size`: :zeek:type:`count` :zeek:attr:`&redef`       Default amount of bytes that file analysis will buffer in order to use
+                                                                                      for mime type matching.
+:zeek:id:`default_file_timeout_interval`: :zeek:type:`interval` :zeek:attr:`&redef`   Default amount of time a file can be inactive before the file analysis
+                                                                                      gives up and discards any internal state related to the file.
+:zeek:id:`ignore_checksums_nets`: :zeek:type:`set` :zeek:attr:`&redef`                Checksums are ignored for all packets with a src address within this set of
+                                                                                      networks.
+:zeek:id:`udp_content_delivery_ports_use_resp`: :zeek:type:`bool` :zeek:attr:`&redef` Whether ports given in :zeek:see:`udp_content_delivery_ports_orig`
+                                                                                      and :zeek:see:`udp_content_delivery_ports_resp` are in terms of
+                                                                                      UDP packet's destination port or the UDP connection's "responder"
+                                                                                      port.
+:zeek:id:`udp_content_ports`: :zeek:type:`set` :zeek:attr:`&redef`                    Defines UDP ports (source or destination) for which the contents of
+                                                                                      either originator or responder streams should be delivered via
+                                                                                      :zeek:see:`udp_contents`.
+===================================================================================== =============================================================================
+
+Redefinable Options
+###################
+=================================================================================================================== ================================================================================
+:zeek:id:`AF_Packet::block_size`: :zeek:type:`count` :zeek:attr:`&redef`                                            Size of an individual block.
+:zeek:id:`AF_Packet::block_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                      Retire timeout for a single block.
+:zeek:id:`AF_Packet::buffer_size`: :zeek:type:`count` :zeek:attr:`&redef`                                           Size of the ring-buffer.
+:zeek:id:`AF_Packet::checksum_validation_mode`: :zeek:type:`AF_Packet::ChecksumMode` :zeek:attr:`&redef`            Checksum validation mode.
+:zeek:id:`AF_Packet::enable_defrag`: :zeek:type:`bool` :zeek:attr:`&redef`                                          Toggle defragmentation of IP packets using PACKET_FANOUT_FLAG_DEFRAG.
+:zeek:id:`AF_Packet::enable_fanout`: :zeek:type:`bool` :zeek:attr:`&redef`                                          Toggle whether to use PACKET_FANOUT.
+:zeek:id:`AF_Packet::enable_hw_timestamping`: :zeek:type:`bool` :zeek:attr:`&redef`                                 Toggle whether to use hardware timestamps.
+:zeek:id:`AF_Packet::fanout_id`: :zeek:type:`count` :zeek:attr:`&redef`                                             Fanout ID.
+:zeek:id:`AF_Packet::fanout_mode`: :zeek:type:`AF_Packet::FanoutMode` :zeek:attr:`&redef`                           Fanout mode.
+:zeek:id:`AF_Packet::link_type`: :zeek:type:`count` :zeek:attr:`&redef`                                             Link type (default Ethernet).
+:zeek:id:`BinPAC::flowbuffer_capacity_max`: :zeek:type:`count` :zeek:attr:`&redef`                                  Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to
+                                                                                                                    grow to for use with incremental parsing of a given connection/analyzer.
+:zeek:id:`BinPAC::flowbuffer_capacity_min`: :zeek:type:`count` :zeek:attr:`&redef`                                  The initial capacity, in bytes, that will be allocated to the BinPAC
+                                                                                                                    flowbuffer of a given connection/analyzer.
+:zeek:id:`BinPAC::flowbuffer_contract_threshold`: :zeek:type:`count` :zeek:attr:`&redef`                            The threshold, in bytes, at which the BinPAC flowbuffer of a given
+                                                                                                                    connection/analyzer will have its capacity contracted to
+                                                                                                                    :zeek:see:`BinPAC::flowbuffer_capacity_min` after parsing a full unit.
+:zeek:id:`Cluster::backend`: :zeek:type:`Cluster::BackendTag` :zeek:attr:`&redef`                                   Cluster backend to use.
+:zeek:id:`Cluster::event_serializer`: :zeek:type:`Cluster::EventSerializerTag` :zeek:attr:`&redef`                  The event serializer to use by the cluster backend.
+:zeek:id:`Cluster::log_serializer`: :zeek:type:`Cluster::LogSerializerTag` :zeek:attr:`&redef`                      The log serializer to use by the backend.
+:zeek:id:`ConnKey::factory`: :zeek:type:`ConnKey::Tag` :zeek:attr:`&redef`                                          The connection key factory to use for Zeek's internal connection
+                                                                                                                    tracking.
+:zeek:id:`ConnThreshold::generic_packet_thresholds`: :zeek:type:`set` :zeek:attr:`&redef`                           Number of packets required to be observed on any IP-based session to
+                                                                                                                    trigger :zeek:id:`conn_generic_packet_threshold_crossed`.
+:zeek:id:`DCE_RPC::max_cmd_reassembly`: :zeek:type:`count` :zeek:attr:`&redef`                                      The maximum number of simultaneous fragmented commands that
+                                                                                                                    the DCE_RPC analyzer will tolerate before the it will generate
+                                                                                                                    a weird and skip further input.
+:zeek:id:`DCE_RPC::max_frag_data`: :zeek:type:`count` :zeek:attr:`&redef`                                           The maximum number of fragmented bytes that the DCE_RPC analyzer
+                                                                                                                    will tolerate on a command before the analyzer will generate a weird
+                                                                                                                    and skip further input.
+:zeek:id:`EventMetadata::add_missing_remote_network_timestamp`: :zeek:type:`bool` :zeek:attr:`&redef`               By default, remote events without network timestamp metadata
+                                                                                                                    will yield a negative zeek:see:`current_event_time` during
+                                                                                                                    processing.
+:zeek:id:`EventMetadata::add_network_timestamp`: :zeek:type:`bool` :zeek:attr:`&redef`                              Add network timestamp metadata to all events.
+:zeek:id:`FTP::max_command_length`: :zeek:type:`count` :zeek:attr:`&redef`                                          Limits the size of commands accepted by the FTP analyzer.
+:zeek:id:`HTTP::upgrade_analyzers`: :zeek:type:`table` :zeek:attr:`&redef`                                          Lookup table for Upgrade analyzers.
+:zeek:id:`IP::protocol_names`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function` Mapping from IP protocol identifier values to string names.
+:zeek:id:`KRB::keytab`: :zeek:type:`string` :zeek:attr:`&redef`                                                     Kerberos keytab file name.
+:zeek:id:`Log::default_max_field_container_elements`: :zeek:type:`count` :zeek:attr:`&redef`                        The maximum number of elements a single container field can contain when
+                                                                                                                    logging.
+:zeek:id:`Log::default_max_field_string_bytes`: :zeek:type:`count` :zeek:attr:`&redef`                              The maximum number of bytes that a single string field can contain when
+                                                                                                                    logging.
+:zeek:id:`Log::default_max_total_container_elements`: :zeek:type:`count` :zeek:attr:`&redef`                        The maximum total number of container elements a record may log.
+:zeek:id:`Log::default_max_total_string_bytes`: :zeek:type:`count` :zeek:attr:`&redef`                              The maximum total bytes a record may log for string fields.
+:zeek:id:`Log::flush_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                                           Default interval for flushing the write buffers of all
+                                                                                                                    enabled log streams.
+:zeek:id:`Log::max_log_record_size`: :zeek:type:`count` :zeek:attr:`&redef`                                         Maximum size of a message that can be sent to a remote logger or logged
+                                                                                                                    locally.
+:zeek:id:`Log::write_buffer_size`: :zeek:type:`count` :zeek:attr:`&redef`                                           Default maximum size of the log write buffer per filter/path pair.
+:zeek:id:`MIME::max_depth`: :zeek:type:`count` :zeek:attr:`&redef`                                                  Stop analysis of nested multipart MIME entities if this depth is
+                                                                                                                    reached.
+:zeek:id:`NCP::max_frame_size`: :zeek:type:`count` :zeek:attr:`&redef`                                              The maximum number of bytes to allocate when parsing NCP frames.
+:zeek:id:`NFS3::return_data`: :zeek:type:`bool` :zeek:attr:`&redef`                                                 If true, :zeek:see:`nfs_proc_read` and :zeek:see:`nfs_proc_write`
+                                                                                                                    events return the file data that has been read/written.
+:zeek:id:`NFS3::return_data_first_only`: :zeek:type:`bool` :zeek:attr:`&redef`                                      If :zeek:id:`NFS3::return_data` is true, whether to *only* return data
+                                                                                                                    if the read or write offset is 0, i.e., only return data for the
+                                                                                                                    beginning of the file.
+:zeek:id:`NFS3::return_data_max`: :zeek:type:`count` :zeek:attr:`&redef`                                            If :zeek:id:`NFS3::return_data` is true, how much data should be
+                                                                                                                    returned at most.
+:zeek:id:`POP3::max_pending_commands`: :zeek:type:`count` :zeek:attr:`&redef`                                       How many commands a POP3 client may have pending
+                                                                                                                    before Zeek forcefully removes the oldest.
+:zeek:id:`POP3::max_unknown_client_commands`: :zeek:type:`count` :zeek:attr:`&redef`                                How many invalid commands a POP3 client may use
+                                                                                                                    before Zeek starts raising analyzer violations.
+:zeek:id:`Pcap::bufsize`: :zeek:type:`count` :zeek:attr:`&redef`                                                    Number of Mbytes to provide as buffer space when capturing from live
+                                                                                                                    interfaces.
+:zeek:id:`Pcap::bufsize_offline_bytes`: :zeek:type:`count` :zeek:attr:`&redef`                                      Number of bytes to use for buffering file read operations when reading
+                                                                                                                    from a PCAP file.
+:zeek:id:`Pcap::non_fd_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                          Default timeout for packet sources without file descriptors.
+:zeek:id:`Pcap::snaplen`: :zeek:type:`count` :zeek:attr:`&redef`                                                    Number of bytes per packet to capture from live interfaces.
+:zeek:id:`Reporter::errors_to_stderr`: :zeek:type:`bool` :zeek:attr:`&redef`                                        Tunable for sending reporter error messages to STDERR.
+:zeek:id:`Reporter::info_to_stderr`: :zeek:type:`bool` :zeek:attr:`&redef`                                          Tunable for sending reporter info messages to STDERR.
+:zeek:id:`Reporter::warnings_to_stderr`: :zeek:type:`bool` :zeek:attr:`&redef`                                      Tunable for sending reporter warning messages to STDERR.
+:zeek:id:`SMB::max_dce_rpc_analyzers`: :zeek:type:`count` :zeek:attr:`&redef`                                       Maximum number of DCE-RPC analyzers per connection
+                                                                                                                    before discarding them to avoid unbounded state growth.
+:zeek:id:`SMB::max_pending_messages`: :zeek:type:`count` :zeek:attr:`&redef`                                        The maximum number of messages for which to retain state
+                                                                                                                    about offsets, fids, or tree ids within the parser.
+:zeek:id:`SMB::pipe_filenames`: :zeek:type:`set` :zeek:attr:`&redef`                                                A set of file names used as named pipes over SMB.
+:zeek:id:`SMTP::bdat_max_line_length`: :zeek:type:`count` :zeek:attr:`&redef`                                       The maximum line length within a BDAT chunk before a forceful linebreak
+                                                                                                                    is introduced and a weird is raised.
+:zeek:id:`SMTP::enable_rfc822_msg_file_analysis`: :zeek:type:`bool` :zeek:attr:`&redef`                             Whether to send data of individual top-level RFC822 messages
+                                                                                                                    in SMTP transactions to the file analysis framework.
+:zeek:id:`SSL::dtls_max_reported_version_errors`: :zeek:type:`count` :zeek:attr:`&redef`                            Maximum number of invalid version errors to report in one DTLS connection.
+:zeek:id:`SSL::dtls_max_version_errors`: :zeek:type:`count` :zeek:attr:`&redef`                                     Number of non-DTLS frames that can occur in a DTLS connection before
+                                                                                                                    parsing of the connection is suspended.
+:zeek:id:`SSL::max_alerts_per_record`: :zeek:type:`count` :zeek:attr:`&redef`                                       Maximum number of Alert messages parsed from an SSL record with
+                                                                                                                    content_type alert (21).
+:zeek:id:`Storage::expire_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                                      The interval used by the storage framework for automatic expiration
+                                                                                                                    of elements in all backends that don't support it natively, or if
+                                                                                                                    using expiration while reading pcap files.
+:zeek:id:`Telemetry::callback_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                   Maximum amount of time for CivetWeb HTTP threads to
+                                                                                                                    wait for metric callbacks to complete on the IO loop.
+:zeek:id:`Telemetry::civetweb_threads`: :zeek:type:`count` :zeek:attr:`&redef`                                      Number of CivetWeb threads to use.
+:zeek:id:`Threading::heartbeat_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                                 The heartbeat interval used by the threading framework.
+:zeek:id:`Tunnel::delay_gtp_confirmation`: :zeek:type:`bool` :zeek:attr:`&redef`                                    With this set, the GTP analyzer waits until the most-recent upflow
+                                                                                                                    and downflow packets are a valid GTPv1 encapsulation before
+                                                                                                                    issuing :zeek:see:`analyzer_confirmation_info`.
+:zeek:id:`Tunnel::delay_teredo_confirmation`: :zeek:type:`bool` :zeek:attr:`&redef`                                 With this set, the Teredo analyzer waits until it sees both sides
+                                                                                                                    of a connection using a valid Teredo encapsulation before issuing
+                                                                                                                    a :zeek:see:`analyzer_confirmation_info`.
+:zeek:id:`Tunnel::ip_tunnel_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                     How often to cleanup internal state for inactive IP tunnels
+                                                                                                                    (includes GRE tunnels).
+:zeek:id:`Tunnel::max_changes_per_connection`: :zeek:type:`count` :zeek:attr:`&redef`                               The number of tunnel_changed events that will be sent for a connection.
+:zeek:id:`Tunnel::max_depth`: :zeek:type:`count` :zeek:attr:`&redef`                                                The maximum depth of a tunnel to decapsulate until giving up.
+:zeek:id:`Tunnel::validate_vxlan_checksums`: :zeek:type:`bool` :zeek:attr:`&redef`                                  Whether to validate the checksum supplied in the outer UDP header
+                                                                                                                    of a VXLAN encapsulation.
+:zeek:id:`UnknownProtocol::first_bytes_count`: :zeek:type:`count` :zeek:attr:`&redef`                               The number of bytes to extract from the next header and log in the
+                                                                                                                    first bytes field.
+:zeek:id:`UnknownProtocol::sampling_duration`: :zeek:type:`interval` :zeek:attr:`&redef`                            How long an analyzer/protocol pair is allowed to keep state/counters in
+                                                                                                                    in memory.
+:zeek:id:`UnknownProtocol::sampling_rate`: :zeek:type:`count` :zeek:attr:`&redef`                                   The rate-limiting sampling rate.
+:zeek:id:`UnknownProtocol::sampling_threshold`: :zeek:type:`count` :zeek:attr:`&redef`                              How many reports for an analyzer/protocol pair will be allowed to
+                                                                                                                    raise events before becoming rate-limited.
+:zeek:id:`WebSocket::payload_chunk_size`: :zeek:type:`count` :zeek:attr:`&redef`                                    The WebSocket analyzer consumes and forwards
+                                                                                                                    frame payload in chunks to keep memory usage
+                                                                                                                    bounded.
+:zeek:id:`WebSocket::use_dpd_default`: :zeek:type:`bool` :zeek:attr:`&redef`                                        Whether to enable DPD on WebSocket frame payload by default.
+:zeek:id:`WebSocket::use_spicy_analyzer`: :zeek:type:`bool` :zeek:attr:`&redef`                                     Whether to use the Spicy WebSocket protocol analyzer.
+:zeek:id:`allow_network_time_forward`: :zeek:type:`bool` :zeek:attr:`&redef`                                        Whether Zeek will forward network_time to the current time upon
+                                                                                                                    observing an idle packet source (or no configured packet source).
+:zeek:id:`bits_per_uid`: :zeek:type:`count` :zeek:attr:`&redef`                                                     Number of bits in UIDs that are generated to identify connections and
+                                                                                                                    files.
+:zeek:id:`cmd_line_bpf_filter`: :zeek:type:`string` :zeek:attr:`&redef`                                             BPF filter the user has set via the -f command line options.
+:zeek:id:`detect_filtered_trace`: :zeek:type:`bool` :zeek:attr:`&redef`                                             Whether to attempt to automatically detect SYN/FIN/RST-filtered trace
+                                                                                                                    and not report missing segments for such connections.
+:zeek:id:`digest_salt`: :zeek:type:`string` :zeek:attr:`&redef`                                                     This salt value is used for several message digests in Zeek.
+:zeek:id:`dns_session_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                           Time to wait before timing out a DNS request.
+:zeek:id:`dpd_buffer_size`: :zeek:type:`count` :zeek:attr:`&redef`                                                  Size of per-connection buffer used for dynamic protocol detection.
+:zeek:id:`dpd_ignore_ports`: :zeek:type:`bool` :zeek:attr:`&redef`                                                  If true, don't consider any ports for deciding which protocol analyzer to
+                                                                                                                    use.
+:zeek:id:`dpd_late_match_stop`: :zeek:type:`bool` :zeek:attr:`&redef`                                               If true, stops signature matching after a late match.
+:zeek:id:`dpd_match_only_beginning`: :zeek:type:`bool` :zeek:attr:`&redef`                                          If true, stops signature matching if :zeek:see:`dpd_buffer_size` has been
+                                                                                                                    reached.
+:zeek:id:`dpd_max_packets`: :zeek:type:`count` :zeek:attr:`&redef`                                                  Maximum number of per-connection packets that will be buffered for dynamic
+                                                                                                                    protocol detection.
+:zeek:id:`dpd_reassemble_first_packets`: :zeek:type:`bool` :zeek:attr:`&redef`                                      Reassemble the beginning of all TCP connections before doing
+                                                                                                                    signature matching.
+:zeek:id:`exit_only_after_terminate`: :zeek:type:`bool` :zeek:attr:`&redef`                                         Flag to prevent Zeek from exiting automatically when input is exhausted.
+:zeek:id:`expensive_profiling_multiple`: :zeek:type:`count` :zeek:attr:`&redef`                                     Multiples of :zeek:see:`profiling_interval` at which (more expensive) memory
+                                                                                                                    profiling is done (0 disables).
+:zeek:id:`frag_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                                  How long to hold onto fragments for possible reassembly.
+:zeek:id:`global_hash_seed`: :zeek:type:`string` :zeek:attr:`&redef`                                                Seed for hashes computed internally for probabilistic data structures.
+:zeek:id:`icmp_inactivity_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                       If an ICMP flow is inactive, time it out after this interval.
+:zeek:id:`ignore_checksums`: :zeek:type:`bool` :zeek:attr:`&redef`                                                  If true, don't verify checksums, and accept packets that give a length of
+                                                                                                                    zero in the IPv4 header.
+:zeek:id:`ignore_keep_alive_rexmit`: :zeek:type:`bool` :zeek:attr:`&redef`                                          Ignore certain TCP retransmissions for :zeek:see:`conn_stats`.
+:zeek:id:`io_poll_interval_default`: :zeek:type:`count` :zeek:attr:`&redef`                                         How many rounds to go without checking IO sources with file descriptors
+                                                                                                                    for readiness by default.
+:zeek:id:`io_poll_interval_live`: :zeek:type:`count` :zeek:attr:`&redef`                                            How often to check IO sources with file descriptors for readiness when
+                                                                                                                    monitoring with a live packet source.
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`                                                Ports which the core considers being likely used by servers.
+:zeek:id:`log_rotate_base_time`: :zeek:type:`string` :zeek:attr:`&redef`                                            Base time of log rotations in 24-hour time format (``%H:%M``), e.g.
+:zeek:id:`max_analyzer_violations`: :zeek:type:`count` :zeek:attr:`&redef`                                          The maximum number of analyzer violations the core generates before
+                                                                                                                    suppressing them for a given analyzer instance.
+:zeek:id:`max_find_all_string_length`: :zeek:type:`int` :zeek:attr:`&redef`                                         Maximum string length allowed for calls to the :zeek:see:`find_all` and
+                                                                                                                    :zeek:see:`find_all_ordered` BIFs.
+:zeek:id:`max_timer_expires`: :zeek:type:`count` :zeek:attr:`&redef`                                                The maximum number of expired timers to process after processing each new
+                                                                                                                    packet.
+:zeek:id:`mmdb_asn_db`: :zeek:type:`string` :zeek:attr:`&redef`                                                     Default name of the MaxMind ASN database file:
+:zeek:id:`mmdb_city_db`: :zeek:type:`string` :zeek:attr:`&redef`                                                    Default name of the MaxMind City database file:
+:zeek:id:`mmdb_country_db`: :zeek:type:`string` :zeek:attr:`&redef`                                                 Default name of the MaxMind Country database file:
+:zeek:id:`mmdb_dir`: :zeek:type:`string` :zeek:attr:`&redef`                                                        The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.
+:zeek:id:`mmdb_dir_fallbacks`: :zeek:type:`vector` :zeek:attr:`&redef`                                              Fallback locations for MaxMind databases.
+:zeek:id:`mmdb_stale_check_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                                     Sets the interval for MaxMind DB file staleness checks.
+:zeek:id:`netbios_ssn_session_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                   The amount of time before a connection created by the netbios analyzer times
+                                                                                                                    out and is removed.
+:zeek:id:`non_analyzed_lifetime`: :zeek:type:`interval` :zeek:attr:`&redef`                                         If a connection belongs to an application that we don't analyze,
+                                                                                                                    time it out after this interval.
+:zeek:id:`packet_filter_default`: :zeek:type:`bool` :zeek:attr:`&redef`                                             Default mode for Zeek's user-space dynamic packet filter.
+:zeek:id:`packet_source_inactivity_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                              If a packet source does not yield packets for this amount of time,
+                                                                                                                    it is considered idle.
+:zeek:id:`partial_connection_ok`: :zeek:type:`bool` :zeek:attr:`&redef`                                             If true, instantiate connection state when a partial connection
+                                                                                                                    (one missing its initial establishment negotiation) is seen.
+:zeek:id:`peer_description`: :zeek:type:`string` :zeek:attr:`&redef`                                                Description transmitted to remote communication peers for identification.
+:zeek:id:`pkt_profile_freq`: :zeek:type:`double` :zeek:attr:`&redef`                                                Frequency associated with packet profiling.
+:zeek:id:`pkt_profile_mode`: :zeek:type:`pkt_profile_modes` :zeek:attr:`&redef`                                     Output mode for packet profiling information.
+:zeek:id:`profiling_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                                            Update interval for profiling (0 disables).
+:zeek:id:`record_all_packets`: :zeek:type:`bool` :zeek:attr:`&redef`                                                If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it.
+:zeek:id:`report_gaps_for_partial`: :zeek:type:`bool` :zeek:attr:`&redef`                                           Whether we want :zeek:see:`content_gap` for partial
+                                                                                                                    connections.
+:zeek:id:`rpc_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                                   Time to wait before timing out an RPC request.
+:zeek:id:`running_under_test`: :zeek:type:`bool` :zeek:attr:`&redef`                                                Whether Zeek is being run under test.
+:zeek:id:`sig_max_group_size`: :zeek:type:`count` :zeek:attr:`&redef`                                               Maximum size of regular expression groups for signature matching.
+:zeek:id:`skip_http_data`: :zeek:type:`bool` :zeek:attr:`&redef`                                                    Skip HTTP data for performance considerations.
+:zeek:id:`table_expire_delay`: :zeek:type:`interval` :zeek:attr:`&redef`                                            When expiring table entries, wait this amount of time before checking the
+                                                                                                                    next chunk of entries.
+:zeek:id:`table_expire_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                                         Check for expired table entries after this amount of time.
+:zeek:id:`table_incremental_step`: :zeek:type:`count` :zeek:attr:`&redef`                                           When expiring/serializing table entries, don't work on more than this many
+                                                                                                                    table entries at a time.
+:zeek:id:`tcp_SYN_ack_ok`: :zeek:type:`bool` :zeek:attr:`&redef`                                                    If true, instantiate connection state when a SYN/ACK is seen but not the
+                                                                                                                    initial SYN (even if :zeek:see:`partial_connection_ok` is false).
+:zeek:id:`tcp_SYN_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                               Check up on the result of an initial SYN after this much time.
+:zeek:id:`tcp_attempt_delay`: :zeek:type:`interval` :zeek:attr:`&redef`                                             Wait this long upon seeing an initial SYN before timing out the
+                                                                                                                    connection attempt.
+:zeek:id:`tcp_close_delay`: :zeek:type:`interval` :zeek:attr:`&redef`                                               Upon seeing a normal connection close, flush state after this much time.
+:zeek:id:`tcp_connection_linger`: :zeek:type:`interval` :zeek:attr:`&redef`                                         When checking a closed connection for further activity, consider it
+                                                                                                                    inactive if there hasn't been any for this long.
+:zeek:id:`tcp_content_deliver_all_orig`: :zeek:type:`bool` :zeek:attr:`&redef`                                      If true, all TCP originator-side traffic is reported via
+                                                                                                                    :zeek:see:`tcp_contents`.
+:zeek:id:`tcp_content_deliver_all_resp`: :zeek:type:`bool` :zeek:attr:`&redef`                                      If true, all TCP responder-side traffic is reported via
+                                                                                                                    :zeek:see:`tcp_contents`.
+:zeek:id:`tcp_content_delivery_ports_orig`: :zeek:type:`table` :zeek:attr:`&redef`                                  Defines destination TCP ports for which the contents of the originator stream
+                                                                                                                    should be delivered via :zeek:see:`tcp_contents`.
+:zeek:id:`tcp_content_delivery_ports_resp`: :zeek:type:`table` :zeek:attr:`&redef`                                  Defines destination TCP ports for which the contents of the responder stream
+                                                                                                                    should be delivered via :zeek:see:`tcp_contents`.
+:zeek:id:`tcp_excessive_data_without_further_acks`: :zeek:type:`count` :zeek:attr:`&redef`                          If we've seen this much data without any of it being acked, we give up
+                                                                                                                    on that connection to avoid memory exhaustion due to buffering all that
+                                                                                                                    stuff.
+:zeek:id:`tcp_inactivity_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                        If a TCP connection is inactive, time it out after this interval.
+:zeek:id:`tcp_match_undelivered`: :zeek:type:`bool` :zeek:attr:`&redef`                                             If true, pass any undelivered to the signature engine before flushing the state.
+:zeek:id:`tcp_max_above_hole_without_any_acks`: :zeek:type:`count` :zeek:attr:`&redef`                              If we're not seeing our peer's ACKs, the maximum volume of data above a
+                                                                                                                    sequence hole that we'll tolerate before assuming that there's been a packet
+                                                                                                                    drop and we should give up on tracking a connection.
+:zeek:id:`tcp_max_initial_window`: :zeek:type:`count` :zeek:attr:`&redef`                                           Maximum amount of data that might plausibly be sent in an initial flight
+                                                                                                                    (prior to receiving any acks).
+:zeek:id:`tcp_max_old_segments`: :zeek:type:`count` :zeek:attr:`&redef`                                             Number of TCP segments to buffer beyond what's been acknowledged already
+                                                                                                                    to detect retransmission inconsistencies.
+:zeek:id:`tcp_partial_close_delay`: :zeek:type:`interval` :zeek:attr:`&redef`                                       Generate a :zeek:id:`connection_partial_close` event this much time after one
+                                                                                                                    half of a partial connection closes, assuming there has been no subsequent
+                                                                                                                    activity.
+:zeek:id:`tcp_reset_delay`: :zeek:type:`interval` :zeek:attr:`&redef`                                               Upon seeing a RST, flush state after this much time.
+:zeek:id:`tcp_session_timer`: :zeek:type:`interval` :zeek:attr:`&redef`                                             After a connection has closed, wait this long for further activity
+                                                                                                                    before checking whether to time out its state.
+:zeek:id:`tcp_storm_interarrival_thresh`: :zeek:type:`interval` :zeek:attr:`&redef`                                 FINs/RSTs must come with this much time or less between them to be
+                                                                                                                    considered a "storm".
+:zeek:id:`tcp_storm_thresh`: :zeek:type:`count` :zeek:attr:`&redef`                                                 Number of FINs/RSTs in a row that constitute a "storm".
+:zeek:id:`truncate_http_URI`: :zeek:type:`int` :zeek:attr:`&redef`                                                  Maximum length of HTTP URIs passed to events.
+:zeek:id:`udp_content_deliver_all_orig`: :zeek:type:`bool` :zeek:attr:`&redef`                                      If true, all UDP originator-side traffic is reported via
+                                                                                                                    :zeek:see:`udp_contents`.
+:zeek:id:`udp_content_deliver_all_resp`: :zeek:type:`bool` :zeek:attr:`&redef`                                      If true, all UDP responder-side traffic is reported via
+                                                                                                                    :zeek:see:`udp_contents`.
+:zeek:id:`udp_content_delivery_ports_orig`: :zeek:type:`table` :zeek:attr:`&redef`                                  Defines UDP destination ports for which the contents of the originator stream
+                                                                                                                    should be delivered via :zeek:see:`udp_contents`.
+:zeek:id:`udp_content_delivery_ports_resp`: :zeek:type:`table` :zeek:attr:`&redef`                                  Defines UDP destination ports for which the contents of the responder stream
+                                                                                                                    should be delivered via :zeek:see:`udp_contents`.
+:zeek:id:`udp_inactivity_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                        If a UDP flow is inactive, time it out after this interval.
+:zeek:id:`unknown_ip_inactivity_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`                                 If a flow with an unknown IP-based protocol is inactive, time it out after
+                                                                                                                    this interval.
+:zeek:id:`use_conn_size_analyzer`: :zeek:type:`bool` :zeek:attr:`&redef`                                            Whether to use the ``ConnSize`` analyzer to count the number of packets and
+                                                                                                                    IP-level bytes transferred by each endpoint.
+:zeek:id:`watchdog_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                                             Zeek's watchdog interval.
+=================================================================================================================== ================================================================================
+
+Constants
+#########
+=========================================================== =======================================================================
+:zeek:id:`CONTENTS_BOTH`: :zeek:type:`count`                Record both originator and responder contents.
+:zeek:id:`CONTENTS_NONE`: :zeek:type:`count`                Turn off recording of contents.
+:zeek:id:`CONTENTS_ORIG`: :zeek:type:`count`                Record originator contents.
+:zeek:id:`CONTENTS_RESP`: :zeek:type:`count`                Record responder contents.
+:zeek:id:`DNS_ADDL`: :zeek:type:`count`                     An additional record.
+:zeek:id:`DNS_ANS`: :zeek:type:`count`                      An answer record.
+:zeek:id:`DNS_AUTH`: :zeek:type:`count`                     An authoritative record.
+:zeek:id:`DNS_QUERY`: :zeek:type:`count`                    A query.
+:zeek:id:`ENDIAN_BIG`: :zeek:type:`count`                   Big endian.
+:zeek:id:`ENDIAN_CONFUSED`: :zeek:type:`count`              Tried to determine endian, but failed.
+:zeek:id:`ENDIAN_LITTLE`: :zeek:type:`count`                Little endian.
+:zeek:id:`ENDIAN_UNKNOWN`: :zeek:type:`count`               Endian not yet determined.
+:zeek:id:`ICMP_UNREACH_ADMIN_PROHIB`: :zeek:type:`count`    Administratively prohibited.
+:zeek:id:`ICMP_UNREACH_HOST`: :zeek:type:`count`            Host unreachable.
+:zeek:id:`ICMP_UNREACH_NEEDFRAG`: :zeek:type:`count`        Fragment needed.
+:zeek:id:`ICMP_UNREACH_NET`: :zeek:type:`count`             Network unreachable.
+:zeek:id:`ICMP_UNREACH_PORT`: :zeek:type:`count`            Port unreachable.
+:zeek:id:`ICMP_UNREACH_PROTOCOL`: :zeek:type:`count`        Protocol unreachable.
+:zeek:id:`IPPROTO_AH`: :zeek:type:`count`                   IPv6 authentication header.
+:zeek:id:`IPPROTO_DSTOPTS`: :zeek:type:`count`              IPv6 destination options header.
+:zeek:id:`IPPROTO_ESP`: :zeek:type:`count`                  IPv6 encapsulating security payload header.
+:zeek:id:`IPPROTO_FRAGMENT`: :zeek:type:`count`             IPv6 fragment header.
+:zeek:id:`IPPROTO_HOPOPTS`: :zeek:type:`count`              IPv6 hop-by-hop-options header.
+:zeek:id:`IPPROTO_ICMP`: :zeek:type:`count`                 Control message protocol.
+:zeek:id:`IPPROTO_ICMPV6`: :zeek:type:`count`               ICMP for IPv6.
+:zeek:id:`IPPROTO_IGMP`: :zeek:type:`count`                 Group management protocol.
+:zeek:id:`IPPROTO_IP`: :zeek:type:`count`                   Dummy for IP.
+:zeek:id:`IPPROTO_IPIP`: :zeek:type:`count`                 IP encapsulation in IP.
+:zeek:id:`IPPROTO_IPV6`: :zeek:type:`count`                 IPv6 header.
+:zeek:id:`IPPROTO_MOBILITY`: :zeek:type:`count`             IPv6 mobility header.
+:zeek:id:`IPPROTO_NONE`: :zeek:type:`count`                 IPv6 no next header.
+:zeek:id:`IPPROTO_RAW`: :zeek:type:`count`                  Raw IP packet.
+:zeek:id:`IPPROTO_ROUTING`: :zeek:type:`count`              IPv6 routing header.
+:zeek:id:`IPPROTO_TCP`: :zeek:type:`count`                  TCP.
+:zeek:id:`IPPROTO_UDP`: :zeek:type:`count`                  User datagram protocol.
+:zeek:id:`LOGIN_STATE_AUTHENTICATE`: :zeek:type:`count`     
+:zeek:id:`LOGIN_STATE_CONFUSED`: :zeek:type:`count`         
+:zeek:id:`LOGIN_STATE_LOGGED_IN`: :zeek:type:`count`        
+:zeek:id:`LOGIN_STATE_SKIP`: :zeek:type:`count`             
+:zeek:id:`RPC_status`: :zeek:type:`table`                   Mapping of numerical RPC status codes to readable messages.
+:zeek:id:`SNMP::OBJ_COUNTER32_TAG`: :zeek:type:`count`      Unsigned 32-bit integer.
+:zeek:id:`SNMP::OBJ_COUNTER64_TAG`: :zeek:type:`count`      Unsigned 64-bit integer.
+:zeek:id:`SNMP::OBJ_ENDOFMIBVIEW_TAG`: :zeek:type:`count`   A NULL value.
+:zeek:id:`SNMP::OBJ_INTEGER_TAG`: :zeek:type:`count`        Signed 64-bit integer.
+:zeek:id:`SNMP::OBJ_IPADDRESS_TAG`: :zeek:type:`count`      An IP address.
+:zeek:id:`SNMP::OBJ_NOSUCHINSTANCE_TAG`: :zeek:type:`count` A NULL value.
+:zeek:id:`SNMP::OBJ_NOSUCHOBJECT_TAG`: :zeek:type:`count`   A NULL value.
+:zeek:id:`SNMP::OBJ_OCTETSTRING_TAG`: :zeek:type:`count`    An octet string.
+:zeek:id:`SNMP::OBJ_OID_TAG`: :zeek:type:`count`            An Object Identifier.
+:zeek:id:`SNMP::OBJ_OPAQUE_TAG`: :zeek:type:`count`         An octet string.
+:zeek:id:`SNMP::OBJ_TIMETICKS_TAG`: :zeek:type:`count`      Unsigned 32-bit integer.
+:zeek:id:`SNMP::OBJ_UNSIGNED32_TAG`: :zeek:type:`count`     Unsigned 32-bit integer.
+:zeek:id:`SNMP::OBJ_UNSPECIFIED_TAG`: :zeek:type:`count`    A NULL value.
+:zeek:id:`TCP_CLOSED`: :zeek:type:`count`                   Endpoint has closed connection.
+:zeek:id:`TCP_ESTABLISHED`: :zeek:type:`count`              Endpoint has finished initial handshake regularly.
+:zeek:id:`TCP_INACTIVE`: :zeek:type:`count`                 Error string if unsuccessful.
+:zeek:id:`TCP_PARTIAL`: :zeek:type:`count`                  Endpoint has sent data but no initial SYN.
+:zeek:id:`TCP_RESET`: :zeek:type:`count`                    Endpoint has sent RST.
+:zeek:id:`TCP_SYN_ACK_SENT`: :zeek:type:`count`             Endpoint has sent SYN/ACK.
+:zeek:id:`TCP_SYN_SENT`: :zeek:type:`count`                 Endpoint has sent SYN.
+:zeek:id:`TH_ACK`: :zeek:type:`count`                       ACK.
+:zeek:id:`TH_FIN`: :zeek:type:`count`                       FIN.
+:zeek:id:`TH_FLAGS`: :zeek:type:`count`                     Mask combining all flags.
+:zeek:id:`TH_PUSH`: :zeek:type:`count`                      PUSH.
+:zeek:id:`TH_RST`: :zeek:type:`count`                       RST.
+:zeek:id:`TH_SYN`: :zeek:type:`count`                       SYN.
+:zeek:id:`TH_URG`: :zeek:type:`count`                       URG.
+:zeek:id:`UDP_ACTIVE`: :zeek:type:`count`                   Endpoint has sent something.
+:zeek:id:`UDP_INACTIVE`: :zeek:type:`count`                 Endpoint is still inactive.
+:zeek:id:`trace_output_file`: :zeek:type:`string`           Holds the filename of the trace file given with ``-w`` (empty if none).
+:zeek:id:`zeek_script_args`: :zeek:type:`vector`            Arguments given to Zeek from the command line.
+=========================================================== =======================================================================
+
+State Variables
+###############
+=========================================================================================================================== ============================================================================
+:zeek:id:`capture_filters`: :zeek:type:`table` :zeek:attr:`&redef`                                                          Set of BPF capture filters to use for capturing, indexed by a user-definable
+                                                                                                                            ID (which must be unique).
+:zeek:id:`direct_login_prompts`: :zeek:type:`set` :zeek:attr:`&redef`                                                       TODO.
+:zeek:id:`discarder_maxlen`: :zeek:type:`count` :zeek:attr:`&redef`                                                         Maximum length of payload passed to discarder functions.
+:zeek:id:`dns_max_queries`: :zeek:type:`count` :zeek:attr:`&redef`                                                          If a DNS request includes more than this many queries, assume it's non-DNS
+                                                                                                                            traffic and do not process it.
+:zeek:id:`dns_skip_addl`: :zeek:type:`set` :zeek:attr:`&redef`                                                              For DNS servers in these sets, omit processing the ADDL records they include
+                                                                                                                            in their replies.
+:zeek:id:`dns_skip_all_addl`: :zeek:type:`bool` :zeek:attr:`&redef`                                                         If true, all DNS ADDL records are skipped.
+:zeek:id:`dns_skip_all_auth`: :zeek:type:`bool` :zeek:attr:`&redef`                                                         If true, all DNS AUTH records are skipped.
+:zeek:id:`dns_skip_auth`: :zeek:type:`set` :zeek:attr:`&redef`                                                              For DNS servers in these sets, omit processing the AUTH records they include
+                                                                                                                            in their replies.
+:zeek:id:`done_with_network`: :zeek:type:`bool`                                                                             
+:zeek:id:`http_entity_data_delivery_size`: :zeek:type:`count` :zeek:attr:`&redef`                                           Maximum number of HTTP entity data delivered to events.
+:zeek:id:`interfaces`: :zeek:type:`string` :zeek:attr:`&add_func` = :zeek:see:`add_interface` :zeek:attr:`&redef`           Network interfaces to listen on.
+:zeek:id:`login_failure_msgs`: :zeek:type:`set` :zeek:attr:`&redef`                                                         TODO.
+:zeek:id:`login_non_failure_msgs`: :zeek:type:`set` :zeek:attr:`&redef`                                                     TODO.
+:zeek:id:`login_prompts`: :zeek:type:`set` :zeek:attr:`&redef`                                                              TODO.
+:zeek:id:`login_success_msgs`: :zeek:type:`set` :zeek:attr:`&redef`                                                         TODO.
+:zeek:id:`login_timeouts`: :zeek:type:`set` :zeek:attr:`&redef`                                                             TODO.
+:zeek:id:`mime_segment_length`: :zeek:type:`count` :zeek:attr:`&redef`                                                      The length of MIME data segments delivered to handlers of
+                                                                                                                            :zeek:see:`mime_segment_data`.
+:zeek:id:`mime_segment_overlap_length`: :zeek:type:`count` :zeek:attr:`&redef`                                              The number of bytes of overlap between successive segments passed to
+                                                                                                                            :zeek:see:`mime_segment_data`.
+:zeek:id:`pkt_profile_file`: :zeek:type:`file` :zeek:attr:`&redef`                                                          File where packet profiles are logged.
+:zeek:id:`profiling_file`: :zeek:type:`file` :zeek:attr:`&redef`                                                            Write profiling info into this file in regular intervals.
+:zeek:id:`restrict_filters`: :zeek:type:`table` :zeek:attr:`&redef`                                                         Set of BPF filters to restrict capturing, indexed by a user-definable ID
+                                                                                                                            (which must be unique).
+:zeek:id:`secondary_filters`: :zeek:type:`table` :zeek:attr:`&redef`                                                        Definition of "secondary filters".
+:zeek:id:`signature_files`: :zeek:type:`string` :zeek:attr:`&add_func` = :zeek:see:`add_signature_file` :zeek:attr:`&redef` Signature files to read.
+:zeek:id:`skip_authentication`: :zeek:type:`set` :zeek:attr:`&redef`                                                        TODO.
+=========================================================================================================================== ============================================================================
+
+Types
+#####
+================================================================================ =======================================================================================================================
+:zeek:type:`Analyzer::disabling_analyzer`: :zeek:type:`hook` :zeek:attr:`&redef` A hook taking a connection, analyzer tag and analyzer id that can be
+                                                                                 used to veto disabling protocol analyzers.
+:zeek:type:`AnalyzerConfirmationInfo`: :zeek:type:`record`                       Generic analyzer confirmation info record.
+:zeek:type:`AnalyzerViolationInfo`: :zeek:type:`record`                          Generic analyzer violation info record.
+:zeek:type:`Backtrace`: :zeek:type:`vector`                                      A representation of a Zeek script's call stack.
+:zeek:type:`BacktraceElement`: :zeek:type:`record`                               A representation of an element in a Zeek script's call stack.
+:zeek:type:`BrokerPeeringStats`: :zeek:type:`record`                             Broker statistics for an individual peering.
+:zeek:type:`BrokerPeeringStatsTable`: :zeek:type:`table`                         
+:zeek:type:`BrokerStats`: :zeek:type:`record`                                    Statistics about Broker communication.
+:zeek:type:`Cluster::Pool`: :zeek:type:`record`                                  A pool used for distributing data/work among a set of cluster nodes.
+:zeek:type:`ConnStats`: :zeek:type:`record`                                      
+:zeek:type:`DHCP::Addrs`: :zeek:type:`vector`                                    A list of addresses offered by a DHCP server.
+:zeek:type:`DHCP::ClientFQDN`: :zeek:type:`record`                               DHCP Client FQDN Option information (Option 81)
+:zeek:type:`DHCP::ClientID`: :zeek:type:`record`                                 DHCP Client Identifier (Option 61)
+:zeek:type:`DHCP::Msg`: :zeek:type:`record`                                      A DHCP message.
+:zeek:type:`DHCP::Options`: :zeek:type:`record`                                  
+:zeek:type:`DHCP::SubOpt`: :zeek:type:`record`                                   DHCP Relay Agent Information Option (Option 82)
+:zeek:type:`DHCP::SubOpts`: :zeek:type:`vector`                                  
+:zeek:type:`DNSStats`: :zeek:type:`record`                                       Statistics related to Zeek's active use of DNS.
+:zeek:type:`EncapsulatingConnVector`: :zeek:type:`vector`                        A type alias for a vector of encapsulating "connections", i.e.
+:zeek:type:`EventMetadata::Entry`: :zeek:type:`record`                           A event metadata entry.
+:zeek:type:`EventMetadata::ID`: :zeek:type:`enum`                                Enum type for metadata identifiers.
+:zeek:type:`EventNameCounter`: :zeek:type:`record` :zeek:attr:`&log`             Statistics about how many times each event name is queued.
+:zeek:type:`EventNameStats`: :zeek:type:`vector`                                 
+:zeek:type:`EventStats`: :zeek:type:`record`                                     
+:zeek:type:`FileAnalysisStats`: :zeek:type:`record`                              Statistics of file analysis.
+:zeek:type:`GapStats`: :zeek:type:`record`                                       Statistics about number of gaps in TCP connections.
+:zeek:type:`IPAddrAnonymization`: :zeek:type:`enum`                              ..
+:zeek:type:`IPAddrAnonymizationClass`: :zeek:type:`enum`                         ..
+:zeek:type:`JSON::TimestampFormat`: :zeek:type:`enum`                            
+:zeek:type:`KRB::AP_Options`: :zeek:type:`record`                                AP Options.
+:zeek:type:`KRB::Encrypted_Data`: :zeek:type:`record`                            
+:zeek:type:`KRB::Error_Msg`: :zeek:type:`record`                                 The data from the ERROR_MSG message.
+:zeek:type:`KRB::Host_Address`: :zeek:type:`record`                              A Kerberos host address See :rfc:`4120`.
+:zeek:type:`KRB::Host_Address_Vector`: :zeek:type:`vector`                       
+:zeek:type:`KRB::KDC_Options`: :zeek:type:`record`                               KDC Options.
+:zeek:type:`KRB::KDC_Request`: :zeek:type:`record`                               The data from the AS_REQ and TGS_REQ messages.
+:zeek:type:`KRB::KDC_Response`: :zeek:type:`record`                              The data from the AS_REQ and TGS_REQ messages.
+:zeek:type:`KRB::SAFE_Msg`: :zeek:type:`record`                                  The data from the SAFE message.
+:zeek:type:`KRB::Ticket`: :zeek:type:`record`                                    A Kerberos ticket.
+:zeek:type:`KRB::Ticket_Vector`: :zeek:type:`vector`                             
+:zeek:type:`KRB::Type_Value`: :zeek:type:`record`                                Used in a few places in the Kerberos analyzer for elements
+                                                                                 that have a type and a string value.
+:zeek:type:`KRB::Type_Value_Vector`: :zeek:type:`vector`                         
+:zeek:type:`MOUNT3::dirmntargs_t`: :zeek:type:`record`                           MOUNT *mnt* arguments.
+:zeek:type:`MOUNT3::info_t`: :zeek:type:`record`                                 Record summarizing the general results and status of MOUNT3
+                                                                                 request/reply pairs.
+:zeek:type:`MOUNT3::mnt_reply_t`: :zeek:type:`record`                            MOUNT lookup reply.
+:zeek:type:`MQTT::ConnectAckMsg`: :zeek:type:`record`                            
+:zeek:type:`MQTT::ConnectMsg`: :zeek:type:`record`                               
+:zeek:type:`MQTT::PublishMsg`: :zeek:type:`record`                               
+:zeek:type:`MatcherStats`: :zeek:type:`record`                                   Statistics of all regular expression matchers.
+:zeek:type:`ModbusCoils`: :zeek:type:`vector`                                    A vector of boolean values that indicate the setting
+                                                                                 for a range of modbus coils.
+:zeek:type:`ModbusFileRecordRequest`: :zeek:type:`record`                        
+:zeek:type:`ModbusFileRecordRequests`: :zeek:type:`vector`                       
+:zeek:type:`ModbusFileRecordResponse`: :zeek:type:`record`                       
+:zeek:type:`ModbusFileRecordResponses`: :zeek:type:`vector`                      
+:zeek:type:`ModbusFileReference`: :zeek:type:`record`                            
+:zeek:type:`ModbusFileReferences`: :zeek:type:`vector`                           
+:zeek:type:`ModbusHeaders`: :zeek:type:`record`                                  
+:zeek:type:`ModbusRegisters`: :zeek:type:`vector`                                A vector of count values that represent 16bit modbus
+                                                                                 register values.
+:zeek:type:`NFS3::delobj_reply_t`: :zeek:type:`record`                           NFS reply for *remove*, *rmdir*.
+:zeek:type:`NFS3::direntry_t`: :zeek:type:`record`                               NFS *direntry*.
+:zeek:type:`NFS3::direntry_vec_t`: :zeek:type:`vector`                           Vector of NFS *direntry*.
+:zeek:type:`NFS3::diropargs_t`: :zeek:type:`record`                              NFS *readdir* arguments.
+:zeek:type:`NFS3::fattr_t`: :zeek:type:`record`                                  NFS file attributes.
+:zeek:type:`NFS3::fsstat_t`: :zeek:type:`record`                                 NFS *fsstat*.
+:zeek:type:`NFS3::info_t`: :zeek:type:`record`                                   Record summarizing the general results and status of NFSv3
+                                                                                 request/reply pairs.
+:zeek:type:`NFS3::link_reply_t`: :zeek:type:`record`                             NFS *link* reply.
+:zeek:type:`NFS3::linkargs_t`: :zeek:type:`record`                               NFS *link* arguments.
+:zeek:type:`NFS3::lookup_reply_t`: :zeek:type:`record`                           NFS lookup reply.
+:zeek:type:`NFS3::newobj_reply_t`: :zeek:type:`record`                           NFS reply for *create*, *mkdir*, and *symlink*.
+:zeek:type:`NFS3::read_reply_t`: :zeek:type:`record`                             NFS *read* reply.
+:zeek:type:`NFS3::readargs_t`: :zeek:type:`record`                               NFS *read* arguments.
+:zeek:type:`NFS3::readdir_reply_t`: :zeek:type:`record`                          NFS *readdir* reply.
+:zeek:type:`NFS3::readdirargs_t`: :zeek:type:`record`                            NFS *readdir* arguments.
+:zeek:type:`NFS3::readlink_reply_t`: :zeek:type:`record`                         NFS *readline* reply.
+:zeek:type:`NFS3::renameobj_reply_t`: :zeek:type:`record`                        NFS reply for *rename*.
+:zeek:type:`NFS3::renameopargs_t`: :zeek:type:`record`                           NFS *rename* arguments.
+:zeek:type:`NFS3::sattr_reply_t`: :zeek:type:`record`                            NFS *sattr* reply.
+:zeek:type:`NFS3::sattr_t`: :zeek:type:`record`                                  NFS file attributes.
+:zeek:type:`NFS3::sattrargs_t`: :zeek:type:`record`                              NFS *sattr* arguments.
+:zeek:type:`NFS3::symlinkargs_t`: :zeek:type:`record`                            NFS *symlink* arguments.
+:zeek:type:`NFS3::symlinkdata_t`: :zeek:type:`record`                            NFS symlinkdata attributes.
+:zeek:type:`NFS3::wcc_attr_t`: :zeek:type:`record`                               NFS *wcc* attributes.
+:zeek:type:`NFS3::write_reply_t`: :zeek:type:`record`                            NFS *write* reply.
+:zeek:type:`NFS3::writeargs_t`: :zeek:type:`record`                              NFS *write* arguments.
+:zeek:type:`NTLM::AVs`: :zeek:type:`record`                                      
+:zeek:type:`NTLM::Authenticate`: :zeek:type:`record`                             
+:zeek:type:`NTLM::Challenge`: :zeek:type:`record`                                
+:zeek:type:`NTLM::Negotiate`: :zeek:type:`record`                                
+:zeek:type:`NTLM::NegotiateFlags`: :zeek:type:`record`                           
+:zeek:type:`NTLM::Version`: :zeek:type:`record`                                  
+:zeek:type:`NTP::ControlMessage`: :zeek:type:`record`                            NTP control message as defined in :rfc:`1119` for mode=6
+                                                                                 This record contains the fields used by the NTP protocol
+                                                                                 for control operations.
+:zeek:type:`NTP::Message`: :zeek:type:`record`                                   NTP message as defined in :rfc:`5905`.
+:zeek:type:`NTP::Mode7Message`: :zeek:type:`record`                              NTP mode 7 message.
+:zeek:type:`NTP::StandardMessage`: :zeek:type:`record`                           NTP standard message as defined in :rfc:`5905` for modes 1-5
+                                                                                 This record contains the standard fields used by the NTP protocol
+                                                                                 for standard synchronization operations.
+:zeek:type:`NetStats`: :zeek:type:`record`                                       Packet capture statistics.
+:zeek:type:`PE::DOSHeader`: :zeek:type:`record`                                  
+:zeek:type:`PE::FileHeader`: :zeek:type:`record`                                 
+:zeek:type:`PE::OptionalHeader`: :zeek:type:`record`                             
+:zeek:type:`PE::SectionHeader`: :zeek:type:`record`                              Record for Portable Executable (PE) section headers.
+:zeek:type:`PacketSource`: :zeek:type:`record`                                   Properties of an I/O packet source being read by Zeek.
+:zeek:type:`Pcap::Interface`: :zeek:type:`record`                                The definition of a "pcap interface".
+:zeek:type:`Pcap::Interfaces`: :zeek:type:`set`                                  
+:zeek:type:`Pcap::filter_state`: :zeek:type:`enum`                               The state of the compilation for a pcap filter.
+:zeek:type:`PcapFilterID`: :zeek:type:`enum`                                     Enum type identifying dynamic BPF filters.
+:zeek:type:`PluginComponent`: :zeek:type:`record`                                Record containing information about a tag.
+:zeek:type:`ProcStats`: :zeek:type:`record`                                      Statistics about Zeek's process.
+:zeek:type:`RADIUS::AttributeList`: :zeek:type:`vector`                          
+:zeek:type:`RADIUS::Attributes`: :zeek:type:`table`                              
+:zeek:type:`RADIUS::Message`: :zeek:type:`record`                                
+:zeek:type:`RDP::ClientChannelDef`: :zeek:type:`record`                          Name and flags for a single channel requested by the client.
+:zeek:type:`RDP::ClientChannelList`: :zeek:type:`vector`                         The list of channels requested by the client.
+:zeek:type:`RDP::ClientClusterData`: :zeek:type:`record`                         The TS_UD_CS_CLUSTER data block is sent by the client to the server
+                                                                                 either to advertise that it can support the Server Redirection PDUs
+                                                                                 or to request a connection to a given session identifier.
+:zeek:type:`RDP::ClientCoreData`: :zeek:type:`record`                            
+:zeek:type:`RDP::ClientSecurityData`: :zeek:type:`record`                        The TS_UD_CS_SEC data block contains security-related information used
+                                                                                 to advertise client cryptographic support.
+:zeek:type:`RDP::EarlyCapabilityFlags`: :zeek:type:`record`                      
+:zeek:type:`ReassemblerStats`: :zeek:type:`record`                               Holds statistics for all types of reassembly.
+:zeek:type:`ReporterStats`: :zeek:type:`record`                                  Statistics about reporter messages and weirds.
+:zeek:type:`SMB1::Find_First2_Request_Args`: :zeek:type:`record`                 
+:zeek:type:`SMB1::Find_First2_Response_Args`: :zeek:type:`record`                
+:zeek:type:`SMB1::Header`: :zeek:type:`record`                                   An SMB1 header.
+:zeek:type:`SMB1::NegotiateCapabilities`: :zeek:type:`record`                    
+:zeek:type:`SMB1::NegotiateRawMode`: :zeek:type:`record`                         
+:zeek:type:`SMB1::NegotiateResponse`: :zeek:type:`record`                        
+:zeek:type:`SMB1::NegotiateResponseCore`: :zeek:type:`record`                    
+:zeek:type:`SMB1::NegotiateResponseLANMAN`: :zeek:type:`record`                  
+:zeek:type:`SMB1::NegotiateResponseNTLM`: :zeek:type:`record`                    
+:zeek:type:`SMB1::NegotiateResponseSecurity`: :zeek:type:`record`                
+:zeek:type:`SMB1::SessionSetupAndXCapabilities`: :zeek:type:`record`             
+:zeek:type:`SMB1::SessionSetupAndXRequest`: :zeek:type:`record`                  
+:zeek:type:`SMB1::SessionSetupAndXResponse`: :zeek:type:`record`                 
+:zeek:type:`SMB1::Trans2_Args`: :zeek:type:`record`                              
+:zeek:type:`SMB1::Trans2_Sec_Args`: :zeek:type:`record`                          
+:zeek:type:`SMB1::Trans_Sec_Args`: :zeek:type:`record`                           
+:zeek:type:`SMB2::CloseResponse`: :zeek:type:`record`                            The response to an SMB2 *close* request, which is used by the client to close an instance
+                                                                                 of a file that was opened previously.
+:zeek:type:`SMB2::CompressionCapabilities`: :zeek:type:`record`                  Compression information as defined in SMB v.
+:zeek:type:`SMB2::CreateRequest`: :zeek:type:`record`                            The request sent by the client to request either creation of or access to a file.
+:zeek:type:`SMB2::CreateResponse`: :zeek:type:`record`                           The response to an SMB2 *create_request* request, which is sent by the client to request
+                                                                                 either creation of or access to a file.
+:zeek:type:`SMB2::EncryptionCapabilities`: :zeek:type:`record`                   Encryption information as defined in SMB v.
+:zeek:type:`SMB2::FileAttrs`: :zeek:type:`record`                                A series of boolean flags describing basic and extended file attributes for SMB2.
+:zeek:type:`SMB2::FileEA`: :zeek:type:`record`                                   This information class is used to query or set extended attribute (EA) information for a file.
+:zeek:type:`SMB2::FileEAs`: :zeek:type:`vector`                                  A vector of extended attribute (EA) information for a file.
+:zeek:type:`SMB2::Fscontrol`: :zeek:type:`record`                                A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2.
+:zeek:type:`SMB2::GUID`: :zeek:type:`record`                                     An SMB2 globally unique identifier which identifies a file.
+:zeek:type:`SMB2::Header`: :zeek:type:`record`                                   An SMB2 header.
+:zeek:type:`SMB2::NegotiateContextValue`: :zeek:type:`record`                    The context type information as defined in SMB v.
+:zeek:type:`SMB2::NegotiateContextValues`: :zeek:type:`vector`                   
+:zeek:type:`SMB2::NegotiateResponse`: :zeek:type:`record`                        The response to an SMB2 *negotiate* request, which is used by the client to notify the server
+                                                                                 what dialects of the SMB2 protocol the client understands.
+:zeek:type:`SMB2::PreAuthIntegrityCapabilities`: :zeek:type:`record`             Preauthentication information as defined in SMB v.
+:zeek:type:`SMB2::SessionSetupFlags`: :zeek:type:`record`                        A flags field that indicates additional information about the session that's sent in the
+                                                                                 *session_setup* response.
+:zeek:type:`SMB2::SessionSetupRequest`: :zeek:type:`record`                      The request sent by the client to request a new authenticated session
+                                                                                 within a new or existing SMB 2 Protocol transport connection to the server.
+:zeek:type:`SMB2::SessionSetupResponse`: :zeek:type:`record`                     The response to an SMB2 *session_setup* request, which is sent by the client to request a
+                                                                                 new authenticated session within a new or existing SMB 2 Protocol transport connection
+                                                                                 to the server.
+:zeek:type:`SMB2::Transform_header`: :zeek:type:`record`                         An SMB2 transform header (for SMB 3.x dialects with encryption enabled).
+:zeek:type:`SMB2::TreeConnectResponse`: :zeek:type:`record`                      The response to an SMB2 *tree_connect* request, which is sent by the client to request
+                                                                                 access to a particular share on the server.
+:zeek:type:`SMB::MACTimes`: :zeek:type:`record`                                  MAC times for a file.
+:zeek:type:`SNMP::Binding`: :zeek:type:`record`                                  The ``VarBind`` data structure from either :rfc:`1157` or
+                                                                                 :rfc:`3416`, which maps an Object Identifier to a value.
+:zeek:type:`SNMP::Bindings`: :zeek:type:`vector`                                 A ``VarBindList`` data structure from either :rfc:`1157` or :rfc:`3416`.
+:zeek:type:`SNMP::BulkPDU`: :zeek:type:`record`                                  A ``BulkPDU`` data structure from :rfc:`3416`.
+:zeek:type:`SNMP::Header`: :zeek:type:`record`                                   A generic SNMP header data structure that may include data from
+                                                                                 any version of SNMP.
+:zeek:type:`SNMP::HeaderV1`: :zeek:type:`record`                                 The top-level message data structure of an SNMPv1 datagram, not
+                                                                                 including the PDU data.
+:zeek:type:`SNMP::HeaderV2`: :zeek:type:`record`                                 The top-level message data structure of an SNMPv2 datagram, not
+                                                                                 including the PDU data.
+:zeek:type:`SNMP::HeaderV3`: :zeek:type:`record`                                 The top-level message data structure of an SNMPv3 datagram, not
+                                                                                 including the PDU data.
+:zeek:type:`SNMP::ObjectValue`: :zeek:type:`record`                              A generic SNMP object value, that may include any of the
+                                                                                 valid ``ObjectSyntax`` values from :rfc:`1155` or :rfc:`3416`.
+:zeek:type:`SNMP::PDU`: :zeek:type:`record`                                      A ``PDU`` data structure from either :rfc:`1157` or :rfc:`3416`.
+:zeek:type:`SNMP::ScopedPDU_Context`: :zeek:type:`record`                        The ``ScopedPduData`` data structure of an SNMPv3 datagram, not
+                                                                                 including the PDU data (i.e.
+:zeek:type:`SNMP::TrapPDU`: :zeek:type:`record`                                  A ``Trap-PDU`` data structure from :rfc:`1157`.
+:zeek:type:`SOCKS::Address`: :zeek:type:`record` :zeek:attr:`&log`               This record is for a SOCKS client or server to provide either a
+                                                                                 name or an address to represent a desired or established connection.
+:zeek:type:`SSH::Algorithm_Prefs`: :zeek:type:`record`                           The client and server each have some preferences for the algorithms used
+                                                                                 in each direction.
+:zeek:type:`SSH::Capabilities`: :zeek:type:`record`                              This record lists the preferences of an SSH endpoint for
+                                                                                 algorithm selection.
+:zeek:type:`SSL::PSKIdentity`: :zeek:type:`record`                               
+:zeek:type:`SSL::SignatureAndHashAlgorithm`: :zeek:type:`record`                 
+:zeek:type:`SYN_packet`: :zeek:type:`record`                                     Fields of a SYN packet.
+:zeek:type:`Storage::OperationResult`: :zeek:type:`record`                       Returned as the result of the various storage operations.
+:zeek:type:`Storage::ReturnCode`: :zeek:type:`enum` :zeek:attr:`&redef`          Common set of statuses that can be returned by storage operations.
+:zeek:type:`TCP::Option`: :zeek:type:`record`                                    A TCP Option field parsed from a TCP header.
+:zeek:type:`TCP::OptionList`: :zeek:type:`vector`                                The full list of TCP Option fields parsed from a TCP header.
+:zeek:type:`Telemetry::HistogramMetric`: :zeek:type:`record`                     Histograms returned by the :zeek:see:`Telemetry::collect_histogram_metrics` function.
+:zeek:type:`Telemetry::HistogramMetricVector`: :zeek:type:`vector`               
+:zeek:type:`Telemetry::Metric`: :zeek:type:`record`                              Metrics returned by the :zeek:see:`Telemetry::collect_metrics` function.
+:zeek:type:`Telemetry::MetricOpts`: :zeek:type:`record`                          Type that captures options used to create metrics.
+:zeek:type:`Telemetry::MetricVector`: :zeek:type:`vector`                        
+:zeek:type:`ThreadStats`: :zeek:type:`record`                                    Statistics about threads.
+:zeek:type:`TimerStats`: :zeek:type:`record`                                     Statistics of timers.
+:zeek:type:`Tunnel::EncapsulatingConn`: :zeek:type:`record` :zeek:attr:`&log`    Records the identity of an encapsulating parent of a tunneled connection.
+:zeek:type:`WebSocket::AnalyzerConfig`: :zeek:type:`record`                      Record type that is passed to :zeek:see:`WebSocket::configure_analyzer`.
+:zeek:type:`X509::BasicConstraints`: :zeek:type:`record` :zeek:attr:`&log`       
+:zeek:type:`X509::Certificate`: :zeek:type:`record`                              
+:zeek:type:`X509::Extension`: :zeek:type:`record`                                
+:zeek:type:`X509::Result`: :zeek:type:`record`                                   Result of an X509 certificate chain verification
+:zeek:type:`X509::SubjectAlternativeName`: :zeek:type:`record`                   
+:zeek:type:`addr_set`: :zeek:type:`set`                                          A set of addresses.
+:zeek:type:`addr_vec`: :zeek:type:`vector`                                       A vector of addresses.
+:zeek:type:`any_vec`: :zeek:type:`vector`                                        A vector of any, used by some builtin functions to store a list of varying
+                                                                                 types.
+:zeek:type:`assertion_failure`: :zeek:type:`hook`                                A hook that is invoked when an assert statement fails.
+:zeek:type:`assertion_result`: :zeek:type:`hook`                                 A hook that is invoked with the result of every assert statement.
+:zeek:type:`bittorrent_benc_dir`: :zeek:type:`table`                             A table of BitTorrent "benc" values.
+:zeek:type:`bittorrent_benc_value`: :zeek:type:`record`                          BitTorrent "benc" value.
+:zeek:type:`bittorrent_peer`: :zeek:type:`record`                                A BitTorrent peer.
+:zeek:type:`bittorrent_peer_set`: :zeek:type:`set`                               A set of BitTorrent peers.
+:zeek:type:`bt_tracker_headers`: :zeek:type:`table`                              Header table type used by BitTorrent analyzer.
+:zeek:type:`call_argument`: :zeek:type:`record`                                  Meta-information about a parameter to a function/event.
+:zeek:type:`call_argument_vector`: :zeek:type:`vector`                           Vector type used to capture parameters of a function/event call.
+:zeek:type:`conn_id`: :zeek:type:`record`                                        A connection's identifying 4-tuple of endpoints and ports.
+:zeek:type:`conn_id_ctx`: :zeek:type:`record`                                    A record type containing the context of a conn_id instance.
+:zeek:type:`connection`: :zeek:type:`record`                                     A connection.
+:zeek:type:`count_set`: :zeek:type:`set`                                         A set of counts.
+:zeek:type:`dns_answer`: :zeek:type:`record`                                     The general part of a DNS reply.
+:zeek:type:`dns_binds_rr`: :zeek:type:`record`                                   A Private RR type BINDS record.
+:zeek:type:`dns_dnskey_rr`: :zeek:type:`record`                                  A DNSSEC DNSKEY record.
+:zeek:type:`dns_ds_rr`: :zeek:type:`record`                                      A DNSSEC DS record.
+:zeek:type:`dns_edns_additional`: :zeek:type:`record`                            An additional DNS EDNS record.
+:zeek:type:`dns_edns_cookie`: :zeek:type:`record`                                An DNS EDNS COOKIE (COOKIE) record.
+:zeek:type:`dns_edns_ecs`: :zeek:type:`record`                                   An DNS EDNS Client Subnet (ECS) record.
+:zeek:type:`dns_edns_tcp_keepalive`: :zeek:type:`record`                         An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record.
+:zeek:type:`dns_loc_rr`: :zeek:type:`record`                                     A Private RR type LOC record.
+:zeek:type:`dns_mapping`: :zeek:type:`record`                                    
+:zeek:type:`dns_msg`: :zeek:type:`record`                                        A DNS message.
+:zeek:type:`dns_naptr_rr`: :zeek:type:`record`                                   A NAPTR record.
+:zeek:type:`dns_nsec3_rr`: :zeek:type:`record`                                   A DNSSEC NSEC3 record.
+:zeek:type:`dns_nsec3param_rr`: :zeek:type:`record`                              A DNSSEC NSEC3PARAM record.
+:zeek:type:`dns_rrsig_rr`: :zeek:type:`record`                                   A DNSSEC RRSIG record.
+:zeek:type:`dns_soa`: :zeek:type:`record`                                        A DNS SOA record.
+:zeek:type:`dns_svcb_param`: :zeek:type:`record`                                 A SvcParamKey with an optional SvcParamValue.
+:zeek:type:`dns_svcb_param_vec`: :zeek:type:`vector`                             
+:zeek:type:`dns_svcb_rr`: :zeek:type:`record`                                    A SVCB or HTTPS record.
+:zeek:type:`dns_tkey`: :zeek:type:`record`                                       A DNS TKEY record.
+:zeek:type:`dns_tsig_additional`: :zeek:type:`record`                            An additional DNS TSIG record.
+:zeek:type:`double_vec`: :zeek:type:`vector`                                     A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.
+:zeek:type:`endpoint`: :zeek:type:`record`                                       Statistics about a :zeek:type:`connection` endpoint.
+:zeek:type:`endpoint_stats`: :zeek:type:`record`                                 Statistics about what a TCP endpoint sent.
+:zeek:type:`entropy_test_result`: :zeek:type:`record`                            Computed entropy values.
+:zeek:type:`event_metadata_vec`: :zeek:type:`vector`                             A type alias for event metadata.
+:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef`                    File Analysis handle for a file that Zeek is analyzing.
+:zeek:type:`fa_metadata`: :zeek:type:`record`                                    File Analysis metadata that's been inferred about a particular file.
+:zeek:type:`files_tag_set`: :zeek:type:`set`                                     A set of file analyzer tags.
+:zeek:type:`flow_id`: :zeek:type:`record` :zeek:attr:`&log`                      The identifying 4-tuple of a uni-directional flow.
+:zeek:type:`from_json_result`: :zeek:type:`record`                               Return type for from_json BIF.
+:zeek:type:`ftp_port`: :zeek:type:`record`                                       A parsed host/port combination describing server endpoint for an upcoming
+                                                                                 data transfer.
+:zeek:type:`geo_autonomous_system`: :zeek:type:`record` :zeek:attr:`&log`        GeoIP autonomous system information.
+:zeek:type:`geo_location`: :zeek:type:`record` :zeek:attr:`&log`                 GeoIP location information.
+:zeek:type:`gtp_access_point_name`: :zeek:type:`string`                          
+:zeek:type:`gtp_cause`: :zeek:type:`count`                                       
+:zeek:type:`gtp_charging_characteristics`: :zeek:type:`count`                    
+:zeek:type:`gtp_charging_gateway_addr`: :zeek:type:`addr`                        
+:zeek:type:`gtp_charging_id`: :zeek:type:`count`                                 
+:zeek:type:`gtp_create_pdp_ctx_request_elements`: :zeek:type:`record`            
+:zeek:type:`gtp_create_pdp_ctx_response_elements`: :zeek:type:`record`           
+:zeek:type:`gtp_delete_pdp_ctx_request_elements`: :zeek:type:`record`            
+:zeek:type:`gtp_delete_pdp_ctx_response_elements`: :zeek:type:`record`           
+:zeek:type:`gtp_end_user_addr`: :zeek:type:`record`                              
+:zeek:type:`gtp_gsn_addr`: :zeek:type:`record`                                   
+:zeek:type:`gtp_imsi`: :zeek:type:`count`                                        
+:zeek:type:`gtp_msisdn`: :zeek:type:`string`                                     
+:zeek:type:`gtp_nsapi`: :zeek:type:`count`                                       
+:zeek:type:`gtp_omc_id`: :zeek:type:`string`                                     
+:zeek:type:`gtp_private_extension`: :zeek:type:`record`                          
+:zeek:type:`gtp_proto_config_options`: :zeek:type:`string`                       
+:zeek:type:`gtp_qos_profile`: :zeek:type:`record`                                
+:zeek:type:`gtp_rai`: :zeek:type:`record`                                        
+:zeek:type:`gtp_recovery`: :zeek:type:`count`                                    
+:zeek:type:`gtp_reordering_required`: :zeek:type:`bool`                          
+:zeek:type:`gtp_selection_mode`: :zeek:type:`count`                              
+:zeek:type:`gtp_teardown_ind`: :zeek:type:`bool`                                 
+:zeek:type:`gtp_teid1`: :zeek:type:`count`                                       
+:zeek:type:`gtp_teid_control_plane`: :zeek:type:`count`                          
+:zeek:type:`gtp_tft`: :zeek:type:`string`                                        
+:zeek:type:`gtp_trace_reference`: :zeek:type:`count`                             
+:zeek:type:`gtp_trace_type`: :zeek:type:`count`                                  
+:zeek:type:`gtp_trigger_id`: :zeek:type:`string`                                 
+:zeek:type:`gtp_update_pdp_ctx_request_elements`: :zeek:type:`record`            
+:zeek:type:`gtp_update_pdp_ctx_response_elements`: :zeek:type:`record`           
+:zeek:type:`gtpv1_hdr`: :zeek:type:`record`                                      A GTPv1 (GPRS Tunneling Protocol) header.
+:zeek:type:`http_message_stat`: :zeek:type:`record`                              HTTP message statistics.
+:zeek:type:`http_stats_rec`: :zeek:type:`record`                                 HTTP session statistics.
+:zeek:type:`icmp6_nd_option`: :zeek:type:`record`                                Options extracted from ICMPv6 neighbor discovery messages as specified
+                                                                                 by :rfc:`4861`.
+:zeek:type:`icmp6_nd_options`: :zeek:type:`vector`                               A type alias for a vector of ICMPv6 neighbor discovery message options.
+:zeek:type:`icmp6_nd_prefix_info`: :zeek:type:`record`                           Values extracted from a Prefix Information option in an ICMPv6 neighbor
+                                                                                 discovery message as specified by :rfc:`4861`.
+:zeek:type:`icmp_context`: :zeek:type:`record`                                   Packet context part of an ICMP message.
+:zeek:type:`icmp_hdr`: :zeek:type:`record`                                       Values extracted from an ICMP header.
+:zeek:type:`icmp_info`: :zeek:type:`record`                                      Specifics about an ICMP conversation/packet.
+:zeek:type:`id_table`: :zeek:type:`table`                                        Table type used to map script-level identifiers to meta-information
+                                                                                 describing them.
+:zeek:type:`index_vec`: :zeek:type:`vector`                                      A vector of counts, used by some builtin functions to store a list of indices.
+:zeek:type:`int_vec`: :zeek:type:`vector`                                        A vector of integers, used by telemetry builtin functions to store histogram bounds.
+:zeek:type:`interval_set`: :zeek:type:`set`                                      A set of intervals.
+:zeek:type:`ip4_hdr`: :zeek:type:`record`                                        Values extracted from an IPv4 header.
+:zeek:type:`ip6_ah`: :zeek:type:`record`                                         Values extracted from an IPv6 Authentication extension header.
+:zeek:type:`ip6_dstopts`: :zeek:type:`record`                                    Values extracted from an IPv6 Destination options extension header.
+:zeek:type:`ip6_esp`: :zeek:type:`record`                                        Values extracted from an IPv6 ESP extension header.
+:zeek:type:`ip6_ext_hdr`: :zeek:type:`record`                                    A general container for a more specific IPv6 extension header.
+:zeek:type:`ip6_ext_hdr_chain`: :zeek:type:`vector`                              A type alias for a vector of IPv6 extension headers.
+:zeek:type:`ip6_fragment`: :zeek:type:`record`                                   Values extracted from an IPv6 Fragment extension header.
+:zeek:type:`ip6_hdr`: :zeek:type:`record`                                        Values extracted from an IPv6 header.
+:zeek:type:`ip6_hopopts`: :zeek:type:`record`                                    Values extracted from an IPv6 Hop-by-Hop options extension header.
+:zeek:type:`ip6_mobility_back`: :zeek:type:`record`                              Values extracted from an IPv6 Mobility Binding Acknowledgement message.
+:zeek:type:`ip6_mobility_be`: :zeek:type:`record`                                Values extracted from an IPv6 Mobility Binding Error message.
+:zeek:type:`ip6_mobility_brr`: :zeek:type:`record`                               Values extracted from an IPv6 Mobility Binding Refresh Request message.
+:zeek:type:`ip6_mobility_bu`: :zeek:type:`record`                                Values extracted from an IPv6 Mobility Binding Update message.
+:zeek:type:`ip6_mobility_cot`: :zeek:type:`record`                               Values extracted from an IPv6 Mobility Care-of Test message.
+:zeek:type:`ip6_mobility_coti`: :zeek:type:`record`                              Values extracted from an IPv6 Mobility Care-of Test Init message.
+:zeek:type:`ip6_mobility_hdr`: :zeek:type:`record`                               Values extracted from an IPv6 Mobility header.
+:zeek:type:`ip6_mobility_hot`: :zeek:type:`record`                               Values extracted from an IPv6 Mobility Home Test message.
+:zeek:type:`ip6_mobility_hoti`: :zeek:type:`record`                              Values extracted from an IPv6 Mobility Home Test Init message.
+:zeek:type:`ip6_mobility_msg`: :zeek:type:`record`                               Values extracted from an IPv6 Mobility header's message data.
+:zeek:type:`ip6_option`: :zeek:type:`record`                                     Values extracted from an IPv6 extension header's (e.g.
+:zeek:type:`ip6_options`: :zeek:type:`vector`                                    A type alias for a vector of IPv6 options.
+:zeek:type:`ip6_routing`: :zeek:type:`record`                                    Values extracted from an IPv6 Routing extension header.
+:zeek:type:`irc_join_info`: :zeek:type:`record`                                  IRC join information.
+:zeek:type:`irc_join_list`: :zeek:type:`set`                                     Set of IRC join information.
+:zeek:type:`l2_hdr`: :zeek:type:`record`                                         Values extracted from the layer 2 header.
+:zeek:type:`mime_header_list`: :zeek:type:`table`                                A list of MIME headers.
+:zeek:type:`mime_header_rec`: :zeek:type:`record`                                A MIME header key/value pair.
+:zeek:type:`mime_match`: :zeek:type:`record`                                     A structure indicating a MIME type and strength of a match against
+                                                                                 file magic signatures.
+:zeek:type:`mime_matches`: :zeek:type:`vector`                                   A vector of file magic signature matches, ordered by strength of
+                                                                                 the signature, strongest first.
+:zeek:type:`pcap_packet`: :zeek:type:`record`                                    Policy-level representation of a packet passed on by libpcap.
+:zeek:type:`pkt_hdr`: :zeek:type:`record`                                        A packet header, consisting of an IP header and transport-layer header.
+:zeek:type:`pkt_profile_modes`: :zeek:type:`enum`                                Output modes for packet profiling information.
+:zeek:type:`plugin_component_vec`: :zeek:type:`vector`                           
+:zeek:type:`pm_callit_request`: :zeek:type:`record`                              An RPC portmapper *callit* request.
+:zeek:type:`pm_mapping`: :zeek:type:`record`                                     An RPC portmapper mapping.
+:zeek:type:`pm_mappings`: :zeek:type:`table`                                     Table of RPC portmapper mappings.
+:zeek:type:`pm_port_request`: :zeek:type:`record`                                An RPC portmapper request.
+:zeek:type:`psk_identity_vec`: :zeek:type:`vector`                               
+:zeek:type:`raw_pkt_hdr`: :zeek:type:`record`                                    A raw packet header, consisting of L2 header and everything in
+                                                                                 :zeek:see:`pkt_hdr`.
+:zeek:type:`record_field`: :zeek:type:`record`                                   Meta-information about a record field.
+:zeek:type:`record_field_table`: :zeek:type:`table`                              Table type used to map record field declarations to meta-information
+                                                                                 describing them.
+:zeek:type:`rotate_info`: :zeek:type:`record`                                    ..
+:zeek:type:`script_id`: :zeek:type:`record`                                      Meta-information about a script-level identifier.
+:zeek:type:`signature_and_hashalgorithm_vec`: :zeek:type:`vector`                A vector of Signature and Hash Algorithms.
+:zeek:type:`signature_state`: :zeek:type:`record`                                Description of a signature match.
+:zeek:type:`string_any_file_hook`: :zeek:type:`hook`                             A hook taking a fa_file, an any, and a string.
+:zeek:type:`string_any_table`: :zeek:type:`table`                                A string-table of any.
+:zeek:type:`string_array`: :zeek:type:`table`                                    An ordered array of strings.
+:zeek:type:`string_mapper`: :zeek:type:`function`                                Function mapping a string to a string.
+:zeek:type:`string_set`: :zeek:type:`set`                                        A set of strings.
+:zeek:type:`string_vec`: :zeek:type:`vector`                                     A vector of strings.
+:zeek:type:`subnet_set`: :zeek:type:`set`                                        A set of subnets.
+:zeek:type:`subnet_vec`: :zeek:type:`vector`                                     A vector of subnets.
+:zeek:type:`sw_align`: :zeek:type:`record`                                       Helper type for return value of Smith-Waterman algorithm.
+:zeek:type:`sw_align_vec`: :zeek:type:`vector`                                   Helper type for return value of Smith-Waterman algorithm.
+:zeek:type:`sw_params`: :zeek:type:`record`                                      Parameters for the Smith-Waterman algorithm.
+:zeek:type:`sw_substring`: :zeek:type:`record`                                   Helper type for return value of Smith-Waterman algorithm.
+:zeek:type:`sw_substring_vec`: :zeek:type:`vector`                               Return type for Smith-Waterman algorithm.
+:zeek:type:`table_string_of_count`: :zeek:type:`table`                           A table of counts indexed by strings.
+:zeek:type:`table_string_of_string`: :zeek:type:`table`                          A table of strings indexed by strings.
+:zeek:type:`tcp_hdr`: :zeek:type:`record`                                        Values extracted from a TCP header.
+:zeek:type:`teredo_auth`: :zeek:type:`record`                                    A Teredo origin indication header.
+:zeek:type:`teredo_hdr`: :zeek:type:`record`                                     A Teredo packet header.
+:zeek:type:`teredo_origin`: :zeek:type:`record`                                  A Teredo authentication header.
+:zeek:type:`transport_proto`: :zeek:type:`enum`                                  A connection's transport-layer protocol.
+:zeek:type:`udp_hdr`: :zeek:type:`record`                                        Values extracted from a UDP header.
+:zeek:type:`var_sizes`: :zeek:type:`table`                                       Table type used to map variable names to their memory allocation.
+:zeek:type:`x509_opaque_vector`: :zeek:type:`vector`                             A vector of x509 opaques.
+:zeek:type:`ConnKey::Tag`: :zeek:type:`enum`                                     
+================================================================================ =======================================================================================================================
+
+Hooks
+#####
+============================================= ====================
+:zeek:id:`Telemetry::sync`: :zeek:type:`hook` Telemetry sync hook.
+============================================= ====================
+
+Functions
+#########
+============================================================== =========================================================
+:zeek:id:`add_interface`: :zeek:type:`function`                Internal function.
+:zeek:id:`add_signature_file`: :zeek:type:`function`           Internal function.
+:zeek:id:`discarder_check_icmp`: :zeek:type:`function`         Function for skipping packets based on their ICMP header.
+:zeek:id:`discarder_check_ip`: :zeek:type:`function`           Function for skipping packets based on their IP header.
+:zeek:id:`discarder_check_tcp`: :zeek:type:`function`          Function for skipping packets based on their TCP header.
+:zeek:id:`discarder_check_udp`: :zeek:type:`function`          Function for skipping packets based on their UDP header.
+:zeek:id:`from_json_default_key_mapper`: :zeek:type:`function` The default JSON key mapper function.
+:zeek:id:`max_count`: :zeek:type:`function`                    Returns maximum of two ``count`` values.
+:zeek:id:`max_double`: :zeek:type:`function`                   Returns maximum of two ``double`` values.
+:zeek:id:`max_interval`: :zeek:type:`function`                 Returns maximum of two ``interval`` values.
+:zeek:id:`min_count`: :zeek:type:`function`                    Returns minimum of two ``count`` values.
+:zeek:id:`min_double`: :zeek:type:`function`                   Returns minimum of two ``double`` values.
+:zeek:id:`min_interval`: :zeek:type:`function`                 Returns minimum of two ``interval`` values.
+============================================================== =========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: MQTT::max_payload_size
+   :source-code: base/init-bare.zeek 6006 6006
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   The maximum payload size to allocate for the purpose of
+   payload information in :zeek:see:`mqtt_publish` events (and the
+   default MQTT logs generated from that).
+
+.. zeek:id:: Weird::sampling_duration
+   :source-code: base/init-bare.zeek 6059 6059
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 mins``
+
+   How long a weird of a given type is allowed to keep state/counters in
+   memory. For "net" weirds an expiration timer starts per weird name when
+   first initializing its counter. For "flow" weirds an expiration timer
+   starts once per src/dst IP pair for the first weird of any name. For
+   "conn" weirds, counters and expiration timers are kept for the duration
+   of the connection for each named weird and reset when necessary. E.g.
+   if a "conn" weird by the name of "foo" is seen more than
+   :zeek:see:`Weird::sampling_threshold` times, then an expiration timer
+   begins for "foo" and upon triggering will reset the counter for "foo"
+   and unthrottle its rate-limiting until it once again exceeds the
+   threshold.
+
+.. zeek:id:: Weird::sampling_global_list
+   :source-code: base/init-bare.zeek 6035 6035
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Rate-limits weird names in the table globally instead of per connection/flow.
+
+.. zeek:id:: Weird::sampling_rate
+   :source-code: base/init-bare.zeek 6046 6046
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   The rate-limiting sampling rate. One out of every of this number of
+   rate-limited weirds of a given type will be allowed to raise events
+   for further script-layer handling. Setting the sampling rate to 0
+   will disable all output of rate-limited weirds.
+
+.. zeek:id:: Weird::sampling_threshold
+   :source-code: base/init-bare.zeek 6040 6040
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``25``
+
+   How many weirds of a given type to tolerate before sampling begins.
+   I.e. this many consecutive weirds of a given type will be allowed to
+   raise events for script-layer handling before being rate-limited.
+
+.. zeek:id:: Weird::sampling_whitelist
+   :source-code: base/init-bare.zeek 6032 6032
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Prevents rate-limiting sampling of any weirds named in the table.
+
+.. zeek:id:: default_file_bof_buffer_size
+   :source-code: base/init-bare.zeek 910 910
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4096``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/signatures/iso-9660.zeek`
+
+      ``=``::
+
+         2048 * (16 + 1)
+
+
+   Default amount of bytes that file analysis will buffer in order to use
+   for mime type matching.  File analyzers attached at the time of mime type
+   matching or later, will receive a copy of this buffer.
+
+.. zeek:id:: default_file_timeout_interval
+   :source-code: base/init-bare.zeek 905 905
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2.0 mins``
+
+   Default amount of time a file can be inactive before the file analysis
+   gives up and discards any internal state related to the file.
+
+.. zeek:id:: ignore_checksums_nets
+   :source-code: base/init-bare.zeek 1615 1615
+
+   :Type: :zeek:type:`set` [:zeek:type:`subnet`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Checksums are ignored for all packets with a src address within this set of
+   networks. Useful for cases where a host might be seeing packets collected
+   from local hosts before checksums were applied by hardware. This frequently
+   manifests when sniffing a local management interface on a host and Zeek sees
+   packets before the hardware has had a chance to apply the checksums.
+
+.. zeek:id:: udp_content_delivery_ports_use_resp
+   :source-code: base/init-bare.zeek 1802 1802
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether ports given in :zeek:see:`udp_content_delivery_ports_orig`
+   and :zeek:see:`udp_content_delivery_ports_resp` are in terms of
+   UDP packet's destination port or the UDP connection's "responder"
+   port.
+
+.. zeek:id:: udp_content_ports
+   :source-code: base/init-bare.zeek 1796 1796
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Defines UDP ports (source or destination) for which the contents of
+   either originator or responder streams should be delivered via
+   :zeek:see:`udp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_orig
+      tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
+      tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+      udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents
+      udp_content_delivery_ports_use_resp udp_content_delivery_ports_resp
+
+Redefinable Options
+###################
+.. zeek:id:: AF_Packet::block_size
+   :source-code: base/init-bare.zeek 5718 5718
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``32768``
+
+   Size of an individual block. Needs to be a multiple of page size.
+
+.. zeek:id:: AF_Packet::block_timeout
+   :source-code: base/init-bare.zeek 5720 5720
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 msecs``
+
+   Retire timeout for a single block.
+
+.. zeek:id:: AF_Packet::buffer_size
+   :source-code: base/init-bare.zeek 5716 5716
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``134217728``
+
+   Size of the ring-buffer.
+
+.. zeek:id:: AF_Packet::checksum_validation_mode
+   :source-code: base/init-bare.zeek 5734 5734
+
+   :Type: :zeek:type:`AF_Packet::ChecksumMode`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``AF_Packet::CHECKSUM_ON``
+
+   Checksum validation mode.
+
+.. zeek:id:: AF_Packet::enable_defrag
+   :source-code: base/init-bare.zeek 5726 5726
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Toggle defragmentation of IP packets using PACKET_FANOUT_FLAG_DEFRAG.
+
+.. zeek:id:: AF_Packet::enable_fanout
+   :source-code: base/init-bare.zeek 5724 5724
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Toggle whether to use PACKET_FANOUT.
+
+.. zeek:id:: AF_Packet::enable_hw_timestamping
+   :source-code: base/init-bare.zeek 5722 5722
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Toggle whether to use hardware timestamps.
+
+.. zeek:id:: AF_Packet::fanout_id
+   :source-code: base/init-bare.zeek 5730 5730
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``23``
+
+   Fanout ID.
+
+.. zeek:id:: AF_Packet::fanout_mode
+   :source-code: base/init-bare.zeek 5728 5728
+
+   :Type: :zeek:type:`AF_Packet::FanoutMode`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``AF_Packet::FANOUT_HASH``
+
+   Fanout mode.
+
+.. zeek:id:: AF_Packet::link_type
+   :source-code: base/init-bare.zeek 5732 5732
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1``
+
+   Link type (default Ethernet).
+
+.. zeek:id:: BinPAC::flowbuffer_capacity_max
+   :source-code: base/init-bare.zeek 6090 6090
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10485760``
+
+   Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to
+   grow to for use with incremental parsing of a given connection/analyzer.
+
+.. zeek:id:: BinPAC::flowbuffer_capacity_min
+   :source-code: base/init-bare.zeek 6095 6095
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``512``
+
+   The initial capacity, in bytes, that will be allocated to the BinPAC
+   flowbuffer of a given connection/analyzer.  If the buffer is
+   later contracted, its capacity is also reduced to this size.
+
+.. zeek:id:: BinPAC::flowbuffer_contract_threshold
+   :source-code: base/init-bare.zeek 6103 6103
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2097152``
+
+   The threshold, in bytes, at which the BinPAC flowbuffer of a given
+   connection/analyzer will have its capacity contracted to
+   :zeek:see:`BinPAC::flowbuffer_capacity_min` after parsing a full unit.
+   I.e. this is the maximum capacity to reserve in between the parsing of
+   units.  If, after parsing a unit, the flowbuffer capacity is greater
+   than this value, it will be contracted.
+
+.. zeek:id:: Cluster::backend
+   :source-code: base/init-bare.zeek 6015 6015
+
+   :Type: :zeek:type:`Cluster::BackendTag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Cluster::CLUSTER_BACKEND_BROKER``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         Cluster::CLUSTER_BACKEND_ZEROMQ
+
+
+   Cluster backend to use. Default is the broker backend.
+
+.. zeek:id:: Cluster::event_serializer
+   :source-code: base/init-bare.zeek 6020 6020
+
+   :Type: :zeek:type:`Cluster::EventSerializerTag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Cluster::EVENT_SERIALIZER_BROKER_BIN_V1``
+
+   The event serializer to use by the cluster backend.
+   
+   This currently has no effect for backend BROKER.
+
+.. zeek:id:: Cluster::log_serializer
+   :source-code: base/init-bare.zeek 6025 6025
+
+   :Type: :zeek:type:`Cluster::LogSerializerTag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Cluster::LOG_SERIALIZER_ZEEK_BIN_V1``
+
+   The log serializer to use by the backend.
+   
+   This currently has no effect for backend BROKER.
+
+.. zeek:id:: ConnKey::factory
+   :source-code: base/init-bare.zeek 652 652
+
+   :Type: :zeek:type:`ConnKey::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``ConnKey::CONNKEY_FIVETUPLE``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek`
+
+      ``=``::
+
+         ConnKey::CONNKEY_VLAN_FIVETUPLE
+
+
+   The connection key factory to use for Zeek's internal connection
+   tracking. This is a ``ConnKey::Tag`` plugin component enum value,
+   and the default is Zeek's traditional 5-tuple-tracking based on
+   IP/port endpoint pairs, plus transport protocol. Plugins can provide
+   their own implementation. You'll usually not adjust this value in
+   isolation, but with a corresponding redef of the :zeek:type:`conn_id`
+   record to represent additional connection tuple members.
+
+.. zeek:id:: ConnThreshold::generic_packet_thresholds
+   :source-code: base/init-bare.zeek 6463 6463
+
+   :Type: :zeek:type:`set` [:zeek:type:`count`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Number of packets required to be observed on any IP-based session to
+   trigger :zeek:id:`conn_generic_packet_threshold_crossed`. Note that the
+   thresholds refers to the total number of packets transferred in both
+   directions.
+   
+   .. zeek:see:: conn_generic_packet_threshold_crossed
+
+.. zeek:id:: DCE_RPC::max_cmd_reassembly
+   :source-code: base/init-bare.zeek 5743 5743
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``20``
+
+   The maximum number of simultaneous fragmented commands that
+   the DCE_RPC analyzer will tolerate before the it will generate
+   a weird and skip further input.
+
+.. zeek:id:: DCE_RPC::max_frag_data
+   :source-code: base/init-bare.zeek 5748 5748
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``30000``
+
+   The maximum number of fragmented bytes that the DCE_RPC analyzer
+   will tolerate on a command before the analyzer will generate a weird
+   and skip further input.
+
+.. zeek:id:: EventMetadata::add_missing_remote_network_timestamp
+   :source-code: base/init-bare.zeek 639 639
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   By default, remote events without network timestamp metadata
+   will yield a negative zeek:see:`current_event_time` during
+   processing. To have the receiving Zeek node set the event's
+   network timestamp metadata with its current local network time,
+   set this option to true.
+   
+   This setting is only in effect if :zeek:see:`EventMetadata::add_network_timestamp`
+   is also set to true.
+
+.. zeek:id:: EventMetadata::add_network_timestamp
+   :source-code: base/init-bare.zeek 629 629
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Add network timestamp metadata to all events.
+   
+   Adding network timestamp metadata affects local and
+   remote events. Events scheduled have a network timestamp
+   of when the scheduled timer was supposed to expire, which
+   might be a value before the network_time() when the event
+   was actually dispatched.
+
+.. zeek:id:: FTP::max_command_length
+   :source-code: base/init-bare.zeek 660 660
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   Limits the size of commands accepted by the FTP analyzer. Longer commands
+   raise a FTP_max_command_length_exceeded weird and are discarded.
+
+.. zeek:id:: HTTP::upgrade_analyzers
+   :source-code: base/init-bare.zeek 780 780
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Analyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+   :Redefinition: from :doc:`/scripts/base/protocols/websocket/main.zeek`
+
+      ``+=``::
+
+         websocket = Analyzer::ANALYZER_WEBSOCKET
+
+
+   Lookup table for Upgrade analyzers. First, a case sensitive lookup
+   is done using the client's Upgrade header. If no match is found,
+   the all lower-case value is used. If there's still no match Zeek
+   uses dynamic protocol detection for the upgraded to protocol instead.
+
+.. zeek:id:: IP::protocol_names
+   :source-code: base/init-bare.zeek 6243 6243
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [96] = "scc-sp",
+            [73] = "cphb",
+            [39] = "tp++",
+            [46] = "rsvp",
+            [28] = "irtp",
+            [9] = "igp",
+            [68] = "distributed-files",
+            [107] = "a/n",
+            [53] = "swipe",
+            [71] = "ipcu",
+            [127] = "crudp",
+            [52] = "i-nlsp",
+            [41] = "ipv6",
+            [17] = "udp",
+            [105] = "scps",
+            [119] = "srp",
+            [81] = "vmtp",
+            [88] = "eigrp",
+            [111] = "ipx-in-ip",
+            [29] = "iso-tp4",
+            [115] = "l2tp",
+            [133] = "fc",
+            [95] = "micp",
+            [54] = "narp",
+            [90] = "sprite-rpc",
+            [146] = "homa",
+            [86] = "dgp",
+            [1] = "icmp",
+            [116] = "ddx",
+            [35] = "idpr",
+            [102] = "pnni",
+            [135] = "mobility-header",
+            [3] = "ggp",
+            [114] = "zero-hop",
+            [140] = "shim6",
+            [44] = "ipv6-frag",
+            [129] = "iplt",
+            [34] = "3pc",
+            [45] = "idrp",
+            [14] = "emcon",
+            [31] = "mfe-nsp",
+            [82] = "secure-vmtp",
+            [56] = "tlsp",
+            [7] = "cbt",
+            [66] = "rvd",
+            [26] = "leaf-2",
+            [128] = "sccopmce",
+            [47] = "gre",
+            [70] = "visa",
+            [93] = "ax.25",
+            [2] = "igmp",
+            [132] = "sctp",
+            [72] = "cpnx",
+            [24] = "trunk-2",
+            [69] = "sat-on",
+            [99] = "private-encryption",
+            [109] = "snp",
+            [103] = "pim",
+            [126] = "crtp",
+            [104] = "aris",
+            [61] = "host-protocol",
+            [60] = "ipv6-opts",
+            [51] = "ah",
+            [37] = "ddp",
+            [18] = "mux",
+            [0] = "hopopt",
+            [110] = "compaq-peer",
+            [137] = "mpls-in-ip",
+            [94] = "os",
+            [19] = "dcn-meas",
+            [20] = "hmp",
+            [33] = "dccp",
+            [75] = "pvp",
+            [67] = "ippc",
+            [15] = "xnet",
+            [30] = "netblt",
+            [77] = "sun-and",
+            [64] = "sat-expak",
+            [106] = "qnx",
+            [91] = "larp",
+            [97] = "etherip",
+            [55] = "mobile",
+            [21] = "prm",
+            [4] = "ip-in-ip",
+            [12] = "pup",
+            [124] = "is-is-over-ipv4",
+            [130] = "sps",
+            [58] = "ipv6-icmp",
+            [134] = "rsvp-e2e-ignore",
+            [80] = "iso-ip",
+            [76] = "br-sat-mon",
+            [25] = "leaf-1",
+            [142] = "rohc",
+            [16] = "chaos",
+            [59] = "ipv6-nonxt",
+            [38] = "idpr-cmtp",
+            [63] = "local-network",
+            [42] = "sdrp",
+            [57] = "skip",
+            [78] = "wb-mon",
+            [98] = "encap",
+            [11] = "nvp-ii",
+            [113] = "pgm",
+            [108] = "ipcomp",
+            [22] = "xns-idp",
+            [43] = "ipv6-route",
+            [143] = "ethernet",
+            [136] = "udplite",
+            [144] = "aggfrag",
+            [40] = "il",
+            [36] = "xtp",
+            [6] = "tcp",
+            [125] = "fire",
+            [141] = "wesp",
+            [8] = "egp",
+            [23] = "trunk-1",
+            [27] = "rdp",
+            [145] = "nsh",
+            [83] = "vines",
+            [122] = "sm",
+            [92] = "mtp",
+            [10] = "bbc-rcc-mon",
+            [65] = "kryptolan",
+            [13] = "argus",
+            [32] = "merit-inp",
+            [74] = "wsn",
+            [62] = "cftp",
+            [101] = "ifmp",
+            [89] = "ospf",
+            [118] = "stp",
+            [138] = "manet",
+            [139] = "hip",
+            [50] = "esp",
+            [120] = "uti",
+            [79] = "wb-expak",
+            [121] = "smp",
+            [48] = "dsr",
+            [85] = "nsfnet-igp",
+            [49] = "bna",
+            [5] = "st",
+            [112] = "vrrp",
+            [100] = "gtmp",
+            [117] = "iatp",
+            [123] = "ptp",
+            [131] = "pipe",
+            [87] = "tcf",
+            [84] = "ttp or iptm"
+         }
+
+
+   Mapping from IP protocol identifier values to string names.
+
+.. zeek:id:: KRB::keytab
+   :source-code: base/init-bare.zeek 5407 5407
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
+
+.. zeek:id:: Log::default_max_field_container_elements
+   :source-code: base/init-bare.zeek 3773 3773
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   The maximum number of elements a single container field can contain when
+   logging. If a container reaches this limit, the log output for the field will
+   be truncated. Setting this to zero disables the limiting.
+
+.. zeek:id:: Log::default_max_field_string_bytes
+   :source-code: base/init-bare.zeek 3768 3768
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4096``
+
+   The maximum number of bytes that a single string field can contain when
+   logging. If a string reaches this limit, the log output for the field will be
+   truncated. Setting this to zero disables the limiting.
+
+.. zeek:id:: Log::default_max_total_container_elements
+   :source-code: base/init-bare.zeek 3788 3788
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``500``
+
+   The maximum total number of container elements a record may log. This is the
+   sum of all container elements logged for the record. If this limit is reached,
+   all further containers will be logged as empty containers. If the limit is
+   reached while processing a container, the container will be truncated in the
+   output. Setting this to zero disables the limiting.
+
+.. zeek:id:: Log::default_max_total_string_bytes
+   :source-code: base/init-bare.zeek 3781 3781
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``256000``
+
+   The maximum total bytes a record may log for string fields. This is the sum of
+   all bytes in string fields logged for the record. If this limit is reached, all
+   further string fields will be logged as empty strings. Any containers holding
+   string fields will be logged as empty containers. If the limit is reached while
+   processing a container holding string fields, the container will be truncated
+   in the log output. Setting this to zero disables the limiting.
+
+.. zeek:id:: Log::flush_interval
+   :source-code: base/init-bare.zeek 3743 3743
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 sec``
+
+   Default interval for flushing the write buffers of all
+   enabled log streams.
+   
+   In earlier Zeek releases this was governed by :zeek:see:`Threading::heartbeat_interval`.
+   For Broker, see also :zeek:see:`Broker::log_batch_interval`.
+   
+   .. :zeek:see:`Log::flush`
+   .. :zeek:see:`Log::set_buf`
+   .. :zeek:see:`Log::write_buffer_size`
+
+.. zeek:id:: Log::max_log_record_size
+   :source-code: base/init-bare.zeek 3763 3763
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``67108864``
+
+   Maximum size of a message that can be sent to a remote logger or logged
+   locally. If this limit is met, report a ``log_line_too_large`` weird and drop
+   the log entry. This isn't necessarily the full size of a line that might be
+   written to a log, but a general representation of the size as the log record is
+   serialized for writing. The size of end result from serialization might be
+   higher than this limit, but it prevents runaway-sized log entries from causing
+   problems.
+
+.. zeek:id:: Log::write_buffer_size
+   :source-code: base/init-bare.zeek 3754 3754
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   Default maximum size of the log write buffer per filter/path pair.
+   If this many log writes are buffered, the writer frontend flushes
+   its writes to its backend before flush_interval expires.
+   
+   In earlier Zeek releases this was hard-coded to 1000.
+   
+   .. :zeek:see:`Log::flush`
+   .. :zeek:see:`Log::set_buf`
+   .. :zeek:see:`Log::flush_interval`
+
+.. zeek:id:: MIME::max_depth
+   :source-code: base/init-bare.zeek 3663 3663
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   Stop analysis of nested multipart MIME entities if this depth is
+   reached. Setting this value to 0 removes the limit.
+
+.. zeek:id:: NCP::max_frame_size
+   :source-code: base/init-bare.zeek 5755 5755
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``65536``
+
+   The maximum number of bytes to allocate when parsing NCP frames.
+
+.. zeek:id:: NFS3::return_data
+   :source-code: base/init-bare.zeek 3349 3349
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, :zeek:see:`nfs_proc_read` and :zeek:see:`nfs_proc_write`
+   events return the file data that has been read/written.
+   
+   .. zeek:see:: NFS3::return_data_max NFS3::return_data_first_only
+
+.. zeek:id:: NFS3::return_data_first_only
+   :source-code: base/init-bare.zeek 3358 3358
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If :zeek:id:`NFS3::return_data` is true, whether to *only* return data
+   if the read or write offset is 0, i.e., only return data for the
+   beginning of the file.
+
+.. zeek:id:: NFS3::return_data_max
+   :source-code: base/init-bare.zeek 3353 3353
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``512``
+
+   If :zeek:id:`NFS3::return_data` is true, how much data should be
+   returned at most.
+
+.. zeek:id:: POP3::max_pending_commands
+   :source-code: base/init-bare.zeek 3798 3798
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   How many commands a POP3 client may have pending
+   before Zeek forcefully removes the oldest.
+   
+   Setting this value to 0 removes the limit.
+
+.. zeek:id:: POP3::max_unknown_client_commands
+   :source-code: base/init-bare.zeek 3804 3804
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   How many invalid commands a POP3 client may use
+   before Zeek starts raising analyzer violations.
+   
+   Setting this value to 0 removes the limit.
+
+.. zeek:id:: Pcap::bufsize
+   :source-code: base/init-bare.zeek 5651 5651
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``128``
+
+   Number of Mbytes to provide as buffer space when capturing from live
+   interfaces.
+
+.. zeek:id:: Pcap::bufsize_offline_bytes
+   :source-code: base/init-bare.zeek 5656 5656
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``131072``
+
+   Number of bytes to use for buffering file read operations when reading
+   from a PCAP file. Setting this to 0 uses operating system defaults
+   as chosen by fopen().
+
+.. zeek:id:: Pcap::non_fd_timeout
+   :source-code: base/init-bare.zeek 5682 5682
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``20.0 usecs``
+
+   Default timeout for packet sources without file descriptors.
+   
+   For libpcap based packet sources that do not provide a usable
+   file descriptor for select(), the timeout provided to the IO
+   loop is either zero if a packet was most recently available
+   or else this value.
+   
+   Depending on the expected packet rate per-worker and the amount of
+   available packet buffer, raising this value can significantly reduce
+   Zeek's CPU usage at the cost of a small delay before processing
+   packets. Setting this value too high may cause packet drops due
+   to running out of available buffer space.
+   
+   Increasing this value to 200usec on low-traffic Myricom based systems
+   (5 kpps per Zeek worker) has shown a 50% reduction in CPU usage.
+   
+   This is an advanced setting. Do monitor dropped packets and capture
+   loss information when changing it.
+   
+   .. note:: Packet sources that override ``GetNextTimeout()`` method
+      may not respect this value.
+   
+   .. zeek:see:: io_poll_interval_live
+   
+
+.. zeek:id:: Pcap::snaplen
+   :source-code: base/init-bare.zeek 5647 5647
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``9216``
+
+   Number of bytes per packet to capture from live interfaces.
+
+.. zeek:id:: Reporter::errors_to_stderr
+   :source-code: base/init-bare.zeek 5640 5640
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Tunable for sending reporter error messages to STDERR.  The option to
+   turn it off is presented here in case Zeek is being run by some
+   external harness and shouldn't output anything to the console.
+
+.. zeek:id:: Reporter::info_to_stderr
+   :source-code: base/init-bare.zeek 5630 5630
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Tunable for sending reporter info messages to STDERR.  The option to
+   turn it off is presented here in case Zeek is being run by some
+   external harness and shouldn't output anything to the console.
+
+.. zeek:id:: Reporter::warnings_to_stderr
+   :source-code: base/init-bare.zeek 5635 5635
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Tunable for sending reporter warning messages to STDERR.  The option
+   to turn it off is presented here in case Zeek is being run by some
+   external harness and shouldn't output anything to the console.
+
+.. zeek:id:: SMB::max_dce_rpc_analyzers
+   :source-code: base/init-bare.zeek 4040 4040
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   Maximum number of DCE-RPC analyzers per connection
+   before discarding them to avoid unbounded state growth.
+   
+   .. zeek:see:: smb_discarded_dce_rpc_analyzers
+
+.. zeek:id:: SMB::max_pending_messages
+   :source-code: base/init-bare.zeek 4034 4034
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   The maximum number of messages for which to retain state
+   about offsets, fids, or tree ids within the parser. When
+   the limit is reached, internal parser state is discarded
+   and :zeek:see:`smb2_discarded_messages_state` raised.
+   
+   Setting this to zero will disable the functionality.
+   
+   .. zeek:see:: smb2_discarded_messages_state
+
+.. zeek:id:: SMB::pipe_filenames
+   :source-code: base/init-bare.zeek 4024 4024
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+   :Redefinition: from :doc:`/scripts/base/protocols/smb/consts.zeek`
+
+      ``=``::
+
+         spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds
+
+
+   A set of file names used as named pipes over SMB. This
+   only comes into play as a heuristic to identify named
+   pipes when the drive mapping wasn't seen by Zeek.
+   
+   .. zeek:see:: smb_pipe_connect_heuristic
+
+.. zeek:id:: SMTP::bdat_max_line_length
+   :source-code: base/init-bare.zeek 669 669
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4096``
+
+   The maximum line length within a BDAT chunk before a forceful linebreak
+   is introduced and a weird is raised. Conventionally, MIME messages
+   have a maximum line length of 1000 octets when properly encoded.
+
+.. zeek:id:: SMTP::enable_rfc822_msg_file_analysis
+   :source-code: base/init-bare.zeek 677 677
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether to send data of individual top-level RFC822 messages
+   in SMTP transactions to the file analysis framework.
+   
+   If this option is enabled, the first :zeek:see:`file_over_new_connection`
+   event for a new SMTP transaction will be for the top-level RFC822
+   message. The file's :zeek:field:`mime_type` will be ``message/rfc822``.
+
+.. zeek:id:: SSL::dtls_max_reported_version_errors
+   :source-code: base/init-bare.zeek 5065 5065
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1``
+
+   Maximum number of invalid version errors to report in one DTLS connection.
+
+.. zeek:id:: SSL::dtls_max_version_errors
+   :source-code: base/init-bare.zeek 5062 5062
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   Number of non-DTLS frames that can occur in a DTLS connection before
+   parsing of the connection is suspended.
+   DTLS does not immediately stop parsing a connection because other protocols
+   might be interleaved in the same UDP "connection".
+
+.. zeek:id:: SSL::max_alerts_per_record
+   :source-code: base/init-bare.zeek 5070 5070
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   Maximum number of Alert messages parsed from an SSL record with
+   content_type alert (21). The remaining alerts are discarded. For
+   TLS 1.3 connections, this is implicitly 1 as defined by RFC 8446.
+
+.. zeek:id:: Storage::expire_interval
+   :source-code: base/init-bare.zeek 6402 6402
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 secs``
+
+   The interval used by the storage framework for automatic expiration
+   of elements in all backends that don't support it natively, or if
+   using expiration while reading pcap files.
+
+.. zeek:id:: Telemetry::callback_timeout
+   :source-code: base/init-bare.zeek 6233 6233
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   Maximum amount of time for CivetWeb HTTP threads to
+   wait for metric callbacks to complete on the IO loop.
+
+.. zeek:id:: Telemetry::civetweb_threads
+   :source-code: base/init-bare.zeek 6236 6236
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2``
+
+   Number of CivetWeb threads to use.
+
+.. zeek:id:: Threading::heartbeat_interval
+   :source-code: base/init-bare.zeek 3814 3814
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 sec``
+
+   The heartbeat interval used by the threading framework.
+   Changing this should usually not be necessary and will break
+   several tests.
+
+.. zeek:id:: Tunnel::delay_gtp_confirmation
+   :source-code: base/init-bare.zeek 759 759
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   With this set, the GTP analyzer waits until the most-recent upflow
+   and downflow packets are a valid GTPv1 encapsulation before
+   issuing :zeek:see:`analyzer_confirmation_info`.  If it's false, the
+   first occurrence of a packet with valid GTPv1 encapsulation causes
+   confirmation.  Since the same inner connection can be carried
+   differing outer upflow/downflow connections, setting to false
+   may work better.
+
+.. zeek:id:: Tunnel::delay_teredo_confirmation
+   :source-code: base/init-bare.zeek 750 750
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   With this set, the Teredo analyzer waits until it sees both sides
+   of a connection using a valid Teredo encapsulation before issuing
+   a :zeek:see:`analyzer_confirmation_info`.  If it's false, the first
+   occurrence of a packet with valid Teredo encapsulation causes a
+   confirmation.
+
+.. zeek:id:: Tunnel::ip_tunnel_timeout
+   :source-code: base/init-bare.zeek 763 763
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 day``
+
+   How often to cleanup internal state for inactive IP tunnels
+   (includes GRE tunnels).
+
+.. zeek:id:: Tunnel::max_changes_per_connection
+   :source-code: base/init-bare.zeek 739 739
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5``
+
+   The number of tunnel_changed events that will be sent for a connection. Once this
+   limit is hit, no more of those events will be sent to avoid a large number of events
+   being sent for connections that regularly swap. This can be set to zero to disable
+   this limiting.
+
+.. zeek:id:: Tunnel::max_depth
+   :source-code: base/init-bare.zeek 743 743
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4``
+
+   The maximum depth of a tunnel to decapsulate until giving up.
+   Setting this to zero will disable all types of tunnel decapsulation.
+
+.. zeek:id:: Tunnel::validate_vxlan_checksums
+   :source-code: base/init-bare.zeek 769 769
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether to validate the checksum supplied in the outer UDP header
+   of a VXLAN encapsulation.  The spec says the checksum should be
+   transmitted as zero, but if not, then the decapsulating destination
+   may choose whether to perform the validation.
+
+.. zeek:id:: UnknownProtocol::first_bytes_count
+   :source-code: base/init-bare.zeek 6082 6082
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   The number of bytes to extract from the next header and log in the
+   first bytes field.
+
+.. zeek:id:: UnknownProtocol::sampling_duration
+   :source-code: base/init-bare.zeek 6078 6078
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 hr``
+
+   How long an analyzer/protocol pair is allowed to keep state/counters in
+   in memory. Once the threshold has been hit, this is the amount of time
+   before the rate-limiting for a pair expires and is reset.
+
+.. zeek:id:: UnknownProtocol::sampling_rate
+   :source-code: base/init-bare.zeek 6073 6073
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100000``
+
+   The rate-limiting sampling rate. One out of every of this number of
+   rate-limited pairs of a given type will be allowed to raise events
+   for further script-layer handling. Setting the sampling rate to 0
+   will disable all output of rate-limited pairs.
+
+.. zeek:id:: UnknownProtocol::sampling_threshold
+   :source-code: base/init-bare.zeek 6067 6067
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``3``
+
+   How many reports for an analyzer/protocol pair will be allowed to
+   raise events before becoming rate-limited.
+
+.. zeek:id:: WebSocket::payload_chunk_size
+   :source-code: base/init-bare.zeek 791 791
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``8192``
+
+   The WebSocket analyzer consumes and forwards
+   frame payload in chunks to keep memory usage
+   bounded. There should not be a reason to change
+   this value except for debugging and
+   testing reasons.
+
+.. zeek:id:: WebSocket::use_dpd_default
+   :source-code: base/init-bare.zeek 794 794
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether to enable DPD on WebSocket frame payload by default.
+
+.. zeek:id:: WebSocket::use_spicy_analyzer
+   :source-code: base/init-bare.zeek 800 800
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether to use the Spicy WebSocket protocol analyzer.
+   
+   As of now, the BinPac version has better performance, but
+   we may change the default in the future.
+
+.. zeek:id:: allow_network_time_forward
+   :source-code: base/init-bare.zeek 195 195
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether Zeek will forward network_time to the current time upon
+   observing an idle packet source (or no configured packet source).
+   
+   Only set this to *F* if you really know what you're doing. Setting this to
+   *F* on non-worker systems causes :zeek:see:`network_time` to be stuck
+   at 0.0 and timer expiration will be non-functional.
+   
+   The main purpose of this option is to yield control over network time
+   to plugins or scripts via broker or other non-timer events.
+   
+   .. zeek:see:: network_time set_network_time packet_source_inactivity_timeout
+   
+
+.. zeek:id:: bits_per_uid
+   :source-code: base/init-bare.zeek 558 558
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``96``
+
+   Number of bits in UIDs that are generated to identify connections and
+   files.  The larger the value, the more confidence in UID uniqueness.
+   The maximum is currently 128 bits.
+
+.. zeek:id:: cmd_line_bpf_filter
+   :source-code: base/init-bare.zeek 411 411
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   BPF filter the user has set via the -f command line options. Empty if none.
+
+.. zeek:id:: detect_filtered_trace
+   :source-code: base/init-bare.zeek 420 420
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether to attempt to automatically detect SYN/FIN/RST-filtered trace
+   and not report missing segments for such connections.
+   If this is enabled, then missing data at the end of connections may not
+   be reported via :zeek:see:`content_gap`.
+
+.. zeek:id:: digest_salt
+   :source-code: base/init-bare.zeek 566 566
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"Please change this value."``
+
+   This salt value is used for several message digests in Zeek. We
+   use a salt to help mitigate the possibility of an attacker
+   manipulating source data to, e.g., mount complexity attacks or
+   cause ID collisions.
+   This salt is, for example, used by :zeek:see:`get_file_handle`
+   to generate installation-unique file IDs (the *id* field of :zeek:see:`fa_file`).
+
+.. zeek:id:: dns_session_timeout
+   :source-code: base/init-bare.zeek 1844 1844
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 secs``
+
+   Time to wait before timing out a DNS request.
+
+.. zeek:id:: dpd_buffer_size
+   :source-code: base/init-bare.zeek 477 477
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1024``
+
+   Size of per-connection buffer used for dynamic protocol detection. For each
+   connection, Zeek buffers this initial amount of payload in memory so that
+   complete protocol analysis can start even after the initial packets have
+   already passed through (i.e., when a DPD signature matches only later).
+   However, once the buffer is full, data is deleted and lost to analyzers that
+   are activated afterwards. Then only analyzers that can deal with partial
+   connections will be able to analyze the session.
+   
+   .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning
+      dpd_ignore_ports dpd_max_packets
+
+.. zeek:id:: dpd_ignore_ports
+   :source-code: base/init-bare.zeek 518 518
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, don't consider any ports for deciding which protocol analyzer to
+   use.
+   
+   .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
+      dpd_match_only_beginning
+
+.. zeek:id:: dpd_late_match_stop
+   :source-code: base/init-bare.zeek 511 511
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+   :Redefinition: from :doc:`/scripts/policy/protocols/conn/speculative-service.zeek`
+
+      ``=``::
+
+         T
+
+
+   If true, stops signature matching after a late match. A late match may occur
+   in case the DPD buffer is exhausted but a protocol signature matched. To
+   allow late matching, :zeek:see:`dpd_match_only_beginning` must be disabled.
+   
+   .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
+      dpd_match_only_beginning
+   
+   .. note:: Despite the name, this option stops *all* signature matching, not
+      only signatures used for dynamic protocol detection but is triggered by
+      DPD signatures only.
+
+.. zeek:id:: dpd_match_only_beginning
+   :source-code: base/init-bare.zeek 499 499
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+   :Redefinition: from :doc:`/scripts/policy/protocols/conn/speculative-service.zeek`
+
+      ``=``::
+
+         F
+
+
+   If true, stops signature matching if :zeek:see:`dpd_buffer_size` has been
+   reached.
+   
+   .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size
+      dpd_ignore_ports
+   
+   .. note:: Despite the name, this option affects *all* signature matching, not
+      only signatures used for dynamic protocol detection.
+
+.. zeek:id:: dpd_max_packets
+   :source-code: base/init-bare.zeek 489 489
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   Maximum number of per-connection packets that will be buffered for dynamic
+   protocol detection. For each connection, Zeek buffers up to this amount
+   of packets in memory so that complete protocol analysis can start even after
+   the initial packets have already passed through (i.e., when a DPD signature
+   matches only later). However, once the buffer is full, data is deleted and lost
+   to analyzers that are activated afterwards. Then only analyzers that can deal
+   with partial connections will be able to analyze the session.
+   
+   .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning
+      dpd_ignore_ports dpd_buffer_size
+
+.. zeek:id:: dpd_reassemble_first_packets
+   :source-code: base/init-bare.zeek 465 465
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Reassemble the beginning of all TCP connections before doing
+   signature matching. Enabling this provides more accurate matching at the
+   expense of CPU cycles.
+   
+   .. zeek:see:: dpd_buffer_size
+      dpd_match_only_beginning dpd_ignore_ports
+   
+   .. note:: Despite the name, this option affects *all* signature matching, not
+      only signatures used for dynamic protocol detection.
+
+.. zeek:id:: exit_only_after_terminate
+   :source-code: base/init-bare.zeek 436 436
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Flag to prevent Zeek from exiting automatically when input is exhausted.
+   Normally Zeek terminates when all packet sources have gone dry
+   and communication isn't enabled. If this flag is set, Zeek's main loop will
+   instead keep idling until :zeek:see:`terminate` is explicitly called.
+   
+   This is mainly for testing purposes when termination behaviour needs to be
+   controlled for reproducing results.
+
+.. zeek:id:: expensive_profiling_multiple
+   :source-code: base/init-bare.zeek 2831 2831
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+   :Redefinition: from :doc:`/scripts/policy/misc/profiling.zeek`
+
+      ``=``::
+
+         20
+
+
+   Multiples of :zeek:see:`profiling_interval` at which (more expensive) memory
+   profiling is done (0 disables).
+   
+   .. zeek:see:: profiling_interval profiling_file
+
+.. zeek:id:: frag_timeout
+   :source-code: base/init-bare.zeek 1851 1851
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 mins``
+
+   How long to hold onto fragments for possible reassembly.  A value of 0.0
+   means "forever", which resists evasion, but can lead to state accrual.
+
+.. zeek:id:: global_hash_seed
+   :source-code: base/init-bare.zeek 553 553
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Seed for hashes computed internally for probabilistic data structures. Using
+   the same value here will make the hashes compatible between independent Zeek
+   instances. If left unset, Zeek will use a temporary local seed.
+
+.. zeek:id:: icmp_inactivity_timeout
+   :source-code: base/init-bare.zeek 1679 1679
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min``
+
+   If an ICMP flow is inactive, time it out after this interval. If 0 secs, then
+   don't time it out.
+   
+   .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
+
+.. zeek:id:: ignore_checksums
+   :source-code: base/init-bare.zeek 1608 1608
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, don't verify checksums, and accept packets that give a length of
+   zero in the IPv4 header. This is useful when running against traces of local
+   traffic and the NIC checksum offloading feature is enabled. It can also
+   be useful for running on altered trace files, and for saving a few cycles
+   at the risk of analyzing invalid data.
+   With this option, packets that have a value of zero in the total-length field
+   of the IPv4 header are also accepted, and the capture-length is used instead.
+   The total-length field is commonly set to zero when the NIC sequence offloading
+   feature is enabled.
+   Note that the ``-C`` command-line option overrides the setting of this
+   variable.
+
+.. zeek:id:: ignore_keep_alive_rexmit
+   :source-code: base/init-bare.zeek 546 546
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Ignore certain TCP retransmissions for :zeek:see:`conn_stats`.  Some
+   connections (e.g., SSH) retransmit the acknowledged last byte to keep the
+   connection alive. If *ignore_keep_alive_rexmit* is set to true, such
+   retransmissions will be excluded in the rexmit counter in
+   :zeek:see:`conn_stats`.
+   
+   .. zeek:see:: conn_stats
+
+.. zeek:id:: io_poll_interval_default
+   :source-code: base/init-bare.zeek 583 583
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   How many rounds to go without checking IO sources with file descriptors
+   for readiness by default. This is used when reading from traces.
+   
+   Very roughly, when reading from a pcap, setting this to 100 results in
+   100 packets being processed without checking FD based IO sources.
+   
+   .. note:: This should not be changed outside of development or when
+      debugging problems with the main-loop, or developing features with
+      tight main-loop interaction.
+   
+   .. zeek:see:: io_poll_interval_live
+
+.. zeek:id:: io_poll_interval_live
+   :source-code: base/init-bare.zeek 598 598
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   How often to check IO sources with file descriptors for readiness when
+   monitoring with a live packet source.
+   
+   The poll interval gets defaulted to 100 which is good for cases like reading
+   from pcap files and when there isn't a packet source, but is a little too
+   infrequent for live sources (especially fast live sources). Set it down a
+   little bit for those sources.
+   
+   .. note:: This should not be changed outside of development or when
+      debugging problems with the main-loop, or developing features with
+      tight main-loop interaction.
+   
+   .. zeek:see:: io_poll_interval_default
+
+.. zeek:id:: likely_server_ports
+   :source-code: base/init-bare.zeek 523 523
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+   :Redefinition: from :doc:`/scripts/base/packet-protocols/ayiya/main.zeek`
+
+      ``+=``::
+
+         PacketAnalyzer::AYIYA::ayiya_ports
+
+   :Redefinition: from :doc:`/scripts/base/packet-protocols/geneve/main.zeek`
+
+      ``+=``::
+
+         PacketAnalyzer::Geneve::geneve_ports
+
+   :Redefinition: from :doc:`/scripts/base/packet-protocols/vxlan/main.zeek`
+
+      ``+=``::
+
+         PacketAnalyzer::VXLAN::vxlan_ports
+
+   :Redefinition: from :doc:`/scripts/base/packet-protocols/teredo/main.zeek`
+
+      ``+=``::
+
+         PacketAnalyzer::TEREDO::teredo_ports
+
+   :Redefinition: from :doc:`/scripts/base/packet-protocols/gtpv1/main.zeek`
+
+      ``+=``::
+
+         PacketAnalyzer::GTPV1::gtpv1_ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/dce-rpc/main.zeek`
+
+      ``+=``::
+
+         DCE_RPC::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/dhcp/main.zeek`
+
+      ``+=``::
+
+         67/udp
+
+   :Redefinition: from :doc:`/scripts/base/protocols/dnp3/main.zeek`
+
+      ``+=``::
+
+         DNP3::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/dns/main.zeek`
+
+      ``+=``::
+
+         DNS::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/finger/main.zeek`
+
+      ``+=``::
+
+         Finger::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/ftp/main.zeek`
+
+      ``+=``::
+
+         FTP::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/ssl/main.zeek`
+
+      ``+=``::
+
+         SSL::ssl_ports, SSL::dtls_ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/http/main.zeek`
+
+      ``+=``::
+
+         HTTP::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/imap/main.zeek`
+
+      ``+=``::
+
+         IMAP::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/irc/main.zeek`
+
+      ``+=``::
+
+         IRC::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/krb/main.zeek`
+
+      ``+=``::
+
+         KRB::tcp_ports, KRB::udp_ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/ldap/main.zeek`
+
+      ``+=``::
+
+         LDAP::ports_tcp, LDAP::ports_udp
+
+   :Redefinition: from :doc:`/scripts/base/protocols/modbus/main.zeek`
+
+      ``+=``::
+
+         Modbus::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/mqtt/main.zeek`
+
+      ``+=``::
+
+         MQTT::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/ntp/main.zeek`
+
+      ``+=``::
+
+         NTP::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/postgresql/main.zeek`
+
+      ``+=``::
+
+         PostgreSQL::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/radius/main.zeek`
+
+      ``+=``::
+
+         RADIUS::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/rdp/main.zeek`
+
+      ``+=``::
+
+         RDP::rdp_ports, RDP::rdpeudp_ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/redis/main.zeek`
+
+      ``+=``::
+
+         Redis::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/sip/main.zeek`
+
+      ``+=``::
+
+         SIP::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/snmp/main.zeek`
+
+      ``+=``::
+
+         SNMP::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/smb/main.zeek`
+
+      ``+=``::
+
+         SMB::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/smtp/main.zeek`
+
+      ``+=``::
+
+         SMTP::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/socks/main.zeek`
+
+      ``+=``::
+
+         SOCKS::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/ssh/main.zeek`
+
+      ``+=``::
+
+         SSH::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/syslog/main.zeek`
+
+      ``+=``::
+
+         Syslog::ports
+
+   :Redefinition: from :doc:`/scripts/base/protocols/xmpp/main.zeek`
+
+      ``+=``::
+
+         XMPP::ports
+
+
+   Ports which the core considers being likely used by servers. For ports in
+   this set, it may heuristically decide to flip the direction of the
+   connection if it misses the initial handshake.
+
+.. zeek:id:: log_rotate_base_time
+   :source-code: base/init-bare.zeek 414 414
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"0:00"``
+
+   Base time of log rotations in 24-hour time format (``%H:%M``), e.g. "12:00".
+
+.. zeek:id:: max_analyzer_violations
+   :source-code: base/init-bare.zeek 1041 1041
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   The maximum number of analyzer violations the core generates before
+   suppressing them for a given analyzer instance. A weird providing
+   information about the analyzer and connection is generated once the
+   limit is reached.
+   
+   An analyzer generating this many violations is unlikely parsing
+   the right protocol or potentially buggy.
+
+.. zeek:id:: max_find_all_string_length
+   :source-code: base/init-bare.zeek 570 570
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10000``
+
+   Maximum string length allowed for calls to the :zeek:see:`find_all` and
+   :zeek:see:`find_all_ordered` BIFs.
+
+.. zeek:id:: max_timer_expires
+   :source-code: base/init-bare.zeek 2647 2647
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``300``
+
+   The maximum number of expired timers to process after processing each new
+   packet. The value trades off spreading out the timer expiration load
+   with possibly having to hold state longer.  A value of 0 means
+   "process all expired timers with each new packet".
+
+.. zeek:id:: mmdb_asn_db
+   :source-code: base/init-bare.zeek 1534 1534
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"GeoLite2-ASN.mmdb"``
+
+   Default name of the MaxMind ASN database file:
+
+.. zeek:id:: mmdb_city_db
+   :source-code: base/init-bare.zeek 1530 1530
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"GeoLite2-City.mmdb"``
+
+   Default name of the MaxMind City database file:
+
+.. zeek:id:: mmdb_country_db
+   :source-code: base/init-bare.zeek 1532 1532
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"GeoLite2-Country.mmdb"``
+
+   Default name of the MaxMind Country database file:
+
+.. zeek:id:: mmdb_dir
+   :source-code: base/init-bare.zeek 1527 1527
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.
+
+.. zeek:id:: mmdb_dir_fallbacks
+   :source-code: base/init-bare.zeek 1541 1541
+
+   :Type: :zeek:type:`vector` of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         ["/usr/share/GeoIP", "/var/lib/GeoIP", "/usr/local/share/GeoIP", "/usr/local/var/GeoIP"]
+
+
+   Fallback locations for MaxMind databases. Zeek attempts these when
+   :zeek:see:`mmdb_dir` is not set, or it cannot read a DB file from it. For
+   geolocation lookups, Zeek will first attempt to locate the city database in
+   each of the fallback locations, and should this fail, attempt to locate the
+   country one.
+
+.. zeek:id:: mmdb_stale_check_interval
+   :source-code: base/init-bare.zeek 1551 1551
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 mins``
+
+   Sets the interval for MaxMind DB file staleness checks. When Zeek detects a
+   change in inode or modification time, the database is re-opened. Setting
+   a negative interval disables staleness checks.
+
+.. zeek:id:: netbios_ssn_session_timeout
+   :source-code: base/init-bare.zeek 606 606
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 secs``
+
+   The amount of time before a connection created by the netbios analyzer times
+   out and is removed.
+
+.. zeek:id:: non_analyzed_lifetime
+   :source-code: base/init-bare.zeek 1661 1661
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0 secs``
+
+   If a connection belongs to an application that we don't analyze,
+   time it out after this interval.  If 0 secs, then don't time it out (but
+   :zeek:see:`tcp_inactivity_timeout`, :zeek:see:`udp_inactivity_timeout`, and
+   :zeek:see:`icmp_inactivity_timeout` still apply).
+
+.. zeek:id:: packet_filter_default
+   :source-code: base/init-bare.zeek 448 448
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Default mode for Zeek's user-space dynamic packet filter. If true, packets
+   that aren't explicitly allowed through, are dropped from any further
+   processing.
+   
+   .. note:: This is not the BPF packet filter but an additional dynamic filter
+      that Zeek optionally applies just before normal processing starts.
+   
+   .. zeek:see:: install_dst_addr_filter install_dst_net_filter
+      install_src_addr_filter install_src_net_filter  uninstall_dst_addr_filter
+      uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter
+
+.. zeek:id:: packet_source_inactivity_timeout
+   :source-code: base/init-bare.zeek 181 181
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100.0 msecs``
+
+   If a packet source does not yield packets for this amount of time,
+   it is considered idle. When a packet source is found to be idle,
+   Zeek will update network_time to current time in order for timer expiration
+   to function. A packet source queueing up packets and not yielding them for
+   longer than this interval without yielding any packets will provoke
+   not-very-well-defined timer behavior.
+   
+   On Zeek workers with low packet rates, timer expiration may be delayed
+   by this many milliseconds after the last packet has been received.
+
+.. zeek:id:: partial_connection_ok
+   :source-code: base/init-bare.zeek 1619 1619
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, instantiate connection state when a partial connection
+   (one missing its initial establishment negotiation) is seen.
+
+.. zeek:id:: peer_description
+   :source-code: base/init-bare.zeek 454 454
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek"``
+
+   Description transmitted to remote communication peers for identification.
+
+.. zeek:id:: pkt_profile_freq
+   :source-code: base/init-bare.zeek 2851 2851
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0.0``
+
+   Frequency associated with packet profiling.
+   
+   .. zeek:see:: pkt_profile_modes pkt_profile_mode pkt_profile_file
+
+.. zeek:id:: pkt_profile_mode
+   :source-code: base/init-bare.zeek 2846 2846
+
+   :Type: :zeek:type:`pkt_profile_modes`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PKT_PROFILE_MODE_NONE``
+
+   Output mode for packet profiling information.
+   
+   .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_file
+
+.. zeek:id:: profiling_interval
+   :source-code: base/init-bare.zeek 2825 2825
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0 secs``
+   :Redefinition: from :doc:`/scripts/policy/misc/profiling.zeek`
+
+      ``=``::
+
+         15.0 secs
+
+
+   Update interval for profiling (0 disables).  The easiest way to activate
+   profiling is loading  :doc:`/scripts/policy/misc/profiling.zeek`.
+   
+   .. zeek:see:: profiling_file expensive_profiling_multiple
+
+.. zeek:id:: record_all_packets
+   :source-code: base/init-bare.zeek 537 537
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it.
+   By default, Zeek applies (very few) heuristics to reduce the volume. A side
+   effect of setting this to true is that we can write the packets out before we
+   actually process them, which can be helpful for debugging in case the
+   analysis triggers a crash.
+   
+   .. zeek:see:: trace_output_file
+
+.. zeek:id:: report_gaps_for_partial
+   :source-code: base/init-bare.zeek 427 427
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether we want :zeek:see:`content_gap` for partial
+   connections. A connection is partial if it is missing a full handshake. Note
+   that gap reports for partial connections might not be reliable.
+   
+   .. zeek:see:: content_gap partial_connection
+
+.. zeek:id:: rpc_timeout
+   :source-code: base/init-bare.zeek 1847 1847
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``24.0 secs``
+
+   Time to wait before timing out an RPC request.
+
+.. zeek:id:: running_under_test
+   :source-code: base/init-bare.zeek 602 602
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether Zeek is being run under test. This can be used to alter functionality
+   while testing, but should be used sparingly.
+
+.. zeek:id:: sig_max_group_size
+   :source-code: base/init-bare.zeek 451 451
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``50``
+
+   Maximum size of regular expression groups for signature matching.
+
+.. zeek:id:: skip_http_data
+   :source-code: base/init-bare.zeek 3202 3202
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Skip HTTP data for performance considerations. The skipped
+   portion will not go through TCP reassembly.
+   
+   .. zeek:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size
+
+.. zeek:id:: table_expire_delay
+   :source-code: base/init-bare.zeek 1841 1841
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 msecs``
+
+   When expiring table entries, wait this amount of time before checking the
+   next chunk of entries.
+   
+   .. zeek:see:: table_expire_interval table_incremental_step
+
+.. zeek:id:: table_expire_interval
+   :source-code: base/init-bare.zeek 1829 1829
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 secs``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/agent/main.zeek`
+
+      ``=``::
+
+         2.0 secs
+
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/controller/main.zeek`
+
+      ``=``::
+
+         2.0 secs
+
+
+   Check for expired table entries after this amount of time.
+   
+   .. zeek:see:: table_incremental_step table_expire_delay
+
+.. zeek:id:: table_incremental_step
+   :source-code: base/init-bare.zeek 1835 1835
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5000``
+
+   When expiring/serializing table entries, don't work on more than this many
+   table entries at a time.
+   
+   .. zeek:see:: table_expire_interval table_expire_delay
+
+.. zeek:id:: tcp_SYN_ack_ok
+   :source-code: base/init-bare.zeek 1623 1623
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, instantiate connection state when a SYN/ACK is seen but not the
+   initial SYN (even if :zeek:see:`partial_connection_ok` is false).
+
+.. zeek:id:: tcp_SYN_timeout
+   :source-code: base/init-bare.zeek 1631 1631
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   Check up on the result of an initial SYN after this much time.
+
+.. zeek:id:: tcp_attempt_delay
+   :source-code: base/init-bare.zeek 1644 1644
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   Wait this long upon seeing an initial SYN before timing out the
+   connection attempt.
+
+.. zeek:id:: tcp_close_delay
+   :source-code: base/init-bare.zeek 1647 1647
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   Upon seeing a normal connection close, flush state after this much time.
+
+.. zeek:id:: tcp_connection_linger
+   :source-code: base/init-bare.zeek 1640 1640
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   When checking a closed connection for further activity, consider it
+   inactive if there hasn't been any for this long.  Complain if the
+   connection is reused before this much time has elapsed.
+
+.. zeek:id:: tcp_content_deliver_all_orig
+   :source-code: base/init-bare.zeek 1754 1754
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, all TCP originator-side traffic is reported via
+   :zeek:see:`tcp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
+      tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+      udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+      udp_content_deliver_all_resp tcp_contents
+
+.. zeek:id:: tcp_content_deliver_all_resp
+   :source-code: base/init-bare.zeek 1764 1764
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, all TCP responder-side traffic is reported via
+   :zeek:see:`tcp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_orig
+      tcp_content_delivery_ports_resp
+      tcp_content_deliver_all_orig udp_content_delivery_ports_orig
+      udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+      udp_content_deliver_all_resp tcp_contents
+
+.. zeek:id:: tcp_content_delivery_ports_orig
+   :source-code: base/init-bare.zeek 1736 1736
+
+   :Type: :zeek:type:`table` [:zeek:type:`port`] of :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Defines destination TCP ports for which the contents of the originator stream
+   should be delivered via :zeek:see:`tcp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
+      tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+      udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+      udp_content_deliver_all_resp  tcp_contents
+
+.. zeek:id:: tcp_content_delivery_ports_resp
+   :source-code: base/init-bare.zeek 1745 1745
+
+   :Type: :zeek:type:`table` [:zeek:type:`port`] of :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Defines destination TCP ports for which the contents of the responder stream
+   should be delivered via :zeek:see:`tcp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_orig tcp_content_deliver_all_orig
+      tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+      udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+      udp_content_deliver_all_resp tcp_contents
+
+.. zeek:id:: tcp_excessive_data_without_further_acks
+   :source-code: base/init-bare.zeek 1722 1722
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10485760``
+
+   If we've seen this much data without any of it being acked, we give up
+   on that connection to avoid memory exhaustion due to buffering all that
+   stuff.  If set to zero, then we don't ever give up.  Ideally, Zeek would
+   track the current window on a connection and use it to infer that data
+   has in fact gone too far, but for now we just make this quite beefy.
+   
+   .. zeek:see:: tcp_max_initial_window tcp_max_above_hole_without_any_acks
+
+.. zeek:id:: tcp_inactivity_timeout
+   :source-code: base/init-bare.zeek 1667 1667
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 mins``
+
+   If a TCP connection is inactive, time it out after this interval. If 0 secs,
+   then don't time it out.
+   
+   .. zeek:see:: udp_inactivity_timeout icmp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
+
+.. zeek:id:: tcp_match_undelivered
+   :source-code: base/init-bare.zeek 1628 1628
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, pass any undelivered to the signature engine before flushing the state.
+   If a connection state is removed, there may still be some data waiting in the
+   reassembler.
+
+.. zeek:id:: tcp_max_above_hole_without_any_acks
+   :source-code: base/init-bare.zeek 1713 1713
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``16384``
+
+   If we're not seeing our peer's ACKs, the maximum volume of data above a
+   sequence hole that we'll tolerate before assuming that there's been a packet
+   drop and we should give up on tracking a connection. If set to zero, then we
+   don't ever give up.
+   
+   .. zeek:see:: tcp_max_initial_window tcp_excessive_data_without_further_acks
+
+.. zeek:id:: tcp_max_initial_window
+   :source-code: base/init-bare.zeek 1705 1705
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``16384``
+
+   Maximum amount of data that might plausibly be sent in an initial flight
+   (prior to receiving any acks).  Used to determine whether we must not be
+   seeing our peer's ACKs.  Set to zero to turn off this determination.
+   
+   .. zeek:see:: tcp_max_above_hole_without_any_acks tcp_excessive_data_without_further_acks
+
+.. zeek:id:: tcp_max_old_segments
+   :source-code: base/init-bare.zeek 1727 1727
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   Number of TCP segments to buffer beyond what's been acknowledged already
+   to detect retransmission inconsistencies. Zero disables any additional
+   buffering.
+
+.. zeek:id:: tcp_partial_close_delay
+   :source-code: base/init-bare.zeek 1655 1655
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``3.0 secs``
+
+   Generate a :zeek:id:`connection_partial_close` event this much time after one
+   half of a partial connection closes, assuming there has been no subsequent
+   activity.
+
+.. zeek:id:: tcp_reset_delay
+   :source-code: base/init-bare.zeek 1650 1650
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   Upon seeing a RST, flush state after this much time.
+
+.. zeek:id:: tcp_session_timer
+   :source-code: base/init-bare.zeek 1635 1635
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``6.0 secs``
+
+   After a connection has closed, wait this long for further activity
+   before checking whether to time out its state.
+
+.. zeek:id:: tcp_storm_interarrival_thresh
+   :source-code: base/init-bare.zeek 1698 1698
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 sec``
+
+   FINs/RSTs must come with this much time or less between them to be
+   considered a "storm".
+   
+   .. zeek:see:: tcp_storm_thresh
+
+.. zeek:id:: tcp_storm_thresh
+   :source-code: base/init-bare.zeek 1692 1692
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   Number of FINs/RSTs in a row that constitute a "storm". Storms are reported
+   as ``weird`` via the notice framework, and they must also come within
+   intervals of at most :zeek:see:`tcp_storm_interarrival_thresh`.
+   
+   .. zeek:see:: tcp_storm_interarrival_thresh
+
+.. zeek:id:: truncate_http_URI
+   :source-code: base/init-bare.zeek 3209 3209
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``-1``
+
+   Maximum length of HTTP URIs passed to events. Longer ones will be truncated
+   to prevent over-long URIs (usually sent by worms) from slowing down event
+   processing.  A value of -1 means "do not truncate".
+   
+   .. zeek:see:: http_request
+
+.. zeek:id:: udp_content_deliver_all_orig
+   :source-code: base/init-bare.zeek 1813 1813
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, all UDP originator-side traffic is reported via
+   :zeek:see:`udp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_orig
+      tcp_content_delivery_ports_resp tcp_content_deliver_all_resp
+      tcp_content_delivery_ports_orig udp_content_delivery_ports_orig
+      udp_content_delivery_ports_resp  udp_content_deliver_all_resp
+      udp_contents
+      udp_content_delivery_ports_use_resp
+
+.. zeek:id:: udp_content_deliver_all_resp
+   :source-code: base/init-bare.zeek 1824 1824
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, all UDP responder-side traffic is reported via
+   :zeek:see:`udp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_orig
+      tcp_content_delivery_ports_resp tcp_content_deliver_all_resp
+      tcp_content_delivery_ports_orig udp_content_delivery_ports_orig
+      udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+      udp_contents
+      udp_content_delivery_ports_use_resp
+
+.. zeek:id:: udp_content_delivery_ports_orig
+   :source-code: base/init-bare.zeek 1775 1775
+
+   :Type: :zeek:type:`table` [:zeek:type:`port`] of :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Defines UDP destination ports for which the contents of the originator stream
+   should be delivered via :zeek:see:`udp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_orig
+      tcp_content_delivery_ports_resp
+      tcp_content_deliver_all_orig tcp_content_deliver_all_resp
+      udp_content_delivery_ports_resp  udp_content_deliver_all_orig
+      udp_content_deliver_all_resp  udp_contents
+      udp_content_delivery_ports_use_resp udp_content_ports
+
+.. zeek:id:: udp_content_delivery_ports_resp
+   :source-code: base/init-bare.zeek 1785 1785
+
+   :Type: :zeek:type:`table` [:zeek:type:`port`] of :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Defines UDP destination ports for which the contents of the responder stream
+   should be delivered via :zeek:see:`udp_contents`.
+   
+   .. zeek:see:: tcp_content_delivery_ports_orig
+      tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
+      tcp_content_deliver_all_resp udp_content_delivery_ports_orig
+      udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents
+      udp_content_delivery_ports_use_resp udp_content_ports
+
+.. zeek:id:: udp_inactivity_timeout
+   :source-code: base/init-bare.zeek 1673 1673
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min``
+
+   If a UDP flow is inactive, time it out after this interval. If 0 secs, then
+   don't time it out.
+   
+   .. zeek:see:: tcp_inactivity_timeout icmp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
+
+.. zeek:id:: unknown_ip_inactivity_timeout
+   :source-code: base/init-bare.zeek 1685 1685
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min``
+
+   If a flow with an unknown IP-based protocol is inactive, time it out after
+   this interval. If 0 secs, then don't time it out.
+   
+   .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+
+.. zeek:id:: use_conn_size_analyzer
+   :source-code: base/init-bare.zeek 1856 1856
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether to use the ``ConnSize`` analyzer to count the number of packets and
+   IP-level bytes transferred by each endpoint. If true, these values are
+   returned in the connection's :zeek:see:`endpoint` record value.
+
+.. zeek:id:: watchdog_interval
+   :source-code: base/init-bare.zeek 2641 2641
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 secs``
+
+   Zeek's watchdog interval.
+
+Constants
+#########
+.. zeek:id:: CONTENTS_BOTH
+   :source-code: base/init-bare.zeek 1869 1869
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+   Record both originator and responder contents.
+
+.. zeek:id:: CONTENTS_NONE
+   :source-code: base/init-bare.zeek 1866 1866
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+   Turn off recording of contents.
+
+.. zeek:id:: CONTENTS_ORIG
+   :source-code: base/init-bare.zeek 1867 1867
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   Record originator contents.
+
+.. zeek:id:: CONTENTS_RESP
+   :source-code: base/init-bare.zeek 1868 1868
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   Record responder contents.
+
+.. zeek:id:: DNS_ADDL
+   :source-code: base/init-bare.zeek 3122 3122
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+   An additional record.
+
+.. zeek:id:: DNS_ANS
+   :source-code: base/init-bare.zeek 3120 3120
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   An answer record.
+
+.. zeek:id:: DNS_AUTH
+   :source-code: base/init-bare.zeek 3121 3121
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   An authoritative record.
+
+.. zeek:id:: DNS_QUERY
+   :source-code: base/init-bare.zeek 3119 3119
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+   A query. This shouldn't occur, just for completeness.
+
+.. zeek:id:: ENDIAN_BIG
+   :source-code: base/init-bare.zeek 1861 1861
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   Big endian.
+
+.. zeek:id:: ENDIAN_CONFUSED
+   :source-code: base/init-bare.zeek 1862 1862
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+   Tried to determine endian, but failed.
+
+.. zeek:id:: ENDIAN_LITTLE
+   :source-code: base/init-bare.zeek 1860 1860
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   Little endian.
+
+.. zeek:id:: ENDIAN_UNKNOWN
+   :source-code: base/init-bare.zeek 1859 1859
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+   Endian not yet determined.
+
+.. zeek:id:: ICMP_UNREACH_ADMIN_PROHIB
+   :source-code: base/init-bare.zeek 1880 1880
+
+   :Type: :zeek:type:`count`
+   :Default: ``13``
+
+   Administratively prohibited.
+
+.. zeek:id:: ICMP_UNREACH_HOST
+   :source-code: base/init-bare.zeek 1876 1876
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   Host unreachable.
+
+.. zeek:id:: ICMP_UNREACH_NEEDFRAG
+   :source-code: base/init-bare.zeek 1879 1879
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+   Fragment needed.
+
+.. zeek:id:: ICMP_UNREACH_NET
+   :source-code: base/init-bare.zeek 1875 1875
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+   Network unreachable.
+
+.. zeek:id:: ICMP_UNREACH_PORT
+   :source-code: base/init-bare.zeek 1878 1878
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+   Port unreachable.
+
+.. zeek:id:: ICMP_UNREACH_PROTOCOL
+   :source-code: base/init-bare.zeek 1877 1877
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   Protocol unreachable.
+
+.. zeek:id:: IPPROTO_AH
+   :source-code: base/init-bare.zeek 1900 1900
+
+   :Type: :zeek:type:`count`
+   :Default: ``51``
+
+   IPv6 authentication header.
+
+.. zeek:id:: IPPROTO_DSTOPTS
+   :source-code: base/init-bare.zeek 1902 1902
+
+   :Type: :zeek:type:`count`
+   :Default: ``60``
+
+   IPv6 destination options header.
+
+.. zeek:id:: IPPROTO_ESP
+   :source-code: base/init-bare.zeek 1899 1899
+
+   :Type: :zeek:type:`count`
+   :Default: ``50``
+
+   IPv6 encapsulating security payload header.
+
+.. zeek:id:: IPPROTO_FRAGMENT
+   :source-code: base/init-bare.zeek 1898 1898
+
+   :Type: :zeek:type:`count`
+   :Default: ``44``
+
+   IPv6 fragment header.
+
+.. zeek:id:: IPPROTO_HOPOPTS
+   :source-code: base/init-bare.zeek 1896 1896
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+   IPv6 hop-by-hop-options header.
+
+.. zeek:id:: IPPROTO_ICMP
+   :source-code: base/init-bare.zeek 1886 1886
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   Control message protocol.
+
+.. zeek:id:: IPPROTO_ICMPV6
+   :source-code: base/init-bare.zeek 1892 1892
+
+   :Type: :zeek:type:`count`
+   :Default: ``58``
+
+   ICMP for IPv6.
+
+.. zeek:id:: IPPROTO_IGMP
+   :source-code: base/init-bare.zeek 1887 1887
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   Group management protocol.
+
+.. zeek:id:: IPPROTO_IP
+   :source-code: base/init-bare.zeek 1885 1885
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+   Dummy for IP.
+
+.. zeek:id:: IPPROTO_IPIP
+   :source-code: base/init-bare.zeek 1888 1888
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+   IP encapsulation in IP.
+
+.. zeek:id:: IPPROTO_IPV6
+   :source-code: base/init-bare.zeek 1891 1891
+
+   :Type: :zeek:type:`count`
+   :Default: ``41``
+
+   IPv6 header.
+
+.. zeek:id:: IPPROTO_MOBILITY
+   :source-code: base/init-bare.zeek 1903 1903
+
+   :Type: :zeek:type:`count`
+   :Default: ``135``
+
+   IPv6 mobility header.
+
+.. zeek:id:: IPPROTO_NONE
+   :source-code: base/init-bare.zeek 1901 1901
+
+   :Type: :zeek:type:`count`
+   :Default: ``59``
+
+   IPv6 no next header.
+
+.. zeek:id:: IPPROTO_RAW
+   :source-code: base/init-bare.zeek 1893 1893
+
+   :Type: :zeek:type:`count`
+   :Default: ``255``
+
+   Raw IP packet.
+
+.. zeek:id:: IPPROTO_ROUTING
+   :source-code: base/init-bare.zeek 1897 1897
+
+   :Type: :zeek:type:`count`
+   :Default: ``43``
+
+   IPv6 routing header.
+
+.. zeek:id:: IPPROTO_TCP
+   :source-code: base/init-bare.zeek 1889 1889
+
+   :Type: :zeek:type:`count`
+   :Default: ``6``
+
+   TCP.
+
+.. zeek:id:: IPPROTO_UDP
+   :source-code: base/init-bare.zeek 1890 1890
+
+   :Type: :zeek:type:`count`
+   :Default: ``17``
+
+   User datagram protocol.
+
+.. zeek:id:: LOGIN_STATE_AUTHENTICATE
+   :source-code: base/init-bare.zeek 2654 2654
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+
+.. zeek:id:: LOGIN_STATE_CONFUSED
+   :source-code: base/init-bare.zeek 2657 2657
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+
+.. zeek:id:: LOGIN_STATE_LOGGED_IN
+   :source-code: base/init-bare.zeek 2655 2655
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+
+.. zeek:id:: LOGIN_STATE_SKIP
+   :source-code: base/init-bare.zeek 2656 2656
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: RPC_status
+   :source-code: base/init-bare.zeek 2803 2803
+
+   :Type: :zeek:type:`table` [:zeek:type:`rpc_status`] of :zeek:type:`string`
+   :Default:
+
+      ::
+
+         {
+            [RPC_PROG_MISMATCH] = "mismatch",
+            [RPC_AUTH_ERROR] = "auth error",
+            [RPC_SYSTEM_ERR] = "system err",
+            [RPC_PROC_UNAVAIL] = "proc unavail",
+            [RPC_SUCCESS] = "ok",
+            [RPC_UNKNOWN_ERROR] = "unknown",
+            [RPC_TIMEOUT] = "timeout",
+            [RPC_GARBAGE_ARGS] = "garbage args",
+            [RPC_PROG_UNAVAIL] = "prog unavail"
+         }
+
+
+   Mapping of numerical RPC status codes to readable messages.
+   
+   .. zeek:see:: pm_attempt_callit pm_attempt_dump pm_attempt_getport
+      pm_attempt_null pm_attempt_set pm_attempt_unset rpc_dialogue rpc_reply
+
+.. zeek:id:: SNMP::OBJ_COUNTER32_TAG
+   :source-code: base/init-bare.zeek 5354 5354
+
+   :Type: :zeek:type:`count`
+   :Default: ``65``
+
+   Unsigned 32-bit integer.
+
+.. zeek:id:: SNMP::OBJ_COUNTER64_TAG
+   :source-code: base/init-bare.zeek 5358 5358
+
+   :Type: :zeek:type:`count`
+   :Default: ``70``
+
+   Unsigned 64-bit integer.
+
+.. zeek:id:: SNMP::OBJ_ENDOFMIBVIEW_TAG
+   :source-code: base/init-bare.zeek 5361 5361
+
+   :Type: :zeek:type:`count`
+   :Default: ``130``
+
+   A NULL value.
+
+.. zeek:id:: SNMP::OBJ_INTEGER_TAG
+   :source-code: base/init-bare.zeek 5349 5349
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   Signed 64-bit integer.
+
+.. zeek:id:: SNMP::OBJ_IPADDRESS_TAG
+   :source-code: base/init-bare.zeek 5353 5353
+
+   :Type: :zeek:type:`count`
+   :Default: ``64``
+
+   An IP address.
+
+.. zeek:id:: SNMP::OBJ_NOSUCHINSTANCE_TAG
+   :source-code: base/init-bare.zeek 5360 5360
+
+   :Type: :zeek:type:`count`
+   :Default: ``129``
+
+   A NULL value.
+
+.. zeek:id:: SNMP::OBJ_NOSUCHOBJECT_TAG
+   :source-code: base/init-bare.zeek 5359 5359
+
+   :Type: :zeek:type:`count`
+   :Default: ``128``
+
+   A NULL value.
+
+.. zeek:id:: SNMP::OBJ_OCTETSTRING_TAG
+   :source-code: base/init-bare.zeek 5350 5350
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+   An octet string.
+
+.. zeek:id:: SNMP::OBJ_OID_TAG
+   :source-code: base/init-bare.zeek 5352 5352
+
+   :Type: :zeek:type:`count`
+   :Default: ``6``
+
+   An Object Identifier.
+
+.. zeek:id:: SNMP::OBJ_OPAQUE_TAG
+   :source-code: base/init-bare.zeek 5357 5357
+
+   :Type: :zeek:type:`count`
+   :Default: ``68``
+
+   An octet string.
+
+.. zeek:id:: SNMP::OBJ_TIMETICKS_TAG
+   :source-code: base/init-bare.zeek 5356 5356
+
+   :Type: :zeek:type:`count`
+   :Default: ``67``
+
+   Unsigned 32-bit integer.
+
+.. zeek:id:: SNMP::OBJ_UNSIGNED32_TAG
+   :source-code: base/init-bare.zeek 5355 5355
+
+   :Type: :zeek:type:`count`
+   :Default: ``66``
+
+   Unsigned 32-bit integer.
+
+.. zeek:id:: SNMP::OBJ_UNSPECIFIED_TAG
+   :source-code: base/init-bare.zeek 5351 5351
+
+   :Type: :zeek:type:`count`
+   :Default: ``5``
+
+   A NULL value.
+
+.. zeek:id:: TCP_CLOSED
+   :source-code: base/init-bare.zeek 1589 1589
+
+   :Type: :zeek:type:`count`
+   :Default: ``5``
+
+   Endpoint has closed connection.
+
+.. zeek:id:: TCP_ESTABLISHED
+   :source-code: base/init-bare.zeek 1588 1588
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+   Endpoint has finished initial handshake regularly.
+
+.. zeek:id:: TCP_INACTIVE
+   :source-code: base/init-bare.zeek 1584 1584
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+   Error string if unsuccessful.
+   Endpoint is still inactive.
+
+.. zeek:id:: TCP_PARTIAL
+   :source-code: base/init-bare.zeek 1587 1587
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+   Endpoint has sent data but no initial SYN.
+
+.. zeek:id:: TCP_RESET
+   :source-code: base/init-bare.zeek 1590 1590
+
+   :Type: :zeek:type:`count`
+   :Default: ``6``
+
+   Endpoint has sent RST.
+
+.. zeek:id:: TCP_SYN_ACK_SENT
+   :source-code: base/init-bare.zeek 1586 1586
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   Endpoint has sent SYN/ACK.
+
+.. zeek:id:: TCP_SYN_SENT
+   :source-code: base/init-bare.zeek 1585 1585
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   Endpoint has sent SYN.
+
+.. zeek:id:: TH_ACK
+   :source-code: base/init-bare.zeek 2231 2231
+
+   :Type: :zeek:type:`count`
+   :Default: ``16``
+
+   ACK.
+
+.. zeek:id:: TH_FIN
+   :source-code: base/init-bare.zeek 2227 2227
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   FIN.
+
+.. zeek:id:: TH_FLAGS
+   :source-code: base/init-bare.zeek 2233 2233
+
+   :Type: :zeek:type:`count`
+   :Default: ``63``
+
+   Mask combining all flags.
+
+.. zeek:id:: TH_PUSH
+   :source-code: base/init-bare.zeek 2230 2230
+
+   :Type: :zeek:type:`count`
+   :Default: ``8``
+
+   PUSH.
+
+.. zeek:id:: TH_RST
+   :source-code: base/init-bare.zeek 2229 2229
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+   RST.
+
+.. zeek:id:: TH_SYN
+   :source-code: base/init-bare.zeek 2228 2228
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+   SYN.
+
+.. zeek:id:: TH_URG
+   :source-code: base/init-bare.zeek 2232 2232
+
+   :Type: :zeek:type:`count`
+   :Default: ``32``
+
+   URG.
+
+.. zeek:id:: UDP_ACTIVE
+   :source-code: base/init-bare.zeek 1595 1595
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   Endpoint has sent something.
+
+.. zeek:id:: UDP_INACTIVE
+   :source-code: base/init-bare.zeek 1594 1594
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+   Endpoint is still inactive.
+
+.. zeek:id:: trace_output_file
+   :source-code: base/init-bare.zeek 528 528
+
+   :Type: :zeek:type:`string`
+   :Default: ``""``
+
+   Holds the filename of the trace file given with ``-w`` (empty if none).
+   
+   .. zeek:see:: record_all_packets
+
+.. zeek:id:: zeek_script_args
+   :source-code: base/init-bare.zeek 408 408
+
+   :Type: :zeek:type:`vector` of :zeek:type:`string`
+   :Default:
+
+      ::
+
+         []
+
+
+   Arguments given to Zeek from the command line. In order to use this, Zeek
+   must use a ``--`` command line argument immediately followed by a script
+   file and additional arguments after that. For example::
+   
+     zeek --bare-mode -- myscript.zeek -a -b -c
+   
+   To use Zeek as an executable interpreter, include a line at the top of a script
+   like the following and make the script executable::
+   
+     #!/usr/local/zeek/bin/zeek --
+
+State Variables
+###############
+.. zeek:id:: capture_filters
+   :source-code: base/init-bare.zeek 1405 1405
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Set of BPF capture filters to use for capturing, indexed by a user-definable
+   ID (which must be unique). If Zeek is *not* configured with
+   :zeek:id:`PacketFilter::enable_auto_protocol_capture_filters`,
+   all packets matching at least one of the filters in this table (and all in
+   :zeek:id:`restrict_filters`) will be analyzed.
+   
+   .. zeek:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters
+      PacketFilter::unrestricted_filter restrict_filters
+
+.. zeek:id:: direct_login_prompts
+   :source-code: base/init-bare.zeek 2714 2714
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   TODO.
+
+.. zeek:id:: discarder_maxlen
+   :source-code: base/init-bare.zeek 2570 2570
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``128``
+
+   Maximum length of payload passed to discarder functions.
+   
+   .. zeek:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp
+      discarder_check_ip
+
+.. zeek:id:: dns_max_queries
+   :source-code: base/init-bare.zeek 3163 3163
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``25``
+
+   If a DNS request includes more than this many queries, assume it's non-DNS
+   traffic and do not process it.  Set to 0 to turn off this functionality.
+
+.. zeek:id:: dns_skip_addl
+   :source-code: base/init-bare.zeek 3149 3149
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   For DNS servers in these sets, omit processing the ADDL records they include
+   in their replies.
+   
+   .. zeek:see:: dns_skip_all_addl dns_skip_auth
+
+.. zeek:id:: dns_skip_all_addl
+   :source-code: base/init-bare.zeek 3159 3159
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+   :Redefinition: from :doc:`/scripts/policy/protocols/dns/auth-addl.zeek`
+
+      ``=``::
+
+         F
+
+
+   If true, all DNS ADDL records are skipped.
+   
+   .. zeek:see:: dns_skip_all_auth dns_skip_addl
+
+.. zeek:id:: dns_skip_all_auth
+   :source-code: base/init-bare.zeek 3154 3154
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+   :Redefinition: from :doc:`/scripts/policy/protocols/dns/auth-addl.zeek`
+
+      ``=``::
+
+         F
+
+
+   If true, all DNS AUTH records are skipped.
+   
+   .. zeek:see:: dns_skip_all_addl dns_skip_auth
+
+.. zeek:id:: dns_skip_auth
+   :source-code: base/init-bare.zeek 3143 3143
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   For DNS servers in these sets, omit processing the AUTH records they include
+   in their replies.
+   
+   .. zeek:see:: dns_skip_all_auth dns_skip_addl
+
+.. zeek:id:: done_with_network
+   :source-code: base/init-bare.zeek 6470 6470
+
+   :Type: :zeek:type:`bool`
+   :Default: ``F``
+
+
+.. zeek:id:: http_entity_data_delivery_size
+   :source-code: base/init-bare.zeek 3196 3196
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1500``
+
+   Maximum number of HTTP entity data delivered to events.
+   
+   .. zeek:see:: http_entity_data skip_http_entity_data skip_http_data
+
+.. zeek:id:: interfaces
+   :source-code: base/init-bare.zeek 2543 2543
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&add_func` = :zeek:see:`add_interface` :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Network interfaces to listen on. Use ``redef interfaces += "eth0"`` to
+   extend.
+
+.. zeek:id:: login_failure_msgs
+   :source-code: base/init-bare.zeek 2723 2723
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   TODO.
+
+.. zeek:id:: login_non_failure_msgs
+   :source-code: base/init-bare.zeek 2720 2720
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   TODO.
+
+.. zeek:id:: login_prompts
+   :source-code: base/init-bare.zeek 2717 2717
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   TODO.
+
+.. zeek:id:: login_success_msgs
+   :source-code: base/init-bare.zeek 2726 2726
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   TODO.
+
+.. zeek:id:: login_timeouts
+   :source-code: base/init-bare.zeek 2729 2729
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   TODO.
+
+.. zeek:id:: mime_segment_length
+   :source-code: base/init-bare.zeek 2749 2749
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1024``
+
+   The length of MIME data segments delivered to handlers of
+   :zeek:see:`mime_segment_data`.
+   
+   .. zeek:see:: mime_segment_data mime_segment_overlap_length
+
+.. zeek:id:: mime_segment_overlap_length
+   :source-code: base/init-bare.zeek 2753 2753
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   The number of bytes of overlap between successive segments passed to
+   :zeek:see:`mime_segment_data`.
+
+.. zeek:id:: pkt_profile_file
+   :source-code: base/init-bare.zeek 2856 2856
+
+   :Type: :zeek:type:`file`
+   :Attributes: :zeek:attr:`&redef`
+
+   File where packet profiles are logged.
+   
+   .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode
+
+.. zeek:id:: profiling_file
+   :source-code: base/init-bare.zeek 2819 2819
+
+   :Type: :zeek:type:`file`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         file "prof.log" of string
+
+   :Redefinition: from :doc:`/scripts/policy/misc/profiling.zeek`
+
+      ``=``::
+
+         open(fmt(prof.%s, Profiling::log_suffix()))
+
+
+   Write profiling info into this file in regular intervals. The easiest way to
+   activate profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`.
+   
+   .. zeek:see:: profiling_interval expensive_profiling_multiple
+
+.. zeek:id:: restrict_filters
+   :source-code: base/init-bare.zeek 1412 1412
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Set of BPF filters to restrict capturing, indexed by a user-definable ID
+   (which must be unique).
+   
+   .. zeek:see:: PacketFilter PacketFilter::enable_auto_protocol_capture_filters
+      PacketFilter::unrestricted_filter capture_filters
+
+.. zeek:id:: secondary_filters
+   :source-code: base/init-bare.zeek 2563 2563
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`event` (filter: :zeek:type:`string`, pkt: :zeek:type:`pkt_hdr`)
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Definition of "secondary filters". A secondary filter is a BPF filter given
+   as index in this table. For each such filter, the corresponding event is
+   raised for all matching packets.
+
+.. zeek:id:: signature_files
+   :source-code: base/init-bare.zeek 2558 2558
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&add_func` = :zeek:see:`add_signature_file` :zeek:attr:`&redef`
+   :Default: ``""``
+
+   Signature files to read. Use ``redef signature_files  += "foo.sig"`` to
+   extend. Signature files added this way will be searched relative to
+   ``ZEEKPATH``.  Using the ``@load-sigs`` directive instead is preferred
+   since that can search paths relative to the current script.
+
+.. zeek:id:: skip_authentication
+   :source-code: base/init-bare.zeek 2711 2711
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   TODO.
+
+Types
+#####
+.. zeek:type:: Analyzer::disabling_analyzer
+   :source-code: policy/frameworks/analyzer/debug-logging.zeek 192 207
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`connection`, atype: :zeek:type:`AllAnalyzers::Tag`, aid: :zeek:type:`count`) : :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+
+   A hook taking a connection, analyzer tag and analyzer id that can be
+   used to veto disabling protocol analyzers. Specifically, an analyzer
+   can be prevented from being disabled by using a :zeek:see:`break`
+   statement within the hook.
+   This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call.
+   
+   Scripts implementing this hook should have other logic that will eventually
+   disable the analyzer for the given connection. That is, if a script vetoes
+   disabling an analyzer, it takes responsibility for a later call to
+   :zeek:see:`disable_analyzer`, which may be never.
+   
+
+   :param c: The connection
+   
+
+   :param atype: The type / tag of the analyzer being disabled.
+   
+
+   :param aid: The analyzer ID.
+
+.. zeek:type:: AnalyzerConfirmationInfo
+   :source-code: base/init-bare.zeek 993 1007
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: c :zeek:type:`connection` :zeek:attr:`&optional`
+
+      The connection related to this confirmation, if any.
+      This field may be set if there's any connection related information
+      available for this confirmation. For protocol analyzers it is guaranteed
+      to be set, but may also be added by file analyzers as additional
+      contextual information.
+
+
+   .. zeek:field:: f :zeek:type:`fa_file` :zeek:attr:`&optional`
+
+      The file object related to this confirmation, if any.
+
+
+   .. zeek:field:: aid :zeek:type:`count` :zeek:attr:`&optional`
+
+      Specific analyzer instance that can be used to reference the analyzer
+      when using builtin functions like :zeek:id:`disable_analyzer`.
+
+
+   Generic analyzer confirmation info record.
+   
+   .. zeek:see:: analyzer_confirmation_info
+
+.. zeek:type:: AnalyzerViolationInfo
+   :source-code: base/init-bare.zeek 1012 1032
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: reason :zeek:type:`string`
+
+      The reason for the violation - should be user readable.
+
+
+   .. zeek:field:: c :zeek:type:`connection` :zeek:attr:`&optional`
+
+      The connection related to this violation, if any.
+      This field may be set if there's any connection related information
+      available for this violation. For protocol analyzers it is guaranteed
+      to be set, but may also be added by file analyzers as additional
+      contextual information.
+
+
+   .. zeek:field:: f :zeek:type:`fa_file` :zeek:attr:`&optional`
+
+      The file object related to this violation, if any.
+
+
+   .. zeek:field:: aid :zeek:type:`count` :zeek:attr:`&optional`
+
+      Specific analyzer instance that can be used to reference the analyzer
+      when using builtin functions like :zeek:id:`disable_analyzer`.
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      Piece of binary data that was parsed and caused the violation.
+
+
+   Generic analyzer violation info record.
+   
+   .. zeek:see:: analyzer_violation_info
+
+.. zeek:type:: Backtrace
+   :source-code: base/init-bare.zeek 1350 1350
+
+   :Type: :zeek:type:`vector` of :zeek:type:`BacktraceElement`
+
+   A representation of a Zeek script's call stack.
+   
+   .. zeek:see:: backtrace print_backtrace
+
+.. zeek:type:: BacktraceElement
+   :source-code: base/init-bare.zeek 1336 1345
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: function_name :zeek:type:`string`
+
+      The name of the function being called at this point in the call stack.
+
+
+   .. zeek:field:: function_args :zeek:type:`call_argument_vector`
+
+      The arguments passed to the function being called.
+
+
+   .. zeek:field:: file_location :zeek:type:`string` :zeek:attr:`&optional`
+
+      The file in which the function call is being made.
+
+
+   .. zeek:field:: line_location :zeek:type:`count` :zeek:attr:`&optional`
+
+      The line number at which the function call is being made.
+
+
+   A representation of an element in a Zeek script's call stack.
+   
+   .. zeek:see:: backtrace print_backtrace
+
+.. zeek:type:: BrokerPeeringStats
+   :source-code: base/init-bare.zeek 1225 1233
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: num_queued :zeek:type:`count`
+
+      The number of messages currently queued locally for transmission.
+
+
+   .. zeek:field:: max_queued_recently :zeek:type:`count`
+
+      The maximum number of messages queued in the recent
+      :zeek:see:`Broker::buffer_stats_reset_interval` time interval.
+
+
+   .. zeek:field:: num_overflows :zeek:type:`count`
+
+      The number of times the send buffer has overflowed.
+
+
+   Broker statistics for an individual peering.
+   
+
+.. zeek:type:: BrokerPeeringStatsTable
+   :source-code: base/init-bare.zeek 1235 1235
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`BrokerPeeringStats`
+
+
+.. zeek:type:: BrokerStats
+   :source-code: base/init-bare.zeek 1203 1221
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: num_peers :zeek:type:`count`
+
+
+   .. zeek:field:: num_stores :zeek:type:`count`
+
+      Number of active data stores.
+
+
+   .. zeek:field:: num_pending_queries :zeek:type:`count`
+
+      Number of pending data store queries.
+
+
+   .. zeek:field:: num_events_incoming :zeek:type:`count`
+
+      Number of total log messages received.
+
+
+   .. zeek:field:: num_events_outgoing :zeek:type:`count`
+
+      Number of total log messages sent.
+
+
+   .. zeek:field:: num_logs_incoming :zeek:type:`count`
+
+      Number of total log records received.
+
+
+   .. zeek:field:: num_logs_outgoing :zeek:type:`count`
+
+      Number of total log records sent.
+
+
+   .. zeek:field:: num_ids_incoming :zeek:type:`count`
+
+      Number of total identifiers received.
+
+
+   .. zeek:field:: num_ids_outgoing :zeek:type:`count`
+
+      Number of total identifiers sent.
+
+
+   Statistics about Broker communication.
+   
+   .. zeek:see:: get_broker_stats
+
+.. zeek:type:: Cluster::Pool
+   :source-code: base/frameworks/cluster/pools.zeek 46 61
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: spec :zeek:type:`Cluster::PoolSpec`
+
+      (present if :doc:`/scripts/base/frameworks/cluster/pools.zeek` is loaded)
+
+      The specification of the pool that was used when registering it.
+
+
+   .. zeek:field:: nodes :zeek:type:`Cluster::PoolNodeTable` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/cluster/pools.zeek` is loaded)
+
+      Nodes in the pool, indexed by their name (e.g. "manager").
+
+
+   .. zeek:field:: node_list :zeek:type:`vector` of :zeek:type:`Cluster::PoolNode` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/cluster/pools.zeek` is loaded)
+
+      A list of nodes in the pool in a deterministic order.
+
+
+   .. zeek:field:: hrw_pool :zeek:type:`HashHRW::Pool` :zeek:attr:`&default` = ``[sites={  }]`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/cluster/pools.zeek` is loaded)
+
+      The Rendezvous hashing structure.
+
+
+   .. zeek:field:: rr_key_seq :zeek:type:`Cluster::RoundRobinTable` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/cluster/pools.zeek` is loaded)
+
+      Round-Robin table indexed by arbitrary key and storing the next
+      index of *node_list* that will be eligible to receive work (if it's
+      alive at the time of next request).
+
+
+   .. zeek:field:: alive_count :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/cluster/pools.zeek` is loaded)
+
+      Number of pool nodes that are currently alive.
+
+
+   A pool used for distributing data/work among a set of cluster nodes.
+
+.. zeek:type:: ConnStats
+   :source-code: base/init-bare.zeek 1075 1098
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: total_conns :zeek:type:`count`
+
+      
+
+
+   .. zeek:field:: current_conns :zeek:type:`count`
+
+      
+
+
+   .. zeek:field:: sess_current_conns :zeek:type:`count`
+
+      
+
+
+   .. zeek:field:: num_packets :zeek:type:`count`
+
+
+   .. zeek:field:: num_fragments :zeek:type:`count`
+
+
+   .. zeek:field:: max_fragments :zeek:type:`count`
+
+
+   .. zeek:field:: num_tcp_conns :zeek:type:`count`
+
+      Current number of TCP connections in memory.
+
+
+   .. zeek:field:: max_tcp_conns :zeek:type:`count`
+
+      Maximum number of concurrent TCP connections so far.
+
+
+   .. zeek:field:: cumulative_tcp_conns :zeek:type:`count`
+
+      Total number of TCP connections so far.
+
+
+   .. zeek:field:: num_udp_conns :zeek:type:`count`
+
+      Current number of UDP flows in memory.
+
+
+   .. zeek:field:: max_udp_conns :zeek:type:`count`
+
+      Maximum number of concurrent UDP flows so far.
+
+
+   .. zeek:field:: cumulative_udp_conns :zeek:type:`count`
+
+      Total number of UDP flows so far.
+
+
+   .. zeek:field:: num_icmp_conns :zeek:type:`count`
+
+      Current number of ICMP flows in memory.
+
+
+   .. zeek:field:: max_icmp_conns :zeek:type:`count`
+
+      Maximum number of concurrent ICMP flows so far.
+
+
+   .. zeek:field:: cumulative_icmp_conns :zeek:type:`count`
+
+      Total number of ICMP flows so far.
+
+
+   .. zeek:field:: num_packets_unprocessed :zeek:type:`count`
+
+      Total number of packets not processed by any analyzer.
+
+
+   .. zeek:field:: killed_by_inactivity :zeek:type:`count`
+
+
+
+.. zeek:type:: DHCP::Addrs
+   :source-code: base/init-bare.zeek 4752 4752
+
+   :Type: :zeek:type:`vector` of :zeek:type:`addr`
+
+   A list of addresses offered by a DHCP server.  Could be routers,
+   DNS servers, or other.
+   
+   .. zeek:see:: dhcp_message
+
+.. zeek:type:: DHCP::ClientFQDN
+   :source-code: base/init-bare.zeek 4783 4793
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      An unparsed bitfield of flags (refer to RFC 4702).
+
+
+   .. zeek:field:: rcode1 :zeek:type:`count`
+
+      This field is deprecated in the standard.
+
+
+   .. zeek:field:: rcode2 :zeek:type:`count`
+
+      This field is deprecated in the standard.
+
+
+   .. zeek:field:: domain_name :zeek:type:`string`
+
+      The Domain Name part of the option carries all or part of the FQDN
+      of a DHCP client.
+
+
+   DHCP Client FQDN Option information (Option 81)
+
+.. zeek:type:: DHCP::ClientID
+   :source-code: base/init-bare.zeek 4777 4780
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: hwtype :zeek:type:`count`
+
+
+   .. zeek:field:: hwaddr :zeek:type:`string`
+
+
+   DHCP Client Identifier (Option 61)
+   
+   .. zeek:see:: dhcp_message
+
+.. zeek:type:: DHCP::Msg
+   :source-code: base/init-bare.zeek 4757 4772
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: op :zeek:type:`count`
+
+      Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
+
+
+   .. zeek:field:: m_type :zeek:type:`count`
+
+      The type of DHCP message.
+
+
+   .. zeek:field:: xid :zeek:type:`count`
+
+      Transaction ID of a DHCP session.
+
+
+   .. zeek:field:: secs :zeek:type:`interval`
+
+      Number of seconds since client began address acquisition
+      or renewal process
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+
+   .. zeek:field:: ciaddr :zeek:type:`addr`
+
+      Original IP address of the client.
+
+
+   .. zeek:field:: yiaddr :zeek:type:`addr`
+
+      IP address assigned to the client.
+
+
+   .. zeek:field:: siaddr :zeek:type:`addr`
+
+      IP address of the server.
+
+
+   .. zeek:field:: giaddr :zeek:type:`addr`
+
+      IP address of the relaying gateway.
+
+
+   .. zeek:field:: chaddr :zeek:type:`string`
+
+      Client hardware address.
+
+
+   .. zeek:field:: sname :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Server host name.
+
+
+   .. zeek:field:: file_n :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Boot file name.
+
+
+   A DHCP message.
+   
+   .. zeek:see:: dhcp_message
+
+.. zeek:type:: DHCP::Options
+   :source-code: base/init-bare.zeek 4805 4903
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: options :zeek:type:`index_vec` :zeek:attr:`&optional`
+
+      The ordered list of all DHCP option numbers.
+
+
+   .. zeek:field:: subnet_mask :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Subnet Mask Value (option 1)
+
+
+   .. zeek:field:: routers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      Router addresses (option 3)
+
+
+   .. zeek:field:: dns_servers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      DNS Server addresses (option 6)
+
+
+   .. zeek:field:: host_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The Hostname of the client (option 12)
+
+
+   .. zeek:field:: domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The DNS domain name of the client (option 15)
+
+
+   .. zeek:field:: forwarding :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Enable/Disable IP Forwarding (option 19)
+
+
+   .. zeek:field:: broadcast :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Broadcast Address (option 28)
+
+
+   .. zeek:field:: vendor :zeek:type:`string` :zeek:attr:`&optional`
+
+      Vendor specific data. This can frequently
+      be unparsed binary data. (option 43)
+
+
+   .. zeek:field:: nbns :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      NETBIOS name server list (option 44)
+
+
+   .. zeek:field:: addr_request :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Address requested by the client (option 50)
+
+
+   .. zeek:field:: lease :zeek:type:`interval` :zeek:attr:`&optional`
+
+      Lease time offered by the server. (option 51)
+
+
+   .. zeek:field:: serv_addr :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Server address to allow clients to distinguish
+      between lease offers. (option 54)
+
+
+   .. zeek:field:: param_list :zeek:type:`index_vec` :zeek:attr:`&optional`
+
+      DHCP Parameter Request list (option 55)
+
+
+   .. zeek:field:: message :zeek:type:`string` :zeek:attr:`&optional`
+
+      Textual error message (option 56)
+
+
+   .. zeek:field:: max_msg_size :zeek:type:`count` :zeek:attr:`&optional`
+
+      Maximum Message Size (option 57)
+
+
+   .. zeek:field:: renewal_time :zeek:type:`interval` :zeek:attr:`&optional`
+
+      This option specifies the time interval from address
+      assignment until the client transitions to the
+      RENEWING state. (option 58)
+
+
+   .. zeek:field:: rebinding_time :zeek:type:`interval` :zeek:attr:`&optional`
+
+      This option specifies the time interval from address
+      assignment until the client transitions to the
+      REBINDING state. (option 59)
+
+
+   .. zeek:field:: vendor_class :zeek:type:`string` :zeek:attr:`&optional`
+
+      This option is used by DHCP clients to optionally
+      identify the vendor type and configuration of a DHCP
+      client. (option 60)
+
+
+   .. zeek:field:: client_id :zeek:type:`DHCP::ClientID` :zeek:attr:`&optional`
+
+      DHCP Client Identifier (Option 61)
+
+
+   .. zeek:field:: user_class :zeek:type:`string` :zeek:attr:`&optional`
+
+      User Class opaque value (Option 77)
+
+
+   .. zeek:field:: client_fqdn :zeek:type:`DHCP::ClientFQDN` :zeek:attr:`&optional`
+
+      DHCP Client FQDN (Option 81)
+
+
+   .. zeek:field:: sub_opt :zeek:type:`DHCP::SubOpts` :zeek:attr:`&optional`
+
+      DHCP Relay Agent Information Option (Option 82)
+
+
+   .. zeek:field:: auto_config :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Auto Config option to let host know if it's allowed to
+      auto assign an IP address. (Option 116)
+
+
+   .. zeek:field:: auto_proxy_config :zeek:type:`string` :zeek:attr:`&optional`
+
+      URL to find a proxy.pac for auto proxy config (Option 252)
+
+
+   .. zeek:field:: time_offset :zeek:type:`int` :zeek:attr:`&optional`
+
+      The offset of the client's subnet in seconds from UTC. (Option 2)
+
+
+   .. zeek:field:: time_servers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      A list of :rfc:`868` time servers available to the client.
+      (Option 4)
+
+
+   .. zeek:field:: name_servers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      A list of IEN 116 name servers available to the client. (Option 5)
+
+
+   .. zeek:field:: ntp_servers :zeek:type:`DHCP::Addrs` :zeek:attr:`&optional`
+
+      A list of IP addresses indicating NTP servers available to the
+      client. (Option 42)
+
+
+
+.. zeek:type:: DHCP::SubOpt
+   :source-code: base/init-bare.zeek 4798 4801
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: code :zeek:type:`count`
+
+
+   .. zeek:field:: value :zeek:type:`string`
+
+
+   DHCP Relay Agent Information Option (Option 82)
+   
+   .. zeek:see:: dhcp_message
+
+.. zeek:type:: DHCP::SubOpts
+   :source-code: base/init-bare.zeek 4803 4803
+
+   :Type: :zeek:type:`vector` of :zeek:type:`DHCP::SubOpt`
+
+
+.. zeek:type:: DNSStats
+   :source-code: base/init-bare.zeek 1172 1181
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: requests :zeek:type:`count`
+
+      Number of DNS requests made
+
+
+   .. zeek:field:: successful :zeek:type:`count`
+
+      Number of successful DNS replies.
+
+
+   .. zeek:field:: failed :zeek:type:`count`
+
+      Number of DNS reply failures.
+
+
+   .. zeek:field:: pending :zeek:type:`count`
+
+      Current pending queries.
+
+
+   .. zeek:field:: cached_hosts :zeek:type:`count`
+
+      Number of cached hosts.
+
+
+   .. zeek:field:: cached_addresses :zeek:type:`count`
+
+      Number of cached addresses.
+
+
+   .. zeek:field:: cached_texts :zeek:type:`count`
+
+      Number of cached text entries.
+
+
+   .. zeek:field:: cached_total :zeek:type:`count`
+
+      Total number of cached entries.
+
+
+   Statistics related to Zeek's active use of DNS.  These numbers are
+   about Zeek performing DNS queries on it's own, not traffic
+   being seen.
+   
+   .. zeek:see:: get_dns_stats
+
+.. zeek:type:: EncapsulatingConnVector
+   :source-code: base/init-bare.zeek 833 833
+
+   :Type: :zeek:type:`vector` of :zeek:type:`Tunnel::EncapsulatingConn`
+
+   A type alias for a vector of encapsulating "connections", i.e. for when
+   there are tunnels within tunnels.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: EventMetadata::Entry
+   :source-code: base/init-bare.zeek 617 620
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`EventMetadata::ID`
+
+      The registered :zeek:see:`EventMetadata::ID` value.
+
+
+   .. zeek:field:: val :zeek:type:`any`
+
+      The value. Its type matches what was passed to :zeek:see:`EventMetadata::register`.
+
+
+   A event metadata entry.
+
+.. zeek:type:: EventMetadata::ID
+   :source-code: base/init-bare.zeek 612 615
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: EventMetadata::NETWORK_TIMESTAMP EventMetadata::ID
+
+   Enum type for metadata identifiers.
+
+.. zeek:type:: EventNameCounter
+   :source-code: base/init-bare.zeek 1251 1256
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log`
+
+      Name of the zeek event.
+
+
+   .. zeek:field:: times_called :zeek:type:`count` :zeek:attr:`&log`
+
+      Times it was called, as counted by the event handlers.
+
+   :Attributes: :zeek:attr:`&log`
+
+   Statistics about how many times each event name is queued.
+   
+   .. zeek:see:: get_event_handler_stats
+
+.. zeek:type:: EventNameStats
+   :source-code: base/init-bare.zeek 1258 1258
+
+   :Type: :zeek:type:`vector` of :zeek:type:`EventNameCounter`
+
+
+.. zeek:type:: EventStats
+   :source-code: base/init-bare.zeek 1121 1124
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: queued :zeek:type:`count`
+
+      Total number of events queued so far.
+
+
+   .. zeek:field:: dispatched :zeek:type:`count`
+
+      Total number of events dispatched so far.
+
+
+
+.. zeek:type:: FileAnalysisStats
+   :source-code: base/init-bare.zeek 1161 1165
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: current :zeek:type:`count`
+
+      Current number of files being analyzed.
+
+
+   .. zeek:field:: max :zeek:type:`count`
+
+      Maximum number of concurrent files so far.
+
+
+   .. zeek:field:: cumulative :zeek:type:`count`
+
+      Cumulative number of files analyzed.
+
+
+   Statistics of file analysis.
+   
+   .. zeek:see:: get_file_analysis_stats
+
+.. zeek:type:: GapStats
+   :source-code: base/init-bare.zeek 1186 1191
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ack_events :zeek:type:`count`
+
+      How many ack events *could* have had gaps.
+
+
+   .. zeek:field:: ack_bytes :zeek:type:`count`
+
+      How many bytes those covered.
+
+
+   .. zeek:field:: gap_events :zeek:type:`count`
+
+      How many *did* have gaps.
+
+
+   .. zeek:field:: gap_bytes :zeek:type:`count`
+
+      How many bytes were missing in the gaps.
+
+
+   Statistics about number of gaps in TCP connections.
+   
+   .. zeek:see:: get_gap_stats
+
+.. zeek:type:: IPAddrAnonymization
+   :source-code: base/init-bare.zeek 1419 1426
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: KEEP_ORIG_ADDR IPAddrAnonymization
+
+      .. zeek:enum:: SEQUENTIALLY_NUMBERED IPAddrAnonymization
+
+      .. zeek:enum:: RANDOM_MD5 IPAddrAnonymization
+
+      .. zeek:enum:: PREFIX_PRESERVING_A50 IPAddrAnonymization
+
+      .. zeek:enum:: PREFIX_PRESERVING_MD5 IPAddrAnonymization
+
+   .. zeek:see:: anonymize_addr
+
+.. zeek:type:: IPAddrAnonymizationClass
+   :source-code: base/init-bare.zeek 1428 1433
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: ORIG_ADDR IPAddrAnonymizationClass
+
+      .. zeek:enum:: RESP_ADDR IPAddrAnonymizationClass
+
+      .. zeek:enum:: OTHER_ADDR IPAddrAnonymizationClass
+
+   .. zeek:see:: anonymize_addr
+
+.. zeek:type:: JSON::TimestampFormat
+   :source-code: base/init-bare.zeek 5602 5622
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: JSON::TS_EPOCH JSON::TimestampFormat
+
+         Timestamps will be formatted as UNIX epoch doubles.  This is
+         the format that Zeek typically writes out timestamps.
+
+      .. zeek:enum:: JSON::TS_MILLIS JSON::TimestampFormat
+
+         Timestamps will be formatted as signed integers that
+         represent the number of milliseconds since the UNIX
+         epoch. Timestamps before the UNIX epoch are represented
+         as negative values.
+
+      .. zeek:enum:: JSON::TS_MILLIS_UNSIGNED JSON::TimestampFormat
+
+         Timestamps will be formatted as unsigned integers that
+         represent the number of milliseconds since the UNIX
+         epoch. Timestamps before the UNIX epoch result in negative
+         values being interpreted as large unsigned integers.
+
+      .. zeek:enum:: JSON::TS_ISO8601 JSON::TimestampFormat
+
+         Timestamps will be formatted in the ISO8601 DateTime format.
+         Subseconds are also included which isn't actually part of the
+         standard but most consumers that parse ISO8601 seem to be able
+         to cope with that.
+
+
+.. zeek:type:: KRB::AP_Options
+   :source-code: base/init-bare.zeek 5443 5448
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: use_session_key :zeek:type:`bool`
+
+      Indicates that user-to-user-authentication is in use
+
+
+   .. zeek:field:: mutual_required :zeek:type:`bool`
+
+      Mutual authentication is required
+
+
+   AP Options. See :rfc:`4120`
+
+.. zeek:type:: KRB::Encrypted_Data
+   :source-code: base/init-bare.zeek 5461 5468
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: kvno :zeek:type:`count` :zeek:attr:`&optional`
+
+      The key version number
+
+
+   .. zeek:field:: cipher :zeek:type:`count`
+
+      The cipher the data was encrypted with
+
+
+   .. zeek:field:: ciphertext :zeek:type:`string`
+
+      The encrypted data
+
+
+
+.. zeek:type:: KRB::Error_Msg
+   :source-code: base/init-bare.zeek 5502 5525
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count` :zeek:attr:`&optional`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: msg_type :zeek:type:`count` :zeek:attr:`&optional`
+
+      The message type (30 for ERROR_MSG)
+
+
+   .. zeek:field:: client_time :zeek:type:`time` :zeek:attr:`&optional`
+
+      Current time on the client
+
+
+   .. zeek:field:: server_time :zeek:type:`time` :zeek:attr:`&optional`
+
+      Current time on the server
+
+
+   .. zeek:field:: error_code :zeek:type:`count`
+
+      The specific error code
+
+
+   .. zeek:field:: client_realm :zeek:type:`string` :zeek:attr:`&optional`
+
+      Realm of the ticket
+
+
+   .. zeek:field:: client_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name on the ticket
+
+
+   .. zeek:field:: service_realm :zeek:type:`string` :zeek:attr:`&optional`
+
+      Realm of the service
+
+
+   .. zeek:field:: service_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name of the service
+
+
+   .. zeek:field:: error_text :zeek:type:`string` :zeek:attr:`&optional`
+
+      Additional text to explain the error
+
+
+   .. zeek:field:: pa_data :zeek:type:`vector` of :zeek:type:`KRB::Type_Value` :zeek:attr:`&optional`
+
+      Optional pre-authentication data
+
+
+   The data from the ERROR_MSG message. See :rfc:`4120`.
+
+.. zeek:type:: KRB::Host_Address
+   :source-code: base/init-bare.zeek 5471 5478
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ip :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      IPv4 or IPv6 address
+
+
+   .. zeek:field:: netbios :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      NetBIOS address
+
+
+   .. zeek:field:: unknown :zeek:type:`KRB::Type_Value` :zeek:attr:`&optional`
+
+      Some other type that we don't support yet
+
+
+   A Kerberos host address See :rfc:`4120`.
+
+.. zeek:type:: KRB::Host_Address_Vector
+   :source-code: base/init-bare.zeek 5480 5480
+
+   :Type: :zeek:type:`vector` of :zeek:type:`KRB::Host_Address`
+
+
+.. zeek:type:: KRB::KDC_Options
+   :source-code: base/init-bare.zeek 5409 5440
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: forwardable :zeek:type:`bool`
+
+      The ticket to be issued should have its forwardable flag set.
+
+
+   .. zeek:field:: forwarded :zeek:type:`bool`
+
+      A (TGT) request for forwarding.
+
+
+   .. zeek:field:: proxiable :zeek:type:`bool`
+
+      The ticket to be issued should have its proxiable flag set.
+
+
+   .. zeek:field:: proxy :zeek:type:`bool`
+
+      A request for a proxy.
+
+
+   .. zeek:field:: allow_postdate :zeek:type:`bool`
+
+      The ticket to be issued should have its may-postdate flag set.
+
+
+   .. zeek:field:: postdated :zeek:type:`bool`
+
+      A request for a postdated ticket.
+
+
+   .. zeek:field:: renewable :zeek:type:`bool`
+
+      The ticket to be issued should have its renewable  flag set.
+
+
+   .. zeek:field:: opt_hardware_auth :zeek:type:`bool`
+
+      Reserved for opt_hardware_auth
+
+
+   .. zeek:field:: disable_transited_check :zeek:type:`bool`
+
+      Request that the KDC not check the transited field of a TGT against
+      the policy of the local realm before it will issue derivative tickets
+      based on the TGT.
+
+
+   .. zeek:field:: renewable_ok :zeek:type:`bool`
+
+      If a ticket with the requested lifetime cannot be issued, a renewable
+      ticket is acceptable
+
+
+   .. zeek:field:: enc_tkt_in_skey :zeek:type:`bool`
+
+      The ticket for the end server is to be encrypted in the session key
+      from the additional TGT provided
+
+
+   .. zeek:field:: renew :zeek:type:`bool`
+
+      The request is for a renewal
+
+
+   .. zeek:field:: validate :zeek:type:`bool`
+
+      The request is to validate a postdated ticket.
+
+
+   KDC Options. See :rfc:`4120`
+
+.. zeek:type:: KRB::KDC_Request
+   :source-code: base/init-bare.zeek 5546 5577
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: msg_type :zeek:type:`count`
+
+      The message type (10 for AS_REQ, 12 for TGS_REQ)
+
+
+   .. zeek:field:: pa_data :zeek:type:`vector` of :zeek:type:`KRB::Type_Value` :zeek:attr:`&optional`
+
+      Optional pre-authentication data
+
+
+   .. zeek:field:: kdc_options :zeek:type:`KRB::KDC_Options` :zeek:attr:`&optional`
+
+      Options specified in the request
+
+
+   .. zeek:field:: client_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name on the ticket
+
+
+   .. zeek:field:: service_realm :zeek:type:`string` :zeek:attr:`&optional`
+
+      Realm of the service
+
+
+   .. zeek:field:: service_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name of the service
+
+
+   .. zeek:field:: from :zeek:type:`time` :zeek:attr:`&optional`
+
+      Time the ticket is good from
+
+
+   .. zeek:field:: till :zeek:type:`time` :zeek:attr:`&optional`
+
+      Time the ticket is good till
+
+
+   .. zeek:field:: rtime :zeek:type:`time` :zeek:attr:`&optional`
+
+      The requested renew-till time
+
+
+   .. zeek:field:: nonce :zeek:type:`count` :zeek:attr:`&optional`
+
+      A random nonce generated by the client
+
+
+   .. zeek:field:: encryption_types :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&optional`
+
+      The desired encryption algorithms, in order of preference
+
+
+   .. zeek:field:: host_addrs :zeek:type:`vector` of :zeek:type:`KRB::Host_Address` :zeek:attr:`&optional`
+
+      Any additional addresses the ticket should be valid for
+
+
+   .. zeek:field:: additional_tickets :zeek:type:`vector` of :zeek:type:`KRB::Ticket` :zeek:attr:`&optional`
+
+      Additional tickets may be included for certain transactions
+
+
+   The data from the AS_REQ and TGS_REQ messages. See :rfc:`4120`.
+
+.. zeek:type:: KRB::KDC_Response
+   :source-code: base/init-bare.zeek 5580 5596
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: msg_type :zeek:type:`count`
+
+      The message type (11 for AS_REP, 13 for TGS_REP)
+
+
+   .. zeek:field:: pa_data :zeek:type:`vector` of :zeek:type:`KRB::Type_Value` :zeek:attr:`&optional`
+
+      Optional pre-authentication data
+
+
+   .. zeek:field:: client_realm :zeek:type:`string` :zeek:attr:`&optional`
+
+      Realm on the ticket
+
+
+   .. zeek:field:: client_name :zeek:type:`string`
+
+      Name on the service
+
+
+   .. zeek:field:: ticket :zeek:type:`KRB::Ticket`
+
+      The ticket that was issued
+
+
+   .. zeek:field:: enc_part :zeek:type:`KRB::Encrypted_Data`
+
+      The encrypted session key for the client
+
+
+   The data from the AS_REQ and TGS_REQ messages. See :rfc:`4120`.
+
+.. zeek:type:: KRB::SAFE_Msg
+   :source-code: base/init-bare.zeek 5483 5499
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: msg_type :zeek:type:`count`
+
+      The message type (20 for SAFE_MSG)
+
+
+   .. zeek:field:: data :zeek:type:`string`
+
+      The application-specific data that is being passed
+      from the sender to the receiver
+
+
+   .. zeek:field:: timestamp :zeek:type:`time` :zeek:attr:`&optional`
+
+      Current time from the sender of the message
+
+
+   .. zeek:field:: seq :zeek:type:`count` :zeek:attr:`&optional`
+
+      Sequence number used to detect replays
+
+
+   .. zeek:field:: sender :zeek:type:`KRB::Host_Address` :zeek:attr:`&optional`
+
+      Sender address
+
+
+   .. zeek:field:: recipient :zeek:type:`KRB::Host_Address` :zeek:attr:`&optional`
+
+      Recipient address
+
+
+   The data from the SAFE message. See :rfc:`4120`.
+
+.. zeek:type:: KRB::Ticket
+   :source-code: base/init-bare.zeek 5528 5541
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pvno :zeek:type:`count`
+
+      Protocol version number (5 for KRB5)
+
+
+   .. zeek:field:: realm :zeek:type:`string`
+
+      Realm
+
+
+   .. zeek:field:: service_name :zeek:type:`string`
+
+      Name of the service
+
+
+   .. zeek:field:: cipher :zeek:type:`count`
+
+      Cipher the ticket was encrypted with
+
+
+   .. zeek:field:: ciphertext :zeek:type:`string` :zeek:attr:`&optional`
+
+      Cipher text of the ticket
+
+
+   .. zeek:field:: authenticationinfo :zeek:type:`string` :zeek:attr:`&optional`
+
+      Authentication info
+
+
+   A Kerberos ticket. See :rfc:`4120`.
+
+.. zeek:type:: KRB::Ticket_Vector
+   :source-code: base/init-bare.zeek 5543 5543
+
+   :Type: :zeek:type:`vector` of :zeek:type:`KRB::Ticket`
+
+
+.. zeek:type:: KRB::Type_Value
+   :source-code: base/init-bare.zeek 5452 5457
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: data_type :zeek:type:`count`
+
+      The data type
+
+
+   .. zeek:field:: val :zeek:type:`string`
+
+      The data value
+
+
+   Used in a few places in the Kerberos analyzer for elements
+   that have a type and a string value.
+
+.. zeek:type:: KRB::Type_Value_Vector
+   :source-code: base/init-bare.zeek 5459 5459
+
+   :Type: :zeek:type:`vector` of :zeek:type:`KRB::Type_Value`
+
+
+.. zeek:type:: MOUNT3::dirmntargs_t
+   :source-code: base/init-bare.zeek 3716 3718
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dirname :zeek:type:`string`
+
+      Name of directory to mount
+
+
+   MOUNT *mnt* arguments.
+   
+   .. zeek:see:: mount_proc_mnt
+
+.. zeek:type:: MOUNT3::info_t
+   :source-code: base/init-bare.zeek 3684 3711
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: rpc_stat :zeek:type:`rpc_status`
+
+      The RPC status.
+
+
+   .. zeek:field:: mnt_stat :zeek:type:`MOUNT3::status_t`
+
+      The MOUNT status.
+
+
+   .. zeek:field:: req_start :zeek:type:`time`
+
+      The start time of the request.
+
+
+   .. zeek:field:: req_dur :zeek:type:`interval`
+
+      The duration of the request.
+
+
+   .. zeek:field:: req_len :zeek:type:`count`
+
+      The length in bytes of the request.
+
+
+   .. zeek:field:: rep_start :zeek:type:`time`
+
+      The start time of the reply.
+
+
+   .. zeek:field:: rep_dur :zeek:type:`interval`
+
+      The duration of the reply.
+
+
+   .. zeek:field:: rep_len :zeek:type:`count`
+
+      The length in bytes of the reply.
+
+
+   .. zeek:field:: rpc_uid :zeek:type:`count`
+
+      The user id of the reply.
+
+
+   .. zeek:field:: rpc_gid :zeek:type:`count`
+
+      The group id of the reply.
+
+
+   .. zeek:field:: rpc_stamp :zeek:type:`count`
+
+      The stamp of the reply.
+
+
+   .. zeek:field:: rpc_machine_name :zeek:type:`string`
+
+      The machine name of the reply.
+
+
+   .. zeek:field:: rpc_auxgids :zeek:type:`index_vec`
+
+      The auxiliary ids of the reply.
+
+
+   Record summarizing the general results and status of MOUNT3
+   request/reply pairs.
+   
+   Note that when *rpc_stat* or *mount_stat* indicates not successful,
+   the reply record passed to the corresponding event will be empty and
+   contain uninitialized fields, so don't use it. Also note that time
+
+.. zeek:type:: MOUNT3::mnt_reply_t
+   :source-code: base/init-bare.zeek 3724 3727
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dirfh :zeek:type:`string` :zeek:attr:`&optional`
+
+      Dir handle
+
+
+   .. zeek:field:: auth_flavors :zeek:type:`vector` of :zeek:type:`MOUNT3::auth_flavor_t` :zeek:attr:`&optional`
+
+      Returned authentication flavors
+
+
+   MOUNT lookup reply. If the mount failed, *dir_attr* may be set. If the
+   mount succeeded, *fh* is always set.
+   
+   .. zeek:see:: mount_proc_mnt
+
+.. zeek:type:: MQTT::ConnectAckMsg
+   :source-code: base/init-bare.zeek 5968 5977
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: return_code :zeek:type:`count`
+
+      Return code from the connack message
+
+
+   .. zeek:field:: session_present :zeek:type:`bool`
+
+      The Session present flag helps the client
+      establish whether the Client and Server
+      have a consistent view about whether there
+      is already stored Session state.
+
+
+
+.. zeek:type:: MQTT::ConnectMsg
+   :source-code: base/init-bare.zeek 5936 5966
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: protocol_name :zeek:type:`string`
+
+      Protocol name
+
+
+   .. zeek:field:: protocol_version :zeek:type:`count`
+
+      Protocol version
+
+
+   .. zeek:field:: client_id :zeek:type:`string`
+
+      Identifies the Client to the Server.
+
+
+   .. zeek:field:: keep_alive :zeek:type:`interval`
+
+      The maximum time interval that is permitted to elapse between the
+      point at which the Client finishes transmitting one Control Packet
+      and the point it starts sending the next.
+
+
+   .. zeek:field:: clean_session :zeek:type:`bool`
+
+      The clean_session flag indicates if the server should or shouldn't
+      use a clean session or use existing previous session state.
+
+
+   .. zeek:field:: will_retain :zeek:type:`bool`
+
+      Specifies if the Will Message is to be retained when it is published.
+
+
+   .. zeek:field:: will_qos :zeek:type:`count`
+
+      Specifies the QoS level to be used when publishing the Will Message.
+
+
+   .. zeek:field:: will_topic :zeek:type:`string` :zeek:attr:`&optional`
+
+      Topic to publish the Will message to.
+
+
+   .. zeek:field:: will_msg :zeek:type:`string` :zeek:attr:`&optional`
+
+      The actual Will message to publish.
+
+
+   .. zeek:field:: username :zeek:type:`string` :zeek:attr:`&optional`
+
+      Username to use for authentication to the server.
+
+
+   .. zeek:field:: password :zeek:type:`string` :zeek:attr:`&optional`
+
+      Pass to use for authentication to the server.
+
+
+
+.. zeek:type:: MQTT::PublishMsg
+   :source-code: base/init-bare.zeek 5979 6001
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dup :zeek:type:`bool`
+
+      Indicates if this is the first attempt at publishing the message.
+
+
+   .. zeek:field:: qos :zeek:type:`count`
+
+      Indicates what level of QoS is enabled for this message.
+
+
+   .. zeek:field:: retain :zeek:type:`bool`
+
+      Indicates if the server should retain this message so that clients
+      subscribing to the topic in the future will receive this message
+      automatically.
+
+
+   .. zeek:field:: topic :zeek:type:`string`
+
+      Name of the topic the published message is directed into.
+
+
+   .. zeek:field:: payload :zeek:type:`string`
+
+      Payload of the published message.
+
+
+   .. zeek:field:: payload_len :zeek:type:`count`
+
+      The actual length of the payload in the case the *payload*
+      field's contents were truncated according to
+      :zeek:see:`MQTT::max_payload_size`.
+
+
+
+.. zeek:type:: MatcherStats
+   :source-code: base/init-bare.zeek 1139 1147
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: matchers :zeek:type:`count`
+
+      Number of distinct RE matchers.
+
+
+   .. zeek:field:: nfa_states :zeek:type:`count`
+
+      Number of NFA states across all matchers.
+
+
+   .. zeek:field:: dfa_states :zeek:type:`count`
+
+      Number of DFA states across all matchers.
+
+
+   .. zeek:field:: computed :zeek:type:`count`
+
+      Number of computed DFA state transitions.
+
+
+   .. zeek:field:: mem :zeek:type:`count`
+
+      Number of bytes used by DFA states.
+
+
+   .. zeek:field:: hits :zeek:type:`count`
+
+      Number of cache hits.
+
+
+   .. zeek:field:: misses :zeek:type:`count`
+
+      Number of cache misses.
+
+
+   Statistics of all regular expression matchers.
+   
+   .. zeek:see:: get_matcher_stats
+
+.. zeek:type:: ModbusCoils
+   :source-code: base/init-bare.zeek 3273 3273
+
+   :Type: :zeek:type:`vector` of :zeek:type:`bool`
+
+   A vector of boolean values that indicate the setting
+   for a range of modbus coils.
+
+.. zeek:type:: ModbusFileRecordRequest
+   :source-code: base/init-bare.zeek 3293 3298
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ref_type :zeek:type:`count`
+
+
+   .. zeek:field:: file_num :zeek:type:`count`
+
+
+   .. zeek:field:: record_num :zeek:type:`count`
+
+
+   .. zeek:field:: record_len :zeek:type:`count`
+
+
+
+.. zeek:type:: ModbusFileRecordRequests
+   :source-code: base/init-bare.zeek 3300 3300
+
+   :Type: :zeek:type:`vector` of :zeek:type:`ModbusFileRecordRequest`
+
+
+.. zeek:type:: ModbusFileRecordResponse
+   :source-code: base/init-bare.zeek 3302 3306
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: file_len :zeek:type:`count`
+
+
+   .. zeek:field:: ref_type :zeek:type:`count`
+
+
+   .. zeek:field:: record_data :zeek:type:`string`
+
+
+
+.. zeek:type:: ModbusFileRecordResponses
+   :source-code: base/init-bare.zeek 3308 3308
+
+   :Type: :zeek:type:`vector` of :zeek:type:`ModbusFileRecordResponse`
+
+
+.. zeek:type:: ModbusFileReference
+   :source-code: base/init-bare.zeek 3310 3316
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ref_type :zeek:type:`count`
+
+
+   .. zeek:field:: file_num :zeek:type:`count`
+
+
+   .. zeek:field:: record_num :zeek:type:`count`
+
+
+   .. zeek:field:: record_len :zeek:type:`count`
+
+
+   .. zeek:field:: record_data :zeek:type:`string`
+
+
+
+.. zeek:type:: ModbusFileReferences
+   :source-code: base/init-bare.zeek 3318 3318
+
+   :Type: :zeek:type:`vector` of :zeek:type:`ModbusFileReference`
+
+
+.. zeek:type:: ModbusHeaders
+   :source-code: base/init-bare.zeek 3279 3291
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: tid :zeek:type:`count`
+
+      Transaction identifier
+
+
+   .. zeek:field:: pid :zeek:type:`count`
+
+      Protocol identifier
+
+
+   .. zeek:field:: uid :zeek:type:`count`
+
+      Unit identifier (previously 'slave address')
+
+
+   .. zeek:field:: function_code :zeek:type:`count`
+
+      MODBUS function code
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Length of the application PDU following the header plus
+      one byte for the uid field.
+
+
+
+.. zeek:type:: ModbusRegisters
+   :source-code: base/init-bare.zeek 3277 3277
+
+   :Type: :zeek:type:`vector` of :zeek:type:`count`
+
+   A vector of count values that represent 16bit modbus
+   register values.
+
+.. zeek:type:: NFS3::delobj_reply_t
+   :source-code: base/init-bare.zeek 3590 3593
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dir_pre_attr :zeek:type:`NFS3::wcc_attr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ dir.
+
+
+   .. zeek:field:: dir_post_attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ dir.
+
+
+   NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec.
+   
+   .. zeek:see:: nfs_proc_remove nfs_proc_rmdir
+
+.. zeek:type:: NFS3::direntry_t
+   :source-code: base/init-bare.zeek 3621 3627
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fileid :zeek:type:`count`
+
+      E.g., inode number.
+
+
+   .. zeek:field:: fname :zeek:type:`string`
+
+      Filename.
+
+
+   .. zeek:field:: cookie :zeek:type:`count`
+
+      Cookie value.
+
+
+   .. zeek:field:: attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      *readdirplus*: the *fh* attributes for the entry.
+
+
+   .. zeek:field:: fh :zeek:type:`string` :zeek:attr:`&optional`
+
+      *readdirplus*: the *fh* for the entry
+
+
+   NFS *direntry*.  *fh* and *attr* are used for *readdirplus*. However,
+   even for *readdirplus* they may not be filled out.
+   
+   .. zeek:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t
+
+.. zeek:type:: NFS3::direntry_vec_t
+   :source-code: base/init-bare.zeek 3632 3632
+
+   :Type: :zeek:type:`vector` of :zeek:type:`NFS3::direntry_t`
+
+   Vector of NFS *direntry*.
+   
+   .. zeek:see:: NFS3::readdir_reply_t
+
+.. zeek:type:: NFS3::diropargs_t
+   :source-code: base/init-bare.zeek 3447 3450
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dirfh :zeek:type:`string`
+
+      The file handle of the directory.
+
+
+   .. zeek:field:: fname :zeek:type:`string`
+
+      The name of the file we are interested in.
+
+
+   NFS *readdir* arguments.
+   
+   .. zeek:see:: nfs_proc_readdir
+
+.. zeek:type:: NFS3::fattr_t
+   :source-code: base/init-bare.zeek 3419 3434
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ftype :zeek:type:`NFS3::file_type_t`
+
+      File type.
+
+
+   .. zeek:field:: mode :zeek:type:`count`
+
+      Mode
+
+
+   .. zeek:field:: nlink :zeek:type:`count`
+
+      Number of links.
+
+
+   .. zeek:field:: uid :zeek:type:`count`
+
+      User ID.
+
+
+   .. zeek:field:: gid :zeek:type:`count`
+
+      Group ID.
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      Size.
+
+
+   .. zeek:field:: used :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: rdev1 :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: rdev2 :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: fsid :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: fileid :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: atime :zeek:type:`time`
+
+      Time of last access.
+
+
+   .. zeek:field:: mtime :zeek:type:`time`
+
+      Time of last modification.
+
+
+   .. zeek:field:: ctime :zeek:type:`time`
+
+      Time of creation.
+
+
+   NFS file attributes. Field names are based on RFC 1813.
+   
+   .. zeek:see:: nfs_proc_getattr
+
+.. zeek:type:: NFS3::fsstat_t
+   :source-code: base/init-bare.zeek 3646 3655
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: attrs :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Attributes.
+
+
+   .. zeek:field:: tbytes :zeek:type:`double`
+
+      TODO.
+
+
+   .. zeek:field:: fbytes :zeek:type:`double`
+
+      TODO.
+
+
+   .. zeek:field:: abytes :zeek:type:`double`
+
+      TODO.
+
+
+   .. zeek:field:: tfiles :zeek:type:`double`
+
+      TODO.
+
+
+   .. zeek:field:: ffiles :zeek:type:`double`
+
+      TODO.
+
+
+   .. zeek:field:: afiles :zeek:type:`double`
+
+      TODO.
+
+
+   .. zeek:field:: invarsec :zeek:type:`interval`
+
+      TODO.
+
+
+   NFS *fsstat*.
+
+.. zeek:type:: NFS3::info_t
+   :source-code: base/init-bare.zeek 3375 3402
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: rpc_stat :zeek:type:`rpc_status`
+
+      The RPC status.
+
+
+   .. zeek:field:: nfs_stat :zeek:type:`NFS3::status_t`
+
+      The NFS status.
+
+
+   .. zeek:field:: req_start :zeek:type:`time`
+
+      The start time of the request.
+
+
+   .. zeek:field:: req_dur :zeek:type:`interval`
+
+      The duration of the request.
+
+
+   .. zeek:field:: req_len :zeek:type:`count`
+
+      The length in bytes of the request.
+
+
+   .. zeek:field:: rep_start :zeek:type:`time`
+
+      The start time of the reply.
+
+
+   .. zeek:field:: rep_dur :zeek:type:`interval`
+
+      The duration of the reply.
+
+
+   .. zeek:field:: rep_len :zeek:type:`count`
+
+      The length in bytes of the reply.
+
+
+   .. zeek:field:: rpc_uid :zeek:type:`count`
+
+      The user id of the reply.
+
+
+   .. zeek:field:: rpc_gid :zeek:type:`count`
+
+      The group id of the reply.
+
+
+   .. zeek:field:: rpc_stamp :zeek:type:`count`
+
+      The stamp of the reply.
+
+
+   .. zeek:field:: rpc_machine_name :zeek:type:`string`
+
+      The machine name of the reply.
+
+
+   .. zeek:field:: rpc_auxgids :zeek:type:`index_vec`
+
+      The auxiliary ids of the reply.
+
+
+   Record summarizing the general results and status of NFSv3
+   request/reply pairs.
+   
+   Note that when *rpc_stat* or *nfs_stat* indicates not successful,
+   the reply record passed to the corresponding event will be empty and
+   contain uninitialized fields, so don't use it. Also note that time
+   and duration values might not be fully accurate. For TCP, we record
+   times when the corresponding chunk of data is delivered to the
+   analyzer. Depending on the reassembler, this might be well after the
+   first packet of the request was received.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
+      nfs_proc_mkdir nfs_proc_not_implemented nfs_proc_null
+      nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
+      nfs_proc_rmdir nfs_proc_write nfs_reply_status
+
+.. zeek:type:: NFS3::link_reply_t
+   :source-code: base/init-bare.zeek 3547 3551
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: post_attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Optional post-operation attributes of the file system object identified by file
+
+
+   .. zeek:field:: preattr :zeek:type:`NFS3::wcc_attr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ file.
+
+
+   .. zeek:field:: postattr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ file.
+
+
+   NFS *link* reply.
+   
+   .. zeek:see:: nfs_proc_link
+
+.. zeek:type:: NFS3::linkargs_t
+   :source-code: base/init-bare.zeek 3473 3476
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fh :zeek:type:`string`
+
+      The file handle for the existing file system object.
+
+
+   .. zeek:field:: link :zeek:type:`NFS3::diropargs_t`
+
+      The location of the link to be created.
+
+
+   NFS *link* arguments.
+   
+   .. zeek:see:: nfs_proc_link
+
+.. zeek:type:: NFS3::lookup_reply_t
+   :source-code: base/init-bare.zeek 3491 3495
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fh :zeek:type:`string` :zeek:attr:`&optional`
+
+      File handle of object looked up.
+
+
+   .. zeek:field:: obj_attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ file
+
+
+   .. zeek:field:: dir_attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ dir.
+
+
+   NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the
+   lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr*
+   may be set.
+   
+   .. zeek:see:: nfs_proc_lookup
+
+.. zeek:type:: NFS3::newobj_reply_t
+   :source-code: base/init-bare.zeek 3580 3585
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fh :zeek:type:`string` :zeek:attr:`&optional`
+
+      File handle of object created.
+
+
+   .. zeek:field:: obj_attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ new object.
+
+
+   .. zeek:field:: dir_pre_attr :zeek:type:`NFS3::wcc_attr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ dir.
+
+
+   .. zeek:field:: dir_post_attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ dir.
+
+
+   NFS reply for *create*, *mkdir*, and *symlink*. If the proc
+   failed, *dir_\*_attr* may be set. If the proc succeeded, *fh* and the
+   *attr*'s may be set. Note: no guarantee that *fh* is set after
+   success.
+   
+   .. zeek:see:: nfs_proc_create nfs_proc_mkdir
+
+.. zeek:type:: NFS3::read_reply_t
+   :source-code: base/init-bare.zeek 3508 3513
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Attributes.
+
+
+   .. zeek:field:: size :zeek:type:`count` :zeek:attr:`&optional`
+
+      Number of bytes read.
+
+
+   .. zeek:field:: eof :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Sid the read end at EOF.
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      The actual data; not yet implemented.
+
+
+   NFS *read* reply. If the lookup fails, *attr* may be set. If the
+   lookup succeeds, *attr* may be set and all other fields are set.
+
+.. zeek:type:: NFS3::readargs_t
+   :source-code: base/init-bare.zeek 3500 3504
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fh :zeek:type:`string`
+
+      File handle to read from.
+
+
+   .. zeek:field:: offset :zeek:type:`count`
+
+      Offset in file.
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      Number of bytes to read.
+
+
+   NFS *read* arguments.
+   
+   .. zeek:see:: nfs_proc_read
+
+.. zeek:type:: NFS3::readdir_reply_t
+   :source-code: base/init-bare.zeek 3637 3643
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: isplus :zeek:type:`bool`
+
+      True if the reply for a *readdirplus* request.
+
+
+   .. zeek:field:: dir_attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Directory attributes.
+
+
+   .. zeek:field:: cookieverf :zeek:type:`count` :zeek:attr:`&optional`
+
+      TODO.
+
+
+   .. zeek:field:: entries :zeek:type:`NFS3::direntry_vec_t` :zeek:attr:`&optional`
+
+      Returned directory entries.
+
+
+   .. zeek:field:: eof :zeek:type:`bool`
+
+      If true, no more entries in directory.
+
+
+   NFS *readdir* reply. Used for *readdir* and *readdirplus*. If an is
+   returned, *dir_attr* might be set. On success, *dir_attr* may be set,
+   all others must be set.
+
+.. zeek:type:: NFS3::readdirargs_t
+   :source-code: base/init-bare.zeek 3608 3615
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: isplus :zeek:type:`bool`
+
+      Is this a readdirplus request?
+
+
+   .. zeek:field:: dirfh :zeek:type:`string`
+
+      The directory filehandle.
+
+
+   .. zeek:field:: cookie :zeek:type:`count`
+
+      Cookie / pos in dir; 0 for first call.
+
+
+   .. zeek:field:: cookieverf :zeek:type:`count`
+
+      The cookie verifier.
+
+
+   .. zeek:field:: dircount :zeek:type:`count`
+
+      "count" field for readdir; maxcount otherwise (in bytes).
+
+
+   .. zeek:field:: maxcount :zeek:type:`count` :zeek:attr:`&optional`
+
+      Only used for readdirplus. in bytes.
+
+
+   NFS *readdir* arguments. Used for both *readdir* and *readdirplus*.
+   
+   .. zeek:see:: nfs_proc_readdir
+
+.. zeek:type:: NFS3::readlink_reply_t
+   :source-code: base/init-bare.zeek 3519 3522
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Attributes.
+
+
+   .. zeek:field:: nfspath :zeek:type:`string` :zeek:attr:`&optional`
+
+      Contents of the symlink; in general a pathname as text.
+
+
+   NFS *readline* reply. If the request fails, *attr* may be set. If the
+   request succeeds, *attr* may be set and all other fields are set.
+   
+   .. zeek:see:: nfs_proc_readlink
+
+.. zeek:type:: NFS3::renameobj_reply_t
+   :source-code: base/init-bare.zeek 3598 3603
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: src_dir_pre_attr :zeek:type:`NFS3::wcc_attr_t`
+
+
+   .. zeek:field:: src_dir_post_attr :zeek:type:`NFS3::fattr_t`
+
+
+   .. zeek:field:: dst_dir_pre_attr :zeek:type:`NFS3::wcc_attr_t`
+
+
+   .. zeek:field:: dst_dir_post_attr :zeek:type:`NFS3::fattr_t`
+
+
+   NFS reply for *rename*. Corresponds to *wcc_data* in the spec.
+   
+   .. zeek:see:: nfs_proc_rename
+
+.. zeek:type:: NFS3::renameopargs_t
+   :source-code: base/init-bare.zeek 3455 3460
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: src_dirfh :zeek:type:`string`
+
+
+   .. zeek:field:: src_fname :zeek:type:`string`
+
+
+   .. zeek:field:: dst_dirfh :zeek:type:`string`
+
+
+   .. zeek:field:: dst_fname :zeek:type:`string`
+
+
+   NFS *rename* arguments.
+   
+   .. zeek:see:: nfs_proc_rename
+
+.. zeek:type:: NFS3::sattr_reply_t
+   :source-code: base/init-bare.zeek 3556 3559
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dir_pre_attr :zeek:type:`NFS3::wcc_attr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ dir.
+
+
+   .. zeek:field:: dir_post_attr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Optional attributes associated w/ dir.
+
+
+   NFS *sattr* reply. If the request fails, *pre|post* attr may be set.
+   If the request succeeds, *pre|post* attr are set.
+   
+
+.. zeek:type:: NFS3::sattr_t
+   :source-code: base/init-bare.zeek 3407 3414
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: mode :zeek:type:`count` :zeek:attr:`&optional`
+
+      Mode
+
+
+   .. zeek:field:: uid :zeek:type:`count` :zeek:attr:`&optional`
+
+      User ID.
+
+
+   .. zeek:field:: gid :zeek:type:`count` :zeek:attr:`&optional`
+
+      Group ID.
+
+
+   .. zeek:field:: size :zeek:type:`count` :zeek:attr:`&optional`
+
+      Size.
+
+
+   .. zeek:field:: atime :zeek:type:`NFS3::time_how_t` :zeek:attr:`&optional`
+
+      Time of last access.
+
+
+   .. zeek:field:: mtime :zeek:type:`NFS3::time_how_t` :zeek:attr:`&optional`
+
+      Time of last modification.
+
+
+   NFS file attributes. Field names are based on RFC 1813.
+   
+   .. zeek:see:: nfs_proc_sattr
+
+.. zeek:type:: NFS3::sattrargs_t
+   :source-code: base/init-bare.zeek 3481 3484
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fh :zeek:type:`string`
+
+      The file handle for the existing file system object.
+
+
+   .. zeek:field:: new_attributes :zeek:type:`NFS3::sattr_t`
+
+      The new attributes for the file.
+
+
+   NFS *sattr* arguments.
+   
+   .. zeek:see:: nfs_proc_sattr
+
+.. zeek:type:: NFS3::symlinkargs_t
+   :source-code: base/init-bare.zeek 3465 3468
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: link :zeek:type:`NFS3::diropargs_t`
+
+      The location of the link to be created.
+
+
+   .. zeek:field:: symlinkdata :zeek:type:`NFS3::symlinkdata_t`
+
+      The symbolic link to be created.
+
+
+   NFS *symlink* arguments.
+   
+   .. zeek:see:: nfs_proc_symlink
+
+.. zeek:type:: NFS3::symlinkdata_t
+   :source-code: base/init-bare.zeek 3439 3442
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: symlink_attributes :zeek:type:`NFS3::sattr_t`
+
+      The initial attributes for the symbolic link
+
+
+   .. zeek:field:: nfspath :zeek:type:`string` :zeek:attr:`&optional`
+
+      The string containing the symbolic link data.
+
+
+   NFS symlinkdata attributes. Field names are based on RFC 1813
+   
+   .. zeek:see:: nfs_proc_symlink
+
+.. zeek:type:: NFS3::wcc_attr_t
+   :source-code: base/init-bare.zeek 3538 3542
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      The size.
+
+
+   .. zeek:field:: atime :zeek:type:`time`
+
+      Access time.
+
+
+   .. zeek:field:: mtime :zeek:type:`time`
+
+      Modification time.
+
+
+   NFS *wcc* attributes.
+   
+   .. zeek:see:: NFS3::write_reply_t
+
+.. zeek:type:: NFS3::write_reply_t
+   :source-code: base/init-bare.zeek 3566 3572
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: preattr :zeek:type:`NFS3::wcc_attr_t` :zeek:attr:`&optional`
+
+      Pre operation attributes.
+
+
+   .. zeek:field:: postattr :zeek:type:`NFS3::fattr_t` :zeek:attr:`&optional`
+
+      Post operation attributes.
+
+
+   .. zeek:field:: size :zeek:type:`count` :zeek:attr:`&optional`
+
+      Size.
+
+
+   .. zeek:field:: commited :zeek:type:`NFS3::stable_how_t` :zeek:attr:`&optional`
+
+      TODO.
+
+
+   .. zeek:field:: verf :zeek:type:`count` :zeek:attr:`&optional`
+
+      Write verifier cookie.
+
+
+   NFS *write* reply. If the request fails, *pre|post* attr may be set.
+   If the request succeeds, *pre|post* attr may be set and all other
+   fields are set.
+   
+   .. zeek:see:: nfs_proc_write
+
+.. zeek:type:: NFS3::writeargs_t
+   :source-code: base/init-bare.zeek 3527 3533
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: fh :zeek:type:`string`
+
+      File handle to write to.
+
+
+   .. zeek:field:: offset :zeek:type:`count`
+
+      Offset in file.
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      Number of bytes to write.
+
+
+   .. zeek:field:: stable :zeek:type:`NFS3::stable_how_t`
+
+      How and when data is committed.
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      The actual data; not implemented yet.
+
+
+   NFS *write* arguments.
+   
+   .. zeek:see:: nfs_proc_write
+
+.. zeek:type:: NTLM::AVs
+   :source-code: base/init-bare.zeek 3932 3956
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nb_computer_name :zeek:type:`string`
+
+      The server's NetBIOS computer name
+
+
+   .. zeek:field:: nb_domain_name :zeek:type:`string`
+
+      The server's NetBIOS domain name
+
+
+   .. zeek:field:: dns_computer_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The FQDN of the computer
+
+
+   .. zeek:field:: dns_domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The FQDN of the domain
+
+
+   .. zeek:field:: dns_tree_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The FQDN of the forest
+
+
+   .. zeek:field:: constrained_auth :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Indicates to the client that the account
+      authentication is constrained
+
+
+   .. zeek:field:: timestamp :zeek:type:`time` :zeek:attr:`&optional`
+
+      The associated timestamp, if present
+
+
+   .. zeek:field:: single_host_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      Indicates that the client is providing
+      a machine ID created at computer startup to
+      identify the calling machine
+
+
+   .. zeek:field:: target_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The SPN of the target server
+
+
+
+.. zeek:type:: NTLM::Authenticate
+   :source-code: base/init-bare.zeek 3974 3989
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`NTLM::NegotiateFlags`
+
+      The negotiate flags
+
+
+   .. zeek:field:: domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The domain or computer name hosting the account
+
+
+   .. zeek:field:: user_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The name of the user to be authenticated.
+
+
+   .. zeek:field:: workstation :zeek:type:`string` :zeek:attr:`&optional`
+
+      The name of the computer to which the user was logged on.
+
+
+   .. zeek:field:: session_key :zeek:type:`string` :zeek:attr:`&optional`
+
+      The session key
+
+
+   .. zeek:field:: version :zeek:type:`NTLM::Version` :zeek:attr:`&optional`
+
+      The Windows version information, if supplied
+
+
+   .. zeek:field:: response :zeek:type:`string` :zeek:attr:`&optional`
+
+      The client's response for the challenge
+
+
+
+.. zeek:type:: NTLM::Challenge
+   :source-code: base/init-bare.zeek 3958 3972
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`NTLM::NegotiateFlags`
+
+      The negotiate flags
+
+
+   .. zeek:field:: challenge :zeek:type:`count`
+
+      A 64-bit value that contains the NTLM challenge.
+
+
+   .. zeek:field:: target_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The server authentication realm. If the server is
+      domain-joined, the name of the domain. Otherwise
+      the server name. See flags.target_type_domain
+      and flags.target_type_server
+
+
+   .. zeek:field:: version :zeek:type:`NTLM::Version` :zeek:attr:`&optional`
+
+      The Windows version information, if supplied
+
+
+   .. zeek:field:: target_info :zeek:type:`NTLM::AVs` :zeek:attr:`&optional`
+
+      Attribute-value pairs specified by the server
+
+
+
+.. zeek:type:: NTLM::Negotiate
+   :source-code: base/init-bare.zeek 3921 3930
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`NTLM::NegotiateFlags`
+
+      The negotiate flags
+
+
+   .. zeek:field:: domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The domain name of the client, if known
+
+
+   .. zeek:field:: workstation :zeek:type:`string` :zeek:attr:`&optional`
+
+      The machine name of the client, if known
+
+
+   .. zeek:field:: version :zeek:type:`NTLM::Version` :zeek:attr:`&optional`
+
+      The Windows version information, if supplied
+
+
+
+.. zeek:type:: NTLM::NegotiateFlags
+   :source-code: base/init-bare.zeek 3866 3919
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: negotiate_56 :zeek:type:`bool`
+
+      If set, requires 56-bit encryption
+
+
+   .. zeek:field:: negotiate_key_exch :zeek:type:`bool`
+
+      If set, requests an explicit key exchange
+
+
+   .. zeek:field:: negotiate_128 :zeek:type:`bool`
+
+      If set, requests 128-bit session key negotiation
+
+
+   .. zeek:field:: negotiate_version :zeek:type:`bool`
+
+      If set, requests the protocol version number
+
+
+   .. zeek:field:: negotiate_target_info :zeek:type:`bool`
+
+      If set, indicates that the TargetInfo fields in the
+      CHALLENGE_MESSAGE are populated
+
+
+   .. zeek:field:: request_non_nt_session_key :zeek:type:`bool`
+
+      If set, requests the usage of the LMOWF function
+
+
+   .. zeek:field:: negotiate_identify :zeek:type:`bool`
+
+      If set, requests and identify level token
+
+
+   .. zeek:field:: negotiate_extended_sessionsecurity :zeek:type:`bool`
+
+      If set, requests usage of NTLM v2 session security
+      Note: NTLM v2 session security is actually NTLM v1
+
+
+   .. zeek:field:: target_type_server :zeek:type:`bool`
+
+      If set, TargetName must be a server name
+
+
+   .. zeek:field:: target_type_domain :zeek:type:`bool`
+
+      If set, TargetName must be a domain name
+
+
+   .. zeek:field:: negotiate_always_sign :zeek:type:`bool`
+
+      If set, requests the presence of a signature block
+      on all messages
+
+
+   .. zeek:field:: negotiate_oem_workstation_supplied :zeek:type:`bool`
+
+      If set, the workstation name is provided
+
+
+   .. zeek:field:: negotiate_oem_domain_supplied :zeek:type:`bool`
+
+      If set, the domain name is provided
+
+
+   .. zeek:field:: negotiate_anonymous_connection :zeek:type:`bool`
+
+      If set, the connection should be anonymous
+
+
+   .. zeek:field:: negotiate_ntlm :zeek:type:`bool`
+
+      If set, requests usage of NTLM v1
+
+
+   .. zeek:field:: negotiate_lm_key :zeek:type:`bool`
+
+      If set, requests LAN Manager session key computation
+
+
+   .. zeek:field:: negotiate_datagram :zeek:type:`bool`
+
+      If set, requests connectionless authentication
+
+
+   .. zeek:field:: negotiate_seal :zeek:type:`bool`
+
+      If set, requests session key negotiation for message
+      confidentiality
+
+
+   .. zeek:field:: negotiate_sign :zeek:type:`bool`
+
+      If set, requests session key negotiation for message
+      signatures
+
+
+   .. zeek:field:: request_target :zeek:type:`bool`
+
+      If set, the TargetName field is present
+
+
+   .. zeek:field:: negotiate_oem :zeek:type:`bool`
+
+      If set, requests OEM character set encoding
+
+
+   .. zeek:field:: negotiate_unicode :zeek:type:`bool`
+
+      If set, requests Unicode character set encoding
+
+
+
+.. zeek:type:: NTLM::Version
+   :source-code: base/init-bare.zeek 3855 3864
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: major :zeek:type:`count`
+
+      The major version of the Windows operating system in use
+
+
+   .. zeek:field:: minor :zeek:type:`count`
+
+      The minor version of the Windows operating system in use
+
+
+   .. zeek:field:: build :zeek:type:`count`
+
+      The build number of the Windows operating system in use
+
+
+   .. zeek:field:: ntlmssp :zeek:type:`count`
+
+      The current revision of NTLMSSP in use
+
+
+
+.. zeek:type:: NTP::ControlMessage
+   :source-code: base/init-bare.zeek 5822 5856
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: op_code :zeek:type:`count`
+
+      An integer specifying the command function. Values currently defined:
+      
+      * 1 read status command/response
+      * 2 read variables command/response
+      * 3 write variables command/response
+      * 4 read clock variables command/response
+      * 5 write clock variables command/response
+      * 6 set trap address/port command/response
+      * 7 trap response
+      
+      Other values are reserved.
+
+
+   .. zeek:field:: resp_bit :zeek:type:`bool`
+
+      The response bit. Set to zero for commands, one for responses.
+
+
+   .. zeek:field:: err_bit :zeek:type:`bool`
+
+      The error bit. Set to zero for normal response, one for error
+      response.
+
+
+   .. zeek:field:: more_bit :zeek:type:`bool`
+
+      The more bit. Set to zero for last fragment, one for all others.
+
+
+   .. zeek:field:: sequence :zeek:type:`count`
+
+      The sequence number of the command or response.
+
+
+   .. zeek:field:: status :zeek:type:`count`
+
+      The current status of the system, peer or clock.
+
+
+   .. zeek:field:: association_id :zeek:type:`count`
+
+      A 16-bit integer identifying a valid association.
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      Message data for the command or response + Authenticator (optional).
+
+
+   .. zeek:field:: key_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      This is an integer identifying the cryptographic
+      key used to generate the message-authentication code.
+
+
+   .. zeek:field:: crypto_checksum :zeek:type:`string` :zeek:attr:`&optional`
+
+      This is a crypto-checksum computed by the encryption procedure.
+
+
+   NTP control message as defined in :rfc:`1119` for mode=6
+   This record contains the fields used by the NTP protocol
+   for control operations.
+
+.. zeek:type:: NTP::Message
+   :source-code: base/init-bare.zeek 5903 5930
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      The NTP version number (1, 2, 3, 4).
+
+
+   .. zeek:field:: mode :zeek:type:`count`
+
+      The NTP mode being used. Possible values are:
+      
+        * 1 - symmetric active
+        * 2 - symmetric passive
+        * 3 - client
+        * 4 - server
+        * 5 - broadcast
+        * 6 - NTP control message
+        * 7 - reserved for private use
+
+
+   .. zeek:field:: std_msg :zeek:type:`NTP::StandardMessage` :zeek:attr:`&optional`
+
+      If mode 1-5, the standard fields for synchronization operations are
+      here.  See :rfc:`5905`
+
+
+   .. zeek:field:: control_msg :zeek:type:`NTP::ControlMessage` :zeek:attr:`&optional`
+
+      If mode 6, the fields for control operations are here.
+      See :rfc:`1119`
+
+
+   .. zeek:field:: mode7_msg :zeek:type:`NTP::Mode7Message` :zeek:attr:`&optional`
+
+      If mode 7, the fields for extra operations are here.
+      Note that this is not defined in any RFC
+      and is implementation dependent. We used the official implementation
+      from the `NTP official project <https://www.ntp.org>`_.
+      A mode 7 packet is used exchanging data between an NTP server
+      and a client for purposes other than time synchronization, e.g.
+      monitoring, statistics gathering and configuration.
+
+
+   NTP message as defined in :rfc:`5905`.  Does include fields for mode 7,
+   reserved for private use in :rfc:`5905`, but used in some implementation
+   for commands such as "monlist".
+
+.. zeek:type:: NTP::Mode7Message
+   :source-code: base/init-bare.zeek 5865 5898
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: req_code :zeek:type:`count`
+
+      An implementation-specific code which specifies the
+      operation to be (which has been) performed and/or the
+      format and semantics of the data included in the packet.
+
+
+   .. zeek:field:: auth_bit :zeek:type:`bool`
+
+      The authenticated bit. If set, this packet is authenticated.
+
+
+   .. zeek:field:: sequence :zeek:type:`count`
+
+      For a multipacket response, contains the sequence
+      number of this packet.  0 is the first in the sequence,
+      127 (or less) is the last.  The More Bit must be set in
+      all packets but the last.
+
+
+   .. zeek:field:: implementation :zeek:type:`count`
+
+      The number of the implementation this request code
+      is defined by.  An implementation number of zero is used
+      for request codes/data formats which all implementations
+      agree on.  Implementation number 255 is reserved (for
+      extensions, in case we run out).
+
+
+   .. zeek:field:: err :zeek:type:`count`
+
+      Must be 0 for a request.  For a response, holds an error
+      code relating to the request.  If nonzero, the operation
+      requested wasn't performed.
+      
+        * 0 - no error
+        * 1 - incompatible implementation number
+        * 2 - unimplemented request code
+        * 3 - format error (wrong data items, data size, packet size etc.)
+        * 4 - no data available (e.g. request for details on unknown peer)
+        * 5 - unknown
+        * 6 - unknown
+        * 7 - authentication failure (i.e. permission denied)
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      Rest of data
+
+
+   NTP mode 7 message. Note that this is not defined in any RFC and is
+   implementation dependent. We used the official implementation from the
+   `NTP official project <https://www.ntp.org>`_.  A mode 7 packet is used
+   exchanging data between an NTP server and a client for purposes other
+   than time synchronization, e.g.  monitoring, statistics gathering and
+   configuration.  For details see the documentation from the `NTP official
+   project <https://www.ntp.org>`_, code v. ntp-4.2.8p13, in include/ntp_request.h.
+
+.. zeek:type:: NTP::StandardMessage
+   :source-code: base/init-bare.zeek 5764 5817
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: stratum :zeek:type:`count`
+
+      This value mainly identifies the type of server (primary server,
+      secondary server, etc.). Possible values, as in :rfc:`5905`, are:
+      
+        * 0 -> unspecified or invalid
+        * 1 -> primary server (e.g., equipped with a GPS receiver)
+        * 2-15 -> secondary server (via NTP)
+        * 16 -> unsynchronized
+        * 17-255 -> reserved
+      
+      For stratum 0, a *kiss_code* can be given for debugging and
+      monitoring.
+
+
+   .. zeek:field:: poll :zeek:type:`interval`
+
+      The maximum interval between successive messages.
+
+
+   .. zeek:field:: precision :zeek:type:`interval`
+
+      The precision of the system clock.
+
+
+   .. zeek:field:: root_delay :zeek:type:`interval`
+
+      Root delay. The total round-trip delay to the reference clock.
+
+
+   .. zeek:field:: root_disp :zeek:type:`interval`
+
+      Root Dispersion. The total dispersion to the reference clock.
+
+
+   .. zeek:field:: kiss_code :zeek:type:`string` :zeek:attr:`&optional`
+
+      For stratum 0, four-character ASCII string used for debugging and
+      monitoring. Values are defined in :rfc:`1345`.
+
+
+   .. zeek:field:: ref_id :zeek:type:`string` :zeek:attr:`&optional`
+
+      Reference ID. For stratum 1, this is the ID assigned to the
+      reference clock by IANA.
+      For example: GOES, GPS, GAL, etc. (see :rfc:`5905`)
+
+
+   .. zeek:field:: ref_addr :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Above stratum 1, when using IPv4, the IP address of the reference
+      clock.  Note that the NTP protocol did not originally specify a
+      large enough field to represent IPv6 addresses, so they use
+      the first four bytes of the MD5 hash of the reference clock's
+      IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
+
+
+   .. zeek:field:: ref_time :zeek:type:`time`
+
+      Reference timestamp. Time when the system clock was last set or
+      correct.
+
+
+   .. zeek:field:: org_time :zeek:type:`time`
+
+      Origin timestamp. Time at the client when the request departed for
+      the NTP server.
+
+
+   .. zeek:field:: rec_time :zeek:type:`time`
+
+      Receive timestamp. Time at the server when the request arrived from
+      the NTP client.
+
+
+   .. zeek:field:: xmt_time :zeek:type:`time`
+
+      Transmit timestamp. Time at the server when the response departed
+
+
+   .. zeek:field:: key_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      Key used to designate a secret MD5 key.
+
+
+   .. zeek:field:: digest :zeek:type:`string` :zeek:attr:`&optional`
+
+      MD5 hash computed over the key followed by the NTP packet header and
+      extension fields.
+
+
+   .. zeek:field:: num_exts :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Number of extension fields (which are not currently parsed).
+
+
+   NTP standard message as defined in :rfc:`5905` for modes 1-5
+   This record contains the standard fields used by the NTP protocol
+   for standard synchronization operations.
+
+.. zeek:type:: NetStats
+   :source-code: base/init-bare.zeek 1062 1073
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pkts_recvd :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Packets received by Zeek.
+
+
+   .. zeek:field:: pkts_dropped :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Packets reported dropped by the system.
+
+
+   .. zeek:field:: pkts_link :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Packets seen on the link. Note that this may differ
+      from *pkts_recvd* because of a potential capture_filter. See
+      :doc:`/scripts/base/frameworks/packet-filter/main.zeek`. Depending on the
+      packet capture system, this value may not be available and will then
+      be always set to zero.
+
+
+   .. zeek:field:: bytes_recvd :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Bytes received by Zeek.
+
+
+   .. zeek:field:: pkts_filtered :zeek:type:`count` :zeek:attr:`&optional`
+
+      Packets filtered by the packet source.
+
+
+   Packet capture statistics.  All counts are cumulative.
+   
+   .. zeek:see:: get_net_stats
+
+.. zeek:type:: PE::DOSHeader
+   :source-code: base/init-bare.zeek 4909 4945
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: signature :zeek:type:`string`
+
+      The magic number of a portable executable file ("MZ").
+
+
+   .. zeek:field:: used_bytes_in_last_page :zeek:type:`count`
+
+      The number of bytes in the last page that are used.
+
+
+   .. zeek:field:: file_in_pages :zeek:type:`count`
+
+      The number of pages in the file that are part of the PE file itself.
+
+
+   .. zeek:field:: num_reloc_items :zeek:type:`count`
+
+      Number of relocation entries stored after the header.
+
+
+   .. zeek:field:: header_in_paragraphs :zeek:type:`count`
+
+      Number of paragraphs in the header.
+
+
+   .. zeek:field:: min_extra_paragraphs :zeek:type:`count`
+
+      Number of paragraphs of additional memory that the program will need.
+
+
+   .. zeek:field:: max_extra_paragraphs :zeek:type:`count`
+
+      Maximum number of paragraphs of additional memory.
+
+
+   .. zeek:field:: init_relative_ss :zeek:type:`count`
+
+      Relative value of the stack segment.
+
+
+   .. zeek:field:: init_sp :zeek:type:`count`
+
+      Initial value of the SP register.
+
+
+   .. zeek:field:: checksum :zeek:type:`count`
+
+      Checksum. The 16-bit sum of all words in the file should be 0. Normally not set.
+
+
+   .. zeek:field:: init_ip :zeek:type:`count`
+
+      Initial value of the IP register.
+
+
+   .. zeek:field:: init_relative_cs :zeek:type:`count`
+
+      Initial value of the CS register (relative to the initial segment).
+
+
+   .. zeek:field:: addr_of_reloc_table :zeek:type:`count`
+
+      Offset of the first relocation table.
+
+
+   .. zeek:field:: overlay_num :zeek:type:`count`
+
+      Overlays allow you to append data to the end of the file. If this is the main program,
+      this will be 0.
+
+
+   .. zeek:field:: oem_id :zeek:type:`count`
+
+      OEM identifier.
+
+
+   .. zeek:field:: oem_info :zeek:type:`count`
+
+      Additional OEM info, specific to oem_id.
+
+
+   .. zeek:field:: addr_of_new_exe_header :zeek:type:`count`
+
+      Address of the new EXE header.
+
+
+
+.. zeek:type:: PE::FileHeader
+   :source-code: base/init-bare.zeek 4947 4960
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: machine :zeek:type:`count`
+
+      The target machine that the file was compiled for.
+
+
+   .. zeek:field:: ts :zeek:type:`time`
+
+      The time that the file was created at.
+
+
+   .. zeek:field:: sym_table_ptr :zeek:type:`count`
+
+      Pointer to the symbol table.
+
+
+   .. zeek:field:: num_syms :zeek:type:`count`
+
+      Number of symbols.
+
+
+   .. zeek:field:: optional_header_size :zeek:type:`count`
+
+      The size of the optional header.
+
+
+   .. zeek:field:: characteristics :zeek:type:`set` [:zeek:type:`count`]
+
+      Bit flags that determine if this file is executable, non-relocatable, and/or a DLL.
+
+
+
+.. zeek:type:: PE::OptionalHeader
+   :source-code: base/init-bare.zeek 4962 5013
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: magic :zeek:type:`count`
+
+      PE32 or PE32+ indicator.
+
+
+   .. zeek:field:: major_linker_version :zeek:type:`count`
+
+      The major version of the linker used to create the PE.
+
+
+   .. zeek:field:: minor_linker_version :zeek:type:`count`
+
+      The minor version of the linker used to create the PE.
+
+
+   .. zeek:field:: size_of_code :zeek:type:`count`
+
+      Size of the .text section.
+
+
+   .. zeek:field:: size_of_init_data :zeek:type:`count`
+
+      Size of the .data section.
+
+
+   .. zeek:field:: size_of_uninit_data :zeek:type:`count`
+
+      Size of the .bss section.
+
+
+   .. zeek:field:: addr_of_entry_point :zeek:type:`count`
+
+      The relative virtual address (RVA) of the entry point.
+
+
+   .. zeek:field:: base_of_code :zeek:type:`count`
+
+      The relative virtual address (RVA) of the .text section.
+
+
+   .. zeek:field:: base_of_data :zeek:type:`count` :zeek:attr:`&optional`
+
+      The relative virtual address (RVA) of the .data section.
+
+
+   .. zeek:field:: image_base :zeek:type:`count`
+
+      Preferred memory location for the image to be based at.
+
+
+   .. zeek:field:: section_alignment :zeek:type:`count`
+
+      The alignment (in bytes) of sections when they're loaded in memory.
+
+
+   .. zeek:field:: file_alignment :zeek:type:`count`
+
+      The alignment (in bytes) of the raw data of sections.
+
+
+   .. zeek:field:: os_version_major :zeek:type:`count`
+
+      The major version of the required OS.
+
+
+   .. zeek:field:: os_version_minor :zeek:type:`count`
+
+      The minor version of the required OS.
+
+
+   .. zeek:field:: major_image_version :zeek:type:`count`
+
+      The major version of this image.
+
+
+   .. zeek:field:: minor_image_version :zeek:type:`count`
+
+      The minor version of this image.
+
+
+   .. zeek:field:: major_subsys_version :zeek:type:`count`
+
+      The major version of the subsystem required to run this file.
+
+
+   .. zeek:field:: minor_subsys_version :zeek:type:`count`
+
+      The minor version of the subsystem required to run this file.
+
+
+   .. zeek:field:: size_of_image :zeek:type:`count`
+
+      The size (in bytes) of the image as the image is loaded in memory.
+
+
+   .. zeek:field:: size_of_headers :zeek:type:`count`
+
+      The size (in bytes) of the headers, rounded up to file_alignment.
+
+
+   .. zeek:field:: checksum :zeek:type:`count`
+
+      The image file checksum.
+
+
+   .. zeek:field:: subsystem :zeek:type:`count`
+
+      The subsystem that's required to run this image.
+
+
+   .. zeek:field:: dll_characteristics :zeek:type:`set` [:zeek:type:`count`]
+
+      Bit flags that determine how to execute or load this file.
+
+
+   .. zeek:field:: table_sizes :zeek:type:`vector` of :zeek:type:`count`
+
+      A vector with the sizes of various tables and strings that are
+      defined in the optional header data directories. Examples include
+      the import table, the resource table, and debug information.
+
+
+
+.. zeek:type:: PE::SectionHeader
+   :source-code: base/init-bare.zeek 5017 5042
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      The name of the section
+
+
+   .. zeek:field:: virtual_size :zeek:type:`count`
+
+      The total size of the section when loaded into memory.
+
+
+   .. zeek:field:: virtual_addr :zeek:type:`count`
+
+      The relative virtual address (RVA) of the section.
+
+
+   .. zeek:field:: size_of_raw_data :zeek:type:`count`
+
+      The size of the initialized data for the section, as it is
+      in the file on disk.
+
+
+   .. zeek:field:: ptr_to_raw_data :zeek:type:`count`
+
+      The virtual address of the initialized dat for the section,
+      as it is in the file on disk.
+
+
+   .. zeek:field:: ptr_to_relocs :zeek:type:`count`
+
+      The file pointer to the beginning of relocation entries for
+      the section.
+
+
+   .. zeek:field:: ptr_to_line_nums :zeek:type:`count`
+
+      The file pointer to the beginning of line-number entries for
+      the section.
+
+
+   .. zeek:field:: num_of_relocs :zeek:type:`count`
+
+      The number of relocation entries for the section.
+
+
+   .. zeek:field:: num_of_line_nums :zeek:type:`count`
+
+      The number of line-number entries for the section.
+
+
+   .. zeek:field:: characteristics :zeek:type:`set` [:zeek:type:`count`]
+
+      Bit-flags that describe the characteristics of the section.
+
+
+   Record for Portable Executable (PE) section headers.
+
+.. zeek:type:: PacketSource
+   :source-code: base/init-bare.zeek 159 169
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: live :zeek:type:`bool`
+
+      Whether the packet source is a live interface or offline pcap file.
+
+
+   .. zeek:field:: path :zeek:type:`string`
+
+      The interface name for a live interface or filesystem path of
+      an offline pcap file.
+
+
+   .. zeek:field:: link_type :zeek:type:`int`
+
+      The data link-layer type of the packet source.
+
+
+   .. zeek:field:: netmask :zeek:type:`count`
+
+      The netmask associated with the source or ``NETMASK_UNKNOWN``.
+
+
+   Properties of an I/O packet source being read by Zeek.
+
+.. zeek:type:: Pcap::Interface
+   :source-code: base/init-bare.zeek 5685 5700
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      The interface/device name.
+
+
+   .. zeek:field:: description :zeek:type:`string` :zeek:attr:`&optional`
+
+      A human-readable description of the device.
+
+
+   .. zeek:field:: addrs :zeek:type:`set` [:zeek:type:`addr`]
+
+      The network addresses associated with the device.
+
+
+   .. zeek:field:: is_loopback :zeek:type:`bool`
+
+      Whether the device is a loopback interface.  E.g. addresses
+      of ``127.0.0.1`` or ``[::1]`` are used by loopback interfaces.
+
+
+   .. zeek:field:: is_up :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Whether the device is up.  Not set when that info is unavailable.
+
+
+   .. zeek:field:: is_running :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Whether the device is running.  Not set when that info is unavailable.
+
+
+   The definition of a "pcap interface".
+
+.. zeek:type:: Pcap::Interfaces
+   :source-code: base/init-bare.zeek 5702 5702
+
+   :Type: :zeek:type:`set` [:zeek:type:`Pcap::Interface`]
+
+
+.. zeek:type:: Pcap::filter_state
+   :source-code: base/init-bare.zeek 5705 5710
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Pcap::ok Pcap::filter_state
+
+      .. zeek:enum:: Pcap::fatal Pcap::filter_state
+
+      .. zeek:enum:: Pcap::warning Pcap::filter_state
+
+   The state of the compilation for a pcap filter.
+
+.. zeek:type:: PcapFilterID
+   :source-code: base/init-bare.zeek 1416 1417
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: None PcapFilterID
+
+      .. zeek:enum:: PacketFilter::DefaultPcapFilter PcapFilterID
+
+         (present if :doc:`/scripts/base/frameworks/packet-filter/main.zeek` is loaded)
+
+
+      .. zeek:enum:: PacketFilter::FilterTester PcapFilterID
+
+         (present if :doc:`/scripts/base/frameworks/packet-filter/main.zeek` is loaded)
+
+
+   Enum type identifying dynamic BPF filters. These are used by
+   :zeek:see:`Pcap::precompile_pcap_filter` and :zeek:see:`Pcap::precompile_pcap_filter`.
+
+.. zeek:type:: PluginComponent
+   :source-code: base/init-bare.zeek 389 394
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+
+   .. zeek:field:: canonical_name :zeek:type:`string`
+
+
+   .. zeek:field:: tag :zeek:type:`string`
+
+
+   .. zeek:field:: enabled :zeek:type:`bool`
+
+
+   Record containing information about a tag.
+   
+   .. zeek:see:: get_plugin_components
+
+.. zeek:type:: ProcStats
+   :source-code: base/init-bare.zeek 1106 1119
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: debug :zeek:type:`bool`
+
+      True if compiled with --enable-debug.
+
+
+   .. zeek:field:: start_time :zeek:type:`time`
+
+      Start time of process.
+
+
+   .. zeek:field:: real_time :zeek:type:`interval`
+
+      Elapsed real time since Zeek started running.
+
+
+   .. zeek:field:: user_time :zeek:type:`interval`
+
+      User CPU seconds.
+
+
+   .. zeek:field:: system_time :zeek:type:`interval`
+
+      System CPU seconds.
+
+
+   .. zeek:field:: mem :zeek:type:`count`
+
+      Maximum memory consumed, in bytes.
+
+
+   .. zeek:field:: minor_faults :zeek:type:`count`
+
+      Page faults not requiring actual I/O.
+
+
+   .. zeek:field:: major_faults :zeek:type:`count`
+
+      Page faults requiring actual I/O.
+
+
+   .. zeek:field:: num_swap :zeek:type:`count`
+
+      Times swapped out.
+
+
+   .. zeek:field:: blocking_input :zeek:type:`count`
+
+      Blocking input operations.
+
+
+   .. zeek:field:: blocking_output :zeek:type:`count`
+
+      Blocking output operations.
+
+
+   .. zeek:field:: num_context :zeek:type:`count`
+
+      Number of involuntary context switches.
+
+
+   Statistics about Zeek's process.
+   
+   .. zeek:see:: get_proc_stats
+   
+   .. note:: All process-level values refer to Zeek's main process only, not to
+      the child process it spawns for doing communication.
+
+.. zeek:type:: RADIUS::AttributeList
+   :source-code: base/init-bare.zeek 5150 5150
+
+   :Type: :zeek:type:`vector` of :zeek:type:`string`
+
+
+.. zeek:type:: RADIUS::Attributes
+   :source-code: base/init-bare.zeek 5151 5151
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`RADIUS::AttributeList`
+
+
+.. zeek:type:: RADIUS::Message
+   :source-code: base/init-bare.zeek 5153 5162
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: code :zeek:type:`count`
+
+      The type of message (Access-Request, Access-Accept, etc.).
+
+
+   .. zeek:field:: trans_id :zeek:type:`count`
+
+      The transaction ID.
+
+
+   .. zeek:field:: authenticator :zeek:type:`string`
+
+      The "authenticator" string.
+
+
+   .. zeek:field:: attributes :zeek:type:`RADIUS::Attributes` :zeek:attr:`&optional`
+
+      Any attributes.
+
+
+
+.. zeek:type:: RDP::ClientChannelDef
+   :source-code: base/init-bare.zeek 5220 5248
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      A unique name for the channel
+
+
+   .. zeek:field:: options :zeek:type:`count`
+
+      Channel Def raw options as count
+
+
+   .. zeek:field:: initialized :zeek:type:`bool`
+
+      Absence of this flag indicates that this channel is
+      a placeholder and that the server MUST NOT set it up.
+
+
+   .. zeek:field:: encrypt_rdp :zeek:type:`bool`
+
+      Unused, must be ignored by the server.
+
+
+   .. zeek:field:: encrypt_sc :zeek:type:`bool`
+
+      Unused, must be ignored by the server.
+
+
+   .. zeek:field:: encrypt_cs :zeek:type:`bool`
+
+      Unused, must be ignored by the server.
+
+
+   .. zeek:field:: pri_high :zeek:type:`bool`
+
+      Channel data must be sent with high MCS priority.
+
+
+   .. zeek:field:: pri_med :zeek:type:`bool`
+
+      Channel data must be sent with medium MCS priority.
+
+
+   .. zeek:field:: pri_low :zeek:type:`bool`
+
+      Channel data must be sent with low MCS priority.
+
+
+   .. zeek:field:: compress_rdp :zeek:type:`bool`
+
+      Virtual channel data must be compressed if RDP data is being compressed.
+
+
+   .. zeek:field:: compress :zeek:type:`bool`
+
+      Virtual channel data must be compressed.
+
+
+   .. zeek:field:: show_protocol :zeek:type:`bool`
+
+      Ignored by the server.
+
+
+   .. zeek:field:: persistent :zeek:type:`bool`
+
+      Channel must be persistent across remote control transactions.
+
+
+   Name and flags for a single channel requested by the client.
+
+.. zeek:type:: RDP::ClientChannelList
+   :source-code: base/init-bare.zeek 5275 5275
+
+   :Type: :zeek:type:`vector` of :zeek:type:`RDP::ClientChannelDef`
+
+   The list of channels requested by the client.
+
+.. zeek:type:: RDP::ClientClusterData
+   :source-code: base/init-bare.zeek 5253 5272
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      Cluster information flags.
+
+
+   .. zeek:field:: redir_session_id :zeek:type:`count`
+
+      If the *redir_sessionid_field_valid* flag is set, this field
+      contains a valid session identifier to which the client requests
+      to connect.
+
+
+   .. zeek:field:: redir_supported :zeek:type:`bool`
+
+      The client can receive server session redirection packets.
+      If this flag is set, the *svr_session_redir_version_mask*
+      field MUST contain the server session redirection version that
+      the client supports.
+
+
+   .. zeek:field:: svr_session_redir_version_mask :zeek:type:`count`
+
+      The server session redirection version that the client supports.
+
+
+   .. zeek:field:: redir_sessionid_field_valid :zeek:type:`bool`
+
+      Whether the *redir_session_id* field identifies a session on
+      the server to associate with the connection.
+
+
+   .. zeek:field:: redir_smartcard :zeek:type:`bool`
+
+      The client logged on with a smart card.
+
+
+   The TS_UD_CS_CLUSTER data block is sent by the client to the server
+   either to advertise that it can support the Server Redirection PDUs
+   or to request a connection to a given session identifier.
+
+.. zeek:type:: RDP::ClientCoreData
+   :source-code: base/init-bare.zeek 5180 5201
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version_major :zeek:type:`count`
+
+
+   .. zeek:field:: version_minor :zeek:type:`count`
+
+
+   .. zeek:field:: desktop_width :zeek:type:`count`
+
+
+   .. zeek:field:: desktop_height :zeek:type:`count`
+
+
+   .. zeek:field:: color_depth :zeek:type:`count`
+
+
+   .. zeek:field:: sas_sequence :zeek:type:`count`
+
+
+   .. zeek:field:: keyboard_layout :zeek:type:`count`
+
+
+   .. zeek:field:: client_build :zeek:type:`count`
+
+
+   .. zeek:field:: client_name :zeek:type:`string`
+
+
+   .. zeek:field:: keyboard_type :zeek:type:`count`
+
+
+   .. zeek:field:: keyboard_sub :zeek:type:`count`
+
+
+   .. zeek:field:: keyboard_function_key :zeek:type:`count`
+
+
+   .. zeek:field:: ime_file_name :zeek:type:`string`
+
+
+   .. zeek:field:: post_beta2_color_depth :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: client_product_id :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: serial_number :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: high_color_depth :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: supported_color_depths :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: ec_flags :zeek:type:`RDP::EarlyCapabilityFlags` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: dig_product_id :zeek:type:`string` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: RDP::ClientSecurityData
+   :source-code: base/init-bare.zeek 5205 5217
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: encryption_methods :zeek:type:`count`
+
+      Cryptographic encryption methods supported by the client and used in
+      conjunction with Standard RDP Security.  Known flags:
+      
+      - 0x00000001: support for 40-bit session encryption keys
+      - 0x00000002: support for 128-bit session encryption keys
+      - 0x00000008: support for 56-bit session encryption keys
+      - 0x00000010: support for FIPS compliant encryption and MAC methods
+
+
+   .. zeek:field:: ext_encryption_methods :zeek:type:`count`
+
+      Only used in French locale and designates the encryption method.  If
+      non-zero, then encryption_methods should be set to 0.
+
+
+   The TS_UD_CS_SEC data block contains security-related information used
+   to advertise client cryptographic support.
+
+.. zeek:type:: RDP::EarlyCapabilityFlags
+   :source-code: base/init-bare.zeek 5168 5178
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: support_err_info_pdu :zeek:type:`bool`
+
+
+   .. zeek:field:: want_32bpp_session :zeek:type:`bool`
+
+
+   .. zeek:field:: support_statusinfo_pdu :zeek:type:`bool`
+
+
+   .. zeek:field:: strong_asymmetric_keys :zeek:type:`bool`
+
+
+   .. zeek:field:: support_monitor_layout_pdu :zeek:type:`bool`
+
+
+   .. zeek:field:: support_netchar_autodetect :zeek:type:`bool`
+
+
+   .. zeek:field:: support_dynvc_gfx_protocol :zeek:type:`bool`
+
+
+   .. zeek:field:: support_dynamic_time_zone :zeek:type:`bool`
+
+
+   .. zeek:field:: support_heartbeat_pdu :zeek:type:`bool`
+
+
+
+.. zeek:type:: ReassemblerStats
+   :source-code: base/init-bare.zeek 1129 1134
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: file_size :zeek:type:`count`
+
+      Byte size of File reassembly tracking.
+
+
+   .. zeek:field:: frag_size :zeek:type:`count`
+
+      Byte size of Fragment reassembly tracking.
+
+
+   .. zeek:field:: tcp_size :zeek:type:`count`
+
+      Byte size of TCP reassembly tracking.
+
+
+   .. zeek:field:: unknown_size :zeek:type:`count`
+
+      Byte size of reassembly tracking for unknown purposes.
+
+
+   Holds statistics for all types of reassembly.
+   
+   .. zeek:see:: get_reassembler_stats
+
+.. zeek:type:: ReporterStats
+   :source-code: base/init-bare.zeek 1240 1246
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: weirds :zeek:type:`count`
+
+      Number of total weirds encountered, before any rate-limiting.
+
+
+   .. zeek:field:: weirds_by_type :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`count`
+
+      Number of times each individual weird is encountered, before any
+      rate-limiting is applied.
+
+
+   Statistics about reporter messages and weirds.
+   
+   .. zeek:see:: get_reporter_stats
+
+.. zeek:type:: SMB1::Find_First2_Request_Args
+   :source-code: base/init-bare.zeek 4367 4381
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: search_attrs :zeek:type:`count`
+
+      File attributes to apply as a constraint to the search
+
+
+   .. zeek:field:: search_count :zeek:type:`count`
+
+      Max search results
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      Misc. flags for how the server should manage the transaction
+      once results are returned
+
+
+   .. zeek:field:: info_level :zeek:type:`count`
+
+      How detailed the information returned in the results should be
+
+
+   .. zeek:field:: search_storage_type :zeek:type:`count`
+
+      Specify whether to search for directories or files
+
+
+   .. zeek:field:: file_name :zeek:type:`string`
+
+      The string to search for (note: may contain wildcards)
+
+
+
+.. zeek:type:: SMB1::Find_First2_Response_Args
+   :source-code: base/init-bare.zeek 4383 4393
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: sid :zeek:type:`count`
+
+      The server generated search identifier
+
+
+   .. zeek:field:: search_count :zeek:type:`count`
+
+      Number of results returned by the search
+
+
+   .. zeek:field:: end_of_search :zeek:type:`bool`
+
+      Whether or not the search can be continued using
+      the TRANS2_FIND_NEXT2 transaction
+
+
+   .. zeek:field:: ext_attr_error :zeek:type:`string` :zeek:attr:`&optional`
+
+      An extended attribute name that couldn't be retrieved
+
+
+
+.. zeek:type:: SMB1::Header
+   :source-code: base/init-bare.zeek 4064 4073
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: command :zeek:type:`count`
+
+      The command number
+
+
+   .. zeek:field:: status :zeek:type:`count`
+
+      The status code
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      Flag set 1
+
+
+   .. zeek:field:: flags2 :zeek:type:`count`
+
+      Flag set 2
+
+
+   .. zeek:field:: tid :zeek:type:`count`
+
+      Tree ID
+
+
+   .. zeek:field:: pid :zeek:type:`count`
+
+      Process ID
+
+
+   .. zeek:field:: uid :zeek:type:`count`
+
+      User ID
+
+
+   .. zeek:field:: mid :zeek:type:`count`
+
+      Multiplex ID
+
+
+   An SMB1 header.
+   
+   .. zeek:see:: smb1_message smb1_empty_response smb1_error
+      smb1_check_directory_request smb1_check_directory_response
+      smb1_close_request smb1_create_directory_request
+      smb1_create_directory_response smb1_echo_request
+      smb1_echo_response smb1_negotiate_request
+      smb1_negotiate_response smb1_nt_cancel_request
+      smb1_nt_create_andx_request smb1_nt_create_andx_response
+      smb1_query_information_request smb1_read_andx_request
+      smb1_read_andx_response smb1_session_setup_andx_request
+      smb1_session_setup_andx_response smb1_transaction_request
+      smb1_transaction2_request smb1_trans2_find_first2_request
+      smb1_trans2_query_path_info_request
+      smb1_trans2_get_dfs_referral_request
+      smb1_tree_connect_andx_request smb1_tree_connect_andx_response
+      smb1_tree_disconnect smb1_write_andx_request
+      smb1_write_andx_response
+
+.. zeek:type:: SMB1::NegotiateCapabilities
+   :source-code: base/init-bare.zeek 4082 4124
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: raw_mode :zeek:type:`bool`
+
+      The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW
+
+
+   .. zeek:field:: mpx_mode :zeek:type:`bool`
+
+      The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX
+
+
+   .. zeek:field:: unicode :zeek:type:`bool`
+
+      The server supports unicode strings
+
+
+   .. zeek:field:: large_files :zeek:type:`bool`
+
+      The server supports large files with 64 bit offsets
+
+
+   .. zeek:field:: nt_smbs :zeek:type:`bool`
+
+      The server supports the SMBs particular to the NT LM 0.12 dialect. Implies nt_find.
+
+
+   .. zeek:field:: rpc_remote_apis :zeek:type:`bool`
+
+      The server supports remote admin API requests via DCE-RPC
+
+
+   .. zeek:field:: status32 :zeek:type:`bool`
+
+      The server can respond with 32 bit status codes in Status.Status
+
+
+   .. zeek:field:: level_2_oplocks :zeek:type:`bool`
+
+      The server supports level 2 oplocks
+
+
+   .. zeek:field:: lock_and_read :zeek:type:`bool`
+
+      The server supports SMB_COM_LOCK_AND_READ
+
+
+   .. zeek:field:: nt_find :zeek:type:`bool`
+
+      Reserved
+
+
+   .. zeek:field:: dfs :zeek:type:`bool`
+
+      The server is DFS aware
+
+
+   .. zeek:field:: infolevel_passthru :zeek:type:`bool`
+
+      The server supports NT information level requests passing through
+
+
+   .. zeek:field:: large_readx :zeek:type:`bool`
+
+      The server supports large SMB_COM_READ_ANDX (up to 64k)
+
+
+   .. zeek:field:: large_writex :zeek:type:`bool`
+
+      The server supports large SMB_COM_WRITE_ANDX (up to 64k)
+
+
+   .. zeek:field:: unix :zeek:type:`bool`
+
+      The server supports CIFS Extensions for UNIX
+
+
+   .. zeek:field:: bulk_transfer :zeek:type:`bool`
+
+      The server supports SMB_BULK_READ, SMB_BULK_WRITE
+      Note: No known implementations support this
+
+
+   .. zeek:field:: compressed_data :zeek:type:`bool`
+
+      The server supports compressed data transfer. Requires bulk_transfer.
+      Note: No known implementations support this
+
+
+   .. zeek:field:: extended_security :zeek:type:`bool`
+
+      The server supports extended security exchanges
+
+
+
+.. zeek:type:: SMB1::NegotiateRawMode
+   :source-code: base/init-bare.zeek 4075 4080
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: read_raw :zeek:type:`bool`
+
+      Read raw supported
+
+
+   .. zeek:field:: write_raw :zeek:type:`bool`
+
+      Write raw supported
+
+
+
+.. zeek:type:: SMB1::NegotiateResponse
+   :source-code: base/init-bare.zeek 4214 4223
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: core :zeek:type:`SMB1::NegotiateResponseCore` :zeek:attr:`&optional`
+
+      If the server does not understand any of the dialect strings, or if
+      PC NETWORK PROGRAM 1.0 is the chosen dialect.
+
+
+   .. zeek:field:: lanman :zeek:type:`SMB1::NegotiateResponseLANMAN` :zeek:attr:`&optional`
+
+      If the chosen dialect is greater than core up to and including
+      LANMAN 2.1.
+
+
+   .. zeek:field:: ntlm :zeek:type:`SMB1::NegotiateResponseNTLM` :zeek:attr:`&optional`
+
+      If the chosen dialect is NT LM 0.12.
+
+
+
+.. zeek:type:: SMB1::NegotiateResponseCore
+   :source-code: base/init-bare.zeek 4143 4146
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dialect_index :zeek:type:`count`
+
+      Index of selected dialect
+
+
+
+.. zeek:type:: SMB1::NegotiateResponseLANMAN
+   :source-code: base/init-bare.zeek 4148 4174
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: word_count :zeek:type:`count`
+
+      Count of parameter words (should be 13)
+
+
+   .. zeek:field:: dialect_index :zeek:type:`count`
+
+      Index of selected dialect
+
+
+   .. zeek:field:: security_mode :zeek:type:`SMB1::NegotiateResponseSecurity`
+
+      Security mode
+
+
+   .. zeek:field:: max_buffer_size :zeek:type:`count`
+
+      Max transmit buffer size (>= 1024)
+
+
+   .. zeek:field:: max_mpx_count :zeek:type:`count`
+
+      Max pending multiplexed requests
+
+
+   .. zeek:field:: max_number_vcs :zeek:type:`count`
+
+      Max number of virtual circuits (VCs - transport-layer connections)
+      between client and server
+
+
+   .. zeek:field:: raw_mode :zeek:type:`SMB1::NegotiateRawMode`
+
+      Raw mode
+
+
+   .. zeek:field:: session_key :zeek:type:`count`
+
+      Unique token identifying this session
+
+
+   .. zeek:field:: server_time :zeek:type:`time`
+
+      Current date and time at server
+
+
+   .. zeek:field:: encryption_key :zeek:type:`string`
+
+      The challenge encryption key
+
+
+   .. zeek:field:: primary_domain :zeek:type:`string`
+
+      The server's primary domain
+
+
+
+.. zeek:type:: SMB1::NegotiateResponseNTLM
+   :source-code: base/init-bare.zeek 4176 4212
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: word_count :zeek:type:`count`
+
+      Count of parameter words (should be 17)
+
+
+   .. zeek:field:: dialect_index :zeek:type:`count`
+
+      Index of selected dialect
+
+
+   .. zeek:field:: security_mode :zeek:type:`SMB1::NegotiateResponseSecurity`
+
+      Security mode
+
+
+   .. zeek:field:: max_buffer_size :zeek:type:`count`
+
+      Max transmit buffer size
+
+
+   .. zeek:field:: max_mpx_count :zeek:type:`count`
+
+      Max pending multiplexed requests
+
+
+   .. zeek:field:: max_number_vcs :zeek:type:`count`
+
+      Max number of virtual circuits (VCs - transport-layer connections)
+      between client and server
+
+
+   .. zeek:field:: max_raw_size :zeek:type:`count`
+
+      Max raw buffer size
+
+
+   .. zeek:field:: session_key :zeek:type:`count`
+
+      Unique token identifying this session
+
+
+   .. zeek:field:: capabilities :zeek:type:`SMB1::NegotiateCapabilities`
+
+      Server capabilities
+
+
+   .. zeek:field:: server_time :zeek:type:`time`
+
+      Current date and time at server
+
+
+   .. zeek:field:: encryption_key :zeek:type:`string` :zeek:attr:`&optional`
+
+      The challenge encryption key.
+      Present only for non-extended security (i.e. capabilities$extended_security = F)
+
+
+   .. zeek:field:: domain_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      The name of the domain.
+      Present only for non-extended security (i.e. capabilities$extended_security = F)
+
+
+   .. zeek:field:: guid :zeek:type:`string` :zeek:attr:`&optional`
+
+      A globally unique identifier assigned to the server.
+      Present only for extended security (i.e. capabilities$extended_security = T)
+
+
+   .. zeek:field:: security_blob :zeek:type:`string`
+
+      Opaque security blob associated with the security package if capabilities$extended_security = T
+      Otherwise, the challenge for challenge/response authentication.
+
+
+
+.. zeek:type:: SMB1::NegotiateResponseSecurity
+   :source-code: base/init-bare.zeek 4126 4141
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: user_level :zeek:type:`bool`
+
+      This indicates whether the server, as a whole, is operating under
+      Share Level or User Level security.
+
+
+   .. zeek:field:: challenge_response :zeek:type:`bool`
+
+      This indicates whether or not the server supports Challenge/Response
+      authentication. If the bit is false, then plaintext passwords must
+      be used.
+
+
+   .. zeek:field:: signatures_enabled :zeek:type:`bool` :zeek:attr:`&optional`
+
+      This indicates if the server is capable of performing MAC message
+      signing. Note: Requires NT LM 0.12 or later.
+
+
+   .. zeek:field:: signatures_required :zeek:type:`bool` :zeek:attr:`&optional`
+
+      This indicates if the server is requiring the use of a MAC in each
+      packet. If false, message signing is optional. Note: Requires NT LM 0.12
+      or later.
+
+
+
+.. zeek:type:: SMB1::SessionSetupAndXCapabilities
+   :source-code: base/init-bare.zeek 4225 4239
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: unicode :zeek:type:`bool`
+
+      The client can use unicode strings
+
+
+   .. zeek:field:: large_files :zeek:type:`bool`
+
+      The client can deal with files having 64 bit offsets
+
+
+   .. zeek:field:: nt_smbs :zeek:type:`bool`
+
+      The client understands the SMBs introduced with NT LM 0.12
+      Implies nt_find
+
+
+   .. zeek:field:: status32 :zeek:type:`bool`
+
+      The client can receive 32 bit errors encoded in Status.Status
+
+
+   .. zeek:field:: level_2_oplocks :zeek:type:`bool`
+
+      The client understands Level II oplocks
+
+
+   .. zeek:field:: nt_find :zeek:type:`bool`
+
+      Reserved. Implied by nt_smbs.
+
+
+
+.. zeek:type:: SMB1::SessionSetupAndXRequest
+   :source-code: base/init-bare.zeek 4241 4283
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: word_count :zeek:type:`count`
+
+      Count of parameter words
+         - 10 for pre NT LM 0.12
+         - 12 for NT LM 0.12 with extended security
+         - 13 for NT LM 0.12 without extended security
+
+
+   .. zeek:field:: max_buffer_size :zeek:type:`count`
+
+      Client maximum buffer size
+
+
+   .. zeek:field:: max_mpx_count :zeek:type:`count`
+
+      Actual maximum multiplexed pending request
+
+
+   .. zeek:field:: vc_number :zeek:type:`count`
+
+      Virtual circuit number. First VC == 0
+
+
+   .. zeek:field:: session_key :zeek:type:`count`
+
+      Session key (valid iff vc_number > 0)
+
+
+   .. zeek:field:: native_os :zeek:type:`string`
+
+      Client's native operating system
+
+
+   .. zeek:field:: native_lanman :zeek:type:`string`
+
+      Client's native LAN Manager type
+
+
+   .. zeek:field:: account_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Account name
+      Note: not set for NT LM 0.12 with extended security
+
+
+   .. zeek:field:: account_password :zeek:type:`string` :zeek:attr:`&optional`
+
+      If challenge/response auth is not being used, this is the password.
+      Otherwise, it's the response to the server's challenge.
+      Note: Only set for pre NT LM 0.12
+
+
+   .. zeek:field:: primary_domain :zeek:type:`string` :zeek:attr:`&optional`
+
+      Client's primary domain, if known
+      Note: not set for NT LM 0.12 with extended security
+
+
+   .. zeek:field:: case_insensitive_password :zeek:type:`string` :zeek:attr:`&optional`
+
+      Case insensitive password
+      Note: only set for NT LM 0.12 without extended security
+
+
+   .. zeek:field:: case_sensitive_password :zeek:type:`string` :zeek:attr:`&optional`
+
+      Case sensitive password
+      Note: only set for NT LM 0.12 without extended security
+
+
+   .. zeek:field:: security_blob :zeek:type:`string` :zeek:attr:`&optional`
+
+      Security blob
+      Note: only set for NT LM 0.12 with extended security
+
+
+   .. zeek:field:: capabilities :zeek:type:`SMB1::SessionSetupAndXCapabilities` :zeek:attr:`&optional`
+
+      Client capabilities
+      Note: only set for NT LM 0.12
+
+
+
+.. zeek:type:: SMB1::SessionSetupAndXResponse
+   :source-code: base/init-bare.zeek 4285 4298
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: word_count :zeek:type:`count`
+
+      Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)
+
+
+   .. zeek:field:: is_guest :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Were we logged in as a guest user?
+
+
+   .. zeek:field:: native_os :zeek:type:`string` :zeek:attr:`&optional`
+
+      Server's native operating system
+
+
+   .. zeek:field:: native_lanman :zeek:type:`string` :zeek:attr:`&optional`
+
+      Server's native LAN Manager type
+
+
+   .. zeek:field:: primary_domain :zeek:type:`string` :zeek:attr:`&optional`
+
+      Server's primary domain
+
+
+   .. zeek:field:: security_blob :zeek:type:`string` :zeek:attr:`&optional`
+
+      Security blob if NTLM
+
+
+
+.. zeek:type:: SMB1::Trans2_Args
+   :source-code: base/init-bare.zeek 4300 4325
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: total_param_count :zeek:type:`count`
+
+      Total parameter count
+
+
+   .. zeek:field:: total_data_count :zeek:type:`count`
+
+      Total data count
+
+
+   .. zeek:field:: max_param_count :zeek:type:`count`
+
+      Max parameter count
+
+
+   .. zeek:field:: max_data_count :zeek:type:`count`
+
+      Max data count
+
+
+   .. zeek:field:: max_setup_count :zeek:type:`count`
+
+      Max setup count
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      Flags
+
+
+   .. zeek:field:: trans_timeout :zeek:type:`count`
+
+      Timeout
+
+
+   .. zeek:field:: param_count :zeek:type:`count`
+
+      Parameter count
+
+
+   .. zeek:field:: param_offset :zeek:type:`count`
+
+      Parameter offset
+
+
+   .. zeek:field:: data_count :zeek:type:`count`
+
+      Data count
+
+
+   .. zeek:field:: data_offset :zeek:type:`count`
+
+      Data offset
+
+
+   .. zeek:field:: setup_count :zeek:type:`count`
+
+      Setup count
+
+
+
+.. zeek:type:: SMB1::Trans2_Sec_Args
+   :source-code: base/init-bare.zeek 4346 4365
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: total_param_count :zeek:type:`count`
+
+      Total parameter count
+
+
+   .. zeek:field:: total_data_count :zeek:type:`count`
+
+      Total data count
+
+
+   .. zeek:field:: param_count :zeek:type:`count`
+
+      Parameter count
+
+
+   .. zeek:field:: param_offset :zeek:type:`count`
+
+      Parameter offset
+
+
+   .. zeek:field:: param_displacement :zeek:type:`count`
+
+      Parameter displacement
+
+
+   .. zeek:field:: data_count :zeek:type:`count`
+
+      Data count
+
+
+   .. zeek:field:: data_offset :zeek:type:`count`
+
+      Data offset
+
+
+   .. zeek:field:: data_displacement :zeek:type:`count`
+
+      Data displacement
+
+
+   .. zeek:field:: FID :zeek:type:`count`
+
+      File ID
+
+
+
+.. zeek:type:: SMB1::Trans_Sec_Args
+   :source-code: base/init-bare.zeek 4327 4344
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: total_param_count :zeek:type:`count`
+
+      Total parameter count
+
+
+   .. zeek:field:: total_data_count :zeek:type:`count`
+
+      Total data count
+
+
+   .. zeek:field:: param_count :zeek:type:`count`
+
+      Parameter count
+
+
+   .. zeek:field:: param_offset :zeek:type:`count`
+
+      Parameter offset
+
+
+   .. zeek:field:: param_displacement :zeek:type:`count`
+
+      Parameter displacement
+
+
+   .. zeek:field:: data_count :zeek:type:`count`
+
+      Data count
+
+
+   .. zeek:field:: data_offset :zeek:type:`count`
+
+      Data offset
+
+
+   .. zeek:field:: data_displacement :zeek:type:`count`
+
+      Data displacement
+
+
+
+.. zeek:type:: SMB2::CloseResponse
+   :source-code: base/init-bare.zeek 4508 4517
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: alloc_size :zeek:type:`count`
+
+      The size, in bytes of the data that is allocated to the file.
+
+
+   .. zeek:field:: eof :zeek:type:`count`
+
+      The size, in bytes, of the file.
+
+
+   .. zeek:field:: times :zeek:type:`SMB::MACTimes`
+
+      The creation, last access, last write, and change times.
+
+
+   .. zeek:field:: attrs :zeek:type:`SMB2::FileAttrs`
+
+      The attributes of the file.
+
+
+   The response to an SMB2 *close* request, which is used by the client to close an instance
+   of a file that was opened previously.
+   
+   For more information, see MS-SMB2:2.2.16
+   
+   .. zeek:see:: smb2_close_response
+
+.. zeek:type:: SMB2::CompressionCapabilities
+   :source-code: base/init-bare.zeek 4549 4554
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: alg_count :zeek:type:`count`
+
+      The number of algorithms.
+
+
+   .. zeek:field:: algs :zeek:type:`vector` of :zeek:type:`count`
+
+      An array of compression algorithms.
+
+
+   Compression information as defined in SMB v. 3.1.1
+   
+   For more information, see MS-SMB2:2.3.1.3
+   
+
+.. zeek:type:: SMB2::CreateRequest
+   :source-code: base/init-bare.zeek 4656 4663
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: filename :zeek:type:`string`
+
+      Name of the file
+
+
+   .. zeek:field:: disposition :zeek:type:`count`
+
+      Defines the action the server MUST take if the file that is specified already exists.
+
+
+   .. zeek:field:: create_options :zeek:type:`count`
+
+      Specifies the options to be applied when creating or opening the file.
+
+
+   The request sent by the client to request either creation of or access to a file.
+   
+   For more information, see MS-SMB2:2.2.13
+   
+   .. zeek:see:: smb2_create_request
+
+.. zeek:type:: SMB2::CreateResponse
+   :source-code: base/init-bare.zeek 4671 4682
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: file_id :zeek:type:`SMB2::GUID`
+
+      The SMB2 GUID for the file.
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      Size of the file.
+
+
+   .. zeek:field:: times :zeek:type:`SMB::MACTimes`
+
+      Timestamps associated with the file in question.
+
+
+   .. zeek:field:: attrs :zeek:type:`SMB2::FileAttrs`
+
+      File attributes.
+
+
+   .. zeek:field:: create_action :zeek:type:`count`
+
+      The action taken in establishing the open.
+
+
+   The response to an SMB2 *create_request* request, which is sent by the client to request
+   either creation of or access to a file.
+   
+   For more information, see MS-SMB2:2.2.14
+   
+   .. zeek:see:: smb2_create_response
+
+.. zeek:type:: SMB2::EncryptionCapabilities
+   :source-code: base/init-bare.zeek 4538 4543
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cipher_count :zeek:type:`count`
+
+      The number of ciphers.
+
+
+   .. zeek:field:: ciphers :zeek:type:`vector` of :zeek:type:`count`
+
+      An array of ciphers.
+
+
+   Encryption information as defined in SMB v. 3.1.1
+   
+   For more information, see MS-SMB2:2.3.1.2
+   
+
+.. zeek:type:: SMB2::FileAttrs
+   :source-code: base/init-bare.zeek 4457 4500
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: read_only :zeek:type:`bool`
+
+      The file is read only. Applications can read the file but cannot
+      write to it or delete it.
+
+
+   .. zeek:field:: hidden :zeek:type:`bool`
+
+      The file is hidden. It is not to be included in an ordinary directory listing.
+
+
+   .. zeek:field:: system :zeek:type:`bool`
+
+      The file is part of or is used exclusively by the operating system.
+
+
+   .. zeek:field:: directory :zeek:type:`bool`
+
+      The file is a directory.
+
+
+   .. zeek:field:: archive :zeek:type:`bool`
+
+      The file has not been archived since it was last modified. Applications use
+      this attribute to mark files for backup or removal.
+
+
+   .. zeek:field:: normal :zeek:type:`bool`
+
+      The file has no other attributes set. This attribute is valid only if used alone.
+
+
+   .. zeek:field:: temporary :zeek:type:`bool`
+
+      The file is temporary. This is a hint to the cache manager that it does not need
+      to flush the file to backing storage.
+
+
+   .. zeek:field:: sparse_file :zeek:type:`bool`
+
+      A file that is a sparse file.
+
+
+   .. zeek:field:: reparse_point :zeek:type:`bool`
+
+      A file or directory that has an associated reparse point.
+
+
+   .. zeek:field:: compressed :zeek:type:`bool`
+
+      The file or directory is compressed. For a file, this means that all of the data
+      in the file is compressed. For a directory, this means that compression is the
+      default for newly created files and subdirectories.
+
+
+   .. zeek:field:: offline :zeek:type:`bool`
+
+      The data in this file is not available immediately. This attribute indicates that
+      the file data is physically moved to offline storage. This attribute is used by
+      Remote Storage, which is hierarchical storage management software.
+
+
+   .. zeek:field:: not_content_indexed :zeek:type:`bool`
+
+      A file or directory that is not indexed by the content indexing service.
+
+
+   .. zeek:field:: encrypted :zeek:type:`bool`
+
+      A file or directory that is encrypted. For a file, all data streams in the file
+      are encrypted. For a directory, encryption is the default for newly created files
+      and subdirectories.
+
+
+   .. zeek:field:: integrity_stream :zeek:type:`bool`
+
+      A file or directory that is configured with integrity support. For a file, all
+      data streams in the file have integrity support. For a directory, integrity support
+      is the default for newly created files and subdirectories, unless the caller
+      specifies otherwise.
+
+
+   .. zeek:field:: no_scrub_data :zeek:type:`bool`
+
+      A file or directory that is configured to be excluded from the data integrity scan.
+
+
+   A series of boolean flags describing basic and extended file attributes for SMB2.
+   
+   For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6
+   
+   .. zeek:see:: smb2_create_response
+
+.. zeek:type:: SMB2::FileEA
+   :source-code: base/init-bare.zeek 4707 4712
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ea_name :zeek:type:`string`
+
+      Specifies the extended attribute name
+
+
+   .. zeek:field:: ea_value :zeek:type:`string`
+
+      Contains the extended attribute value
+
+
+   This information class is used to query or set extended attribute (EA) information for a file.
+   
+   For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15
+   
+
+.. zeek:type:: SMB2::FileEAs
+   :source-code: base/init-bare.zeek 4718 4718
+
+   :Type: :zeek:type:`vector` of :zeek:type:`SMB2::FileEA`
+
+   A vector of extended attribute (EA) information for a file.
+   
+   For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15
+   
+
+.. zeek:type:: SMB2::Fscontrol
+   :source-code: base/init-bare.zeek 4688 4701
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: free_space_start_filtering :zeek:type:`int`
+
+      minimum amount of free disk space required to begin document filtering
+
+
+   .. zeek:field:: free_space_threshold :zeek:type:`int`
+
+      minimum amount of free disk space required to continue filtering documents and merging word lists
+
+
+   .. zeek:field:: free_space_stop_filtering :zeek:type:`int`
+
+      minimum amount of free disk space required to continue content filtering
+
+
+   .. zeek:field:: delete_quota_threshold :zeek:type:`count`
+
+      default per-user disk quota
+
+
+   .. zeek:field:: default_quota_limit :zeek:type:`count`
+
+      default per-user disk limit
+
+
+   .. zeek:field:: fs_control_flags :zeek:type:`count`
+
+      file systems control flags passed as unsigned int
+
+
+   A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2.
+   
+   For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2
+   
+
+.. zeek:type:: SMB2::GUID
+   :source-code: base/init-bare.zeek 4445 4450
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: persistent :zeek:type:`count`
+
+      A file handle that remains persistent when reconnected after a disconnect
+
+
+   .. zeek:field:: volatile :zeek:type:`count`
+
+      A file handle that can be changed when reconnected after a disconnect
+
+
+   An SMB2 globally unique identifier which identifies a file.
+   
+   For more information, see MS-SMB2:2.2.14.1
+   
+   .. zeek:see:: smb2_close_request smb2_create_response smb2_read_request
+      smb2_file_rename smb2_file_delete smb2_write_request
+
+.. zeek:type:: SMB2::Header
+   :source-code: base/init-bare.zeek 4412 4437
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: credit_charge :zeek:type:`count`
+
+      The number of credits that this request consumes
+
+
+   .. zeek:field:: status :zeek:type:`count`
+
+      In a request, this is an indication to the server about the client's channel
+      change. In a response, this is the status field
+
+
+   .. zeek:field:: command :zeek:type:`count`
+
+      The command code of the packet
+
+
+   .. zeek:field:: credits :zeek:type:`count`
+
+      The number of credits the client is requesting, or the number of credits
+      granted to the client in a response.
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      A flags field, which indicates how to process the operation (e.g. asynchronously)
+
+
+   .. zeek:field:: message_id :zeek:type:`count`
+
+      A value that uniquely identifies the message request/response pair across all
+      messages that are sent on the same transport protocol connection
+
+
+   .. zeek:field:: process_id :zeek:type:`count`
+
+      A value that uniquely identifies the process that generated the event.
+
+
+   .. zeek:field:: tree_id :zeek:type:`count`
+
+      A value that uniquely identifies the tree connect for the command.
+
+
+   .. zeek:field:: session_id :zeek:type:`count`
+
+      A value that uniquely identifies the established session for the command.
+
+
+   .. zeek:field:: signature :zeek:type:`string`
+
+      The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the ``flags``
+      field.
+
+
+   An SMB2 header.
+   
+   For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2
+   
+   .. zeek:see:: smb2_message smb2_close_request smb2_close_response
+      smb2_create_request smb2_create_response smb2_negotiate_request
+      smb2_negotiate_response smb2_read_request
+      smb2_session_setup_request smb2_session_setup_response
+      smb2_file_rename smb2_file_delete
+      smb2_tree_connect_request smb2_tree_connect_response
+      smb2_write_request
+
+.. zeek:type:: SMB2::NegotiateContextValue
+   :source-code: base/init-bare.zeek 4560 4573
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: context_type :zeek:type:`count`
+
+      Specifies the type of context (preauth or encryption).
+
+
+   .. zeek:field:: data_length :zeek:type:`count`
+
+      The length in byte of the data field.
+
+
+   .. zeek:field:: preauth_info :zeek:type:`SMB2::PreAuthIntegrityCapabilities` :zeek:attr:`&optional`
+
+      The preauthentication information.
+
+
+   .. zeek:field:: encryption_info :zeek:type:`SMB2::EncryptionCapabilities` :zeek:attr:`&optional`
+
+      The encryption information.
+
+
+   .. zeek:field:: compression_info :zeek:type:`SMB2::CompressionCapabilities` :zeek:attr:`&optional`
+
+      The compression information.
+
+
+   .. zeek:field:: netname :zeek:type:`string` :zeek:attr:`&optional`
+
+      Indicates the server name the client must connect to.
+
+
+   The context type information as defined in SMB v. 3.1.1
+   
+   For more information, see MS-SMB2:2.3.1
+   
+
+.. zeek:type:: SMB2::NegotiateContextValues
+   :source-code: base/init-bare.zeek 4575 4575
+
+   :Type: :zeek:type:`vector` of :zeek:type:`SMB2::NegotiateContextValue`
+
+
+.. zeek:type:: SMB2::NegotiateResponse
+   :source-code: base/init-bare.zeek 4583 4600
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dialect_revision :zeek:type:`count`
+
+      The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2
+      NEGOTIATE Request.
+
+
+   .. zeek:field:: security_mode :zeek:type:`count`
+
+      The security mode field specifies whether SMB signing is enabled, required at the server, or both.
+
+
+   .. zeek:field:: server_guid :zeek:type:`SMB2::GUID`
+
+      A globally unique identifier that is generate by the server to uniquely identify the server.
+
+
+   .. zeek:field:: system_time :zeek:type:`time`
+
+      The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.
+
+
+   .. zeek:field:: server_start_time :zeek:type:`time`
+
+      The SMB2 server start time.
+
+
+   .. zeek:field:: negotiate_context_count :zeek:type:`count`
+
+      The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0.
+
+
+   .. zeek:field:: negotiate_context_values :zeek:type:`SMB2::NegotiateContextValues`
+
+      An array of context values in SMB v. 3.1.1.
+
+
+   The response to an SMB2 *negotiate* request, which is used by the client to notify the server
+   what dialects of the SMB2 protocol the client understands.
+   
+   For more information, see MS-SMB2:2.2.4
+   
+   .. zeek:see:: smb2_negotiate_response
+
+.. zeek:type:: SMB2::PreAuthIntegrityCapabilities
+   :source-code: base/init-bare.zeek 4523 4532
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: hash_alg_count :zeek:type:`count`
+
+      The number of hash algorithms.
+
+
+   .. zeek:field:: salt_length :zeek:type:`count`
+
+      The salt length.
+
+
+   .. zeek:field:: hash_alg :zeek:type:`vector` of :zeek:type:`count`
+
+      An array of hash algorithms (counts).
+
+
+   .. zeek:field:: salt :zeek:type:`string`
+
+      The salt.
+
+
+   Preauthentication information as defined in SMB v. 3.1.1
+   
+   For more information, see MS-SMB2:2.3.1.1
+   
+
+.. zeek:type:: SMB2::SessionSetupFlags
+   :source-code: base/init-bare.zeek 4619 4626
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: guest :zeek:type:`bool`
+
+      If set, the client has been authenticated as a guest user.
+
+
+   .. zeek:field:: anonymous :zeek:type:`bool`
+
+      If set, the client has been authenticated as an anonymous user.
+
+
+   .. zeek:field:: encrypt :zeek:type:`bool`
+
+      If set, the server requires encryption of messages on this session.
+
+
+   A flags field that indicates additional information about the session that's sent in the
+   *session_setup* response.
+   
+   For more information, see MS-SMB2:2.2.6
+   
+   .. zeek:see:: smb2_session_setup_response
+
+.. zeek:type:: SMB2::SessionSetupRequest
+   :source-code: base/init-bare.zeek 4608 4611
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: security_mode :zeek:type:`count`
+
+      The security mode field specifies whether SMB signing is enabled or required at the client.
+
+
+   The request sent by the client to request a new authenticated session
+   within a new or existing SMB 2 Protocol transport connection to the server.
+   
+   For more information, see MS-SMB2:2.2.5
+   
+   .. zeek:see:: smb2_session_setup_request
+
+.. zeek:type:: SMB2::SessionSetupResponse
+   :source-code: base/init-bare.zeek 4635 4638
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: flags :zeek:type:`SMB2::SessionSetupFlags`
+
+      Additional information about the session
+
+
+   The response to an SMB2 *session_setup* request, which is sent by the client to request a
+   new authenticated session within a new or existing SMB 2 Protocol transport connection
+   to the server.
+   
+   For more information, see MS-SMB2:2.2.6
+   
+   .. zeek:see:: smb2_session_setup_response
+
+.. zeek:type:: SMB2::Transform_header
+   :source-code: base/init-bare.zeek 4731 4742
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: signature :zeek:type:`string`
+
+      The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey.
+
+
+   .. zeek:field:: nonce :zeek:type:`string`
+
+      An implementation specific value assigned for every encrypted message.
+
+
+   .. zeek:field:: orig_msg_size :zeek:type:`count`
+
+      The size, in bytes, of the SMB2 message.
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      A flags field, interpreted in different ways depending of the SMB2 dialect.
+
+
+   .. zeek:field:: session_id :zeek:type:`count`
+
+      A value that uniquely identifies the established session for the command.
+
+
+   An SMB2 transform header (for SMB 3.x dialects with encryption enabled).
+   
+   For more information, see MS-SMB2:2.2.41
+   
+   .. zeek:see:: smb2_transform_header smb2_message smb2_close_request smb2_close_response
+      smb2_create_request smb2_create_response smb2_negotiate_request
+      smb2_negotiate_response smb2_read_request
+      smb2_session_setup_request smb2_session_setup_response
+      smb2_file_rename smb2_file_delete
+      smb2_tree_connect_request smb2_tree_connect_response
+      smb2_write_request
+
+.. zeek:type:: SMB2::TreeConnectResponse
+   :source-code: base/init-bare.zeek 4646 4649
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: share_type :zeek:type:`count`
+
+      The type of share being accessed. Physical disk, named pipe, or printer.
+
+
+   The response to an SMB2 *tree_connect* request, which is sent by the client to request
+   access to a particular share on the server.
+   
+   For more information, see MS-SMB2:2.2.9
+   
+   .. zeek:see:: smb2_tree_connect_response
+
+.. zeek:type:: SMB::MACTimes
+   :source-code: base/init-bare.zeek 4000 4017
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: modified :zeek:type:`time` :zeek:attr:`&log`
+
+      The time when data was last written to the file.
+
+
+   .. zeek:field:: modified_raw :zeek:type:`count`
+
+      Same as `modified` but in SMB's original `FILETIME` integer format.
+
+
+   .. zeek:field:: accessed :zeek:type:`time` :zeek:attr:`&log`
+
+      The time when the file was last accessed.
+
+
+   .. zeek:field:: accessed_raw :zeek:type:`count`
+
+      Same as `accessed` but in SMB's original `FILETIME` integer format.
+
+
+   .. zeek:field:: created :zeek:type:`time` :zeek:attr:`&log`
+
+      The time the file was created.
+
+
+   .. zeek:field:: created_raw :zeek:type:`count`
+
+      Same as `created` but in SMB's original `FILETIME` integer format.
+
+
+   .. zeek:field:: changed :zeek:type:`time` :zeek:attr:`&log`
+
+      The time when the file was last modified.
+
+
+   .. zeek:field:: changed_raw :zeek:type:`count`
+
+      Same as `changed` but in SMB's original `FILETIME` integer format.
+
+
+   MAC times for a file.
+   
+   For more information, see MS-SMB2:2.2.16
+   
+   .. zeek:see:: smb1_nt_create_andx_response smb2_create_response
+
+.. zeek:type:: SNMP::Binding
+   :source-code: base/init-bare.zeek 5365 5368
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: oid :zeek:type:`string`
+
+
+   .. zeek:field:: value :zeek:type:`SNMP::ObjectValue`
+
+
+   The ``VarBind`` data structure from either :rfc:`1157` or
+   :rfc:`3416`, which maps an Object Identifier to a value.
+
+.. zeek:type:: SNMP::Bindings
+   :source-code: base/init-bare.zeek 5372 5372
+
+   :Type: :zeek:type:`vector` of :zeek:type:`SNMP::Binding`
+
+   A ``VarBindList`` data structure from either :rfc:`1157` or :rfc:`3416`.
+   A sequences of :zeek:see:`SNMP::Binding`, which maps an OIDs to values.
+
+.. zeek:type:: SNMP::BulkPDU
+   :source-code: base/init-bare.zeek 5393 5398
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: request_id :zeek:type:`int`
+
+
+   .. zeek:field:: non_repeaters :zeek:type:`count`
+
+
+   .. zeek:field:: max_repetitions :zeek:type:`count`
+
+
+   .. zeek:field:: bindings :zeek:type:`SNMP::Bindings`
+
+
+   A ``BulkPDU`` data structure from :rfc:`3416`.
+
+.. zeek:type:: SNMP::Header
+   :source-code: base/init-bare.zeek 5320 5325
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+
+   .. zeek:field:: v1 :zeek:type:`SNMP::HeaderV1` :zeek:attr:`&optional`
+
+      Set when ``version`` is 0.
+
+
+   .. zeek:field:: v2 :zeek:type:`SNMP::HeaderV2` :zeek:attr:`&optional`
+
+      Set when ``version`` is 1.
+
+
+   .. zeek:field:: v3 :zeek:type:`SNMP::HeaderV3` :zeek:attr:`&optional`
+
+      Set when ``version`` is 3.
+
+
+   A generic SNMP header data structure that may include data from
+   any version of SNMP.  The value of the ``version`` field
+   determines what header field is initialized.
+
+.. zeek:type:: SNMP::HeaderV1
+   :source-code: base/init-bare.zeek 5285 5287
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: community :zeek:type:`string`
+
+
+   The top-level message data structure of an SNMPv1 datagram, not
+   including the PDU data.  See :rfc:`1157`.
+
+.. zeek:type:: SNMP::HeaderV2
+   :source-code: base/init-bare.zeek 5291 5293
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: community :zeek:type:`string`
+
+
+   The top-level message data structure of an SNMPv2 datagram, not
+   including the PDU data.  See :rfc:`1901`.
+
+.. zeek:type:: SNMP::HeaderV3
+   :source-code: base/init-bare.zeek 5305 5315
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+
+   .. zeek:field:: max_size :zeek:type:`count`
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+
+   .. zeek:field:: auth_flag :zeek:type:`bool`
+
+
+   .. zeek:field:: priv_flag :zeek:type:`bool`
+
+
+   .. zeek:field:: reportable_flag :zeek:type:`bool`
+
+
+   .. zeek:field:: security_model :zeek:type:`count`
+
+
+   .. zeek:field:: security_params :zeek:type:`string`
+
+
+   .. zeek:field:: pdu_context :zeek:type:`SNMP::ScopedPDU_Context` :zeek:attr:`&optional`
+
+
+   The top-level message data structure of an SNMPv3 datagram, not
+   including the PDU data.  See :rfc:`3412`.
+
+.. zeek:type:: SNMP::ObjectValue
+   :source-code: base/init-bare.zeek 5336 5343
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: tag :zeek:type:`count`
+
+
+   .. zeek:field:: oid :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: signed :zeek:type:`int` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: unsigned :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: address :zeek:type:`addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: octets :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   A generic SNMP object value, that may include any of the
+   valid ``ObjectSyntax`` values from :rfc:`1155` or :rfc:`3416`.
+   The value is decoded whenever possible and assigned to
+   the appropriate field, which can be determined from the value
+   of the ``tag`` field.  For tags that can't be mapped to an
+   appropriate type, the ``octets`` field holds the BER encoded
+   ASN.1 content if there is any (though, ``octets`` is may also
+   be used for other tags such as OCTET STRINGS or Opaque).  Null
+   values will only have their corresponding tag value set.
+
+.. zeek:type:: SNMP::PDU
+   :source-code: base/init-bare.zeek 5375 5380
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: request_id :zeek:type:`int`
+
+
+   .. zeek:field:: error_status :zeek:type:`int`
+
+
+   .. zeek:field:: error_index :zeek:type:`int`
+
+
+   .. zeek:field:: bindings :zeek:type:`SNMP::Bindings`
+
+
+   A ``PDU`` data structure from either :rfc:`1157` or :rfc:`3416`.
+
+.. zeek:type:: SNMP::ScopedPDU_Context
+   :source-code: base/init-bare.zeek 5298 5301
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: engine_id :zeek:type:`string`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+
+   The ``ScopedPduData`` data structure of an SNMPv3 datagram, not
+   including the PDU data (i.e. just the "context" fields).
+   See :rfc:`3412`.
+
+.. zeek:type:: SNMP::TrapPDU
+   :source-code: base/init-bare.zeek 5383 5390
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: enterprise :zeek:type:`string`
+
+
+   .. zeek:field:: agent :zeek:type:`addr`
+
+
+   .. zeek:field:: generic_trap :zeek:type:`int`
+
+
+   .. zeek:field:: specific_trap :zeek:type:`int`
+
+
+   .. zeek:field:: time_stamp :zeek:type:`count`
+
+
+   .. zeek:field:: bindings :zeek:type:`SNMP::Bindings`
+
+
+   A ``Trap-PDU`` data structure from :rfc:`1157`.
+
+.. zeek:type:: SOCKS::Address
+   :source-code: base/init-bare.zeek 5141 5144
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+   :Attributes: :zeek:attr:`&log`
+
+   This record is for a SOCKS client or server to provide either a
+   name or an address to represent a desired or established connection.
+
+.. zeek:type:: SSH::Algorithm_Prefs
+   :source-code: base/init-bare.zeek 3822 3827
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: client_to_server :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      The algorithm preferences for client to server communication
+
+
+   .. zeek:field:: server_to_client :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      The algorithm preferences for server to client communication
+
+
+   The client and server each have some preferences for the algorithms used
+   in each direction.
+
+.. zeek:type:: SSH::Capabilities
+   :source-code: base/init-bare.zeek 3834 3849
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: kex_algorithms :zeek:type:`string_vec`
+
+      Key exchange algorithms
+
+
+   .. zeek:field:: server_host_key_algorithms :zeek:type:`string_vec`
+
+      The algorithms supported for the server host key
+
+
+   .. zeek:field:: encryption_algorithms :zeek:type:`SSH::Algorithm_Prefs`
+
+      Symmetric encryption algorithm preferences
+
+
+   .. zeek:field:: mac_algorithms :zeek:type:`SSH::Algorithm_Prefs`
+
+      Symmetric MAC algorithm preferences
+
+
+   .. zeek:field:: compression_algorithms :zeek:type:`SSH::Algorithm_Prefs`
+
+      Compression algorithm preferences
+
+
+   .. zeek:field:: languages :zeek:type:`SSH::Algorithm_Prefs` :zeek:attr:`&optional`
+
+      Language preferences
+
+
+   .. zeek:field:: is_server :zeek:type:`bool`
+
+      Are these the capabilities of the server?
+
+
+   This record lists the preferences of an SSH endpoint for
+   algorithm selection. During the initial :abbr:`SSH (Secure Shell)`
+   key exchange, each endpoint lists the algorithms
+   that it supports, in order of preference. See
+   :rfc:`4253#section-7.1` for details.
+
+.. zeek:type:: SSL::PSKIdentity
+   :source-code: base/init-bare.zeek 5053 5056
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: identity :zeek:type:`string`
+
+      PSK identity
+
+
+   .. zeek:field:: obfuscated_ticket_age :zeek:type:`count`
+
+
+
+.. zeek:type:: SSL::SignatureAndHashAlgorithm
+   :source-code: base/init-bare.zeek 5048 5051
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: HashAlgorithm :zeek:type:`count`
+
+      Hash algorithm number
+
+
+   .. zeek:field:: SignatureAlgorithm :zeek:type:`count`
+
+      Signature algorithm number
+
+
+
+.. zeek:type:: SYN_packet
+   :source-code: base/init-bare.zeek 1046 1057
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: is_orig :zeek:type:`bool`
+
+      True if the packet was sent the connection's originator.
+
+
+   .. zeek:field:: DF :zeek:type:`bool`
+
+      True if the *don't fragment* is set in the IP header.
+
+
+   .. zeek:field:: ttl :zeek:type:`count`
+
+      The IP header's time-to-live.
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      The size of the packet's payload as specified in the IP header.
+
+
+   .. zeek:field:: win_size :zeek:type:`count`
+
+      The window size from the TCP header.
+
+
+   .. zeek:field:: win_scale :zeek:type:`int`
+
+      The window scale option if present, or -1 if not.
+
+
+   .. zeek:field:: MSS :zeek:type:`count`
+
+      The maximum segment size if present, or 0 if not.
+
+
+   .. zeek:field:: SACK_OK :zeek:type:`bool`
+
+      True if the *SACK* option (Selective ACKnowledgement) is present.
+
+
+   .. zeek:field:: TSval :zeek:type:`count` :zeek:attr:`&optional`
+
+      The TCP TS value if present.
+
+
+   .. zeek:field:: TSecr :zeek:type:`count` :zeek:attr:`&optional`
+
+      The TCP TS echo reply if present.
+
+
+   Fields of a SYN packet.
+   
+   .. zeek:see:: connection_SYN_packet
+
+.. zeek:type:: Storage::OperationResult
+   :source-code: base/init-bare.zeek 6440 6451
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: code :zeek:type:`Storage::ReturnCode`
+
+      One of a set of backend-redefinable return codes.
+
+
+   .. zeek:field:: error_str :zeek:type:`string` :zeek:attr:`&optional`
+
+      An optional error string. This should be set when the
+      ``code`` field is not set to ``SUCCESS``.
+
+
+   .. zeek:field:: value :zeek:type:`any` :zeek:attr:`&optional`
+
+      An optional value for operations that can return data. ``get``
+      operations uses this to return the value when a match was found
+      for the key requested. ``open_backend`` uses this to return the
+      backend handle on successful connections.
+
+
+   Returned as the result of the various storage operations.
+
+.. zeek:type:: Storage::ReturnCode
+   :source-code: base/init-bare.zeek 6406 6438
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Storage::SUCCESS Storage::ReturnCode
+
+         Operation succeeded.
+
+      .. zeek:enum:: Storage::VAL_TYPE_MISMATCH Storage::ReturnCode
+
+         Type of value passed to operation does not match type of
+         value passed when opening backend.
+
+      .. zeek:enum:: Storage::KEY_TYPE_MISMATCH Storage::ReturnCode
+
+         Type of key passed to operation does not match type of
+         key passed when opening backend.
+
+      .. zeek:enum:: Storage::NOT_CONNECTED Storage::ReturnCode
+
+         Backend is not connected.
+
+      .. zeek:enum:: Storage::TIMEOUT Storage::ReturnCode
+
+         Operation timed out.
+
+      .. zeek:enum:: Storage::CONNECTION_LOST Storage::ReturnCode
+
+         Connection to backed was lost unexpectedly.
+
+      .. zeek:enum:: Storage::OPERATION_FAILED Storage::ReturnCode
+
+         Generic operation failure.
+
+      .. zeek:enum:: Storage::KEY_NOT_FOUND Storage::ReturnCode
+
+         Key requested was not found in backend.
+
+      .. zeek:enum:: Storage::KEY_EXISTS Storage::ReturnCode
+
+         Key requested for overwrite already exists.
+
+      .. zeek:enum:: Storage::CONNECTION_FAILED Storage::ReturnCode
+
+         Generic connection-setup failure. This is not if the connection
+         was lost, but if it failed to be setup in the first place.
+
+      .. zeek:enum:: Storage::DISCONNECTION_FAILED Storage::ReturnCode
+
+         Generic disconnection failure.
+
+      .. zeek:enum:: Storage::INITIALIZATION_FAILED Storage::ReturnCode
+
+         Generic initialization failure.
+
+      .. zeek:enum:: Storage::IN_PROGRESS Storage::ReturnCode
+
+         Returned from async operations when the backend is waiting
+         for a result.
+   :Attributes: :zeek:attr:`&redef`
+
+   Common set of statuses that can be returned by storage operations. Backend plugins
+   can add to this enum if custom values are needed.
+
+.. zeek:type:: TCP::Option
+   :source-code: base/init-bare.zeek 684 711
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: kind :zeek:type:`count`
+
+      The kind number associated with the option.  Other optional fields
+      of this record may be set depending on this value.
+
+
+   .. zeek:field:: length :zeek:type:`count`
+
+      The total length of the option in bytes, including the kind byte and
+      length byte (if present).
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      This field is set to the raw option bytes if the kind is not
+      otherwise known/parsed.  It's also set for known kinds whose length
+      was invalid.
+
+
+   .. zeek:field:: mss :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 2: Maximum Segment Size.
+
+
+   .. zeek:field:: window_scale :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 3: Window scale.
+
+
+   .. zeek:field:: sack :zeek:type:`index_vec` :zeek:attr:`&optional`
+
+      Kind 5: Selective ACKnowledgement (SACK).  This is a list of 2, 4,
+      6, or 8 numbers with each consecutive pair being a 32-bit
+      begin-pointer and 32-bit end pointer.
+
+
+   .. zeek:field:: send_timestamp :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 8: 4-byte sender timestamp value.
+
+
+   .. zeek:field:: echo_timestamp :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 8: 4-byte echo reply timestamp value.
+
+
+   .. zeek:field:: rate :zeek:type:`count` :zeek:attr:`&optional`
+
+      Kind 27: TCP Quick Start Response value.
+
+
+   .. zeek:field:: ttl_diff :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: qs_nonce :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   A TCP Option field parsed from a TCP header.
+
+.. zeek:type:: TCP::OptionList
+   :source-code: base/init-bare.zeek 714 714
+
+   :Type: :zeek:type:`vector` of :zeek:type:`TCP::Option`
+
+   The full list of TCP Option fields parsed from a TCP header.
+
+.. zeek:type:: Telemetry::HistogramMetric
+   :source-code: base/init-bare.zeek 6187 6211
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: opts :zeek:type:`Telemetry::MetricOpts`
+
+      A :zeek:see:`Telemetry::MetricOpts` record describing this histogram.
+
+
+   .. zeek:field:: label_names :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      The label names (also called dimensions) of the metric. When
+      instantiating or working with concrete metrics, corresponding
+      label values have to be provided. Examples of a label might
+      be the protocol a general observation applies to, the
+      directionality in a traffic flow, or protocol-specific
+      context like a particular message type.
+
+
+   .. zeek:field:: label_values :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      The label values associated with this metric, if any.
+
+
+   .. zeek:field:: values :zeek:type:`vector` of :zeek:type:`double`
+
+      Individual counters for each of the buckets as
+      described by the *bounds* field in *opts*;
+
+
+   .. zeek:field:: observations :zeek:type:`double`
+
+      The number of observations made for this histogram.
+
+
+   .. zeek:field:: sum :zeek:type:`double`
+
+      The sum of all observations for this histogram.
+
+
+   Histograms returned by the :zeek:see:`Telemetry::collect_histogram_metrics` function.
+
+.. zeek:type:: Telemetry::HistogramMetricVector
+   :source-code: base/init-bare.zeek 6229 6229
+
+   :Type: :zeek:type:`vector` of :zeek:type:`Telemetry::HistogramMetric`
+
+
+.. zeek:type:: Telemetry::Metric
+   :source-code: base/init-bare.zeek 6164 6184
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: opts :zeek:type:`Telemetry::MetricOpts`
+
+      A :zeek:see:`Telemetry::MetricOpts` record describing this metric.
+
+
+   .. zeek:field:: label_names :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      The label names (also called dimensions) of the metric. When
+      instantiating or working with concrete metrics, corresponding
+      label values have to be provided. Examples of a label might
+      be the protocol a general observation applies to, the
+      directionality in a traffic flow, or protocol-specific
+      context like a particular message type.
+
+
+   .. zeek:field:: label_values :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      The label values associated with this metric, if any.
+
+
+   .. zeek:field:: value :zeek:type:`double` :zeek:attr:`&optional`
+
+      The value of gauge or counter cast to a double
+      independent of the underlying data type.
+      This value is set for all counter and gauge metrics,
+      it is unset for histograms.
+
+
+   Metrics returned by the :zeek:see:`Telemetry::collect_metrics` function.
+
+.. zeek:type:: Telemetry::MetricOpts
+   :source-code: base/init-bare.zeek 6113 6161
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: prefix :zeek:type:`string`
+
+      The prefix (namespace) of the metric. Zeek uses the ``zeek``
+      prefix for any internal metrics and the ``process`` prefix
+      for any metrics involving process state (CPU, memory, etc).
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      The human-readable name of the metric. This is set to the
+      full prefixed name including the unit when returned from
+      :zeek:see:`Telemetry::collect_metrics` or
+      :zeek:see:`Telemetry::collect_histogram_metrics`.
+
+
+   .. zeek:field:: unit :zeek:type:`string` :zeek:attr:`&optional`
+
+      The unit of the metric. Leave this unset for a unit-less
+      metric. Will be unset when returned from
+      :zeek:see:`Telemetry::collect_metrics` or
+      :zeek:see:`Telemetry::collect_histogram_metrics`.
+
+
+   .. zeek:field:: help_text :zeek:type:`string` :zeek:attr:`&optional`
+
+      Documentation for this metric.
+
+
+   .. zeek:field:: label_names :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      The label names (also called dimensions) of the metric. When
+      instantiating or working with concrete metrics, corresponding
+      label values have to be provided. Examples of a label might
+      be the protocol a general observation applies to, the
+      directionality in a traffic flow, or protocol-specific
+      context like a particular message type. This field is only
+      used in the construction of new metrics and will not be
+      filled in when returned from
+      :zeek:see:`Telemetry::collect_metrics` or
+      :zeek:see:`Telemetry::collect_histogram_metrics`,
+
+
+   .. zeek:field:: is_total :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Whether the metric represents something that is accumulating.
+      Defaults to ``T`` for counters and ``F`` for gauges and
+      histograms.
+
+
+   .. zeek:field:: bounds :zeek:type:`vector` of :zeek:type:`double` :zeek:attr:`&optional`
+
+      When creating a :zeek:see:`Telemetry::HistogramFamily`,
+      describes the number and bounds of the individual buckets.
+
+
+   .. zeek:field:: metric_type :zeek:type:`Telemetry::MetricType` :zeek:attr:`&optional`
+
+      Describes the underlying metric type.
+      Only set in the return value of
+      :zeek:see:`Telemetry::collect_metrics` or
+      :zeek:see:`Telemetry::collect_histogram_metrics`,
+      otherwise ignored.
+
+
+   Type that captures options used to create metrics.
+
+.. zeek:type:: Telemetry::MetricVector
+   :source-code: base/init-bare.zeek 6228 6228
+
+   :Type: :zeek:type:`vector` of :zeek:type:`Telemetry::Metric`
+
+
+.. zeek:type:: ThreadStats
+   :source-code: base/init-bare.zeek 1196 1198
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: num_threads :zeek:type:`count`
+
+
+   Statistics about threads.
+   
+   .. zeek:see:: get_thread_stats
+
+.. zeek:type:: TimerStats
+   :source-code: base/init-bare.zeek 1152 1156
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: current :zeek:type:`count`
+
+      Current number of pending timers.
+
+
+   .. zeek:field:: max :zeek:type:`count`
+
+      Maximum number of concurrent timers pending so far.
+
+
+   .. zeek:field:: cumulative :zeek:type:`count`
+
+      Cumulative number of timers scheduled.
+
+
+   Statistics of timers.
+   
+   .. zeek:see:: get_timer_stats
+
+.. zeek:type:: Tunnel::EncapsulatingConn
+   :source-code: base/init-bare.zeek 721 733
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cid :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The 4-tuple of the encapsulating "connection". In case of an
+      IP-in-IP tunnel the ports will be set to 0. The direction
+      (i.e., orig and resp) are set according to the first tunneled
+      packet seen and not according to the side that established
+      the tunnel.
+
+
+   .. zeek:field:: tunnel_type :zeek:type:`Tunnel::Type` :zeek:attr:`&log`
+
+      The type of tunnel.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      A globally unique identifier that, for non-IP-in-IP tunnels,
+      cross-references the *uid* field of :zeek:type:`connection`.
+
+   :Attributes: :zeek:attr:`&log`
+
+   Records the identity of an encapsulating parent of a tunneled connection.
+
+.. zeek:type:: WebSocket::AnalyzerConfig
+   :source-code: base/init-bare.zeek 806 822
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: analyzer :zeek:type:`Analyzer::Tag` :zeek:attr:`&optional`
+
+      The analyzer to attach for analysis of the WebSocket
+      frame payload. See *use_dpd* below for the behavior
+      when unset.
+
+
+   .. zeek:field:: use_dpd :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`WebSocket::use_dpd_default` :zeek:attr:`&optional`
+
+      If *analyzer* is unset, determines whether to attach a
+      PIA_TCP analyzer for dynamic protocol detection with
+      WebSocket payload.
+
+
+   .. zeek:field:: subprotocol :zeek:type:`string` :zeek:attr:`&optional`
+
+      The subprotocol as selected by the server, if any.
+
+
+   .. zeek:field:: server_extensions :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      The WebSocket extensions as selected by the server, if any.
+
+
+   Record type that is passed to :zeek:see:`WebSocket::configure_analyzer`.
+   
+   This record allows to configure the WebSocket analyzer given
+   parameters collected from HTTP headers.
+
+.. zeek:type:: X509::BasicConstraints
+   :source-code: base/init-bare.zeek 5112 5115
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ca :zeek:type:`bool` :zeek:attr:`&log`
+
+      CA flag set?
+
+
+   .. zeek:field:: path_len :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Maximum path length
+
+   :Attributes: :zeek:attr:`&log`
+
+
+.. zeek:type:: X509::Certificate
+   :source-code: base/init-bare.zeek 5087 5102
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count` :zeek:attr:`&log`
+
+      Version number.
+
+
+   .. zeek:field:: serial :zeek:type:`string` :zeek:attr:`&log`
+
+      Serial number.
+
+
+   .. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log`
+
+      Subject.
+
+
+   .. zeek:field:: issuer :zeek:type:`string` :zeek:attr:`&log`
+
+      Issuer.
+
+
+   .. zeek:field:: cn :zeek:type:`string` :zeek:attr:`&optional`
+
+      Last (most specific) common name.
+
+
+   .. zeek:field:: not_valid_before :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp before when certificate is not valid.
+
+
+   .. zeek:field:: not_valid_after :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp after when certificate is not valid.
+
+
+   .. zeek:field:: key_alg :zeek:type:`string` :zeek:attr:`&log`
+
+      Name of the key algorithm
+
+
+   .. zeek:field:: sig_alg :zeek:type:`string` :zeek:attr:`&log`
+
+      Name of the signature algorithm
+
+
+   .. zeek:field:: key_type :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Key type, if key parseable by openssl (either rsa, dsa or ec)
+
+
+   .. zeek:field:: key_length :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Key length in bits
+
+
+   .. zeek:field:: exponent :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Exponent, if RSA-certificate
+
+
+   .. zeek:field:: curve :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Curve, if EC-certificate
+
+
+   .. zeek:field:: tbs_sig_alg :zeek:type:`string`
+
+      Name of the signature algorithm given inside the tbsCertificate. Should be equivalent to `sig_alg`.
+
+
+
+.. zeek:type:: X509::Extension
+   :source-code: base/init-bare.zeek 5104 5110
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Long name of extension. oid if name not known
+
+
+   .. zeek:field:: short_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Short name of extension if known
+
+
+   .. zeek:field:: oid :zeek:type:`string`
+
+      Oid of extension
+
+
+   .. zeek:field:: critical :zeek:type:`bool`
+
+      True if extension is critical
+
+
+   .. zeek:field:: value :zeek:type:`string`
+
+      Extension content parsed to string for known extensions. Raw data otherwise.
+
+
+
+.. zeek:type:: X509::Result
+   :source-code: base/init-bare.zeek 5126 5133
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: result :zeek:type:`int`
+
+      OpenSSL result code
+
+
+   .. zeek:field:: result_string :zeek:type:`string`
+
+      Result as string
+
+
+   .. zeek:field:: chain_certs :zeek:type:`vector` of :zeek:type:`opaque` of x509 :zeek:attr:`&optional`
+
+      References to the final certificate chain, if verification successful. End-host certificate is first.
+
+
+   Result of an X509 certificate chain verification
+
+.. zeek:type:: X509::SubjectAlternativeName
+   :source-code: base/init-bare.zeek 5117 5123
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: dns :zeek:type:`string_vec` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      List of DNS entries in SAN
+
+
+   .. zeek:field:: uri :zeek:type:`string_vec` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      List of URI entries in SAN
+
+
+   .. zeek:field:: email :zeek:type:`string_vec` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      List of email entries in SAN
+
+
+   .. zeek:field:: ip :zeek:type:`addr_vec` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      List of IP entries in SAN
+
+
+   .. zeek:field:: other_fields :zeek:type:`bool`
+
+      True if the certificate contained other, not recognized or parsed name fields
+
+
+
+.. zeek:type:: addr_set
+   :source-code: base/init-bare.zeek 40 40
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`]
+
+   A set of addresses.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: addr_vec
+   :source-code: base/init-bare.zeek 104 104
+
+   :Type: :zeek:type:`vector` of :zeek:type:`addr`
+
+   A vector of addresses.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: any_vec
+   :source-code: base/init-bare.zeek 83 83
+
+   :Type: :zeek:type:`vector` of :zeek:type:`any`
+
+   A vector of any, used by some builtin functions to store a list of varying
+   types.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: assertion_failure
+   :source-code: base/init-bare.zeek 1367 1367
+
+   :Type: :zeek:type:`hook` (cond: :zeek:type:`string`, msg: :zeek:type:`string`, bt: :zeek:type:`Backtrace`) : :zeek:type:`bool`
+
+   A hook that is invoked when an assert statement fails.
+   
+   By default, a reporter error message is logged describing the failing
+   assert similarly to how scripting errors are reported after invoking
+   this hook. Using the :zeek:see:`break` statement in an assertion_failure
+   hook handler allows to suppress this message.
+   
+
+   :param cond: The string representation of the condition.
+   
+
+   :param msg: Evaluated message as string given to the assert statement.
+   
+
+   :param bt: Backtrace of the assertion error. The top element will contain
+       the location of the assert statement that failed.
+   
+   .. zeek:see:: assertion_result
+
+.. zeek:type:: assertion_result
+   :source-code: base/init-bare.zeek 1389 1389
+
+   :Type: :zeek:type:`hook` (result: :zeek:type:`bool`, cond: :zeek:type:`string`, msg: :zeek:type:`string`, bt: :zeek:type:`Backtrace`) : :zeek:type:`bool`
+
+   A hook that is invoked with the result of every assert statement.
+   
+   This is a potentially expensive hook meant to be used by testing
+   frameworks to summarize assert results. In a production setup,
+   this hook is likely detrimental to performance.
+   
+   Using the :zeek:see:`break` statement within an assertion_failure hook
+   handler allows to suppress the reporter error message generated for
+   failing assert statements.
+   
+
+   :param result: The result of evaluating **cond**.
+   
+
+   :param cond: The string representation of the condition.
+   
+
+   :param msg: Evaluated message as string given to the assert statement.
+   
+
+   :param bt: Backtrace of the assertion error. The top element will contain
+       the location of the assert statement that failed.
+   
+   .. zeek:see:: assertion_failure
+
+.. zeek:type:: bittorrent_benc_dir
+   :source-code: base/init-bare.zeek 3263 3263
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`bittorrent_benc_value`
+
+   A table of BitTorrent "benc" values.
+   
+   .. zeek:see:: bt_tracker_response
+
+.. zeek:type:: bittorrent_benc_value
+   :source-code: base/init-bare.zeek 3253 3258
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: i :zeek:type:`int` :zeek:attr:`&optional`
+
+      TODO.
+
+
+   .. zeek:field:: s :zeek:type:`string` :zeek:attr:`&optional`
+
+      TODO.
+
+
+   .. zeek:field:: d :zeek:type:`string` :zeek:attr:`&optional`
+
+      TODO.
+
+
+   .. zeek:field:: l :zeek:type:`string` :zeek:attr:`&optional`
+
+      TODO.
+
+
+   BitTorrent "benc" value. Note that "benc" = Bencode ("Bee-Encode"), per
+   http://en.wikipedia.org/wiki/Bencode.
+   
+   .. zeek:see:: bittorrent_benc_dir
+
+.. zeek:type:: bittorrent_peer
+   :source-code: base/init-bare.zeek 3239 3242
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: h :zeek:type:`addr`
+
+      The peer's address.
+
+
+   .. zeek:field:: p :zeek:type:`port`
+
+      The peer's port.
+
+
+   A BitTorrent peer.
+   
+   .. zeek:see:: bittorrent_peer_set
+
+.. zeek:type:: bittorrent_peer_set
+   :source-code: base/init-bare.zeek 3247 3247
+
+   :Type: :zeek:type:`set` [:zeek:type:`bittorrent_peer`]
+
+   A set of BitTorrent peers.
+   
+   .. zeek:see:: bt_tracker_response
+
+.. zeek:type:: bt_tracker_headers
+   :source-code: base/init-bare.zeek 3269 3269
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+
+   Header table type used by BitTorrent analyzer.
+   
+   .. zeek:see:: bt_tracker_request bt_tracker_response
+      bt_tracker_response_not_ok
+
+.. zeek:type:: call_argument
+   :source-code: base/init-bare.zeek 1317 1326
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      The name of the parameter.
+
+
+   .. zeek:field:: type_name :zeek:type:`string`
+
+      The name of the parameters's type.
+
+
+   .. zeek:field:: default_val :zeek:type:`any` :zeek:attr:`&optional`
+
+      The value of the :zeek:attr:`&default` attribute if defined.
+
+
+   .. zeek:field:: value :zeek:type:`any` :zeek:attr:`&optional`
+
+      The value of the parameter as passed into a given call instance.
+      Might be unset in the case a :zeek:attr:`&default` attribute is
+      defined.
+
+
+   Meta-information about a parameter to a function/event.
+   
+   .. zeek:see:: call_argument_vector new_event backtrace print_backtrace
+
+.. zeek:type:: call_argument_vector
+   :source-code: base/init-bare.zeek 1331 1331
+
+   :Type: :zeek:type:`vector` of :zeek:type:`call_argument`
+
+   Vector type used to capture parameters of a function/event call.
+   
+   .. zeek:see:: call_argument new_event backtrace print_backtrace
+
+.. zeek:type:: conn_id
+   :source-code: base/init-bare.zeek 224 231
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: orig_h :zeek:type:`addr` :zeek:attr:`&log`
+
+      The originator's IP address.
+
+
+   .. zeek:field:: orig_p :zeek:type:`port` :zeek:attr:`&log`
+
+      The originator's port number.
+
+
+   .. zeek:field:: resp_h :zeek:type:`addr` :zeek:attr:`&log`
+
+      The responder's IP address.
+
+
+   .. zeek:field:: resp_p :zeek:type:`port` :zeek:attr:`&log`
+
+      The responder's port number.
+
+
+   .. zeek:field:: proto :zeek:type:`count` :zeek:attr:`&default` = ``65535`` :zeek:attr:`&optional`
+
+      The transport protocol ID. Defaults to 65535 as an "unknown" value.
+
+
+   .. zeek:field:: ctx :zeek:type:`conn_id_ctx` :zeek:attr:`&log` :zeek:attr:`&default` = *...* :zeek:attr:`&optional`
+
+      The context in which this connection exists.
+
+
+   A connection's identifying 4-tuple of endpoints and ports.
+   
+   .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as
+      part of the port values, `orig_p` and `resp_p`, and can be extracted from
+      them with :zeek:id:`get_port_transport_proto`.
+   
+   .. note:: For explanation of Zeek's "originator" and "responder" terminology,
+      see :ref:`the manual's description of the connection record
+      <writing-scripts-connection-record>`.
+
+.. zeek:type:: conn_id_ctx
+   :source-code: base/init-bare.zeek 213 214
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: vlan :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek` is loaded)
+
+      The outer VLAN for this connection, if applicable.
+
+
+   .. zeek:field:: inner_vlan :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek` is loaded)
+
+      The inner VLAN for this connection, if applicable.
+
+
+   A record type containing the context of a conn_id instance.
+   
+   This context is used to discriminate between :zeek:see:`conn_id` instances
+   with identical five tuples, but not otherwise related due to, e.g. being observed
+   on different VLANs, or within independent tunnel connections like VXLAN or Geneve.
+   
+   This record type is meant to be extended by custom ConnKey implementations.
+
+.. zeek:type:: connection
+   :source-code: base/init-bare.zeek 866 901
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`conn_id`
+
+      The connection's identifying 4-tuple.
+
+
+   .. zeek:field:: orig :zeek:type:`endpoint`
+
+      Statistics about originator side.
+
+
+   .. zeek:field:: resp :zeek:type:`endpoint`
+
+      Statistics about responder side.
+
+
+   .. zeek:field:: start_time :zeek:type:`time`
+
+      The timestamp of the connection's first packet.
+
+
+   .. zeek:field:: duration :zeek:type:`interval`
+
+      The duration of the conversation. Roughly speaking, this is the
+      interval between first and last data packet (low-level TCP details
+      may adjust it somewhat in ambiguous cases).
+
+
+   .. zeek:field:: service :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&ordered`
+
+      The set of services the connection is using as determined by Zeek's
+      dynamic protocol detection. Each entry is the label of an analyzer
+      that confirmed that it could parse the connection payload.  While
+      typically, there will be at most one entry for each connection, in
+      principle it is possible that more than one protocol analyzer is able
+      to parse the same data. If so, all will be recorded. Also note that
+      the recorded services are independent of any transport-level protocols.
+
+
+   .. zeek:field:: history :zeek:type:`string`
+
+      State history of connections. See *history* in :zeek:see:`Conn::Info`.
+
+
+   .. zeek:field:: uid :zeek:type:`string`
+
+      A globally unique connection identifier. For each connection, Zeek
+      creates an ID that is very likely unique across independent Zeek runs.
+      These IDs can thus be used to tag and locate information associated
+      with that connection.
+
+
+   .. zeek:field:: tunnel :zeek:type:`EncapsulatingConnVector` :zeek:attr:`&optional`
+
+      If the connection is tunneled, this field contains information about
+      the encapsulating "connection(s)" with the outermost one starting
+      at index zero.  It's also always the first such encapsulation seen
+      for the connection unless the :zeek:id:`tunnel_changed` event is
+      handled and reassigns this field to the new encapsulation.
+
+
+   .. zeek:field:: vlan :zeek:type:`int` :zeek:attr:`&optional`
+
+      The outer VLAN, if applicable for this connection.
+
+
+   .. zeek:field:: inner_vlan :zeek:type:`int` :zeek:attr:`&optional`
+
+      The inner VLAN, if applicable for this connection.
+
+
+   .. zeek:field:: removal_hooks :zeek:type:`set` [:zeek:type:`Conn::RemovalHook`] :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/conn/removal-hooks.zeek` is loaded)
+
+
+   .. zeek:field:: failed_analyzers :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/analyzer/dpd.zeek` is loaded)
+
+      The set of prototol analyzers that were removed due to a protocol
+      violation after the same analyzer had previously been confirmed.
+
+
+   .. zeek:field:: conn :zeek:type:`Conn::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/conn/main.zeek` is loaded)
+
+
+   .. zeek:field:: extract_orig :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Conn::default_extract` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/conn/contents.zeek` is loaded)
+
+
+   .. zeek:field:: extract_resp :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Conn::default_extract` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/conn/contents.zeek` is loaded)
+
+
+   .. zeek:field:: thresholds :zeek:type:`ConnThreshold::Thresholds` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/conn/thresholds.zeek` is loaded)
+
+
+   .. zeek:field:: dce_rpc :zeek:type:`DCE_RPC::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/dce-rpc/main.zeek` is loaded)
+
+
+   .. zeek:field:: dce_rpc_state :zeek:type:`DCE_RPC::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/dce-rpc/main.zeek` is loaded)
+
+
+   .. zeek:field:: dce_rpc_backing :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`DCE_RPC::BackingState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/dce-rpc/main.zeek` is loaded)
+
+
+   .. zeek:field:: dhcp :zeek:type:`DHCP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/dhcp/main.zeek` is loaded)
+
+
+   .. zeek:field:: dnp3 :zeek:type:`DNP3::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/dnp3/main.zeek` is loaded)
+
+
+   .. zeek:field:: dns :zeek:type:`DNS::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/dns/main.zeek` is loaded)
+
+
+   .. zeek:field:: dns_state :zeek:type:`DNS::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/dns/main.zeek` is loaded)
+
+
+   .. zeek:field:: ftp :zeek:type:`FTP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ftp/main.zeek` is loaded)
+
+
+   .. zeek:field:: ftp_data_reuse :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ftp/main.zeek` is loaded)
+
+
+   .. zeek:field:: ssl :zeek:type:`SSL::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/main.zeek` is loaded)
+
+
+   .. zeek:field:: http :zeek:type:`HTTP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/main.zeek` is loaded)
+
+
+   .. zeek:field:: http_state :zeek:type:`HTTP::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/main.zeek` is loaded)
+
+
+   .. zeek:field:: irc :zeek:type:`IRC::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/irc/main.zeek` is loaded)
+
+      IRC session information.
+
+
+   .. zeek:field:: krb :zeek:type:`KRB::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/krb/main.zeek` is loaded)
+
+
+   .. zeek:field:: ldap :zeek:type:`LDAP::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ldap/main.zeek` is loaded)
+
+
+   .. zeek:field:: modbus :zeek:type:`Modbus::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/modbus/main.zeek` is loaded)
+
+
+   .. zeek:field:: mqtt :zeek:type:`MQTT::ConnectInfo` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/mqtt/main.zeek` is loaded)
+
+
+   .. zeek:field:: mqtt_state :zeek:type:`MQTT::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/mqtt/main.zeek` is loaded)
+
+
+   .. zeek:field:: mysql :zeek:type:`MySQL::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/mysql/main.zeek` is loaded)
+
+
+   .. zeek:field:: ntlm :zeek:type:`NTLM::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ntlm/main.zeek` is loaded)
+
+
+   .. zeek:field:: ntp :zeek:type:`NTP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ntp/main.zeek` is loaded)
+
+
+   .. zeek:field:: postgresql :zeek:type:`PostgreSQL::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/postgresql/main.zeek` is loaded)
+
+
+   .. zeek:field:: postgresql_state :zeek:type:`PostgreSQL::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/postgresql/main.zeek` is loaded)
+
+
+   .. zeek:field:: quic :zeek:type:`QUIC::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/quic/main.zeek` is loaded)
+
+
+   .. zeek:field:: radius :zeek:type:`RADIUS::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/radius/main.zeek` is loaded)
+
+
+   .. zeek:field:: rdp :zeek:type:`RDP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/rdp/main.zeek` is loaded)
+
+
+   .. zeek:field:: redis :zeek:type:`Redis::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/redis/main.zeek` is loaded)
+
+
+   .. zeek:field:: redis_state :zeek:type:`Redis::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/redis/main.zeek` is loaded)
+
+
+   .. zeek:field:: rfb :zeek:type:`RFB::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/rfb/main.zeek` is loaded)
+
+
+   .. zeek:field:: sip :zeek:type:`SIP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/sip/main.zeek` is loaded)
+
+
+   .. zeek:field:: sip_state :zeek:type:`SIP::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/sip/main.zeek` is loaded)
+
+
+   .. zeek:field:: snmp :zeek:type:`SNMP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/snmp/main.zeek` is loaded)
+
+
+   .. zeek:field:: smb_state :zeek:type:`SMB::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smb/main.zeek` is loaded)
+
+
+   .. zeek:field:: smtp :zeek:type:`SMTP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smtp/main.zeek` is loaded)
+
+
+   .. zeek:field:: smtp_state :zeek:type:`SMTP::State` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smtp/main.zeek` is loaded)
+
+
+   .. zeek:field:: socks :zeek:type:`SOCKS::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/socks/main.zeek` is loaded)
+
+
+   .. zeek:field:: ssh :zeek:type:`SSH::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssh/main.zeek` is loaded)
+
+
+   .. zeek:field:: syslog :zeek:type:`Syslog::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/syslog/main.zeek` is loaded)
+
+
+   .. zeek:field:: websocket :zeek:type:`WebSocket::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/websocket/main.zeek` is loaded)
+
+
+   .. zeek:field:: packet_segment :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/frameworks/analyzer/packet-segment-logging.zeek` is loaded)
+
+      A chunk of the payload that most likely resulted in a
+      analyzer violation.
+
+
+   .. zeek:field:: known_services_done :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/known-services.zeek` is loaded)
+
+
+   .. zeek:field:: speculative_service :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/speculative-service.zeek` is loaded)
+
+
+   A connection. This is Zeek's basic connection type describing IP- and
+   transport-layer information about the conversation. Note that Zeek uses a
+   liberal interpretation of "connection" and associates instances of this type
+   also with UDP and ICMP flows.
+
+.. zeek:type:: count_set
+   :source-code: base/init-bare.zeek 47 47
+
+   :Type: :zeek:type:`set` [:zeek:type:`count`]
+
+   A set of counts.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: dns_answer
+   :source-code: base/init-bare.zeek 3129 3137
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: answer_type :zeek:type:`count`
+
+      Answer type. One of :zeek:see:`DNS_QUERY`, :zeek:see:`DNS_ANS`,
+      :zeek:see:`DNS_AUTH` and :zeek:see:`DNS_ADDL`.
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: qtype :zeek:type:`count`
+
+      Query type.
+
+
+   .. zeek:field:: qclass :zeek:type:`count`
+
+      Query class.
+
+
+   .. zeek:field:: TTL :zeek:type:`interval`
+
+      Time-to-live.
+
+
+   The general part of a DNS reply.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply
+      dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+      dns_TXT_reply dns_WKS_reply
+
+.. zeek:type:: dns_binds_rr
+   :source-code: base/init-bare.zeek 3048 3056
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: answer_type :zeek:type:`count`
+
+      Ans type.
+
+
+   .. zeek:field:: algorithm :zeek:type:`count`
+
+      Algorithm for Public Key.
+
+
+   .. zeek:field:: key_id :zeek:type:`count`
+
+      key tag.
+
+
+   .. zeek:field:: removal_flag :zeek:type:`count`
+
+      rm flag.
+
+
+   .. zeek:field:: complete_flag :zeek:type:`count`
+
+      complete flag.
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      The RR is a query/Response.
+
+
+   A Private RR type BINDS record.
+   
+   .. zeek:see:: dns_BINDS
+
+.. zeek:type:: dns_dnskey_rr
+   :source-code: base/init-bare.zeek 2991 2999
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: answer_type :zeek:type:`count`
+
+      Ans type.
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      flags filed.
+
+
+   .. zeek:field:: protocol :zeek:type:`count`
+
+      Protocol, should be always 3 for DNSSEC.
+
+
+   .. zeek:field:: algorithm :zeek:type:`count`
+
+      Algorithm for Public Key.
+
+
+   .. zeek:field:: public_key :zeek:type:`string`
+
+      Public Key
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      The RR is a query/Response.
+
+
+   A DNSSEC DNSKEY record.
+   
+   .. zeek:see:: dns_DNSKEY
+
+.. zeek:type:: dns_ds_rr
+   :source-code: base/init-bare.zeek 3035 3043
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: answer_type :zeek:type:`count`
+
+      Ans type.
+
+
+   .. zeek:field:: key_tag :zeek:type:`count`
+
+      flags filed.
+
+
+   .. zeek:field:: algorithm :zeek:type:`count`
+
+      Algorithm for Public Key.
+
+
+   .. zeek:field:: digest_type :zeek:type:`count`
+
+      Digest Type.
+
+
+   .. zeek:field:: digest_val :zeek:type:`string`
+
+      Digest Value.
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      The RR is a query/Response.
+
+
+   A DNSSEC DS record.
+   
+   .. zeek:see:: dns_DS
+
+.. zeek:type:: dns_edns_additional
+   :source-code: base/init-bare.zeek 2902 2912
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: qtype :zeek:type:`count`
+
+      Query type.
+
+
+   .. zeek:field:: t :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: payload_size :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: extended_rcode :zeek:type:`count`
+
+      Extended return code.
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      Version.
+
+
+   .. zeek:field:: z_field :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: TTL :zeek:type:`interval`
+
+      Time-to-live.
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      TODO.
+
+
+   An additional DNS EDNS record.
+   
+   .. zeek:see:: dns_EDNS_addl
+
+.. zeek:type:: dns_edns_cookie
+   :source-code: base/init-bare.zeek 2935 2938
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: client_cookie :zeek:type:`string`
+
+      Cookie from the client (fixed 8 bytes).
+
+
+   .. zeek:field:: server_cookie :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Cookie from the server (0 bytes if missing, or 8 to 32 bytes).
+
+
+   An DNS EDNS COOKIE (COOKIE) record.
+   
+   .. zeek:see:: dns_EDNS_cookie
+
+.. zeek:type:: dns_edns_ecs
+   :source-code: base/init-bare.zeek 2917 2922
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: family :zeek:type:`string`
+
+      IP Family
+
+
+   .. zeek:field:: source_prefix_len :zeek:type:`count`
+
+      Source Prefix Length.
+
+
+   .. zeek:field:: scope_prefix_len :zeek:type:`count`
+
+      Scope Prefix Length.
+
+
+   .. zeek:field:: address :zeek:type:`addr`
+
+      Client Subnet Address.
+
+
+   An DNS EDNS Client Subnet (ECS) record.
+   
+   .. zeek:see:: dns_EDNS_ecs
+
+.. zeek:type:: dns_edns_tcp_keepalive
+   :source-code: base/init-bare.zeek 2927 2930
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: keepalive_timeout_omitted :zeek:type:`bool`
+
+      Whether timeout value is omitted.
+
+
+   .. zeek:field:: keepalive_timeout :zeek:type:`count`
+
+      Timeout value, in 100ms.
+
+
+   An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record.
+   
+   .. zeek:see:: dns_EDNS_tcp_keepalive
+
+.. zeek:type:: dns_loc_rr
+   :source-code: base/init-bare.zeek 3061 3072
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: answer_type :zeek:type:`count`
+
+      Ans type.
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      version number of the representation.
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      Diameter of a sphere enclosing the entity.
+
+
+   .. zeek:field:: horiz_pre :zeek:type:`count`
+
+      The horizontal precision of the data, in centimeters.
+
+
+   .. zeek:field:: vert_pre :zeek:type:`count`
+
+      The vertical precision of the data, in centimeters.
+
+
+   .. zeek:field:: latitude :zeek:type:`count`
+
+      The latitude of the center of the sphere.
+
+
+   .. zeek:field:: longitude :zeek:type:`count`
+
+      The longitude of the center of the sphere.
+
+
+   .. zeek:field:: altitude :zeek:type:`count`
+
+      The altitude of the center of the sphere.
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      The RR is a query/Response.
+
+
+   A Private RR type LOC record.
+   
+   .. zeek:see:: dns_LOC
+
+.. zeek:type:: dns_mapping
+   :source-code: base/init-bare.zeek 337 356
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: creation_time :zeek:type:`time`
+
+      The time when the mapping was created, which corresponds to when
+      the DNS query was sent out.
+
+
+   .. zeek:field:: req_host :zeek:type:`string`
+
+      If the mapping is the result of a name lookup, the queried host name;
+      otherwise empty.
+
+
+   .. zeek:field:: req_addr :zeek:type:`addr`
+
+      If the mapping is the result of a pointer lookup, the queried
+      address; otherwise null.
+
+
+   .. zeek:field:: valid :zeek:type:`bool`
+
+      True if the lookup returned success. Only then are the result fields
+      valid.
+
+
+   .. zeek:field:: hostname :zeek:type:`string`
+
+      If the mapping is the result of a pointer lookup, the resolved
+      hostname; otherwise empty.
+
+
+   .. zeek:field:: addrs :zeek:type:`addr_set`
+
+      If the mapping is the result of an address lookup, the resolved
+      address(es); otherwise empty.
+
+
+
+.. zeek:type:: dns_msg
+   :source-code: base/init-bare.zeek 2865 2884
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+      Transaction ID.
+
+
+   .. zeek:field:: opcode :zeek:type:`count`
+
+      Operation code.
+
+
+   .. zeek:field:: rcode :zeek:type:`count`
+
+      Return code.
+
+
+   .. zeek:field:: QR :zeek:type:`bool`
+
+      Query response flag.
+
+
+   .. zeek:field:: AA :zeek:type:`bool`
+
+      Authoritative answer flag.
+
+
+   .. zeek:field:: TC :zeek:type:`bool`
+
+      Truncated packet flag.
+
+
+   .. zeek:field:: RD :zeek:type:`bool`
+
+      Recursion desired flag.
+
+
+   .. zeek:field:: RA :zeek:type:`bool`
+
+      Recursion available flag.
+
+
+   .. zeek:field:: Z :zeek:type:`count`
+
+      3 bit field (includes AD and CD)
+
+
+   .. zeek:field:: AD :zeek:type:`bool`
+
+      authentic data
+
+
+   .. zeek:field:: CD :zeek:type:`bool`
+
+      checking disabled
+
+
+   .. zeek:field:: num_queries :zeek:type:`count`
+
+      Number of query records.
+
+
+   .. zeek:field:: num_answers :zeek:type:`count`
+
+      Number of answer records.
+
+
+   .. zeek:field:: num_auth :zeek:type:`count`
+
+      Number of authoritative records.
+
+
+   .. zeek:field:: num_addl :zeek:type:`count`
+
+      Number of additional records.
+
+
+   A DNS message.
+   
+   .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+      dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+      dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+      dns_message dns_query_reply dns_rejected dns_request
+
+.. zeek:type:: dns_naptr_rr
+   :source-code: base/init-bare.zeek 3105 3112
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: order :zeek:type:`count`
+
+      Order in which to process NAPTR records.
+
+
+   .. zeek:field:: preference :zeek:type:`count`
+
+      Preference specifying processing order for *equal* :zeek:field:`dns_naptr_rr$order` fields.
+
+
+   .. zeek:field:: flags :zeek:type:`string`
+
+      Flags to control rewriting. E.g. "u", "a", "s" or "p".
+
+
+   .. zeek:field:: service :zeek:type:`string`
+
+      The services available down this rewrite path.
+
+
+   .. zeek:field:: regexp :zeek:type:`string`
+
+      Substitution expression to be applied to the original query.
+
+
+   .. zeek:field:: replacement :zeek:type:`string`
+
+      The next name to query, where the type is depending on the :zeek:field:`dns_naptr_rr$flags` field.
+
+
+   A NAPTR record.
+   
+   See also RFC 2915 - The Naming Authority Pointer (NAPTR) DNS Resource Record.
+   
+   .. zeek:see:: dns_NAPTR_reply
+
+.. zeek:type:: dns_nsec3_rr
+   :source-code: base/init-bare.zeek 3004 3016
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: answer_type :zeek:type:`count`
+
+      Ans type.
+
+
+   .. zeek:field:: nsec_flags :zeek:type:`count`
+
+      flags field.
+
+
+   .. zeek:field:: nsec_hash_algo :zeek:type:`count`
+
+      Hash algorithm.
+
+
+   .. zeek:field:: nsec_iter :zeek:type:`count`
+
+      Iterations.
+
+
+   .. zeek:field:: nsec_salt_len :zeek:type:`count`
+
+      Salt length.
+
+
+   .. zeek:field:: nsec_salt :zeek:type:`string`
+
+      Salt value
+
+
+   .. zeek:field:: nsec_hlen :zeek:type:`count`
+
+      Hash length.
+
+
+   .. zeek:field:: nsec_hash :zeek:type:`string`
+
+      Hash value.
+
+
+   .. zeek:field:: bitmaps :zeek:type:`string_vec`
+
+      Type Bit Maps.
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      The RR is a query/Response.
+
+
+   A DNSSEC NSEC3 record.
+   
+   .. zeek:see:: dns_NSEC3
+
+.. zeek:type:: dns_nsec3param_rr
+   :source-code: base/init-bare.zeek 3021 3030
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: answer_type :zeek:type:`count`
+
+      Ans type.
+
+
+   .. zeek:field:: nsec_flags :zeek:type:`count`
+
+      flags field.
+
+
+   .. zeek:field:: nsec_hash_algo :zeek:type:`count`
+
+      Hash algorithm.
+
+
+   .. zeek:field:: nsec_iter :zeek:type:`count`
+
+      Iterations.
+
+
+   .. zeek:field:: nsec_salt_len :zeek:type:`count`
+
+      Salt length.
+
+
+   .. zeek:field:: nsec_salt :zeek:type:`string`
+
+      Salt value
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      The RR is a query/Response.
+
+
+   A DNSSEC NSEC3PARAM record.
+   
+   .. zeek:see:: dns_NSEC3PARAM
+
+.. zeek:type:: dns_rrsig_rr
+   :source-code: base/init-bare.zeek 2973 2986
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: answer_type :zeek:type:`count`
+
+      Ans type.
+
+
+   .. zeek:field:: type_covered :zeek:type:`count`
+
+      qtype covered by RRSIG RR.
+
+
+   .. zeek:field:: algorithm :zeek:type:`count`
+
+      Algorithm.
+
+
+   .. zeek:field:: labels :zeek:type:`count`
+
+      Labels in the owner's name.
+
+
+   .. zeek:field:: orig_ttl :zeek:type:`interval`
+
+      Original TTL.
+
+
+   .. zeek:field:: sig_exp :zeek:type:`time`
+
+      Time when signed RR expires.
+
+
+   .. zeek:field:: sig_incep :zeek:type:`time`
+
+      Time when signed.
+
+
+   .. zeek:field:: key_tag :zeek:type:`count`
+
+      Key tag value.
+
+
+   .. zeek:field:: signer_name :zeek:type:`string`
+
+      Signature.
+
+
+   .. zeek:field:: signature :zeek:type:`string`
+
+      Hash of the RRDATA.
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      The RR is a query/Response.
+
+
+   A DNSSEC RRSIG record.
+   
+   .. zeek:see:: dns_RRSIG
+
+.. zeek:type:: dns_soa
+   :source-code: base/init-bare.zeek 2889 2897
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: mname :zeek:type:`string`
+
+      Primary source of data for zone.
+
+
+   .. zeek:field:: rname :zeek:type:`string`
+
+      Mailbox for responsible person.
+
+
+   .. zeek:field:: serial :zeek:type:`count`
+
+      Version number of zone.
+
+
+   .. zeek:field:: refresh :zeek:type:`interval`
+
+      Seconds before refreshing.
+
+
+   .. zeek:field:: retry :zeek:type:`interval`
+
+      How long before retrying failed refresh.
+
+
+   .. zeek:field:: expire :zeek:type:`interval`
+
+      When zone no longer authoritative.
+
+
+   .. zeek:field:: minimum :zeek:type:`interval`
+
+      Minimum TTL to use when exporting.
+
+
+   A DNS SOA record.
+   
+   .. zeek:see:: dns_SOA_reply
+
+.. zeek:type:: dns_svcb_param
+   :source-code: base/init-bare.zeek 3077 3085
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: key :zeek:type:`count`
+
+      SvcParamKey
+
+
+   .. zeek:field:: mandatory :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&optional`
+
+      "mandatory" SvcParamKey values
+
+
+   .. zeek:field:: alpn :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      "alpn" IDs
+
+
+   .. zeek:field:: p :zeek:type:`count` :zeek:attr:`&optional`
+
+      "port" number, TCP or UDP
+
+
+   .. zeek:field:: hint :zeek:type:`vector` of :zeek:type:`addr` :zeek:attr:`&optional`
+
+      "ipv4hint" or "ipv6hint" IP addresses
+
+
+   .. zeek:field:: ech :zeek:type:`string` :zeek:attr:`&optional`
+
+      "ech" base64 encoded ECHConfigList blob
+
+
+   .. zeek:field:: raw :zeek:type:`string` :zeek:attr:`&optional`
+
+      reserved key's or malformed value
+
+
+   A SvcParamKey with an optional SvcParamValue.
+   .. zeek:see:: dns_svcb_rr
+
+.. zeek:type:: dns_svcb_param_vec
+   :source-code: base/init-bare.zeek 3087 3087
+
+   :Type: :zeek:type:`vector` of :zeek:type:`dns_svcb_param`
+
+
+.. zeek:type:: dns_svcb_rr
+   :source-code: base/init-bare.zeek 3094 3098
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: svc_priority :zeek:type:`count`
+
+      Service priority. If zero, the record is in AliasMode and has no SvcParam.
+
+
+   .. zeek:field:: target_name :zeek:type:`string`
+
+      Target name, the hostname of the service endpoint.
+
+
+   .. zeek:field:: svc_params :zeek:type:`dns_svcb_param_vec` :zeek:attr:`&optional`
+
+      Service parameters, if any.
+
+
+   A SVCB or HTTPS record.
+   
+   See also RFC 9460 - Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records).
+   
+   .. zeek:see:: dns_SVCB dns_HTTPS
+
+.. zeek:type:: dns_tkey
+   :source-code: base/init-bare.zeek 2943 2953
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: qtype :zeek:type:`count`
+
+      Query type.
+
+
+   .. zeek:field:: alg_name :zeek:type:`string`
+
+      Algorithm name.
+
+
+   .. zeek:field:: inception :zeek:type:`time`
+
+      Requested or provided start of validity interval for keying material.
+
+
+   .. zeek:field:: expiration :zeek:type:`time`
+
+      Requested or provided end of validity interval for keying material.
+
+
+   .. zeek:field:: mode :zeek:type:`count`
+
+      Key agreement or purpose of the message.
+
+
+   .. zeek:field:: rr_error :zeek:type:`count`
+
+      Error code.
+
+
+   .. zeek:field:: key_data :zeek:type:`string`
+
+      Key exchange data field.
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      The RR is a query/Response.
+
+
+   A DNS TKEY record.
+   
+   .. zeek:see:: dns_TKEY
+
+.. zeek:type:: dns_tsig_additional
+   :source-code: base/init-bare.zeek 2958 2968
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: query :zeek:type:`string`
+
+      Query.
+
+
+   .. zeek:field:: qtype :zeek:type:`count`
+
+      Query type.
+
+
+   .. zeek:field:: alg_name :zeek:type:`string`
+
+      Algorithm name.
+
+
+   .. zeek:field:: sig :zeek:type:`string`
+
+      Signature.
+
+
+   .. zeek:field:: time_signed :zeek:type:`time`
+
+      Time when signed.
+
+
+   .. zeek:field:: fudge :zeek:type:`time`
+
+      TODO.
+
+
+   .. zeek:field:: orig_id :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: rr_error :zeek:type:`count`
+
+      TODO.
+
+
+   .. zeek:field:: is_query :zeek:type:`count`
+
+      TODO.
+
+
+   An additional DNS TSIG record.
+   
+   .. zeek:see:: dns_TSIG_addl
+
+.. zeek:type:: double_vec
+   :source-code: base/init-bare.zeek 68 68
+
+   :Type: :zeek:type:`vector` of :zeek:type:`double`
+
+   A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: endpoint
+   :source-code: base/init-bare.zeek 841 860
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: size :zeek:type:`count`
+
+      Logical size of data sent (for TCP: derived from sequence numbers).
+
+
+   .. zeek:field:: state :zeek:type:`count`
+
+      Endpoint state. For a TCP connection, one of the constants:
+      :zeek:see:`TCP_INACTIVE` :zeek:see:`TCP_SYN_SENT`
+      :zeek:see:`TCP_SYN_ACK_SENT` :zeek:see:`TCP_PARTIAL`
+      :zeek:see:`TCP_ESTABLISHED` :zeek:see:`TCP_CLOSED` :zeek:see:`TCP_RESET`.
+      For UDP, one of :zeek:see:`UDP_ACTIVE` and :zeek:see:`UDP_INACTIVE`.
+
+
+   .. zeek:field:: num_pkts :zeek:type:`count` :zeek:attr:`&optional`
+
+      Number of packets sent. Only set if :zeek:id:`use_conn_size_analyzer`
+      is true.
+
+
+   .. zeek:field:: num_bytes_ip :zeek:type:`count` :zeek:attr:`&optional`
+
+      Number of IP-level bytes sent. Only set if
+      :zeek:id:`use_conn_size_analyzer` is true.
+
+
+   .. zeek:field:: flow_label :zeek:type:`count`
+
+      The current IPv6 flow label that the connection endpoint is using.
+      Always 0 if the connection is over IPv4.
+
+
+   .. zeek:field:: l2_addr :zeek:type:`string` :zeek:attr:`&optional`
+
+      The link-layer address seen in the first packet (if available).
+
+
+   Statistics about a :zeek:type:`connection` endpoint.
+   
+   .. zeek:see:: connection
+
+.. zeek:type:: endpoint_stats
+   :source-code: base/init-bare.zeek 372 384
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: num_pkts :zeek:type:`count`
+
+      Number of packets.
+
+
+   .. zeek:field:: num_rxmit :zeek:type:`count`
+
+      Number of retransmissions.
+
+
+   .. zeek:field:: num_rxmit_bytes :zeek:type:`count`
+
+      Number of retransmitted bytes.
+
+
+   .. zeek:field:: num_in_order :zeek:type:`count`
+
+      Number of in-order packets.
+
+
+   .. zeek:field:: num_OO :zeek:type:`count`
+
+      Number of out-of-order packets.
+
+
+   .. zeek:field:: num_repl :zeek:type:`count`
+
+      Number of replicated packets (last packet was sent again).
+
+
+   .. zeek:field:: endian_type :zeek:type:`count`
+
+      Endian type used by the endpoint, if it could be determined from
+      the sequence numbers used. This is one of :zeek:see:`ENDIAN_UNKNOWN`,
+      :zeek:see:`ENDIAN_BIG`, :zeek:see:`ENDIAN_LITTLE`, and
+      :zeek:see:`ENDIAN_CONFUSED`.
+
+
+   Statistics about what a TCP endpoint sent.
+   
+   .. zeek:see:: conn_stats
+
+.. zeek:type:: entropy_test_result
+   :source-code: base/init-bare.zeek 1559 1565
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: entropy :zeek:type:`double`
+
+      Information density.
+
+
+   .. zeek:field:: chi_square :zeek:type:`double`
+
+      Chi-Square value.
+
+
+   .. zeek:field:: mean :zeek:type:`double`
+
+      Arithmetic Mean.
+
+
+   .. zeek:field:: monte_carlo_pi :zeek:type:`double`
+
+      Monte-carlo value for pi.
+
+
+   .. zeek:field:: serial_correlation :zeek:type:`double`
+
+      Serial correlation coefficient.
+
+
+   Computed entropy values. The record captures a number of measures that are
+   computed in parallel. See `A Pseudorandom Number Sequence Test Program
+   <http://www.fourmilab.ch/random>`_ for more information, Zeek uses the same
+   code.
+   
+   .. zeek:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy
+
+.. zeek:type:: event_metadata_vec
+   :source-code: base/init-bare.zeek 836 836
+
+   :Type: :zeek:type:`vector` of :zeek:type:`EventMetadata::Entry`
+
+   A type alias for event metadata.
+
+.. zeek:type:: fa_file
+   :source-code: base/init-bare.zeek 917 969
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`string`
+
+      A hash serving as the identifier associated with a single file.
+
+
+   .. zeek:field:: parent_id :zeek:type:`string` :zeek:attr:`&optional`
+
+      Identifier associated with a container file from which this one was
+      extracted as part of the file analysis.
+
+
+   .. zeek:field:: source :zeek:type:`string`
+
+      An identification of the source of the file data. E.g. it may be
+      a network protocol over which it was transferred, or a local file
+      path including filename which was read, or some other input source.
+      Examples are: "HTTP", "SMTP", "IRC_DATA", or the filename, or even
+      the full path and filename.
+
+
+   .. zeek:field:: is_orig :zeek:type:`bool` :zeek:attr:`&optional`
+
+      If the source of this file is a network connection, this field
+      may be set to indicate the directionality.
+
+
+   .. zeek:field:: conns :zeek:type:`table` [:zeek:type:`conn_id`] of :zeek:type:`connection` :zeek:attr:`&optional`
+
+      The set of connections over which the file was transferred.
+
+
+   .. zeek:field:: last_active :zeek:type:`time`
+
+      The time at which the last activity for the file was seen.
+
+
+   .. zeek:field:: seen_bytes :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Number of bytes provided to the file analysis engine for the file.
+
+
+   .. zeek:field:: total_bytes :zeek:type:`count` :zeek:attr:`&optional`
+
+      Total number of bytes that are supposed to comprise the full file.
+
+
+   .. zeek:field:: missing_bytes :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of bytes in the file stream that were completely missed
+      during the process of analysis e.g. due to dropped packets.
+
+
+   .. zeek:field:: overflow_bytes :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of bytes in the file stream that were not delivered to
+      stream file analyzers.  Generally, this consists of bytes that
+      couldn't be reassembled, either because reassembly simply isn't
+      enabled, or due to size limitations of the reassembly buffer.
+
+
+   .. zeek:field:: timeout_interval :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`default_file_timeout_interval` :zeek:attr:`&optional`
+
+      The amount of time between receiving new data for this file that
+      the analysis engine will wait before giving up on it.
+
+
+   .. zeek:field:: bof_buffer_size :zeek:type:`count` :zeek:attr:`&default` = :zeek:see:`default_file_bof_buffer_size` :zeek:attr:`&optional`
+
+      The number of bytes at the beginning of a file to save for later
+      inspection in the *bof_buffer* field.
+
+
+   .. zeek:field:: bof_buffer :zeek:type:`string` :zeek:attr:`&optional`
+
+      The content of the beginning of a file up to *bof_buffer_size* bytes.
+      This is also the buffer that's used for file/mime type detection.
+
+
+   .. zeek:field:: info :zeek:type:`Files::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/frameworks/files/main.zeek` is loaded)
+
+
+   .. zeek:field:: ftp :zeek:type:`FTP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ftp/files.zeek` is loaded)
+
+
+   .. zeek:field:: http :zeek:type:`HTTP::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+
+   .. zeek:field:: irc :zeek:type:`IRC::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/irc/files.zeek` is loaded)
+
+
+   .. zeek:field:: pe :zeek:type:`PE::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/files/pe/main.zeek` is loaded)
+
+   :Attributes: :zeek:attr:`&redef`
+
+   File Analysis handle for a file that Zeek is analyzing. This holds
+   information about, but not the content of, a conceptual "file";
+   essentially any byte stream that is e.g. pulled from a network connection
+   or possibly some other input source. Note that fa_file is also used in
+   cases where there isn't a filename to be had.
+
+.. zeek:type:: fa_metadata
+   :source-code: base/init-bare.zeek 979 987
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: mime_type :zeek:type:`string` :zeek:attr:`&optional`
+
+      The strongest matching MIME type if one was discovered.
+
+
+   .. zeek:field:: mime_types :zeek:type:`mime_matches` :zeek:attr:`&optional`
+
+      All matching MIME types if any were discovered.
+
+
+   .. zeek:field:: inferred :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Specifies whether the MIME type was inferred using signatures,
+      or provided directly by the protocol the file appeared in.
+
+
+   File Analysis metadata that's been inferred about a particular file.
+
+.. zeek:type:: files_tag_set
+   :source-code: base/init-bare.zeek 125 125
+
+   :Type: :zeek:type:`set` [:zeek:type:`Files::Tag`]
+
+   A set of file analyzer tags.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: flow_id
+   :source-code: base/init-bare.zeek 238 243
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: src_h :zeek:type:`addr` :zeek:attr:`&log`
+
+      The source IP address.
+
+
+   .. zeek:field:: src_p :zeek:type:`port` :zeek:attr:`&log`
+
+      The source port number.
+
+
+   .. zeek:field:: dst_h :zeek:type:`addr` :zeek:attr:`&log`
+
+      The destination IP address.
+
+
+   .. zeek:field:: dst_p :zeek:type:`port` :zeek:attr:`&log`
+
+      The destination port number.
+
+   :Attributes: :zeek:attr:`&log`
+
+   The identifying 4-tuple of a uni-directional flow.
+   
+   .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as
+      part of the port values, `src_p` and `dst_p`, and can be extracted from
+      them with :zeek:id:`get_port_transport_proto`.
+
+.. zeek:type:: from_json_result
+   :source-code: base/init-bare.zeek 1576 1580
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: v :zeek:type:`any` :zeek:attr:`&optional`
+
+      Parsed value.
+
+
+   .. zeek:field:: valid :zeek:type:`bool`
+
+      True if parsing was successful.
+
+
+   .. zeek:field:: err :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   Return type for from_json BIF.
+   
+   .. zeek:see:: from_json
+
+.. zeek:type:: ftp_port
+   :source-code: base/init-bare.zeek 363 367
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: h :zeek:type:`addr`
+
+      The host's address.
+
+
+   .. zeek:field:: p :zeek:type:`port`
+
+      The host's port.
+
+
+   .. zeek:field:: valid :zeek:type:`bool`
+
+      True if format was right. Only then are *h* and *p* valid.
+
+
+   A parsed host/port combination describing server endpoint for an upcoming
+   data transfer.
+   
+   .. zeek:see:: fmt_ftp_port parse_eftp_port parse_ftp_epsv parse_ftp_pasv
+      parse_ftp_port
+
+.. zeek:type:: geo_autonomous_system
+   :source-code: base/init-bare.zeek 1521 1524
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: number :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      The autonomous system number.
+
+
+   .. zeek:field:: organization :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Associated organization.
+
+   :Attributes: :zeek:attr:`&log`
+
+   GeoIP autonomous system information.
+   
+   .. zeek:see:: lookup_autonomous_system
+
+.. zeek:type:: geo_location
+   :source-code: base/init-bare.zeek 1510 1516
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: country_code :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      The country code.
+
+
+   .. zeek:field:: region :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      The region.
+
+
+   .. zeek:field:: city :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      The city.
+
+
+   .. zeek:field:: latitude :zeek:type:`double` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Latitude.
+
+
+   .. zeek:field:: longitude :zeek:type:`double` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Longitude.
+
+   :Attributes: :zeek:attr:`&log`
+
+   GeoIP location information.
+   
+   .. zeek:see:: lookup_location
+
+.. zeek:type:: gtp_access_point_name
+   :source-code: base/init-bare.zeek 2397 2397
+
+   :Type: :zeek:type:`string`
+
+
+.. zeek:type:: gtp_cause
+   :source-code: base/init-bare.zeek 2379 2379
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_charging_characteristics
+   :source-code: base/init-bare.zeek 2395 2395
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_charging_gateway_addr
+   :source-code: base/init-bare.zeek 2387 2387
+
+   :Type: :zeek:type:`addr`
+
+
+.. zeek:type:: gtp_charging_id
+   :source-code: base/init-bare.zeek 2386 2386
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_create_pdp_ctx_request_elements
+   :source-code: base/init-bare.zeek 2435 2458
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: imsi :zeek:type:`gtp_imsi` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: rai :zeek:type:`gtp_rai` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: recovery :zeek:type:`gtp_recovery` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: select_mode :zeek:type:`gtp_selection_mode` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: data1 :zeek:type:`gtp_teid1`
+
+
+   .. zeek:field:: cp :zeek:type:`gtp_teid_control_plane` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: nsapi :zeek:type:`gtp_nsapi`
+
+
+   .. zeek:field:: linked_nsapi :zeek:type:`gtp_nsapi` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: charge_character :zeek:type:`gtp_charging_characteristics` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: trace_ref :zeek:type:`gtp_trace_reference` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: trace_type :zeek:type:`gtp_trace_type` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: end_user_addr :zeek:type:`gtp_end_user_addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: ap_name :zeek:type:`gtp_access_point_name` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: opts :zeek:type:`gtp_proto_config_options` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: signal_addr :zeek:type:`gtp_gsn_addr`
+
+
+   .. zeek:field:: user_addr :zeek:type:`gtp_gsn_addr`
+
+
+   .. zeek:field:: msisdn :zeek:type:`gtp_msisdn` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: qos_prof :zeek:type:`gtp_qos_profile`
+
+
+   .. zeek:field:: tft :zeek:type:`gtp_tft` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: trigger_id :zeek:type:`gtp_trigger_id` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: omc_id :zeek:type:`gtp_omc_id` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: ext :zeek:type:`gtp_private_extension` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: gtp_create_pdp_ctx_response_elements
+   :source-code: base/init-bare.zeek 2460 2474
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cause :zeek:type:`gtp_cause`
+
+
+   .. zeek:field:: reorder_req :zeek:type:`gtp_reordering_required` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: recovery :zeek:type:`gtp_recovery` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: data1 :zeek:type:`gtp_teid1` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: cp :zeek:type:`gtp_teid_control_plane` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: charging_id :zeek:type:`gtp_charging_id` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: end_user_addr :zeek:type:`gtp_end_user_addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: opts :zeek:type:`gtp_proto_config_options` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: cp_addr :zeek:type:`gtp_gsn_addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: user_addr :zeek:type:`gtp_gsn_addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: qos_prof :zeek:type:`gtp_qos_profile` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: charge_gateway :zeek:type:`gtp_charging_gateway_addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: ext :zeek:type:`gtp_private_extension` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: gtp_delete_pdp_ctx_request_elements
+   :source-code: base/init-bare.zeek 2508 2512
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: teardown_ind :zeek:type:`gtp_teardown_ind` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: nsapi :zeek:type:`gtp_nsapi`
+
+
+   .. zeek:field:: ext :zeek:type:`gtp_private_extension` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: gtp_delete_pdp_ctx_response_elements
+   :source-code: base/init-bare.zeek 2514 2517
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cause :zeek:type:`gtp_cause`
+
+
+   .. zeek:field:: ext :zeek:type:`gtp_private_extension` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: gtp_end_user_addr
+   :source-code: base/init-bare.zeek 2409 2416
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pdp_type_org :zeek:type:`count`
+
+
+   .. zeek:field:: pdp_type_num :zeek:type:`count`
+
+
+   .. zeek:field:: pdp_ip :zeek:type:`addr` :zeek:attr:`&optional`
+
+      Set if the End User Address information element is IPv4/IPv6.
+
+
+   .. zeek:field:: pdp_other_addr :zeek:type:`string` :zeek:attr:`&optional`
+
+      Set if the End User Address information element isn't IPv4/IPv6.
+
+
+
+.. zeek:type:: gtp_gsn_addr
+   :source-code: base/init-bare.zeek 2400 2407
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ip :zeek:type:`addr` :zeek:attr:`&optional`
+
+      If the GSN Address information element has length 4 or 16, then this
+      field is set to be the informational element's value interpreted as
+      an IPv4 or IPv6 address, respectively.
+
+
+   .. zeek:field:: other :zeek:type:`string` :zeek:attr:`&optional`
+
+      This field is set if it's not an IPv4 or IPv6 address.
+
+
+
+.. zeek:type:: gtp_imsi
+   :source-code: base/init-bare.zeek 2380 2380
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_msisdn
+   :source-code: base/init-bare.zeek 2398 2398
+
+   :Type: :zeek:type:`string`
+
+
+.. zeek:type:: gtp_nsapi
+   :source-code: base/init-bare.zeek 2382 2382
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_omc_id
+   :source-code: base/init-bare.zeek 2392 2392
+
+   :Type: :zeek:type:`string`
+
+
+.. zeek:type:: gtp_private_extension
+   :source-code: base/init-bare.zeek 2430 2433
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+
+   .. zeek:field:: value :zeek:type:`string`
+
+
+
+.. zeek:type:: gtp_proto_config_options
+   :source-code: base/init-bare.zeek 2394 2394
+
+   :Type: :zeek:type:`string`
+
+
+.. zeek:type:: gtp_qos_profile
+   :source-code: base/init-bare.zeek 2425 2428
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: priority :zeek:type:`count`
+
+
+   .. zeek:field:: data :zeek:type:`string`
+
+
+
+.. zeek:type:: gtp_rai
+   :source-code: base/init-bare.zeek 2418 2423
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: mcc :zeek:type:`count`
+
+
+   .. zeek:field:: mnc :zeek:type:`count`
+
+
+   .. zeek:field:: lac :zeek:type:`count`
+
+
+   .. zeek:field:: rac :zeek:type:`count`
+
+
+
+.. zeek:type:: gtp_recovery
+   :source-code: base/init-bare.zeek 2383 2383
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_reordering_required
+   :source-code: base/init-bare.zeek 2393 2393
+
+   :Type: :zeek:type:`bool`
+
+
+.. zeek:type:: gtp_selection_mode
+   :source-code: base/init-bare.zeek 2396 2396
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_teardown_ind
+   :source-code: base/init-bare.zeek 2381 2381
+
+   :Type: :zeek:type:`bool`
+
+
+.. zeek:type:: gtp_teid1
+   :source-code: base/init-bare.zeek 2384 2384
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_teid_control_plane
+   :source-code: base/init-bare.zeek 2385 2385
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_tft
+   :source-code: base/init-bare.zeek 2390 2390
+
+   :Type: :zeek:type:`string`
+
+
+.. zeek:type:: gtp_trace_reference
+   :source-code: base/init-bare.zeek 2388 2388
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_trace_type
+   :source-code: base/init-bare.zeek 2389 2389
+
+   :Type: :zeek:type:`count`
+
+
+.. zeek:type:: gtp_trigger_id
+   :source-code: base/init-bare.zeek 2391 2391
+
+   :Type: :zeek:type:`string`
+
+
+.. zeek:type:: gtp_update_pdp_ctx_request_elements
+   :source-code: base/init-bare.zeek 2476 2493
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: imsi :zeek:type:`gtp_imsi` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: rai :zeek:type:`gtp_rai` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: recovery :zeek:type:`gtp_recovery` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: data1 :zeek:type:`gtp_teid1`
+
+
+   .. zeek:field:: cp :zeek:type:`gtp_teid_control_plane` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: nsapi :zeek:type:`gtp_nsapi`
+
+
+   .. zeek:field:: trace_ref :zeek:type:`gtp_trace_reference` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: trace_type :zeek:type:`gtp_trace_type` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: cp_addr :zeek:type:`gtp_gsn_addr`
+
+
+   .. zeek:field:: user_addr :zeek:type:`gtp_gsn_addr`
+
+
+   .. zeek:field:: qos_prof :zeek:type:`gtp_qos_profile`
+
+
+   .. zeek:field:: tft :zeek:type:`gtp_tft` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: trigger_id :zeek:type:`gtp_trigger_id` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: omc_id :zeek:type:`gtp_omc_id` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: ext :zeek:type:`gtp_private_extension` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: end_user_addr :zeek:type:`gtp_end_user_addr` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: gtp_update_pdp_ctx_response_elements
+   :source-code: base/init-bare.zeek 2495 2506
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cause :zeek:type:`gtp_cause`
+
+
+   .. zeek:field:: recovery :zeek:type:`gtp_recovery` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: data1 :zeek:type:`gtp_teid1` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: cp :zeek:type:`gtp_teid_control_plane` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: charging_id :zeek:type:`gtp_charging_id` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: cp_addr :zeek:type:`gtp_gsn_addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: user_addr :zeek:type:`gtp_gsn_addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: qos_prof :zeek:type:`gtp_qos_profile` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: charge_gateway :zeek:type:`gtp_charging_gateway_addr` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: ext :zeek:type:`gtp_private_extension` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: gtpv1_hdr
+   :source-code: base/init-bare.zeek 2342 2377
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      The 3-bit version field, which for GTPv1 should be 1.
+
+
+   .. zeek:field:: pt_flag :zeek:type:`bool`
+
+      Protocol Type value differentiates GTP (value 1) from GTP' (value 0).
+
+
+   .. zeek:field:: rsv :zeek:type:`bool`
+
+      Reserved field, should be 0.
+
+
+   .. zeek:field:: e_flag :zeek:type:`bool`
+
+      Extension Header flag.  When 0, the *next_type* field may or may not
+      be present, but shouldn't be meaningful.  When 1, *next_type* is
+      present and meaningful.
+
+
+   .. zeek:field:: s_flag :zeek:type:`bool`
+
+      Sequence Number flag.  When 0, the *seq* field may or may not
+      be present, but shouldn't be meaningful.  When 1, *seq* is
+      present and meaningful.
+
+
+   .. zeek:field:: pn_flag :zeek:type:`bool`
+
+      N-PDU flag.  When 0, the *n_pdu* field may or may not
+      be present, but shouldn't be meaningful.  When 1, *n_pdu* is
+      present and meaningful.
+
+
+   .. zeek:field:: msg_type :zeek:type:`count`
+
+      Message Type.  A value of 255 indicates user-plane data is encapsulated.
+
+
+   .. zeek:field:: length :zeek:type:`count`
+
+      Length of the GTP packet payload (the rest of the packet following
+      the mandatory 8-byte GTP header).
+
+
+   .. zeek:field:: teid :zeek:type:`count`
+
+      Tunnel Endpoint Identifier.  Unambiguously identifies a tunnel
+      endpoint in receiving GTP-U or GTP-C protocol entity.
+
+
+   .. zeek:field:: seq :zeek:type:`count` :zeek:attr:`&optional`
+
+      Sequence Number.  Set if any *e_flag*, *s_flag*, or *pn_flag* field
+      is set.
+
+
+   .. zeek:field:: n_pdu :zeek:type:`count` :zeek:attr:`&optional`
+
+      N-PDU Number.  Set if any *e_flag*, *s_flag*, or *pn_flag* field is set.
+
+
+   .. zeek:field:: next_type :zeek:type:`count` :zeek:attr:`&optional`
+
+      Next Extension Header Type.  Set if any *e_flag*, *s_flag*, or
+      *pn_flag* field is set.
+
+
+   A GTPv1 (GPRS Tunneling Protocol) header.
+
+.. zeek:type:: http_message_stat
+   :source-code: base/init-bare.zeek 3178 3191
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: start :zeek:type:`time`
+
+      When the request/reply line was complete.
+
+
+   .. zeek:field:: interrupted :zeek:type:`bool`
+
+      Whether the message was interrupted.
+
+
+   .. zeek:field:: finish_msg :zeek:type:`string`
+
+      Reason phrase if interrupted.
+
+
+   .. zeek:field:: body_length :zeek:type:`count`
+
+      Length of body processed (before finished/interrupted).
+
+
+   .. zeek:field:: content_gap_length :zeek:type:`count`
+
+      Total length of gaps within *body_length*.
+
+
+   .. zeek:field:: header_length :zeek:type:`count`
+
+      Length of headers (including the req/reply line, but not CR/LF's).
+
+
+   HTTP message statistics.
+   
+   .. zeek:see:: http_message_done
+
+.. zeek:type:: http_stats_rec
+   :source-code: base/init-bare.zeek 3168 3173
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: num_requests :zeek:type:`count`
+
+      Number of requests.
+
+
+   .. zeek:field:: num_replies :zeek:type:`count`
+
+      Number of replies.
+
+
+   .. zeek:field:: request_version :zeek:type:`double`
+
+      HTTP version of the requests.
+
+
+   .. zeek:field:: reply_version :zeek:type:`double`
+
+      HTTP Version of the replies.
+
+
+   HTTP session statistics.
+   
+   .. zeek:see:: http_stats
+
+.. zeek:type:: icmp6_nd_option
+   :source-code: base/init-bare.zeek 306 327
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: otype :zeek:type:`count`
+
+      8-bit identifier of the type of option.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      8-bit integer representing the length of the option (including the
+      type and length fields) in units of 8 octets.
+
+
+   .. zeek:field:: link_address :zeek:type:`string` :zeek:attr:`&optional`
+
+      Source Link-Layer Address (Type 1) or Target Link-Layer Address (Type 2).
+      Byte ordering of this is dependent on the actual link-layer.
+
+
+   .. zeek:field:: prefix :zeek:type:`icmp6_nd_prefix_info` :zeek:attr:`&optional`
+
+      Prefix Information (Type 3).
+
+
+   .. zeek:field:: redirect :zeek:type:`icmp_context` :zeek:attr:`&optional`
+
+      Redirected header (Type 4).  This field contains the context of the
+      original, redirected packet.
+
+
+   .. zeek:field:: mtu :zeek:type:`count` :zeek:attr:`&optional`
+
+      Recommended MTU for the link (Type 5).
+
+
+   .. zeek:field:: payload :zeek:type:`string` :zeek:attr:`&optional`
+
+      The raw data of the option (everything after type & length fields),
+      useful for unknown option types or when the full option payload is
+      truncated in the captured packet.  In those cases, option fields
+      won't be pre-extracted into the fields above.
+
+
+   Options extracted from ICMPv6 neighbor discovery messages as specified
+   by :rfc:`4861`.
+   
+   .. zeek:see:: icmp_router_solicitation icmp_router_advertisement
+      icmp_neighbor_advertisement icmp_neighbor_solicitation icmp_redirect
+      icmp6_nd_options
+
+.. zeek:type:: icmp6_nd_options
+   :source-code: base/init-bare.zeek 330 330
+
+   :Type: :zeek:type:`vector` of :zeek:type:`icmp6_nd_option`
+
+   A type alias for a vector of ICMPv6 neighbor discovery message options.
+
+.. zeek:type:: icmp6_nd_prefix_info
+   :source-code: base/init-bare.zeek 281 298
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: prefix_len :zeek:type:`count`
+
+      Number of leading bits of the *prefix* that are valid.
+
+
+   .. zeek:field:: L_flag :zeek:type:`bool`
+
+      Flag indicating the prefix can be used for on-link determination.
+
+
+   .. zeek:field:: A_flag :zeek:type:`bool`
+
+      Autonomous address-configuration flag.
+
+
+   .. zeek:field:: valid_lifetime :zeek:type:`interval`
+
+      Length of time in seconds that the prefix is valid for purpose of
+      on-link determination (0xffffffff represents infinity).
+
+
+   .. zeek:field:: preferred_lifetime :zeek:type:`interval`
+
+      Length of time in seconds that the addresses generated from the
+      prefix via stateless address autoconfiguration remain preferred
+      (0xffffffff represents infinity).
+
+
+   .. zeek:field:: prefix :zeek:type:`addr`
+
+      An IP address or prefix of an IP address.  Use the *prefix_len* field
+      to convert this into a :zeek:type:`subnet`.
+
+
+   Values extracted from a Prefix Information option in an ICMPv6 neighbor
+   discovery message as specified by :rfc:`4861`.
+   
+   .. zeek:see:: icmp6_nd_option
+
+.. zeek:type:: icmp_context
+   :source-code: base/init-bare.zeek 262 275
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`conn_id`
+
+      The packet's 4-tuple.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      The length of the IP packet (headers + payload).
+
+
+   .. zeek:field:: proto :zeek:type:`count`
+
+      The packet's transport-layer protocol.
+
+
+   .. zeek:field:: frag_offset :zeek:type:`count`
+
+      The packet's fragmentation offset.
+
+
+   .. zeek:field:: bad_hdr_len :zeek:type:`bool`
+
+      True if the packet's IP header is not fully included in the context
+      or if there is not enough of the transport header to determine source
+      and destination ports. If that is the case, the appropriate fields
+      of this record will be set to null values.
+
+
+   .. zeek:field:: bad_checksum :zeek:type:`bool`
+
+      True if the packet's IP checksum is not correct.
+
+
+   .. zeek:field:: MF :zeek:type:`bool`
+
+      True if the packet's *more fragments* flag is set.
+
+
+   .. zeek:field:: DF :zeek:type:`bool`
+
+      True if the packet's *don't fragment* flag is set.
+
+
+   Packet context part of an ICMP message. The fields of this record reflect the
+   packet that is described by the context.
+   
+   .. zeek:see:: icmp_time_exceeded icmp_unreachable
+
+.. zeek:type:: icmp_hdr
+   :source-code: base/init-bare.zeek 2262 2264
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: icmp_type :zeek:type:`count`
+
+      type of message
+
+
+   Values extracted from an ICMP header.
+   
+   .. zeek:see:: pkt_hdr discarder_check_icmp
+
+.. zeek:type:: icmp_info
+   :source-code: base/init-bare.zeek 250 256
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: v6 :zeek:type:`bool`
+
+      True if it's an ICMPv6 packet.
+
+
+   .. zeek:field:: itype :zeek:type:`count`
+
+      The ICMP type of the current packet.
+
+
+   .. zeek:field:: icode :zeek:type:`count`
+
+      The ICMP code of the current packet.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      The length of the ICMP payload.
+
+
+   .. zeek:field:: ttl :zeek:type:`count`
+
+      The encapsulating IP header's TTL (IPv4) or Hop Limit (IPv6).
+
+
+   Specifics about an ICMP conversation/packet.
+   ICMP events typically pass this in addition to :zeek:type:`conn_id`.
+   
+   .. zeek:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
+      icmp_time_exceeded icmp_unreachable
+
+.. zeek:type:: id_table
+   :source-code: base/init-bare.zeek 1289 1289
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`script_id`
+
+   Table type used to map script-level identifiers to meta-information
+   describing them.
+   
+   .. zeek:see:: global_ids script_id
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: index_vec
+   :source-code: base/init-bare.zeek 54 54
+
+   :Type: :zeek:type:`vector` of :zeek:type:`count`
+
+   A vector of counts, used by some builtin functions to store a list of indices.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: int_vec
+   :source-code: base/init-bare.zeek 61 61
+
+   :Type: :zeek:type:`vector` of :zeek:type:`int`
+
+   A vector of integers, used by telemetry builtin functions to store histogram bounds.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: interval_set
+   :source-code: base/init-bare.zeek 132 132
+
+   :Type: :zeek:type:`set` [:zeek:type:`interval`]
+
+   A set of intervals.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: ip4_hdr
+   :source-code: base/init-bare.zeek 2209 2222
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: hl :zeek:type:`count`
+
+      Header length in bytes.
+
+
+   .. zeek:field:: tos :zeek:type:`count`
+
+      Type of service.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Total length.
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+      Identification.
+
+
+   .. zeek:field:: DF :zeek:type:`bool`
+
+      True if the packet's *don't fragment* flag is set.
+
+
+   .. zeek:field:: MF :zeek:type:`bool`
+
+      True if the packet's *more fragments* flag is set.
+
+
+   .. zeek:field:: offset :zeek:type:`count`
+
+      Fragment offset.
+
+
+   .. zeek:field:: ttl :zeek:type:`count`
+
+      Time to live.
+
+
+   .. zeek:field:: p :zeek:type:`count`
+
+      Protocol.
+
+
+   .. zeek:field:: sum :zeek:type:`count`
+
+      Checksum.
+
+
+   .. zeek:field:: src :zeek:type:`addr`
+
+      Source address.
+
+
+   .. zeek:field:: dst :zeek:type:`addr`
+
+      Destination address.
+
+
+   Values extracted from an IPv4 header.
+   
+   .. zeek:see:: pkt_hdr ip6_hdr discarder_check_ip
+
+.. zeek:type:: ip6_ah
+   :source-code: base/init-bare.zeek 1983 1997
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nxt :zeek:type:`count`
+
+      Protocol number of the next header (RFC 1700 et seq., IANA assigned
+      number), e.g. :zeek:id:`IPPROTO_ICMP`.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Length of header in 4-octet units, excluding first two units.
+
+
+   .. zeek:field:: rsv :zeek:type:`count`
+
+      Reserved field.
+
+
+   .. zeek:field:: spi :zeek:type:`count`
+
+      Security Parameter Index.
+
+
+   .. zeek:field:: seq :zeek:type:`count` :zeek:attr:`&optional`
+
+      Sequence number, unset in the case that *len* field is zero.
+
+
+   .. zeek:field:: data :zeek:type:`string` :zeek:attr:`&optional`
+
+      Authentication data, unset in the case that *len* field is zero.
+
+
+   Values extracted from an IPv6 Authentication extension header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+
+.. zeek:type:: ip6_dstopts
+   :source-code: base/init-bare.zeek 1934 1942
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nxt :zeek:type:`count`
+
+      Protocol number of the next header (RFC 1700 et seq., IANA assigned
+      number), e.g. :zeek:id:`IPPROTO_ICMP`.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Length of header in 8-octet units, excluding first unit.
+
+
+   .. zeek:field:: options :zeek:type:`ip6_options`
+
+      The TLV encoded options;
+
+
+   Values extracted from an IPv6 Destination options extension header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
+
+.. zeek:type:: ip6_esp
+   :source-code: base/init-bare.zeek 2002 2007
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: spi :zeek:type:`count`
+
+      Security Parameters Index.
+
+
+   .. zeek:field:: seq :zeek:type:`count`
+
+      Sequence number.
+
+
+   Values extracted from an IPv6 ESP extension header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+
+.. zeek:type:: ip6_ext_hdr
+   :source-code: base/init-bare.zeek 2166 2184
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+      The RFC 1700 et seq. IANA assigned number identifying the type of
+      the extension header.
+
+
+   .. zeek:field:: hopopts :zeek:type:`ip6_hopopts` :zeek:attr:`&optional`
+
+      Hop-by-hop option extension header.
+
+
+   .. zeek:field:: dstopts :zeek:type:`ip6_dstopts` :zeek:attr:`&optional`
+
+      Destination option extension header.
+
+
+   .. zeek:field:: routing :zeek:type:`ip6_routing` :zeek:attr:`&optional`
+
+      Routing extension header.
+
+
+   .. zeek:field:: fragment :zeek:type:`ip6_fragment` :zeek:attr:`&optional`
+
+      Fragment header.
+
+
+   .. zeek:field:: ah :zeek:type:`ip6_ah` :zeek:attr:`&optional`
+
+      Authentication extension header.
+
+
+   .. zeek:field:: esp :zeek:type:`ip6_esp` :zeek:attr:`&optional`
+
+      Encapsulating security payload header.
+
+
+   .. zeek:field:: mobility :zeek:type:`ip6_mobility_hdr` :zeek:attr:`&optional`
+
+      Mobility header.
+
+
+   A general container for a more specific IPv6 extension header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment
+      ip6_ah ip6_esp
+
+.. zeek:type:: ip6_ext_hdr_chain
+   :source-code: base/init-bare.zeek 2187 2187
+
+   :Type: :zeek:type:`vector` of :zeek:type:`ip6_ext_hdr`
+
+   A type alias for a vector of IPv6 extension headers.
+
+.. zeek:type:: ip6_fragment
+   :source-code: base/init-bare.zeek 1964 1978
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nxt :zeek:type:`count`
+
+      Protocol number of the next header (RFC 1700 et seq., IANA assigned
+      number), e.g. :zeek:id:`IPPROTO_ICMP`.
+
+
+   .. zeek:field:: rsv1 :zeek:type:`count`
+
+      8-bit reserved field.
+
+
+   .. zeek:field:: offset :zeek:type:`count`
+
+      Fragmentation offset.
+
+
+   .. zeek:field:: rsv2 :zeek:type:`count`
+
+      2-bit reserved field.
+
+
+   .. zeek:field:: more :zeek:type:`bool`
+
+      More fragments.
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+      Fragment identification.
+
+
+   Values extracted from an IPv6 Fragment extension header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+
+.. zeek:type:: ip6_hdr
+   :source-code: base/init-bare.zeek 2193 2204
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: class :zeek:type:`count`
+
+      Traffic class.
+
+
+   .. zeek:field:: flow :zeek:type:`count`
+
+      Flow label.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Payload length.
+
+
+   .. zeek:field:: nxt :zeek:type:`count`
+
+      Protocol number of the next header
+      (RFC 1700 et seq., IANA assigned number)
+      e.g. :zeek:id:`IPPROTO_ICMP`.
+
+
+   .. zeek:field:: hlim :zeek:type:`count`
+
+      Hop limit.
+
+
+   .. zeek:field:: src :zeek:type:`addr`
+
+      Source address.
+
+
+   .. zeek:field:: dst :zeek:type:`addr`
+
+      Destination address.
+
+
+   .. zeek:field:: exts :zeek:type:`ip6_ext_hdr_chain`
+
+      Extension header chain.
+
+
+   Values extracted from an IPv6 header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts
+      ip6_routing ip6_fragment ip6_ah ip6_esp
+
+.. zeek:type:: ip6_hopopts
+   :source-code: base/init-bare.zeek 1921 1929
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nxt :zeek:type:`count`
+
+      Protocol number of the next header (RFC 1700 et seq., IANA assigned
+      number), e.g. :zeek:id:`IPPROTO_ICMP`.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Length of header in 8-octet units, excluding first unit.
+
+
+   .. zeek:field:: options :zeek:type:`ip6_options`
+
+      The TLV encoded options;
+
+
+   Values extracted from an IPv6 Hop-by-Hop options extension header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
+
+.. zeek:type:: ip6_mobility_back
+   :source-code: base/init-bare.zeek 2094 2105
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: status :zeek:type:`count`
+
+      Status.
+
+
+   .. zeek:field:: k :zeek:type:`bool`
+
+      Key Management Mobility Capability.
+
+
+   .. zeek:field:: seq :zeek:type:`count`
+
+      Sequence number.
+
+
+   .. zeek:field:: life :zeek:type:`count`
+
+      Lifetime.
+
+
+   .. zeek:field:: options :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+      Mobility Options.
+
+
+   Values extracted from an IPv6 Mobility Binding Acknowledgement message.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+
+.. zeek:type:: ip6_mobility_be
+   :source-code: base/init-bare.zeek 2110 2117
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: status :zeek:type:`count`
+
+      Status.
+
+
+   .. zeek:field:: hoa :zeek:type:`addr`
+
+      Home Address.
+
+
+   .. zeek:field:: options :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+      Mobility Options.
+
+
+   Values extracted from an IPv6 Mobility Binding Error message.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+
+.. zeek:type:: ip6_mobility_brr
+   :source-code: base/init-bare.zeek 2012 2017
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: rsv :zeek:type:`count`
+
+      Reserved.
+
+
+   .. zeek:field:: options :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+      Mobility Options.
+
+
+   Values extracted from an IPv6 Mobility Binding Refresh Request message.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+
+.. zeek:type:: ip6_mobility_bu
+   :source-code: base/init-bare.zeek 2074 2089
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: seq :zeek:type:`count`
+
+      Sequence number.
+
+
+   .. zeek:field:: a :zeek:type:`bool`
+
+      Acknowledge bit.
+
+
+   .. zeek:field:: h :zeek:type:`bool`
+
+      Home Registration bit.
+
+
+   .. zeek:field:: l :zeek:type:`bool`
+
+      Link-Local Address Compatibility bit.
+
+
+   .. zeek:field:: k :zeek:type:`bool`
+
+      Key Management Mobility Capability bit.
+
+
+   .. zeek:field:: life :zeek:type:`count`
+
+      Lifetime.
+
+
+   .. zeek:field:: options :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+      Mobility Options.
+
+
+   Values extracted from an IPv6 Mobility Binding Update message.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+
+.. zeek:type:: ip6_mobility_cot
+   :source-code: base/init-bare.zeek 2060 2069
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nonce_idx :zeek:type:`count`
+
+      Care-of Nonce Index.
+
+
+   .. zeek:field:: cookie :zeek:type:`count`
+
+      Care-of Init Cookie.
+
+
+   .. zeek:field:: token :zeek:type:`count`
+
+      Care-of Keygen Token.
+
+
+   .. zeek:field:: options :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+      Mobility Options.
+
+
+   Values extracted from an IPv6 Mobility Care-of Test message.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+
+.. zeek:type:: ip6_mobility_coti
+   :source-code: base/init-bare.zeek 2034 2041
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: rsv :zeek:type:`count`
+
+      Reserved.
+
+
+   .. zeek:field:: cookie :zeek:type:`count`
+
+      Care-of Init Cookie.
+
+
+   .. zeek:field:: options :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+      Mobility Options.
+
+
+   Values extracted from an IPv6 Mobility Care-of Test Init message.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+
+.. zeek:type:: ip6_mobility_hdr
+   :source-code: base/init-bare.zeek 2146 2160
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nxt :zeek:type:`count`
+
+      Protocol number of the next header (RFC 1700 et seq., IANA assigned
+      number), e.g. :zeek:id:`IPPROTO_ICMP`.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Length of header in 8-octet units, excluding first unit.
+
+
+   .. zeek:field:: mh_type :zeek:type:`count`
+
+      Mobility header type used to identify header's the message.
+
+
+   .. zeek:field:: rsv :zeek:type:`count`
+
+      Reserved field.
+
+
+   .. zeek:field:: chksum :zeek:type:`count`
+
+      Mobility header checksum.
+
+
+   .. zeek:field:: msg :zeek:type:`ip6_mobility_msg`
+
+      Mobility header message
+
+
+   Values extracted from an IPv6 Mobility header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+
+.. zeek:type:: ip6_mobility_hot
+   :source-code: base/init-bare.zeek 2046 2055
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nonce_idx :zeek:type:`count`
+
+      Home Nonce Index.
+
+
+   .. zeek:field:: cookie :zeek:type:`count`
+
+      Home Init Cookie.
+
+
+   .. zeek:field:: token :zeek:type:`count`
+
+      Home Keygen Token.
+
+
+   .. zeek:field:: options :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+      Mobility Options.
+
+
+   Values extracted from an IPv6 Mobility Home Test message.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+
+.. zeek:type:: ip6_mobility_hoti
+   :source-code: base/init-bare.zeek 2022 2029
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: rsv :zeek:type:`count`
+
+      Reserved.
+
+
+   .. zeek:field:: cookie :zeek:type:`count`
+
+      Home Init Cookie.
+
+
+   .. zeek:field:: options :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+      Mobility Options.
+
+
+   Values extracted from an IPv6 Mobility Home Test Init message.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
+
+.. zeek:type:: ip6_mobility_msg
+   :source-code: base/init-bare.zeek 2122 2141
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+      The type of message from the header's MH Type field.
+
+
+   .. zeek:field:: brr :zeek:type:`ip6_mobility_brr` :zeek:attr:`&optional`
+
+      Binding Refresh Request.
+
+
+   .. zeek:field:: hoti :zeek:type:`ip6_mobility_hoti` :zeek:attr:`&optional`
+
+      Home Test Init.
+
+
+   .. zeek:field:: coti :zeek:type:`ip6_mobility_coti` :zeek:attr:`&optional`
+
+      Care-of Test Init.
+
+
+   .. zeek:field:: hot :zeek:type:`ip6_mobility_hot` :zeek:attr:`&optional`
+
+      Home Test.
+
+
+   .. zeek:field:: cot :zeek:type:`ip6_mobility_cot` :zeek:attr:`&optional`
+
+      Care-of Test.
+
+
+   .. zeek:field:: bu :zeek:type:`ip6_mobility_bu` :zeek:attr:`&optional`
+
+      Binding Update.
+
+
+   .. zeek:field:: back :zeek:type:`ip6_mobility_back` :zeek:attr:`&optional`
+
+      Binding Acknowledgement.
+
+
+   .. zeek:field:: be :zeek:type:`ip6_mobility_be` :zeek:attr:`&optional`
+
+      Binding Error.
+
+
+   Values extracted from an IPv6 Mobility header's message data.
+   
+   .. zeek:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr
+
+.. zeek:type:: ip6_option
+   :source-code: base/init-bare.zeek 1909 1913
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: otype :zeek:type:`count`
+
+      Option type.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Option data length.
+
+
+   .. zeek:field:: data :zeek:type:`string`
+
+      Option data.
+
+
+   Values extracted from an IPv6 extension header's (e.g. hop-by-hop or
+   destination option headers) option field.
+   
+   .. zeek:see:: ip6_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts
+
+.. zeek:type:: ip6_options
+   :source-code: base/init-bare.zeek 1916 1916
+
+   :Type: :zeek:type:`vector` of :zeek:type:`ip6_option`
+
+   A type alias for a vector of IPv6 options.
+
+.. zeek:type:: ip6_routing
+   :source-code: base/init-bare.zeek 1947 1959
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nxt :zeek:type:`count`
+
+      Protocol number of the next header (RFC 1700 et seq., IANA assigned
+      number), e.g. :zeek:id:`IPPROTO_ICMP`.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Length of header in 8-octet units, excluding first unit.
+
+
+   .. zeek:field:: rtype :zeek:type:`count`
+
+      Routing type.
+
+
+   .. zeek:field:: segleft :zeek:type:`count`
+
+      Segments left.
+
+
+   .. zeek:field:: data :zeek:type:`string`
+
+      Type-specific data.
+
+
+   Values extracted from an IPv6 Routing extension header.
+   
+   .. zeek:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
+
+.. zeek:type:: irc_join_info
+   :source-code: base/init-bare.zeek 3214 3219
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nick :zeek:type:`string`
+
+
+   .. zeek:field:: channel :zeek:type:`string`
+
+
+   .. zeek:field:: password :zeek:type:`string`
+
+
+   .. zeek:field:: usermode :zeek:type:`string`
+
+
+   IRC join information.
+   
+   .. zeek:see:: irc_join_list
+
+.. zeek:type:: irc_join_list
+   :source-code: base/init-bare.zeek 3224 3224
+
+   :Type: :zeek:type:`set` [:zeek:type:`irc_join_info`]
+
+   Set of IRC join information.
+   
+   .. zeek:see:: irc_join_message
+
+.. zeek:type:: l2_hdr
+   :source-code: base/init-bare.zeek 2280 2290
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: encap :zeek:type:`link_encap`
+
+      L2 link encapsulation.
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      Total frame length on wire.
+
+
+   .. zeek:field:: cap_len :zeek:type:`count`
+
+      Captured length.
+
+
+   .. zeek:field:: src :zeek:type:`string` :zeek:attr:`&optional`
+
+      L2 source (if Ethernet).
+
+
+   .. zeek:field:: dst :zeek:type:`string` :zeek:attr:`&optional`
+
+      L2 destination (if Ethernet).
+
+
+   .. zeek:field:: vlan :zeek:type:`count` :zeek:attr:`&optional`
+
+      Outermost VLAN tag if any (and Ethernet).
+
+
+   .. zeek:field:: inner_vlan :zeek:type:`count` :zeek:attr:`&optional`
+
+      Innermost VLAN tag if any (and Ethernet).
+
+
+   .. zeek:field:: eth_type :zeek:type:`count` :zeek:attr:`&optional`
+
+      Innermost Ethertype (if Ethernet).
+
+
+   .. zeek:field:: proto :zeek:type:`layer3_proto`
+
+      L3 protocol.
+
+
+   Values extracted from the layer 2 header.
+   
+   .. zeek:see:: pkt_hdr
+
+.. zeek:type:: mime_header_list
+   :source-code: base/init-bare.zeek 2743 2743
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`mime_header_rec`
+
+   A list of MIME headers.
+   
+   .. zeek:see:: mime_header_rec http_all_headers mime_all_headers
+
+.. zeek:type:: mime_header_rec
+   :source-code: base/init-bare.zeek 2734 2738
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: original_name :zeek:type:`string`
+
+      The header name (unaltered).
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      The header name (converted to all upper-case).
+
+
+   .. zeek:field:: value :zeek:type:`string`
+
+      The header value.
+
+
+   A MIME header key/value pair.
+   
+   .. zeek:see:: mime_header_list http_all_headers mime_all_headers mime_one_header
+
+.. zeek:type:: mime_match
+   :source-code: base/init-bare.zeek 145 150
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: strength :zeek:type:`int`
+
+      How strongly the signature matched.  Used for
+      prioritization when multiple file magic signatures
+      match.
+
+
+   .. zeek:field:: mime :zeek:type:`string`
+
+      The MIME type of the file magic signature match.
+
+
+   A structure indicating a MIME type and strength of a match against
+   file magic signatures.
+   
+   :zeek:see:`file_magic`
+
+.. zeek:type:: mime_matches
+   :source-code: base/init-bare.zeek 156 156
+
+   :Type: :zeek:type:`vector` of :zeek:type:`mime_match`
+
+   A vector of file magic signature matches, ordered by strength of
+   the signature, strongest first.
+   
+   :zeek:see:`file_magic`
+
+.. zeek:type:: pcap_packet
+   :source-code: base/init-bare.zeek 1498 1505
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts_sec :zeek:type:`count`
+
+      The non-fractional part of the packet's timestamp (i.e., full seconds since the epoch).
+
+
+   .. zeek:field:: ts_usec :zeek:type:`count`
+
+      The fractional part of the packet's timestamp.
+
+
+   .. zeek:field:: caplen :zeek:type:`count`
+
+      The number of bytes captured (<= *len*).
+
+
+   .. zeek:field:: len :zeek:type:`count`
+
+      The length of the packet in bytes, including link-level header.
+
+
+   .. zeek:field:: data :zeek:type:`string`
+
+      The payload of the packet, including link-level header.
+
+
+   .. zeek:field:: link_type :zeek:type:`link_encap`
+
+      Layer 2 link encapsulation type.
+
+
+   Policy-level representation of a packet passed on by libpcap. The data
+   includes the complete packet as returned by libpcap, including the link-layer
+   header.
+   
+   .. zeek:see:: dump_packet get_current_packet
+
+.. zeek:type:: pkt_hdr
+   :source-code: base/init-bare.zeek 2269 2275
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ip :zeek:type:`ip4_hdr` :zeek:attr:`&optional`
+
+      The IPv4 header if an IPv4 packet.
+
+
+   .. zeek:field:: ip6 :zeek:type:`ip6_hdr` :zeek:attr:`&optional`
+
+      The IPv6 header if an IPv6 packet.
+
+
+   .. zeek:field:: tcp :zeek:type:`tcp_hdr` :zeek:attr:`&optional`
+
+      The TCP header if a TCP packet.
+
+
+   .. zeek:field:: udp :zeek:type:`udp_hdr` :zeek:attr:`&optional`
+
+      The UDP header if a UDP packet.
+
+
+   .. zeek:field:: icmp :zeek:type:`icmp_hdr` :zeek:attr:`&optional`
+
+      The ICMP header if an ICMP packet.
+
+
+   A packet header, consisting of an IP header and transport-layer header.
+   
+   .. zeek:see:: new_packet
+
+.. zeek:type:: pkt_profile_modes
+   :source-code: base/init-bare.zeek 2836 2842
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: PKT_PROFILE_MODE_NONE pkt_profile_modes
+
+         No output.
+
+      .. zeek:enum:: PKT_PROFILE_MODE_SECS pkt_profile_modes
+
+         Output every :zeek:see:`pkt_profile_freq` seconds.
+
+      .. zeek:enum:: PKT_PROFILE_MODE_PKTS pkt_profile_modes
+
+         Output every :zeek:see:`pkt_profile_freq` packets.
+
+      .. zeek:enum:: PKT_PROFILE_MODE_BYTES pkt_profile_modes
+
+         Output every :zeek:see:`pkt_profile_freq` bytes.
+
+   Output modes for packet profiling information.
+   
+   .. zeek:see:: pkt_profile_mode pkt_profile_freq pkt_profile_file
+
+.. zeek:type:: plugin_component_vec
+   :source-code: base/init-bare.zeek 396 396
+
+   :Type: :zeek:type:`vector` of :zeek:type:`PluginComponent`
+
+
+.. zeek:type:: pm_callit_request
+   :source-code: base/init-bare.zeek 2781 2786
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: program :zeek:type:`count`
+
+      The RPC program.
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      The program version.
+
+
+   .. zeek:field:: proc :zeek:type:`count`
+
+      The procedure being called.
+
+
+   .. zeek:field:: arg_size :zeek:type:`count`
+
+      The size of the argument.
+
+
+   An RPC portmapper *callit* request.
+   
+   .. zeek:see:: pm_attempt_callit pm_request_callit
+
+.. zeek:type:: pm_mapping
+   :source-code: base/init-bare.zeek 2758 2762
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: program :zeek:type:`count`
+
+      The RPC program.
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      The program version.
+
+
+   .. zeek:field:: p :zeek:type:`port`
+
+      The port.
+
+
+   An RPC portmapper mapping.
+   
+   .. zeek:see:: pm_mappings
+
+.. zeek:type:: pm_mappings
+   :source-code: base/init-bare.zeek 2767 2767
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`pm_mapping`
+
+   Table of RPC portmapper mappings.
+   
+   .. zeek:see:: pm_request_dump
+
+.. zeek:type:: pm_port_request
+   :source-code: base/init-bare.zeek 2772 2776
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: program :zeek:type:`count`
+
+      The RPC program.
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      The program version.
+
+
+   .. zeek:field:: is_tcp :zeek:type:`bool`
+
+      True if using TCP.
+
+
+   An RPC portmapper request.
+   
+   .. zeek:see:: pm_attempt_getport pm_request_getport
+
+.. zeek:type:: psk_identity_vec
+   :source-code: base/init-bare.zeek 5082 5082
+
+   :Type: :zeek:type:`vector` of :zeek:type:`SSL::PSKIdentity`
+
+
+.. zeek:type:: raw_pkt_hdr
+   :source-code: base/init-bare.zeek 2296 2303
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: l2 :zeek:type:`l2_hdr`
+
+      The layer 2 header.
+
+
+   .. zeek:field:: ip :zeek:type:`ip4_hdr` :zeek:attr:`&optional`
+
+      The IPv4 header if an IPv4 packet.
+
+
+   .. zeek:field:: ip6 :zeek:type:`ip6_hdr` :zeek:attr:`&optional`
+
+      The IPv6 header if an IPv6 packet.
+
+
+   .. zeek:field:: tcp :zeek:type:`tcp_hdr` :zeek:attr:`&optional`
+
+      The TCP header if a TCP packet.
+
+
+   .. zeek:field:: udp :zeek:type:`udp_hdr` :zeek:attr:`&optional`
+
+      The UDP header if a UDP packet.
+
+
+   .. zeek:field:: icmp :zeek:type:`icmp_hdr` :zeek:attr:`&optional`
+
+      The ICMP header if an ICMP packet.
+
+
+   A raw packet header, consisting of L2 header and everything in
+   :zeek:see:`pkt_hdr`. .
+   
+   .. zeek:see:: raw_packet pkt_hdr
+
+.. zeek:type:: record_field
+   :source-code: base/init-bare.zeek 1294 1302
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: type_name :zeek:type:`string`
+
+      The name of the field's type.
+
+
+   .. zeek:field:: log :zeek:type:`bool`
+
+      True if the field is declared with :zeek:attr:`&log` attribute.
+
+
+   .. zeek:field:: value :zeek:type:`any` :zeek:attr:`&optional`
+
+      The current value of the field in the record instance passed into
+      :zeek:see:`record_fields` (if it has one).
+
+
+   .. zeek:field:: default_val :zeek:type:`any` :zeek:attr:`&optional`
+
+      The value of the :zeek:attr:`&default` attribute if defined.
+
+
+   .. zeek:field:: optional :zeek:type:`bool`
+
+      True if the field is :zeek:attr:`&optional`, else false.
+
+
+   Meta-information about a record field.
+   
+   .. zeek:see:: record_fields record_field_table
+
+.. zeek:type:: record_field_table
+   :source-code: base/init-bare.zeek 1312 1312
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`record_field`
+
+   Table type used to map record field declarations to meta-information
+   describing them.
+   
+   .. zeek:see:: record_fields record_field
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: rotate_info
+   :source-code: base/init-bare.zeek 1435 1440
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: old_name :zeek:type:`string`
+
+      Original filename.
+
+
+   .. zeek:field:: new_name :zeek:type:`string`
+
+      File name after rotation.
+
+
+   .. zeek:field:: open :zeek:type:`time`
+
+      Time when opened.
+
+
+   .. zeek:field:: close :zeek:type:`time`
+
+      Time when closed.
+
+
+   .. zeek:see:: rotate_file rotate_file_by_name
+
+.. zeek:type:: script_id
+   :source-code: base/init-bare.zeek 1270 1279
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: type_name :zeek:type:`string`
+
+      The name of the identifier's type.
+
+
+   .. zeek:field:: exported :zeek:type:`bool`
+
+      True if the identifier is exported.
+
+
+   .. zeek:field:: constant :zeek:type:`bool`
+
+      True if the identifier is a constant.
+
+
+   .. zeek:field:: enum_constant :zeek:type:`bool`
+
+      True if the identifier is an enum value.
+
+
+   .. zeek:field:: option_value :zeek:type:`bool`
+
+      True if the identifier is an option.
+
+
+   .. zeek:field:: redefinable :zeek:type:`bool`
+
+      True if the identifier is declared with the :zeek:attr:`&redef` attribute.
+
+
+   .. zeek:field:: broker_backend :zeek:type:`bool`
+
+      True if the identifier has a Broker backend defined using the :zeek:attr:`&backend` attribute.
+
+
+   .. zeek:field:: value :zeek:type:`any` :zeek:attr:`&optional`
+
+      The current value of the identifier.
+
+
+   Meta-information about a script-level identifier.
+   
+   .. zeek:see:: global_ids id_table
+
+.. zeek:type:: signature_and_hashalgorithm_vec
+   :source-code: base/init-bare.zeek 5080 5080
+
+   :Type: :zeek:type:`vector` of :zeek:type:`SSL::SignatureAndHashAlgorithm`
+
+   A vector of Signature and Hash Algorithms.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: signature_state
+   :source-code: base/init-bare.zeek 3229 3234
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: sig_id :zeek:type:`string`
+
+      ID of the matching signature.
+
+
+   .. zeek:field:: conn :zeek:type:`connection`
+
+      Matching connection.
+
+
+   .. zeek:field:: is_orig :zeek:type:`bool`
+
+      True if matching endpoint is originator.
+
+
+   .. zeek:field:: payload_size :zeek:type:`count`
+
+      Payload size of the first matching packet of current endpoint.
+
+
+   Description of a signature match.
+   
+   .. zeek:see:: signature_match
+
+.. zeek:type:: string_any_file_hook
+   :source-code: base/init-bare.zeek 976 976
+
+   :Type: :zeek:type:`hook` (f: :zeek:type:`fa_file`, e: :zeek:type:`any`, str: :zeek:type:`string`) : :zeek:type:`bool`
+
+   A hook taking a fa_file, an any, and a string. Used by the X509 analyzer as callback.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: string_any_table
+   :source-code: base/init-bare.zeek 19 19
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`any`
+
+   A string-table of any.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: string_array
+   :source-code: base/init-bare.zeek 12 12
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+
+   An ordered array of strings. The entries are indexed by successive numbers.
+   Note that it depends on the usage whether the first index is zero or one.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: string_mapper
+   :source-code: base/init-bare.zeek 139 139
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string`
+
+   Function mapping a string to a string.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: string_set
+   :source-code: base/init-bare.zeek 26 26
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+
+   A set of strings.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: string_vec
+   :source-code: base/init-bare.zeek 90 90
+
+   :Type: :zeek:type:`vector` of :zeek:type:`string`
+
+   A vector of strings.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: subnet_set
+   :source-code: base/init-bare.zeek 33 33
+
+   :Type: :zeek:type:`set` [:zeek:type:`subnet`]
+
+   A set of subnets.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: subnet_vec
+   :source-code: base/init-bare.zeek 75 75
+
+   :Type: :zeek:type:`vector` of :zeek:type:`subnet`
+
+   A vector of subnets.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: sw_align
+   :source-code: base/init-bare.zeek 1464 1467
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: str :zeek:type:`string`
+
+      String a substring is part of.
+
+
+   .. zeek:field:: index :zeek:type:`count`
+
+      Offset substring is located.
+
+
+   Helper type for return value of Smith-Waterman algorithm.
+   
+   .. zeek:see:: str_smith_waterman sw_substring_vec sw_substring sw_align_vec sw_params
+
+.. zeek:type:: sw_align_vec
+   :source-code: base/init-bare.zeek 1472 1472
+
+   :Type: :zeek:type:`vector` of :zeek:type:`sw_align`
+
+   Helper type for return value of Smith-Waterman algorithm.
+   
+   .. zeek:see:: str_smith_waterman sw_substring_vec sw_substring sw_align sw_params
+
+.. zeek:type:: sw_params
+   :source-code: base/init-bare.zeek 1453 1459
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: min_strlen :zeek:type:`count` :zeek:attr:`&default` = ``3`` :zeek:attr:`&optional`
+
+      Minimum size of a substring, minimum "granularity".
+
+
+   .. zeek:field:: sw_variant :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Smith-Waterman flavor to use.
+
+
+   Parameters for the Smith-Waterman algorithm.
+   
+   .. zeek:see:: str_smith_waterman
+
+.. zeek:type:: sw_substring
+   :source-code: base/init-bare.zeek 1478 1482
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: str :zeek:type:`string`
+
+      A substring.
+
+
+   .. zeek:field:: aligns :zeek:type:`sw_align_vec`
+
+      All strings of which it's a substring.
+
+
+   .. zeek:field:: new :zeek:type:`bool`
+
+      True if start of new alignment.
+
+
+   Helper type for return value of Smith-Waterman algorithm.
+   
+   .. zeek:see:: str_smith_waterman sw_substring_vec sw_align_vec sw_align sw_params
+   
+
+.. zeek:type:: sw_substring_vec
+   :source-code: base/init-bare.zeek 1491 1491
+
+   :Type: :zeek:type:`vector` of :zeek:type:`sw_substring`
+
+   Return type for Smith-Waterman algorithm.
+   
+   .. zeek:see:: str_smith_waterman sw_substring sw_align_vec sw_align sw_params
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: table_string_of_count
+   :source-code: base/init-bare.zeek 118 118
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`count`
+
+   A table of counts indexed by strings.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: table_string_of_string
+   :source-code: base/init-bare.zeek 111 111
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+
+   A table of strings indexed by strings.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: tcp_hdr
+   :source-code: base/init-bare.zeek 2238 2248
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: sport :zeek:type:`port`
+
+      source port.
+
+
+   .. zeek:field:: dport :zeek:type:`port`
+
+      destination port
+
+
+   .. zeek:field:: seq :zeek:type:`count`
+
+      sequence number
+
+
+   .. zeek:field:: ack :zeek:type:`count`
+
+      acknowledgement number
+
+
+   .. zeek:field:: hl :zeek:type:`count`
+
+      header length (in bytes)
+
+
+   .. zeek:field:: dl :zeek:type:`count`
+
+      data length (xxx: not in original tcphdr!)
+
+
+   .. zeek:field:: reserved :zeek:type:`count`
+
+      The "reserved" 4 bits after the "data offset" field.
+
+
+   .. zeek:field:: flags :zeek:type:`count`
+
+      The 8 bits of flags after the "reserved" field.
+
+
+   .. zeek:field:: win :zeek:type:`count`
+
+      window
+
+
+   Values extracted from a TCP header.
+   
+   .. zeek:see:: pkt_hdr discarder_check_tcp
+
+.. zeek:type:: teredo_auth
+   :source-code: base/init-bare.zeek 2310 2318
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`string`
+
+      Teredo client identifier.
+
+
+   .. zeek:field:: value :zeek:type:`string`
+
+      HMAC-SHA1 over shared secret key between client and
+      server, nonce, confirmation byte, origin indication
+      (if present), and the IPv6 packet.
+
+
+   .. zeek:field:: nonce :zeek:type:`count`
+
+      Nonce chosen by Teredo client to be repeated by
+      Teredo server.
+
+
+   .. zeek:field:: confirm :zeek:type:`count`
+
+      Confirmation byte to be set to 0 by Teredo client
+      and non-zero by server if client needs new key.
+
+
+   A Teredo origin indication header.  See :rfc:`4380` for more information
+   about the Teredo protocol.
+   
+   .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication
+      teredo_hdr
+
+.. zeek:type:: teredo_hdr
+   :source-code: base/init-bare.zeek 2335 2339
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: auth :zeek:type:`teredo_auth` :zeek:attr:`&optional`
+
+      Teredo authentication header.
+
+
+   .. zeek:field:: origin :zeek:type:`teredo_origin` :zeek:attr:`&optional`
+
+      Teredo origin indication header.
+
+
+   .. zeek:field:: hdr :zeek:type:`pkt_hdr`
+
+      IPv6 and transport protocol headers.
+
+
+   A Teredo packet header.  See :rfc:`4380` for more information about the
+   Teredo protocol.
+   
+   .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication
+
+.. zeek:type:: teredo_origin
+   :source-code: base/init-bare.zeek 2326 2329
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: p :zeek:type:`port`
+
+      Unobfuscated UDP port of Teredo client.
+
+
+   .. zeek:field:: a :zeek:type:`addr`
+
+      Unobfuscated IPv4 address of Teredo client.
+
+
+   A Teredo authentication header.  See :rfc:`4380` for more information
+   about the Teredo protocol.
+   
+   .. zeek:see:: teredo_bubble teredo_origin_indication teredo_authentication
+      teredo_hdr
+
+.. zeek:type:: transport_proto
+   :source-code: base/init-bare.zeek 199 205
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: unknown_transport transport_proto
+
+         An unknown transport-layer protocol.
+
+      .. zeek:enum:: tcp transport_proto
+
+         TCP.
+
+      .. zeek:enum:: udp transport_proto
+
+         UDP.
+
+      .. zeek:enum:: icmp transport_proto
+
+         ICMP.
+
+   A connection's transport-layer protocol. Note that Zeek uses the term
+   "connection" broadly, using flow semantics for ICMP and UDP.
+
+.. zeek:type:: udp_hdr
+   :source-code: base/init-bare.zeek 2253 2257
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: sport :zeek:type:`port`
+
+      source port
+
+
+   .. zeek:field:: dport :zeek:type:`port`
+
+      destination port
+
+
+   .. zeek:field:: ulen :zeek:type:`count`
+
+      udp length
+
+
+   Values extracted from a UDP header.
+   
+   .. zeek:see:: pkt_hdr discarder_check_udp
+
+.. zeek:type:: var_sizes
+   :source-code: base/init-bare.zeek 1265 1265
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`count`
+
+   Table type used to map variable names to their memory allocation.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: x509_opaque_vector
+   :source-code: base/init-bare.zeek 97 97
+
+   :Type: :zeek:type:`vector` of :zeek:type:`opaque` of x509
+
+   A vector of x509 opaques.
+   
+   .. todo:: We need this type definition only for declaring builtin functions
+      via ``bifcl``. We should extend ``bifcl`` to understand composite types
+      directly and then remove this alias.
+
+.. zeek:type:: ConnKey::Tag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: ConnKey::CONNKEY_FIVETUPLE ConnKey::Tag
+
+      .. zeek:enum:: ConnKey::CONNKEY_VLAN_FIVETUPLE ConnKey::Tag
+
+
+Hooks
+#####
+.. zeek:id:: Telemetry::sync
+   :source-code: policy/misc/stats.zeek 145 163
+
+   :Type: :zeek:type:`hook` () : :zeek:type:`bool`
+
+   Telemetry sync hook.
+   
+   This hook is invoked when metrics are requested via functions
+   :zeek:see:`Telemetry::collect_metrics` and :zeek:see:`Telemetry::collect_histogram_metrics`,
+   or just before Zeek collects metrics when being scraped through
+   its Prometheus endpoint.
+   Script writers can use it to synchronize (or mirror) metrics with the
+   telemetry subsystem. For example, when tracking table or value
+   footprints with gauges, the value in question can be set on an actual
+   :zeek:see:`Telemetry::Gauge` instance during execution of this hook.
+   
+   Implementations should be lightweight, this hook may be called
+   multiple times per minute.
+
+Functions
+#########
+.. zeek:id:: add_interface
+   :source-code: base/init-bare.zeek 2533 2539
+
+   :Type: :zeek:type:`function` (iold: :zeek:type:`string`, inew: :zeek:type:`string`) : :zeek:type:`string`
+
+   Internal function.
+
+.. zeek:id:: add_signature_file
+   :source-code: base/init-bare.zeek 2546 2552
+
+   :Type: :zeek:type:`function` (sold: :zeek:type:`string`, snew: :zeek:type:`string`) : :zeek:type:`string`
+
+   Internal function.
+
+.. zeek:id:: discarder_check_icmp
+   :source-code: base/init-bare.zeek 2638 2638
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`pkt_hdr`) : :zeek:type:`bool`
+
+   Function for skipping packets based on their ICMP header. If defined, this
+   function will be called for all ICMP packets before Zeek performs any further
+   analysis. If the function signals to discard a packet, no further processing
+   will be performed on it.
+   
+
+   :param p: The IP and ICMP headers of the considered packet.
+   
+
+   :returns: True if the packet should not be analyzed any further.
+   
+   .. zeek:see:: discarder_check_ip discarder_check_tcp discarder_check_udp
+      discarder_maxlen
+   
+   .. note:: This is very low-level functionality and potentially expensive.
+      Avoid using it.
+
+.. zeek:id:: discarder_check_ip
+   :source-code: base/init-bare.zeek 2586 2586
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`pkt_hdr`) : :zeek:type:`bool`
+
+   Function for skipping packets based on their IP header. If defined, this
+   function will be called for all IP packets before Zeek performs any further
+   analysis. If the function signals to discard a packet, no further processing
+   will be performed on it.
+   
+
+   :param p: The IP header of the considered packet.
+   
+
+   :returns: True if the packet should not be analyzed any further.
+   
+   .. zeek:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp
+      discarder_maxlen
+   
+   .. note:: This is very low-level functionality and potentially expensive.
+      Avoid using it.
+
+.. zeek:id:: discarder_check_tcp
+   :source-code: base/init-bare.zeek 2604 2604
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`pkt_hdr`, d: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Function for skipping packets based on their TCP header. If defined, this
+   function will be called for all TCP packets before Zeek performs any further
+   analysis. If the function signals to discard a packet, no further processing
+   will be performed on it.
+   
+
+   :param p: The IP and TCP headers of the considered packet.
+   
+
+   :param d: Up to :zeek:see:`discarder_maxlen` bytes of the TCP payload.
+   
+
+   :returns: True if the packet should not be analyzed any further.
+   
+   .. zeek:see:: discarder_check_ip discarder_check_udp discarder_check_icmp
+      discarder_maxlen
+   
+   .. note:: This is very low-level functionality and potentially expensive.
+      Avoid using it.
+
+.. zeek:id:: discarder_check_udp
+   :source-code: base/init-bare.zeek 2622 2622
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`pkt_hdr`, d: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Function for skipping packets based on their UDP header. If defined, this
+   function will be called for all UDP packets before Zeek performs any further
+   analysis. If the function signals to discard a packet, no further processing
+   will be performed on it.
+   
+
+   :param p: The IP and UDP headers of the considered packet.
+   
+
+   :param d: Up to :zeek:see:`discarder_maxlen` bytes of the UDP payload.
+   
+
+   :returns: True if the packet should not be analyzed any further.
+   
+   .. zeek:see:: discarder_check_ip discarder_check_tcp discarder_check_icmp
+      discarder_maxlen
+   
+   .. note:: This is very low-level functionality and potentially expensive.
+      Avoid using it.
+
+.. zeek:id:: from_json_default_key_mapper
+   :source-code: base/init-bare.zeek 1568 1571
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string`
+
+   The default JSON key mapper function. Identity function.
+
+.. zeek:id:: max_count
+   :source-code: base/init-bare.zeek 2708 2709
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`count`, b: :zeek:type:`count`) : :zeek:type:`count`
+
+   Returns maximum of two ``count`` values.
+   
+
+   :param a: First value.
+
+   :param b: Second value.
+   
+
+   :returns: The maximum of *a* and *b*.
+
+.. zeek:id:: max_double
+   :source-code: base/init-bare.zeek 2676 2677
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`double`, b: :zeek:type:`double`) : :zeek:type:`double`
+
+   Returns maximum of two ``double`` values.
+   
+
+   :param a: First value.
+
+   :param b: Second value.
+   
+
+   :returns: The maximum of *a* and *b*.
+
+.. zeek:id:: max_interval
+   :source-code: base/init-bare.zeek 2692 2693
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`interval`, b: :zeek:type:`interval`) : :zeek:type:`interval`
+
+   Returns maximum of two ``interval`` values.
+   
+
+   :param a: First value.
+
+   :param b: Second value.
+   
+
+   :returns: The maximum of *a* and *b*.
+
+.. zeek:id:: min_count
+   :source-code: base/init-bare.zeek 2700 2701
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`count`, b: :zeek:type:`count`) : :zeek:type:`count`
+
+   Returns minimum of two ``count`` values.
+   
+
+   :param a: First value.
+
+   :param b: Second value.
+   
+
+   :returns: The minimum of *a* and *b*.
+
+.. zeek:id:: min_double
+   :source-code: base/init-bare.zeek 2668 2669
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`double`, b: :zeek:type:`double`) : :zeek:type:`double`
+
+   Returns minimum of two ``double`` values.
+   
+
+   :param a: First value.
+
+   :param b: Second value.
+   
+
+   :returns: The minimum of *a* and *b*.
+
+.. zeek:id:: min_interval
+   :source-code: base/init-bare.zeek 2684 2685
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`interval`, b: :zeek:type:`interval`) : :zeek:type:`interval`
+
+   Returns minimum of two ``interval`` values.
+   
+
+   :param a: First value.
+
+   :param b: Second value.
+   
+
+   :returns: The minimum of *a* and *b*.
+
+
diff --git a/doc/scripts/base/init-default.zeek.rst b/doc/scripts/base/init-default.zeek.rst
new file mode 100644
index 0000000000..7d03924afe
--- /dev/null
+++ b/doc/scripts/base/init-default.zeek.rst
@@ -0,0 +1,19 @@
+:tocdepth: 3
+
+base/init-default.zeek
+======================
+
+This script loads everything in the base/ script directory.  If you want
+to run Zeek without all of these scripts loaded by default, you can use
+the ``-b`` (``--bare-mode``) command line argument.  You can also copy the
+"@load" lines from this script to your own script to load only the scripts
+that you actually want.
+
+:Imports: :doc:`base/files/extract </scripts/base/files/extract/index>`, :doc:`base/files/hash </scripts/base/files/hash/index>`, :doc:`base/files/pe </scripts/base/files/pe/index>`, :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`, :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/config </scripts/base/frameworks/config/index>`, :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`, :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`, :doc:`base/frameworks/packet-filter </scripts/base/frameworks/packet-filter/index>`, :doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`, :doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/frameworks/spicy </scripts/base/frameworks/spicy/index>`, :doc:`base/frameworks/storage </scripts/base/frameworks/storage/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/frameworks/telemetry </scripts/base/frameworks/telemetry/index>`, :doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`, :doc:`base/misc/find-checksum-offloading.zeek </scripts/base/misc/find-checksum-offloading.zeek>`, :doc:`base/misc/find-filtered-trace.zeek </scripts/base/misc/find-filtered-trace.zeek>`, :doc:`base/misc/installation.zeek </scripts/base/misc/installation.zeek>`, :doc:`base/misc/version.zeek </scripts/base/misc/version.zeek>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`base/protocols/dce-rpc </scripts/base/protocols/dce-rpc/index>`, :doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`, :doc:`base/protocols/dnp3 </scripts/base/protocols/dnp3/index>`, :doc:`base/protocols/dns </scripts/base/protocols/dns/index>`, :doc:`base/protocols/finger </scripts/base/protocols/finger/index>`, :doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`, :doc:`base/protocols/imap </scripts/base/protocols/imap/index>`, :doc:`base/protocols/irc </scripts/base/protocols/irc/index>`, :doc:`base/protocols/krb </scripts/base/protocols/krb/index>`, :doc:`base/protocols/ldap </scripts/base/protocols/ldap/index>`, :doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`, :doc:`base/protocols/mqtt </scripts/base/protocols/mqtt/index>`, :doc:`base/protocols/mysql </scripts/base/protocols/mysql/index>`, :doc:`base/protocols/ntlm </scripts/base/protocols/ntlm/index>`, :doc:`base/protocols/ntp </scripts/base/protocols/ntp/index>`, :doc:`base/protocols/pop3 </scripts/base/protocols/pop3/index>`, :doc:`base/protocols/postgresql </scripts/base/protocols/postgresql/index>`, :doc:`base/protocols/quic </scripts/base/protocols/quic/index>`, :doc:`base/protocols/radius </scripts/base/protocols/radius/index>`, :doc:`base/protocols/rdp </scripts/base/protocols/rdp/index>`, :doc:`base/protocols/redis </scripts/base/protocols/redis/index>`, :doc:`base/protocols/rfb </scripts/base/protocols/rfb/index>`, :doc:`base/protocols/sip </scripts/base/protocols/sip/index>`, :doc:`base/protocols/smb </scripts/base/protocols/smb/index>`, :doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`, :doc:`base/protocols/snmp </scripts/base/protocols/snmp/index>`, :doc:`base/protocols/socks </scripts/base/protocols/socks/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/protocols/syslog </scripts/base/protocols/syslog/index>`, :doc:`base/protocols/tunnels </scripts/base/protocols/tunnels/index>`, :doc:`base/protocols/websocket </scripts/base/protocols/websocket/index>`, :doc:`base/protocols/xmpp </scripts/base/protocols/xmpp/index>`, :doc:`base/utils/active-http.zeek </scripts/base/utils/active-http.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`base/utils/backtrace.zeek </scripts/base/utils/backtrace.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`, :doc:`base/utils/dir.zeek </scripts/base/utils/dir.zeek>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`, :doc:`base/utils/email.zeek </scripts/base/utils/email.zeek>`, :doc:`base/utils/exec.zeek </scripts/base/utils/exec.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`, :doc:`base/utils/geoip-distance.zeek </scripts/base/utils/geoip-distance.zeek>`, :doc:`base/utils/hash_hrw.zeek </scripts/base/utils/hash_hrw.zeek>`, :doc:`base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>`, :doc:`base/utils/packages.zeek </scripts/base/utils/packages.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`, :doc:`base/utils/patterns.zeek </scripts/base/utils/patterns.zeek>`, :doc:`base/utils/queue.zeek </scripts/base/utils/queue.zeek>`, :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`, :doc:`base/utils/strings.zeek </scripts/base/utils/strings.zeek>`, :doc:`base/utils/thresholds.zeek </scripts/base/utils/thresholds.zeek>`, :doc:`base/utils/time.zeek </scripts/base/utils/time.zeek>`, :doc:`base/utils/urls.zeek </scripts/base/utils/urls.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/init-frameworks-and-bifs.zeek.rst b/doc/scripts/base/init-frameworks-and-bifs.zeek.rst
new file mode 100644
index 0000000000..cefb864d9f
--- /dev/null
+++ b/doc/scripts/base/init-frameworks-and-bifs.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/init-frameworks-and-bifs.zeek
+==================================
+
+
+:Imports: :doc:`base/bif </scripts/base/bif/index>`, :doc:`base/bif/plugins </scripts/base/bif/plugins/index>`, :doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`, :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/config </scripts/base/frameworks/config/index>`, :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/frameworks/input </scripts/base/frameworks/input/index>`, :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`, :doc:`base/frameworks/spicy/init-framework.zeek </scripts/base/frameworks/spicy/init-framework.zeek>`, :doc:`base/frameworks/supervisor </scripts/base/frameworks/supervisor/index>`, :doc:`base/frameworks/telemetry/options.zeek </scripts/base/frameworks/telemetry/options.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/misc/find-checksum-offloading.zeek.rst b/doc/scripts/base/misc/find-checksum-offloading.zeek.rst
new file mode 100644
index 0000000000..071efb3da5
--- /dev/null
+++ b/doc/scripts/base/misc/find-checksum-offloading.zeek.rst
@@ -0,0 +1,39 @@
+:tocdepth: 3
+
+base/misc/find-checksum-offloading.zeek
+=======================================
+.. zeek:namespace:: ChecksumOffloading
+
+Discover cases where the local interface is sniffed and outbound packets
+have checksum offloading.  Load this script to receive a notice if it's
+likely that checksum offload effects are being seen on a live interface or
+in a packet trace file.
+
+:Namespace: ChecksumOffloading
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================== =========================================================
+:zeek:id:`ChecksumOffloading::check_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The interval which is used for checking packet statistics
+                                                                                         to see if checksum offloading is affecting analysis.
+======================================================================================== =========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: ChecksumOffloading::check_interval
+   :source-code: base/misc/find-checksum-offloading.zeek 13 13
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 secs``
+
+   The interval which is used for checking packet statistics
+   to see if checksum offloading is affecting analysis.
+
+
diff --git a/doc/scripts/base/misc/find-filtered-trace.zeek.rst b/doc/scripts/base/misc/find-filtered-trace.zeek.rst
new file mode 100644
index 0000000000..d0797eb06e
--- /dev/null
+++ b/doc/scripts/base/misc/find-filtered-trace.zeek.rst
@@ -0,0 +1,38 @@
+:tocdepth: 3
+
+base/misc/find-filtered-trace.zeek
+==================================
+.. zeek:namespace:: FilteredTraceDetection
+
+Discovers trace files that contain TCP traffic consisting only of
+control packets (e.g. it's been filtered to contain only SYN/FIN/RST
+packets and no content).  On finding such a trace, a warning is
+emitted that suggests toggling the :zeek:see:`detect_filtered_trace`
+option may be desired if the user does not want Zeek to report
+missing TCP segments.
+
+:Namespace: FilteredTraceDetection
+
+Summary
+~~~~~~~
+State Variables
+###############
+================================================================================ =================================================================
+:zeek:id:`FilteredTraceDetection::enable`: :zeek:type:`bool` :zeek:attr:`&redef` Flag to enable filtered trace file detection and warning message.
+================================================================================ =================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+State Variables
+###############
+.. zeek:id:: FilteredTraceDetection::enable
+   :source-code: base/misc/find-filtered-trace.zeek 13 13
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Flag to enable filtered trace file detection and warning message.
+
+
diff --git a/doc/scripts/base/misc/installation.zeek.rst b/doc/scripts/base/misc/installation.zeek.rst
new file mode 100644
index 0000000000..831530a570
--- /dev/null
+++ b/doc/scripts/base/misc/installation.zeek.rst
@@ -0,0 +1,74 @@
+:tocdepth: 3
+
+base/misc/installation.zeek
+===========================
+.. zeek:namespace:: Installation
+
+This module collects properties of the Zeek installation.
+
+Directories are absolute and guaranteed to exist. Not all are necessarily in
+operational use -- this depends on how you're running Zeek (as a standalone
+process or clusterized, via zeekctl or the Management framework, etc).
+
+For details about Zeek's version, see the :zeek:see:`Version` module.
+
+:Namespace: Installation
+
+Summary
+~~~~~~~
+Constants
+#########
+======================================================= ============================================
+:zeek:id:`Installation::etc_dir`: :zeek:type:`string`   The installation's configuration directory.
+:zeek:id:`Installation::log_dir`: :zeek:type:`string`   The installation's log directory.
+:zeek:id:`Installation::root_dir`: :zeek:type:`string`  Zeek installation root directory.
+:zeek:id:`Installation::spool_dir`: :zeek:type:`string` The installation's spool directory.
+:zeek:id:`Installation::state_dir`: :zeek:type:`string` The installation's variable-state directory.
+======================================================= ============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: Installation::etc_dir
+   :source-code: base/misc/installation.zeek 15 15
+
+   :Type: :zeek:type:`string`
+   :Default: ``"/usr/local/zeek/etc"``
+
+   The installation's configuration directory.
+
+.. zeek:id:: Installation::log_dir
+   :source-code: base/misc/installation.zeek 18 18
+
+   :Type: :zeek:type:`string`
+   :Default: ``"/usr/local/zeek/logs"``
+
+   The installation's log directory.
+
+.. zeek:id:: Installation::root_dir
+   :source-code: base/misc/installation.zeek 12 12
+
+   :Type: :zeek:type:`string`
+   :Default: ``"/usr/local/zeek"``
+
+   Zeek installation root directory.
+
+.. zeek:id:: Installation::spool_dir
+   :source-code: base/misc/installation.zeek 21 21
+
+   :Type: :zeek:type:`string`
+   :Default: ``"/usr/local/zeek/spool"``
+
+   The installation's spool directory.
+
+.. zeek:id:: Installation::state_dir
+   :source-code: base/misc/installation.zeek 24 24
+
+   :Type: :zeek:type:`string`
+   :Default: ``"/usr/local/zeek/var/lib"``
+
+   The installation's variable-state directory.
+
+
diff --git a/doc/scripts/base/misc/version.zeek.rst b/doc/scripts/base/misc/version.zeek.rst
new file mode 100644
index 0000000000..346fd7c77d
--- /dev/null
+++ b/doc/scripts/base/misc/version.zeek.rst
@@ -0,0 +1,156 @@
+:tocdepth: 3
+
+base/misc/version.zeek
+======================
+.. zeek:namespace:: Version
+
+Provide information about the currently running Zeek version.  The most
+convenient way to access this are the :zeek:see:`Version::number` and
+:zeek:see:`Version::info` constants.
+
+:Namespace: Version
+
+Summary
+~~~~~~~
+Constants
+#########
+================================================================== ==========================================================================
+:zeek:id:`Version::info`: :zeek:type:`Version::VersionDescription` :zeek:see:`Version::VersionDescription` record pertaining to the currently
+                                                                   running version of Zeek.
+:zeek:id:`Version::number`: :zeek:type:`count`                     version number of the currently running version of Zeek as a numeric
+                                                                   representation.
+================================================================== ==========================================================================
+
+Types
+#####
+============================================================= ========================================
+:zeek:type:`Version::VersionDescription`: :zeek:type:`record` A type exactly describing a Zeek version
+============================================================= ========================================
+
+Functions
+#########
+=================================================== ==================================================================
+:zeek:id:`Version::at_least`: :zeek:type:`function` Test if the current running version of Zeek is greater or equal to
+                                                    the given version string.
+:zeek:id:`Version::parse`: :zeek:type:`function`    Parse a given version string.
+=================================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: Version::info
+   :source-code: base/misc/version.zeek 123 123
+
+   :Type: :zeek:type:`Version::VersionDescription`
+
+   :zeek:see:`Version::VersionDescription` record pertaining to the currently
+   running version of Zeek.
+
+.. zeek:id:: Version::number
+   :source-code: base/misc/version.zeek 130 130
+
+   :Type: :zeek:type:`count`
+
+   version number of the currently running version of Zeek as a numeric
+   representation.  The format of the number is ABBCC with A being the
+   major version, bb being the minor version (2 digits) and CC being the
+   patchlevel (2 digits).  As an example, Zeek 2.4.1 results in the
+   number 20401
+
+Types
+#####
+.. zeek:type:: Version::VersionDescription
+   :source-code: base/misc/version.zeek 9 38
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version_number :zeek:type:`count`
+
+      Number representing the version which can be used for easy comparison.
+      The format of the number is ABBCC with A being the major version,
+      bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
+      As an example, Zeek 2.4.1 results in the number 20401.
+
+
+   .. zeek:field:: major :zeek:type:`count`
+
+      Major version number (e.g. 2 for 2.5)
+
+
+   .. zeek:field:: minor :zeek:type:`count`
+
+      Minor version number (e.g. 5 for 2.5)
+
+
+   .. zeek:field:: patch :zeek:type:`count`
+
+      Patch version number (e.g. 0 for 2.5 or 1 for 2.4.1)
+
+
+   .. zeek:field:: commit :zeek:type:`count`
+
+      Commit number for development versions, Versions prior to 3.0.0,
+      like "2.4-12", use a post-release commit number (12 commits
+      after the 2.4 release).  Versions after 3.0.0, like
+      "3.1.0-dev.37", use a pre-release commit number (37 commits
+      into the development cycle for 3.1.0).  For non-development version
+      this number will be zero.
+
+
+   .. zeek:field:: beta :zeek:type:`bool`
+
+      If set to true, the version is a beta build of Zeek.  These versions
+      may start like "2.6-beta" or "3.0.0-rc" (the "rc" form started
+      being used for 3.0.0 and later).
+
+
+   .. zeek:field:: debug :zeek:type:`bool`
+
+      If set to true, the version is a debug build
+
+
+   .. zeek:field:: localversion :zeek:type:`string`
+
+      Local version portion of the version string
+
+
+   .. zeek:field:: version_string :zeek:type:`string`
+
+      String representation of this version
+
+
+   A type exactly describing a Zeek version
+
+Functions
+#########
+.. zeek:id:: Version::at_least
+   :source-code: base/misc/version.zeek 133 136
+
+   :Type: :zeek:type:`function` (version_string: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Test if the current running version of Zeek is greater or equal to
+   the given version string.
+   
+
+   :param version_string: Version to check against the current running version.
+   
+
+   :returns: True if running version greater or equal to the given version.
+
+.. zeek:id:: Version::parse
+   :source-code: base/misc/version.zeek 56 118
+
+   :Type: :zeek:type:`function` (version_string: :zeek:type:`string`) : :zeek:type:`Version::VersionDescription`
+
+   Parse a given version string.
+   
+
+   :param version_string: Zeek version string.
+   
+
+   :returns: :zeek:see:`Version::VersionDescription` record.
+
+
diff --git a/doc/scripts/base/packet-protocols/__load__.zeek.rst b/doc/scripts/base/packet-protocols/__load__.zeek.rst
new file mode 100644
index 0000000000..c0cff16147
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/packet-protocols/ayiya </scripts/base/packet-protocols/ayiya/index>`, :doc:`base/packet-protocols/ethernet </scripts/base/packet-protocols/ethernet/index>`, :doc:`base/packet-protocols/fddi </scripts/base/packet-protocols/fddi/index>`, :doc:`base/packet-protocols/geneve </scripts/base/packet-protocols/geneve/index>`, :doc:`base/packet-protocols/gre </scripts/base/packet-protocols/gre/index>`, :doc:`base/packet-protocols/gtpv1 </scripts/base/packet-protocols/gtpv1/index>`, :doc:`base/packet-protocols/icmp </scripts/base/packet-protocols/icmp/index>`, :doc:`base/packet-protocols/ieee802_11 </scripts/base/packet-protocols/ieee802_11/index>`, :doc:`base/packet-protocols/ieee802_11_radio </scripts/base/packet-protocols/ieee802_11_radio/index>`, :doc:`base/packet-protocols/ip </scripts/base/packet-protocols/ip/index>`, :doc:`base/packet-protocols/iptunnel </scripts/base/packet-protocols/iptunnel/index>`, :doc:`base/packet-protocols/linux_sll </scripts/base/packet-protocols/linux_sll/index>`, :doc:`base/packet-protocols/linux_sll2 </scripts/base/packet-protocols/linux_sll2/index>`, :doc:`base/packet-protocols/llc </scripts/base/packet-protocols/llc/index>`, :doc:`base/packet-protocols/main.zeek </scripts/base/packet-protocols/main.zeek>`, :doc:`base/packet-protocols/mpls </scripts/base/packet-protocols/mpls/index>`, :doc:`base/packet-protocols/nflog </scripts/base/packet-protocols/nflog/index>`, :doc:`base/packet-protocols/novell_802_3 </scripts/base/packet-protocols/novell_802_3/index>`, :doc:`base/packet-protocols/null </scripts/base/packet-protocols/null/index>`, :doc:`base/packet-protocols/pbb </scripts/base/packet-protocols/pbb/index>`, :doc:`base/packet-protocols/ppp </scripts/base/packet-protocols/ppp/index>`, :doc:`base/packet-protocols/ppp_serial </scripts/base/packet-protocols/ppp_serial/index>`, :doc:`base/packet-protocols/pppoe </scripts/base/packet-protocols/pppoe/index>`, :doc:`base/packet-protocols/root </scripts/base/packet-protocols/root/index>`, :doc:`base/packet-protocols/skip </scripts/base/packet-protocols/skip/index>`, :doc:`base/packet-protocols/snap </scripts/base/packet-protocols/snap/index>`, :doc:`base/packet-protocols/tcp </scripts/base/packet-protocols/tcp/index>`, :doc:`base/packet-protocols/teredo </scripts/base/packet-protocols/teredo/index>`, :doc:`base/packet-protocols/udp </scripts/base/packet-protocols/udp/index>`, :doc:`base/packet-protocols/vlan </scripts/base/packet-protocols/vlan/index>`, :doc:`base/packet-protocols/vntag </scripts/base/packet-protocols/vntag/index>`, :doc:`base/packet-protocols/vxlan </scripts/base/packet-protocols/vxlan/index>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ayiya/__load__.zeek.rst b/doc/scripts/base/packet-protocols/ayiya/__load__.zeek.rst
new file mode 100644
index 0000000000..f7793def99
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ayiya/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/ayiya/__load__.zeek
+=========================================
+
+
+:Imports: :doc:`base/packet-protocols/ayiya/main.zeek </scripts/base/packet-protocols/ayiya/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ayiya/index.rst b/doc/scripts/base/packet-protocols/ayiya/index.rst
new file mode 100644
index 0000000000..be37001ea6
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ayiya/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/ayiya
+====================================
+
+
+:doc:`/scripts/base/packet-protocols/ayiya/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ayiya/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/ayiya/main.zeek.rst b/doc/scripts/base/packet-protocols/ayiya/main.zeek.rst
new file mode 100644
index 0000000000..505305971a
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ayiya/main.zeek.rst
@@ -0,0 +1,22 @@
+:tocdepth: 3
+
+base/packet-protocols/ayiya/main.zeek
+=====================================
+.. zeek:namespace:: PacketAnalyzer::AYIYA
+
+
+:Namespace: PacketAnalyzer::AYIYA
+:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ethernet/__load__.zeek.rst b/doc/scripts/base/packet-protocols/ethernet/__load__.zeek.rst
new file mode 100644
index 0000000000..84a5337cf8
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ethernet/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/ethernet/__load__.zeek
+============================================
+
+
+:Imports: :doc:`base/packet-protocols/ethernet/main.zeek </scripts/base/packet-protocols/ethernet/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ethernet/index.rst b/doc/scripts/base/packet-protocols/ethernet/index.rst
new file mode 100644
index 0000000000..d159f2cbe2
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ethernet/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/ethernet
+=======================================
+
+
+:doc:`/scripts/base/packet-protocols/ethernet/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ethernet/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/ethernet/main.zeek.rst b/doc/scripts/base/packet-protocols/ethernet/main.zeek.rst
new file mode 100644
index 0000000000..3f97c17b57
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ethernet/main.zeek.rst
@@ -0,0 +1,46 @@
+:tocdepth: 3
+
+base/packet-protocols/ethernet/main.zeek
+========================================
+.. zeek:namespace:: PacketAnalyzer::ETHERNET
+
+
+:Namespace: PacketAnalyzer::ETHERNET
+
+Summary
+~~~~~~~
+Constants
+#########
+============================================================================== =
+:zeek:id:`PacketAnalyzer::ETHERNET::LLC_FORWARDING_KEY`: :zeek:type:`count`    
+:zeek:id:`PacketAnalyzer::ETHERNET::NOVELL_FORWARDING_KEY`: :zeek:type:`count` 
+:zeek:id:`PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY`: :zeek:type:`count`   
+============================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: PacketAnalyzer::ETHERNET::LLC_FORWARDING_KEY
+   :source-code: base/packet-protocols/ethernet/main.zeek 9 9
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+
+.. zeek:id:: PacketAnalyzer::ETHERNET::NOVELL_FORWARDING_KEY
+   :source-code: base/packet-protocols/ethernet/main.zeek 8 8
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: PacketAnalyzer::ETHERNET::SNAP_FORWARDING_KEY
+   :source-code: base/packet-protocols/ethernet/main.zeek 7 7
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+
+
diff --git a/doc/scripts/base/packet-protocols/fddi/__load__.zeek.rst b/doc/scripts/base/packet-protocols/fddi/__load__.zeek.rst
new file mode 100644
index 0000000000..df3ac56205
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/fddi/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/fddi/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/packet-protocols/fddi/main.zeek </scripts/base/packet-protocols/fddi/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/fddi/index.rst b/doc/scripts/base/packet-protocols/fddi/index.rst
new file mode 100644
index 0000000000..f44e3e2856
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/fddi/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/fddi
+===================================
+
+
+:doc:`/scripts/base/packet-protocols/fddi/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/fddi/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/fddi/main.zeek.rst b/doc/scripts/base/packet-protocols/fddi/main.zeek.rst
new file mode 100644
index 0000000000..c478166ed8
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/fddi/main.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/packet-protocols/fddi/main.zeek
+====================================
+.. zeek:namespace:: PacketAnalyzer::FDDI
+
+
+:Namespace: PacketAnalyzer::FDDI
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================= ================
+:zeek:id:`PacketAnalyzer::FDDI::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` Default analyzer
+======================================================================================================= ================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::FDDI::default_analyzer
+   :source-code: base/packet-protocols/fddi/main.zeek 5 5
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_IP``
+
+   Default analyzer
+
+
diff --git a/doc/scripts/base/packet-protocols/geneve/__load__.zeek.rst b/doc/scripts/base/packet-protocols/geneve/__load__.zeek.rst
new file mode 100644
index 0000000000..91ce4bd966
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/geneve/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/geneve/__load__.zeek
+==========================================
+
+
+:Imports: :doc:`base/packet-protocols/geneve/main.zeek </scripts/base/packet-protocols/geneve/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/geneve/index.rst b/doc/scripts/base/packet-protocols/geneve/index.rst
new file mode 100644
index 0000000000..d9ec044f9a
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/geneve/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/geneve
+=====================================
+
+
+:doc:`/scripts/base/packet-protocols/geneve/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/geneve/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/geneve/main.zeek.rst b/doc/scripts/base/packet-protocols/geneve/main.zeek.rst
new file mode 100644
index 0000000000..ee5f88b88c
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/geneve/main.zeek.rst
@@ -0,0 +1,99 @@
+:tocdepth: 3
+
+base/packet-protocols/geneve/main.zeek
+======================================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: PacketAnalyzer::Geneve
+
+
+:Namespaces: GLOBAL, PacketAnalyzer::Geneve
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+===================================================================================== =============================================
+:zeek:id:`PacketAnalyzer::Geneve::geneve_ports`: :zeek:type:`set` :zeek:attr:`&redef` The set of UDP ports used for Geneve traffic.
+===================================================================================== =============================================
+
+Types
+#####
+================================================================ ================
+:zeek:type:`PacketAnalyzer::Geneve::Option`: :zeek:type:`record` A Geneve option.
+:zeek:type:`geneve_options_vec`: :zeek:type:`vector`             
+:zeek:type:`geneve_options_vec_vec`: :zeek:type:`vector`         
+================================================================ ================
+
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::Geneve::geneve_ports
+   :source-code: base/packet-protocols/geneve/main.zeek 8 8
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            6081/udp
+         }
+
+
+   The set of UDP ports used for Geneve traffic.  Traffic using this
+   UDP destination port will attempt to be decapsulated.  Note that if
+   if you customize this, you may still want to manually ensure that
+   :zeek:see:`likely_server_ports` also gets populated accordingly.
+
+Types
+#####
+.. zeek:type:: PacketAnalyzer::Geneve::Option
+   :source-code: base/packet-protocols/geneve/main.zeek 11 20
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: class :zeek:type:`count`
+
+      The class of the option.
+
+
+   .. zeek:field:: critical :zeek:type:`bool`
+
+      The critical bit of the type.
+
+
+   .. zeek:field:: typ :zeek:type:`count`
+
+      The type field of the option with the critical bit masked.
+
+
+   .. zeek:field:: data :zeek:type:`string`
+
+      The data field of the option.
+
+
+   A Geneve option.
+
+.. zeek:type:: geneve_options_vec
+   :source-code: base/packet-protocols/geneve/main.zeek 43 43
+
+   :Type: :zeek:type:`vector` of :zeek:type:`PacketAnalyzer::Geneve::Option`
+
+
+.. zeek:type:: geneve_options_vec_vec
+   :source-code: base/packet-protocols/geneve/main.zeek 44 44
+
+   :Type: :zeek:type:`vector` of :zeek:type:`geneve_options_vec`
+
+
+
diff --git a/doc/scripts/base/packet-protocols/gre/__load__.zeek.rst b/doc/scripts/base/packet-protocols/gre/__load__.zeek.rst
new file mode 100644
index 0000000000..471b211e0b
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/gre/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/gre/__load__.zeek
+=======================================
+
+
+:Imports: :doc:`base/packet-protocols/gre/main.zeek </scripts/base/packet-protocols/gre/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/gre/index.rst b/doc/scripts/base/packet-protocols/gre/index.rst
new file mode 100644
index 0000000000..39eed082a1
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/gre/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/gre
+==================================
+
+
+:doc:`/scripts/base/packet-protocols/gre/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/gre/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/gre/main.zeek.rst b/doc/scripts/base/packet-protocols/gre/main.zeek.rst
new file mode 100644
index 0000000000..a7225c12a8
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/gre/main.zeek.rst
@@ -0,0 +1,47 @@
+:tocdepth: 3
+
+base/packet-protocols/gre/main.zeek
+===================================
+.. zeek:namespace:: PacketAnalyzer::GRE
+
+
+:Namespace: PacketAnalyzer::GRE
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+====================================================================================================== =
+:zeek:id:`PacketAnalyzer::GRE::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` 
+:zeek:id:`PacketAnalyzer::GRE::gre_ports`: :zeek:type:`set` :zeek:attr:`&redef`                        
+====================================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::GRE::default_analyzer
+   :source-code: base/packet-protocols/gre/main.zeek 4 4
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_IPTUNNEL``
+
+
+.. zeek:id:: PacketAnalyzer::GRE::gre_ports
+   :source-code: base/packet-protocols/gre/main.zeek 5 5
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            4754/udp
+         }
+
+
+
+
diff --git a/doc/scripts/base/packet-protocols/gtpv1/__load__.zeek.rst b/doc/scripts/base/packet-protocols/gtpv1/__load__.zeek.rst
new file mode 100644
index 0000000000..833881b2cc
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/gtpv1/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/gtpv1/__load__.zeek
+=========================================
+
+
+:Imports: :doc:`base/packet-protocols/gtpv1/main.zeek </scripts/base/packet-protocols/gtpv1/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/gtpv1/index.rst b/doc/scripts/base/packet-protocols/gtpv1/index.rst
new file mode 100644
index 0000000000..cc0cd5fc83
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/gtpv1/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/gtpv1
+====================================
+
+
+:doc:`/scripts/base/packet-protocols/gtpv1/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/gtpv1/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/gtpv1/main.zeek.rst b/doc/scripts/base/packet-protocols/gtpv1/main.zeek.rst
new file mode 100644
index 0000000000..2c17ae7a66
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/gtpv1/main.zeek.rst
@@ -0,0 +1,39 @@
+:tocdepth: 3
+
+base/packet-protocols/gtpv1/main.zeek
+=====================================
+.. zeek:namespace:: PacketAnalyzer::GTPV1
+
+
+:Namespace: PacketAnalyzer::GTPV1
+:Imports: :doc:`base/bif/plugins/Zeek_GTPv1.events.bif.zeek </scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_GTPv1.functions.bif.zeek </scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek>`, :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================== ================
+:zeek:id:`PacketAnalyzer::GTPV1::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` Default analyzer
+======================================================================================================== ================
+
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::GTPV1::default_analyzer
+   :source-code: base/packet-protocols/gtpv1/main.zeek 17 17
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_IP``
+
+   Default analyzer
+
+
diff --git a/doc/scripts/base/packet-protocols/icmp/__load__.zeek.rst b/doc/scripts/base/packet-protocols/icmp/__load__.zeek.rst
new file mode 100644
index 0000000000..48e006374d
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/icmp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/icmp/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/packet-protocols/icmp/main.zeek </scripts/base/packet-protocols/icmp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/icmp/index.rst b/doc/scripts/base/packet-protocols/icmp/index.rst
new file mode 100644
index 0000000000..2dc20f613f
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/icmp/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/icmp
+===================================
+
+
+:doc:`/scripts/base/packet-protocols/icmp/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/icmp/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/icmp/main.zeek.rst b/doc/scripts/base/packet-protocols/icmp/main.zeek.rst
new file mode 100644
index 0000000000..336c2b8ae0
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/icmp/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/icmp/main.zeek
+====================================
+.. zeek:namespace:: PacketAnalyzer::ICMP
+
+
+:Namespace: PacketAnalyzer::ICMP
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ieee802_11/__load__.zeek.rst b/doc/scripts/base/packet-protocols/ieee802_11/__load__.zeek.rst
new file mode 100644
index 0000000000..ea041a07bc
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ieee802_11/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/ieee802_11/__load__.zeek
+==============================================
+
+
+:Imports: :doc:`base/packet-protocols/ieee802_11/main.zeek </scripts/base/packet-protocols/ieee802_11/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ieee802_11/index.rst b/doc/scripts/base/packet-protocols/ieee802_11/index.rst
new file mode 100644
index 0000000000..792842cb75
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ieee802_11/index.rst
@@ -0,0 +1,18 @@
+:orphan:
+
+Package: base/packet-protocols/ieee802_11
+=========================================
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11_radio/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/ieee802_11/main.zeek.rst b/doc/scripts/base/packet-protocols/ieee802_11/main.zeek.rst
new file mode 100644
index 0000000000..09c595498f
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ieee802_11/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/ieee802_11/main.zeek
+==========================================
+.. zeek:namespace:: PacketAnalyzer::IEEE802_11
+
+
+:Namespace: PacketAnalyzer::IEEE802_11
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek.rst b/doc/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek.rst
new file mode 100644
index 0000000000..9c274d35be
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/ieee802_11_radio/__load__.zeek
+====================================================
+
+
+:Imports: :doc:`base/packet-protocols/ieee802_11_radio/main.zeek </scripts/base/packet-protocols/ieee802_11_radio/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ieee802_11_radio/index.rst b/doc/scripts/base/packet-protocols/ieee802_11_radio/index.rst
new file mode 100644
index 0000000000..15c85e8001
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ieee802_11_radio/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/ieee802_11_radio
+===============================================
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11_radio/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/ieee802_11_radio/main.zeek.rst b/doc/scripts/base/packet-protocols/ieee802_11_radio/main.zeek.rst
new file mode 100644
index 0000000000..67ac662142
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ieee802_11_radio/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/ieee802_11_radio/main.zeek
+================================================
+.. zeek:namespace:: PacketAnalyzer::IEEE802_11_RADIO
+
+
+:Namespace: PacketAnalyzer::IEEE802_11_RADIO
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/index.rst b/doc/scripts/base/packet-protocols/index.rst
new file mode 100644
index 0000000000..769123be8c
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/index.rst
@@ -0,0 +1,198 @@
+:orphan:
+
+Package: base/packet-protocols
+==============================
+
+
+:doc:`/scripts/base/packet-protocols/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/root/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/root/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ip/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ip/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/skip/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/skip/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ethernet/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ethernet/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/fddi/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/fddi/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ieee802_11_radio/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll2/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll2/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/nflog/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/nflog/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/null/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/null/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ppp/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ppp/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ppp_serial/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ppp_serial/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/pppoe/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/pppoe/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vlan/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vlan/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/mpls/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/mpls/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/pbb/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/pbb/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vntag/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vntag/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/udp/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/udp/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/tcp/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/tcp/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/icmp/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/icmp/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/llc/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/llc/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/novell_802_3/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/novell_802_3/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/snap/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/snap/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/gre/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/gre/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/iptunnel/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/iptunnel/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ayiya/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ayiya/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/geneve/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/geneve/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vxlan/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vxlan/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/teredo/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/teredo/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/gtpv1/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/gtpv1/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/ip/__load__.zeek.rst b/doc/scripts/base/packet-protocols/ip/__load__.zeek.rst
new file mode 100644
index 0000000000..ca3dc18611
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ip/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/ip/__load__.zeek
+======================================
+
+
+:Imports: :doc:`base/packet-protocols/ip/main.zeek </scripts/base/packet-protocols/ip/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ip/index.rst b/doc/scripts/base/packet-protocols/ip/index.rst
new file mode 100644
index 0000000000..9ed1063095
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ip/index.rst
@@ -0,0 +1,18 @@
+:orphan:
+
+Package: base/packet-protocols/ip
+=================================
+
+
+:doc:`/scripts/base/packet-protocols/ip/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ip/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/iptunnel/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/iptunnel/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/ip/main.zeek.rst b/doc/scripts/base/packet-protocols/ip/main.zeek.rst
new file mode 100644
index 0000000000..9c6b43da58
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ip/main.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/packet-protocols/ip/main.zeek
+==================================
+.. zeek:namespace:: PacketAnalyzer::IP
+
+
+:Namespace: PacketAnalyzer::IP
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+===================================================================================================== ================
+:zeek:id:`PacketAnalyzer::IP::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` Default analyzer
+===================================================================================================== ================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::IP::default_analyzer
+   :source-code: base/packet-protocols/ip/main.zeek 5 5
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT``
+
+   Default analyzer
+
+
diff --git a/doc/scripts/base/packet-protocols/iptunnel/__load__.zeek.rst b/doc/scripts/base/packet-protocols/iptunnel/__load__.zeek.rst
new file mode 100644
index 0000000000..062c2fc1f9
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/iptunnel/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/iptunnel/__load__.zeek
+============================================
+
+
+:Imports: :doc:`base/packet-protocols/iptunnel/main.zeek </scripts/base/packet-protocols/iptunnel/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/iptunnel/index.rst b/doc/scripts/base/packet-protocols/iptunnel/index.rst
new file mode 100644
index 0000000000..dc326f89c9
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/iptunnel/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/iptunnel
+=======================================
+
+
+:doc:`/scripts/base/packet-protocols/iptunnel/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/iptunnel/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/iptunnel/main.zeek.rst b/doc/scripts/base/packet-protocols/iptunnel/main.zeek.rst
new file mode 100644
index 0000000000..f174aab135
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/iptunnel/main.zeek.rst
@@ -0,0 +1,31 @@
+:tocdepth: 3
+
+base/packet-protocols/iptunnel/main.zeek
+========================================
+.. zeek:namespace:: PacketAnalyzer::IPTUNNEL
+
+
+:Namespace: PacketAnalyzer::IPTUNNEL
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=========================================================================================================== =
+:zeek:id:`PacketAnalyzer::IPTUNNEL::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` 
+=========================================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::IPTUNNEL::default_analyzer
+   :source-code: base/packet-protocols/iptunnel/main.zeek 4 4
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_IP``
+
+
+
diff --git a/doc/scripts/base/packet-protocols/linux_sll/__load__.zeek.rst b/doc/scripts/base/packet-protocols/linux_sll/__load__.zeek.rst
new file mode 100644
index 0000000000..9ed9fe5e50
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/linux_sll/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/linux_sll/__load__.zeek
+=============================================
+
+
+:Imports: :doc:`base/packet-protocols/linux_sll/main.zeek </scripts/base/packet-protocols/linux_sll/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/linux_sll/index.rst b/doc/scripts/base/packet-protocols/linux_sll/index.rst
new file mode 100644
index 0000000000..c425cbd72e
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/linux_sll/index.rst
@@ -0,0 +1,18 @@
+:orphan:
+
+Package: base/packet-protocols/linux_sll
+========================================
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll2/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll2/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/linux_sll/main.zeek.rst b/doc/scripts/base/packet-protocols/linux_sll/main.zeek.rst
new file mode 100644
index 0000000000..97e026bcf3
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/linux_sll/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/linux_sll/main.zeek
+=========================================
+.. zeek:namespace:: PacketAnalyzer::LINUXSLL
+
+
+:Namespace: PacketAnalyzer::LINUXSLL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/linux_sll2/__load__.zeek.rst b/doc/scripts/base/packet-protocols/linux_sll2/__load__.zeek.rst
new file mode 100644
index 0000000000..6893599756
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/linux_sll2/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/linux_sll2/__load__.zeek
+==============================================
+
+
+:Imports: :doc:`base/packet-protocols/linux_sll2/main.zeek </scripts/base/packet-protocols/linux_sll2/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/linux_sll2/index.rst b/doc/scripts/base/packet-protocols/linux_sll2/index.rst
new file mode 100644
index 0000000000..99422ab35d
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/linux_sll2/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/linux_sll2
+=========================================
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll2/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/linux_sll2/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/linux_sll2/main.zeek.rst b/doc/scripts/base/packet-protocols/linux_sll2/main.zeek.rst
new file mode 100644
index 0000000000..0b4c944ac0
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/linux_sll2/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/linux_sll2/main.zeek
+==========================================
+.. zeek:namespace:: PacketAnalyzer::LINUXSLL2
+
+
+:Namespace: PacketAnalyzer::LINUXSLL2
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/llc/__load__.zeek.rst b/doc/scripts/base/packet-protocols/llc/__load__.zeek.rst
new file mode 100644
index 0000000000..f861299e64
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/llc/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/llc/__load__.zeek
+=======================================
+
+
+:Imports: :doc:`base/packet-protocols/llc/main.zeek </scripts/base/packet-protocols/llc/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/llc/index.rst b/doc/scripts/base/packet-protocols/llc/index.rst
new file mode 100644
index 0000000000..60c5d5d120
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/llc/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/llc
+==================================
+
+
+:doc:`/scripts/base/packet-protocols/llc/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/llc/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/llc/main.zeek.rst b/doc/scripts/base/packet-protocols/llc/main.zeek.rst
new file mode 100644
index 0000000000..747b1d0bc3
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/llc/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/llc/main.zeek
+===================================
+.. zeek:namespace:: PacketAnalyzer::LLC
+
+
+:Namespace: PacketAnalyzer::LLC
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/main.zeek.rst b/doc/scripts/base/packet-protocols/main.zeek.rst
new file mode 100644
index 0000000000..cde4561977
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/main.zeek.rst
@@ -0,0 +1,63 @@
+:tocdepth: 3
+
+base/packet-protocols/main.zeek
+===============================
+.. zeek:namespace:: PacketAnalyzer
+
+
+:Namespace: PacketAnalyzer
+:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+==================================================================== ========================================================
+:zeek:id:`PacketAnalyzer::register_for_port`: :zeek:type:`function`  Registers an individual well-known port for an analyzer.
+:zeek:id:`PacketAnalyzer::register_for_ports`: :zeek:type:`function` Registers a set of well-known ports for an analyzer.
+==================================================================== ========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: PacketAnalyzer::register_for_port
+   :source-code: base/packet-protocols/main.zeek 52 61
+
+   :Type: :zeek:type:`function` (parent: :zeek:type:`PacketAnalyzer::Tag`, child: :zeek:type:`PacketAnalyzer::Tag`, p: :zeek:type:`port`) : :zeek:type:`bool`
+
+   Registers an individual well-known port for an analyzer. If a future
+   connection on this port is seen, the analyzer will be automatically
+   assigned to parsing it. The function *adds* to all ports already
+   registered, it doesn't replace them.
+   
+
+   :param tag: The tag of the analyzer.
+   
+
+   :param p: The well-known port to associate with the analyzer.
+   
+
+   :returns: True if the port was successfully registered.
+
+.. zeek:id:: PacketAnalyzer::register_for_ports
+   :source-code: base/packet-protocols/main.zeek 37 48
+
+   :Type: :zeek:type:`function` (parent: :zeek:type:`PacketAnalyzer::Tag`, child: :zeek:type:`PacketAnalyzer::Tag`, ports: :zeek:type:`set` [:zeek:type:`port`]) : :zeek:type:`bool`
+
+   Registers a set of well-known ports for an analyzer. If a future
+   connection on one of these ports is seen, the analyzer will be
+   automatically assigned to parsing it. The function *adds* to all ports
+   already registered, it doesn't replace them.
+   
+
+   :param tag: The tag of the analyzer.
+   
+
+   :param ports: The set of well-known ports to associate with the analyzer.
+   
+
+   :returns: True if the ports were successfully registered.
+
+
diff --git a/doc/scripts/base/packet-protocols/mpls/__load__.zeek.rst b/doc/scripts/base/packet-protocols/mpls/__load__.zeek.rst
new file mode 100644
index 0000000000..4c7c78858c
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/mpls/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/mpls/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/packet-protocols/mpls/main.zeek </scripts/base/packet-protocols/mpls/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/mpls/index.rst b/doc/scripts/base/packet-protocols/mpls/index.rst
new file mode 100644
index 0000000000..1b6e76c5a9
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/mpls/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/mpls
+===================================
+
+
+:doc:`/scripts/base/packet-protocols/mpls/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/mpls/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/mpls/main.zeek.rst b/doc/scripts/base/packet-protocols/mpls/main.zeek.rst
new file mode 100644
index 0000000000..300cb37d7a
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/mpls/main.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/packet-protocols/mpls/main.zeek
+====================================
+.. zeek:namespace:: PacketAnalyzer::MPLS
+
+
+:Namespace: PacketAnalyzer::MPLS
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================= ================
+:zeek:id:`PacketAnalyzer::MPLS::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` Default analyzer
+======================================================================================================= ================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::MPLS::default_analyzer
+   :source-code: base/packet-protocols/mpls/main.zeek 5 5
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_IP``
+
+   Default analyzer
+
+
diff --git a/doc/scripts/base/packet-protocols/nflog/__load__.zeek.rst b/doc/scripts/base/packet-protocols/nflog/__load__.zeek.rst
new file mode 100644
index 0000000000..d69b2a82cf
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/nflog/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/nflog/__load__.zeek
+=========================================
+
+
+:Imports: :doc:`base/packet-protocols/nflog/main.zeek </scripts/base/packet-protocols/nflog/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/nflog/index.rst b/doc/scripts/base/packet-protocols/nflog/index.rst
new file mode 100644
index 0000000000..ed57fab8b6
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/nflog/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/nflog
+====================================
+
+
+:doc:`/scripts/base/packet-protocols/nflog/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/nflog/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/nflog/main.zeek.rst b/doc/scripts/base/packet-protocols/nflog/main.zeek.rst
new file mode 100644
index 0000000000..a90c9f324b
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/nflog/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/nflog/main.zeek
+=====================================
+.. zeek:namespace:: PacketAnalyzer::NFLOG
+
+
+:Namespace: PacketAnalyzer::NFLOG
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/novell_802_3/__load__.zeek.rst b/doc/scripts/base/packet-protocols/novell_802_3/__load__.zeek.rst
new file mode 100644
index 0000000000..148ceb38c0
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/novell_802_3/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/novell_802_3/__load__.zeek
+================================================
+
+
+:Imports: :doc:`base/packet-protocols/novell_802_3/main.zeek </scripts/base/packet-protocols/novell_802_3/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/novell_802_3/index.rst b/doc/scripts/base/packet-protocols/novell_802_3/index.rst
new file mode 100644
index 0000000000..a64cba5f5c
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/novell_802_3/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/novell_802_3
+===========================================
+
+
+:doc:`/scripts/base/packet-protocols/novell_802_3/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/novell_802_3/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/novell_802_3/main.zeek.rst b/doc/scripts/base/packet-protocols/novell_802_3/main.zeek.rst
new file mode 100644
index 0000000000..ad6288d028
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/novell_802_3/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/novell_802_3/main.zeek
+============================================
+.. zeek:namespace:: PacketAnalyzer::NOVELL_802_3
+
+
+:Namespace: PacketAnalyzer::NOVELL_802_3
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/null/__load__.zeek.rst b/doc/scripts/base/packet-protocols/null/__load__.zeek.rst
new file mode 100644
index 0000000000..aff83cf076
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/null/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/null/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/packet-protocols/null/main.zeek </scripts/base/packet-protocols/null/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/null/index.rst b/doc/scripts/base/packet-protocols/null/index.rst
new file mode 100644
index 0000000000..e21ceb6bf3
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/null/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/null
+===================================
+
+
+:doc:`/scripts/base/packet-protocols/null/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/null/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/null/main.zeek.rst b/doc/scripts/base/packet-protocols/null/main.zeek.rst
new file mode 100644
index 0000000000..af3e42065a
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/null/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/null/main.zeek
+====================================
+.. zeek:namespace:: PacketAnalyzer::NULL
+
+
+:Namespace: PacketAnalyzer::NULL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/pbb/__load__.zeek.rst b/doc/scripts/base/packet-protocols/pbb/__load__.zeek.rst
new file mode 100644
index 0000000000..c3b319941e
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/pbb/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/pbb/__load__.zeek
+=======================================
+
+
+:Imports: :doc:`base/packet-protocols/pbb/main.zeek </scripts/base/packet-protocols/pbb/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/pbb/index.rst b/doc/scripts/base/packet-protocols/pbb/index.rst
new file mode 100644
index 0000000000..8006f808eb
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/pbb/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/pbb
+==================================
+
+
+:doc:`/scripts/base/packet-protocols/pbb/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/pbb/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/pbb/main.zeek.rst b/doc/scripts/base/packet-protocols/pbb/main.zeek.rst
new file mode 100644
index 0000000000..4e934e5031
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/pbb/main.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/packet-protocols/pbb/main.zeek
+===================================
+.. zeek:namespace:: PacketAnalyzer::PBB
+
+
+:Namespace: PacketAnalyzer::PBB
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+====================================================================================================== ================
+:zeek:id:`PacketAnalyzer::PBB::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` Default analyzer
+====================================================================================================== ================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::PBB::default_analyzer
+   :source-code: base/packet-protocols/pbb/main.zeek 5 5
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_ETHERNET``
+
+   Default analyzer
+
+
diff --git a/doc/scripts/base/packet-protocols/ppp/__load__.zeek.rst b/doc/scripts/base/packet-protocols/ppp/__load__.zeek.rst
new file mode 100644
index 0000000000..9212cd0ff2
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ppp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/ppp/__load__.zeek
+=======================================
+
+
+:Imports: :doc:`base/packet-protocols/ppp/main.zeek </scripts/base/packet-protocols/ppp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ppp/index.rst b/doc/scripts/base/packet-protocols/ppp/index.rst
new file mode 100644
index 0000000000..dc65ea5276
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ppp/index.rst
@@ -0,0 +1,24 @@
+:orphan:
+
+Package: base/packet-protocols/ppp
+==================================
+
+
+:doc:`/scripts/base/packet-protocols/ppp/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ppp/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ppp_serial/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ppp_serial/main.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/pppoe/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/pppoe/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/ppp/main.zeek.rst b/doc/scripts/base/packet-protocols/ppp/main.zeek.rst
new file mode 100644
index 0000000000..ec17e690fb
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ppp/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/ppp/main.zeek
+===================================
+.. zeek:namespace:: PacketAnalyzer::PPP
+
+
+:Namespace: PacketAnalyzer::PPP
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ppp_serial/__load__.zeek.rst b/doc/scripts/base/packet-protocols/ppp_serial/__load__.zeek.rst
new file mode 100644
index 0000000000..becc8255b0
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ppp_serial/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/ppp_serial/__load__.zeek
+==============================================
+
+
+:Imports: :doc:`base/packet-protocols/ppp_serial/main.zeek </scripts/base/packet-protocols/ppp_serial/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/ppp_serial/index.rst b/doc/scripts/base/packet-protocols/ppp_serial/index.rst
new file mode 100644
index 0000000000..6ff133a513
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ppp_serial/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/ppp_serial
+=========================================
+
+
+:doc:`/scripts/base/packet-protocols/ppp_serial/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/ppp_serial/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/ppp_serial/main.zeek.rst b/doc/scripts/base/packet-protocols/ppp_serial/main.zeek.rst
new file mode 100644
index 0000000000..64627e09a9
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/ppp_serial/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/ppp_serial/main.zeek
+==========================================
+.. zeek:namespace:: PacketAnalyzer::PPP_SERIAL
+
+
+:Namespace: PacketAnalyzer::PPP_SERIAL
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/pppoe/__load__.zeek.rst b/doc/scripts/base/packet-protocols/pppoe/__load__.zeek.rst
new file mode 100644
index 0000000000..fa5b4c7f96
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/pppoe/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/pppoe/__load__.zeek
+=========================================
+
+
+:Imports: :doc:`base/packet-protocols/pppoe/main.zeek </scripts/base/packet-protocols/pppoe/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/pppoe/index.rst b/doc/scripts/base/packet-protocols/pppoe/index.rst
new file mode 100644
index 0000000000..c77f73682b
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/pppoe/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/pppoe
+====================================
+
+
+:doc:`/scripts/base/packet-protocols/pppoe/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/pppoe/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/pppoe/main.zeek.rst b/doc/scripts/base/packet-protocols/pppoe/main.zeek.rst
new file mode 100644
index 0000000000..cabaa6a3d0
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/pppoe/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/pppoe/main.zeek
+=====================================
+.. zeek:namespace:: PacketAnalyzer::PPPOE
+
+
+:Namespace: PacketAnalyzer::PPPOE
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/root/__load__.zeek.rst b/doc/scripts/base/packet-protocols/root/__load__.zeek.rst
new file mode 100644
index 0000000000..fba7499bc3
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/root/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/root/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/packet-protocols/root/main.zeek </scripts/base/packet-protocols/root/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/root/index.rst b/doc/scripts/base/packet-protocols/root/index.rst
new file mode 100644
index 0000000000..3a535a8bd5
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/root/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/root
+===================================
+
+
+:doc:`/scripts/base/packet-protocols/root/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/root/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/root/main.zeek.rst b/doc/scripts/base/packet-protocols/root/main.zeek.rst
new file mode 100644
index 0000000000..e4d625bd57
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/root/main.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+base/packet-protocols/root/main.zeek
+====================================
+.. zeek:namespace:: PacketAnalyzer::ROOT
+
+
+:Namespace: PacketAnalyzer::ROOT
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================= ===================================================================
+:zeek:id:`PacketAnalyzer::ROOT::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` Default analyzer (if we don't know the link type, we assume raw IP)
+======================================================================================================= ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::ROOT::default_analyzer
+   :source-code: base/packet-protocols/root/main.zeek 5 5
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_IP``
+
+   Default analyzer (if we don't know the link type, we assume raw IP)
+
+
diff --git a/doc/scripts/base/packet-protocols/skip/__load__.zeek.rst b/doc/scripts/base/packet-protocols/skip/__load__.zeek.rst
new file mode 100644
index 0000000000..1eded85bf1
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/skip/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/skip/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/packet-protocols/skip/main.zeek </scripts/base/packet-protocols/skip/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/skip/index.rst b/doc/scripts/base/packet-protocols/skip/index.rst
new file mode 100644
index 0000000000..f0cffac655
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/skip/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/skip
+===================================
+
+
+:doc:`/scripts/base/packet-protocols/skip/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/skip/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/skip/main.zeek.rst b/doc/scripts/base/packet-protocols/skip/main.zeek.rst
new file mode 100644
index 0000000000..8069415c36
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/skip/main.zeek.rst
@@ -0,0 +1,42 @@
+:tocdepth: 3
+
+base/packet-protocols/skip/main.zeek
+====================================
+.. zeek:namespace:: PacketAnalyzer::SKIP
+
+
+:Namespace: PacketAnalyzer::SKIP
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================= ================
+:zeek:id:`PacketAnalyzer::SKIP::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` Default analyzer
+:zeek:id:`PacketAnalyzer::SKIP::skip_bytes`: :zeek:type:`count` :zeek:attr:`&redef`                     Bytes to skip.
+======================================================================================================= ================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::SKIP::default_analyzer
+   :source-code: base/packet-protocols/skip/main.zeek 5 5
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_IP``
+
+   Default analyzer
+
+.. zeek:id:: PacketAnalyzer::SKIP::skip_bytes
+   :source-code: base/packet-protocols/skip/main.zeek 8 8
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   Bytes to skip.
+
+
diff --git a/doc/scripts/base/packet-protocols/snap/__load__.zeek.rst b/doc/scripts/base/packet-protocols/snap/__load__.zeek.rst
new file mode 100644
index 0000000000..3c04ea78d4
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/snap/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/snap/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/packet-protocols/snap/main.zeek </scripts/base/packet-protocols/snap/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/snap/index.rst b/doc/scripts/base/packet-protocols/snap/index.rst
new file mode 100644
index 0000000000..6e1f3b077c
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/snap/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/snap
+===================================
+
+
+:doc:`/scripts/base/packet-protocols/snap/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/snap/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/snap/main.zeek.rst b/doc/scripts/base/packet-protocols/snap/main.zeek.rst
new file mode 100644
index 0000000000..868d309161
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/snap/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/snap/main.zeek
+====================================
+.. zeek:namespace:: PacketAnalyzer::SNAP
+
+
+:Namespace: PacketAnalyzer::SNAP
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/tcp/__load__.zeek.rst b/doc/scripts/base/packet-protocols/tcp/__load__.zeek.rst
new file mode 100644
index 0000000000..208df149d3
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/tcp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/tcp/__load__.zeek
+=======================================
+
+
+:Imports: :doc:`base/packet-protocols/tcp/main.zeek </scripts/base/packet-protocols/tcp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/tcp/index.rst b/doc/scripts/base/packet-protocols/tcp/index.rst
new file mode 100644
index 0000000000..b4049a7002
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/tcp/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/tcp
+==================================
+
+
+:doc:`/scripts/base/packet-protocols/tcp/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/tcp/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/tcp/main.zeek.rst b/doc/scripts/base/packet-protocols/tcp/main.zeek.rst
new file mode 100644
index 0000000000..cbb92c4095
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/tcp/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/tcp/main.zeek
+===================================
+.. zeek:namespace:: PacketAnalyzer::TCP
+
+
+:Namespace: PacketAnalyzer::TCP
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/teredo/__load__.zeek.rst b/doc/scripts/base/packet-protocols/teredo/__load__.zeek.rst
new file mode 100644
index 0000000000..7ad82a6403
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/teredo/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/teredo/__load__.zeek
+==========================================
+
+
+:Imports: :doc:`base/packet-protocols/teredo/main.zeek </scripts/base/packet-protocols/teredo/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/teredo/index.rst b/doc/scripts/base/packet-protocols/teredo/index.rst
new file mode 100644
index 0000000000..e680fdeabe
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/teredo/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/teredo
+=====================================
+
+
+:doc:`/scripts/base/packet-protocols/teredo/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/teredo/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/teredo/main.zeek.rst b/doc/scripts/base/packet-protocols/teredo/main.zeek.rst
new file mode 100644
index 0000000000..f4335ec9ed
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/teredo/main.zeek.rst
@@ -0,0 +1,39 @@
+:tocdepth: 3
+
+base/packet-protocols/teredo/main.zeek
+======================================
+.. zeek:namespace:: PacketAnalyzer::TEREDO
+
+
+:Namespace: PacketAnalyzer::TEREDO
+:Imports: :doc:`base/bif/plugins/Zeek_Teredo.events.bif.zeek </scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek>`, :doc:`base/bif/plugins/Zeek_Teredo.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek>`, :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+========================================================================================================= ================
+:zeek:id:`PacketAnalyzer::TEREDO::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` Default analyzer
+========================================================================================================= ================
+
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::TEREDO::default_analyzer
+   :source-code: base/packet-protocols/teredo/main.zeek 17 17
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_IP``
+
+   Default analyzer
+
+
diff --git a/doc/scripts/base/packet-protocols/udp/__load__.zeek.rst b/doc/scripts/base/packet-protocols/udp/__load__.zeek.rst
new file mode 100644
index 0000000000..e210bdb896
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/udp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/udp/__load__.zeek
+=======================================
+
+
+:Imports: :doc:`base/packet-protocols/udp/main.zeek </scripts/base/packet-protocols/udp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/udp/index.rst b/doc/scripts/base/packet-protocols/udp/index.rst
new file mode 100644
index 0000000000..b02ea51c2a
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/udp/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/udp
+==================================
+
+
+:doc:`/scripts/base/packet-protocols/udp/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/udp/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/udp/main.zeek.rst b/doc/scripts/base/packet-protocols/udp/main.zeek.rst
new file mode 100644
index 0000000000..d5815689d0
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/udp/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/udp/main.zeek
+===================================
+.. zeek:namespace:: PacketAnalyzer::UDP
+
+
+:Namespace: PacketAnalyzer::UDP
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/vlan/__load__.zeek.rst b/doc/scripts/base/packet-protocols/vlan/__load__.zeek.rst
new file mode 100644
index 0000000000..984b9f956f
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vlan/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/vlan/__load__.zeek
+========================================
+
+
+:Imports: :doc:`base/packet-protocols/vlan/main.zeek </scripts/base/packet-protocols/vlan/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/vlan/index.rst b/doc/scripts/base/packet-protocols/vlan/index.rst
new file mode 100644
index 0000000000..5355a8f5b8
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vlan/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/vlan
+===================================
+
+
+:doc:`/scripts/base/packet-protocols/vlan/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vlan/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/vlan/main.zeek.rst b/doc/scripts/base/packet-protocols/vlan/main.zeek.rst
new file mode 100644
index 0000000000..1917d05f2f
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vlan/main.zeek.rst
@@ -0,0 +1,46 @@
+:tocdepth: 3
+
+base/packet-protocols/vlan/main.zeek
+====================================
+.. zeek:namespace:: PacketAnalyzer::VLAN
+
+
+:Namespace: PacketAnalyzer::VLAN
+
+Summary
+~~~~~~~
+Constants
+#########
+========================================================================== =
+:zeek:id:`PacketAnalyzer::VLAN::LLC_FORWARDING_KEY`: :zeek:type:`count`    
+:zeek:id:`PacketAnalyzer::VLAN::NOVELL_FORWARDING_KEY`: :zeek:type:`count` 
+:zeek:id:`PacketAnalyzer::VLAN::SNAP_FORWARDING_KEY`: :zeek:type:`count`   
+========================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: PacketAnalyzer::VLAN::LLC_FORWARDING_KEY
+   :source-code: base/packet-protocols/vlan/main.zeek 9 9
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+
+.. zeek:id:: PacketAnalyzer::VLAN::NOVELL_FORWARDING_KEY
+   :source-code: base/packet-protocols/vlan/main.zeek 8 8
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: PacketAnalyzer::VLAN::SNAP_FORWARDING_KEY
+   :source-code: base/packet-protocols/vlan/main.zeek 7 7
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+
+
diff --git a/doc/scripts/base/packet-protocols/vntag/__load__.zeek.rst b/doc/scripts/base/packet-protocols/vntag/__load__.zeek.rst
new file mode 100644
index 0000000000..c57c7db1ea
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vntag/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/vntag/__load__.zeek
+=========================================
+
+
+:Imports: :doc:`base/packet-protocols/vntag/main.zeek </scripts/base/packet-protocols/vntag/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/vntag/index.rst b/doc/scripts/base/packet-protocols/vntag/index.rst
new file mode 100644
index 0000000000..cff5d3c481
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vntag/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/vntag
+====================================
+
+
+:doc:`/scripts/base/packet-protocols/vntag/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vntag/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/vntag/main.zeek.rst b/doc/scripts/base/packet-protocols/vntag/main.zeek.rst
new file mode 100644
index 0000000000..8df1f2ed63
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vntag/main.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/packet-protocols/vntag/main.zeek
+=====================================
+.. zeek:namespace:: PacketAnalyzer::VNTAG
+
+
+:Namespace: PacketAnalyzer::VNTAG
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/vxlan/__load__.zeek.rst b/doc/scripts/base/packet-protocols/vxlan/__load__.zeek.rst
new file mode 100644
index 0000000000..b40600ef06
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vxlan/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/packet-protocols/vxlan/__load__.zeek
+=========================================
+
+
+:Imports: :doc:`base/packet-protocols/vxlan/main.zeek </scripts/base/packet-protocols/vxlan/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/packet-protocols/vxlan/index.rst b/doc/scripts/base/packet-protocols/vxlan/index.rst
new file mode 100644
index 0000000000..a7e135067c
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vxlan/index.rst
@@ -0,0 +1,12 @@
+:orphan:
+
+Package: base/packet-protocols/vxlan
+====================================
+
+
+:doc:`/scripts/base/packet-protocols/vxlan/__load__.zeek`
+
+
+:doc:`/scripts/base/packet-protocols/vxlan/main.zeek`
+
+
diff --git a/doc/scripts/base/packet-protocols/vxlan/main.zeek.rst b/doc/scripts/base/packet-protocols/vxlan/main.zeek.rst
new file mode 100644
index 0000000000..559d16d433
--- /dev/null
+++ b/doc/scripts/base/packet-protocols/vxlan/main.zeek.rst
@@ -0,0 +1,57 @@
+:tocdepth: 3
+
+base/packet-protocols/vxlan/main.zeek
+=====================================
+.. zeek:namespace:: PacketAnalyzer::VXLAN
+
+
+:Namespace: PacketAnalyzer::VXLAN
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================== ============================================
+:zeek:id:`PacketAnalyzer::VXLAN::default_analyzer`: :zeek:type:`PacketAnalyzer::Tag` :zeek:attr:`&redef` 
+:zeek:id:`PacketAnalyzer::VXLAN::vxlan_ports`: :zeek:type:`set` :zeek:attr:`&redef`                      The set of UDP ports used for VXLAN traffic.
+======================================================================================================== ============================================
+
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketAnalyzer::VXLAN::default_analyzer
+   :source-code: base/packet-protocols/vxlan/main.zeek 6 6
+
+   :Type: :zeek:type:`PacketAnalyzer::Tag`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``PacketAnalyzer::ANALYZER_ETHERNET``
+
+
+.. zeek:id:: PacketAnalyzer::VXLAN::vxlan_ports
+   :source-code: base/packet-protocols/vxlan/main.zeek 12 12
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            4789/udp
+         }
+
+
+   The set of UDP ports used for VXLAN traffic.  Traffic using this
+   UDP destination port will attempt to be decapsulated.  Note that if
+   if you customize this, you may still want to manually ensure that
+   :zeek:see:`likely_server_ports` also gets populated accordingly.
+
+
diff --git a/doc/scripts/base/protocols/conn/__load__.zeek.rst b/doc/scripts/base/protocols/conn/__load__.zeek.rst
new file mode 100644
index 0000000000..d6f876c4c7
--- /dev/null
+++ b/doc/scripts/base/protocols/conn/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/conn/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/conn/contents.zeek </scripts/base/protocols/conn/contents.zeek>`, :doc:`base/protocols/conn/inactivity.zeek </scripts/base/protocols/conn/inactivity.zeek>`, :doc:`base/protocols/conn/main.zeek </scripts/base/protocols/conn/main.zeek>`, :doc:`base/protocols/conn/polling.zeek </scripts/base/protocols/conn/polling.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/conn/thresholds.zeek </scripts/base/protocols/conn/thresholds.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/conn/contents.zeek.rst b/doc/scripts/base/protocols/conn/contents.zeek.rst
new file mode 100644
index 0000000000..85f1b9e7e8
--- /dev/null
+++ b/doc/scripts/base/protocols/conn/contents.zeek.rst
@@ -0,0 +1,71 @@
+:tocdepth: 3
+
+base/protocols/conn/contents.zeek
+=================================
+.. zeek:namespace:: Conn
+
+This script can be used to extract either the originator's data or the
+responders data or both.  By default nothing is extracted, and in order
+to actually extract data the ``c$extract_orig`` and/or the
+``c$extract_resp`` variable must be set to ``T``.  One way to achieve this
+would be to handle the :zeek:id:`connection_established` event elsewhere
+and set the ``extract_orig`` and ``extract_resp`` options there.
+However, there may be trouble with the timing due to event queue delay.
+
+.. note::
+
+   This script does not work well in a cluster context unless it has a
+   remotely mounted disk to write the content files to.
+
+:Namespace: Conn
+:Imports: :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=========================================================================== ==================================================================
+:zeek:id:`Conn::default_extract`: :zeek:type:`bool` :zeek:attr:`&redef`     If this variable is set to ``T``, then all contents of all
+                                                                            connections will be extracted.
+:zeek:id:`Conn::extraction_prefix`: :zeek:type:`string` :zeek:attr:`&redef` The prefix given to files containing extracted connections as they
+                                                                            are opened on disk.
+=========================================================================== ==================================================================
+
+Redefinitions
+#############
+============================================ ==================================================================================================================
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               extract_orig: :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Conn::default_extract` :zeek:attr:`&optional`
+                                             
+                                               extract_resp: :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Conn::default_extract` :zeek:attr:`&optional`
+============================================ ==================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Conn::default_extract
+   :source-code: base/protocols/conn/contents.zeek 25 25
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If this variable is set to ``T``, then all contents of all
+   connections will be extracted.
+
+.. zeek:id:: Conn::extraction_prefix
+   :source-code: base/protocols/conn/contents.zeek 21 21
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"contents"``
+
+   The prefix given to files containing extracted connections as they
+   are opened on disk.
+
+
diff --git a/doc/scripts/base/protocols/conn/inactivity.zeek.rst b/doc/scripts/base/protocols/conn/inactivity.zeek.rst
new file mode 100644
index 0000000000..b0fb3dce31
--- /dev/null
+++ b/doc/scripts/base/protocols/conn/inactivity.zeek.rst
@@ -0,0 +1,64 @@
+:tocdepth: 3
+
+base/protocols/conn/inactivity.zeek
+===================================
+.. zeek:namespace:: Conn
+
+Adjust the inactivity timeouts for interactive services which could
+very possibly have long delays between packets.
+
+:Namespace: Conn
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+===================================================================================== ==================================================================
+:zeek:id:`Conn::analyzer_inactivity_timeouts`: :zeek:type:`table` :zeek:attr:`&redef` Define inactivity timeouts by the service detected being used over
+                                                                                      the connection.
+:zeek:id:`Conn::port_inactivity_timeouts`: :zeek:type:`table` :zeek:attr:`&redef`     Define inactivity timeouts based on common protocol ports.
+===================================================================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Conn::analyzer_inactivity_timeouts
+   :source-code: base/protocols/conn/inactivity.zeek 9 9
+
+   :Type: :zeek:type:`table` [:zeek:type:`AllAnalyzers::Tag`] of :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [AllAnalyzers::ANALYZER_ANALYZER_FTP] = 1.0 hr,
+            [AllAnalyzers::ANALYZER_ANALYZER_SSH] = 1.0 hr
+         }
+
+
+   Define inactivity timeouts by the service detected being used over
+   the connection.
+
+.. zeek:id:: Conn::port_inactivity_timeouts
+   :source-code: base/protocols/conn/inactivity.zeek 15 15
+
+   :Type: :zeek:type:`table` [:zeek:type:`port`] of :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [513/tcp] = 1.0 hr,
+            [21/tcp] = 1.0 hr,
+            [23/tcp] = 1.0 hr,
+            [22/tcp] = 1.0 hr
+         }
+
+
+   Define inactivity timeouts based on common protocol ports.
+
+
diff --git a/doc/scripts/base/protocols/conn/index.rst b/doc/scripts/base/protocols/conn/index.rst
new file mode 100644
index 0000000000..096541bd3e
--- /dev/null
+++ b/doc/scripts/base/protocols/conn/index.rst
@@ -0,0 +1,62 @@
+:orphan:
+
+Package: base/protocols/conn
+============================
+
+Support for connection (TCP, UDP, or ICMP) analysis.
+
+:doc:`/scripts/base/protocols/conn/removal-hooks.zeek`
+
+   Adds a framework for registering "connection removal hooks".
+   All registered hooks for a given connection get run within the
+   :zeek:see:`connection_state_remove` event for that connection.
+   This functionality is useful from a performance/scaling concern:
+   if every new protocol-analysis script uses
+   :zeek:see:`connection_state_remove` to implement its finalization/cleanup
+   logic, then all connections take the performance hit of dispatching that
+   event, even if they aren't related to that specific protocol.
+
+:doc:`/scripts/base/protocols/conn/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/conn/main.zeek`
+
+   This script manages the tracking/logging of general information regarding
+   TCP, UDP, and ICMP traffic.  For UDP and ICMP, "connections" are to
+   be interpreted using flow semantics (sequence of packets from a source
+   host/port to a destination host/port).  Further, ICMP "ports" are to
+   be interpreted as the source port meaning the ICMP message type and
+   the destination port being the ICMP message code.
+
+:doc:`/scripts/base/protocols/conn/contents.zeek`
+
+   This script can be used to extract either the originator's data or the
+   responders data or both.  By default nothing is extracted, and in order
+   to actually extract data the ``c$extract_orig`` and/or the
+   ``c$extract_resp`` variable must be set to ``T``.  One way to achieve this
+   would be to handle the :zeek:id:`connection_established` event elsewhere
+   and set the ``extract_orig`` and ``extract_resp`` options there.
+   However, there may be trouble with the timing due to event queue delay.
+   
+   .. note::
+   
+      This script does not work well in a cluster context unless it has a
+      remotely mounted disk to write the content files to.
+
+:doc:`/scripts/base/protocols/conn/inactivity.zeek`
+
+   Adjust the inactivity timeouts for interactive services which could
+   very possibly have long delays between packets.
+
+:doc:`/scripts/base/protocols/conn/polling.zeek`
+
+   Implements a generic way to poll connections looking for certain features
+   (e.g. monitor bytes transferred).  The specific feature of a connection
+   to look for, the polling interval, and the code to execute if the feature
+   is found are all controlled by user-defined callback functions.
+
+:doc:`/scripts/base/protocols/conn/thresholds.zeek`
+
+   Implements a generic API to throw events when a connection crosses a
+   fixed threshold of bytes or packets.
+
diff --git a/doc/scripts/base/protocols/conn/main.zeek.rst b/doc/scripts/base/protocols/conn/main.zeek.rst
new file mode 100644
index 0000000000..421584abfc
--- /dev/null
+++ b/doc/scripts/base/protocols/conn/main.zeek.rst
@@ -0,0 +1,346 @@
+:tocdepth: 3
+
+base/protocols/conn/main.zeek
+=============================
+.. zeek:namespace:: Conn
+
+This script manages the tracking/logging of general information regarding
+TCP, UDP, and ICMP traffic.  For UDP and ICMP, "connections" are to
+be interpreted using flow semantics (sequence of packets from a source
+host/port to a destination host/port).  Further, ICMP "ports" are to
+be interpreted as the source port meaning the ICMP message type and
+the destination port being the ICMP message code.
+
+:Namespace: Conn
+:Imports: :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`, :doc:`base/utils/strings.zeek </scripts/base/utils/strings.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================ ===================================================================
+:zeek:type:`Conn::Info`: :zeek:type:`record` The record type which contains column fields of the connection log.
+============================================ ===================================================================
+
+Redefinitions
+#############
+============================================ ======================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      The connection logging stream identifier.
+                                             
+                                             * :zeek:enum:`Conn::LOG`
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               conn: :zeek:type:`Conn::Info` :zeek:attr:`&optional`
+============================================ ======================================================
+
+Events
+######
+============================================= ===============================================================
+:zeek:id:`Conn::log_conn`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`Conn::Info`
+                                              record as it is sent on to the logging framework.
+============================================= ===============================================================
+
+Hooks
+#####
+========================================================= =============================================
+:zeek:id:`Conn::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+========================================================= =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Conn::Info
+   :source-code: base/protocols/conn/main.zeek 21 168
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      This is the time of the first packet.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      A unique identifier of the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log`
+
+      The transport layer protocol of the connection.
+
+
+   .. zeek:field:: service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A comma-separated list of confirmed protocol(s).
+      With :zeek:see:DPD::track_removed_services_in_connection, the list
+      includes the same protocols prefixed with "-" to record that Zeek
+      dropped them due to parsing violations."
+
+
+   .. zeek:field:: duration :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      How long the connection lasted.
+      
+      .. note:: The duration doesn't cover trailing "non-productive"
+         TCP packets (i.e., ones not contributing new stream payload)
+         once a direction is closed.  For example, for regular
+         3-way/4-way connection tear-downs it doesn't include the
+         final ACK.  The reason is largely historic: this approach
+         allows more accurate computation of connection data rates.
+         Zeek does however reflect such trailing packets in the
+         connection history.
+
+
+   .. zeek:field:: orig_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The number of payload bytes the originator sent. For TCP
+      this is taken from sequence numbers and might be inaccurate
+      (e.g., due to large connections).
+
+
+   .. zeek:field:: resp_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The number of payload bytes the responder sent. See
+      *orig_bytes*.
+
+
+   .. zeek:field:: conn_state :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Possible *conn_state* values:
+      
+      * S0: Connection attempt seen, no reply.
+      
+      * S1: Connection established, not terminated.
+      
+      * SF: Normal establishment and termination.
+        Note that this is the same symbol as for state S1.
+        You can tell the two apart because for S1 there will not be any
+        byte counts in the summary, while for SF there will be.
+      
+      * REJ: Connection attempt rejected.
+      
+      * S2: Connection established and close attempt by originator seen
+        (but no reply from responder).
+      
+      * S3: Connection established and close attempt by responder seen
+        (but no reply from originator).
+      
+      * RSTO: Connection established, originator aborted (sent a RST).
+      
+      * RSTR: Responder sent a RST.
+      
+      * RSTOS0: Originator sent a SYN followed by a RST, we never saw a
+        SYN-ACK from the responder.
+      
+      * RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a
+        SYN from the (purported) originator.
+      
+      * SH: Originator sent a SYN followed by a FIN, we never saw a
+        SYN ACK from the responder (hence the connection was "half" open).
+      
+      * SHR: Responder sent a SYN ACK followed by a FIN, we never saw a
+        SYN from the originator.
+      
+      * OTH: No SYN seen, just midstream traffic (one example of this
+        is a "partial connection" that was not later closed).
+
+
+   .. zeek:field:: local_orig :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the connection is originated locally, this value will be T.
+      If it was originated remotely it will be F.  In the case that
+      the :zeek:id:`Site::local_nets` variable is undefined, this
+      field will be left empty at all times.
+
+
+   .. zeek:field:: local_resp :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the connection is responded to locally, this value will be T.
+      If it was responded to remotely it will be F.  In the case that
+      the :zeek:id:`Site::local_nets` variable is undefined, this
+      field will be left empty at all times.
+
+
+   .. zeek:field:: missed_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Indicates the number of bytes missed in content gaps, which
+      is representative of packet loss.  A value other than zero
+      will normally cause protocol analysis to fail but some
+      analysis may have been completed prior to the packet loss.
+
+
+   .. zeek:field:: history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Records the state history of connections as a string of
+      letters.  The meaning of those letters is:
+      
+      ======  ====================================================
+      Letter  Meaning
+      ======  ====================================================
+      s       a SYN w/o the ACK bit set
+      h       a SYN+ACK ("handshake")
+      a       a pure ACK
+      d       packet with payload ("data")
+      f       packet with FIN bit set
+      r       packet with RST bit set
+      c       packet with a bad checksum (applies to UDP too)
+      g       a content gap
+      t       packet with retransmitted payload
+      w       packet with a zero window advertisement
+      i       inconsistent packet (e.g. FIN+RST bits set)
+      q       multi-flag packet (SYN+FIN or SYN+RST bits set)
+      ^       connection direction was flipped by Zeek's heuristic
+      x       connection analysis partial (e.g. limits exceeded)
+      ======  ====================================================
+      
+      If the event comes from the originator, the letter is in
+      upper-case; if it comes from the responder, it's in
+      lower-case.  The 'a', 'd', 'i' and 'q' flags are
+      recorded a maximum of one time in either direction regardless
+      of how many are actually seen.  'f', 'h', 'r' and
+      's' can be recorded multiple times for either direction
+      if the associated sequence number differs from the
+      last-seen packet of the same flag type.
+      'c', 'g', 't' and 'w' are recorded in a logarithmic fashion:
+      the second instance represents that the event was seen
+      (at least) 10 times; the third instance, 100 times; etc.
+
+
+   .. zeek:field:: orig_pkts :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of packets that the originator sent.
+      Only set if :zeek:id:`use_conn_size_analyzer` = T.
+
+
+   .. zeek:field:: orig_ip_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of IP level bytes that the originator sent (as seen on
+      the wire, taken from the IP total_length header field).
+      Only set if :zeek:id:`use_conn_size_analyzer` = T.
+
+
+   .. zeek:field:: resp_pkts :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of packets that the responder sent.
+      Only set if :zeek:id:`use_conn_size_analyzer` = T.
+
+
+   .. zeek:field:: resp_ip_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of IP level bytes that the responder sent (as seen on
+      the wire, taken from the IP total_length header field).
+      Only set if :zeek:id:`use_conn_size_analyzer` = T.
+
+
+   .. zeek:field:: tunnel_parents :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If this connection was over a tunnel, indicate the
+      *uid* values for any encapsulating parent connections
+      used over the lifetime of this inner connection.
+
+
+   .. zeek:field:: ip_proto :zeek:type:`count` :zeek:attr:`&optional`
+
+      For IP-based connections, this contains the protocol
+      identifier passed in the IP header. This is different
+      from the *proto* field in that this value comes
+      directly from the header.
+
+
+   .. zeek:field:: community_id :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/protocols/conn/community-id-logging.zeek` is loaded)
+
+
+   .. zeek:field:: failed_service :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional` :zeek:attr:`&ordered`
+
+      (present if :doc:`/scripts/policy/protocols/conn/failed-service-logging.zeek` is loaded)
+
+      List of analyzers in a connection that raised violations
+      causing their removal.
+      Analyzers are listed in order that they were removed.
+
+
+   .. zeek:field:: ip_proto_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/ip-proto-name-logging.zeek` is loaded)
+
+      A string version of the ip_proto field
+
+
+   .. zeek:field:: orig_l2_addr :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/mac-logging.zeek` is loaded)
+
+      Link-layer address of the originator, if available.
+
+
+   .. zeek:field:: resp_l2_addr :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/mac-logging.zeek` is loaded)
+
+      Link-layer address of the responder, if available.
+
+
+   .. zeek:field:: vlan :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/vlan-logging.zeek` is loaded)
+
+      The outer VLAN for this connection, if applicable.
+
+
+   .. zeek:field:: inner_vlan :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/vlan-logging.zeek` is loaded)
+
+      The inner VLAN for this connection, if applicable.
+
+
+   .. zeek:field:: pppoe_session_id :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek` is loaded)
+
+      The PPPoE session id, if applicable for this connection.
+
+
+   .. zeek:field:: speculative_service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/conn/speculative-service.zeek` is loaded)
+
+      Protocol that was determined by a matching signature after the beginning
+      of a connection. In this situation no analyzer can be attached and hence
+      the data cannot be analyzed nor the protocol can be confirmed.
+
+
+   The record type which contains column fields of the connection log.
+
+Events
+######
+.. zeek:id:: Conn::log_conn
+   :source-code: base/protocols/conn/main.zeek 172 172
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Conn::Info`)
+
+   Event that can be handled to access the :zeek:type:`Conn::Info`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Conn::log_policy
+   :source-code: base/protocols/conn/main.zeek 18 18
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/base/protocols/conn/polling.zeek.rst b/doc/scripts/base/protocols/conn/polling.zeek.rst
new file mode 100644
index 0000000000..48d8af067c
--- /dev/null
+++ b/doc/scripts/base/protocols/conn/polling.zeek.rst
@@ -0,0 +1,52 @@
+:tocdepth: 3
+
+base/protocols/conn/polling.zeek
+================================
+.. zeek:namespace:: ConnPolling
+
+Implements a generic way to poll connections looking for certain features
+(e.g. monitor bytes transferred).  The specific feature of a connection
+to look for, the polling interval, and the code to execute if the feature
+is found are all controlled by user-defined callback functions.
+
+:Namespace: ConnPolling
+
+Summary
+~~~~~~~
+Functions
+#########
+==================================================== =====================================
+:zeek:id:`ConnPolling::watch`: :zeek:type:`function` Starts monitoring a given connection.
+==================================================== =====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: ConnPolling::watch
+   :source-code: base/protocols/conn/polling.zeek 47 51
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, callback: :zeek:type:`function` (c: :zeek:type:`connection`, cnt: :zeek:type:`count`) : :zeek:type:`interval`, cnt: :zeek:type:`count`, i: :zeek:type:`interval`) : :zeek:type:`void`
+
+   Starts monitoring a given connection.
+   
+
+   :param c: The connection to watch.
+   
+
+   :param callback: A callback function that takes as arguments the monitored
+             *connection*, and counter *cnt* that increments each time
+             the callback is called.  It returns an interval indicating
+             how long in the future to schedule an event which will call
+             the callback.  A negative return interval causes polling
+             to stop.
+   
+
+   :param cnt: The initial value of a counter which gets passed to *callback*.
+   
+
+   :param i: The initial interval at which to schedule the next callback.
+      May be ``0secs`` to poll right away.
+
+
diff --git a/doc/scripts/base/protocols/conn/removal-hooks.zeek.rst b/doc/scripts/base/protocols/conn/removal-hooks.zeek.rst
new file mode 100644
index 0000000000..e0c7b6cd08
--- /dev/null
+++ b/doc/scripts/base/protocols/conn/removal-hooks.zeek.rst
@@ -0,0 +1,101 @@
+:tocdepth: 3
+
+base/protocols/conn/removal-hooks.zeek
+======================================
+.. zeek:namespace:: Conn
+
+Adds a framework for registering "connection removal hooks".
+All registered hooks for a given connection get run within the
+:zeek:see:`connection_state_remove` event for that connection.
+This functionality is useful from a performance/scaling concern:
+if every new protocol-analysis script uses
+:zeek:see:`connection_state_remove` to implement its finalization/cleanup
+logic, then all connections take the performance hit of dispatching that
+event, even if they aren't related to that specific protocol.
+
+:Namespace: Conn
+
+Summary
+~~~~~~~
+Types
+#####
+================================================= ===========================================================================
+:zeek:type:`Conn::RemovalHook`: :zeek:type:`hook` A hook function for use with either :zeek:see:`Conn::register_removal_hook`
+                                                  or :zeek:see:`Conn::unregister_removal_hook`.
+================================================= ===========================================================================
+
+Redefinitions
+#############
+============================================ =========================================================================================
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               removal_hooks: :zeek:type:`set` [:zeek:type:`Conn::RemovalHook`] :zeek:attr:`&optional`
+============================================ =========================================================================================
+
+Functions
+#########
+=============================================================== =====================================================================
+:zeek:id:`Conn::register_removal_hook`: :zeek:type:`function`   Register a hook that will later be called during a connection's
+                                                                :zeek:see:`connection_state_remove` event.
+:zeek:id:`Conn::unregister_removal_hook`: :zeek:type:`function` Unregister a hook that would have been called during a connection's
+                                                                :zeek:see:`connection_state_remove` event such that it will no longer
+                                                                be called.
+=============================================================== =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Conn::RemovalHook
+   :source-code: base/protocols/conn/removal-hooks.zeek 17 17
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`connection`) : :zeek:type:`bool`
+
+   A hook function for use with either :zeek:see:`Conn::register_removal_hook`
+   or :zeek:see:`Conn::unregister_removal_hook`.  The :zeek:see:`connection`
+   argument refers to the connection currently being removed within a
+   :zeek:see:`connection_state_remove` event.
+
+Functions
+#########
+.. zeek:id:: Conn::register_removal_hook
+   :source-code: base/protocols/conn/removal-hooks.zeek 47 60
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, hk: :zeek:type:`Conn::RemovalHook`) : :zeek:type:`bool`
+
+   Register a hook that will later be called during a connection's
+   :zeek:see:`connection_state_remove` event.
+   
+
+   :param c: The associated connection whose :zeek:see:`connection_state_remove`
+      event should trigger a callback to *hk*.
+   
+
+   :param hk: The hook function to use as a callback.
+   
+
+   :returns: false if the provided hook was previously registered, else true.
+
+.. zeek:id:: Conn::unregister_removal_hook
+   :source-code: base/protocols/conn/removal-hooks.zeek 62 72
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, hk: :zeek:type:`Conn::RemovalHook`) : :zeek:type:`bool`
+
+   Unregister a hook that would have been called during a connection's
+   :zeek:see:`connection_state_remove` event such that it will no longer
+   be called.
+   
+
+   :param c: The associated connection whose :zeek:see:`connection_state_remove`
+      event could have triggered a callback to *hk*.
+   
+
+   :param hk: The hook function that would have been used as a callback.
+   
+
+   :returns: true if the provided hook was previously registered, else false.
+
+
diff --git a/doc/scripts/base/protocols/conn/thresholds.zeek.rst b/doc/scripts/base/protocols/conn/thresholds.zeek.rst
new file mode 100644
index 0000000000..65caa46e38
--- /dev/null
+++ b/doc/scripts/base/protocols/conn/thresholds.zeek.rst
@@ -0,0 +1,252 @@
+:tocdepth: 3
+
+base/protocols/conn/thresholds.zeek
+===================================
+.. zeek:namespace:: ConnThreshold
+
+Implements a generic API to throw events when a connection crosses a
+fixed threshold of bytes or packets.
+
+:Namespace: ConnThreshold
+
+Summary
+~~~~~~~
+Types
+#####
+=========================================================== =
+:zeek:type:`ConnThreshold::Thresholds`: :zeek:type:`record` 
+=========================================================== =
+
+Redefinitions
+#############
+============================================ ===========================================================================
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               thresholds: :zeek:type:`ConnThreshold::Thresholds` :zeek:attr:`&optional`
+============================================ ===========================================================================
+
+Events
+######
+======================================================================== =================================================================
+:zeek:id:`ConnThreshold::bytes_threshold_crossed`: :zeek:type:`event`    Generated for a connection that crossed a set byte threshold
+:zeek:id:`ConnThreshold::duration_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set duration threshold.
+:zeek:id:`ConnThreshold::packets_threshold_crossed`: :zeek:type:`event`  Generated for a connection that crossed a set byte threshold
+======================================================================== =================================================================
+
+Functions
+#########
+========================================================================== ===================================================================================================
+:zeek:id:`ConnThreshold::delete_bytes_threshold`: :zeek:type:`function`    Deletes a byte threshold for connection sizes.
+:zeek:id:`ConnThreshold::delete_duration_threshold`: :zeek:type:`function` Deletes a duration threshold for a connection.
+:zeek:id:`ConnThreshold::delete_packets_threshold`: :zeek:type:`function`  Deletes a packet threshold for connection sizes.
+:zeek:id:`ConnThreshold::set_bytes_threshold`: :zeek:type:`function`       Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
+:zeek:id:`ConnThreshold::set_duration_threshold`: :zeek:type:`function`    Sets a duration threshold for a connection, adding it to potentially already existing thresholds.
+:zeek:id:`ConnThreshold::set_packets_threshold`: :zeek:type:`function`     Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.
+========================================================================== ===================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: ConnThreshold::Thresholds
+   :source-code: base/protocols/conn/thresholds.zeek 8 14
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: orig_byte :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      current originator byte thresholds we watch for
+
+
+   .. zeek:field:: resp_byte :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      current responder byte thresholds we watch for
+
+
+   .. zeek:field:: orig_packet :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      current originator packet thresholds we watch for
+
+
+   .. zeek:field:: resp_packet :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      current responder packet thresholds we watch for
+
+
+   .. zeek:field:: duration :zeek:type:`set` [:zeek:type:`interval`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      current duration thresholds we watch for
+
+
+
+Events
+######
+.. zeek:id:: ConnThreshold::bytes_threshold_crossed
+   :source-code: base/protocols/ftp/gridftp.zeek 73 86
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set byte threshold
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: True if the threshold was crossed by the originator of the connection
+
+.. zeek:id:: ConnThreshold::duration_threshold_crossed
+   :source-code: base/protocols/conn/thresholds.zeek 109 109
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set duration threshold. Note that this event is
+   not raised at the exact moment that a duration threshold is crossed; instead it is raised
+   when the next packet is seen after the threshold has been crossed. On a connection that is
+   idle, this can be raised significantly later.
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: True if the threshold was crossed by the originator of the connection
+
+.. zeek:id:: ConnThreshold::packets_threshold_crossed
+   :source-code: base/protocols/conn/thresholds.zeek 97 97
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
+
+   Generated for a connection that crossed a set byte threshold
+   
+
+   :param c: the connection
+   
+
+   :param threshold: the threshold that was set
+   
+
+   :param is_orig: True if the threshold was crossed by the originator of the connection
+
+Functions
+#########
+.. zeek:id:: ConnThreshold::delete_bytes_threshold
+   :source-code: base/protocols/conn/thresholds.zeek 266 284
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Deletes a byte threshold for connection sizes.
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in bytes to remove.
+   
+
+   :param is_orig: If true, threshold is removed for packets from originator, otherwise for packets from responder.
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: ConnThreshold::delete_duration_threshold
+   :source-code: base/protocols/conn/thresholds.zeek 306 318
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Deletes a duration threshold for a connection.
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in packets.
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: ConnThreshold::delete_packets_threshold
+   :source-code: base/protocols/conn/thresholds.zeek 286 304
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Deletes a packet threshold for connection sizes.
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in packets.
+   
+
+   :param is_orig: If true, threshold is removed for packets from originator, otherwise for packets from responder.
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: ConnThreshold::set_bytes_threshold
+   :source-code: base/protocols/conn/thresholds.zeek 224 237
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
+   conn_bytes_threshold_crossed will be raised for each set threshold.
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in bytes.
+   
+
+   :param is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: ConnThreshold::set_duration_threshold
+   :source-code: base/protocols/conn/thresholds.zeek 254 264
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`) : :zeek:type:`bool`
+
+   Sets a duration threshold for a connection, adding it to potentially already existing thresholds.
+   conn_duration_threshold_crossed will be raised for each set threshold.
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in seconds.
+   
+
+   :returns: T on success, F on failure.
+
+.. zeek:id:: ConnThreshold::set_packets_threshold
+   :source-code: base/protocols/conn/thresholds.zeek 239 252
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.
+   conn_packets_threshold_crossed will be raised for each set threshold.
+   
+
+   :param cid: The connection id.
+   
+
+   :param threshold: Threshold in packets.
+   
+
+   :param is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
+   
+
+   :returns: T on success, F on failure.
+
+
diff --git a/doc/scripts/base/protocols/dce-rpc/__load__.zeek.rst b/doc/scripts/base/protocols/dce-rpc/__load__.zeek.rst
new file mode 100644
index 0000000000..2f2a8918b2
--- /dev/null
+++ b/doc/scripts/base/protocols/dce-rpc/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/dce-rpc/__load__.zeek
+====================================
+
+
+:Imports: :doc:`base/protocols/dce-rpc/consts.zeek </scripts/base/protocols/dce-rpc/consts.zeek>`, :doc:`base/protocols/dce-rpc/main.zeek </scripts/base/protocols/dce-rpc/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/dce-rpc/consts.zeek.rst b/doc/scripts/base/protocols/dce-rpc/consts.zeek.rst
new file mode 100644
index 0000000000..081bb3d715
--- /dev/null
+++ b/doc/scripts/base/protocols/dce-rpc/consts.zeek.rst
@@ -0,0 +1,2848 @@
+:tocdepth: 3
+
+base/protocols/dce-rpc/consts.zeek
+==================================
+.. zeek:namespace:: DCE_RPC
+
+
+:Namespace: DCE_RPC
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=========================================================================================================================== ==================================================
+:zeek:id:`DCE_RPC::operations`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`        
+:zeek:id:`DCE_RPC::pipe_name_to_common_uuid`: :zeek:type:`table` :zeek:attr:`&redef`                                        This table is to map pipe names to the most common
+                                                                                                                            service used over that pipe.
+:zeek:id:`DCE_RPC::uuid_endpoint_map`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function` 
+=========================================================================================================================== ==================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: DCE_RPC::operations
+   :source-code: base/protocols/dce-rpc/consts.zeek 248 248
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`, :zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            ["367abb81-9844-35f1-ad32-98f038001003", 16] = "OpenServiceW",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 69] = "LlsrProductLicensesGetA",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 65] = "R_DhcpServerSetConfigV6",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 111] = "R_DhcpV4DeletePolicy",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 5] = "S_DSSetObjectSecurity",
+            ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 3] = "CreateApplication",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 57] = "RRPC_FWEnumCryptoSets2_10",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 24] = "Opnum24NotUsedOnWire",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 67] = "HrGetErrorData",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 3] = "RpcFilterByCallersName",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 44] = "RRPC_FWGetGlobalConfig2_10",
+            ["12345678-1234-abcd-ef00-01234567cffb", 36] = "NetrEnumerateTrustedDomainsEx",
+            ["01954e6b-9254-4e6e-808c-c9e05d007696", 6] = "Clone",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 1] = "AudioServerDisconnect",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 26] = "PNP_GetClassRegProp",
+            ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 7] = "Opnum7NotUsedOnWire",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6", 1] = "RpcSrvRenewPrefix",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 35] = "PolicyConfigGetShareMode",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 22] = "ApiCreateResEnum",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 61] = "LlsrReplicationServerAddW",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 34] = "RpcAsyncSendRecvBidiData",
+            ["12345778-1234-abcd-ef00-0123456789ab", 91] = "LsarQueryAuditSecurity",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 6] = "GetObject",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 71] = "ApiEvictNode",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 8] = "DsRolerServerSaveStateForUpgrade",
+            ["12345678-1234-abcd-ef00-0123456789ab", 28] = "RpcWaitForPrinterChange",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 4] = "R_WinsDoScavenging",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 20] = "GetConditionalPolicy",
+            ["12345678-1234-abcd-ef00-0123456789ab", 56] = "RpcFindClosePrinterChangeNotification",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 45] = "DiskMerge",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 75] = "RRPC_FWSetFirewallRule2_25",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 12] = "EvtRpcQuerySeek",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 2] = "KeyrEnumerateProviderTypes",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 37] = "RpcWinStationTerminateProcess",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 2] = "RpcSrvRenewLeaseByBroadcast",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 7] = "Opnum7NotUsedOnWire",
+            ["12345778-1234-abcd-ef00-0123456789ab", 30] = "LsarQuerySecret",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 0] = "FrsRpcSendCommPkt",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 74] = "R_DhcpCreateClassV6",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 55] = "NetrServerAliasEnum",
+            ["12345678-1234-abcd-ef00-0123456789ab", 45] = "RpcPrinterMessageBox",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 2] = "EcDoRpc",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 61] = "RpcWinStationIsHelpAssistantSession",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 34] = "NetprNameCanonicalize",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 28] = "Backup",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 55] = "ApiCreateNotify",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 26] = "Format",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 2] = "R_WinsTrigger",
+            ["00000000-0000-0000-c000-000000000046", 1] = "Opnum1NotUsedOnWire",
+            ["4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72", 5] = "ModifyObject",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 40] = "PNP_HwProfFlags",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 6] = "EcDummyRpc",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 24] = "BackupOpenFile",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 63] = "RpcAsyncUploadPrinterDriverPackage",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 10] = "WakeupGetNotificationRpc",
+            ["378e52b0-c0a9-11cf-822d-00aa0051e40f", 0] = "SASetAccountInformation",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 1] = "R_WinsStatus",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 11] = "DeleteDate",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 16] = "GetDataPaths",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 36] = "RpcAsyncPlayGdiScriptOnPrinterIC",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 163] = "ApiCreateGroupSet",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 115] = "ApiGetBatchNotification",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 33] = "R_DhcpSetClientInfoV4",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 19] = "ChangePermissions",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 51] = "RpcAsyncAddMonitor",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 17] = "DRSAddEntry",
+            ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 10] = "Status",
+            ["12345778-1234-abcd-ef00-0123456789ac", 33] = "SamrGetMembersInAlias",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 12] = "SchRpcRun",
+            ["4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72", 3] = "CreateObject",
+            ["12345678-1234-abcd-ef00-0123456789ab", 6] = "RpcDeletePrinter",
+            ["484809d6-4239-471b-b5bc-61df8c23ac48", 0] = "RpcWaitForSessionState",
+            ["12345778-1234-abcd-ef00-0123456789ac", 40] = "SamrQueryDisplayInformation",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 42] = "R_DhcpQueryDnsRegCredentials",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 27] = "ApiDeleteResourceType",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 8] = "nsi_profile_elt_remove",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 70] = "PNP_DriverStoreAddDriverPackage",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 39] = "RpcServerNWLogonQueryAdmin",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 44] = "R_DhcpCreateClientInfoVQ",
+            ["12345678-1234-abcd-ef00-0123456789ab", 97] = "RpcAddPrinterConnection2",
+            ["338cd001-2244-31f1-aaaa-900038001003", 28] = "OpenDynData",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 16] = "FTBreakMirror",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 78] = "RRPC_FWAddFirewallRule2_26",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 63] = "LlsrReplicationServiceAddW",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 62] = "Opnum62NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 67] = "RRPC_FWEnumFirewallRules2_20",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 24] = "EvtRpcGetPublisherMetadata",
+            ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 10] = "DeleteResourceGroup",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 80] = "Opnum80NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 17] = "RRPC_FWAddAuthenticationSet",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 12] = "SetExclusionList",
+            ["12345678-1234-abcd-ef00-0123456789ab", 68] = "RpcSetAllocFailCount",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 21] = "RpcWinStationInstallLicense",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 35] = "CreatePartitionsForVolume",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 29] = "RpcWinStationGetApplicationInfo",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 3] = "FrsNOP",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 132] = "R_DhcpV4GetClientInfoEx",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 27] = "RRPC_FWEnumPhase1SAs",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 3] = "RpcGetLastInputTime",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 7] = "SchRpcEnumTasks",
+            ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3", 1] = "nsi_binding_lookup_done",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 34] = "DeleteVolume",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 7] = "KeyrEnroll",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 26] = "RRPC_FWEnumCryptoSets",
+            ["68b58241-c259-4f03-a2e5-a2651dcbc930", 2] = "KSrGetCAs",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 6] = "R_InetInfoQueryStatistics",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 55] = "GetDontShow",
+            ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 3] = "RpcStartListener",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 15] = "FTDeleteVolume",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 72] = "RpcWinStationUnRegisterNotificationEvent",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 8] = "ApiOpenResource",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 4] = "Opnum4NotUsedOnWire",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 75] = "R_DhcpModifyClassV6",
+            ["12345778-1234-abcd-ef00-0123456789ab", 83] = "LsarSetAuditPolicy",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 6] = "RpcWinStationSetInformation",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 8] = "PutClass",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6", 2] = "RpcSrvReleasePrefix",
+            ["338cd001-2244-31f1-aaaa-900038001003", 30] = "BaseInitiateSystemShutdownEx",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 168] = "ApiRemoveGroupFromGroupSet",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 4] = "SchRpcSetSecurity",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 40] = "LlsrMappingAddW",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 33] = "PNP_UninstallDevInst",
+            ["12345678-1234-abcd-ef00-01234567cffb", 15] = "NetrServerAuthenticate2",
+            ["367abb81-9844-35f1-ad32-98f038001003", 2] = "DeleteService",
+            ["12345778-1234-abcd-ef00-0123456789ab", 68] = "LsarLookupNames3",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 12] = "S_DSSetPropsGuid",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 116] = "R_DhcpV6SetStatelessStoreParams",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 22] = "RpcAsyncDeleteForm",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 80] = "AddAccessPath",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 30] = "IDL_DRSReadNgcKey",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 13] = "CreateClassEnumAsync",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 10] = "InstanceName",
+            ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3", 2] = "nsi_binding_lookup_next",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 15] = "R_WinsDeleteWins",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 16] = "RpcAsyncGetPrinterData",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 3] = "RRPC_FWGetGlobalConfig",
+            ["12345778-1234-abcd-ef00-0123456789ac", 48] = "SamrQueryDisplayInformation2",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 27] = "IDL_DRSFinishDemotion",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 36] = "LlsrMappingUserAddW",
+            ["12345678-1234-abcd-ef00-01234567cffb", 19] = "NetrEnumerateTrustedDomains",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 9] = "SchRpcGetInstanceInfo",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 25] = "RRPC_FWDeleteAllCryptoSets",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 17] = "LlsrUserEnumA",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 119] = "R_DhcpV4EnumSubnetReservations",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 7] = "Opnum7NotUsedOnWire",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 9] = "GetCRL",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 13] = "GetMachineInfo",
+            ["00020401-0000-0000-c000-000000000046", 3] = "GetTypeAttr",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 87] = "LlsrLocalServiceInfoGetW",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 57] = "AudioSessionGetDisplayName",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 62] = "R_DhcpDeleteSubnetV6",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 72] = "LlsrCertificateClaimEnumW",
+            ["8165b19e-8d3a-4d0b-80c8-97de310db583", 3] = "GetComponentInfo",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 29] = "R_DhcpAddSubnetElementV4",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 54] = "RpcWinStationUpdateUserConfig",
+            ["00020401-0000-0000-c000-000000000046", 14] = "GetRefTypeInfo",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 8] = "Opnum8NotUsedOnWire",
+            ["8298d101-f992-43b7-8eca-5052d885b995", 37] = "Import",
+            ["367abb81-9844-35f1-ad32-98f038001003", 28] = "OpenServiceA",
+            ["6bffd098-a112-3610-9833-012892020162", 5] = "BrowserrQueryStatistics",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 19] = "FTReplaceMirrorPartition",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 86] = "R_DhcpEnumFilterV4",
+            ["12345678-1234-abcd-ef00-0123456789ab", 35] = "RpcEnumPorts",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 12] = "PNP_GetDepth",
+            ["12345778-1234-abcd-ef00-0123456789ab", 92] = "CredReadByTokenHandle",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 30] = "NetrEnumerateComputerNames",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 84] = "LlsrLocalServiceAddW",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 44] = "R_DhcpBackupDatabase",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 61] = "Opnum61NotUsedOnWire",
+            ["f31931a9-832d-481c-9503-887a0e6a79f0", 7] = "GetSupportedClient",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 50] = "PNP_GetResDesData",
+            ["4bdafc52-fe6a-11d2-93f8-00105a11164a", 3] = "GetMaxAdjustedFreeSpace",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 48] = "NetrDfsCreateExitPoint",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 43] = "AudioSessionManagerDeleteAudioSessionClientNotification",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 174] = "ApiGroupSetControl",
+            ["378e52b0-c0a9-11cf-822d-00aa0051e40f", 2] = "SAGetNSAccountInformation",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 7] = "EvtRpcExportLog",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 10] = "NetrFileGetInfo",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 45] = "PNP_GetNextLogConf",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 7] = "NtFrsApi_Rpc_InfoW",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 14] = "EcDoAsyncConnectEx",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 0] = "ApiOpenCluster",
+            ["12345778-1234-abcd-ef00-0123456789ac", 54] = "SamrOemChangePasswordUser2",
+            ["12345678-1234-abcd-ef00-0123456789ab", 93] = "RpcCloseSpoolFileHandle",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 46] = "NetrDfsSetLocalVolumeState",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 13] = "AudioSessionGetLastActivation",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 118] = "ApiOpenNodeEx",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 41] = "Opnum41NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 20] = "RRPC_FWDeleteAllAuthenticationSets",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 39] = "GetArchivedKey",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 165] = "ApiCloseGroupSet",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 18] = "EfsRpcGetEncryptedFileMetadata",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 65] = "RpcAsyncCorePrinterDriverInstalled",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 30] = "RestoreGetDatabaseLocations",
+            ["12345678-1234-abcd-ef00-0123456789ab", 14] = "RpcAddPrintProcessor",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 64] = "PNP_GetServerSideDeviceInstallFlags",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 5] = "R_DhcpEnumMScopeElements",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 14] = "RpcAsyncEndDocPrinter",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 11] = "RpcWinStationVirtualOpen",
+            ["338cd001-2244-31f1-aaaa-900038001003", 0] = "OpenClassesRoot",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 1] = "KeyrEnumerateProviders",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 13] = "GetScheduleInfo",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 0] = "RpcGetClientData",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 6] = "DnssrvQuery2",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 51] = "ApiMoveGroup",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 8] = "Opnum8NotUsedOnWire",
+            ["22e5386d-8b12-4bf0-b0ec-6a1ea419e366", 1] = "RpcNetEventReceiveData",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 3] = "EnumDisksEx",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 18] = "DRSExecuteKCC",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850", 3] = "SfcSrv_InitiateScan",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 87] = "ApiSetNetworkPriorityOrder",
+            ["12345678-1234-abcd-ef00-0123456789ab", 10] = "RpcEnumPrinterDrivers",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 8] = "AudioServerIsFormatSupported",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 40] = "NetrpSetFileSecurity",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 68] = "ApiGetNodeState",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 57] = "NetrShareDelEx",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 35] = "Opnum35NotUsedOnWire",
+            ["12345778-1234-abcd-ef00-0123456789ab", 88] = "LsarLookupAuditCategoryName",
+            ["2f5f3220-c126-1076-b549-074d078619da", 1] = "NDdeShareDelA",
+            ["00000143-0000-0000-c000-000000000046", 6] = "RemQueryInterface2",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 64] = "LlsrReplicationUserAddW",
+            ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 6] = "DeleteApplicationPool",
+            ["12345778-1234-abcd-ef00-0123456789ab", 8] = "LsarSetInformationPolicy",
+            ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 4] = "GetCACert",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 64] = "RpcWinStationFUSCanRemoteUserDisconnect",
+            ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 2] = "WitnessrUnRegister",
+            ["367abb81-9844-35f1-ad32-98f038001003", 26] = "EnumServicesStatusA",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 101] = "ApiCreateNodeEnum",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 13] = "FTEnumVolumes",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 5] = "Opnum5NotUsedOnWire",
+            ["68b58241-c259-4f03-a2e5-a2651dcbc930", 0] = "KSrSubmitRequest",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 34] = "RRPC_FWDeleteMainModeRule",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 66] = "Opnum66NotUsedOnWire",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 17] = "Opnum17NotUsedOnWire",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 6] = "Opnum6NotUsedOnWire",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 9] = "R_WinsPullRange",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 25] = "ExportToBlob",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 8] = "RegisterNotificationRpc",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 65] = "LlsrProductSecurityGetW",
+            ["12345778-1234-abcd-ef00-0123456789ab", 46] = "LsarQueryInformationPolicy2",
+            ["12345678-1234-abcd-ef00-01234567cffb", 24] = "NetrLogonComputeServerDigest",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 1] = "nsi_group_mbr_add",
+            ["17fdd703-1827-4e34-79d4-24a55c53bb37", 1] = "NetrMessageNameEnum",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 49] = "RpcWinStationNotifyNewSession",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 9] = "DsRolerUpgradeDownlevelServer",
+            ["027947e1-d731-11ce-a357-000000000001", 7] = "Skip",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 60] = "LlsrReplicationRequestW",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 24] = "SetLastChangeTime",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 14] = "ApiGetResourceId",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 49] = "LlsrLocalProductEnumA",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 97] = "R_DhcpV4FailoverGetScopeStatistics",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 70] = "ApiResumeNode",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 1] = "DeregisterServiceRpcByUSN",
+            ["12345778-1234-abcd-ef00-0123456789ab", 93] = "CredrRestoreCredentials",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 19] = "EfsRpcSetEncryptedFileMetadata",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 31] = "RpcAsyncDeletePrinterDataEx",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 3] = "LlsrLicenseEnumA",
+            ["12345678-1234-abcd-ef00-0123456789ab", 19] = "RpcWritePrinter",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 121] = "R_DhcpV6GetFreeIPAddress",
+            ["2a3eb639-d134-422d-90d8-aaa1b5216202", 7] = "ExportObjects",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 40] = "R_DhcpGetServerBindingInfo",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 35] = "ApiDeleteKey",
+            ["2a3eb639-d134-422d-90d8-aaa1b5216202", 8] = "GetImportConflicts",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 7] = "CreatePartitionAssignandFormatEx",
+            ["000001a0-0000-0000-c000-000000000046", 4] = "RemoteCreateInstance",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 31] = "RRPC_FWEnumProducts",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 1] = "R_DhcpSetSubnetInfo",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 52] = "LlsrLocalProductInfoSetW",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 59] = "PNP_RegisterNotification",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 2] = "NspiUpdateStat",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 20] = "ElfrDeregisterClusterSvc",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 50] = "RpcServerGetInternetConnectorStatus",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 5] = "CleanupCacheRpc",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 60] = "RpcWinStationCloseServerEx",
+            ["12345778-1234-abcd-ef00-0123456789ab", 94] = "CredrBackupCredentials",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 9] = "ModifyPolicy",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 1] = "RRPC_FWClosePolicyStore",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 81] = "R_DhcpGetMibInfoV5",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 8] = "RpcGetAllListeners",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795", 1] = "W32TimeGetNetlogonServiceBits",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850", 0] = "SfcSrv_GetNextProtectedFile",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 3] = "EcGetMoreRpc",
+            ["338cd001-2244-31f1-aaaa-900038001003", 11] = "BaseRegFlushKey",
+            ["12345778-1234-abcd-ef00-0123456789ab", 29] = "LsarSetSecret",
+            ["367abb81-9844-35f1-ad32-98f038001003", 25] = "EnumDependentServicesA",
+            ["6bffd098-a112-3610-9833-012892020162", 0] = "BrowserrServerEnum",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 72] = "RpcAsyncDeleteJobNamedProperty",
+            ["12345678-1234-abcd-ef00-0123456789ab", 73] = "RpcDeletePrinterData",
+            ["214a0f28-b737-4026-b847-4f9e37d79529", 8] = "Opnum08NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 94] = "ApiGetNetInterfaceState",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 13] = "R_WinsGetNameAndAdd",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 6] = "EfsRpcQueryUsersOnFile",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 6] = "R_WinsTerm",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 11] = "R_W3ClearStatistics2",
+            ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53", 0] = "ItSrvRegisterIdleTask",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 15] = "PutInstanceAsync",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 7] = "DsRolerCancel",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 23] = "AudioSessionSetMute",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 7] = "NetrWkstaTransportDel",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 79] = "EnumAccessPathForVolume",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 20] = "NetrGetJoinInformation",
+            ["6bffd098-a112-3610-9833-012892020162", 3] = "BrowserrResetNetlogonState",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 8] = "SchRpcEnumInstances",
+            ["338cd001-2244-31f1-aaaa-900038001003", 24] = "BaseInitiateSystemShutdown",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 56] = "Opnum56NotUsedOnWire",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 38] = "AddMirror",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 74] = "ApiNodeResourceTypeControl",
+            ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 4] = "DeleteApplication",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 20] = "EvtRpcGetChannelConfig",
+            ["8298d101-f992-43b7-8eca-5052d885b995", 38] = "RestoreHistory",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 21] = "NetrDfsEnumEx",
+            ["12345678-1234-abcd-ef00-0123456789ab", 84] = "RpcDeletePrinterDriverEx",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 55] = "LlsrServiceInfoGetA",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 44] = "RpcAsyncAddPrintProcessor",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 53] = "LlsrLocalProductInfoSetA",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 47] = "RpcAsyncEnumPorts",
+            ["6bffd098-a112-3610-9833-012892020162", 1] = "BrowserrDebugCall",
+            ["91ae6020-9e3c-11cf-8d7c-00aa00c091be", 0] = "CertServerRequest",
+            ["afa8bd80-7d8a-11c9-bef4-08002b102989", 4] = "inq_princ_name",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 5] = "S_DSEndDeleteNotification",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 36] = "RpcWinStationEnumerateProcesses",
+            ["12345778-1234-abcd-ef00-0123456789ab", 37] = "LsarAddAccountRights",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 9] = "RpcWinStationNameFromLogonId",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 56] = "NetrServerAliasDel",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 3] = "OpenNamespace",
+            ["12345678-1234-abcd-ef00-01234567cffb", 6] = "NetrServerPasswordSet",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 33] = "RpcAsyncXcvData",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 88] = "ApiNodeNetworkControl",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 2] = "Opnum2NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 78] = "ApiNodeNodeControl",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 35] = "RpcAsyncCreatePrinterIC",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 75] = "ApiResourceTypeControl",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 0] = "ept_insert",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 177] = "ApiSetGroupSetDependencyExpression",
+            ["367abb81-9844-35f1-ad32-98f038001003", 60] = "CreateWowService",
+            ["894de0c0-0d55-11d3-a322-00c04fa321a1", 0] = "BaseInitiateShutdown",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 98] = "R_DhcpV4FailoverGetClientInfo",
+            ["378e52b0-c0a9-11cf-822d-00aa0051e40f", 3] = "SAGetAccountInformation",
+            ["12345678-1234-abcd-ef00-0123456789ab", 104] = "RpcReportJobProcessingProgress",
+            ["12345678-1234-abcd-ef00-0123456789ab", 42] = "RpcDeletePrinterIC",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 28] = "LlsrMappingEnumW",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 7] = "EfsRpcQueryRecoveryAgents",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 6] = "CreatePartitionAssignAndFormat",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 11] = "GetExclusionList",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 41] = "R_DhcpServerSetConfigVQ",
+            ["00000143-0000-0000-c000-000000000046", 2] = "Release",
+            ["367abb81-9844-35f1-ad32-98f038001003", 49] = "CloseNotifyHandle",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 24] = "PNP_RegisterDeviceClassAssociation",
+            ["12345778-1234-abcd-ef00-0123456789ac", 30] = "SamrDeleteAlias",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 44] = "RpcWinStationGetProcessSid",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 32] = "RRPC_FWAddMainModeRule",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 29] = "Restore",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 1] = "LlsrClose",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 23] = "DRSGetObjectExistence",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 62] = "LlsrReplicationServerServiceAddW",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 36] = "DeletePartitionsForVolume",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 3] = "R_DhcpEnumSubnets",
+            ["2f5f3220-c126-1076-b549-074d078619da", 2] = "NDdeShareDelW",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 23] = "Opnum23NotUsedOnWire",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 39] = "InitializeDiskEx",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 13] = "RRPC_FWSetConnectionSecurityRule",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 27] = "EnumVolumes",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 41] = "AudioSessionManagerGetExistingSession",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 59] = "R_DhcpAddSubnetElementV6",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 17] = "RdcFileDataTransferKeepAlive",
+            ["12345778-1234-abcd-ef00-0123456789ab", 72] = "LsarUnregisterAuditEvent",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 12] = "PrepareShadowCopy",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 8] = "DeletePartition",
+            ["12345678-1234-abcd-ef00-0123456789ab", 101] = "RpcGetCorePrinterDrivers",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 54] = "RpcAsyncEnumPrintProcessorDatatypes",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 56] = "RpcWinStationRegisterConsoleNotification",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 2] = "ElfrCloseEL",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 59] = "Opnum59NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 11] = "RRPC_FWSetConfig",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 26] = "NetrGetJoinableOUs2",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 0] = "R_WinsRecordAction",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 18] = "NetrValidateName",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 17] = "PNP_DeleteRegistryKey",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 6] = "NetrDfsRename",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 40] = "RpcAsyncEnumPrinterDrivers",
+            ["338cd001-2244-31f1-aaaa-900038001003", 13] = "BaseRegLoadKey",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 33] = "AudioServerGetDevicePeriod",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 32] = "ApiSetValue",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 7] = "RpcLicensingGetPolicyInformation",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 25] = "LlsrUserProductEnumA",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 53] = "PNP_DetectResourceConflict",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 1] = "S_DSGetPropsEx",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 30] = "RRPC_FWDeletePhase2SAs",
+            ["2f5f3220-c126-1076-b549-074d078619da", 7] = "NDdeShareEnumA",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 20] = "GetServerTimeZone",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 10] = "RpcAsyncStartDocPrinter",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 66] = "AbortTask",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 23] = "ApiAddResourceNode",
+            ["12345678-1234-abcd-ef00-01234567cffb", 3] = "NetrLogonSamLogoff",
+            ["12345678-1234-abcd-ef00-01234567cffb", 45] = "NetrLogonSamLogonWithFlags",
+            ["12345778-1234-abcd-ef00-0123456789ac", 0] = "SamrConnect",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 7] = "GetPolicyInfo",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 19] = "CreateInstanceEnumAsync",
+            ["2f5f6521-ca47-1068-b319-00dd010662db", 2] = "RemoteSPDetach",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 8] = "EfsRpcRemoveUsersFromFile",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 2] = "R_DhcpGetSubnetInfo",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 22] = "EfsRpcQueryProtectors",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 16] = "R_WinsSetFlags",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 11] = "DRSGetNT4ChangeLog",
+            ["12345778-1234-abcd-ef00-0123456789ab", 60] = "CredrWrite",
+            ["12345678-1234-abcd-ef00-01234567cffb", 32] = "NetrLogonSendToSam",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 4] = "S_DSNotifyDelete",
+            ["12345678-1234-abcd-ef00-0123456789ab", 65] = "RpcRemoteFindFirstPrinterChangeNotificationEx",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 23] = "GetDataSetNumber",
+            ["12345778-1234-abcd-ef00-0123456789ac", 42] = "SamrTestPrivateFunctionsDomain",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 18] = "NetrShareDel",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 57] = "Opnum57NotUsedOnWire",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 4] = "LlsrLicenseAddW",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 21] = "EnumDriveLetters",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 68] = "GetTaskDetail",
+            ["12345778-1234-abcd-ef00-0123456789ab", 129] = "LsarCreateTrustedDomainEx3",
+            ["f309ad18-d86a-11d0-a075-00c04fb68820", 4] = "RequestChallenge",
+            ["99fcfec4-5260-101b-bbcb-00aa0021347a", 5] = "ServerAlive2",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795", 6] = "W32TimeQueryStatus",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850", 4] = "SfcSrv_PurgeCache",
+            ["12345678-1234-abcd-ef00-0123456789ab", 44] = "RpcDeletePrinterConnection",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 18] = "nsi_mgmt_entry_create",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 8] = "KeyrExportCert",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 4] = "CancelAsyncCall",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 16] = "NspiQueryColumns",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 7] = "DRSReplicaModify",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 45] = "R_DhcpRestoreDatabase",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 35] = "EnumViewColumnTable",
+            ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 8] = "RecycleApplicationPool",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 48] = "RpcWinStationSendWindowMessage",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 31] = "PolicyConfigGetDeviceFormat",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 0] = "GetSupportedVersion",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 13] = "SchRpcDelete",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 11] = "Eject",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 9] = "RdcGetSignatures",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 22] = "GetSystemChangeNumber",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 19] = "DRSGetReplInfo",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 2] = "TsProxyAuthorizeTunnel",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 37] = "PNP_RequestDeviceEject",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 15] = "R_DhcpRemoveOptionValue",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 7] = "GetObjectAsync",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 19] = "FTReplaceMirrorPartition",
+            ["12345778-1234-abcd-ef00-0123456789ab", 43] = "LsarRetrievePrivateData",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 45] = "RRPC_FWGetConfig2_10",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 10] = "NetrUseDel",
+            ["12345678-1234-abcd-ef00-0123456789ab", 23] = "RpcEndDocPrinter",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 13] = "EvtRpcClose",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 9] = "Opnum9NotUsedOnWire",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 69] = "R_DhcpGetServerBindingInfoV6",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 10] = "S_DSDeleteObjectGuid",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 18] = "SetAccountingClientStatus",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 16] = "EfsRpcFileKeyInfoEx",
+            ["12345778-1234-abcd-ef00-0123456789ac", 68] = "SamrQueryLocalizableAccountsInDomain",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 14] = "FTEnumLogicalDiskMembers",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 157] = "ApiExecuteReadBatchEx",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 25] = "AudioSessionSetChannelVolume",
+            ["29822ab7-f302-11d0-9953-00c04fd919c1", 7] = "AppDeleteRecoverable",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 65] = "Opnum65NotUsedOnWire",
+            ["12345678-1234-abcd-ef00-01234567cffb", 9] = "NetrAccountDeltas",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 15] = "RRPC_FWEnumConnectionSecurityRules",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 80] = "R_DhcpGetSubnetDelayOffer",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 35] = "Opnum35NotUsedOnWire",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 42] = "LlsrMappingDeleteW",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 108] = "ApiSetServiceAccountPassword",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 6] = "EvtRpcClearLog",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 36] = "R_DhcpServerRedoAuthorization",
+            ["484809d6-4239-471b-b5bc-61df8c23ac48", 1] = "RpcRegisterAsyncNotification",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 19] = "R_DhcpSetOptionValueV5",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 39] = "RRPC_FWQueryMainModeRules",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 103] = "ApiCreateResTypeEnum",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 14] = "FTEnumLogicalDiskMembers",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 5] = "ept_inq_object",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 89] = "R_DhcpV4FailoverCreateRelationship",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 15] = "ElfrRegisterEventSourceA",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 6] = "PNP_ValidateDeviceInstance",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 20] = "RpcWinStationGenerateLicense",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6", 0] = "RpcSrvRequestPrefix",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 17] = "GetAccountingClients",
+            ["12345678-1234-abcd-ef00-0123456789ab", 32] = "RpcGetForm",
+            ["367abb81-9844-35f1-ad32-98f038001003", 46] = "ScQueryServiceTagInfo",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 27] = "BackupTruncateLogs",
+            ["afa8bd80-7d8a-11c9-bef4-08002b102989", 0] = "inq_if_ids",
+            ["12345778-1234-abcd-ef00-0123456789ac", 2] = "SamrSetSecurityObject",
+            ["367abb81-9844-35f1-ad32-98f038001003", 20] = "GetServiceDisplayNameW",
+            ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 8] = "GetReferenceBacklogCounts",
+            ["367abb81-9844-35f1-ad32-98f038001003", 31] = "StartServiceA",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 63] = "Opnum63NotUsedOnWire",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850", 6] = "SfcSrv_SetDisable",
+            ["12345778-1234-abcd-ef00-0123456789ab", 86] = "LsarEnumerateAuditCategories",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 35] = "LlsrMappingUserEnumA",
+            ["2f5f3220-c126-1076-b549-074d078619da", 18] = "NDdeSpecialCommand",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 0] = "Opnum0NotUsedOnWire",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 60] = "PNP_UnregisterNotification",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 47] = "ReAttachDisk",
+            ["12345678-1234-abcd-ef00-0123456789ab", 33] = "RpcSetForm",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 63] = "PNP_GetBlockedDriverInfo",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 15] = "DnssrvOperation4",
+            ["c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a", 6] = "CreateObject",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 125] = "ApiCreateEnumEx",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 4] = "NetrCharDevQGetInfo",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 6] = "DRSReplicaDel",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 164] = "ApiOpenGroupSet",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 22] = "NetrServerSetInfo",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 10] = "RevokeCertificate",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 35] = "R_DhcpServerQueryAttributes",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 26] = "IDL_DRSReplicaDemotion",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 68] = "RpcWinStationSessionInitialized",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 13] = "EfsRpcDuplicateEncryptionInfoFile",
+            ["367abb81-9844-35f1-ad32-98f038001003", 39] = "QueryServiceConfig2W",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 1] = "gfxCreateGfxFactoriesList",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 36] = "RRPC_FWEnumMainModeRules",
+            ["12345678-1234-abcd-ef00-0123456789ab", 29] = "RpcClosePrinter",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 41] = "NetrServerTransportAddEx",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 9] = "NtFrsApi_Rpc_WriterCommand",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 67] = "R_DhcpGetMibInfoV6",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 6] = "RpcLicensingGetPolicy",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850", 7] = "SfcSrv_InstallProtectedFiles",
+            ["4da1c422-943d-11d1-acae-00c04fc2aa3f", 0] = "LnkSvrMessage",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 77] = "ApiGroupControl",
+            ["12345678-1234-abcd-ef00-0123456789ab", 89] = "RpcAddPrinterDriverEx",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 17] = "GetCurrentPolicy",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 39] = "LlsrMappingUserDeleteA",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 21] = "ApiCanResourceBeDependent",
+            ["12345678-1234-abcd-ef00-0123456789ab", 70] = "RpcAddPrinterEx",
+            ["378e52b0-c0a9-11cf-822d-00aa0051e40f", 1] = "SASetNSAccountInformation",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 2] = "NetrCharDevControl",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 0] = "Opnum0NotUsedOnWire",
+            ["12345678-1234-abcd-ef00-0123456789ab", 30] = "RpcAddForm",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 11] = "DeregisterNotificationRpc",
+            ["6619a740-8154-43be-a186-0319578e02db", 8] = "RemoteDispatchNotAutoDone",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 10] = "PNP_GetDeviceList",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 67] = "RpcWinStationNotifyDisconnectPipe",
+            ["00020401-0000-0000-c000-000000000046", 17] = "GetMops",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 8] = "ept_map_auth_async",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 18] = "PNP_GetClassCount",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 15] = "nsi_entry_expand_name",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 36] = "NetrShareEnumSticky",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 7] = "AbortShadowCopySet",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 30] = "NetprPathType",
+            ["12345778-1234-abcd-ef00-0123456789ac", 55] = "SamrUnicodeChangePasswordUser2",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 16] = "EfsRpcFileKeyInfoEx",
+            ["367abb81-9844-35f1-ad32-98f038001003", 48] = "GetNotifyResult",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 46] = "RpcWinStationReInitializeSecurity",
+            ["fa7df749-66e7-4986-a27f-e2f04ae53772", 5] = "QuerySnapshotsByVolume",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 9] = "ModifyCalendar",
+            ["f309ad18-d86a-11d0-a075-00c04fb68820", 5] = "WBEMLogin",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 20] = "RpcSrvGetOriginalSubnetMask",
+            ["d95afe70-a6d5-4259-822e-2c84da1ddb0d", 0] = "WsdrInitiateShutdown",
+            ["12345778-1234-abcd-ef00-0123456789ab", 79] = "LsarAdtRegisterSecurityEventSource",
+            ["367abb81-9844-35f1-ad32-98f038001003", 51] = "ControlServiceExW",
+            ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 7] = "GetResourceGroupInfo",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 1] = "DnssrvQuery",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 28] = "R_DhcpEnumClasses",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 13] = "S_DSGetObjectSecurityGuid",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 8] = "DeletePartition",
+            ["29822ab7-f302-11d0-9953-00c04fd919c1", 4] = "AppDelete",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 0] = "NspiBind",
+            ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53", 1] = "ItSrvUnregisterIdleTask",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 2] = "RpcAsyncSetJob",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 36] = "Opnum36NotUsedOnWire",
+            ["12345678-1234-abcd-ef00-0123456789ab", 78] = "RpcGetPrinterDataEx",
+            ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 3] = "Request",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 15] = "GetCalDefaultPolicyName",
+            ["12345678-1234-abcd-ef00-0123456789ab", 3] = "RpcGetJob",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 20] = "R_DhcpSetOptionValuesV5",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 25] = "NetrServerTransportAdd",
+            ["12345778-1234-abcd-ef00-0123456789ab", 36] = "LsarEnumerateAccountRights",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 12] = "nsi_entry_object_inq_begin",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 58] = "RRPC_FWAddConnectionSecurityRule2_20",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 4] = "NtFrsApi_Rpc_Set_DsPollingIntervalW",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 9] = "ElfrOpenBELW",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 8] = "gfxLogoff",
+            ["12345678-1234-abcd-ef00-01234567cffb", 2] = "NetrLogonSamLogon",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 12] = "R_WinsWorkerThdUpd",
+            ["8298d101-f992-43b7-8eca-5052d885b995", 39] = "EnumHistory",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 2] = "nsi_group_mbr_remove",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 29] = "AudioServerDisconnect",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 10] = "nsi_profile_elt_inq_next",
+            ["12345778-1234-abcd-ef00-0123456789ab", 70] = "LsarRegisterAuditEvent",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 12] = "R_FtpQueryStatistics2",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 14] = "GetllSAppPoolNames",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 58] = "AudioVolumeAddMasterVolumeNotification",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 54] = "LlsrServiceInfoGetW",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 28] = "PNP_CreateDevInst",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 1] = "R_InetInfoGetAdminInformation",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 31] = "Opnum31NotUsedOnWire",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 4] = "DeleteKey",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 123] = "ApiChangeCsvState",
+            ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 6] = "AuthrzModifySids",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 77] = "R_DhcpEnumClassesV6",
+            ["29822ab7-f302-11d0-9953-00c04fd919c1", 5] = "AppUnLoad",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 34] = "LlsrMappingUserEnumW",
+            ["12345778-1234-abcd-ef00-0123456789ab", 84] = "LsarQueryAuditPolicy",
+            ["367abb81-9844-35f1-ad32-98f038001003", 19] = "StartServiceW",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 20] = "NetrDfsRemove2",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 27] = "Opnum27NotUsedOnWire",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 16] = "DeleteClass",
+            ["484809d6-4239-471b-b5bc-61df8c23ac48", 2] = "RpcWaitAsyncNotification",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 51] = "R_DhcpRemoveOptionV6",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 17] = "DeleteClassAsync",
+            ["b9785960-524f-11df-8b6d-83dcded72085", 0] = "GetKey",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 19] = "NetrDfsAdd2",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 11] = "RestoreXMLFiles",
+            ["12345678-1234-abcd-ef00-01234567cffb", 34] = "DsrGetDcNameEx2",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 5] = "gfxModifyGx",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 13] = "DRSWriteSPN",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 25] = "EvtRpcGetPublisherResourceMetadata",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 78] = "DeleteAccessPath",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 3] = "UpdateCacheRpc",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 12] = "EfsRpcFileKeyInfo",
+            ["6bffd098-a112-3610-9833-012892020162", 8] = "NetrBrowserStatisticsGet",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 25] = "ExecMethodAsync",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 9] = "Opnum9NotUsedOnWire",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 18] = "SchRpcGetNumberOfMissedRuns",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 14] = "RpcWinStationReset",
+            ["214a0f28-b737-4026-b847-4f9e37d79529", 6] = "QueryDiffAreasForVolume",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 11] = "RenameMachineGroup",
+            ["12345778-1234-abcd-ef00-0123456789ac", 32] = "SamrRemoveMemberFromAlias",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 139] = "ApiGetNotifyV2",
+            ["2f5f3220-c126-1076-b549-074d078619da", 10] = "NDdeShareSetInfoW",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 30] = "ApiOpenKey",
+            ["12345678-1234-abcd-ef00-0123456789ab", 25] = "RpcScheduleJob",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 19] = "NetrShareDelSticky",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 5] = "FrsBackupComplete",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 28] = "EnumVolumeMembers",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 135] = "ApiOnlineResourceEx",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 23] = "RpcWinStationActivateLicense",
+            ["12345778-1234-abcd-ef00-0123456789ab", 76] = "LsarLookupSids3",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 37] = "SetCASecurity",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 24] = "Opnum24NotUsedOnWire",
+            ["12345778-1234-abcd-ef00-0123456789ab", 5] = "LsarChangePassword",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 24] = "ApiRemoveResourceNode",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 15] = "R_DhcpSetOptionInfoV5",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 22] = "AssignDriveLetter",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 9] = "EvtRpcMessageRender",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 21] = "S_DSQMGetObjectSecurity",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 5] = "RpcAsyncAddJob",
+            ["367abb81-9844-35f1-ad32-98f038001003", 34] = "ScGetCurrentGroupStateW",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 2] = "RpcLicensingLoadPolicy",
+            ["2f5f6521-ca47-1068-b319-00dd010662db", 1] = "RemoteSPEventProc",
+            ["12345678-1234-abcd-ef00-0123456789ab", 26] = "RpcGetPrinterData",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 3] = "RequestUpdates",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 11] = "RpcAsyncStartPagePrinter",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 120] = "ApiOpenResourceEx",
+            ["12345678-1234-abcd-ef00-0123456789ab", 13] = "RpcDeletePrinterDriver",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 39] = "Opnum39NotUsedOnWire",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 69] = "Uninitialize",
+            ["367abb81-9844-35f1-ad32-98f038001003", 1] = "ControlService",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 46] = "R_DhcpGetServerSpecificStrings",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 181] = "ApiCreateNetInterfaceEnum",
+            ["12345678-1234-abcd-ef00-0123456789ab", 39] = "RpcDeletePort",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 11] = "NetrDfsRemoveFtRoot",
+            ["12345778-1234-abcd-ef00-0123456789ac", 25] = "SamrGetMembersInGroup",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 101] = "R_DhcpV4SetOptionValue",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 9] = "RpcGetSessionProtocolLastInputTime",
+            ["894de0c0-0d55-11d3-a322-00c04fa321a1", 1] = "BaseAbortShutdown",
+            ["12345678-1234-abcd-ef00-0123456789ab", 83] = "RpcSeekPrinter",
+            ["00020401-0000-0000-c000-000000000046", 7] = "GetNames",
+            ["367abb81-9844-35f1-ad32-98f038001003", 15] = "OpenSCManagerW",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 81] = "ApiOpenNetwork",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 13] = "EcUnknown0xD",
+            ["12345678-1234-abcd-ef00-0123456789ab", 80] = "RpcEnumPrinterKey",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 7] = "UpdateCancel",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 20] = "EfsRpcFlushEfsCache",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 18] = "EvtRpcGetLogFileInfo",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 6] = "RecoveryCompleteShadowCopySet",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 25] = "RpcSrvGetNotificationStatus",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 117] = "ApiOpenClusterEx",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 2] = "PNP_GetVersion",
+            ["00000143-0000-0000-c000-000000000046", 0] = "QueryInterface",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 73] = "SecureSystemPartition",
+            ["12345778-1234-abcd-ef00-0123456789ab", 49] = "LsarSetTrustedDomainInfoByName",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 117] = "R_DhcpV6GetStatelessStoreParams",
+            ["12345778-1234-abcd-ef00-0123456789ab", 48] = "LsarQueryTrustedDomainInfoByName",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 29] = "BackupGetDynamicFiles",
+            ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3", 3] = "nsi_mgmt_handle_set_exp_age",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 22] = "RRPC_FWAddCryptoSet",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 23] = "ElfrFlushEL",
+            ["12345678-1234-abcd-ef00-0123456789ab", 16] = "RpcGetPrintProcessorDirectory",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 0] = "RpcLicensingOpenServer",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 25] = "ElfrReportEventExW",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 48] = "R_DhcpCreateSubnetVQ",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 18] = "NspiGetIDsFromNames",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 18] = "SetCurrentPolicy",
+            ["12345678-1234-abcd-ef00-0123456789ab", 98] = "RpcDeletePrinterConnection2",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 29] = "RRPC_FWDeletePhase1SAs",
+            ["12345778-1234-abcd-ef00-0123456789ac", 67] = "SamrValidatePassword",
+            ["12345778-1234-abcd-ef00-0123456789ac", 15] = "SamrEnumerateAliasesInDomain",
+            ["6619a740-8154-43be-a186-0319578e02db", 7] = "RemoteDispatchAutoDone",
+            ["367abb81-9844-35f1-ad32-98f038001003", 44] = "CreateServiceWOW64A",
+            ["12345678-1234-abcd-ef00-0123456789ab", 47] = "RpcDeleteMonitor",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 59] = "AudioVolumeDeleteMasterVolumeNotification",
+            ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3", 6] = "Clone",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 41] = "ApiOpenGroup",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 2] = "RpcFilterByState",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 26] = "RpcSrvGetDhcpServicedConnections",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 99] = "ApiAddNotifyNetInterface",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 32] = "R_DhcpAuditLogSetParams",
+            ["338cd001-2244-31f1-aaaa-900038001003", 31] = "BaseRegSaveKeyEx",
+            ["12345778-1234-abcd-ef00-0123456789ab", 42] = "LsarStorePrivateData",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 108] = "R_DhcpV4CreatePolicy",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 11] = "KeyrEnumerateCAs",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 18] = "MoveBeforeCalendar",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 51] = "EncapsulateDiskEx",
+            ["12345778-1234-abcd-ef00-0123456789ac", 64] = "SamrConnect5",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 65] = "ApiGetNotify",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 83] = "R_DhcpDeleteFilterV4",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 26] = "R_DhcpDeleteClass",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 14] = "ElfrOpenELA",
+            ["12345778-1234-abcd-ef00-0123456789ab", 23] = "LsarGetSystemAccessAccount",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 4] = "LookupCacheRpc",
+            ["367abb81-9844-35f1-ad32-98f038001003", 0] = "CloseServiceHandle",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 18] = "NetrDfsFlushFtTable",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 130] = "ApiOnlineGroupEx",
+            ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 7] = "Stop",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 29] = "EnumVolumeMembers",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 34] = "GetCAPropertyInfo",
+            ["367abb81-9844-35f1-ad32-98f038001003", 30] = "QueryServiceLockStatusA",
+            ["12345678-1234-abcd-ef00-0123456789ab", 31] = "RpcDeleteForm",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 3] = "S_DSBeginDeleteNotification",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 7] = "ept_map_auth",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 14] = "NspiModLinkAtt",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 14] = "EvtRpcCancel",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 13] = "KeyrQueryRequestStatus",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 20] = "SetClientPermissions",
+            ["d99e6e70-fc88-11d0-b498-00a0c90312f3", 3] = "Request",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 28] = "NetrRemoveAlternateComputerName",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 7] = "CreateAccountingDb",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 32] = "NetprPathCompare",
+            ["17fdd703-1827-4e34-79d4-24a55c53bb37", 3] = "NetrMessageNameDel",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 2] = "RpcIcaServerPing",
+            ["12345678-1234-abcd-ef00-0123456789ab", 22] = "RpcReadPrinter",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 9] = "DRSGetMemberships",
+            ["214a0f28-b737-4026-b847-4f9e37d79529", 5] = "QueryVolumesSupportedForDiffAreas",
+            ["12345778-1234-abcd-ef00-0123456789ab", 51] = "LsarCreateTrustedDomainEx",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 1] = "DRSUnbind",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 21] = "EnumDriveLetters",
+            ["338cd001-2244-31f1-aaaa-900038001003", 1] = "OpenCurrentUser",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 13] = "R_DhcpEnumMScopeClients",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 9] = "PutClassAsync",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 132] = "ApiMoveGroupEx",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 1] = "NetrDfsAdd",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 72] = "ApiNodeResourceControl",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 20] = "RpcAsyncClosePrinter",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 91] = "R_DhcpV4FailoverDeleteRelationship",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 16] = "RdcGetFileDataAsync",
+            ["12345778-1234-abcd-ef00-0123456789ac", 43] = "SamrTestPrivateFunctionsUser",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 57] = "PNP_QueryArbitratorFreeSize",
+            ["12345778-1234-abcd-ef00-0123456789ab", 66] = "CredrGetTargetInfo",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 27] = "PNP_SetClassRegProp",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 8] = "RpcSrvRemoveDnsRegistrations",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 6] = "NetrWkstaTransportAdd",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 121] = "ApiOpenNetworkEx",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 103] = "R_DhcpV4GetOptionValue",
+            ["12345678-1234-abcd-ef00-0123456789ab", 2] = "RpcSetJob",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 3] = "DnssrvEnumRecords",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 41] = "R_DhcpSetServerBindingInfo",
+            ["12345778-1234-abcd-ef00-0123456789ab", 18] = "LsarEnumeratePrivilegesAccount",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 47] = "R_DhcpEnumSubnetClientsVQ",
+            ["12345678-1234-abcd-ef00-01234567cffb", 41] = "DsrDeregisterDnsHostRecords",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 7] = "NspiDNToEph",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 1] = "R_DhcpSetMScopeInfo",
+            ["367abb81-9844-35f1-ad32-98f038001003", 22] = "ScSetServiceBitsA",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 5] = "EcRUnregisterPushNotification",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 8] = "NetrUseAdd",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 48] = "ApiGetNodeId",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 21] = "RpcSrvSetMSFTVendorSpecificOptions",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 32] = "GetCAProperty",
+            ["12345678-1234-abcd-ef00-01234567cffb", 37] = "DsrAddressToSiteNamesExW",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 7] = "EcRGetDCName",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 21] = "EvtRpcPutChannelConfig",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 29] = "NetrServerSetServiceBits",
+            ["12345778-1234-abcd-ef00-0123456789ab", 38] = "LsarRemoveAccountRights",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 37] = "RpcAsyncDeletePrinterIC",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 7] = "GetCalendarInfo",
+            ["338cd001-2244-31f1-aaaa-900038001003", 29] = "BaseRegQueryMultipleValues",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 48] = "LlsrLocalProductEnumW",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 7] = "FrsBackupComplete",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 15] = "NetrDfsAddStdRootForced",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 8] = "RenameKey",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 10] = "AudioVolumeGetMasterVolumeLevelScalar",
+            ["338cd001-2244-31f1-aaaa-900038001003", 20] = "BaseRegSaveKey",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 34] = "ApiQueryValue",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 59] = "LlsrReplClose",
+            ["12345678-1234-abcd-ef00-0123456789ab", 92] = "RpcCommitSpoolData",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 24] = "ElfrReportEventAndSourceW",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 60] = "RpcSyncRefreshRemoteNotifications",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 9] = "NetrFileEnum",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 55] = "QueryChangePartitionNumbers",
+            ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 0] = "AuthzrFreeContext",
+            ["12345778-1234-abcd-ef00-0123456789ac", 29] = "SamrSetInformationAlias",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 17] = "nsi_mgmt_entry_delete",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 10] = "DeletePolicy",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 44] = "DiskMergeQuery",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 33] = "GetVolumeMountName",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 22] = "ExecNotificationQuery",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 26] = "ApiCreateResourceType",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795", 2] = "W32TimeQueryProviderStatus",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 56] = "ApiCloseNotify",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 1] = "SetContext",
+            ["12345678-1234-abcd-ef00-0123456789ab", 69] = "RpcSplOpenPrinter",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 57] = "SetDontShow",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 37] = "LlsrMappingUserAddA",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 13] = "R_GetAllData",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 11] = "nsi_profile_elt_inq_done",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 26] = "Opnum26NotUsedOnWire",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 15] = "RestoreExclusionList",
+            ["12345678-1234-abcd-ef00-0123456789ab", 85] = "RpcAddPerMachineConnection",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 18] = "RpcWinStationShadowTargetSetup",
+            ["338cd001-2244-31f1-aaaa-900038001003", 8] = "BaseRegDeleteValue",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 18] = "ElfrReportEventA",
+            ["12345678-1234-abcd-ef00-01234567cffb", 28] = "DsrGetSiteName",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 8] = "NetrDfsManagerGetConfigInfo",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 45] = "RpcWinStationGetTermSrvCountersValue",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 23] = "Opnum23NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 54] = "RRPC_FWEnumAuthenticationSets2_10",
+            ["894de0c0-0d55-11d3-a322-00c04fa321a1", 2] = "BaseInitiateShutdownEx",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 16] = "nsi_mgmt_binding_unexport",
+            ["338cd001-2244-31f1-aaaa-900038001003", 5] = "BaseRegCloseKey",
+            ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 3] = "WitnessrAsyncNotify",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 107] = "R_DhcpSetPolicyEnforcement",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 3] = "RpcWinStationEnumerate",
+            ["12345778-1234-abcd-ef00-0123456789ac", 59] = "SamrSetBootKeyInformation",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 25] = "GetLastChangeTime",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 14] = "R_DhcpEnumOptionValues",
+            ["12345678-1234-abcd-ef00-0123456789ab", 102] = "RpcCorePrinterDriverInstalled",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 14] = "NetrLogonDomainNameAdd",
+            ["6bffd098-a112-3610-9833-012892020162", 2] = "BrowserrQueryOtherDomains",
+            ["1257b580-ce2f-4109-82d6-a9459d0bf6bc", 0] = "RpcShadow2",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 32] = "RpcAsyncDeletePrinterKey",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 14] = "ModifyMachineInfo",
+            ["c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4", 4] = "GetObjectIdentify",
+            ["367abb81-9844-35f1-ad32-98f038001003", 27] = "OpenSCManagerA",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 27] = "R_KeyExchangePhase2",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 10] = "DeleteClass",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 167] = "ApiAddGroupToGroupSet",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 74] = "RpcWinStationCheckAccess",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 12] = "RdcClose",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 4] = "RequestVersionVector",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 42] = "R_DhcpServerGetConfigVQ",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 12] = "EcUnknown0xC",
+            ["12345778-1234-abcd-ef00-0123456789ab", 32] = "LsarLookupPrivilegeName",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 65] = "RpcWinStationCheckLoopBack",
+            ["7c44d7d4-31d5-424c-bd5e-2b3e1f323d22", 0] = "IDL_DSAPrepareScript",
+            ["00020400-0000-0000-c000-000000000046", 5] = "GetIDsOfNames",
+            ["12345778-1234-abcd-ef00-0123456789ab", 53] = "LsarQueryDomainInformationPolicy",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 12] = "R_DhcpSetOptionValue",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 9] = "NetrUseGetInfo",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 33] = "ApiDeleteValue",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 20] = "NspiResolveNamesW",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 17] = "Opnum17NotUsedOnWire",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 10] = "MarkActivePartition",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 81] = "DeleteAccessPath",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 31] = "NetprPathCanonicalize",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 2] = "EvtRpcRemoteSubscriptionNext",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 53] = "R_DhcpEnumOptionValuesV6",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 26] = "RpcAsyncGetPrinterDriver",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 129] = "R_DhcpV4EnumPoliciesEx",
+            ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 4] = "GetCompressedReport",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 19] = "CheckAccountingConnection",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 33] = "Opnum33NotUsedOnWire",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 23] = "NetrUnjoinDomain2",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 21] = "NetrGetJoinableOUs",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 37] = "R_DhcpGetSuperScopeInfoV4",
+            ["12345678-1234-abcd-ef00-01234567cffb", 31] = "NetrServerPasswordGet",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 4] = "RpcLicensingSetPolicy",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 78] = "R_DhcpGetOptionValueV6",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 64] = "EnumTasks",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 54] = "ApiSetGroupNodeList",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 1] = "EfsRpcReadFileRaw",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 13] = "InitializeFileTransferAsync",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 14] = "IsWSRMActivated",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 26] = "LlsrUserProductDeleteW",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 9] = "RpcGetEnumResultEx",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 25] = "Opnum25NotUsedOnWire",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 14] = "DRSRemoveDsServer",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 13] = "FTEnumVolumes",
+            ["12345778-1234-abcd-ef00-0123456789ac", 20] = "SamrQueryInformationGroup",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 33] = "LlsrMappingInfoSetA",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 107] = "ApiUnblockGetNotifyCall",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 22] = "RpcSrvRequestCachedParams",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 8] = "R_DhcpScanMDatabase",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 39] = "ApiSetKeySecurity",
+            ["fdf8a2b9-02de-47f4-bc26-aa85ab5e5267", 5] = "CreateVirtualSmartCardWithPinPolicy",
+            ["12345678-1234-abcd-ef00-0123456789ab", 96] = "RpcAddDriverCatalog",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 129] = "ApiCreateGroupEx",
+            ["12345678-1234-abcd-ef00-0123456789ab", 67] = "RpcRouterRefreshPrinterChangeNotification",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 27] = "R_DhcpGetClassInfo",
+            ["12345778-1234-abcd-ef00-0123456789ab", 40] = "LsarSetTrustedDomainInfo",
+            ["12345678-1234-abcd-ef00-0123456789ab", 75] = "RpcClusterSplClose",
+            ["1a1bb35f-abb8-451c-a1ae-33d98f1bef4a", 3] = "ReportProgress",
+            ["12345678-1234-abcd-ef00-01234567cffb", 0] = "NetrLogonUasLogon",
+            ["12345678-1234-abcd-ef00-0123456789ab", 90] = "RpcSplOpenPrinter",
+            ["367abb81-9844-35f1-ad32-98f038001003", 40] = "QueryServiceStatusEx",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 124] = "ApiCreateNodeEnumEx",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 23] = "R_DhcpEnumOptions",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 63] = "R_DhcpGetSubnetInfoV6",
+            ["00000131-0000-0000-c000-000000000046", 4] = "RemAddRef",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 57] = "LlsrServiceInfoSetA",
+            ["367abb81-9844-35f1-ad32-98f038001003", 50] = "ControlServiceExA",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 30] = "RpcWinStationReadRegistry",
+            ["12345678-1234-abcd-ef00-01234567cffb", 43] = "DsrGetForestTrustInformation",
+            ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 1] = "I_nsi_lookup_done",
+            ["12345778-1234-abcd-ef00-0123456789ab", 39] = "LsarQueryTrustedDomainInfo",
+            ["367abb81-9844-35f1-ad32-98f038001003", 33] = "GetServiceKeyNameA",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 52] = "ApiMoveGroupToNode",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 19] = "GetCurrentStateAndActivePolicyName",
+            ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 1] = "WitnessrRegister",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 51] = "RpcServerSetInternetConnectorStatus",
+            ["afc07e2e-311c-4435-808c-c483ffeec7c9", 0] = "LsarGetAvailableCAPIDs",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 7] = "ApiCreateEnum",
+            ["12345678-1234-abcd-ef00-0123456789ab", 60] = "RpcReplyClosePrinter",
+            ["367abb81-9844-35f1-ad32-98f038001003", 10] = "ScSetServiceBitsW",
+            ["00020400-0000-0000-c000-000000000046", 4] = "GetTypeInfo",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 32] = "PNP_DisableDevInst",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 46] = "DiskMerge",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 133] = "ApiMoveGroupToNodeEx",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 106] = "R_DhcpV4QueryPolicyEnforcement",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 27] = "NetrServerTransportDel",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 66] = "RRPC_FWSetFirewallRule2_20",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 2] = "SchRpcRetrieveTask",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 11] = "EvtRpcQueryNext",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 52] = "NetrDfsManagerReportSiteInfo",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 46] = "RpcAsyncGetPrintProcessorDirectory",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 80] = "RRPC_FWEnumFirewallRules2_26",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 15] = "AudioSessionIsSystemSoundsSession",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 6] = "LlsrProductEnumW",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 1] = "RpcGetConfigData",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 29] = "R_DhcpGetAllOptions",
+            ["12345778-1234-abcd-ef00-0123456789ac", 9] = "SamrSetInformationDomain",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 29] = "CreateVolume",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 14] = "DnssrvComplexOperation3",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 116] = "ApiCloseBatchPort",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 5] = "R_DhcpEnumSubnetElements",
+            ["12b81e99-f207-4a4c-85d3-77b42f76fd14", 0] = "SeclCreateProcessWithLogonW",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 26] = "BackupCloseFile",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 120] = "R_DhcpV4GetFreeIPAddress",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 4] = "R_DhcpAddMScopeElement",
+            ["12345778-1234-abcd-ef00-0123456789ac", 50] = "SamrCreateUser2InDomain",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 26] = "NetrServerTransportEnum",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 37] = "R_DhcpAddSubnetElementV5",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 4] = "SetAttributes",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 13] = "winmmAdvisePreferredDeviceChange",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 14] = "nsi_entry_object_inq_done",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 22] = "R_DhcpEnumOptionValuesV5",
+            ["12345778-1234-abcd-ef00-0123456789ac", 49] = "SamrGetDisplayEnumerationIndex2",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 6] = "S_DSIsServerGC",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 43] = "NetrDfsGetVersion",
+            ["12345778-1234-abcd-ef00-0123456789ac", 6] = "SamrEnumerateDomainsInSamServer",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 2] = "S_DSGetPropsGuidEx",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 7] = "RpcWinStationSendMessage",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 25] = "R_DhcpModifyClass",
+            ["811109bf-a4e1-11d1-ab54-00a0c91e9b45", 0] = "R_WinsTombstoneDbRecs",
+            ["112b1dff-d9dc-41f7-869f-d67fee7cb591", 3] = "CreateVirtualSmartCard",
+            ["12345778-1234-abcd-ef00-0123456789ac", 14] = "SamrCreateAliasInDomain",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 60] = "Opnum60NotUsedOnWire",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 33] = "RpcWinStationNotifyLogoff",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 13] = "RpcWinStationDisconnect",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 56] = "AudioVolumeSetMute",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 37] = "Opnum37NotUsedOnWire",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 19] = "R_DhcpDeleteClientInfo",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 0] = "gfxCreateZoneFactoriesList",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 28] = "RRPC_FWEnumPhase2SAs",
+            ["338cd001-2244-31f1-aaaa-900038001003", 32] = "OpenPerformanceText",
+            ["12345778-1234-abcd-ef00-0123456789ab", 22] = "LsarSetQuotasForAccount",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 58] = "RpcWinStationUpdateSettings",
+            ["12345778-1234-abcd-ef00-0123456789ac", 17] = "SamrLookupNamesInDomain",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 8] = "EcRNetGetDCName",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 18] = "ApiOfflineResource",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 16] = "EvtRpcRetractConfig",
+            ["367abb81-9844-35f1-ad32-98f038001003", 17] = "QueryServiceConfigW",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 3] = "S_DSSetProps",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 16] = "NetrDfsGetDcAddress",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 8] = "NetrConnectionEnum",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 22] = "AudioSessionGetMute",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 14] = "Opnum14NotUsedOnWire",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 14] = "Opnum14NotUsedOnWire",
+            ["12345778-1234-abcd-ef00-0123456789ab", 34] = "LsarDeleteObject",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 0] = "R_InetInfoGetVersion",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 53] = "GetEncapsulateDiskInfoEx",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 23] = "RRPC_FWSetCryptoSet",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 2] = "DnssrvComplexOperation",
+            ["12345778-1234-abcd-ef00-0123456789ab", 89] = "LsarLookupAuditSubCategoryName",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 50] = "RRPC_FWSetConnectionSecurityRule2_10",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 0] = "AudioServerConnect",
+            ["12345678-1234-abcd-ef00-0123456789ab", 94] = "RpcFlushPrinter",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 49] = "RRPC_FWAddConnectionSecurityRule2_10",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 23] = "RpcSrvRegisterConnectionStateNotification",
+            ["fc910418-55ca-45ef-b264-83d4ce7d30e0", 8] = "SetRemoteUserCategories",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 28] = "AudioSessionGetAllVolumes",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 5] = "ExposeShadowCopySet",
+            ["12345678-1234-abcd-ef00-0123456789ab", 50] = "RpcDeletePrintProvidor",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 7] = "AudioServerGetMixFormat",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 23] = "RpcAsyncGetForm",
+            ["6bffd098-a112-3610-9833-012892020162", 9] = "BrowserrSetNetlogonState",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 71] = "RpcAsyncSetJobNamedProperty",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 7] = "IsValidCertificate",
+            ["367abb81-9844-35f1-ad32-98f038001003", 24] = "CreateServiceA",
+            ["12345678-1234-abcd-ef00-0123456789ab", 61] = "RpcAddPortEx",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 38] = "Opnum38NotUsedOnWire",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 6] = "RpcSrvFallbackRefreshParams",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 30] = "R_DhcpGetAllOptionValues",
+            ["68b58241-c259-4f03-a2e5-a2651dcbc930", 1] = "KSrGetTemplates",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 80] = "LlsrCapabilityGet",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 64] = "RpcAsyncGetCorePrinterDrivers",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 4] = "EnumDiskRegionsEx",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 74] = "LlsrCertificateClaimAddCheckW",
+            ["367abb81-9844-35f1-ad32-98f038001003", 9] = "NotifyBootConfigStatus",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 43] = "RRPC_FWEnumAdapters",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 4] = "ept_lookup_handle_free",
+            ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 6] = "I_nsi_entry_object_inq_begin",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 9] = "RpcAsyncGetPrinter",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 40] = "Opnum40NotUsedOnWire",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795", 4] = "W32TimeQueryProviderConfiguration",
+            ["2f5f3220-c126-1076-b549-074d078619da", 11] = "NDdeSetTrustedShareA",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 63] = "Opnum63NotUsedOnWire",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 11] = "NetrUseEnum",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 27] = "R_DhcpScanDatabase",
+            ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 1] = "SSCatDBDeleteCatalog",
+            ["027947e1-d731-11ce-a357-000000000001", 5] = "NextAsync",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 48] = "ReplaceRaid5Column",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 31] = "R_DhcpRemoveSubnetElementV4",
+            ["00020401-0000-0000-c000-000000000046", 6] = "GetVarDesc",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 17] = "RpcWinStationShadow",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 11] = "Eject",
+            ["12345678-1234-abcd-ef00-01234567cffb", 40] = "DsrEnumerateDomainTrusts",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 26] = "R_KeyExchangePhase1",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 56] = "PNP_QueryArbitratorFreeData",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 31] = "PNP_SetDeviceProblem",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 12] = "NspiGetSpecialTable",
+            ["367abb81-9844-35f1-ad32-98f038001003", 36] = "ChangeServiceConfig2A",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 44] = "LlsrServerEnumW",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 9] = "ApiCreateResource",
+            ["000001a0-0000-0000-c000-000000000046", 3] = "RemoteGetClassObject",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 10] = "LlsrProductUserEnumW",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 75] = "LlsrCertificateClaimAddA",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 29] = "RpcAsyncEnumPrinterKey",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 14] = "PNP_SetDeviceRegProp",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 55] = "R_DhcpGetAllOptionsV6",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 7] = "S_DSLookupNext",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 2] = "EfsRpcWriteFileRaw",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 41] = "PNP_GetHwProfInfo",
+            ["12345778-1234-abcd-ef00-0123456789ab", 11] = "LsarEnumerateAccounts",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 10] = "DeleteCalendar",
+            ["12345778-1234-abcd-ef00-0123456789ac", 5] = "SamrLookupDomainInSamServer",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 59] = "RRPC_FWSetConnectionSecurityRule2_20",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 21] = "RpcAsyncAddForm",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 10] = "RRPC_FWGetConfig",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 5] = "R_WinsGetDbRecs",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 86] = "ApiGetNetworkId",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 70] = "Refresh",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 13] = "DisableDeviceHost",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 12] = "RpcWinStationBeepOpen",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 49] = "Opnum49NotUsedOnWire",
+            ["2f5f3220-c126-1076-b549-074d078619da", 3] = "NDdeGetShareSecurityA",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 15] = "PNP_GetClassInstance",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 10] = "ApiDeleteResource",
+            ["12345778-1234-abcd-ef00-0123456789ab", 77] = "LsarLookupNames4",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 0] = "SchRpcHighestVersion",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 10] = "winmmUnregisterSessionNotification",
+            ["12345678-1234-abcd-ef00-0123456789ab", 59] = "RpcRouterReplyPrinter",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 0] = "NetrCharDevEnum",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 8] = "IsPathSupported",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 52] = "RRPC_FWAddAuthenticationSet2_10",
+            ["1ff70682-0a51-30e8-076d-740be8cee98b", 2] = "NetrJobEnum",
+            ["12345778-1234-abcd-ef00-0123456789ac", 24] = "SamrRemoveMemberFromGroup",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 23] = "R_DhcpRemoveOptionValueV5",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 4] = "RRPC_FWSetGlobalConfig",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 49] = "AudioVolumeSetMasterVolumeLevelScalar",
+            ["99fcfec4-5260-101b-bbcb-00aa0021347a", 1] = "SimplePing",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 3] = "AudioServerGetAudioSession",
+            ["12345678-1234-abcd-ef00-01234567cffb", 27] = "DsrGetDcNameEx",
+            ["57674cd0-5200-11ce-a897-08002b2e9c6d", 1] = "LlsrLicenseFree",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 47] = "LlsrServerProductEnumA",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 3] = "R_WinsDoStaticInit",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 1] = "RpcLicensingCloseServer",
+            ["12345778-1234-abcd-ef00-0123456789ac", 28] = "SamrQueryInformationAlias",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 113] = "R_DhcpV4AddPolicyRange",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 122] = "R_DhcpV4CreateClientInfo",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 6] = "S_DSLookupBegin",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 56] = "LlsrServiceInfoSetW",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 18] = "R_DhcpGetClientInfo",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 9] = "NspiGetProps",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 14] = "winmmGetPnpInfo",
+            ["12345678-1234-abcd-ef00-0123456789ab", 72] = "RpcEnumPrinterData",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 8] = "DRSVerifyNames",
+            ["12345678-1234-abcd-ef00-01234567cffb", 22] = "NetrLogonSetServiceBits",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 41] = "RpcWinStationBreakPoint",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 41] = "RpcAsyncGetPrinterDriverDirectory",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 2] = "DsRolerDcAsDc",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 1] = "EcDoDisconnect",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 40] = "ApiGetKeySecurity",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 4] = "RpcWinStationRename",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 34] = "R_DhcpGetClientInfoV4",
+            ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 6] = "Request2",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 25] = "Opnum25NotUsedOnWire",
+            ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 5] = "AuthrzModifyClaims",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 15] = "Opnum15NotUsedOnWire",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 23] = "NetrDfsAddRootTarget",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 6] = "EnumKeys",
+            ["12345778-1234-abcd-ef00-0123456789ab", 6] = "LsarOpenPolicy",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 9] = "EfsRpcAddUsersToFile",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 11] = "NetrFileClose",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 0] = "RpcSrvEnableDhcp",
+            ["12345678-1234-abcd-ef00-0123456789ab", 82] = "RpcDeletePrinterKey",
+            ["d2d79df7-3400-11d0-b40b-00aa005ff586", 3] = "ObjectsChanged",
+            ["367abb81-9844-35f1-ad32-98f038001003", 8] = "UnlockServiceDatabase",
+            ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 5] = "GetRawReportEx",
+            ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce", 2] = "RpcWaitAsyncNotification",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 183] = "ApiAddGroupToGroupSetEx",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 8] = "LlsrProductAddW",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 29] = "NetrSetPrimaryComputerName",
+            ["12345778-1234-abcd-ef00-0123456789ac", 57] = "SamrConnect2",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 8] = "EvtRpcLocalizeExportLog",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 17] = "NspiGetNamesFromIDs",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 13] = "R_FtpClearStatistics2",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 3] = "KeyrEnumerateProvContainers",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 64] = "RRPC_FWQueryAuthenticationSets2_20",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 4] = "CommitShadowCopySet",
+            ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 9] = "Reboot",
+            ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 3] = "GetReport",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 7] = "NetrDfsMove",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 6] = "InitializeSyncHandle",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 14] = "SetICSInterfaces",
+            ["00000143-0000-0000-c000-000000000046", 3] = "RemQueryInterface",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 9] = "IsEnabled",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 87] = "R_DhcpSetDnsRegCredentialsV5",
+            ["afa8bd80-7d8a-11c9-bef4-08002b102989", 2] = "is_server_listening",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 31] = "Opnum31NotUsedOnWire",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 13] = "R_DhcpGetOptionValue",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 47] = "RRPC_FWSetFirewallRule2_10",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 59] = "Opnum59NotUsedOnWire",
+            ["338cd001-2244-31f1-aaaa-900038001003", 10] = "BaseRegEnumValue",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 5] = "ResubmitRequest",
+            ["12345678-1234-abcd-ef00-01234567cffb", 47] = "unused",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 66] = "ApiOpenNode",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 184] = "ApiChangeResourceGroupEx",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 94] = "R_DhcpV4FailoverAddScopeToRelationship",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 17] = "RpcAsyncGetPrinterDataEx",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 12] = "ComputeEvents",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 70] = "HrGetErrorData",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 55] = "AudioVolumeGetChannelVolumeLevelScalar",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 5] = "RpcGetEnumResult",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 10] = "R_DhcpSetMClientInfo",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 32] = "PolicyConfigSetDeviceFormat",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 52] = "QueryChangePartitionNumbers",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 49] = "RpcAsyncAddPort",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 13] = "NetrWorkstationStatisticsGet",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 13] = "RpcAsyncEndPagePrinter",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 79] = "R_DhcpSetSubnetDelayOffer",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 5] = "CreatePartition",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 16] = "GetProcessList",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 45] = "AudioVolumeConnect",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 69] = "AbortTask",
+            ["367abb81-9844-35f1-ad32-98f038001003", 43] = "ScSendTSMessage",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 15] = "RawGetFileDataAsync",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 38] = "SplitMirror",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 12] = "ElfrClearELFA",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 69] = "RpcAsyncResetPrinter",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 9] = "KeyrImportCert",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 7] = "R_InetInfoClearStatistics",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 38] = "R_DhcpDeleteSuperScopeV4",
+            ["20d15747-6c48-4254-a358-65039fd8c63c", 16] = "GetCompressedReport",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 11] = "RpcQuerySessionData",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 31] = "R_DhcpGetMCastMibInfo",
+            ["2f5f6520-ca46-1067-b319-00dd010662da", 0] = "ClientAttach",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 2] = "S_DSGetProps",
+            ["12345678-1234-abcd-ef00-01234567cffb", 39] = "NetrLogonSamLogonEx",
+            ["29822ab7-f302-11d0-9953-00c04fd919c1", 6] = "AppGetStatus",
+            ["12345678-1234-abcd-ef00-0123456789ab", 21] = "RpcAbortPrinter",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 155] = "ApiAddNotifyResourceTypeV2",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 68] = "LlsrProductSecuritySetA",
+            ["12345678-1234-abcd-ef00-0123456789ab", 58] = "RpcReplyOpenPrinter",
+            ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 8] = "Start",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 16] = "NetrShareGetInfo",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 21] = "AudioSessionSetVolume",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 49] = "NetrDfsDeleteExitPoint",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 15] = "NetrLogonDomainNameDel",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 36] = "AddMirror",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 51] = "AudioVolumeGetMasterVolumeLevelScalar",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 34] = "GrowVolume",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 77] = "AddAccessPath",
+            ["00020401-0000-0000-c000-000000000046", 8] = "GetRefTypeOfImplType",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 15] = "GetServerName",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 2] = "AudioServerInitialize",
+            ["12345778-1234-abcd-ef00-0123456789ab", 67] = "CredrProfileLoaded",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 57] = "ApiAddNotifyCluster",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 7] = "NetrCharDevQPurgeSelf",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 71] = "RRPC_FWSetFirewallRule2_24",
+            ["00020401-0000-0000-c000-000000000046", 4] = "GetTypeComp",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 40] = "UninitializeDisk",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 67] = "ApiCloseNode",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 19] = "RpcAsyncSetPrinterDataEx",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 20] = "FTReplaceParityStripePartition",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 134] = "ApiCancelClusterGroupOperation",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 6] = "NspiResortRestriction",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 15] = "SchRpcScheduledRuntimes",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 49] = "RestartVolume",
+            ["f309ad18-d86a-11d0-a075-00c04fb68820", 3] = "EstablishPosition",
+            ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 3] = "I_nsi_entry_object_inq_next",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 3] = "AddToShadowCopySet",
+            ["12345678-1234-abcd-ef00-0123456789ab", 46] = "RpcAddMonitor",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 10] = "ElfrReadELW",
+            ["20d15747-6c48-4254-a358-65039fd8c63c", 9] = "GetReport",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 16] = "NetrJoinDomain",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 47] = "R_DhcpCreateOptionV6",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 38] = "NetrShareDelCommit",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 17] = "Opnum17NotUsedOnWire",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 42] = "RpcWinStationCheckForApplicationName",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 4] = "KeyrCloseKeyService",
+            ["12345678-1234-abcd-ef00-0123456789ab", 38] = "RpcConfigurePort",
+            ["338cd001-2244-31f1-aaaa-900038001003", 34] = "BaseRegQueryMultipleValues2",
+            ["12345778-1234-abcd-ef00-0123456789ac", 35] = "SamrDeleteUser",
+            ["12345778-1234-abcd-ef00-0123456789ab", 25] = "LsarOpenTrustedDomain",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 65] = "AudioVolumeStepUp",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 0] = "LlsrConnect",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 32] = "CreateVolumeAssignAndFormatEx",
+            ["12345678-1234-abcd-ef00-0123456789ab", 41] = "RpcPlayGdiScriptOnPrinterIC",
+            ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 2] = "I_nsi_lookup_next",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 6] = "EfsRpcQueryUsersOnFile",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 169] = "ApiMoveGroupToGroupSet",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 3] = "RpcSrvReleaseLease",
+            ["12345778-1234-abcd-ef00-0123456789ab", 35] = "LsarEnumerateAccountsWithUserRight",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 29] = "IDL_DRSWriteNgcKey",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 43] = "R_DhcpSetDnsRegCredentials",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 23] = "BackupGetBackupLogs",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 10] = "RpcGetAllSessions",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 128] = "ApiResumeNodeEx",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 96] = "R_DhcpV4FailoverGetScopeRelationship",
+            ["01954e6b-9254-4e6e-808c-c9e05d007696", 4] = "Skip",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 3] = "NetrCharDevQEnum",
+            ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53", 3] = "ItSrvSetDetectionParameters",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 11] = "DeleteClassAsync",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 131] = "R_DhcpV4CreateClientInfoEx",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 60] = "Opnum60NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 40] = "RRPC_FWQueryAuthenticationSets",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 39] = "RemoveMirror",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 13] = "EfsRpcDuplicateEncryptionInfoFile",
+            ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 4] = "RpcIsListening",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 7] = "LlsrProductEnumA",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 1] = "FrsRpcVerifyPromotionParent",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 58] = "R_DhcpEnumSubnetsV6",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 0] = "RegisterServiceRpc",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 6] = "DenyRequest",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 42] = "GetOfficerRights",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 16] = "LlsrUserEnumW",
+            ["12345678-1234-abcd-ef00-01234567cffb", 26] = "NetrServerAuthenticate3",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 51] = "ReplaceRaid5Column",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 34] = "Opnum34NotUsedOnWire",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 28] = "ImportCertificate",
+            ["12345678-1234-abcd-ef00-0123456789ab", 76] = "RpcClusterSplIsAlive",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 125] = "R_DhcpV4FailoverGetAddressStatus",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 30] = "EnumBackups",
+            ["afa8bd80-7d8a-11c9-bef4-08002b102989", 1] = "inq_stats",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 5] = "DnssrvOperation2",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 15] = "ModifySchedule",
+            ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53", 2] = "ItSrvProcessIdleTasks",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 3] = "R_DhcpEnumMScopes",
+            ["12345678-1234-abcd-ef00-0123456789ab", 17] = "RpcStartDocPrinter",
+            ["d99e6e70-fc88-11d0-b498-00a0c90312f3", 4] = "GetCACert",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 21] = "ExecQueryAsync",
+            ["12345778-1234-abcd-ef00-0123456789ab", 3] = "LsarQuerySecurityObject",
+            ["338cd001-2244-31f1-aaaa-900038001003", 14] = "BaseRegNotifyChangeKeyValue",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 45] = "ApiGetGroupState",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 9] = "ExecuteAccountingQuery",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795", 5] = "W32TimeQueryConfiguration",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 16] = "DumpAccountingData",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795", 0] = "W32TimeSync",
+            ["1ff70682-0a51-30e8-076d-740be8cee98b", 3] = "NetrJobGetInfo",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 3] = "EvtRpcRemoteSubscriptionWaitAsync",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 13] = "RpcSrvEnumInterfaces",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 102] = "ApiGetClusterVersion2",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 77] = "RRPC_FWQueryFirewallRules2_25",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 5] = "QueryObjectSink",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 44] = "NetrDfsCreateLocalPartition",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 13] = "ElfrBackupELFA",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 5] = "RpcWinStationQueryInformation",
+            ["12345778-1234-abcd-ef00-0123456789ac", 22] = "SamrAddMemberToGroup",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 20] = "nsi_mgmt_inq_exp_age",
+            ["d95afe70-a6d5-4259-822e-2c84da1ddb0d", 1] = "WsdrAbortShutdown",
+            ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 4] = "WitnessrRegisterEx",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 13] = "LlsrProductServerEnumA",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 1] = "DsRolerDnsNameToFlatName",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 79] = "ApiNodeControl",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 3] = "EfsRpcCloseRaw",
+            ["00020401-0000-0000-c000-000000000046", 16] = "CreateInstance",
+            ["12345778-1234-abcd-ef00-0123456789ab", 73] = "LsarQueryForestTrustInformation",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 64] = "R_DhcpEnumSubnetClientsV6",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 0] = "DsRolerGetPrimaryDomainInformation",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 10] = "DnssrvUpdateRecord3",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 47] = "PNP_AddResDes",
+            ["12345678-1234-abcd-ef00-0123456789ab", 110] = "RpcGetJobNamedPropertyValue",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 2] = "RRPC_FWRestoreDefaults",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 29] = "ApiCreateKey",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 23] = "ImportFromBlobGetHash",
+            ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3", 4] = "Skip",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 7] = "CreatePartitionAssignandFormatEx",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 12] = "RpcAsyncWritePrinter",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 49] = "R_DhcpGetSubnetInfoVQ",
+            ["12345778-1234-abcd-ef00-0123456789ab", 74] = "LsarSetForestTrustInformation",
+            ["12345778-1234-abcd-ef00-0123456789ab", 81] = "LsarAdtReportSecurityEvent",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 4] = "EfsRpcEncryptFileSrv",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 100] = "R_DhcpV4FailoverTriggerAddrAllocation",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 7] = "RetrieveEventList",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 74] = "PNP_DeleteServiceDevices",
+            ["12345678-1234-abcd-ef00-0123456789ab", 57] = "RpcRouterFindFirstPrinterChangeNotificationOld",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 50] = "Opnum50NotUsedOnWire",
+            ["00000143-0000-0000-c000-000000000046", 5] = "RemRelease",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 66] = "RpcConnectCallback",
+            ["00020400-0000-0000-c000-000000000046", 6] = "Invoke",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 24] = "EnumLocalFileSystems",
+            ["12345678-1234-abcd-ef00-0123456789ab", 53] = "RpcGetPrinterDriver2",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 38] = "R_DhcpEnumSubnetElementsV5",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 2] = "ApiSetClusterName",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 63] = "RpcWinStationUpdateClientCachedCredentials",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 8] = "CreatePolicy",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 18] = "RpcAsyncSetPrinterData",
+            ["034634fd-ba3f-11d1-856a-00a0c944138c", 8] = "TerminateSession",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 98] = "ApiNetInterfaceControl",
+            ["12345678-1234-abcd-ef00-0123456789ab", 112] = "RpcDeleteJobNamedProperty",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 53] = "NetrServerTransportDelEx",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 6] = "RpcFilterBySessionType",
+            ["00000000-0000-0000-c000-000000000046", 2] = "Opnum2NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 104] = "ApiBackupClusterDatabase",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 1] = "ApiCloseCluster",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 21] = "LlsrUserInfoSetA",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 30] = "CreateVolume",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 18] = "FTRegenerateParityStripe",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 31] = "NetrWorkstationResetDfsCache",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 16] = "PNP_CreateKey",
+            ["12345678-1234-abcd-ef00-01234567cffb", 42] = "NetrServerTrustPasswordsGet",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 73] = "PNP_SetActiveService",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 0] = "Opnum0NotUsedOnWire",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 17] = "FTResyncMirror",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 8] = "ElfrRegisterEventSourceW",
+            ["12345678-1234-abcd-ef00-01234567cffb", 5] = "NetrServerAuthenticate",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 36] = "ApiEnumValue",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 8] = "R_DhcpCreateOption",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 9] = "nsi_profile_elt_inq_begin",
+            ["12345778-1234-abcd-ef00-0123456789ab", 133] = "LsarSetForestTrustInformation2",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 10] = "EvtRpcMessageRenderDefault",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 58] = "PNP_RunDetection",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 0] = "PNP_Disconnect",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 27] = "RpcAsyncEnumPrinterData",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 1] = "NspiUnbind",
+            ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 3] = "AuthrzAccessCheck",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 6] = "DsRolerGetDcOperationResults",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 10] = "R_W3QueryStatistics2",
+            ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 7] = "GetCAProperty",
+            ["12345678-1234-abcd-ef00-0123456789ab", 86] = "RpcDeletePerMachineConnection",
+            ["29822ab7-f302-11d0-9953-00c04fd919c1", 8] = "AppRecover",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 29] = "Opnum29NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 182] = "ApiChangeCsvStateEx",
+            ["12345778-1234-abcd-ef00-0123456789ab", 78] = "LsarOpenPolicySce",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3", 0] = "nsi_binding_export",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 82] = "R_DhcpAddFilterV4",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 102] = "R_DhcpV4SetOptionValues",
+            ["12345778-1234-abcd-ef00-0123456789ac", 23] = "SamrDeleteGroup",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 131] = "ApiOfflineGroupEx",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 20] = "Opnum20NotUsedOnWire",
+            ["e3d0d746-d2af-40fd-8a7a-0d7078bb7092", 0] = "ExchangePublicKeys",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 1] = "RpcSrvRenewLease",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 58] = "ApiAddNotifyNode",
+            ["12345778-1234-abcd-ef00-0123456789ab", 130] = "LsarOpenPolicy3",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 76] = "R_DhcpDeleteClassV6",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 42] = "RRPC_FWEnumNetworks",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 37] = "GetMaxAdjustedFreeSpace",
+            ["12345778-1234-abcd-ef00-0123456789ac", 62] = "SamrConnect4",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 15] = "Opnum15NotUsedOnWire",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 13] = "GetServiceList",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 127] = "R_DhcpV4GetPolicyEx",
+            ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 2] = "AuthrzInitializeCompoundContext",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 70] = "RpcAsyncGetJobNamedPropertyValue",
+            ["338cd001-2244-31f1-aaaa-900038001003", 12] = "BaseRegGetKeySecurity",
+            ["12345678-1234-abcd-ef00-01234567cffb", 4] = "NetrServerReqChallenge",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 8] = "R_WinsDelDbRecs",
+            ["12345678-1234-abcd-ef00-0123456789ab", 100] = "RpcUploadPrinterDriverPackage",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 10] = "ExportXMLFiles",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 42] = "Opnum42NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 21] = "RRPC_FWEnumAuthenticationSets",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 44] = "ApiCloseGroup",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 4] = "RpcSrvSetFallbackParams",
+            ["12345678-1234-abcd-ef00-01234567cffb", 35] = "NetrLogonGetTimeServiceParentDomain",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 45] = "NetrDfsDeleteLocalPartition",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 20] = "SaveData",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 1] = "ept_delete",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 49] = "PNP_GetNextResDes",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 40] = "SplitMirror",
+            ["deb01010-3a37-4d26-99df-e2bb6ae3ac61", 3] = "RefreshEx",
+            ["12345678-1234-abcd-ef00-0123456789ab", 113] = "RpcEnumJobNamedProperties",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 69] = "RpcRemoteAssistancePrepareSystemRestore",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 4] = "NspiSeekEntries",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 7] = "GetConfig",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 10] = "FrsRpcVerifyPromotionParentEx",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 2] = "R_DhcpGetMScopeInfo",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 0] = "CheckConnectivity",
+            ["12345778-1234-abcd-ef00-0123456789ac", 38] = "SamrChangePasswordUser",
+            ["12b81e99-f207-4a4c-85d3-77b42f76fd14", 1] = "SeclCreateProcessWithLogonExW",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 5] = "NetrCharDevQSetInfo",
+            ["00020401-0000-0000-c000-000000000046", 9] = "GetImplTypeFlags",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 47] = "ApiGetGroupId",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 13] = "Opnum13NotUsedOnWire",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 12] = "EfsRpcFileKeyInfo",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 17] = "NetrDfsSetDcAddress",
+            ["338cd001-2244-31f1-aaaa-900038001003", 15] = "BaseRegOpenKey",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 33] = "R_GetServerGuid",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 114] = "ApiCreateBatchPort",
+            ["12345778-1234-abcd-ef00-0123456789ac", 26] = "SamrSetMemberAttributesOfGroup",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 0] = "nsi_group_delete",
+            ["338cd001-2244-31f1-aaaa-900038001003", 18] = "BaseRegReplaceKey",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 17] = "R_DhcpEnumOptionsV5",
+            ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 0] = "I_nsi_lookup_begin",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 110] = "ApiGetResourceDependencyExpression",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 2] = "Opnum2NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 38] = "RRPC_FWQueryConnectionSecurityRules",
+            ["12345778-1234-abcd-ef00-0123456789ac", 7] = "SamrOpenDomain",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 48] = "PNP_FreeResDes",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 47] = "AudioVolumeGetChannelCount",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 44] = "Opnum44NotUsedOnWire",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 11] = "RpcGetAllSessionsEx",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 4] = "gfxAddGfx",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 16] = "ElfrOpenBELA",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 42] = "UninitializeDisk",
+            ["12345778-1234-abcd-ef00-0123456789ab", 55] = "LsarOpenTrustedDomainByName",
+            ["12345678-1234-abcd-ef00-01234567cffb", 10] = "NetrAccountSync",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 10] = "NetrDfsAddFtRoot",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 126] = "ApiPauseNodeEx",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 8] = "NspiGetPropList",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 50] = "AudioVolumeGetMasterVolumeLevel",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 16] = "GetCurrentMemory",
+            ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 0] = "RpcOpenListener",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 31] = "CreateVolumeAssignAndFormat",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 57] = "R_DhcpCreateSubnetV6",
+            ["12345778-1234-abcd-ef00-0123456789ab", 26] = "LsarQueryInfoTrustedDomain",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 45] = "R_DhcpSetClientInfoVQ",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 19] = "RpcWinStationShadowTarget",
+            ["12345778-1234-abcd-ef00-0123456789ab", 2] = "LsarEnumeratePrivileges",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 21] = "EfsRpcEncryptFileExServ",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 57] = "RpcAsyncEnumPerMachineConnections",
+            ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 0] = "SSCatDBAddCatalog",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 62] = "RRPC_FWAddAuthenticationSet2_20",
+            ["57674cd0-5200-11ce-a897-08002b2e9c6d", 0] = "LlsrLicenseRequestW",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 49] = "ApiOnlineGroup",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 27] = "Opnum27NotUsedOnWire",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 11] = "NspiModProps",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 10] = "NtFrsApi_Rpc_ForceReplication",
+            ["367abb81-9844-35f1-ad32-98f038001003", 29] = "QueryServiceConfigA",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 54] = "AudioVolumeGetChannelVolumeLevel",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 23] = "FreeDriveLetter",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 50] = "LlsrLocalProductInfoGetW",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 5] = "nsi_group_mbr_inq_done",
+            ["01954e6b-9254-4e6e-808c-c9e05d007696", 5] = "Reset",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 5] = "EfsDecryptFileSrv",
+            ["2f5f3220-c126-1076-b549-074d078619da", 13] = "NDdeGetTrustedShareA",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 38] = "AudioSessionManagerDestroy",
+            ["01954e6b-9254-4e6e-808c-c9e05d007696", 3] = "Next",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 40] = "RpcWinStationNtsdDebug",
+            ["12345778-1234-abcd-ef00-0123456789ac", 36] = "SamrQueryInformationUser",
+            ["367abb81-9844-35f1-ad32-98f038001003", 41] = "EnumServicesStatusExA",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 9] = "LlsrProductAddA",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 75] = "RpcWinStationOpenSessionDirectory",
+            ["8298d101-f992-43b7-8eca-5052d885b995", 36] = "Export",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 81] = "LlsrLocalServiceEnumW",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 21] = "EfsRpcEncryptFileExServ",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 70] = "RRPC_FWAddFirewallRule2_24",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 5] = "NspiGetMatches",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 15] = "LlsrProductLicenseEnumA",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 56] = "R_DhcpGetAllOptionValuesV6",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 39] = "Opnum39NotUsedOnWire",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 12] = "KeyrEnroll_V2",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 39] = "PNP_RequestEjectPC",
+            ["12345678-1234-abcd-ef00-0123456789ab", 0] = "RpcEnumPrinters",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 71] = "Initialize",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 10] = "SchRpcStopInstance",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 4] = "R_DhcpAddSubnetElement",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 45] = "SetConfigEntry",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 5] = "RpcLicensingGetAvailablePolicyIds",
+            ["22e5386d-8b12-4bf0-b0ec-6a1ea419e366", 0] = "RpcNetEventOpenSession",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 64] = "ApiReAddNotifyResource",
+            ["1a927394-352e-4553-ae3f-7cf4aafca620", 0] = "WdsRpcMessage",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 166] = "ApiDeleteGroupSet",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3", 1] = "nsi_binding_unexport",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 65] = "RRPC_FWAddFirewallRule2_20",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 5] = "KeyrGetDefaultProvider",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 8] = "RpcLogonIdFromWinStationName",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 55] = "RRPC_FWAddCryptoSet2_10",
+            ["367abb81-9844-35f1-ad32-98f038001003", 37] = "ChangeServiceConfig2W",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 30] = "PNP_GetDeviceStatus",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 36] = "R_DhcpSetSuperScopeV4",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 35] = "R_DhcpEnumSubnetClientsV4",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 44] = "GetConfigEntry",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 20] = "EfsRpcFlushEfsCache",
+            ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 11] = "RenameResourceGroup",
+            ["12345778-1234-abcd-ef00-0123456789ac", 66] = "SamrSetDSRMPassword",
+            ["12345678-1234-abcd-ef00-0123456789ab", 95] = "RpcSendRecvBidiData",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 25] = "RpcWinStationQueryLicense",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 5] = "CreatePartition",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 4] = "NetrWkstaUserSetInfo",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850", 2] = "SfcSrv_FileException",
+            ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 9] = "GetProcessMode",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 30] = "LlsrMappingInfoGetW",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 12] = "LnkSearchMachine",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 12] = "NetrSessionEnum",
+            ["00000143-0000-0000-c000-000000000046", 1] = "AddRef",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 22] = "EvtRpcGetPublisherList",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 20] = "ExecQuery",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 8] = "GetSystemAffinity",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 33] = "GrowVolume",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 36] = "GetCASecurity",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 82] = "LlsrLocalServiceEnumA",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 9] = "R_DhcpCreateMClientInfo",
+            ["12345778-1234-abcd-ef00-0123456789ac", 41] = "SamrGetDisplayEnumerationIndex",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 77] = "ShutDownSystem",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 12] = "DeleteAccountingData",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 0] = "NetrDfsManagerGetVersion",
+            ["12345778-1234-abcd-ef00-0123456789ab", 52] = "LsarCloseTrustedDomainEx",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 3] = "Opnum3NotUsedOnWire",
+            ["12345678-1234-abcd-ef00-01234567cffb", 23] = "NetrLogonGetTrustRid",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 13] = "NetrDfsRemoveStdRoot",
+            ["12345678-1234-abcd-ef00-01234567cffb", 48] = "DsrUpdateReadOnlyServerDnsRecords",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 0] = "EvtRpcRegisterRemoteSubscription",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 9] = "GetNotificationRpc",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 86] = "LlsrLocalServiceInfoSetA",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 6] = "nsi_profile_delete",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 10] = "Opnum10NotUsedOnWire",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 11] = "GetNextAccountingDataBatch",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 26] = "AudioSessionGetChannelVolume",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 24] = "R_DhcpCreateClass",
+            ["367abb81-9844-35f1-ad32-98f038001003", 13] = "EnumDependentServicesW",
+            ["2f5f3220-c126-1076-b549-074d078619da", 0] = "NDdeShareAddW",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 39] = "NetrpGetFileSecurity",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 79] = "RRPC_FWSetFirewallRule2_26",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 46] = "ApiSetGroupName",
+            ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce", 0] = "RpcWaitForSessionState",
+            ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 11] = "Kill",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 55] = "PNP_SetHwProf",
+            ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3", 0] = "nsi_binding_lookup_begin",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 18] = "DnssrvEnumRecords4",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 65] = "PNP_GetObjectPropKeys",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 37] = "GetAudioSessionManager",
+            ["338cd001-2244-31f1-aaaa-900038001003", 2] = "OpenLocalMachine",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 18] = "CreateInstanceEnum",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 8] = "DnssrvEnumRecords2",
+            ["12345778-1234-abcd-ef00-0123456789ab", 80] = "LsarAdtUnregisterSecurityEventSource",
+            ["12345678-1234-abcd-ef00-01234567cffb", 13] = "NetrGetAnyDCName",
+            ["2f5f3220-c126-1076-b549-074d078619da", 12] = "NDdeSetTrustedShareW",
+            ["2f5f3220-c126-1076-b549-074d078619da", 5] = "NDdeSetShareSecurityA",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 28] = "ApiGetRootKey",
+            ["367abb81-9844-35f1-ad32-98f038001003", 18] = "QueryServiceLockStatusW",
+            ["12345778-1234-abcd-ef00-0123456789ab", 33] = "LsarLookupPrivilegeDisplayName",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 51] = "NetrDfsFixLocalVolume",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 114] = "R_DhcpV4RemovePolicyRange",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 36] = "Opnum36NotUsedOnWire",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 38] = "Opnum38NotUsedOnWire",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 3] = "nsi_group_mbr_inq_begin",
+            ["367abb81-9844-35f1-ad32-98f038001003", 23] = "ChangeServiceConfigA",
+            ["12345778-1234-abcd-ef00-0123456789ab", 21] = "LsarGetQuotasForAccount",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 5] = "NetrDfsEnum",
+            ["12345678-1234-abcd-ef00-0123456789ab", 55] = "RpcFindNextPrinterChangeNotification",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 14] = "SchRpcRename",
+            ["2a3eb639-d134-422d-90d8-aaa1b5216202", 10] = "ExportXml",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 7] = "R_DhcpDeleteSubnet",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 18] = "Ping",
+            ["12345678-1234-abcd-ef00-0123456789ab", 64] = "RpcResetPrinterEx",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 15] = "CopyData",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 72] = "R_DhcpGetClientInfoV6",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 17] = "NetrUnjoinDomain",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 2] = "NetrDfsRemove",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 23] = "ExecNotificationQueryAsync",
+            ["1a1bb35f-abb8-451c-a1ae-33d98f1bef4a", 4] = "ReportError",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 46] = "PNP_GetLogConfPriority",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 14] = "PutInstance",
+            ["12345778-1234-abcd-ef00-0123456789ab", 16] = "LsarCreateSecret",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 52] = "PNP_ModifyResDes",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 14] = "CancelAccountingQuery",
+            ["fc910418-55ca-45ef-b264-83d4ce7d30e0", 9] = "RefreshRemoteSessionWeights",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 88] = "LlsrLocalServiceInfoGetA",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 74] = "RescanDisks",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 12] = "GetViewDefaultColumnSet",
+            ["12345678-1234-abcd-ef00-01234567cffb", 14] = "NetrLogonControl2",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 14] = "NetrShareAdd",
+            ["8298d101-f992-43b7-8eca-5052d885b995", 35] = "RestoreWithPasswrd",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 5] = "RpcSrvGetFallbackParams",
+            ["12345778-1234-abcd-ef00-0123456789ab", 65] = "CredrDelete",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 8] = "TsProxySetupReceivePipe",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 19] = "Opnum19NotUsedOnWire",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 24] = "DRSQuerySitesByCost",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 5] = "Opnum5NotUsedOnWire",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 14] = "LlsrProductLicenseEnumW",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 12] = "DRSCrackNames",
+            ["12345778-1234-abcd-ef00-0123456789ab", 56] = "LsarTestCall",
+            ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 9] = "CreateResourceGroup",
+            ["53b46b02-c73b-4a3e-8dee-b16b80672fc0", 0] = "RpcGetSessionIP",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 12] = "NetrMessageBufferSend",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 1] = "NetrWkstaSetInfo",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 126] = "R_DhcpV4CreatePolicyEx",
+            ["00020401-0000-0000-c000-000000000046", 12] = "GetDocumentation",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 28] = "IDL_DRSAddCloneDC",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 20] = "R_WinsStatusWHdl",
+            ["2f5f3220-c126-1076-b549-074d078619da", 4] = "NDdeGetShareSecurityW",
+            ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 2] = "RpcStopListener",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 12] = "R_DhcpDeleteMClientInfo",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 16] = "R_DhcpGetOptionInfoV5",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 127] = "ApiPauseNodeWithDrainTarget",
+            ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 8] = "ModifyResourceGroup",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 17] = "RenameSchedule",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 0] = "KeyrOpenKeyService",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 50] = "RpcAsyncSetPort",
+            ["99fcfec4-5260-101b-bbcb-00aa0021347a", 4] = "ResolveOxid2",
+            ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57", 0] = "RemoteActivation",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 2] = "DeregisterServiceRpc",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 38] = "ApiQueryInfoKey",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 6] = "R_DhcpRemoveSubnetElement",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 37] = "RRPC_FWQueryFirewallRules",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 11] = "DeleteShareMapping",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 20] = "LlsrUserInfoSetW",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 67] = "PNP_SetObjectProp",
+            ["12345678-1234-abcd-ef00-0123456789ab", 91] = "RpcGetSpoolFileInfo",
+            ["6bffd098-a112-3610-9833-012892020162", 11] = "BrowserrServerEnumEx",
+            ["338cd001-2244-31f1-aaaa-900038001003", 17] = "BaseRegQueryValue",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 3] = "ApiGetClusterName",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 66] = "R_DhcpServerGetConfigV6",
+            ["22e5386d-8b12-4bf0-b0ec-6a1ea419e366", 2] = "RpcNetEventCloseSession",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 59] = "RpcWinStationShadowStop",
+            ["12345678-1234-abcd-ef00-0123456789ab", 37] = "RpcAddPort",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 6] = "NetrCharDevQPurge",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 10] = "DeleteMachineGroup",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 35] = "NetprNameCompare",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 4] = "DsRolerDemoteDc",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 9] = "InitializeDiskStyle",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 3] = "EnumDisksEx",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 11] = "ApiCloseResource",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 22] = "S_DSValidateServer",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 8] = "NtFrsApi_Rpc_IsPathReplicated",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 18] = "EfsRpcGetEncryptedFileMetadata",
+            ["367abb81-9844-35f1-ad32-98f038001003", 14] = "EnumServicesStatusW",
+            ["338cd001-2244-31f1-aaaa-900038001003", 16] = "BaseRegQueryInfoKey",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 22] = "R_DhcpGetMibInfo",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 10] = "R_DhcpGetOptionInfo",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 34] = "Opnum34NotUsedOnWire",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 22] = "RpcWinStationEnumerateLicenses",
+            ["12345778-1234-abcd-ef00-0123456789ac", 44] = "SamrGetUserDomainPasswordInformation",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 3] = "R_InetInfoSetAdminInformation",
+            ["6bffd098-a112-3610-9833-012892020162", 4] = "BrowserrDebugTrace",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 82] = "ApiCloseNetwork",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 10] = "RpcWinStationConnect",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 28] = "RpcWinStationCallback",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 11] = "R_DhcpGetMClientInfo",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 25] = "Opnum25NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 60] = "ApiAddNotifyResource",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 69] = "PNP_ApplyPowerSettings",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 74] = "RpcAsyncLogJobInfoForBranchOffice",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 124] = "R_DhcpV6CreateClientInfo",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 32] = "Opnum32NotUsedOnWire",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 2] = "FrsRpcStartPromotionParent",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 128] = "R_DhcpV4SetPolicyEx",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 147] = "ApiGetNotifyAsync",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 4] = "nsi_group_mbr_inq_next",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 45] = "LlsrServerEnumA",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 42] = "ApiCreateGroup",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 73] = "RpcWinStationAutoReconnect",
+            ["12345678-1234-abcd-ef00-0123456789ab", 71] = "RpcSetPort",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 10] = "Opnum10NotUsedOnWire",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 19] = "EvtRpcGetChannelList",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 14] = "DeleteAllData",
+            ["12345778-1234-abcd-ef00-0123456789ab", 0] = "LsarClose",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 17] = "DnssrvUpdateRecord4",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 34] = "PNP_AddID",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 25] = "GetInstalledFileSystems",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 62] = "Opnum62NotUsedOnWire",
+            ["12345678-1234-abcd-ef00-0123456789ab", 18] = "RpcStartPagePrinter",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 18] = "Opnum18NotUsedOnWire",
+            ["12345778-1234-abcd-ef00-0123456789ab", 24] = "LsarSetSystemAccessAccount",
+            ["12345778-1234-abcd-ef00-0123456789ac", 63] = "SamrUnicodeChangePasswordUser3",
+            ["811109bf-a4e1-11d1-ab54-00a0c91e9b45", 1] = "R_WinsCheckAccess",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 9] = "R_SetData",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 12] = "IsInstallRemote",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 17] = "RpcSrvSetClientId",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 21] = "nsi_mgmt_inq_set_age",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 6] = "RpcAsyncScheduleJob",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 12] = "RpcSrvDeRegisterParams",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 92] = "R_DhcpV4FailoverGetRelationship",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 2] = "EstablishSession",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 44] = "ImportDiskGroup",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 16] = "GetCertInfoRemote",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 10] = "Opnum10NotUsedOnWire",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 23] = "NetrServerDiskEnum",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 41] = "InitializeDiskEx",
+            ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 4] = "I_nsi_ping_locator",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 32] = "LlsrMappingInfoSetW",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 67] = "RpcAsyncDeletePrinterDriverPackage",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 6] = "RequestRecords",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 16] = "DRSDomainControllerInfo",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 16] = "Opnum16NotUsedOnWire",
+            ["7c44d7d4-31d5-424c-bd5e-2b3e1f323d22", 1] = "IDL_DSAExecuteScript",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 7] = "Opnum7NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 19] = "ApiAddResourceDependency",
+            ["12345778-1234-abcd-ef00-0123456789ac", 60] = "SamrGetBootKeyInformation",
+            ["12345678-1234-abcd-ef00-0123456789ab", 7] = "RpcSetPrinter",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 39] = "R_DhcpRemoveSubnetElementV5",
+            ["00000131-0000-0000-c000-000000000046", 5] = "RemRelease",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 22] = "DRSReplicaVerifyObjects",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 25] = "RpcAsyncEnumForms",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 23] = "EvtRpcGetPublisherListForChannel",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 12] = "DnssrvOperation3",
+            ["2f5f3220-c126-1076-b549-074d078619da", 6] = "NDdeSetShareSecurityW",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 13] = "DefragmentDB",
+            ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 7] = "EnumerateApplicationsInPool",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 53] = "ApiCreateGroupResourceEnum",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 3] = "DsRolerDcAsReplica",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 9] = "IsPathShadowCopied",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 62] = "AudioMeterGetPeakValue",
+            ["12345678-1234-abcd-ef00-0123456789ab", 36] = "RpcEnumMonitors",
+            ["12345778-1234-abcd-ef00-0123456789ac", 11] = "SamrEnumerateGroupsInDomain",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 19] = "MoveAfterCalendar",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 2] = "LlsrLicenseEnumW",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 0] = "RRPC_FWOpenPolicyStore",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 1] = "RpcCloseEnum",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 90] = "ApiAddNotifyNetwork",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 4] = "DRSUpdateRefs",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 11] = "RenameCalendar",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 8] = "RawGetFileData",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 77] = "LlsrReplicationCertDbAddW",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 15] = "DeleteMachine",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 2] = "StartShadowCopySet",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 38] = "RpcServerNWLogonSetAdmin",
+            ["12345678-1234-abcd-ef00-0123456789ab", 34] = "RpcEnumForms",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 56] = "RpcAsyncDeletePerMachineConnection",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 4] = "RpcGetRemoteAddress",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 3] = "EfsRpcCloseRaw",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 13] = "DnssrvQuery3",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 14] = "OpenView",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 12] = "wdmDriverOpenDrvRegKey",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 90] = "R_DhcpV4FailoverSetRelationship",
+            ["338cd001-2244-31f1-aaaa-900038001003", 33] = "OpenPerformanceNlsText",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 18] = "RRPC_FWSetAuthenticationSet",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 33] = "RRPC_FWSetMainModeRule",
+            ["367abb81-9844-35f1-ad32-98f038001003", 45] = "CreateServiceWOW64W",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 0] = "EcDoConnect",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 28] = "RpcAsyncEnumPrinterDataEx",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 18] = "R_DhcpRemoveOptionV5",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 63] = "ApiReAddNotifyGroup",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 7] = "CreateMachineGroup",
+            ["367abb81-9844-35f1-ad32-98f038001003", 11] = "ChangeServiceConfigW",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 6] = "FrsBackupComplete",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 10] = "DsRolerAbortDownlevelServerUpgrade",
+            ["12345678-1234-abcd-ef00-01234567cffb", 29] = "NetrLogonGetDomainInfo",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 171] = "ApiAddGroupSetDependency",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 16] = "ApiFailResource",
+            ["034634fd-ba3f-11d1-856a-00a0c944138c", 7] = "GetTelnetSessions",
+            ["12345778-1234-abcd-ef00-0123456789ab", 44] = "LsarOpenPolicy2",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 62] = "RpcWinStationGetMachinePolicy",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 4] = "EfsRpcEncryptFileSrv",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 71] = "RescanDisks",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 60] = "R_DhcpEnumSubnetElementsV6",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 4] = "RpcAsyncEnumJobs",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 19] = "PNP_GetClassName",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 42] = "Opnum42NotUsedOnWire",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795", 7] = "W32TimeLog",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 76] = "LlsrCertificateClaimAddW",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 70] = "RpcWinStationGetAllProcesses_NT6",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 19] = "RpcSrvNotifyMediaReconnected",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 50] = "R_DhcpSetSubnetInfoVQ",
+            ["12345778-1234-abcd-ef00-0123456789ab", 41] = "LsarDeleteTrustedDomain",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 38] = "RpcAsyncEnumPrinters",
+            ["367abb81-9844-35f1-ad32-98f038001003", 21] = "GetServiceKeyNameW",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 48] = "DeleteRow",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 0] = "NetrWkstaGetInfo",
+            ["12345778-1234-abcd-ef00-0123456789ac", 61] = "SamrConnect3",
+            ["12345678-1234-abcd-ef00-0123456789ab", 51] = "RpcEnumPrintProcessorDatatypes",
+            ["027947e1-d731-11ce-a357-000000000001", 4] = "Next",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 31] = "RpcWinStationWaitForConnect",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 26] = "RpcWinStationSetPoolCount",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 10] = "GetRawAccountingData",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 27] = "EvtRpcGetNextEventMetadata",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 18] = "CloseKey",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 143] = "ApiCreateGroupEnum",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 43] = "ReConnectDisk",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 58] = "RpcSyncRegisterForRemoteNotifications",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 15] = "EfsRpcAddUsersToFileEx",
+            ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3", 5] = "Reset",
+            ["d99e6e70-fc88-11d0-b498-00a0c90312f3", 5] = "Ping",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 11] = "Opnum11NotUsedOnWire",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 7] = "Opnum7NotUsedOnWire",
+            ["f309ad18-d86a-11d0-a075-00c04fb68820", 6] = "NTLMLogin",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 1] = "EstablishConnection",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 15] = "NetrShareEnum",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 118] = "R_DhcpV6GetStatelessStatistics",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 51] = "LlsrLocalProductInfoGetA",
+            ["12345778-1234-abcd-ef00-0123456789ab", 87] = "LsarEnumerateAuditSubCategories",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 5] = "DRSReplicaAdd",
+            ["367abb81-9844-35f1-ad32-98f038001003", 38] = "QueryServiceConfig2A",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 15] = "RpcSrvSetClassId",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 5] = "AudioServerDestroyStream",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 6] = "SchRpcEnumFolder",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 27] = "RpcWinStationQueryUpdateRequired",
+            ["afa8bd80-7d8a-11c9-bef4-08002b102989", 3] = "stop_server_listening",
+            ["12345678-1234-abcd-ef00-0123456789ab", 9] = "RpcAddPrinterDriver",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 138] = "ApiAddNotifyV2",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 2] = "R_InsetInfoGetSites",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 9] = "FrsBackupComplete",
+            ["12345778-1234-abcd-ef00-0123456789ab", 75] = "CredrRename",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 63] = "RRPC_FWEnumAuthenticationSets2_20",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 53] = "RpcAsyncDeletePrintProcessor",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 5] = "DeleteChildKEys",
+            ["00020401-0000-0000-c000-000000000046", 13] = "GetDllEntry",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 11] = "EfsRpcNotSupported",
+            ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3", 3] = "Next",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 70] = "LlsrProductLicensesGetW",
+            ["338cd001-2244-31f1-aaaa-900038001003", 6] = "BaseRegCreateKey",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 17] = "FTResyncMirror",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 39] = "R_DhcpServerSetConfigV4",
+            ["214a0f28-b737-4026-b847-4f9e37d79529", 7] = "QueryDiffAreaOnVolume",
+            ["12345778-1234-abcd-ef00-0123456789ab", 1] = "LsarDelete",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 6] = "AudioServerGetStreamLatency",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 25] = "IDL_DRSInitDemotion",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 21] = "DRSGetMemberships2",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 1] = "SchRpcRegisterTask",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 3] = "ElfrDeregisterEventSource",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 58] = "Opnum58NotUsedOnWire",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 43] = "Opnum43NotUsedOnWire",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 35] = "DeleteVolume",
+            ["12345778-1234-abcd-ef00-0123456789ab", 47] = "LsarSetInformationPolicy2",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 24] = "AudioSessionGetChannelCount",
+            ["12345778-1234-abcd-ef00-0123456789ac", 45] = "SamrRemoveMemberFromForeignDomain",
+            ["99fcfec4-5260-101b-bbcb-00aa0021347a", 0] = "ResolveOxid",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 3] = "NspiQueryRows",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 1] = "RpcWinStationCloseServer",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 180] = "ApiCreateGroupSetEnum",
+            ["338cd001-2244-31f1-aaaa-900038001003", 9] = "BaseRegEnumKey",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 11] = "R_DhcpRemoveOption",
+            ["12345778-1234-abcd-ef00-0123456789ac", 47] = "SamrQueryInformationUser2",
+            ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 9] = "Ping2",
+            ["000001a0-0000-0000-c000-000000000046", 1] = "AddRefIRemoteISCMActivator",
+            ["12345778-1234-abcd-ef00-0123456789ac", 1] = "SamrCloseHandle",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 21] = "NetrServerGetInfo",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 53] = "AudioVolumeSetChannelVolumeLevelScalar",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 93] = "ApiCloseNetInterface",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 0] = "S_DSGetComputerSites",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 9] = "ImportXMLFiles",
+            ["00000131-0000-0000-c000-000000000046", 3] = "RemQueryInterface",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 75] = "EnumAccessPath",
+            ["12345678-1234-abcd-ef00-0123456789ab", 103] = "RpcGetPrinterDriverPackagePath",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 178] = "ApiRemoveGroupSetDependency",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 10] = "DRSInterDomainMove",
+            ["12345678-1234-abcd-ef00-0123456789ab", 43] = "RpcAddPrinterConnection",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 40] = "R_DhcpServerGetConfigV4",
+            ["12345678-1234-abcd-ef00-0123456789ab", 77] = "RpcSetPrinterDataEx",
+            ["112b1dff-d9dc-41f7-869f-d67fee7cb591", 4] = "DestroyVirtualSmartCard",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 16] = "RRPC_FWEnumConnectionSecurityRules",
+            ["367abb81-9844-35f1-ad32-98f038001003", 42] = "EnumServicesStatusExW",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 144] = "ApiCreateResourceEnum",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 145] = "ApiExecuteReadBatch",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 3] = "AddKey",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 72] = "Uninitialize",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 11] = "EfsRpcNotSupported",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 104] = "R_DhcpV4RemoveOptionValue",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 17] = "R_WinsGetBrowserNames",
+            ["12345678-1234-abcd-ef00-0123456789ab", 99] = "RpcInstallPrinterDriverFromPackage",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 22] = "NetrDfsSetInfo2",
+            ["12345778-1234-abcd-ef00-0123456789ab", 13] = "LsarEnumerateTrustedDomains",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 22] = "BackupGetAttachmentInformation",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 52] = "RestartVolume",
+            ["12345678-1234-abcd-ef00-01234567cffb", 1] = "NetrLogonUasLogoff",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 6] = "Opnum6NotUsedOnWire",
+            ["fa7df749-66e7-4986-a27f-e2f04ae53772", 4] = "QueryVolumesSupportedForSnapshots",
+            ["367abb81-9844-35f1-ad32-98f038001003", 52] = "ScSendPnPMessage",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 13] = "NetrSessionDel",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 11] = "PNP_GetDeviceListSize",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 13] = "PNP_GetDeviceRegProp",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 7] = "ElfrOpenELW",
+            ["12345778-1234-abcd-ef00-0123456789ab", 20] = "LsarRemovePrivilegesFromAccount",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 109] = "ApiSetResourceDependencyExpression",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 75] = "RefreshFileSys",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 25] = "NetrDfsGetSupportedNamespaceVersion",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 73] = "ApiResourceControl",
+            ["c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a", 7] = "DeleteObject",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 24] = "R_DhcpSetOptionValues",
+            ["12345678-1234-abcd-ef00-01234567cffb", 49] = "NetrChainSetClientAttributes",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 10] = "R_GetData",
+            ["12345678-1234-abcd-ef00-0123456789ab", 12] = "RpcGetPrinterDriverDirectory",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 6] = "ApiSetQuorumResource",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 19] = "NetrRenameMachineInDomain",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 7] = "TsProxyCloseTunnel",
+            ["12345778-1234-abcd-ef00-0123456789ab", 31] = "LsarLookupPrivilegeValue",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 24] = "EnumLocalFileSystems",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 43] = "ApiDeleteGroup",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 18] = "AudioSessionGetSessionClass",
+            ["12345778-1234-abcd-ef00-0123456789ac", 8] = "SamrQueryInformationDomain",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 54] = "EncapsulateDiskEx",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 20] = "DRSAddSidHistory",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 28] = "R_DhcpGetVersion",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 7] = "R_WinsBackup",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 4] = "EcRRegisterPushNotification",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 97] = "ApiNodeNetInterfaceControl",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 6] = "Opnum6NotUsedOnWire",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 16] = "DeleteSchedule",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 48] = "RpcAsyncEnumMonitors",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 47] = "NetrDfsSetServerInfo",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 7] = "RpcSrvStaticRefreshParams",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 24] = "RpcSrvDeRegisterConnectionStateNotification",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 2] = "RpcGetProtocolStatus",
+            ["f612954d-3b0b-4c56-9563-227b7be624b4", 40] = "GetChildPaths",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 24] = "NetrRenameMachineInDomain2",
+            ["338cd001-2244-31f1-aaaa-900038001003", 4] = "OpenUsers",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 73] = "LlsrCertificateClaimAddCheckA",
+            ["12345778-1234-abcd-ef00-0123456789ab", 63] = "CredrWriteDomainCredentials",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 13] = "MoveAfter",
+            ["484809d6-4239-471b-b5bc-61df8c23ac48", 3] = "RpcUnRegisterAsyncNotification",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 16] = "RpcWinStationWaitSystemEvent",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 30] = "CreateVolumeAssignAndFormat",
+            ["00000143-0000-0000-c000-000000000046", 4] = "RemAddRef",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 53] = "RRPC_FWSetAuthenticationSet2_10",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 25] = "GetInstalledFileSystems",
+            ["12345678-1234-abcd-ef00-0123456789ab", 40] = "RpcCreatePrinterIC",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 4] = "EnumDiskRegionsEx",
+            ["12345778-1234-abcd-ef00-0123456789ab", 19] = "LsarAddPrivilegesToAccount",
+            ["3c745a97-f375-4150-be17-5950f694c699", 6] = "CreateVirtualSmartCardWithAttestation",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 15] = "FTDeleteVolume",
+            ["12345778-1234-abcd-ef00-0123456789ac", 53] = "SamrRemoveMultipleMembersFromAlias",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 59] = "RpcSyncUnRegisterForRemoteNotifications",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 2] = "EfsRpcWriteFileRaw",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 17] = "ApiOnlineResource",
+            ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 1] = "AuthzrInitializeContextFromSid",
+            ["12345778-1234-abcd-ef00-0123456789ac", 52] = "SamrAddMultipleMembersToAlias",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 11] = "S_DSGetPropsGuid",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 68] = "Initialize",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 9] = "R_DhcpSetOptionInfo",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 61] = "RpcAsyncGetRemoteNotifications",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 112] = "R_DhcpV4EnumPolicies",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 48] = "AudioVolumeSetMasterVolumeLevel",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 20] = "BackupPrepare",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 62] = "RpcAsyncInstallPrinterDriverFromPackage",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 5] = "PNP_ReportLogOn",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 61] = "PNP_GetCustomDevProp",
+            ["12345678-1234-abcd-ef00-0123456789ab", 54] = "RpcClientFindFirstPrinterChangeNotification",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 20] = "S_DSCreateServersCache",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 40] = "AudioSessionManagerGetCurrentSession",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 63] = "AudioMeterGetChannelsPeakValues",
+            ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 1] = "RpcCloseListener",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 7] = "CopyKey",
+            ["99fcfec4-5260-101b-bbcb-00aa0021347a", 2] = "ComplexPing",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 1] = "NetrCharDevGetInfo",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 61] = "R_DhcpRemoveSubnetElementV6",
+            ["12345678-1234-abcd-ef00-0123456789ab", 63] = "RpcSpoolerInit",
+            ["000001a0-0000-0000-c000-000000000046", 0] = "QueryInterfaceIRemoteSCMActivator",
+            ["367abb81-9844-35f1-ad32-98f038001003", 54] = "ScOpenServiceStatusHandle",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 14] = "S_DSSetObjectSecurityGuid",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 13] = "WSRMActivate",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 38] = "PNP_IsDockStationPresent",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 113] = "ApiExecuteBatch",
+            ["12345678-1234-abcd-ef00-0123456789ab", 116] = "RpcLogJobInfoForBranchOffice",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 22] = "EfsRpcQueryProtectors",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 43] = "R_DhcpGetMibInfoVQ",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 64] = "Opnum64NotUsedOnWire",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 19] = "ElfrRegisterClusterSvc",
+            ["367abb81-9844-35f1-ad32-98f038001003", 47] = "NotifyServiceStatusChange",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 42] = "PNP_AddEmptyLogConf",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 37] = "ApiCloseKey",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 24] = "ExecMethod",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 15] = "R_IISDisconnectedUser",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 33] = "R_DhcpAuditLogGetParams",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 41] = "Opnum41NotUsedOnWire",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add", 1] = "Opnum1NotUsedOnWire",
+            ["fa7df749-66e7-4986-a27f-e2f04ae53772", 3] = "GetProviderMgmtInterface",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 122] = "ApiOpenNetInterfaceEx",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 19] = "EfsRpcSetEncryptedFileMetadata",
+            ["12345678-1234-abcd-ef00-0123456789ab", 62] = "RpcRemoteFindFirstPrinterChangeNotification",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 9] = "RpcSrvRequestParams",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 42] = "Opnum42NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 112] = "ApiGetResourceNetworkName",
+            ["367abb81-9844-35f1-ad32-98f038001003", 4] = "QueryServiceObjectSecurity",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 21] = "PNP_GetInterfaceDeviceAlias",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 6] = "ept_mgmt_delete",
+            ["5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc", 0] = "NetrSendMessage",
+            ["12345778-1234-abcd-ef00-0123456789ab", 17] = "LsarOpenAccount",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 7] = "gfxLogon",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 3] = "NetrDfsSetInfo",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 13] = "nsi_entry_object_inq_next",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 4] = "R_InetInfoGetGlobalAdminInformation",
+            ["12345678-1234-abcd-ef00-0123456789ab", 27] = "RpcSetPrinterData",
+            ["00000000-0000-0000-c000-000000000046", 0] = "Opnum0NotUsedOnWire",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 33] = "SetCAProperty",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 83] = "LlsrLocalServiceAddA",
+            ["12345678-1234-abcd-ef00-0123456789ab", 88] = "RpcXcvData",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 100] = "ApiReAddNotifyNetInterface",
+            ["12345778-1234-abcd-ef00-0123456789ac", 73] = "SamrUnicodeChangePasswordUser4",
+            ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 5] = "SSCatDBRebuildDatabase",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 52] = "R_DhcpSetOptionValueV6",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 10] = "RpcSrvPersistentRequestParams",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 10] = "EcDoConnectEx",
+            ["12345778-1234-abcd-ef00-0123456789ac", 12] = "SamrCreateUserInDomain",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 22] = "ElfrGetLogInformation",
+            ["12345778-1234-abcd-ef00-0123456789ab", 45] = "LsarGetUserName",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 33] = "NetprNameValidate",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 4] = "AudioServerCreateStream",
+            ["12345778-1234-abcd-ef00-0123456789ab", 28] = "LsarOpenSecret",
+            ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 3] = "SSCatDBRegisterForChangeNotification",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 18] = "RpcSrvGetClientId",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 8] = "FrsBackupComplete",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 60] = "RRPC_FWEnumConnectionSecurityRules2_20",
+            ["12345778-1234-abcd-ef00-0123456789ab", 7] = "LsarQueryInformationPolicy",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 3] = "DRSGetNCChanges",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 34] = "R_DhcpServerQueryAttribute",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 173] = "ApiNodeGroupSetControl",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 72] = "RRPC_FWEnumFirewallRules2_24",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 0] = "R_DhcpCreateSubnet",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795", 3] = "W32TimeQuerySource",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 176] = "ApiRemoveClusterGroupDependency",
+            ["12345778-1234-abcd-ef00-0123456789ab", 4] = "LsarSetSecurityObject",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 0] = "EfsRpcOpenFileRaw",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 15] = "EvtRpcAssertConfig",
+            ["29822ab7-f302-11d0-9953-00c04fd919c1", 3] = "AppCreate",
+            ["12345778-1234-abcd-ef00-0123456789ab", 71] = "LsarGenAuditEvent",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 61] = "Opnum61NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 119] = "ApiOpenGroupEx",
+            ["1ff70682-0a51-30e8-076d-740be8cee98b", 0] = "NetrJobAdd",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 14] = "Opnum14NotUsedOnWire",
+            ["00020400-0000-0000-c000-000000000046", 3] = "GetTypeInfoCount",
+            ["12345678-1234-abcd-ef00-01234567cffb", 21] = "NetrLogonGetCapabilities",
+            ["4da1c422-943d-11d1-acae-00c04fc2aa3f", 1] = "LnkSvrMessageCallback",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 38] = "LlsrMappingUserDeleteW",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 4] = "TsProxyCreateChannel",
+            ["367abb81-9844-35f1-ad32-98f038001003", 6] = "QueryServiceStatus",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 28] = "EvtRpcGetClassicLogDisplayName",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 76] = "SecureSystemPartition",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 21] = "GetHandleInfo",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 46] = "Opnum46NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 96] = "ApiGetNetInterfaceId",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 78] = "LlsrReplicationProductSecurityAddW",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292", 10] = "GetShareMapping",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 14] = "IsExportableRemote",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 26] = "ElfrReportEventExA",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 146] = "ApiRestartResource",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 44] = "PNP_GetFirstLogConf",
+            ["338cd001-2244-31f1-aaaa-900038001003", 21] = "BaseRegSetKeySecurity",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 66] = "AudioVolumeStepDown",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 115] = "R_DhcpV4EnumSubnetClients",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 47] = "RpcWinStationBroadcastSystemMessage",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 16] = "FTBreakMirror",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 3] = "SchRpcCreateFolder",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 17] = "ServerControl",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 4] = "NetrDfsGetInfo",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 1] = "S_DSDeleteObject",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 25] = "PNP_UnregisterDeviceClassAssociation",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 4] = "S_DSGetObjectSecurity",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 24] = "Opnum24NotUsedOnWire",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 85] = "R_DhcpGetFilterV4",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 11] = "winmmSessionConnectState",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 3] = "SetExtension",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 19] = "GetServerState",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 9] = "PNP_EnumerateSubKeys",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 22] = "NetrJoinDomain2",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 8] = "GetMachineGroupInfo",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 18] = "LlsrUserInfoGetW",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 30] = "RpcAsyncDeletePrinterData",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 12] = "AddMachine",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 6] = "gfxOpenGfx",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 26] = "Opnum26NotUsedOnWire",
+            ["12345778-1234-abcd-ef00-0123456789ab", 59] = "LsarCreateTrustedDomainEx2",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 18] = "FTRegenerateParityStripe",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 42] = "NetrServerSetServiceBitsEx",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 12] = "NetrDfsAddStdRoot",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 16] = "Opnum16NotUsedOnWire",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 19] = "NspiResolveNames",
+            ["338cd001-2244-31f1-aaaa-900038001003", 25] = "BaseAbortSystemShutdown",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 37] = "RemoveMirror",
+            ["12345778-1234-abcd-ef00-0123456789ab", 62] = "CredrEnumerate",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 15] = "SetICSOff",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 49] = "R_DhcpGetOptionInfoV6",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 17] = "Opnum17NotUsedOnWire",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 58] = "LlsrReplConnect",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 7] = "nsi_profile_elt_add",
+            ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 4] = "AuthrzGetInformationFromContext",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 36] = "PNP_QueryRemove",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 32] = "UnmarshalInterface",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 8] = "R_InetInfoFlushMemoryCache",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 54] = "SetDontShow",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 11] = "EcDoRpcExt2",
+            ["12345678-1234-abcd-ef00-0123456789ab", 74] = "RpcClusterSplOpen",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 44] = "AudioSessionManagerAddAudioSessionClientNotification",
+            ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce", 3] = "RpcUnRegisterAsyncNotification",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 71] = "LlsrCertificateClaimEnumA",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 7] = "DnssrvComplexOperation2",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 61] = "RRPC_FWQueryConnectionSecurityRules2_20",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 8] = "PublishCRL",
+            ["000001a0-0000-0000-c000-000000000046", 2] = "ReleaseIRemoteISCMActivator",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 6] = "TsProxyCloseChannel",
+            ["12345778-1234-abcd-ef00-0123456789ab", 9] = "LsarClearAuditLog",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 85] = "LlsrLocalServiceInfoSetW",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 26] = "EvtRpcGetEventMetadataEnum",
+            ["1ff70682-0a51-30e8-076d-740be8cee98b", 1] = "NetrJobDel",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 110] = "R_DhcpV4SetPolicy",
+            ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 5] = "Ping",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 31] = "ApiEnumKey",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 175] = "ApiSetGroupDependencyExpression",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 43] = "RpcWinStationGetAllProcesses",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 61] = "AudioMeterGetChannelsRMS",
+            ["fc910418-55ca-45ef-b264-83d4ce7d30e0", 7] = "GetRemoteUserCategories",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 8] = "RpcGetSessionIds",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 12] = "EnableDeviceHost",
+            ["12345778-1234-abcd-ef00-0123456789ab", 90] = "LsarSetAuditSecurity",
+            ["12345778-1234-abcd-ef00-0123456789ac", 34] = "SamrOpenUser",
+            ["367abb81-9844-35f1-ad32-98f038001003", 35] = "EnumServiceGroupW",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 66] = "PNP_GetObjectProp",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 43] = "RpcAsyncDeletePrinterDriverEx",
+            ["2f5f3220-c126-1076-b549-074d078619da", 9] = "NDdeShareGetInfoW",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 23] = "FreeDriveLetter",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 11] = "LlsrProductUserEnumA",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 5] = "AsyncPoll",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 30] = "Opnum30NotUsedOnWire",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 24] = "RpcWinStationRemoveLicense",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 99] = "R_DhcpV4FailoverGetSystemTime",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 39] = "RpcAsyncAddPrinterDriver",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 109] = "R_DhcpV4GetPolicy",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 69] = "ApiPauseNode",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 40] = "Opnum40NotUsedOnWire",
+            ["12345678-1234-abcd-ef00-01234567cffb", 46] = "NetrServerGetTrustInfo",
+            ["6bffd098-a112-3610-9833-012892020162", 7] = "NetrBrowserStatisticsClear",
+            ["2a3eb639-d134-422d-90d8-aaa1b5216202", 9] = "ImportXml",
+            ["6bffd098-a112-3610-9833-012892020162", 10] = "BrowserrQueryEmulatedDomains",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 21] = "ElfrWriteClusterEvents",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 68] = "RpcAsyncReadPrinter",
+            ["367abb81-9844-35f1-ad32-98f038001003", 32] = "GetServiceDisplayNameA",
+            ["12345678-1234-abcd-ef00-0123456789ab", 81] = "RpcDeletePrinterDataEx",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 36] = "PolicyConfigSetShareMode",
+            ["12345778-1234-abcd-ef00-0123456789ac", 51] = "SamrQueryDisplayInformation3",
+            ["12345678-1234-abcd-ef00-01234567cffb", 12] = "NetrLogonControl",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 15] = "RpcAsyncAbortPrinter",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 93] = "R_DhcpV4FailoverEnumRelationship",
+            ["338cd001-2244-31f1-aaaa-900038001003", 23] = "BaseRegUnLoadKey",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 9] = "R_InetInfoGetServerCapabilities",
+            ["4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72", 4] = "DeleteObject",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 46] = "AudioVolumeDisconnect",
+            ["367abb81-9844-35f1-ad32-98f038001003", 3] = "LockServiceDatabase",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 67] = "EnumTasks",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 14] = "AudioSessionGetLastInactivation",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 24] = "NetrDfsRemoveRootTarget",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 85] = "ApiCreateNetworkEnum",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 44] = "Opnum44NotUsedOnWire",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 0] = "RpcAsyncOpenPrinter",
+            ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 2] = "SSCatDBEnumCatalogs",
+            ["12345678-1234-abcd-ef00-01234567cffb", 20] = "DsrGetDcName",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 13] = "NspiGetTemplateInfo",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 21] = "BackupEnd",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 15] = "ApiGetResourceType",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 62] = "ApiReAddNotifyNode",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 16] = "RpcSrvGetClassId",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 31] = "CreateVolumeAssignAndFormatEx",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 74] = "RRPC_FWAddFirewallRule2_25",
+            ["12345678-1234-abcd-ef00-0123456789ab", 11] = "RpcGetPrinterDriver",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 41] = "SetAuditFilter",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 56] = "DeletePartitionNumberInfoFromRegistry",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 16] = "R_DhcpCreateClientInfo",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 28] = "Opnum28NotUsedOnWire",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 11] = "RenameAllocationPolicy",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 73] = "Refresh",
+            ["338cd001-2244-31f1-aaaa-900038001003", 35] = "BaseRegDeleteKeyEx",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 29] = "Opnum29NotUsedOnWire",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 76] = "EnumAccessPathForVolume",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426", 4] = "FrsBackupComplete",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 0] = "RpcOpenEnum",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 15] = "RpcWinStationShutdownSystem",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 28] = "Opnum28NotUsedOnWire",
+            ["12345778-1234-abcd-ef00-0123456789ac", 31] = "SamrAddMemberToAlias",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 89] = "ApiNetworkControl",
+            ["367abb81-9844-35f1-ad32-98f038001003", 53] = "ScValidatePnPService",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 74] = "ShutDownSystem",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 5] = "SchRpcGetSecurity",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 41] = "LlsrMappingAddA",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 1] = "PNP_Connect",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 9] = "AudioServerGetDevicePeriod",
+            ["12345778-1234-abcd-ef00-0123456789ac", 4] = "SamrShutdownSamServer",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 2] = "gfxCreateGfxList",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 9] = "WriteSignature",
+            ["12345678-1234-abcd-ef00-01234567cffb", 30] = "NetrServerPasswordSet2",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 8] = "SetConfig",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 5] = "R_InetInfoSetGlobalAdminInformation",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 42] = "RpcAsyncDeletePrinterDriver",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 50] = "GetEncapsulateDiskInfoEx",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da", 9] = "EcDoRpcExt",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 0] = "ElfrClearELFW",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 1] = "ElfrBackupELFW",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 11] = "SchRpcStop",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 8] = "GetAccountingMetadata",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 66] = "LlsrProductSecurityGetA",
+            ["367abb81-9844-35f1-ad32-98f038001003", 56] = "QueryServiceConfigEx",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 35] = "RpcWinStationAnnoyancePopup",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 43] = "PNP_FreeLogConf",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 17] = "Opnum17NotUsedOnWire",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 14] = "SetCalDefaultPolicyName",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 51] = "RRPC_FWEnumConnectionSecurityRules2_10",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 11] = "EnumViewColumn",
+            ["12345678-1234-abcd-ef00-01234567cffb", 38] = "DsrGetDcSiteCoverageW",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 32] = "R_DhcpCreateClientInfoV4",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 95] = "R_DhcpV4FailoverDeleteScopeFromRelationship",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 32] = "Opnum32NotUsedOnWire",
+            ["12345778-1234-abcd-ef00-0123456789ab", 69] = "CredrGetSessionTypes",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 31] = "PublishCRLs",
+            ["99fcfec4-5260-101b-bbcb-00aa0021347a", 3] = "ServerAlive",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 5] = "ApiGetQuorumResource",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 5] = "NtFrsApi_Rpc_Get_DsPollingIntervalW",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 41] = "RRPC_FWQueryCryptoSets",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 0] = "RpcWinStationOpenServer",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 55] = "RpcWinStationQueryLogonCredentials",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 11] = "ElfrReportEventW",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 7] = "PNP_GetRootDeviceInstance",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 14] = "RRPC_FWDeleteConnectionSecurityRule",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 23] = "PNP_GetInterfaceDeviceListSize",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 59] = "ApiAddNotifyGroup",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 6] = "ElfrChangeNotify",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 9] = "Opnum9NotUsedOnWire",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 10] = "MarkActivePartition",
+            ["12345778-1234-abcd-ef00-0123456789ac", 56] = "SamrGetDomainPasswordInformation",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 43] = "SetOfficerRights",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 53] = "DeletePartitionNumberInfoFromRegistry",
+            ["338cd001-2244-31f1-aaaa-900038001003", 7] = "BaseRegDeleteKey",
+            ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 8] = "GetCAPropertyInfo",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 17] = "ElfrReadELA",
+            ["338cd001-2244-31f1-aaaa-900038001003", 27] = "OpenCurrentConfig",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 3] = "RpcAsyncGetJob",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 32] = "GetVolumeMountName",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 91] = "ApiReAddNotifyNetwork",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 0] = "DnssrvOperation",
+            ["12345778-1234-abcd-ef00-0123456789ab", 15] = "LsarLookupSids",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 83] = "ApiGetNetworkState",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 61] = "ApiAddNotifyKey",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 29] = "LlsrMappingEnumA",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 37] = "Opnum37NotUsedOnWire",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 6] = "KeyrSetDefaultProvider",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 3] = "PNP_GetGlobalState",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 18] = "Opnum18NotUsedOnWire",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 1] = "Opnum1NotUsedOnWire",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 105] = "R_DhcpV4GetAllOptionValues",
+            ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 4] = "KeyrCloseKeyService",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 7] = "EfsRpcQueryRecoveryAgents",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 29] = "PNP_DeviceInstanceAction",
+            ["12345778-1234-abcd-ef00-0123456789ab", 27] = "LsarSetInformationTrustedDomain",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 17] = "SchRpcGetTaskInfo",
+            ["12345778-1234-abcd-ef00-0123456789ac", 27] = "SamrOpenAlias",
+            ["12345778-1234-abcd-ef00-0123456789ab", 82] = "CredrFindBestCredential",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 25] = "R_DhcpServerSetConfig",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 16] = "AudioSessionGetDisplayName",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 30] = "Opnum30NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 106] = "ApiClusterControl",
+            ["12345778-1234-abcd-ef00-0123456789ac", 19] = "SamrOpenGroup",
+            ["12345678-1234-abcd-ef00-01234567cffb", 17] = "NetrDatabaseRedo",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 14] = "CreateSchedule",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 67] = "LlsrProductSecuritySetW",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 22] = "AssignDriveLetter",
+            ["17fdd703-1827-4e34-79d4-24a55c53bb37", 0] = "NetrMessageNameAdd",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d", 8] = "CreateCalendar",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 17] = "NetrShareSetInfo",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 15] = "DRSRemoveDsDomain",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 4] = "PNP_InitDetection",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 27] = "AudioSessionSetAllVolumes",
+            ["12345778-1234-abcd-ef00-0123456789ab", 14] = "LsarLookupNames",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 79] = "LlsrReplicationUserAddExW",
+            ["12345678-1234-abcd-ef00-0123456789ab", 4] = "RpcEnumJobs",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 71] = "PNP_DriverStoreDeleteDriverPackage",
+            ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 0] = "WitnessrGetInterfaceList",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 40] = "GetAuditFilter",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 9] = "NetrDfsManagerSendSiteInfo",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 10] = "R_WinsSetPriorityClass",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 14] = "R_WinsGetBrowserNames_Old",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 4] = "ApiGetClusterVersion",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 5] = "Opnum5NotUsedOnWire",
+            ["367abb81-9844-35f1-ad32-98f038001003", 12] = "CreateServiceW",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 11] = "AudioSessionGetProcessId",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 5] = "RRPC_FWAddFirewallRule",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 8] = "PNP_GetRelatedDeviceInstance",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 62] = "PNP_GetVersionInternal",
+            ["027947e1-d731-11ce-a357-000000000001", 3] = "Reset",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 11] = "R_WinsResetCounters",
+            ["12345678-1234-abcd-ef00-01234567cffb", 8] = "NetrDatabaseSync",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 60] = "AudioMeterGetAverageRMS",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 65] = "GetTaskDetail",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 15] = "RegisterAccountingClient",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 19] = "R_WinsStatusNew",
+            ["12345778-1234-abcd-ef00-0123456789ac", 13] = "SamrEnumerateUsersInDomain",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 8] = "EfsRpcRemoveUsersFromFile",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 16] = "SchRpcGetLastRunInfo",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 34] = "PolicyConfigSetProcessingPeriod",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 5] = "ElfrOldestRecord",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 1] = "EfsRpcReadFileRaw",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3] = "ept_map",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 46] = "R_DhcpGetClientInfoVQ",
+            ["12345678-1234-abcd-ef00-0123456789ab", 8] = "RpcGetPrinter",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 28] = "NetrRemoteTOD",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 20] = "FTReplaceParityStripePartition",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 20] = "PNP_DeleteClassKey",
+            ["0d72a7d4-6148-11d1-b4aa-00c04fb66ea0", 0] = "SSCertProtectFunction",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 53] = "RpcWinStationGetLanAdapterName",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 15] = "EnumView",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 2] = "DRSReplicaSync",
+            ["2f5f3220-c126-1076-b549-074d078619da", 14] = "NDdeGetTrustedShareW",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 51] = "PNP_GetResDesDataSize",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 76] = "ApiNodeGroupControl",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 17] = "AudioSessionSetDisplayName",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 105] = "ApiNodeClusterControl",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 3] = "gfxRemoveGfx",
+            ["12345678-1234-abcd-ef00-01234567cffb", 16] = "NetrDatabaseSync2",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 2] = "ept_lookup",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 5] = "EfsDecryptFileSrv",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 72] = "PNP_RegisterServiceNotification",
+            ["12345778-1234-abcd-ef00-0123456789ab", 54] = "LsarSetDomainInformationPolicy",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 84] = "R_DhcpSetFilterV4",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 24] = "Opnum24NotUsedOnWire",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 7] = "Opnum7NotUsedOnWire",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 6] = "RRPC_FWSetFirewallRule",
+            ["29822ab8-f302-11d0-9953-00c04fd919c1", 9] = "AppCreate2",
+            ["12345778-1234-abcd-ef00-0123456789ac", 65] = "SamrRidToSid",
+            ["12345678-1234-abcd-ef00-0123456789ab", 49] = "RpcAddPrintProvidor",
+            ["214a0f28-b737-4026-b847-4f9e37d79529", 3] = "AddDiffArea",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 13] = "ApiSetResourceName",
+            ["12345778-1234-abcd-ef00-0123456789ab", 58] = "LsarLookupNames2",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 11] = "RdcGetFileData",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 27] = "LlsrUserProductDeleteA",
+            ["12345778-1234-abcd-ef00-0123456789ac", 37] = "SamrSetInformationUser",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 24] = "NetrServerStatisticsGet",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 48] = "Opnum48NotUsedOnWire",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 3] = "RpcLicensingUnloadPolicy",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 4] = "EvtRpcRegisterControllableOperation",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426", 10] = "NspiCompareMIds",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 73] = "RpcAsyncEnumJobNamedProperties",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 130] = "R_DhcpV4EnumSubnetClientsEx",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 12] = "Opnum12NotUsedOnWire",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 15] = "EfsRpcAddUsersToFileEx",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 25] = "ApiChangeResourceGroup",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 41] = "ReConnectDisk",
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 9] = "ModifyMachineGroup",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 71] = "RpcWinStationRegisterNotificationEvent",
+            ["12345778-1234-abcd-ef00-0123456789ac", 21] = "SamrSetInformationGroup",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673", 14] = "NetrDfsManagerInitialize",
+            ["12345678-1234-abcd-ef00-01234567cffb", 33] = "DsrAddressToSiteNamesW",
+            ["12345678-1234-abcd-ef00-0123456789ab", 87] = "RpcEnumPerMachineConnections",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 24] = "RRPC_FWDeleteCryptoSet",
+            ["367abb81-9844-35f1-ad32-98f038001003", 7] = "SetServiceStatus",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 4] = "RpcEnumAddFilter",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 31] = "DeleteBackup",
+            ["12345678-1234-abcd-ef00-0123456789ab", 79] = "RpcEnumPrinterDataEx",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 8] = "RRPC_FWDeleteAllFirewallRules",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 25] = "BackupReadFile",
+            ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 6] = "GetReferenceVersionVectors",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 6] = "CreatePartitionAssignAndFormat",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 136] = "ApiOfflineResourceEx",
+            ["034634fd-ba3f-11d1-856a-00a0c944138c", 9] = "SendMsgToASession",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 11] = "Opnum11NotUsedOnWire",
+            ["12345678-1234-abcd-ef00-0123456789ab", 1] = "RpcOpenPrinter",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 22] = "PNP_GetInterfaceDeviceList",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 38] = "Ping2",
+            ["deb01010-3a37-4d26-99df-e2bb6ae3ac61", 4] = "GetVolumeDeviceName",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 24] = "LlsrUserProductEnumW",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 56] = "RRPC_FWSetCryptoSet2_10",
+            ["12345678-1234-abcd-ef00-01234567cffb", 18] = "NetrLogonControl2Ex",
+            ["12345678-1234-abcd-ef00-01234567cffb", 7] = "NetrDatabaseDeltas",
+            ["214a0f28-b737-4026-b847-4f9e37d79529", 4] = "ChangeDiffAreaMaximizeSize",
+            ["12345778-1234-abcd-ef00-0123456789ac", 10] = "SamrCreateGroupInDomain",
+            ["12345678-1234-abcd-ef00-0123456789ab", 52] = "RpcResetPrinter",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 48] = "R_DhcpSetOptionInfoV6",
+            ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce", 1] = "RpcRegisterAsyncNotification",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 4] = "DnssrvUpdateRecord",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 5] = "LlsrLicenseAddA",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 11] = "DnssrvEnumRecords3",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 7] = "R_DhcpDeleteMScope",
+            ["367abb81-9844-35f1-ad32-98f038001003", 5] = "SetServiceObjectSecurity",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 18] = "R_WinsGetDbRecsByName",
+            ["12345778-1234-abcd-ef00-0123456789ac", 58] = "SamrSetInformationUser2",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 12] = "R_EnumData",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 20] = "R_DhcpEnumSubnetClients",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 19] = "LlsrUserInfoGetA",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 39] = "AudioSessionManagerGetAudioSession",
+            ["12345678-1234-abcd-ef00-0123456789ab", 66] = "RpcRouterReplyPrinterEx",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 46] = "ImportKey",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 46] = "RRPC_FWAddFirewallRule2_10",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 1] = "EvtRpcRemoteSubscriptionNextAsync",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 54] = "PNP_QueryResConfList",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6", 3] = "RpcSrvRequestParams",
+            ["338cd001-2244-31f1-aaaa-900038001003", 26] = "BaseRegGetVersion",
+            ["2f5f3220-c126-1076-b549-074d078619da", 15] = "NDdeTrustedShareEnumA",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 35] = "RRPC_FWDeleteAllMainModeRules",
+            ["2f5f3220-c126-1076-b549-074d078619da", 16] = "NDdeTrustedShareEnumW",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 52] = "RpcAsyncDeleteMonitor",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 78] = "EnumAccessPath",
+            ["12345778-1234-abcd-ef00-0123456789ab", 57] = "LsarLookupSids2",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 70] = "R_DhcpSetServerBindingInfoV6",
+            ["2f5f6520-ca46-1067-b319-00dd010662da", 2] = "ClientDetach",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 52] = "RpcServerQueryInetConnectorInformation",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8", 10] = "EnableDisable",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 33] = "Opnum33NotUsedOnWire",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 8] = "RpcAsyncSetPrinter",
+            ["c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a", 8] = "ModifyObject",
+            ["338cd001-2244-31f1-aaaa-900038001003", 19] = "BaseRegRestoreKey",
+            ["00020401-0000-0000-c000-000000000046", 5] = "GetFuncDesc",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 9] = "winmmRegisterSessionNotificationEvent",
+            ["338cd001-2244-31f1-aaaa-900038001003", 3] = "OpenPerformanceData",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 21] = "Opnum21NotUsedOnWire",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 19] = "AudioSessionSetSessionClass",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 10] = "RpcGetUserCertificates",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 17] = "EvtRpcOpenLogHandle",
+            ["c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4", 3] = "GetSerializedBuffer",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 89] = "LlsrCloseEx",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 47] = "ReAttachDisk",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 37] = "NetrShareDelStart",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 31] = "LlsrMappingInfoGetA",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe", 21] = "R_WinsDoScavengingNew",
+            ["12345678-1234-abcd-ef00-0123456789ab", 24] = "RpcAddJob",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232", 3] = "Opnum3NotUsedOnWire",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 8] = "S_DSLookupEnd",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 22] = "ImportFromBlob",
+            ["86d35949-83c9-4044-b424-db363231fd0c", 19] = "SchRpcEnableTask",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 72] = "RefreshFileSys",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 12] = "ApiGetResourceState",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 71] = "R_DhcpSetClientInfoV6",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 68] = "PNP_InstallDevInst",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 95] = "ApiGetNetInterface",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 3] = "NetrWkstaUserGetInfo",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850", 1] = "SfcSrv_IsFileProtected",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 179] = "ApiRemoveClusterGroupToGroupSetDependency",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 23] = "LlsrUserDeleteA",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 88] = "R_DhcpEnumSubnetClientsFilterStatusInfo",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 26] = "R_DhcpServerGetConfig",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 43] = "LlsrMappingDeleteA",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 47] = "GetMyRoles",
+            ["12345678-1234-abcd-ef00-0123456789ab", 48] = "RpcDeletePrintProcessor",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 76] = "RRPC_FWEnumFirewallRules2_25",
+            ["12345778-1234-abcd-ef00-0123456789ac", 39] = "SamrGetGroupsForUser",
+            ["12345678-1234-abcd-ef00-01234567cffb", 44] = "NetrGetForestTrustInformation",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 24] = "RpcAsyncSetForm",
+            ["3a410f21-553f-11d1-8e5e-00a0c92c9d5d", 3] = "CreateRemoteObject",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 8] = "RpcLicensingDeactivateCurrentPolicy",
+            ["367abb81-9844-35f1-ad32-98f038001003", 64] = "OpenSCManager2",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea", 4] = "ElfrNumberOfRecords",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 5] = "EvtRpcRegisterLogQuery",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 0] = "S_DSCreateObject",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 25] = "NetrValidateName2",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 16] = "CloseView",
+            ["82ad4280-036b-11cf-972c-00aa006887b0", 14] = "R_IISDEnumerateUsers",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 92] = "ApiOpenNetInterface",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 20] = "NetrShareCheck",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 27] = "S_DSGetServerPort",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 54] = "R_DhcpRemoveOptionValueV6",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 0] = "R_DhcpEnumSubnetClientsV5",
+            ["2f5f6521-ca47-1068-b319-00dd010662db", 0] = "RemoteSPAttach",
+            ["12345778-1234-abcd-ef00-0123456789ac", 46] = "SamrQueryInformationDomain2",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 46] = "LlsrServerProductEnumW",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 123] = "R_DhcpV4GetClientInfo",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 0] = "DRSBind",
+            ["12345778-1234-abcd-ef00-0123456789ac", 69] = "SamrPerformGenericOperation",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 19] = "nsi_mgmt_entry_inq_if_ids",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 73] = "R_DhcpDeleteClientInfoV6",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 12] = "LlsrProductServerEnumW",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 21] = "SetConditionalPolicy",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 10] = "RdcPushSourceNeeds",
+            ["708cca10-9569-11d1-b2a5-0060977d8118", 8] = "S_DSGetGCListInDomain",
+            ["12345778-1234-abcd-ef00-0123456789ab", 12] = "LsarCreateTrustedDomain",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 10] = "KeyrEnumerateAvailableCertTypes",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 2] = "NetrWkstaUserEnum",
+            ["12345778-1234-abcd-ef00-0123456789ab", 10] = "LsarCreateAccount",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 1] = "RpcAsyncAddPrinter",
+            ["12345678-1234-abcd-ef00-0123456789ab", 15] = "RpcEnumPrintProcessors",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 45] = "RpcAsyncEnumPrintProcessors",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 6] = "R_DhcpRemoveMScopeElement",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 19] = "RRPC_FWDeleteAuthenticationSet",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 20] = "AudioSessionGetVolume",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 21] = "R_DhcpGetClientOptions",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 19] = "S_DSQMSetMachineProperties",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 17] = "OpenKey",
+            ["12345678-1234-abcd-ef00-0123456789ab", 111] = "RpcSetJobNamedProperty",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 43] = "ImportDiskGroup",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 84] = "ApiSetNetworkName",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 42] = "AudioSessionManagerAddAudioSessionClientNotification",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 12] = "MoveBefore",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 32] = "RpcWinStationNotifyLogon",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 11] = "RpcSrvRegisterParams",
+            ["2f5f3220-c126-1076-b549-074d078619da", 8] = "NDdeShareEnumW",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 14] = "R_DhcpCreateOptionV5",
+            ["2f5f6520-ca46-1067-b319-00dd010662da", 1] = "ClientRequest",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 50] = "ApiOfflineGroup",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 16] = "DnssrvQuery4",
+            ["6bffd098-a112-3610-9833-012892020162", 6] = "BrowserrResetStatistics",
+            ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 5] = "CreateApplicationPool",
+            ["12345678-1234-abcd-ef00-0123456789ab", 20] = "RpcEndPagePrinter",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 12] = "Opnum12NotUsedOnWire",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 172] = "ApiAddGroupToGroupSetDependency",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 12] = "GetDependencies",
+            ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 5] = "I_nsi_entry_object_inq_done",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 137] = "ApiCreateNotifyV2",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 27] = "Opnum27NotUsedOnWire",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 34] = "RpcWinStationEnumerateProcesses",
+            ["12345778-1234-abcd-ef00-0123456789ab", 50] = "LsarEnumerateTrustedDomainsEx",
+            ["12345678-1234-abcd-ef00-01234567cffb", 25] = "NetrLogonComputeClientDigest",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 35] = "PNP_RegisterDriver",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 73] = "RRPC_FWQueryFirewallRules2_24",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 69] = "RRPC_FWQueryFirewallRules2_20",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 52] = "AudioVolumeSetChannelVolumeLevel",
+            ["00020401-0000-0000-c000-000000000046", 18] = "GetContainingTypeLib",
+            ["12345778-1234-abcd-ef00-0123456789ab", 85] = "LsarEnumerateAuditPolicy",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 50] = "R_DhcpEnumOptionsV6",
+            ["12345678-1234-abcd-ef00-0123456789ab", 5] = "RpcAddPrinter",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 14] = "RpcSrvQueryLeaseInfo",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 9] = "DnssrvUpdateRecord2",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850", 5] = "SfcSrv_SetCacheSize",
+            ["338cd001-2244-31f1-aaaa-900038001003", 22] = "BaseRegSetValue",
+            ["12345678-1234-abcd-ef00-01234567cffb", 11] = "NetrGetDCName",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 57] = "RpcWinStationUnRegisterConsoleNotification",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 30] = "R_DhcpEnumSubnetElementsV4",
+            ["3dde7c30-165d-11d1-ab8f-00805f14db40", 0] = "bkrp_BackupKey",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 55] = "RpcAsyncAddPerMachineConnection",
+            ["12345778-1234-abcd-ef00-0123456789ac", 16] = "SamrGetAliasMembership",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 5] = "NetrWkstaTransportEnum",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 3] = "TsProxyMakeTunnelCall",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 45] = "DiskMergeQuery",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 26] = "Opnum26NotUsedOnWire",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 5] = "DsRolerGetDcOperationProgress",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db", 21] = "R_DhcpGetOptionValueV5",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 30] = "AudioServerGetMixFormat",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 7] = "RRPC_FWDeleteFirewallRule",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 20] = "ApiRemoveResourceDependency",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d", 0] = "EfsRpcOpenFileRaw",
+            ["77df7a80-f298-11d0-8358-00a024c480a8", 23] = "S_DSCloseServerHandle",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 9] = "EfsRpcAddUsersToFile",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 13] = "EnumAttributesOrExtensions",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 48] = "RRPC_FWEnumFirewallRules2_10",
+            ["12345778-1234-abcd-ef00-0123456789ab", 64] = "CredrReadDomainCredentials",
+            ["6bffd098-a112-3610-9833-46c3f874532d", 17] = "R_DhcpSetClientInfo",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f", 7] = "RemoveSyncHandle",
+            ["8298d101-f992-43b7-8eca-5052d885b995", 34] = "BackupWithPasswrd",
+            ["17fdd703-1827-4e34-79d4-24a55c53bb37", 2] = "NetrMessageNameGetInfo",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 1] = "TsProxyCreateTunnel",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 22] = "LlsrUserDeleteW",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 9] = "TsProxySendToServer",
+            ["12345778-1234-abcd-ef00-0123456789ac", 3] = "SamrQuerySecurityObject",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 9] = "RRPC_FWEnumFirewallRules",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 26] = "Format",
+            ["6bffd098-a112-3610-9833-46c3f87e345a", 27] = "NetrAddAlternateComputerName",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e", 43] = "Opnum43NotUsedOnWire",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 7] = "RpcAsyncDeletePrinter",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 12] = "RRPC_FWAddConnectionSecurityRule",
+            ["12345778-1234-abcd-ef00-0123456789ab", 61] = "CredrRead",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209", 66] = "RpcAsyncGetPrinterDriverPackagePath",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 12] = "AudioSessionGetState",
+            ["12345778-1234-abcd-ef00-0123456789ac", 18] = "SamrLookupIdsInDomain",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 58] = "GetDontShow",
+            ["c386ca3e-9061-4a72-821e-498d83be188f", 64] = "AudioVolumeGetStepInfo",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7", 12] = "CreateClassEnum",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 50] = "NetrDfsModifyPrefix",
+            ["027947e1-d731-11ce-a357-000000000001", 6] = "Clone",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586", 28] = "EnumVolumes",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 81] = "RRPC_FWQueryFirewallRules2_26"
+         }
+
+
+
+.. zeek:id:: DCE_RPC::pipe_name_to_common_uuid
+   :source-code: base/protocols/dce-rpc/consts.zeek 242 242
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            ["spoolss"] = "12345678-1234-abcd-ef00-0123456789ab",
+            ["srvsvc"] = "4b324fc8-1670-01d3-1278-5a47bf6ee188",
+            ["winreg"] = "338cd001-2244-31f1-aaaa-900038001003"
+         }
+
+
+   This table is to map pipe names to the most common
+   service used over that pipe.  It helps in cases
+   where the pipe binding wasn't seen.
+
+.. zeek:id:: DCE_RPC::uuid_endpoint_map
+   :source-code: base/protocols/dce-rpc/consts.zeek 5 5
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            ["943991a5-b3fe-41fa-9696-7f7b656ee34b"] = "IWRMMachineGroup",
+            ["fdf8a2b9-02de-47f4-bc26-aa85ab5e5267"] = "ITpmVirtualSmartCardManager2",
+            ["3c745a97-f375-4150-be17-5950f694c699"] = "ITpmVirtualSmartCardManager3",
+            ["03837543-098b-11d8-9414-505054503030"] = "IFolderAction",
+            ["66a2db20-d706-11d0-a37b-00c04fc9da04"] = "IRemoteRouterRestart",
+            ["91ae6020-9e3c-11cf-8d7c-00aa00c091be"] = "ICertPassage",
+            ["906b0ce0-c70b-1067-b317-00dd010662da"] = "IXnRemote",
+            ["03837533-098b-11d8-9414-505054503030"] = "IValueMapItem",
+            ["0383751a-098b-11d8-9414-505054503030"] = "IApiTracingDataCollector",
+            ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd"] = "ICertAdminD2",
+            ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe"] = "RCMPublic",
+            ["5ff9bdf6-bd91-4d8b-a614-d6317acc8dd8"] = "IRemoteSstpCertCheck",
+            ["8d9f4e40-a03d-11ce-8f69-08003e30051b"] = "pnp",
+            ["76f03f96-cdfd-44fc-a22c-64950a001209"] = "IRemoteWinspool",
+            ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53"] = "idletask",
+            ["8165b19e-8d3a-4d0b-80c8-97de310db583"] = "IServicedComponentInfo",
+            ["6bffd098-a112-3610-9833-46c3f87e345a"] = "wkssvc",
+            ["9556dc99-828c-11cf-a37e-00aa003240c7"] = "IWbemServices",
+            ["3a410f21-553f-11d1-8e5e-00a0c92c9d5d"] = "IDMRemoteServer",
+            ["03837506-098b-11d8-9414-505054503030"] = "IPerformanceCounterDataCollector",
+            ["1c1c45ee-4395-11d2-b60b-00104b703efd"] = "IWbemFetchSmartEnum interface",
+            ["12345778-1234-abcd-ef00-0123456789ab"] = "lsarpc",
+            ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28"] = "Witness",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4"] = "NsiM",
+            ["db90832f-6910-4d46-9f5e-9fd6bfa73903"] = "INtmsLibraryControl2",
+            ["03837510-098b-11d8-9414-505054503030"] = "ITraceDataProviderCollection",
+            ["51c82175-844e-4750-b0d8-ec255555bc06"] = "KMS",
+            ["481e06cf-ab04-4498-8ffe-124a0a34296d"] = "IWRMCalendar",
+            ["03837502-098b-11d8-9414-505054503030"] = "IDataCollectorCollection",
+            ["03837541-098b-11d8-9414-505054503030"] = "IDataManager",
+            ["4da1c422-943d-11d1-acae-00c04fc2aa3f"] = "trksvr",
+            ["d2d79df7-3400-11d0-b40b-00aa005ff586"] = "IDMNotify",
+            ["894de0c0-0d55-11d3-a322-00c04fa321a1"] = "InitShutdown",
+            ["00020400-0000-0000-c000-000000000046"] = "IDispatch",
+            ["7c4e1804-e342-483d-a43e-a850cfcc8d18"] = "IIISApplicationAdmin",
+            ["00020403-0000-0000-c000-000000000046"] = "ITypeComp",
+            ["135698d2-3a37-4d26-99df-e2bb6ae3ac61"] = "IVolumeClient3",
+            ["4e934f30-341a-11d1-8fb1-00a024cb6019"] = "INtmsLibraryControl1",
+            ["d02e4be0-3419-11d1-8fb1-00a024cb6019"] = "INtmsMediaServices1",
+            ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d"] = "IWRMAccounting",
+            ["b057dc50-3059-11d1-8faf-00a024cb6019"] = "INtmsObjectManagement1",
+            ["8298d101-f992-43b7-8eca-5052d885b995"] = "IMSAdminBase2W",
+            ["0b6edbfa-4a24-4fc6-8a23-942b1eca65d1"] = "IRPCAsyncNotify",
+            ["afc07e2e-311c-4435-808c-c483ffeec7c9"] = "lsacap",
+            ["c49e32c7-bc8b-11d2-85d4-00105a1f8304"] = "IWbemBackupRestore interface",
+            ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4"] = "IResourceManager",
+            ["03837544-098b-11d8-9414-505054503030"] = "IFolderActionCollection",
+            ["82ad4280-036b-11cf-972c-00aa006887b0"] = "inetinfo",
+            ["c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4"] = "IManagedObject",
+            ["bc681469-9dd9-4bf4-9b3d-709f69efe431"] = "IWRMResourceGroup",
+            ["484809d6-4239-471b-b5bc-61df8c23ac48"] = "TermSrvSession",
+            ["1a1bb35f-abb8-451c-a1ae-33d98f1bef4a"] = "ITpmVirtualSmartCardManagerStatusCallback",
+            ["da5a86c5-12c2-4943-ab30-7f74a813d853"] = "PerflibV2",
+            ["038374ff-098b-11d8-9414-505054503030"] = "IDataCollector",
+            ["1257b580-ce2f-4109-82d6-a9459d0bf6bc"] = "SessEnvPublicRpc",
+            ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce"] = "IServerHealthReport",
+            ["f5cc5a18-4264-101a-8c59-08002b2f8426"] = "nspi",
+            ["6b5bdd1e-528c-422c-af8c-a4079be4fe48"] = "RemoteFW",
+            ["4b112204-0e19-11d3-b42b-0000f81feb9f"] = "ssdpsrv",
+            ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5"] = "AudioSrv",
+            ["000001a0-0000-0000-c000-000000000046"] = "IRemoteSCMActivator",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6"] = "dhcpcsvc6",
+            ["29822ab7-f302-11d0-9953-00c04fd919c1"] = "IWamAdmin",
+            ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce"] = "TermServNotification",
+            ["2c9273e0-1dc3-11d3-b364-00105a1f8177"] = "IWbemRefreshingServices interface",
+            ["44aca675-e8fc-11d0-a07c-00c04fb68820"] = "IWbemCallResult interface",
+            ["1ff70682-0a51-30e8-076d-740be8cee98b"] = "atsvc",
+            ["a4f1db00-ca47-1067-b31f-00dd010662da"] = "exchange_mapi",
+            ["6bffd098-a112-3610-9833-012892020162"] = "browser",
+            ["541679AB-2E5F-11d3-B34E-00104BCC4B4A"] = "IWbemLoginHelper interface",
+            ["2f5f6521-ca47-1068-b319-00dd010662db"] = "remotesp",
+            ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3"] = "NsiS",
+            ["5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"] = "msgsvcsend",
+            ["4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72"] = "IADProxy",
+            ["d95afe70-a6d5-4259-822e-2c84da1ddb0d"] = "WindowsShutdown",
+            ["0383753d-098b-11d8-9414-505054503030"] = "IScheduleCollection",
+            ["03837524-098b-11d8-9414-505054503030"] = "IDataCollectorSetCollection",
+            ["8da03f40-3419-11d1-8fb1-00a024cb6019"] = "INtmsSession1",
+            ["03837512-098b-11d8-9414-505054503030"] = "ITraceDataProvider",
+            ["5b821720-f63b-11d0-aad2-00c04fc324db"] = "dhcpsrv2",
+            ["00020404-0000-0000-c000-000000000046"] = "IEnumVARIANT",
+            ["112b1dff-d9dc-41f7-869f-d67fee7cb591"] = "ITpmVirtualSmartCardManager",
+            ["6139d8a4-e508-4ebb-bac7-d7f275145897"] = "IRemoteIPV6Config",
+            ["00020401-0000-0000-c000-000000000046"] = "ITypeInfo",
+            ["1088a980-eae5-11d0-8d9b-00a02453c337"] = "qm2qm",
+            ["d2d79df5-3400-11d0-b40b-00aa005ff586"] = "IVolumeClient",
+            ["367abb81-9844-35f1-ad32-98f038001003"] = "svcctl",
+            ["0383753a-098b-11d8-9414-505054503030"] = "ISchedule",
+            ["df1941c5-fe89-4e79-bf10-463657acf44d"] = "efsrpc",
+            ["2a3eb639-d134-422d-90d8-aaa1b5216202"] = "IResourceManager2",
+            ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2"] = "IIISCertObj",
+            ["88143fd0-c28d-4b2b-8fef-8d882f6a9390"] = "TermServEnumeration",
+            ["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi",
+            ["76d12b80-3467-11d3-91ff-0090272f9ea3"] = "qmcomm2",
+            ["fdb3a030-065f-11d1-bb9b-00a024ea5525"] = "qmcomm",
+            ["01954e6b-9254-4e6e-808c-c9e05d007696"] = "IVssEnumMgmtObject",
+            ["3bbed8d9-2c9a-4b21-8936-acb2f995be6c"] = "INtmsObjectManagement3",
+            ["f612954d-3b0b-4c56-9563-227b7be624b4"] = "IMSAdminBase3W",
+            ["c49e32c6-bc8b-11d2-85d4-00105a1f8304"] = "IWbemBackupRestoreEx interface",
+            ["12b81e99-f207-4a4c-85d3-77b42f76fd14"] = "ISeclogon",
+            ["ea0a3165-4834-11d2-a6f8-00c04fa346cc"] = "fax",
+            ["d049b186-814f-11d1-9a3c-00c04fc9b232"] = "NtFrsApi",
+            ["d99e6e70-fc88-11d0-b498-00a0c90312f3"] = "ICertRequestD",
+            ["300f3532-38cc-11d0-a3f0-0020af6b0add"] = "trkwks",
+            ["3919286a-b10c-11d0-9ba8-00c04fd92ef5"] = "dssetup",
+            ["03837534-098b-11d8-9414-505054503030"] = "IValueMap",
+            ["879c8bbe-41b0-11d1-be11-00c04fb6bf70"] = "IClientSink",
+            ["338cd001-2244-31f1-aaaa-900038001003"] = "winreg",
+            ["895a2c86-270d-489d-a6c0-dc2a9b35280e"] = "INtmsObjectManagement2",
+            ["027947e1-d731-11ce-a357-000000000001"] = "IEnumWbemClassObject interface",
+            ["e8fb8620-588f-11d2-9d61-00c04f79c5fe"] = "IIisServiceControl",
+            ["833e4100-aff7-4ac3-aac2-9f24c1457bce"] = "IPCHCollection",
+            ["66a2db22-d706-11d0-a37b-00c04fc9da04"] = "IRemoteICFICSConfig",
+            ["f50aac00-c7f3-428e-a022-a6b71bfb9d43"] = "ICatDBSvc",
+            ["44e265dd-7daf-42cd-8560-3cdb6e7a2729"] = "TsProxyRpcInterface",
+            ["53b46b02-c73b-4a3e-8dee-b16b80672fc0"] = "TSVIPPublic",
+            ["70b51430-b6ca-11d0-b9b9-00a0c922e750"] = "IMSAdminBaseW",
+            ["86d35949-83c9-4044-b424-db363231fd0c"] = "ITaskSchedulerService",
+            ["423ec01e-2e35-11d2-b604-00104b703efd"] = "IWbemWCOSmartEnum interface",
+            ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15"] = "IWRMPolicy",
+            ["d4781cd6-e5d3-44df-ad94-930efe48a887"] = "IWbemLoginClientID",
+            ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"] = "IActivation",
+            ["12345678-1234-abcd-ef00-0123456789ab"] = "spoolss",
+            ["57674cd0-5200-11ce-a897-08002b2e9c6d"] = "lls_license",
+            ["50abc2a4-574d-40b3-9d66-ee4fd5fba076"] = "dnsserver",
+            ["b97db8b2-4c63-11cf-bff6-08002be23f2f"] = "clusapi",
+            ["ae33069b-a2a8-46ee-a235-ddfd339be281"] = "IRPCRemoteObject",
+            ["d99e6e71-fc88-11d0-b498-00a0c90312f3"] = "ICertAdminD",
+            ["12345678-1234-abcd-ef00-01234567cffb"] = "netlogon",
+            ["6099fc12-3eff-11d0-abd0-00c04fd91a4e"] = "faxclient",
+            ["82273fdc-e32a-18c3-3f78-827929dc23ea"] = "eventlog",
+            ["e1af8308-5d1f-11c9-91a4-08002b14a0fa"] = "epmapper",
+            ["497d95a6-2d27-4bf5-9bbd-a6046957133c"] = "RCMListener",
+            ["20610036-fa22-11cf-9823-00a0c911e5df"] = "rasrpc",
+            ["8f09f000-b7ed-11ce-bbd2-00001a181cad"] = "dimsvc",
+            ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5"] = "RpcSrvDHCPC",
+            ["fa7df749-66e7-4986-a27f-e2f04ae53772"] = "IVssSnapshotMgmt",
+            ["4590f812-1d3a-11d0-891f-00aa004b2e24"] = "IWbemClassObject unmarshaler",
+            ["41208ee0-e970-11d1-9b9e-00e02c064c39"] = "qmmgmt",
+            ["081e7188-c080-4ff3-9238-29f66d6cabfd"] = "IMessenger",
+            ["5ca4a760-ebb1-11cf-8611-00a0245420ed"] = "winstation_rpc",
+            ["7c857801-7381-11cf-884d-00aa004b2e24"] = "IWbemObjectSink interface",
+            ["22e5386d-8b12-4bf0-b0ec-6a1ea419e366"] = "NetEventForwarder",
+            ["c8cb7687-e6d3-11d2-a958-00c04f682e16"] = "DAV RPC SERVICE",
+            ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3"] = "NsiC",
+            ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c"] = "IEventService",
+            ["77df7a80-f298-11d0-8358-00a024c480a8"] = "dscomm",
+            ["83da7c00-e84f-11d2-9807-00c04f8ec850"] = "sfcapi",
+            ["bb39332c-bfee-4380-ad8a-badc8aff5bb6"] = "INtmsNotifySink",
+            ["6619a740-8154-43be-a186-0319578e02db"] = "IRemoteDispatch",
+            ["7c44d7d4-31d5-424c-bd5e-2b3e1f323d22"] = "dsaop",
+            ["342cfd40-3c6c-11ce-a893-08002b2e9c6d"] = "llsrpc",
+            ["5261574a-4572-206e-b268-6b199213b4e4"] = "AsyncEMSMDB",
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "srvsvc",
+            ["674b6698-ee92-11d0-ad71-00c04fd8fdff"] = "IWbemContext unmarshaler",
+            ["0d72a7d4-6148-11d1-b4aa-00c04fb66ea0"] = "ICertProtect",
+            ["708cca10-9569-11d1-b2a5-0060977d8118"] = "dscomm2",
+            ["214a0f28-b737-4026-b847-4f9e37d79529"] = "IVssDifferentialSoftwareSnapshotMgmt",
+            ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3"] = "IVssEnumObject",
+            ["03837516-098b-11d8-9414-505054503030"] = "IAlertDataCollector",
+            ["21546ae8-4da5-445e-987f-627fea39c5e8"] = "IWRMConfig",
+            ["034634fd-ba3f-11d1-856a-00a0c944138c"] = "IManageTelnetSessions",
+            ["1544f5e0-613c-11d1-93df-00c04fd7bd09"] = "exchange_rfr",
+            ["4fc742e0-4a10-11cf-8273-00aa004ae673"] = "netdfs",
+            ["f309ad18-d86a-11d0-a075-00c04fb68820"] = "IWbemLevel1Login",
+            ["20d15747-6c48-4254-a358-65039fd8c63c"] = "IServerHealthReport2",
+            ["f5cc59b4-4264-101a-8c59-08002b2f8426"] = "FrsRpc",
+            ["b9785960-524f-11df-8b6d-83dcded72085"] = "ISDKey",
+            ["784b693d-95f3-420b-8126-365c098659f2"] = "IOCSPAdminD",
+            ["e3514235-4b06-11d1-ab04-00c04fc2dcd2"] = "drsuapi",
+            ["6bffd098-a112-3610-9833-46c3f874532d"] = "dhcpsrv",
+            ["e3d0d746-d2af-40fd-8a7a-0d7078bb7092"] = "BitsPeerAuth",
+            ["fc910418-55ca-45ef-b264-83d4ce7d30e0"] = "IWRMRemoteSessionMgmt",
+            ["833e41aa-aff7-4ac3-aac2-9f24c1457bce"] = "ISAFSession",
+            ["dc12a681-737f-11cf-884d-00aa004b2e24"] = "IWbemClassObject interface",
+            ["00020411-0000-0000-c000-000000000046"] = "ITypeLib2",
+            ["1a927394-352e-4553-ae3f-7cf4aafca620"] = "WdsRpcInterface",
+            ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7"] = "authzr",
+            ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b"] = "IKeySvc",
+            ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90"] = "ICertRequestD2",
+            ["f1e9c5b2-f59b-11d2-b362-00105a1f8177"] = "IWbemRemoteRefresher interface",
+            ["811109bf-a4e1-11d1-ab54-00a0c91e9b45"] = "winsi2",
+            ["c386ca3e-9061-4a72-821e-498d83be188f"] = "AudioRpc",
+            ["69ab7050-3059-11d1-8faf-00a024cb6019"] = "INtmsObjectInfo1",
+            ["a8e0653c-2744-4389-a61d-7373df8b2292"] = "FileServerVssAgent",
+            ["0383750b-098b-11d8-9414-505054503030"] = "ITraceDataCollector",
+            ["833e4200-aff7-4ac3-aac2-9f24c1457bce"] = "IPCHService",
+            ["03837520-098b-11d8-9414-505054503030"] = "IDataCollectorSet",
+            ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8"] = "lcrpc",
+            ["00020412-0000-0000-c000-000000000046"] = "ITypeInfo2",
+            ["8fb6d884-2388-11d0-8c35-00c04fda2795"] = "W32Time",
+            ["f120a684-b926-447f-9df4-c966cb785648"] = "IRASrv",
+            ["4bdafc52-fe6a-11d2-93f8-00105a11164a"] = "IVolumeClient2",
+            ["c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a"] = "IADProxy2",
+            ["03837514-098b-11d8-9414-505054503030"] = "IConfigurationDataCollector",
+            ["7d07f313-a53f-459a-bb12-012c15b1846e"] = "IRobustNtmsMediaServices1",
+            ["00000131-0000-0000-c000-000000000046"] = "IRemUnknown",
+            ["2f5f6520-ca46-1067-b319-00dd010662da"] = "tapsrv",
+            ["00020402-0000-0000-c000-000000000046"] = "ITypeLib",
+            ["c681d488-d850-11d0-8c52-00c04fd90f7e"] = "efsrpc2",
+            ["897e2e5f-93f3-4376-9c9c-fd2277495c27"] = "FrsTransport",
+            ["00000143-0000-0000-c000-000000000046"] = "IRemUnknown2",
+            ["17fdd703-1827-4e34-79d4-24a55c53bb37"] = "msgsvc",
+            ["45f52c28-7f9f-101a-b52b-08002b2efabe"] = "winspipe",
+            ["66a2db1b-d706-11d0-a37b-00c04fc9da04"] = "IRemoteNetworkConfig",
+            ["a359dec5-e813-4834-8a2a-ba7f1d777d76"] = "IWbemBackupRestoreEx interface",
+            ["99fcfec4-5260-101b-bbcb-00aa0021347a"] = "IObjectExporter",
+            ["67e08fc2-2984-4b62-b92e-fc1aae64bbbb"] = "IRemoteStringIdConfig",
+            ["9a653086-174f-11d2-b5f9-00104b703efd"] = "IWbemClassObject interface",
+            ["1a9134dd-7b39-45ba-ad88-44d01ca47f28"] = "RemoteRead",
+            ["e33c0cc4-0482-101a-bc0c-02608c6ba218"] = "locator",
+            ["deb01010-3a37-4d26-99df-e2bb6ae3ac61"] = "IVolumeClient4",
+            ["3d267954-eeb7-11d1-b94e-00c04fa3080d"] = "HydraLsPipe",
+            ["66a2db21-d706-11d0-a37b-00c04fc9da04"] = "IRemoteSetDnsConfig",
+            ["68b58241-c259-4f03-a2e5-a2651dcbc930"] = "IKeySvc2",
+            ["12345778-1234-abcd-ef00-0123456789ac"] = "samr",
+            ["44aca674-e8fc-11d0-a07c-00c04fb68820"] = "IWbemContext interface",
+            ["f31931a9-832d-481c-9503-887a0e6a79f0"] = "IWRMProtocol",
+            ["378e52b0-c0a9-11cf-822d-00aa0051e40f"] = "sasec",
+            ["29822ab8-f302-11d0-9953-00c04fd919c1"] = "IWamAdmin2",
+            ["00000000-0000-0000-c000-000000000046"] = "IUnknown",
+            ["3dde7c30-165d-11d1-ab8f-00805f14db40"] = "BackupKey",
+            ["d61a27c6-8f53-11d0-bfa0-00a024151983"] = "CNtmsSvr",
+            ["afa8bd80-7d8a-11c9-bef4-08002b102989"] = "mgmt"
+         }
+
+
+
+
diff --git a/doc/scripts/base/protocols/dce-rpc/index.rst b/doc/scripts/base/protocols/dce-rpc/index.rst
new file mode 100644
index 0000000000..f8529d1170
--- /dev/null
+++ b/doc/scripts/base/protocols/dce-rpc/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: base/protocols/dce-rpc
+===============================
+
+Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
+Calls) protocol analysis.
+
+:doc:`/scripts/base/protocols/dce-rpc/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/dce-rpc/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/dce-rpc/main.zeek`
+
+
diff --git a/doc/scripts/base/protocols/dce-rpc/main.zeek.rst b/doc/scripts/base/protocols/dce-rpc/main.zeek.rst
new file mode 100644
index 0000000000..57a0575bf0
--- /dev/null
+++ b/doc/scripts/base/protocols/dce-rpc/main.zeek.rst
@@ -0,0 +1,194 @@
+:tocdepth: 3
+
+base/protocols/dce-rpc/main.zeek
+================================
+.. zeek:namespace:: DCE_RPC
+
+
+:Namespace: DCE_RPC
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/dce-rpc/consts.zeek </scripts/base/protocols/dce-rpc/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================== ===============================================================
+:zeek:id:`DCE_RPC::ignored_operations`: :zeek:type:`table` :zeek:attr:`&redef` These are DCE-RPC operations that are ignored, typically due to
+                                                                               the operations being noisy and low value on most networks.
+============================================================================== ===============================================================
+
+Types
+#####
+======================================================= =
+:zeek:type:`DCE_RPC::BackingState`: :zeek:type:`record` 
+:zeek:type:`DCE_RPC::Info`: :zeek:type:`record`         
+:zeek:type:`DCE_RPC::State`: :zeek:type:`record`        
+======================================================= =
+
+Redefinitions
+#############
+======================================================================= =======================================================================================================================
+:zeek:id:`DPD::ignore_violations`: :zeek:type:`set` :zeek:attr:`&redef` 
+:zeek:type:`Log::ID`: :zeek:type:`enum`                                 
+                                                                        
+                                                                        * :zeek:enum:`DCE_RPC::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                            
+                                                                        
+                                                                        :New Fields: :zeek:type:`connection`
+                                                                        
+                                                                          dce_rpc: :zeek:type:`DCE_RPC::Info` :zeek:attr:`&optional`
+                                                                        
+                                                                          dce_rpc_state: :zeek:type:`DCE_RPC::State` :zeek:attr:`&optional`
+                                                                        
+                                                                          dce_rpc_backing: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`DCE_RPC::BackingState` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`    
+======================================================================= =======================================================================================================================
+
+Hooks
+#####
+==================================================================== ==========================
+:zeek:id:`DCE_RPC::finalize_dce_rpc`: :zeek:type:`Conn::RemovalHook` DCE_RPC finalization hook.
+:zeek:id:`DCE_RPC::log_policy`: :zeek:type:`Log::PolicyHook`         
+==================================================================== ==========================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: DCE_RPC::ignored_operations
+   :source-code: base/protocols/dce-rpc/main.zeek 45 45
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            ["spoolss"] = {
+               "RpcSplOpenPrinter",
+               "RpcClosePrinter"
+            },
+            ["wkssvc"] = {
+               "NetrWkstaGetInfo"
+            },
+            ["winreg"] = {
+               "BaseRegCloseKey",
+               "BaseRegGetVersion",
+               "BaseRegOpenKey",
+               "BaseRegDeleteKeyEx",
+               "BaseRegEnumKey",
+               "OpenLocalMachine",
+               "BaseRegQueryValue",
+               "OpenClassesRoot"
+            }
+         }
+
+
+   These are DCE-RPC operations that are ignored, typically due to
+   the operations being noisy and low value on most networks.
+
+Types
+#####
+.. zeek:type:: DCE_RPC::BackingState
+   :source-code: base/protocols/dce-rpc/main.zeek 59 62
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: info :zeek:type:`DCE_RPC::Info`
+
+
+   .. zeek:field:: state :zeek:type:`DCE_RPC::State`
+
+
+
+.. zeek:type:: DCE_RPC::Info
+   :source-code: base/protocols/dce-rpc/main.zeek 11 41
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: rtt :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Round trip time from the request to the response.
+      If either the request or response wasn't seen,
+      this will be null.
+
+
+   .. zeek:field:: named_pipe :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Remote pipe name.
+      
+      Note that this value is from the "sec_addr" field in the
+      protocol. Zeek uses the "named_pipe" name for historical reasons,
+      but it may also contain local port numbers rather than named pipes.
+      
+      If you prefer to use the "secondary address" name, consider
+      using :zeek:see:`Log::default_field_name_map`, a ``Log::Filter``'s
+      :zeek:field:`Log::Filter$field_name_map` field, or removing
+      the :zeek:attr:`&log` attribute from this field, adding a
+      new :zeek:field:`sec_addr` field and populating it in a custom
+      :zeek:see:`dce_rpc_bind_ack` event handler based on the
+      :zeek:field:`named_pipe` value.
+
+
+   .. zeek:field:: endpoint :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Endpoint name looked up from the uuid.
+
+
+   .. zeek:field:: operation :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Operation seen in the call.
+
+
+
+.. zeek:type:: DCE_RPC::State
+   :source-code: base/protocols/dce-rpc/main.zeek 51 55
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: uuid :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: named_pipe :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: ctx_to_uuid :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string` :zeek:attr:`&optional`
+
+
+
+Hooks
+#####
+.. zeek:id:: DCE_RPC::finalize_dce_rpc
+   :source-code: base/protocols/dce-rpc/main.zeek 248 280
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   DCE_RPC finalization hook.  Remaining DCE_RPC info may get logged when it's called.
+
+.. zeek:id:: DCE_RPC::log_policy
+   :source-code: base/protocols/dce-rpc/main.zeek 9 9
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/dhcp/__load__.zeek.rst b/doc/scripts/base/protocols/dhcp/__load__.zeek.rst
new file mode 100644
index 0000000000..1ecfe50720
--- /dev/null
+++ b/doc/scripts/base/protocols/dhcp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/dhcp/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/dhcp/consts.zeek </scripts/base/protocols/dhcp/consts.zeek>`, :doc:`base/protocols/dhcp/main.zeek </scripts/base/protocols/dhcp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/dhcp/consts.zeek.rst b/doc/scripts/base/protocols/dhcp/consts.zeek.rst
new file mode 100644
index 0000000000..6372cdd0e1
--- /dev/null
+++ b/doc/scripts/base/protocols/dhcp/consts.zeek.rst
@@ -0,0 +1,231 @@
+:tocdepth: 3
+
+base/protocols/dhcp/consts.zeek
+===============================
+.. zeek:namespace:: DHCP
+
+Types, errors, and fields for analyzing DHCP data.  A helper file
+for DHCP analysis scripts.
+
+:Namespace: DHCP
+
+Summary
+~~~~~~~
+Constants
+#########
+================================================================================================ ===================================
+:zeek:id:`DHCP::message_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Types of DHCP messages.
+:zeek:id:`DHCP::option_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`  Option types mapped to their names.
+================================================================================================ ===================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: DHCP::message_types
+   :source-code: base/protocols/dhcp/consts.zeek 9 9
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "OFFER",
+            [14] = "BULKLEASEQUERY",
+            [6] = "NAK",
+            [15] = "LEASEQUERYDONE",
+            [16] = "ACTIVELEASEQUERY",
+            [8] = "INFORM",
+            [9] = "FORCERENEW",
+            [1] = "DISCOVER",
+            [11] = "LEASEUNASSIGNED",
+            [7] = "RELEASE",
+            [5] = "ACK",
+            [10] = "LEASEQUERY",
+            [4] = "DECLINE",
+            [12] = "LEASEUNKNOWN",
+            [13] = "LEASEACTIVE",
+            [18] = "TLS",
+            [3] = "REQUEST",
+            [17] = "LEASEQUERYSTATUS"
+         }
+
+
+   Types of DHCP messages. See :rfc:`1533`, :rfc:`3203`,
+   :rfc:`4388`, :rfc:`6926`, and :rfc:`7724`.
+
+.. zeek:id:: DHCP::option_types
+   :source-code: base/protocols/dhcp/consts.zeek 31 31
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [39] = "Keepalive Data",
+            [73] = "Finger-Server",
+            [46] = "NETBIOS Node Type",
+            [28] = "Broadcast Address",
+            [212] = "OPTION_6RD",
+            [9] = "LPR Server",
+            [68] = "Home-Agent-Addrs",
+            [53] = "DHCP Msg Type",
+            [71] = "NNTP-Server",
+            [52] = "Overload",
+            [41] = "NIS Servers",
+            [17] = "Root Path",
+            [119] = "Domain Search",
+            [81] = "Client FQDN",
+            [88] = "BCMCS Controller Domain Name list",
+            [29] = "Mask Discovery",
+            [133] = "IEEE 802.1D/p Layer 2 Priority",
+            [176] = "IP Telephone (Tentatively Assigned - 2005-06-23)",
+            [213] = "OPTION_V4_ACCESS_DOMAIN",
+            [54] = "DHCP Server Id",
+            [95] = "LDAP",
+            [90] = "Authentication",
+            [252] = "auto-proxy-config",
+            [146] = "RDNSS Selection",
+            [86] = "NDS Tree Name",
+            [1] = "Subnet Mask",
+            [116] = "Auto-Config",
+            [158] = "OPTION_V4_PCP_SERVER",
+            [35] = "ARP Timeout",
+            [135] = "HTTP Proxy for phone-specific applications",
+            [3] = "Router",
+            [114] = "URL",
+            [140] = "OPTION-IPv4_FQDN-MoS",
+            [44] = "NETBIOS Name Srv",
+            [129] = "PXE - undefined (vendor specific)",
+            [34] = "Trailers",
+            [45] = "NETBIOS Dist Srv",
+            [14] = "Merit Dump File",
+            [31] = "Router Discovery",
+            [82] = "Relay Agent Information",
+            [56] = "DHCP Message",
+            [7] = "Log Server",
+            [66] = "Server-Name",
+            [26] = "MTU Interface",
+            [128] = "PXE - undefined (vendor specific)",
+            [175] = "Etherboot (Tentatively Assigned - 2005-06-23)",
+            [47] = "NETBIOS Scope",
+            [70] = "POP3-Server",
+            [93] = "Client System",
+            [2] = "Time Offset",
+            [132] = "IEEE 802.1Q VLAN ID",
+            [72] = "WWW-Server",
+            [24] = "MTU Timeout",
+            [69] = "SMTP-Server",
+            [99] = "GEOCONF_CIVIC",
+            [161] = "OPTION_MUD_URL_V4 (TEMPORARY - registered 2016-11-17)",
+            [61] = "Client Id",
+            [60] = "Class Id",
+            [51] = "Address Time",
+            [37] = "Default TCP TTL",
+            [18] = "Extension File",
+            [157] = "data-source",
+            [0] = "Pad",
+            [220] = "Subnet Allocation Option",
+            [137] = "OPTION_V4_LOST",
+            [94] = "Client NDI",
+            [19] = "Forward On/Off",
+            [20] = "SrcRte On/Off",
+            [33] = "Static Route",
+            [75] = "StreetTalk-Server",
+            [67] = "Bootfile-Name",
+            [30] = "Mask Supplier",
+            [15] = "Domain Name",
+            [77] = "User-Class",
+            [64] = "NIS-Domain-Name",
+            [211] = "Reboot Time",
+            [91] = "client-last-transaction-time option",
+            [156] = "dhcp-state",
+            [177] = "PacketCable and CableHome (replaced by 122)",
+            [97] = "UUID/GUID",
+            [55] = "Parameter List",
+            [21] = "Policy Filter",
+            [221] = "Virtual Subnet Selection (VSS) Option",
+            [4] = "Time Server",
+            [124] = "V-I Vendor Class",
+            [130] = "PXE - undefined (vendor specific)",
+            [12] = "Hostname",
+            [155] = "query-end-time",
+            [58] = "Renewal Time",
+            [134] = "Diffserv Code Point (DSCP) for VoIP signalling and media streams",
+            [80] = "Rapid Commit",
+            [150] = "TFTP server address",
+            [76] = "STDA-Server",
+            [25] = "MTU Plateau",
+            [142] = "OPTION-IPv4_Address-ANDSF",
+            [16] = "Swap Server",
+            [255] = "End",
+            [59] = "Rebinding Time",
+            [210] = "Path Prefix",
+            [38] = "Keepalive Time",
+            [154] = "query-start-time",
+            [63] = "NetWare/IP Option",
+            [42] = "NTP Servers",
+            [57] = "DHCP Max Msg Size",
+            [78] = "Directory Agent",
+            [98] = "User-Auth",
+            [113] = "Netinfo Tag",
+            [11] = "RLP Server",
+            [22] = "Max DG Assembly",
+            [43] = "Vendor Specific",
+            [136] = "OPTION_PANA_AGENT",
+            [144] = "GeoLoc",
+            [40] = "NIS Domain",
+            [151] = "status-code",
+            [208] = "PXELINUX Magic",
+            [36] = "Ethernet",
+            [6] = "Domain Server",
+            [141] = "SIP UA Configuration Service Domains",
+            [125] = "V-I Vendor-Specific Information",
+            [8] = "Quotes Server",
+            [23] = "Default IP TTL",
+            [27] = "MTU Subnet",
+            [145] = "FORCERENEW_NONCE_CAPABLE",
+            [83] = "iSNS",
+            [122] = "CCC",
+            [159] = "OPTION_V4_PORTPARAMS",
+            [92] = "associated-ip option",
+            [10] = "Impress Server",
+            [65] = "NIS-Server-Addr",
+            [13] = "Boot File Size",
+            [32] = "Router Request",
+            [74] = "IRC-Server",
+            [62] = "NetWare/IP Domain",
+            [101] = "TCode",
+            [89] = "BCMCS Controller IPv4 address option",
+            [118] = "Subnet Selection Option",
+            [138] = "OPTION_CAPWAP_AC_V4",
+            [160] = "DHCP Captive-Portal",
+            [139] = "OPTION-IPv4_Address-MoS",
+            [120] = "SIP Servers DHCP Option",
+            [152] = "base-time",
+            [50] = "Address Request",
+            [79] = "Service Scope",
+            [121] = "Classless Static Route Option",
+            [48] = "X Window Font",
+            [85] = "NDS Servers",
+            [49] = "X Window Manager",
+            [209] = "Configuration File",
+            [112] = "Netinfo Address",
+            [5] = "Name Server",
+            [100] = "PCode",
+            [117] = "Name Service Search",
+            [123] = "GeoConf Option",
+            [131] = "PXE - undefined (vendor specific)",
+            [87] = "NDS Context",
+            [153] = "start-time-of-state"
+         }
+
+
+   Option types mapped to their names.
+
+
diff --git a/doc/scripts/base/protocols/dhcp/index.rst b/doc/scripts/base/protocols/dhcp/index.rst
new file mode 100644
index 0000000000..df4d909b76
--- /dev/null
+++ b/doc/scripts/base/protocols/dhcp/index.rst
@@ -0,0 +1,23 @@
+:orphan:
+
+Package: base/protocols/dhcp
+============================
+
+Support for Dynamic Host Configuration Protocol (DHCP) analysis.
+
+:doc:`/scripts/base/protocols/dhcp/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/dhcp/consts.zeek`
+
+   Types, errors, and fields for analyzing DHCP data.  A helper file
+   for DHCP analysis scripts.
+
+:doc:`/scripts/base/protocols/dhcp/main.zeek`
+
+   Analyze DHCP traffic and provide a log that is organized around
+   the idea of a DHCP "conversation" defined by messages exchanged within
+   a relatively short period of time using the same transaction ID.
+   The log will have information from clients and servers to give a more
+   complete picture of what happened.
+
diff --git a/doc/scripts/base/protocols/dhcp/main.zeek.rst b/doc/scripts/base/protocols/dhcp/main.zeek.rst
new file mode 100644
index 0000000000..d7911b7abc
--- /dev/null
+++ b/doc/scripts/base/protocols/dhcp/main.zeek.rst
@@ -0,0 +1,360 @@
+:tocdepth: 3
+
+base/protocols/dhcp/main.zeek
+=============================
+.. zeek:namespace:: DHCP
+
+Analyze DHCP traffic and provide a log that is organized around
+the idea of a DHCP "conversation" defined by messages exchanged within
+a relatively short period of time using the same transaction ID.
+The log will have information from clients and servers to give a more
+complete picture of what happened.
+
+:Namespace: DHCP
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/dhcp/consts.zeek </scripts/base/protocols/dhcp/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+==================================================================================== ================================================================
+:zeek:id:`DHCP::max_msg_types_per_log_entry`: :zeek:type:`count` :zeek:attr:`&redef` The maximum number of msg_types allowed in a single log entry.
+:zeek:id:`DHCP::max_txid_watch_time`: :zeek:type:`interval` :zeek:attr:`&redef`      The maximum amount of time that a transaction ID will be watched
+                                                                                     for to try and tie messages together into a single DHCP
+                                                                                     transaction narrative.
+:zeek:id:`DHCP::max_uids_per_log_entry`: :zeek:type:`count` :zeek:attr:`&redef`      The maximum number of uids allowed in a single log entry.
+==================================================================================== ================================================================
+
+State Variables
+###############
+================================================== ========================================================
+:zeek:id:`DHCP::log_info`: :zeek:type:`DHCP::Info` This is a global variable that is only to be used in the
+                                                   :zeek:see:`DHCP::aggregate_msgs` event.
+================================================== ========================================================
+
+Types
+#####
+============================================ =================================================================
+:zeek:type:`DHCP::Info`: :zeek:type:`record` The record type which contains the column fields of the DHCP log.
+============================================ =================================================================
+
+Redefinitions
+#############
+==================================================================== ===========================================================
+:zeek:type:`DHCP::Info`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`DHCP::Info`
+                                                                     
+                                                                       last_message_ts: :zeek:type:`time` :zeek:attr:`&optional`
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`DHCP::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       dhcp: :zeek:type:`DHCP::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ===========================================================
+
+Events
+######
+=================================================== ================================================================
+:zeek:id:`DHCP::aggregate_msgs`: :zeek:type:`event` This event is used internally to distribute data around clusters
+                                                    since DHCP doesn't follow the normal "connection" model used by
+                                                    most protocols.
+:zeek:id:`DHCP::log_dhcp`: :zeek:type:`event`       Event that can be handled to access the DHCP
+                                                    record as it is sent on to the logging framework.
+=================================================== ================================================================
+
+Hooks
+#####
+========================================================= =
+:zeek:id:`DHCP::log_policy`: :zeek:type:`Log::PolicyHook` 
+========================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: DHCP::max_msg_types_per_log_entry
+   :source-code: base/protocols/dhcp/main.zeek 98 98
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``50``
+
+   The maximum number of msg_types allowed in a single log entry.
+
+.. zeek:id:: DHCP::max_txid_watch_time
+   :source-code: base/protocols/dhcp/main.zeek 92 92
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``30.0 secs``
+
+   The maximum amount of time that a transaction ID will be watched
+   for to try and tie messages together into a single DHCP
+   transaction narrative.
+
+.. zeek:id:: DHCP::max_uids_per_log_entry
+   :source-code: base/protocols/dhcp/main.zeek 95 95
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   The maximum number of uids allowed in a single log entry.
+
+State Variables
+###############
+.. zeek:id:: DHCP::log_info
+   :source-code: base/protocols/dhcp/main.zeek 110 110
+
+   :Type: :zeek:type:`DHCP::Info`
+   :Default:
+
+      ::
+
+         {
+            ts=<uninitialized>
+            uids={
+
+            }
+            client_addr=<uninitialized>
+            server_addr=<uninitialized>
+            client_port=<uninitialized>
+            server_port=<uninitialized>
+            mac=<uninitialized>
+            host_name=<uninitialized>
+            client_fqdn=<uninitialized>
+            domain=<uninitialized>
+            requested_addr=<uninitialized>
+            assigned_addr=<uninitialized>
+            lease_time=<uninitialized>
+            client_message=<uninitialized>
+            server_message=<uninitialized>
+            msg_types=[]
+            duration=0 secs
+            client_chaddr=<uninitialized>
+            last_message_ts=<uninitialized>
+            msg_orig=[]
+            client_software=<uninitialized>
+            server_software=<uninitialized>
+            circuit_id=<uninitialized>
+            agent_remote_id=<uninitialized>
+            subscriber_id=<uninitialized>
+         }
+
+
+   This is a global variable that is only to be used in the
+   :zeek:see:`DHCP::aggregate_msgs` event. It can be used to avoid
+   looking up the info record for a transaction ID in every event handler
+   for :zeek:see:`DHCP::aggregate_msgs`.
+
+Types
+#####
+.. zeek:type:: DHCP::Info
+   :source-code: base/protocols/dhcp/main.zeek 18 87
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The earliest time at which a DHCP message over the
+      associated connection is observed.
+
+
+   .. zeek:field:: uids :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log`
+
+      A series of unique identifiers of the connections over which
+      DHCP is occurring.  This behavior with multiple connections is
+      unique to DHCP because of the way it uses broadcast packets
+      on local networks.
+
+
+   .. zeek:field:: client_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      IP address of the client.  If a transaction
+      is only a client sending INFORM messages then
+      there is no lease information exchanged so this
+      is helpful to know who sent the messages.
+      Getting an address in this field does require
+      that the client sources at least one DHCP message
+      using a non-broadcast address.
+
+
+   .. zeek:field:: server_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      IP address of the server involved in actually
+      handing out the lease.  There could be other
+      servers replying with OFFER messages which won't
+      be represented here.  Getting an address in this
+      field also requires that the server handing out
+      the lease also sources packets from a non-broadcast
+      IP address.
+
+
+   .. zeek:field:: client_port :zeek:type:`port` :zeek:attr:`&optional`
+
+      Client port number seen at time of server handing out IP (expected
+      as 68/udp).
+
+
+   .. zeek:field:: server_port :zeek:type:`port` :zeek:attr:`&optional`
+
+      Server port number seen at time of server handing out IP (expected
+      as 67/udp).
+
+
+   .. zeek:field:: mac :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Client's hardware address.
+
+
+   .. zeek:field:: host_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Name given by client in Hostname option 12.
+
+
+   .. zeek:field:: client_fqdn :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      FQDN given by client in Client FQDN option 81.
+
+
+   .. zeek:field:: domain :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Domain given by the server in option 15.
+
+
+   .. zeek:field:: requested_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      IP address requested by the client.
+
+
+   .. zeek:field:: assigned_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      IP address assigned by the server.
+
+
+   .. zeek:field:: lease_time :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      IP address lease interval.
+
+
+   .. zeek:field:: client_message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Message typically accompanied with a DHCP_DECLINE
+      so the client can tell the server why it rejected
+      an address.
+
+
+   .. zeek:field:: server_message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Message typically accompanied with a DHCP_NAK to let
+      the client know why it rejected the request.
+
+
+   .. zeek:field:: msg_types :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      The DHCP message types seen by this DHCP transaction
+
+
+   .. zeek:field:: duration :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`
+
+      Duration of the DHCP "session" representing the
+      time from the first message to the last.
+
+
+   .. zeek:field:: client_chaddr :zeek:type:`string` :zeek:attr:`&optional`
+
+      The CHADDR field sent by the client.
+
+
+   .. zeek:field:: last_message_ts :zeek:type:`time` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: msg_orig :zeek:type:`vector` of :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dhcp/msg-orig.zeek` is loaded)
+
+      The address that originated each message from the
+      `msg_types` field.
+
+
+   .. zeek:field:: client_software :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dhcp/software.zeek` is loaded)
+
+      Software reported by the client in the `vendor_class` option.
+
+
+   .. zeek:field:: server_software :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dhcp/software.zeek` is loaded)
+
+      Software reported by the server in the `vendor_class` option.
+
+
+   .. zeek:field:: circuit_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.zeek` is loaded)
+
+      Added by DHCP relay agents which terminate switched or
+      permanent circuits.  It encodes an agent-local identifier
+      of the circuit from which a DHCP client-to-server packet was
+      received.  Typically it should represent a router or switch
+      interface number.
+
+
+   .. zeek:field:: agent_remote_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.zeek` is loaded)
+
+      A globally unique identifier added by relay agents to identify
+      the remote host end of the circuit.
+
+
+   .. zeek:field:: subscriber_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.zeek` is loaded)
+
+      The subscriber ID is a value independent of the physical
+      network configuration so that a customer's DHCP configuration
+      can be given to them correctly no matter where they are
+      physically connected.
+
+
+   The record type which contains the column fields of the DHCP log.
+
+Events
+######
+.. zeek:id:: DHCP::aggregate_msgs
+   :source-code: base/protocols/dhcp/main.zeek 104 104
+
+   :Type: :zeek:type:`event` (ts: :zeek:type:`time`, id: :zeek:type:`conn_id`, uid: :zeek:type:`string`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`DHCP::Msg`, options: :zeek:type:`DHCP::Options`)
+
+   This event is used internally to distribute data around clusters
+   since DHCP doesn't follow the normal "connection" model used by
+   most protocols. It can also be handled to extend the DHCP log.
+   :zeek:see:`DHCP::log_info`.
+
+.. zeek:id:: DHCP::log_dhcp
+   :source-code: policy/protocols/dhcp/software.zeek 40 65
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`DHCP::Info`)
+
+   Event that can be handled to access the DHCP
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: DHCP::log_policy
+   :source-code: base/protocols/dhcp/main.zeek 15 15
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/dnp3/__load__.zeek.rst b/doc/scripts/base/protocols/dnp3/__load__.zeek.rst
new file mode 100644
index 0000000000..4b580117df
--- /dev/null
+++ b/doc/scripts/base/protocols/dnp3/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/dnp3/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/dnp3/main.zeek </scripts/base/protocols/dnp3/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/dnp3/consts.zeek.rst b/doc/scripts/base/protocols/dnp3/consts.zeek.rst
new file mode 100644
index 0000000000..9030c29e47
--- /dev/null
+++ b/doc/scripts/base/protocols/dnp3/consts.zeek.rst
@@ -0,0 +1,75 @@
+:tocdepth: 3
+
+base/protocols/dnp3/consts.zeek
+===============================
+.. zeek:namespace:: DNP3
+
+
+:Namespace: DNP3
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+===================================================================================================================== =======================================
+:zeek:id:`DNP3::function_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef` Standard defined Modbus function codes.
+===================================================================================================================== =======================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: DNP3::function_codes
+   :source-code: base/protocols/dnp3/consts.zeek 6 6
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [19] = "SAVE_CONFIG",
+            [20] = "ENABLE_UNSOLICITED",
+            [33] = "AUTHENTICATE_REQ_NR",
+            [14] = "WARM_RESTART",
+            [15] = "INITIALIZE_DATA",
+            [6] = "DIRECT_OPERATE_NR",
+            [30] = "ABORT_FILE",
+            [31] = "ACTIVATE_CONFIG",
+            [28] = "GET_FILE_INFO",
+            [23] = "DELAY_MEASURE",
+            [8] = "IMMED_FREEZE_NR",
+            [27] = "DELETE_FILE",
+            [9] = "FREEZE_CLEAR",
+            [7] = "IMMED_FREEZE",
+            [10] = "FREEZE_CLEAR_NR",
+            [21] = "DISABLE_UNSOLICITED",
+            [4] = "OPERATE",
+            [26] = "CLOSE_FILE",
+            [13] = "COLD_RESTART",
+            [12] = "FREEZE_AT_TIME_NR",
+            [32] = "AUTHENTICATE_REQ",
+            [130] = "UNSOLICITED_RESPONSE",
+            [17] = "START_APPL",
+            [25] = "OPEN_FILE",
+            [2] = "WRITE",
+            [29] = "AUTHENTICATE_FILE",
+            [16] = "INITIALIZE_APPL",
+            [24] = "RECORD_CURRENT_TIME",
+            [1] = "READ",
+            [11] = "FREEZE_AT_TIME",
+            [5] = "DIRECT_OPERATE",
+            [22] = "ASSIGN_CLASS",
+            [18] = "STOP_APPL",
+            [3] = "SELECT",
+            [0] = "CONFIRM",
+            [131] = "AUTHENTICATE_RESP",
+            [129] = "RESPONSE"
+         }
+
+
+   Standard defined Modbus function codes.
+
+
diff --git a/doc/scripts/base/protocols/dnp3/index.rst b/doc/scripts/base/protocols/dnp3/index.rst
new file mode 100644
index 0000000000..210b2dd1e7
--- /dev/null
+++ b/doc/scripts/base/protocols/dnp3/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: base/protocols/dnp3
+============================
+
+Support for Distributed Network Protocol (DNP3) analysis.
+
+:doc:`/scripts/base/protocols/dnp3/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/dnp3/main.zeek`
+
+   A very basic DNP3 analysis script that just logs requests and replies.
+
+:doc:`/scripts/base/protocols/dnp3/consts.zeek`
+
+
diff --git a/doc/scripts/base/protocols/dnp3/main.zeek.rst b/doc/scripts/base/protocols/dnp3/main.zeek.rst
new file mode 100644
index 0000000000..3797bc994c
--- /dev/null
+++ b/doc/scripts/base/protocols/dnp3/main.zeek.rst
@@ -0,0 +1,115 @@
+:tocdepth: 3
+
+base/protocols/dnp3/main.zeek
+=============================
+.. zeek:namespace:: DNP3
+
+A very basic DNP3 analysis script that just logs requests and replies.
+
+:Namespace: DNP3
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/dnp3/consts.zeek </scripts/base/protocols/dnp3/consts.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================ =
+:zeek:type:`DNP3::Info`: :zeek:type:`record` 
+============================================ =
+
+Redefinitions
+#############
+==================================================================== ======================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`DNP3::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       dnp3: :zeek:type:`DNP3::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ======================================================
+
+Events
+######
+============================================= ====================================================================
+:zeek:id:`DNP3::log_dnp3`: :zeek:type:`event` Event that can be handled to access the DNP3 record as it is sent on
+                                              to the logging framework.
+============================================= ====================================================================
+
+Hooks
+#####
+============================================================== =======================
+:zeek:id:`DNP3::finalize_dnp3`: :zeek:type:`Conn::RemovalHook` DNP3 finalization hook.
+:zeek:id:`DNP3::log_policy`: :zeek:type:`Log::PolicyHook`      
+============================================================== =======================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: DNP3::Info
+   :source-code: base/protocols/dnp3/main.zeek 13 26
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time of the request.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique identifier for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      Identifier for the connection.
+
+
+   .. zeek:field:: fc_request :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The name of the function message in the request.
+
+
+   .. zeek:field:: fc_reply :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The name of the function message in the reply.
+
+
+   .. zeek:field:: iin :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The response's "internal indication number".
+
+
+
+Events
+######
+.. zeek:id:: DNP3::log_dnp3
+   :source-code: base/protocols/dnp3/main.zeek 30 30
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`DNP3::Info`)
+
+   Event that can be handled to access the DNP3 record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: DNP3::finalize_dnp3
+   :source-code: base/protocols/dnp3/main.zeek 78 85
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   DNP3 finalization hook.  Remaining DNP3 info may get logged when it's called.
+
+.. zeek:id:: DNP3::log_policy
+   :source-code: base/protocols/dnp3/main.zeek 11 11
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/dns/__load__.zeek.rst b/doc/scripts/base/protocols/dns/__load__.zeek.rst
new file mode 100644
index 0000000000..45908eabee
--- /dev/null
+++ b/doc/scripts/base/protocols/dns/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/dns/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/dns/check-event-handlers.zeek </scripts/base/protocols/dns/check-event-handlers.zeek>`, :doc:`base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>`, :doc:`base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/dns/check-event-handlers.zeek.rst b/doc/scripts/base/protocols/dns/check-event-handlers.zeek.rst
new file mode 100644
index 0000000000..502d4b699c
--- /dev/null
+++ b/doc/scripts/base/protocols/dns/check-event-handlers.zeek.rst
@@ -0,0 +1,17 @@
+:tocdepth: 3
+
+base/protocols/dns/check-event-handlers.zeek
+============================================
+.. zeek:namespace:: DNS
+
+This script checks if DNS event handlers that will not be raised
+are used and raises a warning in those cases.
+
+:Namespace: DNS
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/dns/consts.zeek.rst b/doc/scripts/base/protocols/dns/consts.zeek.rst
new file mode 100644
index 0000000000..728e4c1a51
--- /dev/null
+++ b/doc/scripts/base/protocols/dns/consts.zeek.rst
@@ -0,0 +1,325 @@
+:tocdepth: 3
+
+base/protocols/dns/consts.zeek
+==============================
+.. zeek:namespace:: DNS
+
+Types, errors, and fields for analyzing DNS data.  A helper file
+for DNS analysis scripts.
+
+:Namespace: DNS
+
+Summary
+~~~~~~~
+Constants
+#########
+=============================================================================================== ======================================================================
+:zeek:id:`DNS::ANY`: :zeek:type:`count`                                                         A QTYPE value describing a request for all records.
+:zeek:id:`DNS::EDNS`: :zeek:type:`count`                                                        An OPT RR TYPE value described by EDNS.
+:zeek:id:`DNS::PTR`: :zeek:type:`count`                                                         RR TYPE value for a domain name pointer.
+:zeek:id:`DNS::algorithms`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`    Possible values of the algorithms used in DNSKEY, DS and RRSIG records
+:zeek:id:`DNS::base_errors`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`   Errors used for non-TSIG/EDNS types.
+:zeek:id:`DNS::classes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`       Possible values of the CLASS field in resource records or QCLASS
+                                                                                                field in query messages.
+:zeek:id:`DNS::digests`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`       Possible digest types used in DNSSEC.
+:zeek:id:`DNS::edns_zfield`: :zeek:type:`table` :zeek:attr:`&default` = ``"?"``                 This deciphers EDNS Z field values.
+:zeek:id:`DNS::query_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`   Mapping of DNS query type codes to human readable string
+                                                                                                representation.
+:zeek:id:`DNS::svcparam_keys`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` SVCB/HTTPS SvcParam keys as defined in
+                                                                                                https://datatracker.ietf.org/doc/html/rfc9460#name-initial-contents
+                                                                                                Keep in sync with src/analyzer/protocol/dns/DNS.h SVCPARAM_Key.
+=============================================================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: DNS::ANY
+   :source-code: base/protocols/dns/consts.zeek 9 9
+
+   :Type: :zeek:type:`count`
+   :Default: ``255``
+
+   A QTYPE value describing a request for all records.
+
+.. zeek:id:: DNS::EDNS
+   :source-code: base/protocols/dns/consts.zeek 8 8
+
+   :Type: :zeek:type:`count`
+   :Default: ``41``
+
+   An OPT RR TYPE value described by EDNS.
+
+.. zeek:id:: DNS::PTR
+   :source-code: base/protocols/dns/consts.zeek 7 7
+
+   :Type: :zeek:type:`count`
+   :Default: ``12``
+
+   RR TYPE value for a domain name pointer.
+
+.. zeek:id:: DNS::algorithms
+   :source-code: base/protocols/dns/consts.zeek 154 154
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [254] = "PrivateOID",
+            [2] = "Diffie_Hellman",
+            [15] = "Ed25519",
+            [6] = "DSA_NSEC3_SHA1",
+            [14] = "ECDSA_curveP384withSHA384",
+            [16] = "Ed448",
+            [255] = "reserved255",
+            [8] = "RSA_SHA256",
+            [252] = "Indirect",
+            [253] = "PrivateDNS",
+            [1] = "RSA_MD5",
+            [5] = "RSA_SHA1",
+            [7] = "RSA_SHA1_NSEC3_SHA1",
+            [10] = "RSA_SHA512",
+            [4] = "Elliptic_Curve",
+            [12] = "GOST_R_34_10_2001",
+            [13] = "ECDSA_curveP256withSHA256",
+            [3] = "DSA_SHA1",
+            [0] = "reserved0"
+         }
+
+
+   Possible values of the algorithms used in DNSKEY, DS and RRSIG records
+
+.. zeek:id:: DNS::base_errors
+   :source-code: base/protocols/dns/consts.zeek 107 107
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [19] = "BADMODE",
+            [3842] = "BADSIG",
+            [20] = "BADNAME",
+            [2] = "SERVFAIL",
+            [14] = "unassigned-14",
+            [15] = "unassigned-15",
+            [6] = "YXDOMAIN",
+            [16] = "BADVERS",
+            [8] = "NXRRSet",
+            [23] = "BADCOOKIE",
+            [9] = "NOTAUTH",
+            [1] = "FORMERR",
+            [11] = "unassigned-11",
+            [7] = "YXRRSET",
+            [5] = "REFUSED",
+            [10] = "NOTZONE",
+            [21] = "BADALG",
+            [4] = "NOTIMP",
+            [22] = "BADTRUNC",
+            [13] = "unassigned-13",
+            [12] = "unassigned-12",
+            [18] = "BADTIME",
+            [17] = "BADKEY",
+            [3] = "NXDOMAIN",
+            [0] = "NOERROR"
+         }
+
+
+   Errors used for non-TSIG/EDNS types.
+
+.. zeek:id:: DNS::classes
+   :source-code: base/protocols/dns/consts.zeek 144 144
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [254] = "C_NONE",
+            [2] = "C_CSNET",
+            [3] = "C_CHAOS",
+            [255] = "C_ANY",
+            [4] = "C_HESIOD",
+            [1] = "C_INTERNET"
+         }
+
+
+   Possible values of the CLASS field in resource records or QCLASS
+   field in query messages.
+
+.. zeek:id:: DNS::digests
+   :source-code: base/protocols/dns/consts.zeek 177 177
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [0] = "reserved0",
+            [2] = "SHA256",
+            [4] = "SHA384",
+            [1] = "SHA1",
+            [3] = "GOST_R_34_11_94"
+         }
+
+
+   Possible digest types used in DNSSEC.
+
+.. zeek:id:: DNS::edns_zfield
+   :source-code: base/protocols/dns/consts.zeek 137 137
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = ``"?"``
+   :Default:
+
+      ::
+
+         {
+            [0] = "NOVALUE",
+            [32768] = "DNS_SEC_OK"
+         }
+
+
+   This deciphers EDNS Z field values.
+
+.. zeek:id:: DNS::query_types
+   :source-code: base/protocols/dns/consts.zeek 13 13
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [19] = "X25",
+            [20] = "ISDN",
+            [33] = "SRV",
+            [39] = "DNAME",
+            [30] = "NXT",
+            [46] = "RRSIG",
+            [15] = "MX",
+            [65422] = "XPF",
+            [28] = "AAAA",
+            [64] = "SVCB",
+            [106] = "L64",
+            [9] = "MR",
+            [253] = "MAILB",
+            [107] = "LP",
+            [53] = "SMIMEA",
+            [55] = "HIP",
+            [52] = "TLSA",
+            [251] = "IXFR",
+            [21] = "RT",
+            [4] = "MF",
+            [12] = "PTR",
+            [41] = "OPT",
+            [58] = "TALINK",
+            [17] = "RP",
+            [105] = "L32",
+            [254] = "MAILA",
+            [32768] = "TA",
+            [25] = "KEY",
+            [32769] = "DLV",
+            [65281] = "WINS",
+            [29] = "LOC",
+            [16] = "TXT",
+            [255] = "*",
+            [59] = "CDS",
+            [38] = "A6",
+            [252] = "AXFR",
+            [63] = "ZONEMD",
+            [42] = "APL",
+            [57] = "RKEY",
+            [1] = "A",
+            [11] = "WKS",
+            [35] = "NAPTR",
+            [108] = "EUI48",
+            [22] = "NSAP",
+            [256] = "URI",
+            [43] = "DS",
+            [102] = "GID",
+            [257] = "CAA",
+            [65521] = "INTEGRITY",
+            [3] = "MD",
+            [44] = "SSHFP",
+            [34] = "ATMA",
+            [45] = "IPSECKEY",
+            [40] = "SINK",
+            [36] = "KX",
+            [250] = "TSIG",
+            [14] = "MINFO",
+            [6] = "SOA",
+            [31] = "EID",
+            [23] = "NSAP-PTR",
+            [8] = "MG",
+            [27] = "GPOS",
+            [56] = "NINFO",
+            [7] = "MB",
+            [10] = "NULL",
+            [32] = "NIMLOC",
+            [13] = "HINFO",
+            [26] = "PX",
+            [65] = "HTTPS",
+            [62] = "CSYNC",
+            [101] = "UID",
+            [47] = "NSEC",
+            [50] = "NSEC3",
+            [2] = "NS",
+            [65282] = "WINS-R",
+            [48] = "DNSKEY",
+            [24] = "SIG",
+            [99] = "SPF",
+            [49] = "DHCID",
+            [109] = "EUI64",
+            [249] = "TKEY",
+            [103] = "UNSPEC",
+            [5] = "CNAME",
+            [104] = "NID",
+            [61] = "OPENPGPKEY",
+            [60] = "CDNSKEY",
+            [100] = "UINFO",
+            [51] = "NSEC3PARAM",
+            [37] = "CERT",
+            [18] = "AFSDB"
+         }
+
+
+   Mapping of DNS query type codes to human readable string
+   representation.
+
+.. zeek:id:: DNS::svcparam_keys
+   :source-code: base/protocols/dns/consts.zeek 188 188
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "no-default-alpn",
+            [3] = "port",
+            [5] = "ech",
+            [0] = "mandatory",
+            [6] = "ipv6hint",
+            [4] = "ipv4hint",
+            [1] = "alpn"
+         }
+
+
+   SVCB/HTTPS SvcParam keys as defined in
+   https://datatracker.ietf.org/doc/html/rfc9460#name-initial-contents
+   Keep in sync with src/analyzer/protocol/dns/DNS.h SVCPARAM_Key.
+
+
diff --git a/doc/scripts/base/protocols/dns/index.rst b/doc/scripts/base/protocols/dns/index.rst
new file mode 100644
index 0000000000..6f3228c611
--- /dev/null
+++ b/doc/scripts/base/protocols/dns/index.rst
@@ -0,0 +1,25 @@
+:orphan:
+
+Package: base/protocols/dns
+===========================
+
+Support for Domain Name System (DNS) protocol analysis.
+
+:doc:`/scripts/base/protocols/dns/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/dns/consts.zeek`
+
+   Types, errors, and fields for analyzing DNS data.  A helper file
+   for DNS analysis scripts.
+
+:doc:`/scripts/base/protocols/dns/main.zeek`
+
+   Base DNS analysis script which tracks and logs DNS queries along with
+   their responses.
+
+:doc:`/scripts/base/protocols/dns/check-event-handlers.zeek`
+
+   This script checks if DNS event handlers that will not be raised
+   are used and raises a warning in those cases.
+
diff --git a/doc/scripts/base/protocols/dns/main.zeek.rst b/doc/scripts/base/protocols/dns/main.zeek.rst
new file mode 100644
index 0000000000..42580099c8
--- /dev/null
+++ b/doc/scripts/base/protocols/dns/main.zeek.rst
@@ -0,0 +1,377 @@
+:tocdepth: 3
+
+base/protocols/dns/main.zeek
+============================
+.. zeek:namespace:: DNS
+
+Base DNS analysis script which tracks and logs DNS queries along with
+their responses.
+
+:Namespace: DNS
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>`, :doc:`base/utils/queue.zeek </scripts/base/utils/queue.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================= =======================================================================
+:zeek:id:`DNS::max_pending_msgs`: :zeek:type:`count` :zeek:attr:`&redef`      Give up trying to match pending DNS queries or replies for a given
+                                                                              query/transaction ID once this number of unmatched queries or replies
+                                                                              is reached (this shouldn't happen unless either the DNS server/resolver
+                                                                              is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
+                                                                              response is ongoing).
+:zeek:id:`DNS::max_pending_query_ids`: :zeek:type:`count` :zeek:attr:`&redef` Give up trying to match pending DNS queries or replies across all
+                                                                              query/transaction IDs once there is at least one unmatched query or
+                                                                              reply across this number of different query IDs.
+============================================================================= =======================================================================
+
+Types
+#####
+===================================================== ================================================================
+:zeek:type:`DNS::Info`: :zeek:type:`record`           The record type which contains the column fields of the DNS log.
+:zeek:type:`DNS::PendingMessages`: :zeek:type:`table` Yields a queue of :zeek:see:`DNS::Info` objects for a given
+                                                      DNS message query/transaction ID.
+:zeek:type:`DNS::State`: :zeek:type:`record`          A record type which tracks the status of DNS queries for a given
+                                                      :zeek:type:`connection`.
+===================================================== ================================================================
+
+Redefinitions
+#############
+==================================================================== ===========================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              The DNS logging stream identifier.
+                                                                     
+                                                                     * :zeek:enum:`DNS::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       dns: :zeek:type:`DNS::Info` :zeek:attr:`&optional`
+                                                                     
+                                                                       dns_state: :zeek:type:`DNS::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ===========================================================
+
+Events
+######
+=========================================== =================================================================
+:zeek:id:`DNS::log_dns`: :zeek:type:`event` An event that can be handled to access the :zeek:type:`DNS::Info`
+                                            record as it is sent to the logging framework.
+=========================================== =================================================================
+
+Hooks
+#####
+============================================================ =================================================================
+:zeek:id:`DNS::do_reply`: :zeek:type:`hook`                  This is called by the specific dns_*_reply events with a "reply"
+                                                             which may not represent the full data available from the resource
+                                                             record, but it's generally considered a summarization of the
+                                                             responses.
+:zeek:id:`DNS::finalize_dns`: :zeek:type:`Conn::RemovalHook` DNS finalization hook.
+:zeek:id:`DNS::log_policy`: :zeek:type:`Log::PolicyHook`     A default logging policy hook for the stream.
+:zeek:id:`DNS::set_session`: :zeek:type:`hook`               A hook that is called whenever a session is being set.
+============================================================ =================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: DNS::max_pending_msgs
+   :source-code: base/protocols/dns/main.zeek 126 126
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``50``
+
+   Give up trying to match pending DNS queries or replies for a given
+   query/transaction ID once this number of unmatched queries or replies
+   is reached (this shouldn't happen unless either the DNS server/resolver
+   is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
+   response is ongoing).
+
+.. zeek:id:: DNS::max_pending_query_ids
+   :source-code: base/protocols/dns/main.zeek 131 131
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``50``
+
+   Give up trying to match pending DNS queries or replies across all
+   query/transaction IDs once there is at least one unmatched query or
+   reply across this number of different query IDs.
+
+Types
+#####
+.. zeek:type:: DNS::Info
+   :source-code: base/protocols/dns/main.zeek 18 86
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The earliest time at which a DNS protocol message over the
+      associated connection is observed.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      A unique identifier of the connection over which DNS messages
+      are being transferred.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log`
+
+      The transport layer protocol of the connection.
+
+
+   .. zeek:field:: trans_id :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A 16-bit identifier assigned by the program that generated
+      the DNS query.  Also used in responses to match up replies to
+      outstanding queries.
+
+
+   .. zeek:field:: rtt :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Round trip time for the query and response. This indicates
+      the delay between when the request was seen until the
+      answer started.
+
+
+   .. zeek:field:: query :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The domain name that is the subject of the DNS query.
+
+
+   .. zeek:field:: qclass :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The QCLASS value specifying the class of the query.
+
+
+   .. zeek:field:: qclass_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A descriptive name for the class of the query.
+
+
+   .. zeek:field:: qtype :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A QTYPE value specifying the type of the query.
+
+
+   .. zeek:field:: qtype_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A descriptive name for the type of the query.
+
+
+   .. zeek:field:: rcode :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The response code value in DNS response messages.
+
+
+   .. zeek:field:: rcode_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A descriptive name for the response code value.
+
+
+   .. zeek:field:: AA :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      The Authoritative Answer bit for response messages specifies
+      that the responding name server is an authority for the
+      domain name in the question section.
+
+
+   .. zeek:field:: TC :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      The Truncation bit specifies that the message was truncated.
+
+
+   .. zeek:field:: RD :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      The Recursion Desired bit in a request message indicates that
+      the client wants recursive service for this query.
+
+
+   .. zeek:field:: RA :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      The Recursion Available bit in a response message indicates
+      that the name server supports recursive queries.
+
+
+   .. zeek:field:: Z :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      A reserved field that is zero in queries and responses unless
+      using DNSSEC. This field represents the 3-bit Z field using
+      the specification from RFC 1035.
+
+
+   .. zeek:field:: answers :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The set of resource descriptions in the query answer.
+
+
+   .. zeek:field:: TTLs :zeek:type:`vector` of :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The caching intervals of the associated RRs described by the
+      *answers* field.
+
+
+   .. zeek:field:: rejected :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      The DNS query was rejected by the server.
+
+
+   .. zeek:field:: total_answers :zeek:type:`count` :zeek:attr:`&optional`
+
+      The total number of resource records in a reply message's
+      answer section.
+
+
+   .. zeek:field:: total_replies :zeek:type:`count` :zeek:attr:`&optional`
+
+      The total number of resource records in a reply message's
+      answer, authority, and additional sections.
+
+
+   .. zeek:field:: saw_query :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Whether the full DNS query has been seen.
+
+
+   .. zeek:field:: saw_reply :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Whether the full DNS reply has been seen.
+
+
+   .. zeek:field:: auth :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dns/auth-addl.zeek` is loaded)
+
+      Authoritative responses for the query.
+
+
+   .. zeek:field:: addl :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dns/auth-addl.zeek` is loaded)
+
+      Additional responses for the query.
+
+
+   .. zeek:field:: original_query :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/dns/log-original-query-case.zeek` is loaded)
+
+      Query with original letter casing
+
+
+   The record type which contains the column fields of the DNS log.
+
+.. zeek:type:: DNS::PendingMessages
+   :source-code: base/protocols/dns/main.zeek 119 119
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`Queue::Queue`
+
+   Yields a queue of :zeek:see:`DNS::Info` objects for a given
+   DNS message query/transaction ID.
+
+.. zeek:type:: DNS::State
+   :source-code: base/protocols/dns/main.zeek 135 150
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pending_query :zeek:type:`DNS::Info` :zeek:attr:`&optional`
+
+      A single query that hasn't been matched with a response yet.
+      Note this is maintained separate from the *pending_queries*
+      field solely for performance reasons -- it's possible that
+      *pending_queries* contains further queries for which a response
+      has not yet been seen, even for the same transaction ID.
+
+
+   .. zeek:field:: pending_queries :zeek:type:`DNS::PendingMessages` :zeek:attr:`&optional`
+
+      Indexed by query id, returns Info record corresponding to
+      queries that haven't been matched with a response yet.
+
+
+   .. zeek:field:: pending_replies :zeek:type:`DNS::PendingMessages` :zeek:attr:`&optional`
+
+      Indexed by query id, returns Info record corresponding to
+      replies that haven't been matched with a query yet.
+
+
+   A record type which tracks the status of DNS queries for a given
+   :zeek:type:`connection`.
+
+Events
+######
+.. zeek:id:: DNS::log_dns
+   :source-code: base/protocols/dns/main.zeek 90 90
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`DNS::Info`)
+
+   An event that can be handled to access the :zeek:type:`DNS::Info`
+   record as it is sent to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: DNS::do_reply
+   :source-code: base/protocols/dns/main.zeek 104 104
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, reply: :zeek:type:`string`) : :zeek:type:`bool`
+
+   This is called by the specific dns_*_reply events with a "reply"
+   which may not represent the full data available from the resource
+   record, but it's generally considered a summarization of the
+   responses.
+   
+
+   :param c: The connection record for which to fill in DNS reply data.
+   
+
+   :param msg: The DNS message header information for the response.
+   
+
+   :param ans: The general information of a RR response.
+   
+
+   :param reply: The specific response information according to RR type/class.
+
+.. zeek:id:: DNS::finalize_dns
+   :source-code: base/protocols/dns/main.zeek 643 658
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   DNS finalization hook.  Remaining DNS info may get logged when it's called.
+
+.. zeek:id:: DNS::log_policy
+   :source-code: base/protocols/dns/main.zeek 15 15
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+.. zeek:id:: DNS::set_session
+   :source-code: base/protocols/dns/main.zeek 238 346
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, is_query: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   A hook that is called whenever a session is being set.
+   This can be used if additional initialization logic needs to happen
+   when creating a new session value.
+   
+
+   :param c: The connection involved in the new session.
+   
+
+   :param msg: The DNS message header information.
+   
+
+   :param is_query: Indicator for if this is being called for a query or a response.
+
+
diff --git a/doc/scripts/base/protocols/finger/__load__.zeek.rst b/doc/scripts/base/protocols/finger/__load__.zeek.rst
new file mode 100644
index 0000000000..d17a504b79
--- /dev/null
+++ b/doc/scripts/base/protocols/finger/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/finger/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/protocols/finger/main.zeek </scripts/base/protocols/finger/main.zeek>`, :doc:`base/protocols/finger/spicy-events.zeek </scripts/base/protocols/finger/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/finger/index.rst b/doc/scripts/base/protocols/finger/index.rst
new file mode 100644
index 0000000000..2956f3f4c2
--- /dev/null
+++ b/doc/scripts/base/protocols/finger/index.rst
@@ -0,0 +1,18 @@
+:orphan:
+
+Package: base/protocols/finger
+==============================
+
+
+:doc:`/scripts/base/protocols/finger/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/finger/spicy-events.zeek`
+
+   Events generated by the Finger analyzer.
+
+:doc:`/scripts/base/protocols/finger/main.zeek`
+
+   Implements base functionality for Finger analysis. We currently do not generate
+   a log file, but just configure the analyzer.
+
diff --git a/doc/scripts/base/protocols/finger/main.zeek.rst b/doc/scripts/base/protocols/finger/main.zeek.rst
new file mode 100644
index 0000000000..cf33fd81c4
--- /dev/null
+++ b/doc/scripts/base/protocols/finger/main.zeek.rst
@@ -0,0 +1,45 @@
+:tocdepth: 3
+
+base/protocols/finger/main.zeek
+===============================
+.. zeek:namespace:: Finger
+
+Implements base functionality for Finger analysis. We currently do not generate
+a log file, but just configure the analyzer.
+
+:Namespace: Finger
+
+Summary
+~~~~~~~
+Constants
+#########
+========================================== =
+:zeek:id:`Finger::ports`: :zeek:type:`set` 
+========================================== =
+
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: Finger::ports
+   :source-code: base/protocols/finger/main.zeek 7 7
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Default:
+
+      ::
+
+         {
+            79/tcp
+         }
+
+
+
+
diff --git a/doc/scripts/base/protocols/finger/spicy-events.zeek.rst b/doc/scripts/base/protocols/finger/spicy-events.zeek.rst
new file mode 100644
index 0000000000..49da13a87c
--- /dev/null
+++ b/doc/scripts/base/protocols/finger/spicy-events.zeek.rst
@@ -0,0 +1,65 @@
+:tocdepth: 3
+
+base/protocols/finger/spicy-events.zeek
+=======================================
+
+Events generated by the Finger analyzer.
+
+
+Summary
+~~~~~~~
+Events
+######
+============================================= ==============================
+:zeek:id:`finger_reply`: :zeek:type:`event`   Generated for Finger replies.
+:zeek:id:`finger_request`: :zeek:type:`event` Generated for Finger requests.
+============================================= ==============================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: finger_reply
+   :source-code: base/protocols/finger/spicy-events.zeek 31 31
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, reply_line: :zeek:type:`string`)
+
+   Generated for Finger replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+   information about the Finger protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param reply_line: The reply as returned by the server
+   
+   .. zeek:see:: finger_request
+
+.. zeek:id:: finger_request
+   :source-code: base/protocols/finger/spicy-events.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, full: :zeek:type:`bool`, username: :zeek:type:`string`, hostname: :zeek:type:`string`)
+
+   Generated for Finger requests.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+   information about the Finger protocol.
+   
+
+   :param c: The connection.
+   
+
+   :param full: True if verbose information is requested (``/W`` switch).
+   
+
+   :param username: The request's user name.
+   
+
+   :param hostname: The request's host name.
+   
+   .. zeek:see:: finger_reply
+
+
diff --git a/doc/scripts/base/protocols/ftp/__load__.zeek.rst b/doc/scripts/base/protocols/ftp/__load__.zeek.rst
new file mode 100644
index 0000000000..7c2cbfb224
--- /dev/null
+++ b/doc/scripts/base/protocols/ftp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/ftp/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/ftp/files.zeek </scripts/base/protocols/ftp/files.zeek>`, :doc:`base/protocols/ftp/gridftp.zeek </scripts/base/protocols/ftp/gridftp.zeek>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/ftp/files.zeek.rst b/doc/scripts/base/protocols/ftp/files.zeek.rst
new file mode 100644
index 0000000000..48aaa381a6
--- /dev/null
+++ b/doc/scripts/base/protocols/ftp/files.zeek.rst
@@ -0,0 +1,49 @@
+:tocdepth: 3
+
+base/protocols/ftp/files.zeek
+=============================
+.. zeek:namespace:: FTP
+
+
+:Namespace: FTP
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================================= ====================================================
+:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                              
+                                                              :New Fields: :zeek:type:`fa_file`
+                                                              
+                                                                ftp: :zeek:type:`FTP::Info` :zeek:attr:`&optional`
+============================================================= ====================================================
+
+Functions
+#########
+====================================================== =====================================
+:zeek:id:`FTP::describe_file`: :zeek:type:`function`   Describe the file being transferred.
+:zeek:id:`FTP::get_file_handle`: :zeek:type:`function` Default file handle provider for FTP.
+====================================================== =====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: FTP::describe_file
+   :source-code: base/protocols/ftp/files.zeek 29 41
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
+
+   Describe the file being transferred.
+
+.. zeek:id:: FTP::get_file_handle
+   :source-code: base/protocols/ftp/files.zeek 21 27
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+   Default file handle provider for FTP.
+
+
diff --git a/doc/scripts/base/protocols/ftp/gridftp.zeek.rst b/doc/scripts/base/protocols/ftp/gridftp.zeek.rst
new file mode 100644
index 0000000000..1c0ff83707
--- /dev/null
+++ b/doc/scripts/base/protocols/ftp/gridftp.zeek.rst
@@ -0,0 +1,138 @@
+:tocdepth: 3
+
+base/protocols/ftp/gridftp.zeek
+===============================
+.. zeek:namespace:: GridFTP
+
+A detection script for GridFTP data and control channels.
+
+GridFTP control channels are identified by FTP control channels
+that successfully negotiate the GSSAPI method of an AUTH request
+and for which the exchange involved an encoded TLS/SSL handshake,
+indicating the GSI mechanism for GSSAPI was used.  This analysis
+is all supported internally, this script simply adds the "gridftp"
+label to the *service* field of the control channel's
+:zeek:type:`connection` record.
+
+GridFTP data channels are identified by a heuristic that relies on
+the fact that default settings for GridFTP clients typically
+mutually authenticate the data channel with TLS/SSL and negotiate a
+NULL bulk cipher (no encryption). Connections with those attributes
+are marked as GridFTP if the data transfer within the first two minutes
+is big enough to indicate a GripFTP data channel that would be
+undesirable to analyze further (e.g. stop TCP reassembly).  A side
+effect is that true connection sizes are not logged, but at the benefit
+of saving CPU cycles that would otherwise go to analyzing the large
+(and likely benign) connections.
+
+:Namespace: GridFTP
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+========================================================================== ===================================================================
+:zeek:id:`GridFTP::max_time`: :zeek:type:`interval` :zeek:attr:`&redef`    Time during which we check whether a connection's size exceeds the
+                                                                           :zeek:see:`GridFTP::size_threshold`.
+:zeek:id:`GridFTP::size_threshold`: :zeek:type:`count` :zeek:attr:`&redef` Number of bytes transferred before guessing a connection is a
+                                                                           GridFTP data channel.
+:zeek:id:`GridFTP::skip_data`: :zeek:type:`bool` :zeek:attr:`&redef`       Whether to skip further processing of the GridFTP data channel once
+                                                                           detected, which may help performance.
+========================================================================== ===================================================================
+
+Redefinitions
+#############
+=========================================== =================================================================
+:zeek:type:`FTP::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`FTP::Info`
+                                            
+                                              last_auth_requested: :zeek:type:`string` :zeek:attr:`&optional`
+=========================================== =================================================================
+
+Events
+######
+============================================================= ===============================================
+:zeek:id:`GridFTP::data_channel_detected`: :zeek:type:`event` Raised when a GridFTP data channel is detected.
+============================================================= ===============================================
+
+Functions
+#########
+============================================================================================ ==================================================================
+:zeek:id:`GridFTP::data_channel_initial_criteria`: :zeek:type:`function` :zeek:attr:`&redef` The initial criteria used to determine whether to start polling
+                                                                                             the connection for the :zeek:see:`GridFTP::size_threshold` to have
+                                                                                             been exceeded.
+============================================================================================ ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: GridFTP::max_time
+   :source-code: base/protocols/ftp/gridftp.zeek 37 37
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2.0 mins``
+
+   Time during which we check whether a connection's size exceeds the
+   :zeek:see:`GridFTP::size_threshold`.
+
+.. zeek:id:: GridFTP::size_threshold
+   :source-code: base/protocols/ftp/gridftp.zeek 33 33
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1073741824``
+
+   Number of bytes transferred before guessing a connection is a
+   GridFTP data channel.
+
+.. zeek:id:: GridFTP::skip_data
+   :source-code: base/protocols/ftp/gridftp.zeek 41 41
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether to skip further processing of the GridFTP data channel once
+   detected, which may help performance.
+
+Events
+######
+.. zeek:id:: GridFTP::data_channel_detected
+   :source-code: base/protocols/ftp/gridftp.zeek 46 46
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Raised when a GridFTP data channel is detected.
+   
+
+   :param c: The connection pertaining to the GridFTP data channel.
+
+Functions
+#########
+.. zeek:id:: GridFTP::data_channel_initial_criteria
+   :source-code: base/protocols/ftp/gridftp.zeek 108 113
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`) : :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+
+   The initial criteria used to determine whether to start polling
+   the connection for the :zeek:see:`GridFTP::size_threshold` to have
+   been exceeded.  This is called in a :zeek:see:`ssl_established` event
+   handler and by default looks for both a client and server certificate
+   and for a NULL bulk cipher.  One way in which this function could be
+   redefined is to make it also consider client/server certificate
+   issuer subjects.
+   
+
+   :param c: The connection which may possibly be a GridFTP data channel.
+   
+
+   :returns: true if the connection should be further polled for an
+            exceeded :zeek:see:`GridFTP::size_threshold`, else false.
+
+
diff --git a/doc/scripts/base/protocols/ftp/index.rst b/doc/scripts/base/protocols/ftp/index.rst
new file mode 100644
index 0000000000..a89cc97cba
--- /dev/null
+++ b/doc/scripts/base/protocols/ftp/index.rst
@@ -0,0 +1,54 @@
+:orphan:
+
+Package: base/protocols/ftp
+===========================
+
+Support for File Transfer Protocol (FTP) analysis.
+
+:doc:`/scripts/base/protocols/ftp/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/ftp/utils-commands.zeek`
+
+
+:doc:`/scripts/base/protocols/ftp/info.zeek`
+
+   Defines data structures for tracking and logging FTP sessions.
+
+:doc:`/scripts/base/protocols/ftp/main.zeek`
+
+   The logging this script does is primarily focused on logging FTP commands
+   along with metadata.  For example, if files are transferred, the argument
+   will take on the full path that the client is at along with the requested
+   file name.
+
+:doc:`/scripts/base/protocols/ftp/utils.zeek`
+
+   Utilities specific for FTP processing.
+
+:doc:`/scripts/base/protocols/ftp/files.zeek`
+
+
+:doc:`/scripts/base/protocols/ftp/gridftp.zeek`
+
+   A detection script for GridFTP data and control channels.
+   
+   GridFTP control channels are identified by FTP control channels
+   that successfully negotiate the GSSAPI method of an AUTH request
+   and for which the exchange involved an encoded TLS/SSL handshake,
+   indicating the GSI mechanism for GSSAPI was used.  This analysis
+   is all supported internally, this script simply adds the "gridftp"
+   label to the *service* field of the control channel's
+   :zeek:type:`connection` record.
+   
+   GridFTP data channels are identified by a heuristic that relies on
+   the fact that default settings for GridFTP clients typically
+   mutually authenticate the data channel with TLS/SSL and negotiate a
+   NULL bulk cipher (no encryption). Connections with those attributes
+   are marked as GridFTP if the data transfer within the first two minutes
+   is big enough to indicate a GripFTP data channel that would be
+   undesirable to analyze further (e.g. stop TCP reassembly).  A side
+   effect is that true connection sizes are not logged, but at the benefit
+   of saving CPU cycles that would otherwise go to analyzing the large
+   (and likely benign) connections.
+
diff --git a/doc/scripts/base/protocols/ftp/info.zeek.rst b/doc/scripts/base/protocols/ftp/info.zeek.rst
new file mode 100644
index 0000000000..b56f82e5b4
--- /dev/null
+++ b/doc/scripts/base/protocols/ftp/info.zeek.rst
@@ -0,0 +1,185 @@
+:tocdepth: 3
+
+base/protocols/ftp/info.zeek
+============================
+.. zeek:namespace:: FTP
+
+Defines data structures for tracking and logging FTP sessions.
+
+:Namespace: FTP
+:Imports: :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=============================================================================== ==========================================================
+:zeek:id:`FTP::default_capture_password`: :zeek:type:`bool` :zeek:attr:`&redef` This setting changes if passwords used in FTP sessions are
+                                                                                captured or not.
+=============================================================================== ==========================================================
+
+Types
+#####
+========================================================== ==============================================
+:zeek:type:`FTP::ExpectedDataChannel`: :zeek:type:`record` The expected endpoints of an FTP data channel.
+:zeek:type:`FTP::Info`: :zeek:type:`record`                
+========================================================== ==============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: FTP::default_capture_password
+   :source-code: base/protocols/ftp/info.zeek 11 11
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   This setting changes if passwords used in FTP sessions are
+   captured or not.
+
+Types
+#####
+.. zeek:type:: FTP::ExpectedDataChannel
+   :source-code: base/protocols/ftp/info.zeek 14 24
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: passive :zeek:type:`bool` :zeek:attr:`&log`
+
+      Whether PASV mode is toggled for control channel.
+
+
+   .. zeek:field:: orig_h :zeek:type:`addr` :zeek:attr:`&log`
+
+      The host that will be initiating the data connection.
+
+
+   .. zeek:field:: resp_h :zeek:type:`addr` :zeek:attr:`&log`
+
+      The host that will be accepting the data connection.
+
+
+   .. zeek:field:: resp_p :zeek:type:`port` :zeek:attr:`&log`
+
+      The port at which the acceptor is listening for the data
+      connection.
+
+
+   The expected endpoints of an FTP data channel.
+
+.. zeek:type:: FTP::Info
+   :source-code: base/protocols/ftp/info.zeek 26 78
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time when the command was sent.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: user :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``"<unknown>"`` :zeek:attr:`&optional`
+
+      User name for the current FTP session.
+
+
+   .. zeek:field:: password :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Password for the current FTP session if captured.
+
+
+   .. zeek:field:: command :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Command given by the client.
+
+
+   .. zeek:field:: arg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Argument for the command if one is given.
+
+
+   .. zeek:field:: mime_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Sniffed mime type of file.
+
+
+   .. zeek:field:: file_size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Size of the file if the command indicates a file transfer.
+
+
+   .. zeek:field:: reply_code :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Reply code from the server in response to the command.
+
+
+   .. zeek:field:: reply_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Reply message from the server in response to the command.
+
+
+   .. zeek:field:: data_channel :zeek:type:`FTP::ExpectedDataChannel` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Expected FTP data channel.
+
+
+   .. zeek:field:: cwd :zeek:type:`string` :zeek:attr:`&default` = ``"."`` :zeek:attr:`&optional`
+
+      Current working directory that this session is in.  By making
+      the default value '.', we can indicate that unless something
+      more concrete is discovered that the existing but unknown
+      directory is ok to use.
+
+
+   .. zeek:field:: cmdarg :zeek:type:`FTP::CmdArg` :zeek:attr:`&optional`
+
+      Command that is currently waiting for a response.
+
+
+   .. zeek:field:: pending_commands :zeek:type:`FTP::PendingCmds`
+
+      Queue for commands that have been sent but not yet responded
+      to are tracked here.
+
+
+   .. zeek:field:: command_seq :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Sequence number of previous command.
+
+
+   .. zeek:field:: passive :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if the session is in active or passive mode.
+
+
+   .. zeek:field:: capture_password :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`FTP::default_capture_password` :zeek:attr:`&optional`
+
+      Determines if the password will be captured for this request.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      File unique ID.
+
+
+   .. zeek:field:: last_auth_requested :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ftp/gridftp.zeek` is loaded)
+
+
+
+
diff --git a/doc/scripts/base/protocols/ftp/main.zeek.rst b/doc/scripts/base/protocols/ftp/main.zeek.rst
new file mode 100644
index 0000000000..4f79fc7823
--- /dev/null
+++ b/doc/scripts/base/protocols/ftp/main.zeek.rst
@@ -0,0 +1,244 @@
+:tocdepth: 3
+
+base/protocols/ftp/main.zeek
+============================
+.. zeek:namespace:: FTP
+
+The logging this script does is primarily focused on logging FTP commands
+along with metadata.  For example, if files are transferred, the argument
+will take on the full path that the client is at along with the requested
+file name.
+
+:Namespace: FTP
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================ ======================================================================
+:zeek:id:`FTP::guest_ids`: :zeek:type:`set` :zeek:attr:`&redef`              User IDs that can be considered "anonymous".
+:zeek:id:`FTP::logged_commands`: :zeek:type:`set` :zeek:attr:`&redef`        List of commands that should have their command/response pairs logged.
+:zeek:id:`FTP::max_arg_length`: :zeek:type:`count` :zeek:attr:`&redef`       Truncate the arg field in the log to that many bytes to avoid
+                                                                             excessive logging volume.
+:zeek:id:`FTP::max_password_length`: :zeek:type:`count` :zeek:attr:`&redef`  Truncate the password field in the log to that many bytes to avoid
+                                                                             excessive logging volume as this values is replicated in each
+                                                                             of the entries related to an FTP session.
+:zeek:id:`FTP::max_pending_commands`: :zeek:type:`count` :zeek:attr:`&redef` Allow a client to send this many commands before the server
+                                                                             sends a reply.
+:zeek:id:`FTP::max_reply_msg_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the reply_msg field in the log to that many bytes to avoid
+                                                                             excessive logging volume.
+:zeek:id:`FTP::max_user_length`: :zeek:type:`count` :zeek:attr:`&redef`      Truncate the user field in the log to that many bytes to avoid
+                                                                             excessive logging volume as this values is replicated in each
+                                                                             of the entries related to an FTP session.
+============================================================================ ======================================================================
+
+Types
+#####
+================================================ ===============================================
+:zeek:type:`FTP::ReplyCode`: :zeek:type:`record` This record is to hold a parsed FTP reply code.
+================================================ ===============================================
+
+Redefinitions
+#############
+==================================================================== ========================================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              The FTP protocol logging stream identifier.
+                                                                     
+                                                                     * :zeek:enum:`FTP::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       ftp: :zeek:type:`FTP::Info` :zeek:attr:`&optional`
+                                                                     
+                                                                       ftp_data_reuse: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ========================================================================================
+
+Events
+######
+=========================================== ==============================================================
+:zeek:id:`FTP::log_ftp`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`FTP::Info`
+                                            record as it is sent on to the logging framework.
+=========================================== ==============================================================
+
+Hooks
+#####
+============================================================ =============================================
+:zeek:id:`FTP::finalize_ftp`: :zeek:type:`Conn::RemovalHook` FTP finalization hook.
+:zeek:id:`FTP::finalize_ftp_data`: :zeek:type:`hook`         FTP data finalization hook.
+:zeek:id:`FTP::log_policy`: :zeek:type:`Log::PolicyHook`     A default logging policy hook for the stream.
+============================================================ =============================================
+
+Functions
+#########
+=========================================================== =====================================================================
+:zeek:id:`FTP::parse_ftp_reply_code`: :zeek:type:`function` Parse FTP reply codes into the three constituent single digit values.
+=========================================================== =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: FTP::guest_ids
+   :source-code: base/protocols/ftp/main.zeek 32 32
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "guest",
+            "anonymous",
+            "ftpuser",
+            "ftp"
+         }
+
+
+   User IDs that can be considered "anonymous".
+
+.. zeek:id:: FTP::logged_commands
+   :source-code: base/protocols/ftp/main.zeek 26 26
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "ACCT",
+            "DELE",
+            "APPE",
+            "RETR",
+            "PORT",
+            "STOR",
+            "EPRT",
+            "PASV",
+            "STOU",
+            "EPSV"
+         }
+
+
+   List of commands that should have their command/response pairs logged.
+
+.. zeek:id:: FTP::max_arg_length
+   :source-code: base/protocols/ftp/main.zeek 73 73
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4096``
+
+   Truncate the arg field in the log to that many bytes to avoid
+   excessive logging volume.
+
+.. zeek:id:: FTP::max_password_length
+   :source-code: base/protocols/ftp/main.zeek 69 69
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``128``
+
+   Truncate the password field in the log to that many bytes to avoid
+   excessive logging volume as this values is replicated in each
+   of the entries related to an FTP session.
+
+.. zeek:id:: FTP::max_pending_commands
+   :source-code: base/protocols/ftp/main.zeek 59 59
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``20``
+
+   Allow a client to send this many commands before the server
+   sends a reply. If this value is exceeded a weird named
+   FTP_too_many_pending_commands is logged for the connection.
+
+.. zeek:id:: FTP::max_reply_msg_length
+   :source-code: base/protocols/ftp/main.zeek 77 77
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4096``
+
+   Truncate the reply_msg field in the log to that many bytes to avoid
+   excessive logging volume.
+
+.. zeek:id:: FTP::max_user_length
+   :source-code: base/protocols/ftp/main.zeek 64 64
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``128``
+
+   Truncate the user field in the log to that many bytes to avoid
+   excessive logging volume as this values is replicated in each
+   of the entries related to an FTP session.
+
+Types
+#####
+.. zeek:type:: FTP::ReplyCode
+   :source-code: base/protocols/ftp/main.zeek 36 40
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: x :zeek:type:`count`
+
+
+   .. zeek:field:: y :zeek:type:`count`
+
+
+   .. zeek:field:: z :zeek:type:`count`
+
+
+   This record is to hold a parsed FTP reply code.  For example, for the
+   201 status code, the digits would be parsed as: x->2, y->0, z->1.
+
+Events
+######
+.. zeek:id:: FTP::log_ftp
+   :source-code: base/protocols/ftp/main.zeek 47 47
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`FTP::Info`)
+
+   Event that can be handled to access the :zeek:type:`FTP::Info`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: FTP::finalize_ftp
+   :source-code: base/protocols/ftp/main.zeek 479 488
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   FTP finalization hook.  Remaining FTP info may get logged when it's called.
+
+.. zeek:id:: FTP::finalize_ftp_data
+   :source-code: base/protocols/ftp/main.zeek 466 476
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`connection`) : :zeek:type:`bool`
+
+   FTP data finalization hook.  Expected FTP data channel state may
+   get purged when called.
+
+.. zeek:id:: FTP::log_policy
+   :source-code: base/protocols/ftp/main.zeek 23 23
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+Functions
+#########
+.. zeek:id:: FTP::parse_ftp_reply_code
+   :source-code: base/protocols/ftp/main.zeek 141 154
+
+   :Type: :zeek:type:`function` (code: :zeek:type:`count`) : :zeek:type:`FTP::ReplyCode`
+
+   Parse FTP reply codes into the three constituent single digit values.
+
+
diff --git a/doc/scripts/base/protocols/ftp/utils-commands.zeek.rst b/doc/scripts/base/protocols/ftp/utils-commands.zeek.rst
new file mode 100644
index 0000000000..d37d7de1ce
--- /dev/null
+++ b/doc/scripts/base/protocols/ftp/utils-commands.zeek.rst
@@ -0,0 +1,416 @@
+:tocdepth: 3
+
+base/protocols/ftp/utils-commands.zeek
+======================================
+.. zeek:namespace:: FTP
+
+
+:Namespace: FTP
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+==================================================================== ===========================================================
+:zeek:id:`FTP::cmd_reply_code`: :zeek:type:`set` :zeek:attr:`&redef` Possible response codes for a wide variety of FTP commands.
+==================================================================== ===========================================================
+
+Types
+#####
+================================================= ====================================================================
+:zeek:type:`FTP::CmdArg`: :zeek:type:`record`     
+:zeek:type:`FTP::PendingCmds`: :zeek:type:`table` Structure for tracking pending commands in the event that the client
+                                                  sends a large number of commands before the server has a chance to
+                                                  reply.
+================================================= ====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: FTP::cmd_reply_code
+   :source-code: base/protocols/ftp/utils-commands.zeek 24 24
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`, :zeek:type:`count`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            ["ABOR", 226] ,
+            ["REIN", 120] ,
+            ["STOU", 553] ,
+            ["MLSD", 150] ,
+            ["RNTO", 503] ,
+            ["CDUP", 530] ,
+            ["CDUP", 501] ,
+            ["APPE", 425] ,
+            ["SYST", 530] ,
+            ["PORT", 421] ,
+            ["TYPE", 501] ,
+            ["LIST", 125] ,
+            ["RNTO", 530] ,
+            ["PWD", 501] ,
+            ["STOR", 125] ,
+            ["CDUP", 200] ,
+            ["MLSD", 250] ,
+            ["SITE", 500] ,
+            ["CWD", 550] ,
+            ["CDUP", 550] ,
+            ["QUIT", 500] ,
+            ["MKD", 257] ,
+            ["ALLO", 500] ,
+            ["LIST", 425] ,
+            ["CLNT", 200] ,
+            ["<init>", 0] ,
+            ["ABOR", 501] ,
+            ["FEAT", 502] ,
+            ["MLST", 150] ,
+            ["APPE", 150] ,
+            ["STOU", 550] ,
+            ["USER", 332] ,
+            ["PASV", 227] ,
+            ["SYST", 421] ,
+            ["STRU", 530] ,
+            ["EPRT", 501] ,
+            ["PASV", 530] ,
+            ["USER", 530] ,
+            ["APPE", 125] ,
+            ["CDUP", 421] ,
+            ["STOU", 451] ,
+            ["HELP", 214] ,
+            ["NLST", 426] ,
+            ["RNFR", 450] ,
+            ["LPRT", 521] ,
+            ["ALLO", 530] ,
+            ["STAT", 501] ,
+            ["MACB", 550] ,
+            ["PASS", 332] ,
+            ["SITE", 502] ,
+            ["SIZE", 550] ,
+            ["LIST", 451] ,
+            ["LIST", 426] ,
+            ["APPE", 426] ,
+            ["SMNT", 530] ,
+            ["MLST", 250] ,
+            ["TYPE", 530] ,
+            ["HELP", 500] ,
+            ["RNTO", 553] ,
+            ["STOR", 530] ,
+            ["NLST", 150] ,
+            ["NLST", 451] ,
+            ["SMNT", 501] ,
+            ["ACCT", 230] ,
+            ["MDTM", 550] ,
+            ["APPE", 452] ,
+            ["LIST", 450] ,
+            ["NLST", 250] ,
+            ["MDTM", 500] ,
+            ["RETR", 450] ,
+            ["NLST", 502] ,
+            ["TYPE", 504] ,
+            ["MLSD", 550] ,
+            ["MODE", 421] ,
+            ["OPTS", 451] ,
+            ["RETR", 426] ,
+            ["APPE", 530] ,
+            ["STRU", 504] ,
+            ["STAT", 502] ,
+            ["RETR", 125] ,
+            ["EPRT", 200] ,
+            ["ALLO", 202] ,
+            ["MKD", 502] ,
+            ["STOU", 501] ,
+            ["SYST", 502] ,
+            ["REIN", 220] ,
+            ["MLSD", 501] ,
+            ["DELE", 530] ,
+            ["USER", 421] ,
+            ["NLST", 530] ,
+            ["TYPE", 200] ,
+            ["RMD", 250] ,
+            ["DELE", 421] ,
+            ["FEAT", 211] ,
+            ["APPE", 500] ,
+            ["RETR", 501] ,
+            ["ABOR", 225] ,
+            ["CWD", 250] ,
+            ["STOU", 110] ,
+            ["ALLO", 504] ,
+            ["RNTO", 532] ,
+            ["PWD", 500] ,
+            ["STOR", 110] ,
+            ["MODE", 502] ,
+            ["PORT", 200] ,
+            ["NLST", 125] ,
+            ["RETR", 110] ,
+            ["ACCT", 503] ,
+            ["RMD", 502] ,
+            ["REST", 200] ,
+            ["RETR", 226] ,
+            ["PASV", 500] ,
+            ["STRU", 501] ,
+            ["LIST", 502] ,
+            ["STAT", 530] ,
+            ["RETR", 500] ,
+            ["PASS", 501] ,
+            ["STOR", 553] ,
+            ["APPE", 550] ,
+            ["SMNT", 550] ,
+            ["PASV", 501] ,
+            ["SYST", 501] ,
+            ["MKD", 550] ,
+            ["PASV", 502] ,
+            ["MODE", 530] ,
+            ["STAT", 450] ,
+            ["APPE", 226] ,
+            ["MACB", 500] ,
+            ["PASS", 230] ,
+            ["STAT", 212] ,
+            ["PASV", 421] ,
+            ["STOU", 530] ,
+            ["PASS", 530] ,
+            ["SITE", 202] ,
+            ["PASS", 500] ,
+            ["APPE", 450] ,
+            ["STOR", 450] ,
+            ["LIST", 250] ,
+            ["NLST", 500] ,
+            ["PWD", 502] ,
+            ["RNFR", 500] ,
+            ["STOR", 501] ,
+            ["DELE", 500] ,
+            ["HELP", 421] ,
+            ["NLST", 425] ,
+            ["NLST", 550] ,
+            ["STOR", 451] ,
+            ["SYST", 215] ,
+            ["RETR", 425] ,
+            ["APPE", 532] ,
+            ["LIST", 150] ,
+            ["CWD", 500] ,
+            ["USER", 331] ,
+            ["OPTS", 501] ,
+            ["PASS", 503] ,
+            ["STOU", 532] ,
+            ["STOU", 150] ,
+            ["QUIT", 221] ,
+            ["ACCT", 202] ,
+            ["STOR", 425] ,
+            ["MKD", 421] ,
+            ["TYPE", 500] ,
+            ["STOU", 125] ,
+            ["SYST", 500] ,
+            ["CDUP", 502] ,
+            ["RETR", 451] ,
+            ["RNFR", 502] ,
+            ["TYPE", 421] ,
+            ["STOR", 500] ,
+            ["SIZE", 500] ,
+            ["HELP", 211] ,
+            ["RNTO", 250] ,
+            ["REIN", 502] ,
+            ["STRU", 200] ,
+            ["RMD", 421] ,
+            ["<init>", 421] ,
+            ["STAT", 211] ,
+            ["<init>", 120] ,
+            ["LIST", 550] ,
+            ["ABOR", 500] ,
+            ["NOOP", 200] ,
+            ["REIN", 421] ,
+            ["STOR", 150] ,
+            ["SMNT", 502] ,
+            ["CDUP", 250] ,
+            ["PORT", 501] ,
+            ["MODE", 504] ,
+            ["STAT", 421] ,
+            ["MODE", 501] ,
+            ["MDTM", 213] ,
+            ["MKD", 501] ,
+            ["LIST", 421] ,
+            ["MLST", 226] ,
+            ["STOR", 226] ,
+            ["NOOP", 421] ,
+            ["PWD", 421] ,
+            ["FEAT", 500] ,
+            ["APPE", 250] ,
+            ["CLNT", 500] ,
+            ["LIST", 501] ,
+            ["STOU", 425] ,
+            ["LIST", 530] ,
+            ["SITE", 530] ,
+            ["STOU", 250] ,
+            ["RETR", 150] ,
+            ["RNTO", 500] ,
+            ["MLST", 501] ,
+            ["REST", 501] ,
+            ["MKD", 530] ,
+            ["RNFR", 530] ,
+            ["ALLO", 200] ,
+            ["STRU", 500] ,
+            ["MLSD", 500] ,
+            ["STOU", 426] ,
+            ["STAT", 213] ,
+            ["RNFR", 421] ,
+            ["ALLO", 501] ,
+            ["RETR", 421] ,
+            ["APPE", 421] ,
+            ["USER", 501] ,
+            ["QUIT", 0] ,
+            ["USER", 230] ,
+            ["RNFR", 350] ,
+            ["STOU", 551] ,
+            ["MODE", 500] ,
+            ["STOR", 426] ,
+            ["REST", 530] ,
+            ["SMNT", 421] ,
+            ["ABOR", 502] ,
+            ["ACCT", 421] ,
+            ["APPE", 502] ,
+            ["SITE", 214] ,
+            ["CWD", 421] ,
+            ["NLST", 450] ,
+            ["STOU", 226] ,
+            ["EPRT", 522] ,
+            ["REST", 500] ,
+            ["RMD", 550] ,
+            ["LPRT", 501] ,
+            ["EPSV", 501] ,
+            ["HELP", 501] ,
+            ["DELE", 450] ,
+            ["NLST", 501] ,
+            ["EPSV", 500] ,
+            ["APPE", 552] ,
+            ["EPRT", 500] ,
+            ["PWD", 257] ,
+            ["MODE", 200] ,
+            ["NLST", 226] ,
+            ["RMD", 500] ,
+            ["CWD", 530] ,
+            ["APPE", 501] ,
+            ["RMD", 530] ,
+            ["STOR", 452] ,
+            ["<missing>", 0] ,
+            ["RETR", 530] ,
+            ["NOOP", 500] ,
+            ["REIN", 500] ,
+            ["STOR", 532] ,
+            ["ABOR", 421] ,
+            ["APPE", 551] ,
+            ["SMNT", 500] ,
+            ["STOR", 550] ,
+            ["RNFR", 501] ,
+            ["USER", 500] ,
+            ["ALLO", 421] ,
+            ["ACCT", 500] ,
+            ["RNTO", 502] ,
+            ["MKD", 500] ,
+            ["PASS", 421] ,
+            ["STOU", 552] ,
+            ["STOU", 452] ,
+            ["CWD", 501] ,
+            ["PORT", 500] ,
+            ["MLST", 500] ,
+            ["STOU", 450] ,
+            ["STOU", 421] ,
+            ["ACCT", 530] ,
+            ["STRU", 421] ,
+            ["STOU", 500] ,
+            ["SIZE", 501] ,
+            ["MDTM", 501] ,
+            ["ACCT", 501] ,
+            ["REST", 502] ,
+            ["STOR", 421] ,
+            ["RNTO", 421] ,
+            ["RETR", 250] ,
+            ["MLSD", 226] ,
+            ["LIST", 500] ,
+            ["DELE", 502] ,
+            ["SMNT", 250] ,
+            ["OPTS", 200] ,
+            ["SITE", 501] ,
+            ["APPE", 553] ,
+            ["PASS", 202] ,
+            ["SIZE", 213] ,
+            ["STOR", 250] ,
+            ["DELE", 250] ,
+            ["STOR", 551] ,
+            ["PWD", 550] ,
+            ["STAT", 500] ,
+            ["RMD", 501] ,
+            ["RNTO", 501] ,
+            ["HELP", 200] ,
+            ["MACB", 200] ,
+            ["DELE", 501] ,
+            ["LPRT", 500] ,
+            ["LIST", 226] ,
+            ["REST", 350] ,
+            ["CDUP", 500] ,
+            ["APPE", 451] ,
+            ["EPSV", 229] ,
+            ["RETR", 550] ,
+            ["DELE", 550] ,
+            ["PORT", 530] ,
+            ["CWD", 502] ,
+            ["STOR", 552] ,
+            ["NLST", 421] ,
+            ["HELP", 502] ,
+            ["SITE", 200] ,
+            ["<init>", 220] ,
+            ["SMNT", 202] ,
+            ["RNFR", 550] ,
+            ["MLST", 550] ,
+            ["REST", 421] 
+         }
+
+
+   Possible response codes for a wide variety of FTP commands.
+
+Types
+#####
+.. zeek:type:: FTP::CmdArg
+   :source-code: base/protocols/ftp/utils-commands.zeek 4 16
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time`
+
+      Time when the command was sent.
+
+
+   .. zeek:field:: cmd :zeek:type:`string` :zeek:attr:`&default` = ``"<unknown>"`` :zeek:attr:`&optional`
+
+      Command.
+
+
+   .. zeek:field:: arg :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Argument for the command if one was given.
+
+
+   .. zeek:field:: seq :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Counter to track how many commands have been executed.
+
+
+   .. zeek:field:: cwd_consumed :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Flag indicating if the arg of this CmdArg has been used
+      to update cwd of c$ftp.
+
+
+
+.. zeek:type:: FTP::PendingCmds
+   :source-code: base/protocols/ftp/utils-commands.zeek 21 21
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`FTP::CmdArg`
+
+   Structure for tracking pending commands in the event that the client
+   sends a large number of commands before the server has a chance to
+   reply.
+
+
diff --git a/doc/scripts/base/protocols/ftp/utils.zeek.rst b/doc/scripts/base/protocols/ftp/utils.zeek.rst
new file mode 100644
index 0000000000..2dba6f7f90
--- /dev/null
+++ b/doc/scripts/base/protocols/ftp/utils.zeek.rst
@@ -0,0 +1,60 @@
+:tocdepth: 3
+
+base/protocols/ftp/utils.zeek
+=============================
+.. zeek:namespace:: FTP
+
+Utilities specific for FTP processing.
+
+:Namespace: FTP
+:Imports: :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+==================================================== ===========================================================
+:zeek:id:`FTP::build_url`: :zeek:type:`function`     Creates a URL from an :zeek:type:`FTP::Info` record.
+:zeek:id:`FTP::build_url_ftp`: :zeek:type:`function` Creates a URL from an :zeek:type:`FTP::Info` record.
+:zeek:id:`FTP::describe`: :zeek:type:`function`      Create an extremely shortened representation of a log line.
+==================================================== ===========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: FTP::build_url
+   :source-code: base/protocols/ftp/utils.zeek 28 38
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
+
+   Creates a URL from an :zeek:type:`FTP::Info` record.
+   
+
+   :param rec: An :zeek:type:`FTP::Info` record.
+   
+
+   :returns: A URL, not prefixed by ``"ftp://"``.
+
+.. zeek:id:: FTP::build_url_ftp
+   :source-code: base/protocols/ftp/utils.zeek 40 43
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
+
+   Creates a URL from an :zeek:type:`FTP::Info` record.
+   
+
+   :param rec: An :zeek:type:`FTP::Info` record.
+   
+
+   :returns: A URL prefixed with ``"ftp://"``.
+
+.. zeek:id:: FTP::describe
+   :source-code: base/protocols/ftp/utils.zeek 45 48
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
+
+   Create an extremely shortened representation of a log line.
+
+
diff --git a/doc/scripts/base/protocols/http/__load__.zeek.rst b/doc/scripts/base/protocols/http/__load__.zeek.rst
new file mode 100644
index 0000000000..a503b47450
--- /dev/null
+++ b/doc/scripts/base/protocols/http/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/http/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/http/entities.zeek </scripts/base/protocols/http/entities.zeek>`, :doc:`base/protocols/http/files.zeek </scripts/base/protocols/http/files.zeek>`, :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/http/entities.zeek.rst b/doc/scripts/base/protocols/http/entities.zeek.rst
new file mode 100644
index 0000000000..122a497a18
--- /dev/null
+++ b/doc/scripts/base/protocols/http/entities.zeek.rst
@@ -0,0 +1,130 @@
+:tocdepth: 3
+
+base/protocols/http/entities.zeek
+=================================
+.. zeek:namespace:: HTTP
+
+Analysis and logging for MIME entities found in HTTP sessions.
+
+:Namespace: HTTP
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`, :doc:`base/utils/strings.zeek </scripts/base/utils/strings.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================= ==========================================
+:zeek:id:`HTTP::max_files_orig`: :zeek:type:`count` :zeek:attr:`&redef` Maximum number of originator files to log.
+:zeek:id:`HTTP::max_files_resp`: :zeek:type:`count` :zeek:attr:`&redef` Maximum number of responder files to log.
+======================================================================= ==========================================
+
+Types
+#####
+============================================== =
+:zeek:type:`HTTP::Entity`: :zeek:type:`record` 
+============================================== =
+
+Redefinitions
+#############
+============================================================= ======================================================================================================
+:zeek:type:`HTTP::Info`: :zeek:type:`record`                  
+                                                              
+                                                              :New Fields: :zeek:type:`HTTP::Info`
+                                                              
+                                                                orig_fuids: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                  An ordered vector of file unique IDs.
+                                                              
+                                                                orig_filenames: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                  An ordered vector of filenames from the client.
+                                                              
+                                                                orig_mime_types: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                  An ordered vector of mime types.
+                                                              
+                                                                resp_fuids: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                  An ordered vector of file unique IDs.
+                                                              
+                                                                resp_filenames: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                  An ordered vector of filenames from the server.
+                                                              
+                                                                resp_mime_types: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                  An ordered vector of mime types.
+                                                              
+                                                                current_entity: :zeek:type:`HTTP::Entity` :zeek:attr:`&optional`
+                                                                  The current entity.
+                                                              
+                                                                orig_mime_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                                  Current number of MIME entities in the HTTP request message
+                                                                  body.
+                                                              
+                                                                resp_mime_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                                  Current number of MIME entities in the HTTP response message
+                                                                  body.
+:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                              
+                                                              :New Fields: :zeek:type:`fa_file`
+                                                              
+                                                                http: :zeek:type:`HTTP::Info` :zeek:attr:`&optional`
+============================================================= ======================================================================================================
+
+Hooks
+#####
+==================================================== ================================================================
+:zeek:id:`HTTP::max_files_policy`: :zeek:type:`hook` Called when reaching the max number of files across a given HTTP
+                                                     connection according to :zeek:see:`HTTP::max_files_orig`
+                                                     or :zeek:see:`HTTP::max_files_resp`.
+==================================================== ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: HTTP::max_files_orig
+   :source-code: base/protocols/http/entities.zeek 20 20
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15``
+
+   Maximum number of originator files to log.
+   :zeek:see:`HTTP::max_files_policy` even is called once this
+   limit is reached to determine if it's enforced.
+
+.. zeek:id:: HTTP::max_files_resp
+   :source-code: base/protocols/http/entities.zeek 25 25
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15``
+
+   Maximum number of responder files to log.
+   :zeek:see:`HTTP::max_files_policy` even is called once this
+   limit is reached to determine if it's enforced.
+
+Types
+#####
+.. zeek:type:: HTTP::Entity
+   :source-code: base/protocols/http/entities.zeek 12 15
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: filename :zeek:type:`string` :zeek:attr:`&optional`
+
+      Filename for the entity if discovered from a header.
+
+
+
+Hooks
+#####
+.. zeek:id:: HTTP::max_files_policy
+   :source-code: base/protocols/http/entities.zeek 31 31
+
+   :Type: :zeek:type:`hook` (f: :zeek:type:`fa_file`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
+
+   Called when reaching the max number of files across a given HTTP
+   connection according to :zeek:see:`HTTP::max_files_orig`
+   or :zeek:see:`HTTP::max_files_resp`.  Break from the hook
+   early to signal that the file limit should not be applied.
+
+
diff --git a/doc/scripts/base/protocols/http/files.zeek.rst b/doc/scripts/base/protocols/http/files.zeek.rst
new file mode 100644
index 0000000000..a205d7aa8c
--- /dev/null
+++ b/doc/scripts/base/protocols/http/files.zeek.rst
@@ -0,0 +1,39 @@
+:tocdepth: 3
+
+base/protocols/http/files.zeek
+==============================
+.. zeek:namespace:: HTTP
+
+
+:Namespace: HTTP
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/http/entities.zeek </scripts/base/protocols/http/entities.zeek>`, :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+======================================================= ======================================
+:zeek:id:`HTTP::describe_file`: :zeek:type:`function`   Default file describer for HTTP.
+:zeek:id:`HTTP::get_file_handle`: :zeek:type:`function` Default file handle provider for HTTP.
+======================================================= ======================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: HTTP::describe_file
+   :source-code: base/protocols/http/files.zeek 37 49
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
+
+   Default file describer for HTTP.
+
+.. zeek:id:: HTTP::get_file_handle
+   :source-code: base/protocols/http/files.zeek 17 35
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+   Default file handle provider for HTTP.
+
+
diff --git a/doc/scripts/base/protocols/http/index.rst b/doc/scripts/base/protocols/http/index.rst
new file mode 100644
index 0000000000..1de47c056a
--- /dev/null
+++ b/doc/scripts/base/protocols/http/index.rst
@@ -0,0 +1,27 @@
+:orphan:
+
+Package: base/protocols/http
+============================
+
+Support for Hypertext Transfer Protocol (HTTP) analysis.
+
+:doc:`/scripts/base/protocols/http/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/http/main.zeek`
+
+   Implements base functionality for HTTP analysis.  The logging model is
+   to log request/response pairs and all relevant metadata together in
+   a single record.
+
+:doc:`/scripts/base/protocols/http/entities.zeek`
+
+   Analysis and logging for MIME entities found in HTTP sessions.
+
+:doc:`/scripts/base/protocols/http/utils.zeek`
+
+   Utilities specific for HTTP processing.
+
+:doc:`/scripts/base/protocols/http/files.zeek`
+
+
diff --git a/doc/scripts/base/protocols/http/main.zeek.rst b/doc/scripts/base/protocols/http/main.zeek.rst
new file mode 100644
index 0000000000..2d46951d49
--- /dev/null
+++ b/doc/scripts/base/protocols/http/main.zeek.rst
@@ -0,0 +1,498 @@
+:tocdepth: 3
+
+base/protocols/http/main.zeek
+=============================
+.. zeek:namespace:: HTTP
+
+Implements base functionality for HTTP analysis.  The logging model is
+to log request/response pairs and all relevant metadata together in
+a single record.
+
+:Namespace: HTTP
+:Imports: :doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`, :doc:`base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================ ====================================================================
+:zeek:id:`HTTP::default_capture_password`: :zeek:type:`bool` :zeek:attr:`&redef` This setting changes if passwords used in Basic-Auth are captured or
+                                                                                 not.
+:zeek:id:`HTTP::http_methods`: :zeek:type:`set` :zeek:attr:`&redef`              A list of HTTP methods.
+:zeek:id:`HTTP::max_pending_requests`: :zeek:type:`count` :zeek:attr:`&redef`    Only allow that many pending requests on a single connection.
+:zeek:id:`HTTP::proxy_headers`: :zeek:type:`set` :zeek:attr:`&redef`             A list of HTTP headers typically used to indicate proxied requests.
+================================================================================ ====================================================================
+
+Redefinable Options
+###################
+======================================================================================= =======================================================================
+:zeek:id:`HTTP::default_max_field_string_bytes`: :zeek:type:`count` :zeek:attr:`&redef` The maximum number of bytes that a single string field can contain when
+                                                                                        logging.
+======================================================================================= =======================================================================
+
+Types
+#####
+============================================= ===================================================================
+:zeek:type:`HTTP::Info`: :zeek:type:`record`  The record type which contains the fields of the HTTP log.
+:zeek:type:`HTTP::State`: :zeek:type:`record` Structure to maintain state for an HTTP connection with multiple
+                                              requests and responses.
+:zeek:type:`HTTP::Tags`: :zeek:type:`enum`    Indicate a type of attack or compromise in the record to be logged.
+============================================= ===================================================================
+
+Redefinitions
+#############
+==================================================================== =============================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`HTTP::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       http: :zeek:type:`HTTP::Info` :zeek:attr:`&optional`
+                                                                     
+                                                                       http_state: :zeek:type:`HTTP::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =============================================================
+
+Events
+######
+============================================= ====================================================================
+:zeek:id:`HTTP::log_http`: :zeek:type:`event` Event that can be handled to access the HTTP record as it is sent on
+                                              to the logging framework.
+============================================= ====================================================================
+
+Hooks
+#####
+============================================================== =======================
+:zeek:id:`HTTP::finalize_http`: :zeek:type:`Conn::RemovalHook` HTTP finalization hook.
+:zeek:id:`HTTP::log_policy`: :zeek:type:`Log::PolicyHook`      
+============================================================== =======================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: HTTP::default_capture_password
+   :source-code: base/protocols/http/main.zeek 25 25
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   This setting changes if passwords used in Basic-Auth are captured or
+   not.
+
+.. zeek:id:: HTTP::http_methods
+   :source-code: base/protocols/http/main.zeek 120 120
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "POST",
+            "PUT",
+            "CONNECT",
+            "BMOVE",
+            "SEARCH",
+            "TRACE",
+            "LOCK",
+            "PROPPATCH",
+            "HEAD",
+            "OPTIONS",
+            "POLL",
+            "REPORT",
+            "SUBSCRIBE",
+            "MOVE",
+            "GET",
+            "UNLOCK",
+            "DELETE",
+            "COPY",
+            "MKCOL",
+            "PROPFIND"
+         }
+
+
+   A list of HTTP methods. Other methods will generate a weird. Note
+   that the HTTP analyzer will only accept methods consisting solely
+   of letters ``[A-Za-z]``.
+
+.. zeek:id:: HTTP::max_pending_requests
+   :source-code: base/protocols/http/main.zeek 141 141
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   Only allow that many pending requests on a single connection.
+   If this number is exceeded, all pending requests are flushed
+   out and request/response tracking reset to prevent unbounded
+   state growth.
+
+.. zeek:id:: HTTP::proxy_headers
+   :source-code: base/protocols/http/main.zeek 107 107
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "CLIENT-IP",
+            "X-FORWARDED-FROM",
+            "VIA",
+            "XROXY-CONNECTION",
+            "PROXY-CONNECTION",
+            "X-FORWARDED-FOR",
+            "FORWARDED"
+         }
+
+
+   A list of HTTP headers typically used to indicate proxied requests.
+
+Redefinable Options
+###################
+.. zeek:id:: HTTP::default_max_field_string_bytes
+   :source-code: base/protocols/http/main.zeek 149 149
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   The maximum number of bytes that a single string field can contain when
+   logging. If a string reaches this limit, the log output for the field will be
+   truncated. Setting this to zero disables the limiting. HTTP has no maximum
+   length for various fields such as the URI, so this is set to zero by default.
+   
+   .. zeek:see:: Log::default_max_field_string_bytes
+
+Types
+#####
+.. zeek:type:: HTTP::Info
+   :source-code: base/protocols/http/main.zeek 28 89
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the request happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: trans_depth :zeek:type:`count` :zeek:attr:`&log`
+
+      Represents the pipelined depth into the connection of this
+      request/response transaction.
+
+
+   .. zeek:field:: method :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Verb used in the HTTP request (GET, POST, HEAD, etc.).
+
+
+   .. zeek:field:: host :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Value of the HOST header.
+
+
+   .. zeek:field:: uri :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      URI used in the request.
+
+
+   .. zeek:field:: referrer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Value of the "referer" header.  The comment is deliberately
+      misspelled like the standard declares, but the name used here
+      is "referrer", spelled correctly.
+
+
+   .. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Value of the version portion of the reply. If you require
+      message-level detail, consider the :zeek:see:`http_request` and
+      :zeek:see:`http_reply` events, which report each message's
+      version string.
+
+
+   .. zeek:field:: user_agent :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Value of the User-Agent header from the client.
+
+
+   .. zeek:field:: origin :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Value of the Origin header from the client.
+
+
+   .. zeek:field:: request_body_len :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Actual uncompressed content size of the data transferred from
+      the client.
+
+
+   .. zeek:field:: response_body_len :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Actual uncompressed content size of the data transferred from
+      the server.
+
+
+   .. zeek:field:: status_code :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Status code returned by the server.
+
+
+   .. zeek:field:: status_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Status message returned by the server.
+
+
+   .. zeek:field:: info_code :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Last seen 1xx informational reply code returned by the server.
+
+
+   .. zeek:field:: info_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Last seen 1xx informational reply message returned by the server.
+
+
+   .. zeek:field:: tags :zeek:type:`set` [:zeek:type:`HTTP::Tags`] :zeek:attr:`&log`
+
+      A set of indicators of various attributes discovered and
+      related to a particular request/response pair.
+
+
+   .. zeek:field:: username :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Username if basic-auth is performed for the request.
+
+
+   .. zeek:field:: password :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Password if basic-auth is performed for the request.
+
+
+   .. zeek:field:: capture_password :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`HTTP::default_capture_password` :zeek:attr:`&optional`
+
+      Determines if the password will be captured for this request.
+
+
+   .. zeek:field:: proxied :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      All of the headers that may indicate if the request was proxied.
+
+
+   .. zeek:field:: range_request :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if this request can assume 206 partial content in
+      response.
+
+
+   .. zeek:field:: orig_fuids :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      An ordered vector of file unique IDs.
+      Limited to :zeek:see:`HTTP::max_files_orig` entries.
+
+
+   .. zeek:field:: orig_filenames :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      An ordered vector of filenames from the client.
+      Limited to :zeek:see:`HTTP::max_files_orig` entries.
+
+
+   .. zeek:field:: orig_mime_types :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      An ordered vector of mime types.
+      Limited to :zeek:see:`HTTP::max_files_orig` entries.
+
+
+   .. zeek:field:: resp_fuids :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      An ordered vector of file unique IDs.
+      Limited to :zeek:see:`HTTP::max_files_resp` entries.
+
+
+   .. zeek:field:: resp_filenames :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      An ordered vector of filenames from the server.
+      Limited to :zeek:see:`HTTP::max_files_resp` entries.
+
+
+   .. zeek:field:: resp_mime_types :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      An ordered vector of mime types.
+      Limited to :zeek:see:`HTTP::max_files_resp` entries.
+
+
+   .. zeek:field:: current_entity :zeek:type:`HTTP::Entity` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      The current entity.
+
+
+   .. zeek:field:: orig_mime_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      Current number of MIME entities in the HTTP request message
+      body.
+
+
+   .. zeek:field:: resp_mime_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
+
+      Current number of MIME entities in the HTTP response message
+      body.
+
+
+   .. zeek:field:: client_header_names :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/http/header-names.zeek` is loaded)
+
+      The vector of HTTP header names sent by the client.  No
+      header values are included here, just the header names.
+
+
+   .. zeek:field:: server_header_names :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/http/header-names.zeek` is loaded)
+
+      The vector of HTTP header names sent by the server.  No
+      header values are included here, just the header names.
+
+
+   .. zeek:field:: omniture :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/http/software-browser-plugins.zeek` is loaded)
+
+      Indicates if the server is an omniture advertising server.
+
+
+   .. zeek:field:: flash_version :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/http/software-browser-plugins.zeek` is loaded)
+
+      The unparsed Flash version, if detected.
+
+
+   .. zeek:field:: cookie_vars :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/protocols/http/var-extraction-cookies.zeek` is loaded)
+
+      Variable names extracted from all cookies.
+
+
+   .. zeek:field:: uri_vars :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/protocols/http/var-extraction-uri.zeek` is loaded)
+
+      Variable names from the URI.
+
+
+   The record type which contains the fields of the HTTP log.
+
+.. zeek:type:: HTTP::State
+   :source-code: base/protocols/http/main.zeek 93 104
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pending :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`HTTP::Info`
+
+      Pending requests.
+
+
+   .. zeek:field:: current_request :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Current request in the pending queue.
+
+
+   .. zeek:field:: current_response :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Current response in the pending queue.
+
+
+   .. zeek:field:: trans_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Track the current deepest transaction.
+      This is meant to cope with missing requests
+      and responses.
+
+
+   Structure to maintain state for an HTTP connection with multiple
+   requests and responses.
+
+.. zeek:type:: HTTP::Tags
+   :source-code: base/protocols/http/main.zeek 18 22
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: HTTP::EMPTY HTTP::Tags
+
+         Placeholder.
+
+      .. zeek:enum:: HTTP::URI_SQLI HTTP::Tags
+
+         (present if :doc:`/scripts/policy/protocols/http/detect-sql-injection.zeek` is loaded)
+
+
+         Indicator of a URI based SQL injection attack.
+
+   Indicate a type of attack or compromise in the record to be logged.
+
+Events
+######
+.. zeek:id:: HTTP::log_http
+   :source-code: base/protocols/http/main.zeek 132 132
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`HTTP::Info`)
+
+   Event that can be handled to access the HTTP record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: HTTP::finalize_http
+   :source-code: base/protocols/http/main.zeek 393 405
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   HTTP finalization hook.  Remaining HTTP info may get logged when it's called.
+
+.. zeek:id:: HTTP::log_policy
+   :source-code: base/protocols/http/main.zeek 15 15
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/http/utils.zeek.rst b/doc/scripts/base/protocols/http/utils.zeek.rst
new file mode 100644
index 0000000000..22f207a568
--- /dev/null
+++ b/doc/scripts/base/protocols/http/utils.zeek.rst
@@ -0,0 +1,82 @@
+:tocdepth: 3
+
+base/protocols/http/utils.zeek
+==============================
+.. zeek:namespace:: HTTP
+
+Utilities specific for HTTP processing.
+
+:Namespace: HTTP
+:Imports: :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+====================================================== ====================================================================
+:zeek:id:`HTTP::build_url`: :zeek:type:`function`      Creates a URL from an :zeek:type:`HTTP::Info` record.
+:zeek:id:`HTTP::build_url_http`: :zeek:type:`function` Creates a URL from an :zeek:type:`HTTP::Info` record.
+:zeek:id:`HTTP::describe`: :zeek:type:`function`       Create an extremely shortened representation of a log line.
+:zeek:id:`HTTP::extract_keys`: :zeek:type:`function`   Given a string containing a series of key-value pairs separated
+                                                       by "=", this function can be used to parse out all of the key names.
+====================================================== ====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: HTTP::build_url
+   :source-code: base/protocols/http/utils.zeek 55 66
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`HTTP::Info`) : :zeek:type:`string`
+
+   Creates a URL from an :zeek:type:`HTTP::Info` record.  This should
+   handle edge cases such as proxied requests appropriately.
+   
+
+   :param rec: An :zeek:type:`HTTP::Info` record.
+   
+
+   :returns: A URL, not prefixed by ``"http://"``.
+
+.. zeek:id:: HTTP::build_url_http
+   :source-code: base/protocols/http/utils.zeek 68 71
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`HTTP::Info`) : :zeek:type:`string`
+
+   Creates a URL from an :zeek:type:`HTTP::Info` record.  This should
+   handle edge cases such as proxied requests appropriately.
+   
+
+   :param rec: An :zeek:type:`HTTP::Info` record.
+   
+
+   :returns: A URL prefixed with ``"http://"``.
+
+.. zeek:id:: HTTP::describe
+   :source-code: base/protocols/http/utils.zeek 73 76
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`HTTP::Info`) : :zeek:type:`string`
+
+   Create an extremely shortened representation of a log line.
+
+.. zeek:id:: HTTP::extract_keys
+   :source-code: base/protocols/http/utils.zeek 41 53
+
+   :Type: :zeek:type:`function` (data: :zeek:type:`string`, kv_splitter: :zeek:type:`pattern`) : :zeek:type:`string_vec`
+
+   Given a string containing a series of key-value pairs separated
+   by "=", this function can be used to parse out all of the key names.
+   
+
+   :param data: The raw data, such as a URL or cookie value.
+   
+
+   :param kv_splitter: A regular expression representing the separator between
+                key-value pairs.
+   
+
+   :returns: A vector of strings containing the keys.
+
+
diff --git a/doc/scripts/base/protocols/imap/__load__.zeek.rst b/doc/scripts/base/protocols/imap/__load__.zeek.rst
new file mode 100644
index 0000000000..a85a047fe3
--- /dev/null
+++ b/doc/scripts/base/protocols/imap/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/imap/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/imap/main.zeek </scripts/base/protocols/imap/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/imap/index.rst b/doc/scripts/base/protocols/imap/index.rst
new file mode 100644
index 0000000000..d98c587f7a
--- /dev/null
+++ b/doc/scripts/base/protocols/imap/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: base/protocols/imap
+============================
+
+Support for the Internet Message Access Protocol (IMAP).
+
+Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+mails from IMAP sessions, only X509 certificates.
+
+:doc:`/scripts/base/protocols/imap/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/imap/main.zeek`
+
+
diff --git a/doc/scripts/base/protocols/imap/main.zeek.rst b/doc/scripts/base/protocols/imap/main.zeek.rst
new file mode 100644
index 0000000000..48cce3523f
--- /dev/null
+++ b/doc/scripts/base/protocols/imap/main.zeek.rst
@@ -0,0 +1,21 @@
+:tocdepth: 3
+
+base/protocols/imap/main.zeek
+=============================
+.. zeek:namespace:: IMAP
+
+
+:Namespace: IMAP
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/irc/__load__.zeek.rst b/doc/scripts/base/protocols/irc/__load__.zeek.rst
new file mode 100644
index 0000000000..54ee785a65
--- /dev/null
+++ b/doc/scripts/base/protocols/irc/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/irc/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/irc/dcc-send.zeek </scripts/base/protocols/irc/dcc-send.zeek>`, :doc:`base/protocols/irc/files.zeek </scripts/base/protocols/irc/files.zeek>`, :doc:`base/protocols/irc/main.zeek </scripts/base/protocols/irc/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/irc/dcc-send.zeek.rst b/doc/scripts/base/protocols/irc/dcc-send.zeek.rst
new file mode 100644
index 0000000000..ae0c072f27
--- /dev/null
+++ b/doc/scripts/base/protocols/irc/dcc-send.zeek.rst
@@ -0,0 +1,56 @@
+:tocdepth: 3
+
+base/protocols/irc/dcc-send.zeek
+================================
+.. zeek:namespace:: IRC
+
+File extraction and introspection for DCC transfers over IRC.
+
+There is a major problem with this script in the cluster context because
+we might see A send B a message that a DCC connection is to be expected,
+but that connection will actually be between B and C which could be
+analyzed on a different worker.
+
+
+:Namespace: IRC
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/irc/main.zeek </scripts/base/protocols/irc/main.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=========================================== =============================================================================
+:zeek:type:`IRC::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`IRC::Info`
+                                            
+                                              dcc_file_name: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                DCC filename requested.
+                                            
+                                              dcc_file_size: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Size of the DCC transfer as indicated by the sender.
+                                            
+                                              dcc_mime_type: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Sniffed mime type of the file.
+=========================================== =============================================================================
+
+Hooks
+#####
+================================================================= ===============================
+:zeek:id:`IRC::finalize_irc_data`: :zeek:type:`Conn::RemovalHook` IRC DCC data finalization hook.
+================================================================= ===============================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Hooks
+#####
+.. zeek:id:: IRC::finalize_irc_data
+   :source-code: base/protocols/irc/dcc-send.zeek 135 146
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   IRC DCC data finalization hook.  Remaining expected IRC DCC state may be
+   purged when it's called.
+
+
diff --git a/doc/scripts/base/protocols/irc/files.zeek.rst b/doc/scripts/base/protocols/irc/files.zeek.rst
new file mode 100644
index 0000000000..6d5c6e4b10
--- /dev/null
+++ b/doc/scripts/base/protocols/irc/files.zeek.rst
@@ -0,0 +1,47 @@
+:tocdepth: 3
+
+base/protocols/irc/files.zeek
+=============================
+.. zeek:namespace:: IRC
+
+
+:Namespace: IRC
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/irc/dcc-send.zeek </scripts/base/protocols/irc/dcc-send.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================================= ====================================================================
+:zeek:type:`IRC::Info`: :zeek:type:`record`                   
+                                                              
+                                                              :New Fields: :zeek:type:`IRC::Info`
+                                                              
+                                                                fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                  File unique ID.
+:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                              
+                                                              :New Fields: :zeek:type:`fa_file`
+                                                              
+                                                                irc: :zeek:type:`IRC::Info` :zeek:attr:`&optional`
+============================================================= ====================================================================
+
+Functions
+#########
+====================================================== =====================================
+:zeek:id:`IRC::get_file_handle`: :zeek:type:`function` Default file handle provider for IRC.
+====================================================== =====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: IRC::get_file_handle
+   :source-code: base/protocols/irc/files.zeek 21 24
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+   Default file handle provider for IRC.
+
+
diff --git a/doc/scripts/base/protocols/irc/index.rst b/doc/scripts/base/protocols/irc/index.rst
new file mode 100644
index 0000000000..76c8ae5124
--- /dev/null
+++ b/doc/scripts/base/protocols/irc/index.rst
@@ -0,0 +1,29 @@
+:orphan:
+
+Package: base/protocols/irc
+===========================
+
+Support for Internet Relay Chat (IRC) protocol analysis.
+
+:doc:`/scripts/base/protocols/irc/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/irc/main.zeek`
+
+   Implements the core IRC analysis support.  The logging model is to log
+   IRC commands along with the associated response and some additional
+   metadata about the connection if it's available.
+
+:doc:`/scripts/base/protocols/irc/dcc-send.zeek`
+
+   File extraction and introspection for DCC transfers over IRC.
+   
+   There is a major problem with this script in the cluster context because
+   we might see A send B a message that a DCC connection is to be expected,
+   but that connection will actually be between B and C which could be
+   analyzed on a different worker.
+   
+
+:doc:`/scripts/base/protocols/irc/files.zeek`
+
+
diff --git a/doc/scripts/base/protocols/irc/main.zeek.rst b/doc/scripts/base/protocols/irc/main.zeek.rst
new file mode 100644
index 0000000000..db4fd11981
--- /dev/null
+++ b/doc/scripts/base/protocols/irc/main.zeek.rst
@@ -0,0 +1,147 @@
+:tocdepth: 3
+
+base/protocols/irc/main.zeek
+============================
+.. zeek:namespace:: IRC
+
+Implements the core IRC analysis support.  The logging model is to log
+IRC commands along with the associated response and some additional
+metadata about the connection if it's available.
+
+:Namespace: IRC
+
+Summary
+~~~~~~~
+Types
+#####
+=========================================== =
+:zeek:type:`IRC::Info`: :zeek:type:`record` 
+=========================================== =
+
+Redefinitions
+#############
+==================================================================== ====================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`IRC::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       irc: :zeek:type:`IRC::Info` :zeek:attr:`&optional`
+                                                                         IRC session information.
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ====================================================
+
+Events
+######
+=========================================== ===================================================================
+:zeek:id:`IRC::irc_log`: :zeek:type:`event` Event that can be handled to access the IRC record as it is sent on
+                                            to the logging framework.
+=========================================== ===================================================================
+
+Hooks
+#####
+======================================================== =
+:zeek:id:`IRC::log_policy`: :zeek:type:`Log::PolicyHook` 
+======================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: IRC::Info
+   :source-code: base/protocols/irc/main.zeek 13 31
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp when the command was seen.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: nick :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Nickname given for the connection.
+
+
+   .. zeek:field:: user :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Username given for the connection.
+
+
+   .. zeek:field:: command :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Command given by the client.
+
+
+   .. zeek:field:: value :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Value for the command given by the client.
+
+
+   .. zeek:field:: addl :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Any additional data for the command.
+
+
+   .. zeek:field:: dcc_file_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/irc/dcc-send.zeek` is loaded)
+
+      DCC filename requested.
+
+
+   .. zeek:field:: dcc_file_size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/irc/dcc-send.zeek` is loaded)
+
+      Size of the DCC transfer as indicated by the sender.
+
+
+   .. zeek:field:: dcc_mime_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/irc/dcc-send.zeek` is loaded)
+
+      Sniffed mime type of the file.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/irc/files.zeek` is loaded)
+
+      File unique ID.
+
+
+
+Events
+######
+.. zeek:id:: IRC::irc_log
+   :source-code: base/protocols/irc/main.zeek 35 35
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`IRC::Info`)
+
+   Event that can be handled to access the IRC record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: IRC::log_policy
+   :source-code: base/protocols/irc/main.zeek 11 11
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/krb/__load__.zeek.rst b/doc/scripts/base/protocols/krb/__load__.zeek.rst
new file mode 100644
index 0000000000..576052606b
--- /dev/null
+++ b/doc/scripts/base/protocols/krb/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/krb/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/krb/files.zeek </scripts/base/protocols/krb/files.zeek>`, :doc:`base/protocols/krb/main.zeek </scripts/base/protocols/krb/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/krb/consts.zeek.rst b/doc/scripts/base/protocols/krb/consts.zeek.rst
new file mode 100644
index 0000000000..90d2758c06
--- /dev/null
+++ b/doc/scripts/base/protocols/krb/consts.zeek.rst
@@ -0,0 +1,140 @@
+:tocdepth: 3
+
+base/protocols/krb/consts.zeek
+==============================
+.. zeek:namespace:: KRB
+
+
+:Namespace: KRB
+
+Summary
+~~~~~~~
+Constants
+#########
+============================================================================================= =
+:zeek:id:`KRB::cipher_name`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` 
+:zeek:id:`KRB::error_msg`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`   
+============================================================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: KRB::cipher_name
+   :source-code: base/protocols/krb/consts.zeek 76 76
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "des-cbc-md4",
+            [25] = "camellia128-cts-cmac",
+            [14] = "rsaES-OAEP-ENV-OID",
+            [15] = "des-ede3-cbc-Env-OID",
+            [16] = "des3-cbc-sha1-kd",
+            [24] = "rc4-hmac-exp",
+            [23] = "rc4-hmac",
+            [9] = "dsaWithSHA1-CmsOID",
+            [1] = "des-cbc-crc",
+            [11] = "sha1WithRSAEncryption-CmsOID",
+            [7] = "des3-cbc-sha1",
+            [5] = "des3-cbc-md5",
+            [10] = "md5WithRSAEncryption-CmsOID",
+            [13] = "rsaEncryption-EnvOID",
+            [12] = "rc2CBC-EnvOID",
+            [26] = "camellia256-cts-cmac",
+            [65] = "subkey-keymaterial",
+            [18] = "aes256-cts-hmac-sha1-96",
+            [3] = "des-cbc-md5",
+            [17] = "aes128-cts-hmac-sha1-96"
+         }
+
+
+
+.. zeek:id:: KRB::error_msg
+   :source-code: base/protocols/krb/consts.zeek 5 5
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [19] = "KDC_ERR_SERVICE_REVOKED",
+            [20] = "KDC_ERR_TGT_REVOKED",
+            [33] = "KRB_AP_ERR_TKT_NYV",
+            [39] = "KRB_AP_ERR_BADVERSION",
+            [67] = "KRB_AP_ERR_NO_TGT",
+            [73] = "KDC_ERR_REVOCATION_STATUS_UNKNOWN",
+            [75] = "KDC_ERR_CLIENT_NAME_MISMATCH",
+            [46] = "KRB_AP_ERR_MUT_FAIL",
+            [15] = "KDC_ERR_SUMTYPE_NOSUPP",
+            [64] = "KDC_ERROR_INVALID_SIG",
+            [28] = "KDC_ERR_PATH_NOT_ACCEPTED",
+            [9] = "KDC_ERR_NULL_KEY",
+            [68] = "KDC_ERR_WRONG_REALM",
+            [71] = "KDC_ERR_INVALID_CERTIFICATE",
+            [52] = "KRB_ERR_RESPONSE_TOO_BIG",
+            [21] = "KDC_ERR_CLIENT_NOTYET",
+            [4] = "KDC_ERR_C_OLD_MAST_KVNO",
+            [12] = "KDC_ERR_POLICY",
+            [41] = "KRB_AP_ERR_MODIFIED",
+            [17] = "KDC_ERR_TRTYPE_NOSUPP",
+            [25] = "KDC_ERR_PREAUTH_REQUIRED",
+            [76] = "KDC_ERR_KDC_NAME_MISMATCH",
+            [29] = "KDC_ERR_SVC_UNAVAILABLE",
+            [16] = "KDC_ERR_PADATA_TYPE_NOSUPP",
+            [38] = "KRB_AP_ERR_BADADDR",
+            [63] = "KDC_ERROR_KDC_NOT_TRUSTED",
+            [42] = "KRB_AP_ERR_BADORDER",
+            [1] = "KDC_ERR_NAME_EXP",
+            [11] = "KDC_ERR_NEVER_VALID",
+            [35] = "KRB_AP_ERR_NOT_US",
+            [22] = "KDC_ERR_SERVICE_NOTYET",
+            [3] = "KDC_ERR_BAD_PVNO",
+            [44] = "KRB_AP_ERR_BADKEYVER",
+            [34] = "KRB_AP_ERR_REPEAT",
+            [45] = "KRB_AP_ERR_NOKEY",
+            [40] = "KRB_AP_ERR_MSG_TYPE",
+            [36] = "KRB_AP_ERR_BADMATCH",
+            [14] = "KDC_ERR_ETYPE_NOSUPP",
+            [6] = "KDC_ERR_C_PRINCIPAL_UNKNOWN",
+            [31] = "KRB_AP_ERR_BAD_INTEGRITY",
+            [8] = "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
+            [23] = "KDC_ERR_KEY_EXPIRED",
+            [27] = "KDC_ERR_MUST_USE_USER2USER",
+            [7] = "KDC_ERR_S_PRINCIPAL_UNKNOWN",
+            [66] = "KDC_ERR_CERTIFICATE_MISMATCH",
+            [10] = "KDC_ERR_CANNOT_POSTDATE",
+            [32] = "KRB_AP_ERR_TKT_EXPIRED",
+            [13] = "KDC_ERR_BADOPTION",
+            [26] = "KDC_ERR_SERVER_NOMATCH",
+            [65] = "KDC_ERR_KEY_TOO_WEAK",
+            [62] = "KDC_ERROR_CLIENT_NOT_TRUSTED",
+            [74] = "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE",
+            [47] = "KRB_AP_ERR_BADDIRECTION",
+            [70] = "KDC_ERR_CANT_VERIFY_CERTIFICATE",
+            [50] = "KRB_AP_ERR_INAPP_CKSUM",
+            [2] = "KDC_ERR_SERVICE_EXP",
+            [72] = "KDC_ERR_REVOKED_CERTIFICATE",
+            [48] = "KRB_AP_ERR_METHOD",
+            [24] = "KDC_ERR_PREAUTH_FAILED",
+            [69] = "KRB_AP_ERR_USER_TO_USER_REQUIRED",
+            [49] = "KRB_AP_ERR_BADSEQ",
+            [5] = "KDC_ERR_S_OLD_MAST_KVNO",
+            [61] = "KRB_ERR_FIELD_TOOLONG",
+            [60] = "KRB_ERR_GENERIC",
+            [51] = "KRB_AP_PATH_NOT_ACCEPTED",
+            [37] = "KRB_AP_ERR_SKEW",
+            [18] = "KDC_ERR_CLIENT_REVOKED",
+            [0] = "KDC_ERR_NONE"
+         }
+
+
+
+
diff --git a/doc/scripts/base/protocols/krb/files.zeek.rst b/doc/scripts/base/protocols/krb/files.zeek.rst
new file mode 100644
index 0000000000..6057476ced
--- /dev/null
+++ b/doc/scripts/base/protocols/krb/files.zeek.rst
@@ -0,0 +1,65 @@
+:tocdepth: 3
+
+base/protocols/krb/files.zeek
+=============================
+.. zeek:namespace:: KRB
+
+
+:Namespace: KRB
+:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/krb/main.zeek </scripts/base/protocols/krb/main.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=========================================== ===================================================================================
+:zeek:type:`KRB::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`KRB::Info`
+                                            
+                                              client_cert: :zeek:type:`Files::Info` :zeek:attr:`&optional`
+                                                Client certificate
+                                            
+                                              client_cert_subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Subject of client certificate, if any
+                                            
+                                              client_cert_fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                File unique ID of client cert, if any
+                                            
+                                              server_cert: :zeek:type:`Files::Info` :zeek:attr:`&optional`
+                                                Server certificate
+                                            
+                                              server_cert_subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Subject of server certificate, if any
+                                            
+                                              server_cert_fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                File unique ID of server cert, if any
+=========================================== ===================================================================================
+
+Functions
+#########
+====================================================== =====================================
+:zeek:id:`KRB::describe_file`: :zeek:type:`function`   Default file describer for KRB.
+:zeek:id:`KRB::get_file_handle`: :zeek:type:`function` Default file handle provider for KRB.
+====================================================== =====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: KRB::describe_file
+   :source-code: base/protocols/krb/files.zeek 38 62
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
+
+   Default file describer for KRB.
+
+.. zeek:id:: KRB::get_file_handle
+   :source-code: base/protocols/krb/files.zeek 32 36
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+   Default file handle provider for KRB.
+
+
diff --git a/doc/scripts/base/protocols/krb/index.rst b/doc/scripts/base/protocols/krb/index.rst
new file mode 100644
index 0000000000..8d4d9b6fdd
--- /dev/null
+++ b/doc/scripts/base/protocols/krb/index.rst
@@ -0,0 +1,21 @@
+:orphan:
+
+Package: base/protocols/krb
+===========================
+
+Support for Kerberos protocol analysis.
+
+:doc:`/scripts/base/protocols/krb/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/krb/main.zeek`
+
+   Implements base functionality for KRB analysis. Generates the kerberos.log
+   file.
+
+:doc:`/scripts/base/protocols/krb/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/krb/files.zeek`
+
+
diff --git a/doc/scripts/base/protocols/krb/main.zeek.rst b/doc/scripts/base/protocols/krb/main.zeek.rst
new file mode 100644
index 0000000000..782c0b7471
--- /dev/null
+++ b/doc/scripts/base/protocols/krb/main.zeek.rst
@@ -0,0 +1,243 @@
+:tocdepth: 3
+
+base/protocols/krb/main.zeek
+============================
+.. zeek:namespace:: KRB
+
+Implements base functionality for KRB analysis. Generates the kerberos.log
+file.
+
+:Namespace: KRB
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/krb/consts.zeek </scripts/base/protocols/krb/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+==================================================================== =======================================================
+:zeek:id:`KRB::ignored_errors`: :zeek:type:`set` :zeek:attr:`&redef` The server response error texts which are *not* logged.
+==================================================================== =======================================================
+
+Types
+#####
+=========================================== =
+:zeek:type:`KRB::Info`: :zeek:type:`record` 
+=========================================== =
+
+Redefinitions
+#############
+==================================================================== ====================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`KRB::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       krb: :zeek:type:`KRB::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ====================================================
+
+Events
+######
+=========================================== ===================================================================
+:zeek:id:`KRB::log_krb`: :zeek:type:`event` Event that can be handled to access the KRB record as it is sent on
+                                            to the logging framework.
+=========================================== ===================================================================
+
+Hooks
+#####
+============================================================ ===========================
+:zeek:id:`KRB::finalize_krb`: :zeek:type:`Conn::RemovalHook` Kerberos finalization hook.
+:zeek:id:`KRB::log_policy`: :zeek:type:`Log::PolicyHook`     
+============================================================ ===========================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: KRB::ignored_errors
+   :source-code: base/protocols/krb/main.zeek 54 54
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "NEEDED_PREAUTH",
+            "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"
+         }
+
+
+   The server response error texts which are *not* logged.
+
+Types
+#####
+.. zeek:type:: KRB::Info
+   :source-code: base/protocols/krb/main.zeek 14 51
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: request_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Request type - Authentication Service ("AS") or
+      Ticket Granting Service ("TGS")
+
+
+   .. zeek:field:: client :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Client
+
+
+   .. zeek:field:: service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Service
+
+
+   .. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Request result
+
+
+   .. zeek:field:: error_code :zeek:type:`count` :zeek:attr:`&optional`
+
+      Error code
+
+
+   .. zeek:field:: error_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Error message
+
+
+   .. zeek:field:: from :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Ticket valid from
+
+
+   .. zeek:field:: till :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Ticket valid till
+
+
+   .. zeek:field:: cipher :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Ticket encryption type
+
+
+   .. zeek:field:: forwardable :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Forwardable ticket requested
+
+
+   .. zeek:field:: renewable :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Renewable ticket requested
+
+
+   .. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      We've already logged this
+
+
+   .. zeek:field:: client_cert :zeek:type:`Files::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
+
+      Client certificate
+
+
+   .. zeek:field:: client_cert_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
+
+      Subject of client certificate, if any
+
+
+   .. zeek:field:: client_cert_fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
+
+      File unique ID of client cert, if any
+
+
+   .. zeek:field:: server_cert :zeek:type:`Files::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
+
+      Server certificate
+
+
+   .. zeek:field:: server_cert_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
+
+      Subject of server certificate, if any
+
+
+   .. zeek:field:: server_cert_fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
+
+      File unique ID of server cert, if any
+
+
+   .. zeek:field:: auth_ticket :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/krb/ticket-logging.zeek` is loaded)
+
+      Hash of ticket used to authorize request/transaction
+
+
+   .. zeek:field:: new_ticket :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/krb/ticket-logging.zeek` is loaded)
+
+      Hash of ticket returned by the KDC
+
+
+
+Events
+######
+.. zeek:id:: KRB::log_krb
+   :source-code: base/protocols/krb/main.zeek 68 68
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`KRB::Info`)
+
+   Event that can be handled to access the KRB record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: KRB::finalize_krb
+   :source-code: base/protocols/krb/main.zeek 71 71
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   Kerberos finalization hook.  Remaining Kerberos info may get logged when it's called.
+
+.. zeek:id:: KRB::log_policy
+   :source-code: base/protocols/krb/main.zeek 12 12
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/ldap/__load__.zeek.rst b/doc/scripts/base/protocols/ldap/__load__.zeek.rst
new file mode 100644
index 0000000000..b13697d938
--- /dev/null
+++ b/doc/scripts/base/protocols/ldap/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/ldap/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/ldap/consts.zeek </scripts/base/protocols/ldap/consts.zeek>`, :doc:`base/protocols/ldap/main.zeek </scripts/base/protocols/ldap/main.zeek>`, :doc:`base/protocols/ldap/spicy-events.zeek </scripts/base/protocols/ldap/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/ldap/consts.zeek.rst b/doc/scripts/base/protocols/ldap/consts.zeek.rst
new file mode 100644
index 0000000000..325e343bd2
--- /dev/null
+++ b/doc/scripts/base/protocols/ldap/consts.zeek.rst
@@ -0,0 +1,241 @@
+:tocdepth: 3
+
+base/protocols/ldap/consts.zeek
+===============================
+.. zeek:namespace:: LDAP
+
+
+:Namespace: LDAP
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================================================ =
+:zeek:id:`LDAP::EXTENDED_REQUESTS`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"`` :zeek:attr:`&redef` 
+================================================================================================================ =
+
+Constants
+#########
+=============================================================================================== =
+:zeek:id:`LDAP::BIND_SASL`: :zeek:type:`string`                                                 
+:zeek:id:`LDAP::BIND_SICILY_NEGOTIATE`: :zeek:type:`string`                                     
+:zeek:id:`LDAP::BIND_SICILY_RESPONSE`: :zeek:type:`string`                                      
+:zeek:id:`LDAP::BIND_SIMPLE`: :zeek:type:`string`                                               
+:zeek:id:`LDAP::PROTOCOL_OPCODES`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"``     
+:zeek:id:`LDAP::RESULT_CODES`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"``         
+:zeek:id:`LDAP::SEARCH_DEREF_ALIASES`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"`` 
+:zeek:id:`LDAP::SEARCH_SCOPES`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"``        
+=============================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: LDAP::EXTENDED_REQUESTS
+   :source-code: base/protocols/ldap/consts.zeek 126 126
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = ``"unknown"`` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            ["1.3.6.1.4.1.1466.20037"] = "StartTLS",
+            ["1.3.6.1.4.1.4203.1.11.3"] = "whoami"
+         }
+
+
+
+Constants
+#########
+.. zeek:id:: LDAP::BIND_SASL
+   :source-code: base/protocols/ldap/consts.zeek 28 28
+
+   :Type: :zeek:type:`string`
+   :Default: ``"bind SASL"``
+
+
+.. zeek:id:: LDAP::BIND_SICILY_NEGOTIATE
+   :source-code: base/protocols/ldap/consts.zeek 29 29
+
+   :Type: :zeek:type:`string`
+   :Default: ``"sicily_negotiate"``
+
+
+.. zeek:id:: LDAP::BIND_SICILY_RESPONSE
+   :source-code: base/protocols/ldap/consts.zeek 30 30
+
+   :Type: :zeek:type:`string`
+   :Default: ``"sicily_response"``
+
+
+.. zeek:id:: LDAP::BIND_SIMPLE
+   :source-code: base/protocols/ldap/consts.zeek 27 27
+
+   :Type: :zeek:type:`string`
+   :Default: ``"bind simple"``
+
+
+.. zeek:id:: LDAP::PROTOCOL_OPCODES
+   :source-code: base/protocols/ldap/consts.zeek 4 4
+
+   :Type: :zeek:type:`table` [:zeek:type:`LDAP::ProtocolOpcode`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = ``"unknown"``
+   :Default:
+
+      ::
+
+         {
+            [LDAP::ProtocolOpcode_SEARCH_RESULT_REFERENCE] = "search",
+            [LDAP::ProtocolOpcode_UNBIND_REQUEST] = "unbind",
+            [LDAP::ProtocolOpcode_INTERMEDIATE_RESPONSE] = "intermediate",
+            [LDAP::ProtocolOpcode_COMPARE_REQUEST] = "compare",
+            [LDAP::ProtocolOpcode_COMPARE_RESPONSE] = "compare",
+            [LDAP::ProtocolOpcode_MODIFY_REQUEST] = "modify",
+            [LDAP::ProtocolOpcode_ABANDON_REQUEST] = "abandon",
+            [LDAP::ProtocolOpcode_EXTENDED_RESPONSE] = "extended",
+            [LDAP::ProtocolOpcode_ADD_REQUEST] = "add",
+            [LDAP::ProtocolOpcode_EXTENDED_REQUEST] = "extended",
+            [LDAP::ProtocolOpcode_ADD_RESPONSE] = "add",
+            [LDAP::ProtocolOpcode_BIND_RESPONSE] = "bind",
+            [LDAP::ProtocolOpcode_DEL_RESPONSE] = "delete",
+            [LDAP::ProtocolOpcode_MODIFY_RESPONSE] = "modify",
+            [LDAP::ProtocolOpcode_SEARCH_RESULT_DONE] = "search",
+            [LDAP::ProtocolOpcode_DEL_REQUEST] = "delete",
+            [LDAP::ProtocolOpcode_SEARCH_RESULT_ENTRY] = "search",
+            [LDAP::ProtocolOpcode_MOD_DN_RESPONSE] = "modify",
+            [LDAP::ProtocolOpcode_MOD_DN_REQUEST] = "modify",
+            [LDAP::ProtocolOpcode_SEARCH_REQUEST] = "search",
+            [LDAP::ProtocolOpcode_BIND_REQUEST] = "bind"
+         }
+
+
+
+.. zeek:id:: LDAP::RESULT_CODES
+   :source-code: base/protocols/ldap/consts.zeek 32 32
+
+   :Type: :zeek:type:`table` [:zeek:type:`LDAP::ResultCode`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = ``"unknown"``
+   :Default:
+
+      ::
+
+         {
+            [LDAP::ResultCode_NO_RESULTS_RETURNED] = "no results returned",
+            [LDAP::ResultCode_CONSTRAINT_VIOLATION] = "constraint violation",
+            [LDAP::ResultCode_ATTRIBUTE_OR_VALUE_EXISTS] = "attribute or value exists",
+            [LDAP::ResultCode_ALIAS_PROBLEM] = "alias problem",
+            [LDAP::ResultCode_CLIENT_LOOP] = "client loop",
+            [LDAP::ResultCode_NOT_ALLOWED_ON_RDN] = "not allowed on RDN",
+            [LDAP::ResultCode_NAMING_VIOLATION] = "naming violation",
+            [LDAP::ResultCode_CONNECT_ERROR] = "connect error",
+            [LDAP::ResultCode_PARTIAL_RESULTS] = "partial results",
+            [LDAP::ResultCode_ENTRY_ALREADY_EXISTS] = "entry already exists",
+            [LDAP::ResultCode_REFERRAL_LIMIT_EXCEEDED] = "referral limit exceeded",
+            [LDAP::ResultCode_UNWILLING_TO_PERFORM] = "unwilling to perform",
+            [LDAP::ResultCode_AFFECTS_MULTIPLE_DSAS] = "affects multiple DSAs",
+            [LDAP::ResultCode_UNAVAILABLE] = "unavailable",
+            [LDAP::ResultCode_INVALID_ATTRIBUTE_SYNTAX] = "invalid attribute syntax",
+            [LDAP::ResultCode_SIZE_LIMIT_EXCEEDED] = "size limit exceeded",
+            [LDAP::ResultCode_UNAVAILABLE_CRITICAL_EXTENSION] = "unavailable critical extension",
+            [LDAP::ResultCode_UNDEFINED_ATTRIBUTE_TYPE] = "undefined attribute type",
+            [LDAP::ResultCode_NO_SUCH_OPERATION] = "no such operation",
+            [LDAP::ResultCode_OTHER] = "other",
+            [LDAP::ResultCode_SERVER_DOWN] = "server down",
+            [LDAP::ResultCode_USER_CANCELED] = "user canceled",
+            [LDAP::ResultCode_CONTROL_ERROR] = "control error",
+            [LDAP::ResultCode_NO_SUCH_ATTRIBUTE] = "no such attribute",
+            [LDAP::ResultCode_LCUP_INVALID_DATA] = "LCUP invalid data",
+            [LDAP::ResultCode_LOOP_DETECT] = "loop detect",
+            [LDAP::ResultCode_MORE_RESULTS_TO_RETURN] = "more results to return",
+            [LDAP::ResultCode_NO_MEMORY] = "no memory",
+            [LDAP::ResultCode_OPERATIONS_ERROR] = "operations error",
+            [LDAP::ResultCode_AUTH_UNKNOWN] = "auth unknown",
+            [LDAP::ResultCode_LCUP_UNSUPPORTED_SCHEME] = "LCUP unsupported scheme",
+            [LDAP::ResultCode_ADMIN_LIMIT_EXCEEDED] = "admin limit exceeded",
+            [LDAP::ResultCode_INTERMEDIATE_RESPONSE] = "intermediate response",
+            [LDAP::ResultCode_TIME_LIMIT_EXCEEDED] = "time limit exceeded",
+            [LDAP::ResultCode_UNKNOWN_TYPE] = "unknown type",
+            [LDAP::ResultCode_INVALID_DNSYNTAX] = "invalid DN syntax",
+            [LDAP::ResultCode_ALIAS_DEREFERENCING_PROBLEM] = "alias dereferencing problem",
+            [LDAP::ResultCode_COMPARE_TRUE] = "compare true",
+            [LDAP::ResultCode_SASL_BIND_IN_PROGRESS] = "SASL bind in progress",
+            [LDAP::ResultCode_STRONGER_AUTH_REQUIRED] = "stronger auth required",
+            [LDAP::ResultCode_ENCODING_ERROR] = "encoding error",
+            [LDAP::ResultCode_LOCAL_ERROR] = "local error",
+            [LDAP::ResultCode_ASSERTION_FAILED] = "assertion failed",
+            [LDAP::ResultCode_AUTH_METHOD_NOT_SUPPORTED] = "auth method not supported",
+            [LDAP::ResultCode_NOT_ALLOWED_ON_NON_LEAF] = "not allowed on non-leaf",
+            [LDAP::ResultCode_NOT_SUPPORTED] = "not supported",
+            [LDAP::ResultCode_REFERRAL] = "referral",
+            [LDAP::ResultCode_OBJECT_CLASS_VIOLATION] = "object class violation",
+            [LDAP::ResultCode_NO_SUCH_OBJECT] = "no such object",
+            [LDAP::ResultCode_CONFIDENTIALITY_REQUIRED] = "confidentiality required",
+            [LDAP::ResultCode_AMBIGUOUS_RESPONSE] = "ambiguous response",
+            [LDAP::ResultCode_PARAM_ERROR] = "param error",
+            [LDAP::ResultCode_CANCELED] = "canceled",
+            [LDAP::ResultCode_RESULTS_TOO_LARGE] = "results too large",
+            [LDAP::ResultCode_CONTROL_NOT_FOUND] = "control not found",
+            [LDAP::ResultCode_INSUFFICIENT_ACCESS_RIGHTS] = "insufficient access rights",
+            [LDAP::ResultCode_TOO_LATE] = "too late",
+            [LDAP::ResultCode_PROTOCOL_ERROR] = "protocol error",
+            [LDAP::ResultCode_CANNOT_CANCEL] = "cannot cancel",
+            [LDAP::ResultCode_INAPPROPRIATE_AUTHENTICATION] = "inappropriate authentication",
+            [LDAP::ResultCode_OBJECT_CLASS_MODS_PROHIBITED] = "object class mods prohibited",
+            [LDAP::ResultCode_TIMEOUT] = "timeout",
+            [LDAP::ResultCode_INVALID_CREDENTIALS] = "invalid credentials",
+            [LDAP::ResultCode_COMPARE_FALSE] = "compare false",
+            [LDAP::ResultCode_TLS_NOT_SUPPORTED] = "TLS not supported",
+            [LDAP::ResultCode_OFFSET_RANGE_ERROR] = "offset range error",
+            [LDAP::ResultCode_SORT_CONTROL_MISSING] = "sort control missing",
+            [LDAP::ResultCode_INVALID_RESPONSE] = "invalid response",
+            [LDAP::ResultCode_BUSY] = "busy",
+            [LDAP::ResultCode_INAPPROPRIATE_MATCHING] = "inappropriate matching",
+            [LDAP::ResultCode_LCUP_RELOAD_REQUIRED] = "LCUP reload required",
+            [LDAP::ResultCode_SUCCESS] = "success",
+            [LDAP::ResultCode_AUTHORIZATION_DENIED] = "authorization denied",
+            [LDAP::ResultCode_FILTER_ERROR] = "filter error",
+            [LDAP::ResultCode_DECODING_ERROR] = "decoding error"
+         }
+
+
+
+.. zeek:id:: LDAP::SEARCH_DEREF_ALIASES
+   :source-code: base/protocols/ldap/consts.zeek 120 120
+
+   :Type: :zeek:type:`table` [:zeek:type:`LDAP::SearchDerefAlias`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = ``"unknown"``
+   :Default:
+
+      ::
+
+         {
+            [LDAP::SearchDerefAlias_DEREF_NEVER] = "never",
+            [LDAP::SearchDerefAlias_DEREF_FINDING_BASE] = "finding",
+            [LDAP::SearchDerefAlias_DEREF_ALWAYS] = "always",
+            [LDAP::SearchDerefAlias_DEREF_IN_SEARCHING] = "searching"
+         }
+
+
+
+.. zeek:id:: LDAP::SEARCH_SCOPES
+   :source-code: base/protocols/ldap/consts.zeek 116 116
+
+   :Type: :zeek:type:`table` [:zeek:type:`LDAP::SearchScope`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = ``"unknown"``
+   :Default:
+
+      ::
+
+         {
+            [LDAP::SearchScope_SEARCH_BASE] = "base",
+            [LDAP::SearchScope_SEARCH_TREE] = "tree",
+            [LDAP::SearchScope_SEARCH_SINGLE] = "single"
+         }
+
+
+
+
diff --git a/doc/scripts/base/protocols/ldap/index.rst b/doc/scripts/base/protocols/ldap/index.rst
new file mode 100644
index 0000000000..e656114f8c
--- /dev/null
+++ b/doc/scripts/base/protocols/ldap/index.rst
@@ -0,0 +1,21 @@
+:orphan:
+
+Package: base/protocols/ldap
+============================
+
+
+:doc:`/scripts/base/protocols/ldap/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/ldap/spicy-events.zeek`
+
+   Events generated by the LDAP analyzer.
+   
+   See See `RFC4511 <https://tools.ietf.org/html/rfc4511>`__.
+
+:doc:`/scripts/base/protocols/ldap/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/ldap/main.zeek`
+
+
diff --git a/doc/scripts/base/protocols/ldap/main.zeek.rst b/doc/scripts/base/protocols/ldap/main.zeek.rst
new file mode 100644
index 0000000000..e74e911d4f
--- /dev/null
+++ b/doc/scripts/base/protocols/ldap/main.zeek.rst
@@ -0,0 +1,256 @@
+:tocdepth: 3
+
+base/protocols/ldap/main.zeek
+=============================
+.. zeek:namespace:: LDAP
+
+
+:Namespace: LDAP
+:Imports: :doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/ldap/consts.zeek </scripts/base/protocols/ldap/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+===================================================================================== =================================================
+:zeek:id:`LDAP::default_capture_password`: :zeek:type:`bool` :zeek:attr:`&redef`      Whether clear text passwords are captured or not.
+:zeek:id:`LDAP::default_log_search_attributes`: :zeek:type:`bool` :zeek:attr:`&redef` Whether to log LDAP search attributes or not.
+===================================================================================== =================================================
+
+Redefinable Options
+###################
+================================================================ ==================================================
+:zeek:id:`LDAP::ports_tcp`: :zeek:type:`set` :zeek:attr:`&redef` TCP ports which should be considered for analysis.
+:zeek:id:`LDAP::ports_udp`: :zeek:type:`set` :zeek:attr:`&redef` UDP ports which should be considered for analysis.
+================================================================ ==================================================
+
+Types
+#####
+=================================================== =
+:zeek:type:`LDAP::MessageInfo`: :zeek:type:`record` 
+:zeek:type:`LDAP::SearchInfo`: :zeek:type:`record`  
+:zeek:type:`LDAP::State`: :zeek:type:`record`       
+=================================================== =
+
+Redefinitions
+#############
+==================================================================== =======================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`LDAP::LDAP_LOG`
+                                                                     
+                                                                     * :zeek:enum:`LDAP::LDAP_SEARCH_LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       ldap: :zeek:type:`LDAP::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =======================================================
+
+Events
+######
+==================================================== =
+:zeek:id:`LDAP::log_ldap`: :zeek:type:`event`        
+:zeek:id:`LDAP::log_ldap_search`: :zeek:type:`event` 
+==================================================== =
+
+Hooks
+#####
+================================================================ ================================================
+:zeek:id:`LDAP::finalize_ldap`: :zeek:type:`Conn::RemovalHook`   LDAP finalization hook.
+:zeek:id:`LDAP::log_policy`: :zeek:type:`Log::PolicyHook`        Default logging policy hook for LDAP_LOG.
+:zeek:id:`LDAP::log_policy_search`: :zeek:type:`Log::PolicyHook` Default logging policy hook for LDAP_SEARCH_LOG.
+================================================================ ================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: LDAP::default_capture_password
+   :source-code: base/protocols/ldap/main.zeek 20 20
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether clear text passwords are captured or not.
+
+.. zeek:id:: LDAP::default_log_search_attributes
+   :source-code: base/protocols/ldap/main.zeek 23 23
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether to log LDAP search attributes or not.
+
+Redefinable Options
+###################
+.. zeek:id:: LDAP::ports_tcp
+   :source-code: base/protocols/ldap/main.zeek 14 14
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            3268/tcp,
+            389/tcp
+         }
+
+
+   TCP ports which should be considered for analysis.
+
+.. zeek:id:: LDAP::ports_udp
+   :source-code: base/protocols/ldap/main.zeek 17 17
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            389/udp
+         }
+
+
+   UDP ports which should be considered for analysis.
+
+Types
+#####
+.. zeek:type:: LDAP::MessageInfo
+   :source-code: base/protocols/ldap/main.zeek 37 67
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+
+   .. zeek:field:: message_id :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: version :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: opcode :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: result :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: diagnostic_message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: object :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: argument :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: LDAP::SearchInfo
+   :source-code: base/protocols/ldap/main.zeek 72 106
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+
+   .. zeek:field:: message_id :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: scope :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: deref_aliases :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: base_object :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: result_count :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: result :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: diagnostic_message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: filter :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: attributes :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+
+.. zeek:type:: LDAP::State
+   :source-code: base/protocols/ldap/main.zeek 108 111
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: messages :zeek:type:`table` [:zeek:type:`int`] of :zeek:type:`LDAP::MessageInfo` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: searches :zeek:type:`table` [:zeek:type:`int`] of :zeek:type:`LDAP::SearchInfo` :zeek:attr:`&optional`
+
+
+
+Events
+######
+.. zeek:id:: LDAP::log_ldap
+   :source-code: base/protocols/ldap/main.zeek 115 115
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`LDAP::MessageInfo`)
+
+
+.. zeek:id:: LDAP::log_ldap_search
+   :source-code: base/protocols/ldap/main.zeek 116 116
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`LDAP::SearchInfo`)
+
+
+Hooks
+#####
+.. zeek:id:: LDAP::finalize_ldap
+   :source-code: base/protocols/ldap/main.zeek 400 419
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   LDAP finalization hook.
+
+.. zeek:id:: LDAP::log_policy
+   :source-code: base/protocols/ldap/main.zeek 26 26
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   Default logging policy hook for LDAP_LOG.
+
+.. zeek:id:: LDAP::log_policy_search
+   :source-code: base/protocols/ldap/main.zeek 29 29
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   Default logging policy hook for LDAP_SEARCH_LOG.
+
+
diff --git a/doc/scripts/base/protocols/ldap/spicy-events.zeek.rst b/doc/scripts/base/protocols/ldap/spicy-events.zeek.rst
new file mode 100644
index 0000000000..b0b989bbb7
--- /dev/null
+++ b/doc/scripts/base/protocols/ldap/spicy-events.zeek.rst
@@ -0,0 +1,191 @@
+:tocdepth: 3
+
+base/protocols/ldap/spicy-events.zeek
+=====================================
+
+Events generated by the LDAP analyzer.
+
+See See `RFC4511 <https://tools.ietf.org/html/rfc4511>`__.
+
+
+Summary
+~~~~~~~
+Events
+######
+======================================================== =================================================================
+:zeek:id:`LDAP::bind_request`: :zeek:type:`event`        Event generated for each LDAPMessage containing a BindRequest.
+:zeek:id:`LDAP::extended_request`: :zeek:type:`event`    Event generated for each ExtendedRequest in LDAP messages.
+:zeek:id:`LDAP::extended_response`: :zeek:type:`event`   Event generated for each ExtendedResponse in LDAP messages.
+:zeek:id:`LDAP::message`: :zeek:type:`event`             Event generated for each LDAPMessage (either direction).
+:zeek:id:`LDAP::search_request`: :zeek:type:`event`      Event generated for each LDAPMessage containing a SearchRequest.
+:zeek:id:`LDAP::search_result_entry`: :zeek:type:`event` Event generated for each SearchResultEntry in LDAP messages.
+:zeek:id:`LDAP::starttls`: :zeek:type:`event`            Event generated when a plaintext LDAP connection switched to TLS.
+======================================================== =================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: LDAP::bind_request
+   :source-code: base/protocols/ldap/main.zeek 366 397
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, version: :zeek:type:`int`, name: :zeek:type:`string`, auth_type: :zeek:type:`LDAP::BindAuthType`, auth_info: :zeek:type:`string`)
+
+   Event generated for each LDAPMessage containing a BindRequest.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param version: The version field in the BindRequest.
+   
+
+   :param name: The name field in the BindRequest.
+   
+
+   :param auth_type: The auth type field in the BindRequest.
+   
+
+   :param auth_info: Additional information related to the used auth type.
+
+.. zeek:id:: LDAP::extended_request
+   :source-code: base/protocols/ldap/spicy-events.zeek 111 111
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, request_name: :zeek:type:`string`, request_value: :zeek:type:`string`)
+
+   Event generated for each ExtendedRequest in LDAP messages.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param request_name: The name of the extended request.
+   
+
+   :param request_value: The value of the extended request (empty if missing).
+
+.. zeek:id:: LDAP::extended_response
+   :source-code: base/protocols/ldap/spicy-events.zeek 129 129
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, result: :zeek:type:`LDAP::ResultCode`, response_name: :zeek:type:`string`, response_value: :zeek:type:`string`)
+
+   Event generated for each ExtendedResponse in LDAP messages.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param result: The result code of the response.
+   
+
+   :param response_name: The name of the extended response (empty if missing).
+   
+
+   :param response_value: The value of the extended response (empty if missing).
+
+.. zeek:id:: LDAP::message
+   :source-code: base/protocols/ldap/main.zeek 188 287
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, opcode: :zeek:type:`LDAP::ProtocolOpcode`, result: :zeek:type:`LDAP::ResultCode`, matched_dn: :zeek:type:`string`, diagnostic_message: :zeek:type:`string`, object: :zeek:type:`string`, argument: :zeek:type:`string`)
+
+   Event generated for each LDAPMessage (either direction).
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param opcode: The protocolOp field in the message.
+   
+
+   :param result: The result code if the message contains a result.
+   
+
+   :param matched_dn: The DN if the message contains a result.
+   
+
+   :param diagnostic_message: Diagnostic message if the LDAP message contains a result.
+   
+
+   :param object: The object name this message refers to.
+   
+
+   :param argument: Additional arguments this message includes.
+
+.. zeek:id:: LDAP::search_request
+   :source-code: base/protocols/ldap/main.zeek 299 348
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, base_object: :zeek:type:`string`, scope: :zeek:type:`LDAP::SearchScope`, deref: :zeek:type:`LDAP::SearchDerefAlias`, size_limit: :zeek:type:`int`, time_limit: :zeek:type:`int`, types_only: :zeek:type:`bool`, filter: :zeek:type:`string`, attributes: :zeek:type:`vector` of :zeek:type:`string`)
+
+   Event generated for each LDAPMessage containing a SearchRequest.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param base_object: The baseObject field in the SearchRequest.
+   
+
+   :param scope: The scope field in the SearchRequest.
+   
+
+   :param deref_alias: The derefAlias field in the SearchRequest
+   
+
+   :param size_limit: The sizeLimit field in the SearchRequest.
+   
+
+   :param time_limit: The timeLimit field in the SearchRequest.
+   
+
+   :param types_only: The typesOnly field in the SearchRequest.
+   
+
+   :param filter: The string representation of the filter field in the SearchRequest.
+   
+
+   :param attributes: Additional attributes of the SearchRequest.
+
+.. zeek:id:: LDAP::search_result_entry
+   :source-code: base/protocols/ldap/main.zeek 353 358
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, object_name: :zeek:type:`string`)
+
+   Event generated for each SearchResultEntry in LDAP messages.
+   
+
+   :param c: The connection.
+   
+
+   :param message_id: The messageID element.
+   
+
+   :param object_name: The object name in the SearchResultEntry.
+
+.. zeek:id:: LDAP::starttls
+   :source-code: base/protocols/ldap/spicy-events.zeek 141 141
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Event generated when a plaintext LDAP connection switched to TLS.
+   
+
+   :param c: The connection.
+   
+
+
diff --git a/doc/scripts/base/protocols/modbus/__load__.zeek.rst b/doc/scripts/base/protocols/modbus/__load__.zeek.rst
new file mode 100644
index 0000000000..73e14c5d1c
--- /dev/null
+++ b/doc/scripts/base/protocols/modbus/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/modbus/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/protocols/modbus/consts.zeek </scripts/base/protocols/modbus/consts.zeek>`, :doc:`base/protocols/modbus/main.zeek </scripts/base/protocols/modbus/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/modbus/consts.zeek.rst b/doc/scripts/base/protocols/modbus/consts.zeek.rst
new file mode 100644
index 0000000000..83231b47e3
--- /dev/null
+++ b/doc/scripts/base/protocols/modbus/consts.zeek.rst
@@ -0,0 +1,94 @@
+:tocdepth: 3
+
+base/protocols/modbus/consts.zeek
+=================================
+.. zeek:namespace:: Modbus
+
+
+:Namespace: Modbus
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================================== =======================================
+:zeek:id:`Modbus::exception_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef` 
+:zeek:id:`Modbus::function_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`  Standard defined Modbus function codes.
+======================================================================================================================== =======================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Modbus::exception_codes
+   :source-code: base/protocols/modbus/consts.zeek 43 43
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [2] = "ILLEGAL_DATA_ADDRESS",
+            [8] = "MEMORY_PARITY_ERROR",
+            [11] = "GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND",
+            [5] = "ACKNOWLEDGE",
+            [3] = "ILLEGAL_DATA_VALUE",
+            [10] = "GATEWAY_PATH_UNAVAILABLE",
+            [6] = "SLAVE_DEVICE_BUSY",
+            [4] = "SLAVE_DEVICE_FAILURE",
+            [1] = "ILLEGAL_FUNCTION"
+         }
+
+
+
+.. zeek:id:: Modbus::function_codes
+   :source-code: base/protocols/modbus/consts.zeek 6 6
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [40] = "PROGRAM_CONCEPT",
+            [19] = "RESET_COMM_LINK_884_U84",
+            [20] = "READ_FILE_RECORD",
+            [15] = "WRITE_MULTIPLE_COILS",
+            [6] = "WRITE_SINGLE_REGISTER",
+            [14] = "POLL_584_984",
+            [125] = "FIRMWARE_REPLACEMENT",
+            [8] = "DIAGNOSTICS",
+            [23] = "READ_WRITE_MULTIPLE_REGISTERS",
+            [91] = "OBJECT_MESSAGING",
+            [9] = "PROGRAM_484",
+            [7] = "READ_EXCEPTION_STATUS",
+            [127] = "REPORT_LOCAL_ADDRESS",
+            [21] = "WRITE_FILE_RECORD",
+            [10] = "POLL_484",
+            [4] = "READ_INPUT_REGISTERS",
+            [13] = "PROGRAM_584_984",
+            [12] = "GET_COMM_EVENT_LOG",
+            [41] = "MULTIPLE_FUNCTION_CODES",
+            [17] = "REPORT_SLAVE_ID",
+            [2] = "READ_DISCRETE_INPUTS",
+            [16] = "WRITE_MULTIPLE_REGISTERS",
+            [24] = "READ_FIFO_QUEUE",
+            [90] = "PROGRAM_UNITY",
+            [1] = "READ_COILS",
+            [11] = "GET_COMM_EVENT_COUNTER",
+            [5] = "WRITE_SINGLE_COIL",
+            [126] = "PROGRAM_584_984_2",
+            [22] = "MASK_WRITE_REGISTER",
+            [43] = "ENCAP_INTERFACE_TRANSPORT",
+            [18] = "PROGRAM_884_U84",
+            [3] = "READ_HOLDING_REGISTERS"
+         }
+
+
+   Standard defined Modbus function codes.
+
+
diff --git a/doc/scripts/base/protocols/modbus/index.rst b/doc/scripts/base/protocols/modbus/index.rst
new file mode 100644
index 0000000000..42fa7d25d8
--- /dev/null
+++ b/doc/scripts/base/protocols/modbus/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: base/protocols/modbus
+==============================
+
+Support for Modbus protocol analysis.
+
+:doc:`/scripts/base/protocols/modbus/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/modbus/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/modbus/main.zeek`
+
+   Base Modbus analysis script.
+
diff --git a/doc/scripts/base/protocols/modbus/main.zeek.rst b/doc/scripts/base/protocols/modbus/main.zeek.rst
new file mode 100644
index 0000000000..bf0ef22906
--- /dev/null
+++ b/doc/scripts/base/protocols/modbus/main.zeek.rst
@@ -0,0 +1,122 @@
+:tocdepth: 3
+
+base/protocols/modbus/main.zeek
+===============================
+.. zeek:namespace:: Modbus
+
+Base Modbus analysis script.
+
+:Namespace: Modbus
+:Imports: :doc:`base/protocols/modbus/consts.zeek </scripts/base/protocols/modbus/consts.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================== =
+:zeek:type:`Modbus::Info`: :zeek:type:`record` 
+============================================== =
+
+Redefinitions
+#############
+==================================================================== ==========================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`Modbus::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       modbus: :zeek:type:`Modbus::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ==========================================================
+
+Events
+######
+================================================= ===================================================================
+:zeek:id:`Modbus::log_modbus`: :zeek:type:`event` Event that can be handled to access the Modbus record as it is sent
+                                                  on to the logging framework.
+================================================= ===================================================================
+
+Hooks
+#####
+=========================================================== =
+:zeek:id:`Modbus::log_policy`: :zeek:type:`Log::PolicyHook` 
+=========================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Modbus::Info
+   :source-code: base/protocols/modbus/main.zeek 12 29
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time of the request.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique identifier for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      Identifier for the connection.
+
+
+   .. zeek:field:: tid :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Modbus transaction ID
+
+
+   .. zeek:field:: unit :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The terminal unit identifier for the message
+
+
+   .. zeek:field:: func :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The name of the function message that was sent.
+
+
+   .. zeek:field:: pdu_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Whether this PDU was a response ("RESP") or request ("REQ")
+
+
+   .. zeek:field:: exception :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The exception if the response was a failure.
+
+
+   .. zeek:field:: track_address :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/modbus/track-memmap.zeek` is loaded)
+
+
+
+Events
+######
+.. zeek:id:: Modbus::log_modbus
+   :source-code: base/protocols/modbus/main.zeek 33 33
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Modbus::Info`)
+
+   Event that can be handled to access the Modbus record as it is sent
+   on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Modbus::log_policy
+   :source-code: base/protocols/modbus/main.zeek 10 10
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/mqtt/__load__.zeek.rst b/doc/scripts/base/protocols/mqtt/__load__.zeek.rst
new file mode 100644
index 0000000000..54ce63f8ec
--- /dev/null
+++ b/doc/scripts/base/protocols/mqtt/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/mqtt/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/mqtt/consts.zeek </scripts/base/protocols/mqtt/consts.zeek>`, :doc:`base/protocols/mqtt/main.zeek </scripts/base/protocols/mqtt/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/mqtt/consts.zeek.rst b/doc/scripts/base/protocols/mqtt/consts.zeek.rst
new file mode 100644
index 0000000000..0a4770f351
--- /dev/null
+++ b/doc/scripts/base/protocols/mqtt/consts.zeek.rst
@@ -0,0 +1,109 @@
+:tocdepth: 3
+
+base/protocols/mqtt/consts.zeek
+===============================
+.. zeek:namespace:: MQTT
+
+Constants definitions for MQTT.
+
+:Namespace: MQTT
+
+Summary
+~~~~~~~
+Constants
+#########
+=============================================================================================== =
+:zeek:id:`MQTT::msg_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`    
+:zeek:id:`MQTT::qos_levels`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`   
+:zeek:id:`MQTT::return_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` 
+:zeek:id:`MQTT::versions`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`     
+=============================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: MQTT::msg_types
+   :source-code: base/protocols/mqtt/consts.zeek 6 6
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "connack",
+            [11] = "unsuback",
+            [5] = "pubrec",
+            [7] = "pubcomp",
+            [6] = "pubrel",
+            [10] = "unsubscribe",
+            [14] = "disconnect",
+            [4] = "puback",
+            [13] = "pingresp",
+            [12] = "pingreq",
+            [8] = "subscribe",
+            [3] = "publish",
+            [9] = "suback",
+            [1] = "connect"
+         }
+
+
+
+.. zeek:id:: MQTT::qos_levels
+   :source-code: base/protocols/mqtt/consts.zeek 29 29
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [0] = "at most once",
+            [2] = "exactly once",
+            [1] = "at least once"
+         }
+
+
+
+.. zeek:id:: MQTT::return_codes
+   :source-code: base/protocols/mqtt/consts.zeek 35 35
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "Refused: identifier rejected",
+            [3] = "Refused: server unavailable",
+            [5] = "Refused: not authorized",
+            [0] = "Connection Accepted",
+            [4] = "Refused: bad user name or password",
+            [1] = "Refused: unacceptable protocol version"
+         }
+
+
+
+.. zeek:id:: MQTT::versions
+   :source-code: base/protocols/mqtt/consts.zeek 23 23
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [4] = "3.1.1",
+            [3] = "3.1",
+            [5] = "5.0"
+         }
+
+
+
+
diff --git a/doc/scripts/base/protocols/mqtt/index.rst b/doc/scripts/base/protocols/mqtt/index.rst
new file mode 100644
index 0000000000..d9e6f66999
--- /dev/null
+++ b/doc/scripts/base/protocols/mqtt/index.rst
@@ -0,0 +1,19 @@
+:orphan:
+
+Package: base/protocols/mqtt
+============================
+
+Support for MQTT protocol analysis.
+
+:doc:`/scripts/base/protocols/mqtt/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/mqtt/consts.zeek`
+
+   Constants definitions for MQTT.
+
+:doc:`/scripts/base/protocols/mqtt/main.zeek`
+
+   Implements base functionality for MQTT (v3.1.1) analysis.
+   Generates the mqtt.log file.
+
diff --git a/doc/scripts/base/protocols/mqtt/main.zeek.rst b/doc/scripts/base/protocols/mqtt/main.zeek.rst
new file mode 100644
index 0000000000..127de2a82a
--- /dev/null
+++ b/doc/scripts/base/protocols/mqtt/main.zeek.rst
@@ -0,0 +1,338 @@
+:tocdepth: 3
+
+base/protocols/mqtt/main.zeek
+=============================
+.. zeek:namespace:: MQTT
+
+Implements base functionality for MQTT (v3.1.1) analysis.
+Generates the mqtt.log file.
+
+:Namespace: MQTT
+:Imports: :doc:`base/protocols/mqtt/consts.zeek </scripts/base/protocols/mqtt/consts.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+================================================================== ======================================================================
+:zeek:type:`MQTT::ConnectInfo`: :zeek:type:`record`                
+:zeek:type:`MQTT::PublishInfo`: :zeek:type:`record`                
+:zeek:type:`MQTT::State`: :zeek:type:`record`                      Data structure to track pub/sub messaging state of a given connection.
+:zeek:type:`MQTT::SubUnsub`: :zeek:type:`enum` :zeek:attr:`&redef` 
+:zeek:type:`MQTT::SubscribeInfo`: :zeek:type:`record`              
+================================================================== ======================================================================
+
+Redefinitions
+#############
+==================================================================== =============================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`MQTT::CONNECT_LOG`
+                                                                     
+                                                                     * :zeek:enum:`MQTT::PUBLISH_LOG`
+                                                                     
+                                                                     * :zeek:enum:`MQTT::SUBSCRIBE_LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       mqtt: :zeek:type:`MQTT::ConnectInfo` :zeek:attr:`&optional`
+                                                                     
+                                                                       mqtt_state: :zeek:type:`MQTT::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =============================================================
+
+Events
+######
+============================================= ====================================================================
+:zeek:id:`MQTT::log_mqtt`: :zeek:type:`event` Event that can be handled to access the MQTT record as it is sent on
+                                              to the logging framework.
+============================================= ====================================================================
+
+Hooks
+#####
+=================================================================== =
+:zeek:id:`MQTT::log_policy_connect`: :zeek:type:`Log::PolicyHook`   
+:zeek:id:`MQTT::log_policy_publish`: :zeek:type:`Log::PolicyHook`   
+:zeek:id:`MQTT::log_policy_subscribe`: :zeek:type:`Log::PolicyHook` 
+=================================================================== =
+
+Functions
+#########
+======================================================== ==========================================================================
+:zeek:id:`MQTT::publish_expire`: :zeek:type:`function`   The expiration function for published messages that haven't been logged
+                                                         yet simply causes the message to be logged.
+:zeek:id:`MQTT::subscribe_expire`: :zeek:type:`function` The expiration function for subscription messages that haven't been logged
+                                                         yet simply causes the message to be logged.
+======================================================== ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: MQTT::ConnectInfo
+   :source-code: base/protocols/mqtt/main.zeek 24 45
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports
+
+
+   .. zeek:field:: proto_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Indicates the protocol name
+
+
+   .. zeek:field:: proto_version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The version of the protocol in use
+
+
+   .. zeek:field:: client_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Unique identifier for the client
+
+
+   .. zeek:field:: connect_status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Status message from the server in response to the connect request
+
+
+   .. zeek:field:: will_topic :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Topic to publish a "last will and testament" message to
+
+
+   .. zeek:field:: will_payload :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Payload to publish as a "last will and testament"
+
+
+
+.. zeek:type:: MQTT::PublishInfo
+   :source-code: base/protocols/mqtt/main.zeek 67 107
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the publish message started
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      UID for the connection
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      ID fields for the connection
+
+
+   .. zeek:field:: from_client :zeek:type:`bool` :zeek:attr:`&log`
+
+      Indicates if the message was published by the client of
+      this connection or published to the client.
+
+
+   .. zeek:field:: retain :zeek:type:`bool` :zeek:attr:`&log`
+
+      Indicates if the message was to be retained by the server
+
+
+   .. zeek:field:: qos :zeek:type:`string` :zeek:attr:`&log`
+
+      QoS level set for the message
+
+
+   .. zeek:field:: status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``"incomplete_qos"`` :zeek:attr:`&optional`
+
+      Status of the published message. This will be set to "incomplete_qos"
+      if the full back and forth for the requested level of QoS was not seen.
+      Otherwise if it's successful the field will be "ok".
+
+
+   .. zeek:field:: topic :zeek:type:`string` :zeek:attr:`&log`
+
+      Topic the message was published to
+
+
+   .. zeek:field:: payload :zeek:type:`string` :zeek:attr:`&log`
+
+      Payload of the message
+
+
+   .. zeek:field:: payload_len :zeek:type:`count` :zeek:attr:`&log`
+
+      The actual length of the payload in the case the *payload*
+      field's contents were truncated according to
+      :zeek:see:`MQTT::max_payload_size`.
+
+
+   .. zeek:field:: ack :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Track if the message was acked
+
+
+   .. zeek:field:: rec :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if the server sent the RECEIVED qos message
+
+
+   .. zeek:field:: rel :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if the client sent the RELEASE qos message
+
+
+   .. zeek:field:: comp :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if the server sent the COMPLETE qos message
+
+
+   .. zeek:field:: qos_level :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Internally used for comparing numeric qos level
+
+
+
+.. zeek:type:: MQTT::State
+   :source-code: base/protocols/mqtt/main.zeek 122 128
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: publish :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`MQTT::PublishInfo` :zeek:attr:`&optional` :zeek:attr:`&write_expire` = ``5.0 secs`` :zeek:attr:`&expire_func` = :zeek:see:`MQTT::publish_expire`
+
+      Published messages that haven't been logged yet.
+
+
+   .. zeek:field:: subscribe :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`MQTT::SubscribeInfo` :zeek:attr:`&optional` :zeek:attr:`&write_expire` = ``5.0 secs`` :zeek:attr:`&expire_func` = :zeek:see:`MQTT::subscribe_expire`
+
+      Subscription/unsubscription messages that haven't been ACK'd or
+      logged yet.
+
+
+   Data structure to track pub/sub messaging state of a given connection.
+
+.. zeek:type:: MQTT::SubUnsub
+   :source-code: base/protocols/mqtt/main.zeek 19 23
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: MQTT::SUBSCRIBE MQTT::SubUnsub
+
+      .. zeek:enum:: MQTT::UNSUBSCRIBE MQTT::SubUnsub
+   :Attributes: :zeek:attr:`&redef`
+
+
+.. zeek:type:: MQTT::SubscribeInfo
+   :source-code: base/protocols/mqtt/main.zeek 47 65
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the subscribe or unsubscribe request started
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      UID for the connection
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      ID fields for the connection
+
+
+   .. zeek:field:: action :zeek:type:`MQTT::SubUnsub` :zeek:attr:`&log`
+
+      Indicates if a subscribe or unsubscribe action is taking place
+
+
+   .. zeek:field:: topics :zeek:type:`string_vec` :zeek:attr:`&log`
+
+      The topics (or topic patterns) being subscribed to
+
+
+   .. zeek:field:: qos_levels :zeek:type:`index_vec` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      QoS levels requested for messages from subscribed topics
+
+
+   .. zeek:field:: granted_qos_level :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      QoS level the server granted
+
+
+   .. zeek:field:: ack :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if the request was acked by the server
+
+
+
+Events
+######
+.. zeek:id:: MQTT::log_mqtt
+   :source-code: base/protocols/mqtt/main.zeek 111 111
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`MQTT::ConnectInfo`)
+
+   Event that can be handled to access the MQTT record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: MQTT::log_policy_connect
+   :source-code: base/protocols/mqtt/main.zeek 15 15
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+.. zeek:id:: MQTT::log_policy_publish
+   :source-code: base/protocols/mqtt/main.zeek 17 17
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+.. zeek:id:: MQTT::log_policy_subscribe
+   :source-code: base/protocols/mqtt/main.zeek 16 16
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+Functions
+#########
+.. zeek:id:: MQTT::publish_expire
+   :source-code: base/protocols/mqtt/main.zeek 131 135
+
+   :Type: :zeek:type:`function` (tbl: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`MQTT::PublishInfo`, idx: :zeek:type:`count`) : :zeek:type:`interval`
+
+   The expiration function for published messages that haven't been logged
+   yet simply causes the message to be logged.
+
+.. zeek:id:: MQTT::subscribe_expire
+   :source-code: base/protocols/mqtt/main.zeek 137 141
+
+   :Type: :zeek:type:`function` (tbl: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`MQTT::SubscribeInfo`, idx: :zeek:type:`count`) : :zeek:type:`interval`
+
+   The expiration function for subscription messages that haven't been logged
+   yet simply causes the message to be logged.
+
+
diff --git a/doc/scripts/base/protocols/mysql/__load__.zeek.rst b/doc/scripts/base/protocols/mysql/__load__.zeek.rst
new file mode 100644
index 0000000000..cb854918c9
--- /dev/null
+++ b/doc/scripts/base/protocols/mysql/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/mysql/__load__.zeek
+==================================
+
+
+:Imports: :doc:`base/protocols/mysql/main.zeek </scripts/base/protocols/mysql/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/mysql/consts.zeek.rst b/doc/scripts/base/protocols/mysql/consts.zeek.rst
new file mode 100644
index 0000000000..ed5a16edaa
--- /dev/null
+++ b/doc/scripts/base/protocols/mysql/consts.zeek.rst
@@ -0,0 +1,69 @@
+:tocdepth: 3
+
+base/protocols/mysql/consts.zeek
+================================
+.. zeek:namespace:: MySQL
+
+
+:Namespace: MySQL
+
+Summary
+~~~~~~~
+Constants
+#########
+============================================================================================ =
+:zeek:id:`MySQL::commands`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` 
+============================================================================================ =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: MySQL::commands
+   :source-code: base/protocols/mysql/consts.zeek 4 4
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [19] = "table_dump",
+            [20] = "connect_out",
+            [14] = "ping",
+            [15] = "time",
+            [6] = "drop_db",
+            [30] = "binlog_dump_gtid",
+            [31] = "reset_connection",
+            [28] = "stmt_fetch",
+            [23] = "stmt_execute",
+            [8] = "shutdown",
+            [27] = "set_option",
+            [9] = "statistics",
+            [7] = "refresh",
+            [10] = "process_info",
+            [21] = "register_slave",
+            [4] = "field_list",
+            [26] = "stmt_reset",
+            [13] = "debug",
+            [12] = "process_kill",
+            [17] = "change_user",
+            [25] = "stmt_close",
+            [2] = "init_db",
+            [29] = "daemon",
+            [16] = "delayed_insert",
+            [24] = "stmt_send_long_data",
+            [1] = "quit",
+            [11] = "connect",
+            [5] = "create_db",
+            [22] = "stmt_prepare",
+            [18] = "binlog_dump",
+            [3] = "query",
+            [0] = "sleep"
+         }
+
+
+
+
diff --git a/doc/scripts/base/protocols/mysql/index.rst b/doc/scripts/base/protocols/mysql/index.rst
new file mode 100644
index 0000000000..100827ce44
--- /dev/null
+++ b/doc/scripts/base/protocols/mysql/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: base/protocols/mysql
+=============================
+
+Support for MySQL protocol analysis.
+
+:doc:`/scripts/base/protocols/mysql/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/mysql/main.zeek`
+
+   Implements base functionality for MySQL analysis. Generates the mysql.log file.
+
+:doc:`/scripts/base/protocols/mysql/consts.zeek`
+
+
diff --git a/doc/scripts/base/protocols/mysql/main.zeek.rst b/doc/scripts/base/protocols/mysql/main.zeek.rst
new file mode 100644
index 0000000000..45f873b2fa
--- /dev/null
+++ b/doc/scripts/base/protocols/mysql/main.zeek.rst
@@ -0,0 +1,124 @@
+:tocdepth: 3
+
+base/protocols/mysql/main.zeek
+==============================
+.. zeek:namespace:: MySQL
+
+Implements base functionality for MySQL analysis. Generates the mysql.log file.
+
+:Namespace: MySQL
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/mysql/consts.zeek </scripts/base/protocols/mysql/consts.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================= =
+:zeek:type:`MySQL::Info`: :zeek:type:`record` 
+============================================= =
+
+Redefinitions
+#############
+============================================ ========================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      
+                                             
+                                             * :zeek:enum:`mysql::LOG`
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               mysql: :zeek:type:`MySQL::Info` :zeek:attr:`&optional`
+============================================ ========================================================
+
+Events
+######
+=============================================== =====================================================================
+:zeek:id:`MySQL::log_mysql`: :zeek:type:`event` Event that can be handled to access the MySQL record as it is sent on
+                                                to the logging framework.
+=============================================== =====================================================================
+
+Hooks
+#####
+================================================================ ========================
+:zeek:id:`MySQL::finalize_mysql`: :zeek:type:`Conn::RemovalHook` MySQL finalization hook.
+:zeek:id:`MySQL::log_policy`: :zeek:type:`Log::PolicyHook`       
+================================================================ ========================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: MySQL::Info
+   :source-code: base/protocols/mysql/main.zeek 13 30
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: cmd :zeek:type:`string` :zeek:attr:`&log`
+
+      The command that was issued
+
+
+   .. zeek:field:: arg :zeek:type:`string` :zeek:attr:`&log`
+
+      The argument issued to the command
+
+
+   .. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Did the server tell us that the command succeeded?
+
+
+   .. zeek:field:: rows :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The number of affected rows, if any
+
+
+   .. zeek:field:: response :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server message, if any
+
+
+
+Events
+######
+.. zeek:id:: MySQL::log_mysql
+   :source-code: base/protocols/mysql/main.zeek 34 34
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`MySQL::Info`)
+
+   Event that can be handled to access the MySQL record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: MySQL::finalize_mysql
+   :source-code: base/protocols/mysql/main.zeek 157 164
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   MySQL finalization hook.  Remaining MySQL info may get logged when it's called.
+
+.. zeek:id:: MySQL::log_policy
+   :source-code: base/protocols/mysql/main.zeek 11 11
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/ntlm/__load__.zeek.rst b/doc/scripts/base/protocols/ntlm/__load__.zeek.rst
new file mode 100644
index 0000000000..0363e48626
--- /dev/null
+++ b/doc/scripts/base/protocols/ntlm/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/ntlm/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/ntlm/main.zeek </scripts/base/protocols/ntlm/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/ntlm/index.rst b/doc/scripts/base/protocols/ntlm/index.rst
new file mode 100644
index 0000000000..8942feb89f
--- /dev/null
+++ b/doc/scripts/base/protocols/ntlm/index.rst
@@ -0,0 +1,13 @@
+:orphan:
+
+Package: base/protocols/ntlm
+============================
+
+Support for NT LAN Manager (NTLM) protocol analysis.
+
+:doc:`/scripts/base/protocols/ntlm/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/ntlm/main.zeek`
+
+
diff --git a/doc/scripts/base/protocols/ntlm/main.zeek.rst b/doc/scripts/base/protocols/ntlm/main.zeek.rst
new file mode 100644
index 0000000000..5e824c12af
--- /dev/null
+++ b/doc/scripts/base/protocols/ntlm/main.zeek.rst
@@ -0,0 +1,123 @@
+:tocdepth: 3
+
+base/protocols/ntlm/main.zeek
+=============================
+.. zeek:namespace:: NTLM
+
+
+:Namespace: NTLM
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================ =
+:zeek:type:`NTLM::Info`: :zeek:type:`record` 
+============================================ =
+
+Redefinitions
+#############
+======================================================================= ======================================================
+:zeek:id:`DPD::ignore_violations`: :zeek:type:`set` :zeek:attr:`&redef` 
+:zeek:type:`Log::ID`: :zeek:type:`enum`                                 
+                                                                        
+                                                                        * :zeek:enum:`NTLM::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                            
+                                                                        
+                                                                        :New Fields: :zeek:type:`connection`
+                                                                        
+                                                                          ntlm: :zeek:type:`NTLM::Info` :zeek:attr:`&optional`
+======================================================================= ======================================================
+
+Hooks
+#####
+============================================================== =======================
+:zeek:id:`NTLM::finalize_ntlm`: :zeek:type:`Conn::RemovalHook` NTLM finalization hook.
+:zeek:id:`NTLM::log_policy`: :zeek:type:`Log::PolicyHook`      
+============================================================== =======================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: NTLM::Info
+   :source-code: base/protocols/ntlm/main.zeek 10 38
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: username :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Username given by the client.
+
+
+   .. zeek:field:: hostname :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Hostname given by the client.
+
+
+   .. zeek:field:: domainname :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Domainname given by the client.
+
+
+   .. zeek:field:: server_nb_computer_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      NetBIOS name given by the server in a CHALLENGE.
+
+
+   .. zeek:field:: server_dns_computer_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      DNS name given by the server in a CHALLENGE.
+
+
+   .. zeek:field:: server_tree_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Tree name given by the server in a CHALLENGE.
+
+
+   .. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Indicate whether or not the authentication was successful.
+
+
+   .. zeek:field:: done :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Internally used field to indicate if the login attempt
+      has already been logged.
+
+
+
+Hooks
+#####
+.. zeek:id:: NTLM::finalize_ntlm
+   :source-code: base/protocols/ntlm/main.zeek 117 123
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   NTLM finalization hook.  Remaining NTLM info may get logged when it's called.
+
+.. zeek:id:: NTLM::log_policy
+   :source-code: base/protocols/ntlm/main.zeek 8 8
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/ntp/__load__.zeek.rst b/doc/scripts/base/protocols/ntp/__load__.zeek.rst
new file mode 100644
index 0000000000..e6678dd6a1
--- /dev/null
+++ b/doc/scripts/base/protocols/ntp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/ntp/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/ntp/consts.zeek </scripts/base/protocols/ntp/consts.zeek>`, :doc:`base/protocols/ntp/main.zeek </scripts/base/protocols/ntp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/ntp/consts.zeek.rst b/doc/scripts/base/protocols/ntp/consts.zeek.rst
new file mode 100644
index 0000000000..08283d23b8
--- /dev/null
+++ b/doc/scripts/base/protocols/ntp/consts.zeek.rst
@@ -0,0 +1,47 @@
+:tocdepth: 3
+
+base/protocols/ntp/consts.zeek
+==============================
+.. zeek:namespace:: NTP
+
+
+:Namespace: NTP
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=========================================================================================================== ====================================================
+:zeek:id:`NTP::modes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef` The descriptions of the NTP mode value, as described
+                                                                                                            in :rfc:`5905`, Figure 1
+=========================================================================================================== ====================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: NTP::modes
+   :source-code: base/protocols/ntp/consts.zeek 6 6
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [2] = "symmetric passive",
+            [5] = "broadcast server",
+            [3] = "client",
+            [7] = "reserved",
+            [6] = "broadcast client",
+            [4] = "server",
+            [1] = "symmetric active"
+         }
+
+
+   The descriptions of the NTP mode value, as described
+   in :rfc:`5905`, Figure 1
+
+
diff --git a/doc/scripts/base/protocols/ntp/index.rst b/doc/scripts/base/protocols/ntp/index.rst
new file mode 100644
index 0000000000..809f1a6e55
--- /dev/null
+++ b/doc/scripts/base/protocols/ntp/index.rst
@@ -0,0 +1,15 @@
+:orphan:
+
+Package: base/protocols/ntp
+===========================
+
+
+:doc:`/scripts/base/protocols/ntp/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/ntp/main.zeek`
+
+
+:doc:`/scripts/base/protocols/ntp/consts.zeek`
+
+
diff --git a/doc/scripts/base/protocols/ntp/main.zeek.rst b/doc/scripts/base/protocols/ntp/main.zeek.rst
new file mode 100644
index 0000000000..dd1f918d38
--- /dev/null
+++ b/doc/scripts/base/protocols/ntp/main.zeek.rst
@@ -0,0 +1,161 @@
+:tocdepth: 3
+
+base/protocols/ntp/main.zeek
+============================
+.. zeek:namespace:: NTP
+
+
+:Namespace: NTP
+
+Summary
+~~~~~~~
+Types
+#####
+=========================================== =
+:zeek:type:`NTP::Info`: :zeek:type:`record` 
+=========================================== =
+
+Redefinitions
+#############
+==================================================================== ====================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`NTP::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       ntp: :zeek:type:`NTP::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ====================================================
+
+Events
+######
+=========================================== ===================================================================
+:zeek:id:`NTP::log_ntp`: :zeek:type:`event` Event that can be handled to access the NTP record as it is sent on
+                                            to the logging framework.
+=========================================== ===================================================================
+
+Hooks
+#####
+======================================================== =
+:zeek:id:`NTP::log_policy`: :zeek:type:`Log::PolicyHook` 
+======================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: NTP::Info
+   :source-code: base/protocols/ntp/main.zeek 8 47
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: version :zeek:type:`count` :zeek:attr:`&log`
+
+      The NTP version number (1, 2, 3, 4).
+
+
+   .. zeek:field:: mode :zeek:type:`count` :zeek:attr:`&log`
+
+      The NTP mode being used.
+
+
+   .. zeek:field:: stratum :zeek:type:`count` :zeek:attr:`&log`
+
+      The stratum (primary server, secondary server, etc.).
+
+
+   .. zeek:field:: poll :zeek:type:`interval` :zeek:attr:`&log`
+
+      The maximum interval between successive messages.
+
+
+   .. zeek:field:: precision :zeek:type:`interval` :zeek:attr:`&log`
+
+      The precision of the system clock.
+
+
+   .. zeek:field:: root_delay :zeek:type:`interval` :zeek:attr:`&log`
+
+      Total round-trip delay to the reference clock.
+
+
+   .. zeek:field:: root_disp :zeek:type:`interval` :zeek:attr:`&log`
+
+      Total dispersion to the reference clock.
+
+
+   .. zeek:field:: ref_id :zeek:type:`string` :zeek:attr:`&log`
+
+      For stratum 0, 4 character string used for debugging.
+      For stratum 1, ID assigned to the reference clock by IANA.
+      Above stratum 1, when using IPv4, the IP address of the reference
+      clock.  Note that the NTP protocol did not originally specify a
+      large enough field to represent IPv6 addresses, so they use
+      the first four bytes of the MD5 hash of the reference clock's
+      IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
+
+
+   .. zeek:field:: ref_time :zeek:type:`time` :zeek:attr:`&log`
+
+      Time when the system clock was last set or correct.
+
+
+   .. zeek:field:: org_time :zeek:type:`time` :zeek:attr:`&log`
+
+      Time at the client when the request departed for the NTP server.
+
+
+   .. zeek:field:: rec_time :zeek:type:`time` :zeek:attr:`&log`
+
+      Time at the server when the request arrived from the NTP client.
+
+
+   .. zeek:field:: xmt_time :zeek:type:`time` :zeek:attr:`&log`
+
+      Time at the server when the response departed for the NTP client.
+
+
+   .. zeek:field:: num_exts :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Number of extension fields (which are not currently parsed).
+
+
+
+Events
+######
+.. zeek:id:: NTP::log_ntp
+   :source-code: base/protocols/ntp/main.zeek 51 51
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`NTP::Info`)
+
+   Event that can be handled to access the NTP record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: NTP::log_policy
+   :source-code: base/protocols/ntp/main.zeek 6 6
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/pop3/__load__.zeek.rst b/doc/scripts/base/protocols/pop3/__load__.zeek.rst
new file mode 100644
index 0000000000..387e362f0a
--- /dev/null
+++ b/doc/scripts/base/protocols/pop3/__load__.zeek.rst
@@ -0,0 +1,13 @@
+:tocdepth: 3
+
+base/protocols/pop3/__load__.zeek
+=================================
+
+
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/pop3/index.rst b/doc/scripts/base/protocols/pop3/index.rst
new file mode 100644
index 0000000000..5f78e95a9b
--- /dev/null
+++ b/doc/scripts/base/protocols/pop3/index.rst
@@ -0,0 +1,10 @@
+:orphan:
+
+Package: base/protocols/pop3
+============================
+
+Support for POP3 (Post Office Protocol) protocol analysis.
+
+:doc:`/scripts/base/protocols/pop3/__load__.zeek`
+
+
diff --git a/doc/scripts/base/protocols/postgresql/__load__.zeek.rst b/doc/scripts/base/protocols/postgresql/__load__.zeek.rst
new file mode 100644
index 0000000000..75cb8e23aa
--- /dev/null
+++ b/doc/scripts/base/protocols/postgresql/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/postgresql/__load__.zeek
+=======================================
+
+
+:Imports: :doc:`base/protocols/postgresql/consts.zeek </scripts/base/protocols/postgresql/consts.zeek>`, :doc:`base/protocols/postgresql/main.zeek </scripts/base/protocols/postgresql/main.zeek>`, :doc:`base/protocols/postgresql/spicy-events.zeek </scripts/base/protocols/postgresql/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/postgresql/consts.zeek.rst b/doc/scripts/base/protocols/postgresql/consts.zeek.rst
new file mode 100644
index 0000000000..24e2f87b58
--- /dev/null
+++ b/doc/scripts/base/protocols/postgresql/consts.zeek.rst
@@ -0,0 +1,79 @@
+:tocdepth: 3
+
+base/protocols/postgresql/consts.zeek
+=====================================
+.. zeek:namespace:: PostgreSQL
+
+
+:Namespace: PostgreSQL
+
+Summary
+~~~~~~~
+State Variables
+###############
+====================================================================================================================== =
+:zeek:id:`PostgreSQL::auth_ids`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`  
+:zeek:id:`PostgreSQL::error_ids`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef` 
+====================================================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+State Variables
+###############
+.. zeek:id:: PostgreSQL::auth_ids
+   :source-code: base/protocols/postgresql/consts.zeek 26 26
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [2] = "KerberosV5",
+            [8] = "GSSAPIContinue",
+            [11] = "SASLContinue",
+            [3] = "CleartextPassword",
+            [7] = "GSSAPI",
+            [5] = "MD5Password",
+            [9] = "SSPI",
+            [10] = "SASL",
+            [12] = "SASLFinal"
+         }
+
+
+
+.. zeek:id:: PostgreSQL::error_ids
+   :source-code: base/protocols/postgresql/consts.zeek 5 5
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            ["R"] = "Routine",
+            ["H"] = "Hint",
+            ["D"] = "Detail",
+            ["S"] = "SeverityLocalized",
+            ["d"] = "Data",
+            ["p"] = "InternalPosition",
+            ["W"] = "Where",
+            ["M"] = "Message",
+            ["n"] = "Constraint",
+            ["c"] = "Column",
+            ["V"] = "Severity",
+            ["t"] = "Table",
+            ["C"] = "Code",
+            ["F"] = "File",
+            ["P"] = "Position",
+            ["s"] = "Schema",
+            ["q"] = "InternalQuery",
+            ["L"] = "Line"
+         }
+
+
+
+
diff --git a/doc/scripts/base/protocols/postgresql/index.rst b/doc/scripts/base/protocols/postgresql/index.rst
new file mode 100644
index 0000000000..2bbf2c1f1c
--- /dev/null
+++ b/doc/scripts/base/protocols/postgresql/index.rst
@@ -0,0 +1,20 @@
+:orphan:
+
+Package: base/protocols/postgresql
+==================================
+
+
+:doc:`/scripts/base/protocols/postgresql/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/postgresql/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/postgresql/spicy-events.zeek`
+
+   Events generated by the PostgreSQL analyzer.
+
+:doc:`/scripts/base/protocols/postgresql/main.zeek`
+
+   Implements base functionality for PostgreSQL analysis.
+
diff --git a/doc/scripts/base/protocols/postgresql/main.zeek.rst b/doc/scripts/base/protocols/postgresql/main.zeek.rst
new file mode 100644
index 0000000000..31582a70f3
--- /dev/null
+++ b/doc/scripts/base/protocols/postgresql/main.zeek.rst
@@ -0,0 +1,189 @@
+:tocdepth: 3
+
+base/protocols/postgresql/main.zeek
+===================================
+.. zeek:namespace:: PostgreSQL
+
+Implements base functionality for PostgreSQL analysis.
+
+:Namespace: PostgreSQL
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/postgresql/consts.zeek </scripts/base/protocols/postgresql/consts.zeek>`, :doc:`base/protocols/postgresql/spicy-events.zeek </scripts/base/protocols/postgresql/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+State Variables
+###############
+================================================================== =
+:zeek:id:`PostgreSQL::ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+================================================================== =
+
+Types
+#####
+===================================================== ===============================================================
+:zeek:type:`PostgreSQL::Info`: :zeek:type:`record`    Record type containing the column fields of the PostgreSQL log.
+:zeek:type:`PostgreSQL::State`: :zeek:type:`record`   
+:zeek:type:`PostgreSQL::Version`: :zeek:type:`record` 
+===================================================== ===============================================================
+
+Redefinitions
+#############
+==================================================================== =========================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              Log stream identifier.
+                                                                     
+                                                                     * :zeek:enum:`PostgreSQL::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       postgresql: :zeek:type:`PostgreSQL::Info` :zeek:attr:`&optional`
+                                                                     
+                                                                       postgresql_state: :zeek:type:`PostgreSQL::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =========================================================================
+
+Events
+######
+========================================================= =====================================
+:zeek:id:`PostgreSQL::log_postgresql`: :zeek:type:`event` Default hook into PostgreSQL logging.
+========================================================= =====================================
+
+Hooks
+#####
+========================================================================== =
+:zeek:id:`PostgreSQL::finalize_postgresql`: :zeek:type:`Conn::RemovalHook` 
+========================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+State Variables
+###############
+.. zeek:id:: PostgreSQL::ports
+   :source-code: base/protocols/postgresql/main.zeek 65 65
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            5432/tcp
+         }
+
+
+
+Types
+#####
+.. zeek:type:: PostgreSQL::Info
+   :source-code: base/protocols/postgresql/main.zeek 20 49
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the activity happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: user :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      The user as found in the StartupMessage.
+
+
+   .. zeek:field:: database :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      The database as found in the StartupMessage.
+
+
+   .. zeek:field:: application_name :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      The application name as found in the StartupMessage.
+
+
+   .. zeek:field:: frontend :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: frontend_arg :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: backend :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: backend_arg :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   .. zeek:field:: rows :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+
+   Record type containing the column fields of the PostgreSQL log.
+
+.. zeek:type:: PostgreSQL::State
+   :source-code: base/protocols/postgresql/main.zeek 51 58
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`PostgreSQL::Version` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: user :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: database :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: application_name :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: rows :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: errors :zeek:type:`vector` of :zeek:type:`string`
+
+
+
+.. zeek:type:: PostgreSQL::Version
+   :source-code: base/protocols/postgresql/main.zeek 14 17
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: major :zeek:type:`count`
+
+
+   .. zeek:field:: minor :zeek:type:`count`
+
+
+
+Events
+######
+.. zeek:id:: PostgreSQL::log_postgresql
+   :source-code: base/protocols/postgresql/main.zeek 61 61
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`PostgreSQL::Info`)
+
+   Default hook into PostgreSQL logging.
+
+Hooks
+#####
+.. zeek:id:: PostgreSQL::finalize_postgresql
+   :source-code: base/protocols/postgresql/main.zeek 248 250
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+
+
diff --git a/doc/scripts/base/protocols/postgresql/spicy-events.zeek.rst b/doc/scripts/base/protocols/postgresql/spicy-events.zeek.rst
new file mode 100644
index 0000000000..68f5fe75d8
--- /dev/null
+++ b/doc/scripts/base/protocols/postgresql/spicy-events.zeek.rst
@@ -0,0 +1,293 @@
+:tocdepth: 3
+
+base/protocols/postgresql/spicy-events.zeek
+===========================================
+
+Events generated by the PostgreSQL analyzer.
+
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================================== =========================================================================
+:zeek:id:`PostgreSQL::authentication_ok`: :zeek:type:`event`                Event generated for backend authentication requests indicating successful
+                                                                            authentication.
+:zeek:id:`PostgreSQL::authentication_request`: :zeek:type:`event`           Event generated for backend authentication requests.
+:zeek:id:`PostgreSQL::authentication_response`: :zeek:type:`event`          Event generated for frontend authentication responses.
+:zeek:id:`PostgreSQL::backend_key_data`: :zeek:type:`event`                 Generated for a BackendKeyData message for cancellation.
+:zeek:id:`PostgreSQL::data_row`: :zeek:type:`event`                         Event generated for every backend DataRow message.
+:zeek:id:`PostgreSQL::error_response`: :zeek:type:`event`                   Event generated for a ErrorResponse.
+:zeek:id:`PostgreSQL::error_response_identified_field`: :zeek:type:`event`  Event generated for identified field within an ErrorResponse.
+:zeek:id:`PostgreSQL::not_implemented`: :zeek:type:`event`                  Event generated for not implemented messages.
+:zeek:id:`PostgreSQL::notice_response`: :zeek:type:`event`                  Event generated for a NoticeResponse.
+:zeek:id:`PostgreSQL::notice_response_identified_field`: :zeek:type:`event` Event generated for identified field within a NoticeResponse.
+:zeek:id:`PostgreSQL::parameter_status`: :zeek:type:`event`                 Event generated for backend runtime parameter status reports.
+:zeek:id:`PostgreSQL::ready_for_query`: :zeek:type:`event`                  Event generated for every backed ReadyForQuery message.
+:zeek:id:`PostgreSQL::simple_query`: :zeek:type:`event`                     Event generated for every frontend SimpleQuery message.
+:zeek:id:`PostgreSQL::ssl_reply`: :zeek:type:`event`                        Event generated for backend SSL reply.
+:zeek:id:`PostgreSQL::ssl_request`: :zeek:type:`event`                      Event generated for frontend SSLRequest messages.
+:zeek:id:`PostgreSQL::startup_message`: :zeek:type:`event`                  Event generated for a StartupMessage.
+:zeek:id:`PostgreSQL::startup_parameter`: :zeek:type:`event`                Event generated for every parameter in a StartupMessage.
+:zeek:id:`PostgreSQL::terminate`: :zeek:type:`event`                        Event generated For a frontend Terminate message.
+=========================================================================== =========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: PostgreSQL::authentication_ok
+   :source-code: base/protocols/postgresql/main.zeek 195 200
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Event generated for backend authentication requests indicating successful
+   authentication.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: PostgreSQL::authentication_request
+   .. zeek:see:: PostgreSQL::authentication_response
+
+.. zeek:id:: PostgreSQL::authentication_request
+   :source-code: base/protocols/postgresql/main.zeek 181 193
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, identifier: :zeek:type:`count`, data: :zeek:type:`string`)
+
+   Event generated for backend authentication requests.
+   
+
+   :param c: The connection.
+   
+
+   :param identifier: The identifier in the request.
+   
+
+   :param data: The request data, if any.
+   
+   .. zeek:see:: PostgreSQL::authentication_response
+   .. zeek:see:: PostgreSQL::authentication_ok
+
+.. zeek:id:: PostgreSQL::authentication_response
+   :source-code: base/protocols/postgresql/spicy-events.zeek 44 44
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`string`)
+
+   Event generated for frontend authentication responses.
+   
+
+   :param c: The connection.
+   
+
+   :param data: The response data, if any.
+   
+   .. zeek:see:: PostgreSQL::authentication_request
+   .. zeek:see:: PostgreSQL::authentication_ok
+
+.. zeek:id:: PostgreSQL::backend_key_data
+   :source-code: base/protocols/postgresql/spicy-events.zeek 139 139
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, process_id: :zeek:type:`count`, secret_key: :zeek:type:`count`)
+
+   Generated for a BackendKeyData message for cancellation.
+   
+
+   :param c: The connection.
+   
+
+   :param process_id: The process ID of the backend.
+   
+
+   :param secret_key: The secret key of the backend.
+
+.. zeek:id:: PostgreSQL::data_row
+   :source-code: base/protocols/postgresql/main.zeek 222 229
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, column_values: :zeek:type:`count`)
+
+   Event generated for every backend DataRow message.
+   
+
+   :param c: The connection.
+   
+
+   :param column_values: The number of columns in this row.
+
+.. zeek:id:: PostgreSQL::error_response
+   :source-code: base/protocols/postgresql/main.zeek 160 179
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Event generated for a ErrorResponse.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: PostgreSQL::error_response_identified_field
+
+.. zeek:id:: PostgreSQL::error_response_identified_field
+   :source-code: base/protocols/postgresql/main.zeek 143 148
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Event generated for identified field within an ErrorResponse.
+   
+
+   :param c: The connection.
+   
+
+   :param code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
+   
+
+   :param value: The field value.
+   
+   .. zeek:see:: PostgreSQL::error_response
+
+.. zeek:id:: PostgreSQL::not_implemented
+   :source-code: base/protocols/postgresql/spicy-events.zeek 147 147
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, typ: :zeek:type:`string`, chunk: :zeek:type:`string`)
+
+   Event generated for not implemented messages.
+
+.. zeek:id:: PostgreSQL::notice_response
+   :source-code: base/protocols/postgresql/spicy-events.zeek 113 113
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Event generated for a NoticeResponse.
+   
+
+   :param c: The connection.
+   
+   .. zeek:see:: PostgreSQL::notice_response_identified_field
+
+.. zeek:id:: PostgreSQL::notice_response_identified_field
+   :source-code: base/protocols/postgresql/main.zeek 150 158
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Event generated for identified field within a NoticeResponse.
+   
+
+   :param c: The connection.
+   
+
+   :param code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
+   
+
+   :param value: The field value.
+   
+   .. zeek:see:: PostgreSQL::notice_response
+
+.. zeek:id:: PostgreSQL::parameter_status
+   :source-code: base/protocols/postgresql/spicy-events.zeek 130 130
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Event generated for backend runtime parameter status reports.
+   
+
+   :param c: The connection.
+   
+
+   :param name: The name of the runtime parameter.
+   
+
+   :param value: The current value of the parameter.
+   
+
+.. zeek:id:: PostgreSQL::ready_for_query
+   :source-code: base/protocols/postgresql/main.zeek 231 246
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, transaction_status: :zeek:type:`string`)
+
+   Event generated for every backed ReadyForQuery message.
+   
+
+   :param c: The connection.
+   
+
+   :param transaction_status: I (idle), T (in transaction block), E (error).
+
+.. zeek:id:: PostgreSQL::simple_query
+   :source-code: base/protocols/postgresql/main.zeek 211 220
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, query: :zeek:type:`string`)
+
+   Event generated for every frontend SimpleQuery message.
+   
+
+   :param c: The connection.
+   
+
+   :param query: The query string.
+
+.. zeek:id:: PostgreSQL::ssl_reply
+   :source-code: base/protocols/postgresql/main.zeek 114 122
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`string`)
+
+   Event generated for backend SSL reply.
+   
+
+   :param c: The connection.
+   
+
+   :param data: The server's reply: S for secure, N for unencrypted.
+
+.. zeek:id:: PostgreSQL::ssl_request
+   :source-code: base/protocols/postgresql/main.zeek 108 112
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Event generated for frontend SSLRequest messages.
+   
+
+   :param c: The connection.
+
+.. zeek:id:: PostgreSQL::startup_message
+   :source-code: base/protocols/postgresql/main.zeek 136 141
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, major: :zeek:type:`count`, minor: :zeek:type:`count`)
+
+   Event generated for a StartupMessage.
+   
+
+   :param c: The connection.
+   
+
+   :param major: The major protocol version.
+   
+
+   :param minor: The minor protocol version.
+
+.. zeek:id:: PostgreSQL::startup_parameter
+   :source-code: base/protocols/postgresql/main.zeek 124 134
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, value: :zeek:type:`string`)
+
+   Event generated for every parameter in a StartupMessage.
+   
+
+   :param c: The connection.
+   
+
+   :param name: The name of the parameter.
+   
+
+   :param value: The value of the parameter.
+
+.. zeek:id:: PostgreSQL::terminate
+   :source-code: base/protocols/postgresql/main.zeek 202 209
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Event generated For a frontend Terminate message.
+   
+
+   :param c: The connection.
+
+
diff --git a/doc/scripts/base/protocols/quic/__load__.zeek.rst b/doc/scripts/base/protocols/quic/__load__.zeek.rst
new file mode 100644
index 0000000000..1341d2e996
--- /dev/null
+++ b/doc/scripts/base/protocols/quic/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/quic/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>`, :doc:`base/protocols/quic/main.zeek </scripts/base/protocols/quic/main.zeek>`, :doc:`base/protocols/quic/spicy-events.zeek </scripts/base/protocols/quic/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/quic/consts.zeek.rst b/doc/scripts/base/protocols/quic/consts.zeek.rst
new file mode 100644
index 0000000000..9dfbff1b29
--- /dev/null
+++ b/doc/scripts/base/protocols/quic/consts.zeek.rst
@@ -0,0 +1,61 @@
+:tocdepth: 3
+
+base/protocols/quic/consts.zeek
+===============================
+.. zeek:namespace:: QUIC
+
+
+:Namespace: QUIC
+
+Summary
+~~~~~~~
+Constants
+#########
+================================================================================================== ==============================================================
+:zeek:id:`QUIC::version_strings`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` A mapping from QUIC's raw version numbers to readable strings.
+================================================================================================== ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: QUIC::version_strings
+   :source-code: base/protocols/quic/consts.zeek 7 7
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [4207849486] = "mvfst (faceb00e)",
+            [4278190112] = "draft-32",
+            [4278190110] = "draft-30",
+            [4278190111] = "draft-30",
+            [4278190114] = "draft-34",
+            [4207849474] = "mvfst (faceb002)",
+            [4278190108] = "draft-28",
+            [4278190113] = "draft-33",
+            [4278190104] = "draft-24",
+            [4278190105] = "draft-25",
+            [1] = "1",
+            [1798521807] = "quicv2",
+            [4207849491] = "mvfst (faceb013)",
+            [4207849489] = "mvfst (faceb011)",
+            [4278190106] = "draft-26",
+            [4207849490] = "mvfst (faceb012)",
+            [4278190107] = "draft-27",
+            [4278190103] = "draft-23",
+            [4278190102] = "draft-22",
+            [4278190109] = "draft-29",
+            [4207849473] = "mvfst (faceb001)"
+         }
+
+
+   A mapping from QUIC's raw version numbers to readable strings.
+   Unexpected versions become "unknown-<hex>", with a hexadecimal
+   rendering of the version number.
+
+
diff --git a/doc/scripts/base/protocols/quic/index.rst b/doc/scripts/base/protocols/quic/index.rst
new file mode 100644
index 0000000000..b6931232bc
--- /dev/null
+++ b/doc/scripts/base/protocols/quic/index.rst
@@ -0,0 +1,22 @@
+:orphan:
+
+Package: base/protocols/quic
+============================
+
+
+:doc:`/scripts/base/protocols/quic/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/quic/spicy-events.zeek`
+
+   Events generated by the QUIC analyzer.
+   
+   See See `RFC9000 <https://tools.ietf.org/html/rfc9000>`__.
+
+:doc:`/scripts/base/protocols/quic/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/quic/main.zeek`
+
+   Implements base functionality for QUIC analysis. Generates quic.log.
+
diff --git a/doc/scripts/base/protocols/quic/main.zeek.rst b/doc/scripts/base/protocols/quic/main.zeek.rst
new file mode 100644
index 0000000000..9058e3ce21
--- /dev/null
+++ b/doc/scripts/base/protocols/quic/main.zeek.rst
@@ -0,0 +1,176 @@
+:tocdepth: 3
+
+base/protocols/quic/main.zeek
+=============================
+.. zeek:namespace:: QUIC
+
+Implements base functionality for QUIC analysis. Generates quic.log.
+
+:Namespace: QUIC
+:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=========================================================================== ========================================
+:zeek:id:`QUIC::max_history_length`: :zeek:type:`count` :zeek:attr:`&redef` The maximum length of the history field.
+=========================================================================== ========================================
+
+Types
+#####
+============================================ =
+:zeek:type:`QUIC::Info`: :zeek:type:`record` 
+============================================ =
+
+Redefinitions
+#############
+============================================ ======================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      
+                                             
+                                             * :zeek:enum:`QUIC::LOG`
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               quic: :zeek:type:`QUIC::Info` :zeek:attr:`&optional`
+============================================ ======================================================
+
+Events
+######
+============================================= =
+:zeek:id:`QUIC::log_quic`: :zeek:type:`event` 
+============================================= =
+
+Hooks
+#####
+============================================================== =
+:zeek:id:`QUIC::finalize_quic`: :zeek:type:`Conn::RemovalHook` 
+:zeek:id:`QUIC::log_policy`: :zeek:type:`Log::PolicyHook`      
+============================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: QUIC::max_history_length
+   :source-code: base/protocols/quic/main.zeek 79 79
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   The maximum length of the history field.
+
+Types
+#####
+.. zeek:type:: QUIC::Info
+   :source-code: base/protocols/quic/main.zeek 13 70
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp of first QUIC packet for this entry.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log`
+
+      QUIC version as found in the first INITIAL packet from
+      the client. This will often be "1" or "quicv2", but see
+      the :zeek:see:`QUIC::version_strings` table for details.
+
+
+   .. zeek:field:: client_initial_dcid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      First Destination Connection ID used by client. This is
+      random and unpredictable, but used for packet protection
+      by client and server.
+
+
+   .. zeek:field:: client_scid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Client's Source Connection ID from the first INITIAL packet.
+
+
+   .. zeek:field:: server_scid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server chosen Connection ID usually from server's first
+      INITIAL packet. This is to be used by the client in
+      subsequent packets.
+
+
+   .. zeek:field:: server_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server name extracted from SNI extension in ClientHello
+      packet if available.
+
+
+   .. zeek:field:: client_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      First protocol extracted from ALPN extension in ClientHello
+      packet if available.
+
+
+   .. zeek:field:: history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      QUIC history.
+      
+      Letters have the following meaning with client-sent
+      letters being capitalized:
+      
+      ======  ====================================================
+      Letter  Meaning
+      ======  ====================================================
+      I       INIT packet
+      H       HANDSHAKE packet
+      Z       0RTT packet
+      R       RETRY packet
+      C       CONNECTION_CLOSE packet
+      S       SSL Client/Server Hello
+      U       Unfamiliar QUIC version
+      ======  ====================================================
+
+
+   .. zeek:field:: history_state :zeek:type:`vector` of :zeek:type:`string`
+
+
+   .. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+
+
+Events
+######
+.. zeek:id:: QUIC::log_quic
+   :source-code: base/protocols/quic/main.zeek 72 72
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`QUIC::Info`)
+
+
+Hooks
+#####
+.. zeek:id:: QUIC::finalize_quic
+   :source-code: base/protocols/quic/main.zeek 229 235
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+
+.. zeek:id:: QUIC::log_policy
+   :source-code: base/protocols/quic/main.zeek 74 74
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/quic/spicy-events.zeek.rst b/doc/scripts/base/protocols/quic/spicy-events.zeek.rst
new file mode 100644
index 0000000000..0ea7777ec4
--- /dev/null
+++ b/doc/scripts/base/protocols/quic/spicy-events.zeek.rst
@@ -0,0 +1,176 @@
+:tocdepth: 3
+
+base/protocols/quic/spicy-events.zeek
+=====================================
+
+Events generated by the QUIC analyzer.
+
+See See `RFC9000 <https://tools.ietf.org/html/rfc9000>`__.
+
+
+Summary
+~~~~~~~
+Events
+######
+=========================================================== ============================================
+:zeek:id:`QUIC::connection_close_frame`: :zeek:type:`event` Generated for a QUIC CONNECTION_CLOSE frame.
+:zeek:id:`QUIC::handshake_packet`: :zeek:type:`event`       Generated for a QUIC Handshake packet.
+:zeek:id:`QUIC::initial_packet`: :zeek:type:`event`         Generated for a QUIC Initial packet.
+:zeek:id:`QUIC::retry_packet`: :zeek:type:`event`           Generated for a QUIC Retry packet.
+:zeek:id:`QUIC::unhandled_version`: :zeek:type:`event`      Generated for an unrecognized QUIC version.
+:zeek:id:`QUIC::zero_rtt_packet`: :zeek:type:`event`        Generated for a QUIC 0-RTT packet.
+=========================================================== ============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: QUIC::connection_close_frame
+   :source-code: base/protocols/quic/main.zeek 182 192
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, error_code: :zeek:type:`count`, reason_phrase: :zeek:type:`string`)
+
+   Generated for a QUIC CONNECTION_CLOSE frame.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+   :param error_code: Count indicating the reason for closing this connection.
+   
+
+   :param reason_phrase: Additional diagnostic information for the closure.
+   
+   .. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
+
+.. zeek:id:: QUIC::handshake_packet
+   :source-code: base/protocols/quic/main.zeek 142 146
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC Handshake packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+.. zeek:id:: QUIC::initial_packet
+   :source-code: base/protocols/quic/main.zeek 136 140
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC Initial packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+.. zeek:id:: QUIC::retry_packet
+   :source-code: base/protocols/quic/main.zeek 155 165
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, retry_token: :zeek:type:`string`, retry_integrity_tag: :zeek:type:`string`)
+
+   Generated for a QUIC Retry packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+   
+
+   :param retry_token: The Retry Token field.
+   
+
+   :param integrity_tag: The Retry Integrity Tag field.
+
+.. zeek:id:: QUIC::unhandled_version
+   :source-code: base/protocols/quic/main.zeek 168 178
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for an unrecognized QUIC version.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+.. zeek:id:: QUIC::zero_rtt_packet
+   :source-code: base/protocols/quic/main.zeek 148 152
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
+
+   Generated for a QUIC 0-RTT packet.
+   
+
+   :param c: The connection.
+   
+
+   :param is_orig: True if the packet is from the the connection's originator.
+   
+
+   :param version: The Version field.
+   
+
+   :param dcid: The Destination Connection ID field.
+   
+
+   :param scid: The Source Connection ID field.
+
+
diff --git a/doc/scripts/base/protocols/radius/__load__.zeek.rst b/doc/scripts/base/protocols/radius/__load__.zeek.rst
new file mode 100644
index 0000000000..a46a44e34e
--- /dev/null
+++ b/doc/scripts/base/protocols/radius/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/radius/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/protocols/radius/main.zeek </scripts/base/protocols/radius/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/radius/consts.zeek.rst b/doc/scripts/base/protocols/radius/consts.zeek.rst
new file mode 100644
index 0000000000..ae92ccd356
--- /dev/null
+++ b/doc/scripts/base/protocols/radius/consts.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+base/protocols/radius/consts.zeek
+=================================
+.. zeek:namespace:: RADIUS
+
+
+:Namespace: RADIUS
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/radius/index.rst b/doc/scripts/base/protocols/radius/index.rst
new file mode 100644
index 0000000000..8acc5ce95f
--- /dev/null
+++ b/doc/scripts/base/protocols/radius/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: base/protocols/radius
+==============================
+
+Support for RADIUS protocol analysis.
+
+:doc:`/scripts/base/protocols/radius/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/radius/main.zeek`
+
+   Implements base functionality for RADIUS analysis. Generates the radius.log file.
+
+:doc:`/scripts/base/protocols/radius/consts.zeek`
+
+
diff --git a/doc/scripts/base/protocols/radius/main.zeek.rst b/doc/scripts/base/protocols/radius/main.zeek.rst
new file mode 100644
index 0000000000..ee8c474c70
--- /dev/null
+++ b/doc/scripts/base/protocols/radius/main.zeek.rst
@@ -0,0 +1,154 @@
+:tocdepth: 3
+
+base/protocols/radius/main.zeek
+===============================
+.. zeek:namespace:: RADIUS
+
+Implements base functionality for RADIUS analysis. Generates the radius.log file.
+
+:Namespace: RADIUS
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/radius/consts.zeek </scripts/base/protocols/radius/consts.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================== =
+:zeek:type:`RADIUS::Info`: :zeek:type:`record` 
+============================================== =
+
+Redefinitions
+#############
+==================================================================== ==========================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`RADIUS::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       radius: :zeek:type:`RADIUS::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ==========================================================
+
+Events
+######
+================================================= ======================================================================
+:zeek:id:`RADIUS::log_radius`: :zeek:type:`event` Event that can be handled to access the RADIUS record as it is sent on
+                                                  to the logging framework.
+================================================= ======================================================================
+
+Hooks
+#####
+================================================================== =========================
+:zeek:id:`RADIUS::finalize_radius`: :zeek:type:`Conn::RemovalHook` RADIUS finalization hook.
+:zeek:id:`RADIUS::log_policy`: :zeek:type:`Log::PolicyHook`        
+================================================================== =========================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: RADIUS::Info
+   :source-code: base/protocols/radius/main.zeek 14 49
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: username :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The username, if present.
+
+
+   .. zeek:field:: mac :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      MAC address, if present.
+
+
+   .. zeek:field:: framed_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The address given to the network access server, if
+      present.  This is only a hint from the RADIUS server
+      and the network access server is not required to honor
+      the address.
+
+
+   .. zeek:field:: tunnel_client :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,
+      if present.  This is collected from the Tunnel-Client-Endpoint
+      attribute.
+
+
+   .. zeek:field:: connect_info :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Connect info, if present.
+
+
+   .. zeek:field:: reply_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Reply message from the server challenge. This is
+      frequently shown to the user authenticating.
+
+
+   .. zeek:field:: result :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Successful or failed authentication.
+
+
+   .. zeek:field:: ttl :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The duration between the first request and
+      either the "Access-Accept" message or an error.
+      If the field is empty, it means that either
+      the request or response was not seen.
+
+
+   .. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Whether this has already been logged and can be ignored.
+
+
+
+Events
+######
+.. zeek:id:: RADIUS::log_radius
+   :source-code: base/protocols/radius/main.zeek 53 53
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`RADIUS::Info`)
+
+   Event that can be handled to access the RADIUS record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: RADIUS::finalize_radius
+   :source-code: base/protocols/radius/main.zeek 148 155
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   RADIUS finalization hook.  Remaining RADIUS info may get logged when it's called.
+
+.. zeek:id:: RADIUS::log_policy
+   :source-code: base/protocols/radius/main.zeek 12 12
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/rdp/__load__.zeek.rst b/doc/scripts/base/protocols/rdp/__load__.zeek.rst
new file mode 100644
index 0000000000..97cebe3ddd
--- /dev/null
+++ b/doc/scripts/base/protocols/rdp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/rdp/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/rdp/consts.zeek </scripts/base/protocols/rdp/consts.zeek>`, :doc:`base/protocols/rdp/main.zeek </scripts/base/protocols/rdp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/rdp/consts.zeek.rst b/doc/scripts/base/protocols/rdp/consts.zeek.rst
new file mode 100644
index 0000000000..0b0826afd5
--- /dev/null
+++ b/doc/scripts/base/protocols/rdp/consts.zeek.rst
@@ -0,0 +1,567 @@
+:tocdepth: 3
+
+base/protocols/rdp/consts.zeek
+==============================
+.. zeek:namespace:: RDP
+
+
+:Namespace: RDP
+
+Summary
+~~~~~~~
+Constants
+#########
+==================================================================================================== =
+:zeek:id:`RDP::builds`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`             
+:zeek:id:`RDP::cert_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`         
+:zeek:id:`RDP::color_depths`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`       
+:zeek:id:`RDP::encryption_levels`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`  
+:zeek:id:`RDP::encryption_methods`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` 
+:zeek:id:`RDP::failure_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`      
+:zeek:id:`RDP::high_color_depths`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`  
+:zeek:id:`RDP::languages`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`          
+:zeek:id:`RDP::results`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`            
+:zeek:id:`RDP::security_protocols`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` 
+==================================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: RDP::builds
+   :source-code: base/protocols/rdp/consts.zeek 5 5
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2195] = "RDP 5.0",
+            [7601] = "RDP 7.1",
+            [6001] = "RDP 6.1",
+            [6000] = "RDP 6.0",
+            [419] = "RDP 4.0",
+            [25282] = "RDP 8.0 (Mac)",
+            [3790] = "RDP 5.2",
+            [2600] = "RDP 5.1",
+            [6002] = "RDP 6.2",
+            [2221] = "RDP 5.0",
+            [7600] = "RDP 7.0",
+            [9600] = "RDP 8.1",
+            [25189] = "RDP 8.0 (Mac)",
+            [9200] = "RDP 8.0"
+         }
+
+
+
+.. zeek:id:: RDP::cert_types
+   :source-code: base/protocols/rdp/consts.zeek 38 38
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "X.509",
+            [1] = "RSA"
+         }
+
+
+
+.. zeek:id:: RDP::color_depths
+   :source-code: base/protocols/rdp/consts.zeek 67 67
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [8] = "32bit",
+            [4] = "15bit",
+            [2] = "16bit",
+            [1] = "24bit"
+         }
+
+
+
+.. zeek:id:: RDP::encryption_levels
+   :source-code: base/protocols/rdp/consts.zeek 51 51
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [0] = "None",
+            [2] = "Client compatible",
+            [4] = "FIPS",
+            [1] = "Low",
+            [3] = "High"
+         }
+
+
+
+.. zeek:id:: RDP::encryption_methods
+   :source-code: base/protocols/rdp/consts.zeek 43 43
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [0] = "None",
+            [10] = "FIPS",
+            [8] = "56bit",
+            [2] = "128bit",
+            [1] = "40bit"
+         }
+
+
+
+.. zeek:id:: RDP::failure_codes
+   :source-code: base/protocols/rdp/consts.zeek 29 29
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "SSL_NOT_ALLOWED_BY_SERVER",
+            [5] = "HYBRID_REQUIRED_BY_SERVER",
+            [3] = "SSL_CERT_NOT_ON_SERVER",
+            [6] = "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
+            [4] = "INCONSISTENT_FLAGS",
+            [1] = "SSL_REQUIRED_BY_SERVER"
+         }
+
+
+
+.. zeek:id:: RDP::high_color_depths
+   :source-code: base/protocols/rdp/consts.zeek 59 59
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [15] = "15bit",
+            [16] = "16bit",
+            [8] = "8bit",
+            [4] = "4bit",
+            [24] = "24bit"
+         }
+
+
+
+.. zeek:id:: RDP::languages
+   :source-code: base/protocols/rdp/consts.zeek 84 84
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [1154] = "Occitan",
+            [66628] = "Tatar",
+            [6153] = "English - Ireland",
+            [658432] = "Phags-pa",
+            [1080] = "Faroese",
+            [67596] = "Belgian (Comma)",
+            [11273] = "English - Trinidad",
+            [71689] = "Scottish Gaelic",
+            [263177] = "English - United States (Dvorak for right hand)",
+            [1117184] = "Javanese",
+            [1153] = "Maori - New Zealand",
+            [1155] = "Corsican",
+            [14337] = "Arabic - U.A.E.",
+            [1140] = "Guarani - Paraguay",
+            [66652] = "Cherokee Nation Phonetic",
+            [1033] = "English - United States",
+            [1129] = "Ibibio - Nigeria",
+            [1053] = "Swedish",
+            [12314] = "Serbian (Cyrillic) - Montenegro",
+            [1134] = "Luxembourgish",
+            [12297] = "English - Zimbabwe",
+            [3079] = "German - Austria",
+            [2070] = "Portuguese - Portugal",
+            [66569] = "English - United States (Dvorak)",
+            [5124] = "Chinese - Macao SAR",
+            [68608] = "Myanmar",
+            [1070] = "Sorbian",
+            [1079] = "Georgian",
+            [9226] = "Spanish - Colombia",
+            [1089] = "Swahili",
+            [66650] = "Syriac Phonetic",
+            [1105] = "Tibetan - People's Republic of China",
+            [17417] = "English - Malaysia",
+            [1164] = "Dari",
+            [9242] = "Serbian (Latin) - Serbia",
+            [1064] = "Tajik",
+            [14346] = "Spanish - Uruguay",
+            [66604] = "Azerbaijani (Standard)",
+            [1109] = "Burmese",
+            [1158] = "K'iche",
+            [1075] = "Venda",
+            [4122] = "Croatian (Bosnia/Herzegovina)",
+            [1128] = "Hausa - Nigeria",
+            [1137] = "Kanuri - Nigeria",
+            [66606] = "Sorbian Extended",
+            [986112] = "Old Italic",
+            [2141] = "Inuktitut (Latin) - Canada",
+            [10249] = "English - Belize",
+            [66565] = "Czech (QWERTY)",
+            [11265] = "Arabic - Jordan",
+            [197634] = "Bulgarian",
+            [1081] = "Hindi",
+            [1036] = "French - France",
+            [1093] = "Bengali (India)",
+            [132139] = "Armenian Phonetic",
+            [4097] = "Arabic - Libya",
+            [1133] = "Bashkir",
+            [7227] = "Sami (Southern) - Sweden",
+            [1039] = "Icelandic",
+            [5146] = "Bosnian (Bosnia/Herzegovina)",
+            [1059] = "Belarusian",
+            [1088] = "Kyrgyz (Cyrillic)",
+            [17418] = "Spanish - El Salvador",
+            [22538] = "Spanish - Latin America",
+            [6156] = "French - Monaco",
+            [66568] = "Uyghur",
+            [66641] = "Tibetan (PRC - Standard)",
+            [132105] = "English - United States (International)",
+            [66562] = "Bulgarian (Latin)",
+            [1091] = "Uzbek (Latin)",
+            [2128] = "Mongolian (Mongolian)",
+            [66590] = "Thai Pattachote",
+            [1043] = "Dutch - Netherlands",
+            [132098] = "Bulgarian (phonetic layout)",
+            [1052] = "Albanian - Albania",
+            [1029] = "Czech",
+            [2145] = "Nepali - India",
+            [6154] = "Spanish - Panama",
+            [197662] = "Thai Pattachote (non-ShiftLock)",
+            [1115] = "Sinhalese - Sri Lanka",
+            [328745] = "Persian (Standard)",
+            [132134] = "Latvian (Standard)",
+            [1135] = "Greenlandic",
+            [9228] = "French - Democratic Rep. of Congo",
+            [4155] = "Sami (Lule) - Norway",
+            [66619] = "Sami Extended Norway",
+            [1090] = "Turkmen",
+            [66615] = "Georgian (QWERTY)",
+            [199680] = "Tai Le",
+            [1152] = "Uighur - China",
+            [1065] = "Farsi",
+            [10266] = "Serbian (Cyrillic) - Serbia",
+            [3098] = "Serbian (Cyrillic)",
+            [132151] = "Georgian (Ergonomic)",
+            [2144] = "Kashmiri",
+            [10241] = "Arabic - Syria",
+            [2064] = "Italian - Switzerland",
+            [1047] = "Rhaeto-Romanic",
+            [1160] = "Wolof",
+            [66688] = "Uyghur",
+            [3076] = "Chinese - Hong Kong SAR",
+            [2067] = "Dutch - Belgium",
+            [13313] = "Arabic - Kuwait",
+            [132165] = "Bangla (India)",
+            [132142] = "Sorbian Standard",
+            [2049] = "Arabic - Iraq",
+            [132130] = "Ukrainian (Enhanced)",
+            [3073] = "Arabic - Egypt",
+            [1030] = "Danish",
+            [15370] = "Spanish - Paraguay",
+            [1131] = "Quecha - Bolivia",
+            [1077] = "Zulu",
+            [16394] = "Spanish - Bolivia",
+            [132135] = "Lithuanian Standard",
+            [1026] = "Bulgarian",
+            [2055] = "German - Switzerland",
+            [1082] = "Maltese",
+            [8204] = "French - Reunion",
+            [1071] = "FYRO Macedonian",
+            [8218] = "Bosnian (Cyrillic) - Bosnia and Herzegovina",
+            [12300] = "French - Cote d'Ivoire",
+            [461824] = "Lisu (Basic)",
+            [13321] = "English - Philippines",
+            [1121] = "Nepali",
+            [20490] = "Spanish - Puerto Rico",
+            [3084] = "French - Canada",
+            [69641] = "Canadian Multilingual Standard",
+            [2155] = "Quecha - Ecuador",
+            [1114] = "Syriac",
+            [1066] = "Vietnamese",
+            [1092] = "Tatar",
+            [5132] = "French - Luxembourg",
+            [1132] = "Sepedi",
+            [263176] = "Greek (319) Latin",
+            [14348] = "French - Morocco",
+            [2074] = "Serbian (Latin)",
+            [1098] = "Telugu",
+            [1156] = "Alsatian",
+            [1055] = "Turkish",
+            [7178] = "Spanish - Dominican Republic",
+            [9275] = "Sami (Inari) - Finland",
+            [1083] = "Sami (Lappish)",
+            [4106] = "Spanish - Guatemala",
+            [3081] = "English - Australia",
+            [5129] = "English - New Zealand",
+            [1146] = "Mapudungun",
+            [1037] = "Hebrew",
+            [66598] = "Latvian (Legacy)",
+            [1182720] = "Futhark",
+            [1159] = "Kinyarwanda",
+            [2057] = "English - United Kingdom",
+            [2108] = "Irish",
+            [1032] = "Greek",
+            [1049] = "Russian",
+            [2058] = "Spanish - Mexico",
+            [132101] = "Czech Programmers",
+            [132097] = "Arabic (102) AZERTY",
+            [1067] = "Armenian - Armenia",
+            [1054] = "Thai",
+            [1143] = "Somali",
+            [1031] = "German - Germany",
+            [4108] = "French - Switzerland",
+            [1103] = "Sanskrit",
+            [15369] = "English - Hong Kong SAR",
+            [133200] = "Mongolian (Mongolian Script - Standard)",
+            [66585] = "Russian (Typewriter)",
+            [197675] = "Armenian Typewriter",
+            [9225] = "English - Caribbean",
+            [2151] = "Pular - Senegal",
+            [66561] = "Arabic (102)",
+            [330752] = "Tifinagh (Basic)",
+            [3153] = "Dzongkha",
+            [66607] = "Macedonia (FYROM) - Standard",
+            [1097] = "Tamil",
+            [8201] = "English - Jamaica",
+            [15361] = "Arabic - Bahrain",
+            [4191] = "Central Atlas Tamazight (Tifinagh) - Morocco",
+            [2115] = "Uzbek (Cyrillic)",
+            [1062] = "Latvian",
+            [4105] = "English - Canada",
+            [1120] = "Kashmiri (Arabic)",
+            [7169] = "Arabic - Tunisia",
+            [2143] = "Tamazight (Latin)",
+            [2118] = "Punjabi (Pakistan)",
+            [13324] = "French - Mali",
+            [66599] = "Lithuanian",
+            [3082] = "Spanish - Spain (Modern Sort)",
+            [8202] = "Spanish - Venezuela",
+            [12289] = "Arabic - Lebanon",
+            [7180] = "French - West Indies",
+            [66629] = "Bangla (India - Legacy)",
+            [67643] = "Finnish with Sami",
+            [1142] = "Latin",
+            [1074] = "Tswana",
+            [1058] = "Ukrainian",
+            [5130] = "Spanish - Costa Rica",
+            [66603] = "Armenian Western",
+            [1141] = "Hawaiian - United States",
+            [1042] = "Korean",
+            [8193] = "Arabic - Oman",
+            [1086] = "Malay - Malaysia",
+            [1106] = "Welsh",
+            [197641] = "English - United States (Dvorak for left hand)",
+            [66643] = "Khmer (NIDA)",
+            [1122] = "French - West Indies",
+            [1095] = "Gujarati",
+            [18442] = "Spanish - Honduras",
+            [1099] = "Kannada",
+            [1087] = "Kazakh",
+            [1094] = "Punjabi",
+            [1035] = "Finnish",
+            [66581] = "Polish (214)",
+            [11274] = "Spanish - Argentina",
+            [1069] = "Basque",
+            [1111] = "Konkani",
+            [1126] = "Edo",
+            [3131] = "Sami (Northern) - Finland",
+            [10252] = "French - Senegal",
+            [1078] = "Afrikaans - South Africa",
+            [1068] = "Azeri (Latin)",
+            [592896] = "N'ko",
+            [1124] = "Filipino",
+            [2080] = "Urdu - India",
+            [2052] = "Chinese - People's Republic of China",
+            [1044] = "Norwegian (Bokmal)",
+            [2068] = "Norwegian (Nynorsk)",
+            [7177] = "English - South Africa",
+            [1051648] = "Sora",
+            [1034] = "Spanish - Spain (Traditional Sort)",
+            [1028] = "Chinese - Taiwan",
+            [66587] = "Slovak (QWERTY)",
+            [133179] = "Sami Extended Finland-Sweden",
+            [11290] = "Serbian (Latin) - Montenegro",
+            [1084] = "Scottish Gaelic",
+            [13322] = "Spanish - Chile",
+            [132126] = "Thai Kedmanee (non-ShiftLock)",
+            [6170] = "Serbian (Latin) - Bosnia and Herzegovina",
+            [66584] = "Romanian (Standard)",
+            [1051] = "Slovak",
+            [66618] = "Maltese 48-key",
+            [1096] = "Oriya",
+            [2110] = "Malay - Brunei Darussalam",
+            [31748] = "Chinese - Traditional",
+            [328712] = "Greek Latin",
+            [1116] = "Cherokee - United States",
+            [396288] = "Tifinagh (Full)",
+            [66567] = "German (IBM)",
+            [58380] = "French - North Africa",
+            [1038] = "Hungarian",
+            [1061] = "Estonian",
+            [16385] = "Arabic - Qatar",
+            [527360] = "Lisu (Standard)",
+            [1112] = "Manipuri",
+            [789504] = "Gothic",
+            [2060] = "French - Belgium",
+            [16393] = "English - India",
+            [132120] = "Romanian (Programmers)",
+            [1025] = "Arabic - Saudi Arabia",
+            [1119] = "Tamazight (Arabic)",
+            [1104] = "Mongolian (Cyrillic)",
+            [2129] = "Tibetan - Bhutan",
+            [15372] = "French - Haiti",
+            [1073] = "Tsonga",
+            [66617] = "Hindi Traditional",
+            [6203] = "Sami (Southern) - Norway",
+            [19466] = "Spanish - Nicaragua",
+            [5179] = "Sami (Lule) - Sweden",
+            [6145] = "Arabic - Morocco",
+            [1117] = "Inuktitut",
+            [1138] = "Oromo",
+            [197687] = "Georgian Ministry of Education and Science Schools",
+            [263170] = "Bulgarian (phonetic traditional)",
+            [920576] = "Osmanya",
+            [10250] = "Spanish - Peru",
+            [1041] = "Japanese",
+            [4100] = "Chinese - Singapore",
+            [21514] = "Spanish - United States",
+            [1056] = "Urdu",
+            [2121] = "Tamil - Sri Lanka",
+            [1100] = "Malayalam",
+            [1102] = "Marathi",
+            [1125] = "Divehi",
+            [1101] = "Assamese",
+            [132121] = "Russian - Mnemonic",
+            [2137] = "Sindhi - Pakistan",
+            [2072] = "Romanian - Moldava",
+            [2092] = "Azeri (Cyrillic)",
+            [1130] = "Yoruba",
+            [1127] = "Fulfulde - Nigeria",
+            [1148] = "Mohawk",
+            [66576] = "Italian (142)",
+            [1139] = "Tigrigna - Ethiopia",
+            [1048] = "Romanian",
+            [12298] = "Spanish - Ecuador",
+            [66570] = "Spanish Variation",
+            [1110] = "Galician",
+            [5121] = "Arabic - Algeria",
+            [18441] = "English - Singapore",
+            [2077] = "Swedish - Finland",
+            [1076] = "Xhosa",
+            [66582] = "Portuguese (Brazilian ABNT2)",
+            [1108] = "Lao",
+            [2073] = "Russian - Moldava",
+            [263223] = "Georgian (Old Alphabets)",
+            [1136] = "Igbo - Nigeria",
+            [197640] = "Greek (220) Latin",
+            [1150] = "Breton",
+            [1113] = "Sindhi - India",
+            [1050] = "Croatian",
+            [1157] = "Yakut",
+            [4103] = "German - Luxembourg",
+            [394248] = "Greek Polytonic",
+            [132104] = "Greek (319)",
+            [1123] = "Pashto",
+            [66651] = "Sinhala - wij 9",
+            [8251] = "Sami (Skolt) - Finland",
+            [1057] = "Indonesian",
+            [2163] = "Tigrigna - Eritrea",
+            [11276] = "French - Cameroon",
+            [9217] = "Arabic - Yemen",
+            [1107] = "Khmer",
+            [2117] = "Bengali (Bangladesh)",
+            [1063] = "Lithuanian",
+            [1085] = "Yiddish",
+            [14345] = "English - Indonesia",
+            [855040] = "Ol Chiki",
+            [1279] = "HID (Human Interface Device)",
+            [1072] = "Sutu",
+            [2107] = "Sami (Northern) - Sweden",
+            [3179] = "Quecha - Peru\x09CB",
+            [1145] = "Papiamentu",
+            [5127] = "German - Liechtenstein",
+            [66574] = "Hungarian 101-key",
+            [1144] = "Yi",
+            [66653] = "Inuktitut - Naqittaut",
+            [1027] = "Catalan",
+            [1060] = "Slovenian",
+            [1046] = "Portuguese - Brazil",
+            [1118] = "Amharic - Ethiopia",
+            [723968] = "Buginese",
+            [1040] = "Italian - Italy",
+            [66661] = "Divehi Typewriter",
+            [134144] = "New Tai Lue",
+            [66591] = "Turkish F",
+            [1045] = "Polish"
+         }
+
+
+
+.. zeek:id:: RDP::results
+   :source-code: base/protocols/rdp/consts.zeek 74 74
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [0] = "Success",
+            [2] = "Resources not available",
+            [4] = "Locked conference",
+            [1] = "User rejected",
+            [3] = "Rejected for symmetry breaking"
+         }
+
+
+
+.. zeek:id:: RDP::security_protocols
+   :source-code: base/protocols/rdp/consts.zeek 22 22
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [0] = "RDP",
+            [8] = "HYBRID_EX",
+            [2] = "HYBRID",
+            [1] = "SSL"
+         }
+
+
+
+
diff --git a/doc/scripts/base/protocols/rdp/index.rst b/doc/scripts/base/protocols/rdp/index.rst
new file mode 100644
index 0000000000..5963a95a67
--- /dev/null
+++ b/doc/scripts/base/protocols/rdp/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: base/protocols/rdp
+===========================
+
+Support for Remote Desktop Protocol (RDP) analysis.
+
+:doc:`/scripts/base/protocols/rdp/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/rdp/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/rdp/main.zeek`
+
+   Implements base functionality for RDP analysis. Generates the rdp.log file.
+
diff --git a/doc/scripts/base/protocols/rdp/main.zeek.rst b/doc/scripts/base/protocols/rdp/main.zeek.rst
new file mode 100644
index 0000000000..cb44ccd0fa
--- /dev/null
+++ b/doc/scripts/base/protocols/rdp/main.zeek.rst
@@ -0,0 +1,249 @@
+:tocdepth: 3
+
+base/protocols/rdp/main.zeek
+============================
+.. zeek:namespace:: RDP
+
+Implements base functionality for RDP analysis. Generates the rdp.log file.
+
+:Namespace: RDP
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/rdp/consts.zeek </scripts/base/protocols/rdp/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================= ==================================================================
+:zeek:id:`RDP::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef` If true, detach the RDP analyzer from the connection to prevent
+                                                                                        continuing to process encrypted traffic.
+:zeek:id:`RDP::rdp_check_interval`: :zeek:type:`interval` :zeek:attr:`&redef`           The amount of time to monitor an RDP session from when it is first
+                                                                                        identified.
+======================================================================================= ==================================================================
+
+Types
+#####
+=========================================== =
+:zeek:type:`RDP::Info`: :zeek:type:`record` 
+=========================================== =
+
+Redefinitions
+#############
+==================================================================== ==============================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`RDP::LOG`
+:zeek:type:`RDP::Info`: :zeek:type:`record`                          
+                                                                     
+                                                                     :New Fields: :zeek:type:`RDP::Info`
+                                                                     
+                                                                       analyzer_id: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                         The analyzer ID used for the analyzer instance attached
+                                                                         to each connection.
+                                                                     
+                                                                       done: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                                         Track status of logging RDP connections.
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       rdp: :zeek:type:`RDP::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ==============================================================================
+
+Events
+######
+=========================================== ===================================================================
+:zeek:id:`RDP::log_rdp`: :zeek:type:`event` Event that can be handled to access the rdp record as it is sent on
+                                            to the logging framework.
+=========================================== ===================================================================
+
+Hooks
+#####
+============================================================ ======================
+:zeek:id:`RDP::finalize_rdp`: :zeek:type:`Conn::RemovalHook` RDP finalization hook.
+:zeek:id:`RDP::log_policy`: :zeek:type:`Log::PolicyHook`     
+============================================================ ======================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: RDP::disable_analyzer_after_detection
+   :source-code: base/protocols/rdp/main.zeek 67 67
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, detach the RDP analyzer from the connection to prevent
+   continuing to process encrypted traffic.
+
+.. zeek:id:: RDP::rdp_check_interval
+   :source-code: base/protocols/rdp/main.zeek 71 71
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 secs``
+
+   The amount of time to monitor an RDP session from when it is first
+   identified. When this interval is reached, the session is logged.
+
+Types
+#####
+.. zeek:type:: RDP::Info
+   :source-code: base/protocols/rdp/main.zeek 13 63
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: cookie :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Cookie value used by the client machine.
+      This is typically a username, but note that it will often
+      be truncated on the wire, to a maximum of 9 characters.
+
+
+   .. zeek:field:: result :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Status result for the connection.  It's a mix between
+      RDP negotiation failure messages and GCC server create
+      response messages.
+
+
+   .. zeek:field:: security_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Security protocol chosen by the server.
+
+
+   .. zeek:field:: client_channels :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The channels requested by the client
+
+
+   .. zeek:field:: keyboard_layout :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Keyboard layout (language) of the client machine.
+
+
+   .. zeek:field:: client_build :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      RDP client version used by the client machine.
+
+
+   .. zeek:field:: client_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Name of the client machine.
+
+
+   .. zeek:field:: client_dig_product_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Product ID of the client machine.
+
+
+   .. zeek:field:: desktop_width :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Desktop width of the client machine.
+
+
+   .. zeek:field:: desktop_height :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Desktop height of the client machine.
+
+
+   .. zeek:field:: requested_color_depth :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The color depth requested by the client in
+      the high_color_depth field.
+
+
+   .. zeek:field:: cert_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the connection is being encrypted with native
+      RDP encryption, this is the type of cert
+      being used.
+
+
+   .. zeek:field:: cert_count :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of certs seen.  X.509 can transfer an
+      entire certificate chain.
+
+
+   .. zeek:field:: cert_permanent :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Indicates if the provided certificate or certificate
+      chain is permanent or temporary.
+
+
+   .. zeek:field:: encryption_level :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Encryption level of the connection.
+
+
+   .. zeek:field:: encryption_method :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Encryption method of the connection.
+
+
+   .. zeek:field:: analyzer_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      The analyzer ID used for the analyzer instance attached
+      to each connection.  It is not used for logging since it's a
+      meaningless arbitrary number.
+
+
+   .. zeek:field:: done :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Track status of logging RDP connections.
+
+
+   .. zeek:field:: ssl :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/rdp/indicate_ssl.zeek` is loaded)
+
+      Flag the connection if it was seen over SSL.
+
+
+
+Events
+######
+.. zeek:id:: RDP::log_rdp
+   :source-code: base/protocols/rdp/main.zeek 75 75
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`RDP::Info`)
+
+   Event that can be handled to access the rdp record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: RDP::finalize_rdp
+   :source-code: base/protocols/rdp/main.zeek 296 303
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   RDP finalization hook.  Remaining RDP info may get logged when it's called.
+
+.. zeek:id:: RDP::log_policy
+   :source-code: base/protocols/rdp/main.zeek 11 11
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/redis/__load__.zeek.rst b/doc/scripts/base/protocols/redis/__load__.zeek.rst
new file mode 100644
index 0000000000..2ed7c03a0e
--- /dev/null
+++ b/doc/scripts/base/protocols/redis/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/redis/__load__.zeek
+==================================
+
+
+:Imports: :doc:`base/protocols/redis/main.zeek </scripts/base/protocols/redis/main.zeek>`, :doc:`base/protocols/redis/spicy-events.zeek </scripts/base/protocols/redis/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/redis/index.rst b/doc/scripts/base/protocols/redis/index.rst
new file mode 100644
index 0000000000..b42f669c81
--- /dev/null
+++ b/doc/scripts/base/protocols/redis/index.rst
@@ -0,0 +1,16 @@
+:orphan:
+
+Package: base/protocols/redis
+=============================
+
+
+:doc:`/scripts/base/protocols/redis/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/redis/spicy-events.zeek`
+
+   Events and records generated by the Redis analyzer.
+
+:doc:`/scripts/base/protocols/redis/main.zeek`
+
+
diff --git a/doc/scripts/base/protocols/redis/main.zeek.rst b/doc/scripts/base/protocols/redis/main.zeek.rst
new file mode 100644
index 0000000000..abbc45239e
--- /dev/null
+++ b/doc/scripts/base/protocols/redis/main.zeek.rst
@@ -0,0 +1,280 @@
+:tocdepth: 3
+
+base/protocols/redis/main.zeek
+==============================
+.. zeek:namespace:: Redis
+
+
+:Namespace: Redis
+:Imports: :doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/redis/spicy-events.zeek </scripts/base/protocols/redis/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================== =
+:zeek:id:`Redis::max_pending_commands`: :zeek:type:`count` :zeek:attr:`&redef` 
+============================================================================== =
+
+Redefinable Options
+###################
+============================================================= ================================
+:zeek:id:`Redis::ports`: :zeek:type:`set` :zeek:attr:`&redef` The ports to register Redis for.
+============================================================= ================================
+
+State Variables
+###############
+========================================================= =
+:zeek:id:`Redis::enter_subscribed_mode`: :zeek:type:`set` 
+:zeek:id:`Redis::exit_subscribed_mode`: :zeek:type:`set`  
+:zeek:id:`Redis::no_response_commands`: :zeek:type:`set`  
+========================================================= =
+
+Types
+#####
+===================================================== ===============================================================================
+:zeek:type:`Redis::Info`: :zeek:type:`record`         Record type containing the column fields of the Redis log.
+:zeek:type:`Redis::NoReplyRange`: :zeek:type:`record` Which numbered commands should not expect a reply due to CLIENT REPLY commands.
+:zeek:type:`Redis::RESPVersion`: :zeek:type:`enum`    
+:zeek:type:`Redis::State`: :zeek:type:`record`        
+===================================================== ===============================================================================
+
+Redefinitions
+#############
+==================================================================== ===============================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              Log stream identifier.
+                                                                     
+                                                                     * :zeek:enum:`Redis::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       redis: :zeek:type:`Redis::Info` :zeek:attr:`&optional`
+                                                                     
+                                                                       redis_state: :zeek:type:`Redis::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ===============================================================
+
+Hooks
+#####
+================================================================ =============================================
+:zeek:id:`Redis::finalize_redis`: :zeek:type:`Conn::RemovalHook` 
+:zeek:id:`Redis::log_policy`: :zeek:type:`Log::PolicyHook`       A default logging policy hook for the stream.
+================================================================ =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Redis::max_pending_commands
+   :source-code: base/protocols/redis/main.zeek 74 74
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10000``
+
+
+Redefinable Options
+###################
+.. zeek:id:: Redis::ports
+   :source-code: base/protocols/redis/main.zeek 13 13
+
+   :Type: :zeek:type:`set` [:zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            6379/tcp
+         }
+
+
+   The ports to register Redis for.
+
+State Variables
+###############
+.. zeek:id:: Redis::enter_subscribed_mode
+   :source-code: base/protocols/redis/main.zeek 77 77
+
+   :Type: :zeek:type:`set` [:zeek:type:`Redis::RedisCommand`]
+   :Default:
+
+      ::
+
+         {
+            Redis::RedisCommand_PSUBSCRIBE,
+            Redis::RedisCommand_SSUBSCRIBE,
+            Redis::RedisCommand_SUBSCRIBE
+         }
+
+
+
+.. zeek:id:: Redis::exit_subscribed_mode
+   :source-code: base/protocols/redis/main.zeek 81 81
+
+   :Type: :zeek:type:`set` [:zeek:type:`Redis::RedisCommand`]
+   :Default:
+
+      ::
+
+         {
+            Redis::RedisCommand_RESET,
+            Redis::RedisCommand_QUIT
+         }
+
+
+
+.. zeek:id:: Redis::no_response_commands
+   :source-code: base/protocols/redis/main.zeek 84 84
+
+   :Type: :zeek:type:`set` [:zeek:type:`Redis::RedisCommand`]
+   :Default:
+
+      ::
+
+         {
+            Redis::RedisCommand_SSUBSCRIBE,
+            Redis::RedisCommand_SUBSCRIBE,
+            Redis::RedisCommand_PUNSUBSCRIBE,
+            Redis::RedisCommand_SUNSUBSCRIBE,
+            Redis::RedisCommand_UNSUBSCRIBE,
+            Redis::RedisCommand_PSUBSCRIBE
+         }
+
+
+
+Types
+#####
+.. zeek:type:: Redis::Info
+   :source-code: base/protocols/redis/main.zeek 16 29
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the activity happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: cmd :zeek:type:`Redis::Command` :zeek:attr:`&log`
+
+      The Redis command.
+
+
+   .. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the command was successful. Only set if the server responded.
+
+
+   .. zeek:field:: reply :zeek:type:`Redis::ReplyData` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The reply for the command.
+
+
+   Record type containing the column fields of the Redis log.
+
+.. zeek:type:: Redis::NoReplyRange
+   :source-code: base/protocols/redis/main.zeek 39 42
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: begin :zeek:type:`count`
+
+
+   .. zeek:field:: end :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   Which numbered commands should not expect a reply due to CLIENT REPLY commands.
+   These commands may simply skip one, or they may turn off replies then later
+   reenable them. Thus, the end of the interval is optional.
+
+.. zeek:type:: Redis::RESPVersion
+   :source-code: base/protocols/redis/main.zeek 44 48
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Redis::RESP2 Redis::RESPVersion
+
+      .. zeek:enum:: Redis::RESP3 Redis::RESPVersion
+
+
+.. zeek:type:: Redis::State
+   :source-code: base/protocols/redis/main.zeek 49 70
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pending :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`Redis::Info`
+
+      Pending commands.
+
+
+   .. zeek:field:: current_command :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Current command in the pending queue.
+
+
+   .. zeek:field:: current_reply :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Current reply in the pending queue.
+
+
+   .. zeek:field:: no_reply_ranges :zeek:type:`vector` of :zeek:type:`Redis::NoReplyRange`
+
+      Ranges where we do not expect a reply due to CLIENT REPLY commands.
+      Each range is one or two elements, one meaning it's unbounded, two meaning
+      it begins at one and ends at the second.
+
+
+   .. zeek:field:: skip_commands :zeek:type:`set` [:zeek:type:`count`]
+
+      The command indexes (from current_command and current_reply) that will
+      not get responses no matter what.
+
+
+   .. zeek:field:: violation :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      We store if this analyzer had a violation to avoid logging if so.
+      This should not be super necessary, but worth a shot.
+
+
+   .. zeek:field:: subscribed_mode :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      If we are in "subscribed" mode
+
+
+   .. zeek:field:: resp_version :zeek:type:`Redis::RESPVersion` :zeek:attr:`&default` = ``Redis::RESP2`` :zeek:attr:`&optional`
+
+      The RESP version
+
+
+
+Hooks
+#####
+.. zeek:id:: Redis::finalize_redis
+   :source-code: base/protocols/redis/main.zeek 339 357
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+
+.. zeek:id:: Redis::log_policy
+   :source-code: base/protocols/redis/main.zeek 32 32
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/base/protocols/redis/spicy-events.zeek.rst b/doc/scripts/base/protocols/redis/spicy-events.zeek.rst
new file mode 100644
index 0000000000..afacc1f22c
--- /dev/null
+++ b/doc/scripts/base/protocols/redis/spicy-events.zeek.rst
@@ -0,0 +1,305 @@
+:tocdepth: 3
+
+base/protocols/redis/spicy-events.zeek
+======================================
+.. zeek:namespace:: Redis
+
+Events and records generated by the Redis analyzer.
+
+:Namespace: Redis
+
+Summary
+~~~~~~~
+Types
+#####
+===================================================== ========================================
+:zeek:type:`Redis::AuthCommand`: :zeek:type:`record`  The Redis AUTH command.
+:zeek:type:`Redis::Command`: :zeek:type:`record`      A generic Redis command from the client.
+:zeek:type:`Redis::HelloCommand`: :zeek:type:`record` The Redis HELLO command (handshake).
+:zeek:type:`Redis::ReplyData`: :zeek:type:`record`    A generic Redis reply from the client.
+:zeek:type:`Redis::SetCommand`: :zeek:type:`record`   The Redis SET command.
+===================================================== ========================================
+
+Events
+######
+=================================================== =======================================================================
+:zeek:id:`Redis::auth_command`: :zeek:type:`event`  Generated for Redis AUTH commands sent to the Redis server.
+:zeek:id:`Redis::command`: :zeek:type:`event`       Generated for every command sent by the client to the Redis server.
+:zeek:id:`Redis::error`: :zeek:type:`event`         Generated for every error response sent by the Redis server to the
+                                                    client.
+:zeek:id:`Redis::get_command`: :zeek:type:`event`   Generated for Redis GET commands sent to the Redis server.
+:zeek:id:`Redis::hello_command`: :zeek:type:`event` Generated for Redis HELLO commands sent to the Redis server.
+:zeek:id:`Redis::reply`: :zeek:type:`event`         Generated for every successful response sent by the Redis server to the
+                                                    client.
+:zeek:id:`Redis::server_push`: :zeek:type:`event`   Generated for out-of-band data, outside of the request-response
+                                                    model.
+:zeek:id:`Redis::set_command`: :zeek:type:`event`   Generated for Redis SET commands sent to the Redis server.
+=================================================== =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Redis::AuthCommand
+   :source-code: base/protocols/redis/spicy-events.zeek 33 38
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: username :zeek:type:`string` :zeek:attr:`&optional`
+
+      The username getting authenticated.
+
+
+   .. zeek:field:: password :zeek:type:`string`
+
+      The password authenticated with.
+
+
+   The Redis AUTH command.
+
+.. zeek:type:: Redis::Command
+   :source-code: base/protocols/redis/spicy-events.zeek 47 59
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: raw :zeek:type:`vector` of :zeek:type:`string`
+
+      The raw command, exactly as parsed
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log`
+
+      The first element of the command. Some commands are two strings, meaning
+      this is inaccurate for those cases.
+
+
+   .. zeek:field:: key :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The key, if this command is known to have a key
+
+
+   .. zeek:field:: value :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The value, if this command is known to have a value
+
+
+   .. zeek:field:: known :zeek:type:`Redis::RedisCommand` :zeek:attr:`&optional`
+
+      The command in an enum if it was known
+
+
+   A generic Redis command from the client.
+
+.. zeek:type:: Redis::HelloCommand
+   :source-code: base/protocols/redis/spicy-events.zeek 41 44
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: requested_resp_version :zeek:type:`string` :zeek:attr:`&optional`
+
+      The sent requested RESP version, such as "2" or "3"
+
+
+   The Redis HELLO command (handshake).
+
+.. zeek:type:: Redis::ReplyData
+   :source-code: base/protocols/redis/spicy-events.zeek 62 69
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: attributes :zeek:type:`string` :zeek:attr:`&optional`
+
+      The RESP3 attributes applied to this, if any
+
+
+   .. zeek:field:: value :zeek:type:`string` :zeek:attr:`&log`
+
+      The string version of the reply data
+
+
+   .. zeek:field:: min_protocol_version :zeek:type:`count`
+
+      The minimum RESP version that supports this reply type
+
+
+   A generic Redis reply from the client.
+
+.. zeek:type:: Redis::SetCommand
+   :source-code: base/protocols/redis/spicy-events.zeek 7 30
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: key :zeek:type:`string` :zeek:attr:`&log`
+
+      The key the SET command is setting.
+
+
+   .. zeek:field:: value :zeek:type:`string` :zeek:attr:`&log`
+
+      The value the SET command is setting key to.
+
+
+   .. zeek:field:: nx :zeek:type:`bool`
+
+      If NX is set -- only set the key if it does not exist.
+
+
+   .. zeek:field:: xx :zeek:type:`bool`
+
+      If XX is set -- only set the key if it already exists.
+
+
+   .. zeek:field:: get :zeek:type:`bool`
+
+      If GET is set -- return the old string stored at key.
+
+
+   .. zeek:field:: ex :zeek:type:`count` :zeek:attr:`&optional`
+
+      EX option -- set the specified expire time, in seconds.
+
+
+   .. zeek:field:: px :zeek:type:`count` :zeek:attr:`&optional`
+
+      PX option -- set the specified expire time, in milliseconds.
+
+
+   .. zeek:field:: exat :zeek:type:`count` :zeek:attr:`&optional`
+
+      EXAT option-- set the specified Unix time at which the key will
+      expire, in seconds.
+
+
+   .. zeek:field:: pxat :zeek:type:`count` :zeek:attr:`&optional`
+
+      PXAT option -- set the specified Unix time at which the key will
+      expire, in milliseconds.
+
+
+   .. zeek:field:: keep_ttl :zeek:type:`bool`
+
+      If KEEPTTL is set -- retain the time to live associated with the key.
+
+
+   The Redis SET command.
+
+Events
+######
+.. zeek:id:: Redis::auth_command
+   :source-code: base/protocols/redis/spicy-events.zeek 91 91
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`Redis::AuthCommand`)
+
+   Generated for Redis AUTH commands sent to the Redis server.
+   
+
+   :param c: The connection.
+   
+
+   :param command: The AUTH command sent to the server and its data.
+
+.. zeek:id:: Redis::command
+   :source-code: base/protocols/redis/main.zeek 159 238
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, cmd: :zeek:type:`Redis::Command`)
+
+   Generated for every command sent by the client to the Redis server.
+   
+
+   :param c: The connection.
+   
+
+   :param cmd: The command sent to the server.
+
+.. zeek:id:: Redis::error
+   :source-code: base/protocols/redis/main.zeek 325 337
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`Redis::ReplyData`)
+
+   Generated for every error response sent by the Redis server to the
+   client.
+   
+
+   :param c: The connection.
+   
+
+   :param data: The server data sent to the client.
+
+.. zeek:id:: Redis::get_command
+   :source-code: base/protocols/redis/spicy-events.zeek 84 84
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, key: :zeek:type:`string`)
+
+   Generated for Redis GET commands sent to the Redis server.
+   
+
+   :param c: The connection.
+   
+
+   :param command: The GET command sent to the server and its data.
+
+.. zeek:id:: Redis::hello_command
+   :source-code: base/protocols/redis/main.zeek 150 157
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`Redis::HelloCommand`)
+
+   Generated for Redis HELLO commands sent to the Redis server.
+   
+
+   :param c: The connection.
+   
+
+   :param command: The HELLO command sent to the server and its data.
+
+.. zeek:id:: Redis::reply
+   :source-code: base/protocols/redis/main.zeek 294 323
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`Redis::ReplyData`)
+
+   Generated for every successful response sent by the Redis server to the
+   client. For RESP2, this includes "push" messages, which are out of band.
+   These will also raise a server_push event. RESP3 push messages will only
+   raise a server_push event.
+   
+
+   :param c: The connection.
+   
+
+   :param data: The server data sent to the client.
+   
+   .. zeek:see:: Redis::server_push
+
+.. zeek:id:: Redis::server_push
+   :source-code: base/protocols/redis/spicy-events.zeek 133 133
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`Redis::ReplyData`)
+
+   Generated for out-of-band data, outside of the request-response
+   model.
+   
+
+   :param c: The connection.
+   
+
+   :param data: The server data sent to the client.
+
+.. zeek:id:: Redis::set_command
+   :source-code: base/protocols/redis/spicy-events.zeek 77 77
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, command: :zeek:type:`Redis::SetCommand`)
+
+   Generated for Redis SET commands sent to the Redis server.
+   
+
+   :param c: The connection.
+   
+
+   :param command: The SET command sent to the server and its data.
+
+
diff --git a/doc/scripts/base/protocols/rfb/__load__.zeek.rst b/doc/scripts/base/protocols/rfb/__load__.zeek.rst
new file mode 100644
index 0000000000..73cd44f82b
--- /dev/null
+++ b/doc/scripts/base/protocols/rfb/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/rfb/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/rfb/main.zeek </scripts/base/protocols/rfb/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/rfb/index.rst b/doc/scripts/base/protocols/rfb/index.rst
new file mode 100644
index 0000000000..b9f246451e
--- /dev/null
+++ b/doc/scripts/base/protocols/rfb/index.rst
@@ -0,0 +1,13 @@
+:orphan:
+
+Package: base/protocols/rfb
+===========================
+
+Support for Remote FrameBuffer analysis.  This includes all VNC servers.
+
+:doc:`/scripts/base/protocols/rfb/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/rfb/main.zeek`
+
+
diff --git a/doc/scripts/base/protocols/rfb/main.zeek.rst b/doc/scripts/base/protocols/rfb/main.zeek.rst
new file mode 100644
index 0000000000..f4ebafee35
--- /dev/null
+++ b/doc/scripts/base/protocols/rfb/main.zeek.rst
@@ -0,0 +1,152 @@
+:tocdepth: 3
+
+base/protocols/rfb/main.zeek
+============================
+.. zeek:namespace:: RFB
+
+
+:Namespace: RFB
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+=========================================== =========================================================
+:zeek:type:`RFB::Info`: :zeek:type:`record` The record type which contains the fields of the RFB log.
+=========================================== =========================================================
+
+Redefinitions
+#############
+============================================ ====================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      
+                                             
+                                             * :zeek:enum:`RFB::LOG`
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               rfb: :zeek:type:`RFB::Info` :zeek:attr:`&optional`
+============================================ ====================================================
+
+Events
+######
+=========================================== =
+:zeek:id:`RFB::log_rfb`: :zeek:type:`event` 
+=========================================== =
+
+Hooks
+#####
+============================================================ ======================
+:zeek:id:`RFB::finalize_rfb`: :zeek:type:`Conn::RemovalHook` RFB finalization hook.
+:zeek:id:`RFB::log_policy`: :zeek:type:`Log::PolicyHook`     
+============================================================ ======================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: RFB::Info
+   :source-code: base/protocols/rfb/main.zeek 11 45
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the event happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: client_major_version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Major version of the client.
+
+
+   .. zeek:field:: client_minor_version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Minor version of the client.
+
+
+   .. zeek:field:: server_major_version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Major version of the server.
+
+
+   .. zeek:field:: server_minor_version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Minor version of the server.
+
+
+   .. zeek:field:: authentication_method :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Identifier of authentication method used.
+
+
+   .. zeek:field:: auth :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Whether or not authentication was successful.
+
+
+   .. zeek:field:: share_flag :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Whether the client has an exclusive or a shared session.
+
+
+   .. zeek:field:: desktop_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Name of the screen that is being shared.
+
+
+   .. zeek:field:: width :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Width of the screen that is being shared.
+
+
+   .. zeek:field:: height :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Height of the screen that is being shared.
+
+
+   .. zeek:field:: done :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Internally used value to determine if this connection
+      has already been logged.
+
+
+   The record type which contains the fields of the RFB log.
+
+Events
+######
+.. zeek:id:: RFB::log_rfb
+   :source-code: base/protocols/rfb/main.zeek 47 47
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`RFB::Info`)
+
+
+Hooks
+#####
+.. zeek:id:: RFB::finalize_rfb
+   :source-code: base/protocols/rfb/main.zeek 162 168
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   RFB finalization hook.  Remaining RFB info may get logged when it's called.
+
+.. zeek:id:: RFB::log_policy
+   :source-code: base/protocols/rfb/main.zeek 8 8
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/sip/__load__.zeek.rst b/doc/scripts/base/protocols/sip/__load__.zeek.rst
new file mode 100644
index 0000000000..03430b9b17
--- /dev/null
+++ b/doc/scripts/base/protocols/sip/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/sip/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/sip/main.zeek </scripts/base/protocols/sip/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/sip/index.rst b/doc/scripts/base/protocols/sip/index.rst
new file mode 100644
index 0000000000..0c388ea598
--- /dev/null
+++ b/doc/scripts/base/protocols/sip/index.rst
@@ -0,0 +1,16 @@
+:orphan:
+
+Package: base/protocols/sip
+===========================
+
+Support for Session Initiation Protocol (SIP) analysis.
+
+:doc:`/scripts/base/protocols/sip/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/sip/main.zeek`
+
+   Implements base functionality for SIP analysis.  The logging model is
+   to log request/response pairs and all relevant metadata together in
+   a single record.
+
diff --git a/doc/scripts/base/protocols/sip/main.zeek.rst b/doc/scripts/base/protocols/sip/main.zeek.rst
new file mode 100644
index 0000000000..94365a8d0c
--- /dev/null
+++ b/doc/scripts/base/protocols/sip/main.zeek.rst
@@ -0,0 +1,271 @@
+:tocdepth: 3
+
+base/protocols/sip/main.zeek
+============================
+.. zeek:namespace:: SIP
+
+Implements base functionality for SIP analysis.  The logging model is
+to log request/response pairs and all relevant metadata together in
+a single record.
+
+:Namespace: SIP
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`, :doc:`base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================= ======================
+:zeek:id:`SIP::sip_methods`: :zeek:type:`set` :zeek:attr:`&redef` A list of SIP methods.
+================================================================= ======================
+
+Types
+#####
+============================================ =========================================================
+:zeek:type:`SIP::Info`: :zeek:type:`record`  The record type which contains the fields of the SIP log.
+:zeek:type:`SIP::State`: :zeek:type:`record` 
+============================================ =========================================================
+
+Redefinitions
+#############
+==================================================================== ===========================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`SIP::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       sip: :zeek:type:`SIP::Info` :zeek:attr:`&optional`
+                                                                     
+                                                                       sip_state: :zeek:type:`SIP::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ===========================================================
+
+Events
+######
+=========================================== ===================================================================
+:zeek:id:`SIP::log_sip`: :zeek:type:`event` Event that can be handled to access the SIP record as it is sent on
+                                            to the logging framework.
+=========================================== ===================================================================
+
+Hooks
+#####
+============================================================ ======================
+:zeek:id:`SIP::finalize_sip`: :zeek:type:`Conn::RemovalHook` SIP finalization hook.
+:zeek:id:`SIP::log_policy`: :zeek:type:`Log::PolicyHook`     
+============================================================ ======================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SIP::sip_methods
+   :source-code: base/protocols/sip/main.zeek 86 86
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "BYE",
+            "SUBSCRIBE",
+            "NOTIFY",
+            "REGISTER",
+            "INVITE",
+            "CANCEL",
+            "OPTIONS",
+            "ACK"
+         }
+
+
+   A list of SIP methods. Other methods will generate a weird. Note
+   that the SIP analyzer will only accept methods consisting solely
+   of letters ``[A-Za-z]``.
+
+Types
+#####
+.. zeek:type:: SIP::Info
+   :source-code: base/protocols/sip/main.zeek 17 72
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the request happened.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: trans_depth :zeek:type:`count` :zeek:attr:`&log`
+
+      Represents the pipelined depth into the connection of this
+      request/response transaction.
+
+
+   .. zeek:field:: method :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Verb used in the SIP request (INVITE, REGISTER etc.).
+
+
+   .. zeek:field:: uri :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      URI used in the request.
+
+
+   .. zeek:field:: date :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Date: header from the client
+
+
+   .. zeek:field:: request_from :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the request From: header
+      Note: The tag= value that's usually appended to the sender
+      is stripped off and not logged.
+
+
+   .. zeek:field:: request_to :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the To: header
+
+
+   .. zeek:field:: response_from :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the response From: header
+      Note: The ``tag=`` value that's usually appended to the sender
+      is stripped off and not logged.
+
+
+   .. zeek:field:: response_to :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the response To: header
+
+
+   .. zeek:field:: reply_to :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Reply-To: header
+
+
+   .. zeek:field:: call_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Call-ID: header from the client
+
+
+   .. zeek:field:: seq :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the CSeq: header from the client
+
+
+   .. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Subject: header from the client
+
+
+   .. zeek:field:: request_path :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The client message transmission path, as extracted from the headers.
+
+
+   .. zeek:field:: response_path :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The server message transmission path, as extracted from the headers.
+
+
+   .. zeek:field:: user_agent :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the User-Agent: header from the client
+
+
+   .. zeek:field:: status_code :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Status code returned by the server.
+
+
+   .. zeek:field:: status_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Status message returned by the server.
+
+
+   .. zeek:field:: warning :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Warning: header
+
+
+   .. zeek:field:: request_body_len :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Content-Length: header from the client
+
+
+   .. zeek:field:: response_body_len :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Content-Length: header from the server
+
+
+   .. zeek:field:: content_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Content-Type: header from the server
+
+
+   The record type which contains the fields of the SIP log.
+
+.. zeek:type:: SIP::State
+   :source-code: base/protocols/sip/main.zeek 74 81
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: pending :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`SIP::Info`
+
+      Pending requests.
+
+
+   .. zeek:field:: current_request :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Current request in the pending queue.
+
+
+   .. zeek:field:: current_response :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Current response in the pending queue.
+
+
+
+Events
+######
+.. zeek:id:: SIP::log_sip
+   :source-code: base/protocols/sip/main.zeek 92 92
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`SIP::Info`)
+
+   Event that can be handled to access the SIP record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: SIP::finalize_sip
+   :source-code: base/protocols/sip/main.zeek 300 309
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   SIP finalization hook.  Remaining SIP info may get logged when it's called.
+
+.. zeek:id:: SIP::log_policy
+   :source-code: base/protocols/sip/main.zeek 14 14
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/smb/__load__.zeek.rst b/doc/scripts/base/protocols/smb/__load__.zeek.rst
new file mode 100644
index 0000000000..a4d63ef6f1
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/smb/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/smb/const-dos-error.zeek </scripts/base/protocols/smb/const-dos-error.zeek>`, :doc:`base/protocols/smb/const-nt-status.zeek </scripts/base/protocols/smb/const-nt-status.zeek>`, :doc:`base/protocols/smb/consts.zeek </scripts/base/protocols/smb/consts.zeek>`, :doc:`base/protocols/smb/files.zeek </scripts/base/protocols/smb/files.zeek>`, :doc:`base/protocols/smb/main.zeek </scripts/base/protocols/smb/main.zeek>`, :doc:`base/protocols/smb/smb1-main.zeek </scripts/base/protocols/smb/smb1-main.zeek>`, :doc:`base/protocols/smb/smb2-main.zeek </scripts/base/protocols/smb/smb2-main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/smb/const-dos-error.zeek.rst b/doc/scripts/base/protocols/smb/const-dos-error.zeek.rst
new file mode 100644
index 0000000000..d2e132fac9
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/const-dos-error.zeek.rst
@@ -0,0 +1,22 @@
+:tocdepth: 3
+
+base/protocols/smb/const-dos-error.zeek
+=======================================
+.. zeek:namespace:: SMB
+
+
+:Namespace: SMB
+:Imports: :doc:`base/protocols/smb/consts.zeek </scripts/base/protocols/smb/consts.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================================================================================== =
+:zeek:id:`SMB::statuses`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function` 
+============================================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/smb/const-nt-status.zeek.rst b/doc/scripts/base/protocols/smb/const-nt-status.zeek.rst
new file mode 100644
index 0000000000..9ed4be9eaa
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/const-nt-status.zeek.rst
@@ -0,0 +1,22 @@
+:tocdepth: 3
+
+base/protocols/smb/const-nt-status.zeek
+=======================================
+.. zeek:namespace:: SMB
+
+
+:Namespace: SMB
+:Imports: :doc:`base/protocols/smb/consts.zeek </scripts/base/protocols/smb/consts.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================================================================================== =
+:zeek:id:`SMB::statuses`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function` 
+============================================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/smb/consts.zeek.rst b/doc/scripts/base/protocols/smb/consts.zeek.rst
new file mode 100644
index 0000000000..52f0e60bf4
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/consts.zeek.rst
@@ -0,0 +1,518 @@
+:tocdepth: 3
+
+base/protocols/smb/consts.zeek
+==============================
+.. zeek:namespace:: SMB
+.. zeek:namespace:: SMB1
+.. zeek:namespace:: SMB2
+
+
+:Namespaces: SMB, SMB1, SMB2
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================================================== ============================================
+:zeek:id:`SMB::rpc_sub_cmds`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function` The subcommands for RPC endpoints.
+:zeek:id:`SMB::rpc_uuids`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`    The UUIDs used by the various RPC endpoints.
+:zeek:id:`SMB::srv_cmds`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`     Server service sub commands.
+:zeek:id:`SMB::statuses`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`     
+:zeek:id:`SMB::wksta_cmds`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`   Workstation service sub commands.
+================================================================================================================== ============================================
+
+Constants
+#########
+====================================================================================================== =
+:zeek:id:`SMB1::commands`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`            
+:zeek:id:`SMB1::trans2_sub_commands`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` 
+:zeek:id:`SMB1::trans_sub_commands`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`  
+:zeek:id:`SMB2::commands`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`            
+:zeek:id:`SMB2::dialects`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`            
+:zeek:id:`SMB2::share_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`         
+====================================================================================================== =
+
+Types
+#####
+=================================================== =
+:zeek:type:`SMB::StatusCode`: :zeek:type:`record`   
+:zeek:type:`SMB::rpc_cmd_table`: :zeek:type:`table` 
+=================================================== =
+
+Redefinitions
+#############
+==================================================================== ================================================
+:zeek:id:`SMB::pipe_filenames`: :zeek:type:`set` :zeek:attr:`&redef` Heuristic detection of named pipes when the pipe
+                                                                     mapping isn't seen.
+==================================================================== ================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: SMB::rpc_sub_cmds
+   :source-code: base/protocols/smb/consts.zeek 112 112
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`SMB::rpc_cmd_table`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = {
+               [40] = "NetrSetFileSecurity",
+               [45] = "NetrDfsDeleteLocalPartition",
+               [19] = "NetrShareDelSticky",
+               [20] = "NetrShareCheck",
+               [33] = "NetprNameValidate",
+               [39] = "NetrGetFileSecurity",
+               [36] = "NetrShareEnumSticky",
+               [30] = "NetprPathType",
+               [14] = "NetrShareAdd",
+               [15] = "NetrShareEnum",
+               [46] = "NetrDfsSetLocalVolumeState",
+               [31] = "NetprPathCanonicalize",
+               [28] = "NetrRemoteTOD",
+               [8] = "NetrConnectionEnum",
+               [23] = "NetrServerDiskEnum",
+               [27] = "NetrServerTransportDel",
+               [9] = "NetrFileEnum",
+               [53] = "NetrServerTransportDelEx",
+               [55] = "NetrServerAliasEnum",
+               [56] = "NetrServerAliasDel",
+               [52] = "NetrDfsManagerReportSiteInfo",
+               [21] = "NetrServerGetInfo",
+               [10] = "NetrFileGetInfo",
+               [32] = "NetprPathCompare",
+               [12] = "NetrSessionEnum",
+               [13] = "NetrSessionDel",
+               [26] = "NetrServerTransportEnum",
+               [41] = "NetrServerTransportAddEx",
+               [17] = "NetrShareSetInfo",
+               [50] = "NetrDfsModifyPrefix",
+               [25] = "NetrServerTransportAdd",
+               [16] = "NetrShareGetInfo",
+               [24] = "NetrServerStatisticsGet",
+               [48] = "NetrDfsCreateExitPoint",
+               [38] = "NetrShareDelCommit",
+               [54] = "NetrServerAliasAdd",
+               [49] = "NetrDfsDeleteExitPoint",
+               [57] = "NetrShareDelEx",
+               [11] = "NetrFileClose",
+               [35] = "NetprNameCompare",
+               [22] = "NetrServerSetInfo",
+               [43] = "NetrDfsGetVersion",
+               [51] = "NetrDfsFixLocalVolume",
+               [18] = "NetrShareDel",
+               [37] = "NetrShareDelStart",
+               [44] = "NetrDfsCreateLocalPartition",
+               [34] = "NetprNameCanonicalize"
+            },
+            ["6bffd098-a112-3610-9833-46c3f87e345a"] = {
+               [2] = "NetrWkstaUserEnum",
+               [25] = "NetrValidateName2",
+               [20] = "NetrGetJoinInformation",
+               [29] = "NetrSetPrimaryComputerName",
+               [6] = "NetrWkstaTransportAdd",
+               [30] = "NetrEnumerateComputerNames",
+               [24] = "NetrRenameMachineInDomain2",
+               [28] = "NetrRemoveAlternateComputerName",
+               [23] = "NetrUnjoinDomain2",
+               [8] = "NetrUseAdd",
+               [9] = "NetrUseGetInfo",
+               [27] = "NetrAddAlternateComputerName",
+               [1] = "NetrWkstaSetInfo",
+               [11] = "NetrUseEnum",
+               [7] = "NetrWkstaTransportDel",
+               [5] = "NetrWkstaTransportEnum",
+               [10] = "NetrUseDel",
+               [22] = "NetrJoinDomain2",
+               [13] = "NetrWorkstationStatisticsGet",
+               [26] = "NetrGetJoinableOUs2",
+               [0] = "NetrWkstaGetInfo"
+            }
+         }
+
+
+   The subcommands for RPC endpoints.
+
+.. zeek:id:: SMB::rpc_uuids
+   :source-code: base/protocols/smb/consts.zeek 28 28
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "Server Service",
+            ["6bffd098-a112-3610-9833-46c3f87e345a"] = "Workstation Service"
+         }
+
+
+   The UUIDs used by the various RPC endpoints.
+
+.. zeek:id:: SMB::srv_cmds
+   :source-code: base/protocols/smb/consts.zeek 34 34
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [40] = "NetrSetFileSecurity",
+            [45] = "NetrDfsDeleteLocalPartition",
+            [19] = "NetrShareDelSticky",
+            [20] = "NetrShareCheck",
+            [33] = "NetprNameValidate",
+            [39] = "NetrGetFileSecurity",
+            [36] = "NetrShareEnumSticky",
+            [30] = "NetprPathType",
+            [14] = "NetrShareAdd",
+            [15] = "NetrShareEnum",
+            [46] = "NetrDfsSetLocalVolumeState",
+            [31] = "NetprPathCanonicalize",
+            [28] = "NetrRemoteTOD",
+            [8] = "NetrConnectionEnum",
+            [23] = "NetrServerDiskEnum",
+            [27] = "NetrServerTransportDel",
+            [9] = "NetrFileEnum",
+            [53] = "NetrServerTransportDelEx",
+            [55] = "NetrServerAliasEnum",
+            [56] = "NetrServerAliasDel",
+            [52] = "NetrDfsManagerReportSiteInfo",
+            [21] = "NetrServerGetInfo",
+            [10] = "NetrFileGetInfo",
+            [32] = "NetprPathCompare",
+            [12] = "NetrSessionEnum",
+            [13] = "NetrSessionDel",
+            [26] = "NetrServerTransportEnum",
+            [41] = "NetrServerTransportAddEx",
+            [17] = "NetrShareSetInfo",
+            [50] = "NetrDfsModifyPrefix",
+            [25] = "NetrServerTransportAdd",
+            [16] = "NetrShareGetInfo",
+            [24] = "NetrServerStatisticsGet",
+            [48] = "NetrDfsCreateExitPoint",
+            [38] = "NetrShareDelCommit",
+            [54] = "NetrServerAliasAdd",
+            [49] = "NetrDfsDeleteExitPoint",
+            [57] = "NetrShareDelEx",
+            [11] = "NetrFileClose",
+            [35] = "NetprNameCompare",
+            [22] = "NetrServerSetInfo",
+            [43] = "NetrDfsGetVersion",
+            [51] = "NetrDfsFixLocalVolume",
+            [18] = "NetrShareDel",
+            [37] = "NetrShareDelStart",
+            [44] = "NetrDfsCreateLocalPartition",
+            [34] = "NetprNameCanonicalize"
+         }
+
+
+   Server service sub commands.
+
+.. zeek:id:: SMB::statuses
+   :source-code: base/protocols/smb/consts.zeek 9 9
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`SMB::StatusCode`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [0] = [id="SUCCESS", desc="The operation completed successfully."]
+         }
+
+   :Redefinition: from :doc:`/scripts/base/protocols/smb/const-dos-error.zeek`
+
+      ``+=``::
+
+         65537 = [$id=badfunc, $desc=Incorrect function.], 65538 = [$id=error, $desc=Incorrect function.], 131073 = [$id=badfile, $desc=The system cannot find the file specified.], 131074 = [$id=badpw, $desc=Bad password.], 196609 = [$id=badpath, $desc=The system cannot find the path specified.], 196610 = [$id=badtype, $desc=reserved], 262145 = [$id=nofids, $desc=The system cannot open the file.], 262146 = [$id=access, $desc=The client does not have the necessary access rights to perform the requested function.], 327681 = [$id=noaccess, $desc=Access is denied.], 327682 = [$id=invnid, $desc=The TID specified was invalid.], 393217 = [$id=badfid, $desc=The handle is invalid.], 393218 = [$id=invnetname, $desc=The network name cannot be found.], 458753 = [$id=badmcb, $desc=The storage control blocks were destroyed.], 458754 = [$id=invdevice, $desc=The device specified is invalid.], 524289 = [$id=nomem, $desc=Not enough storage is available to process this command.], 589825 = [$id=badmem, $desc=The storage control block address is invalid.], 655361 = [$id=badenv, $desc=The environment is incorrect.], 786433 = [$id=badaccess, $desc=The access code is invalid.], 851969 = [$id=baddata, $desc=The data is invalid.], 917505 = [$id=res, $desc=reserved], 983041 = [$id=baddrive, $desc=The system cannot find the drive specified.], 1048577 = [$id=remcd, $desc=The directory cannot be removed.], 1114113 = [$id=diffdevice, $desc=The system cannot move the file to a different disk drive.], 1179649 = [$id=nofiles, $desc=There are no more files.], 1245187 = [$id=nowrite, $desc=The media is write protected.], 1310723 = [$id=badunit, $desc=The system cannot find the device specified.], 1376259 = [$id=notready, $desc=The device is not ready.], 1441794 = [$id=unknownsmb, $desc=The device does not recognize the command.], 1441795 = [$id=badcmd, $desc=The device does not recognize the command.], 1507331 = [$id=data, $desc=Data error (cyclic redundancy check).], 1572867 = [$id=badreq, $desc=The program issued a command but the command length is incorrect.], 1638403 = [$id=seek, $desc=The drive cannot locate a specific area or track on the disk.], 1703939 = [$id=badmedia, $desc=The specified disk or diskette cannot be accessed.], 1769475 = [$id=badsector, $desc=The drive cannot find the sector requested.], 1835011 = [$id=nopaper, $desc=The printer is out of paper.], 1900547 = [$id=write, $desc=The system cannot write to the specified device.], 1966083 = [$id=read, $desc=The system cannot read from the specified device.], 2031617 = [$id=general, $desc=A device attached to the system is not functioning.], 2031619 = [$id=general, $desc=A device attached to the system is not functioning.], 2097153 = [$id=badshare, $desc=The process cannot access the file because it is being used by another process.], 2097155 = [$id=badshare, $desc=The process cannot access the file because it is being used by another process.], 2162689 = [$id=lock, $desc=The process cannot access the file because another process has locked a portion of the file.], 2162691 = [$id=lock, $desc=The process cannot access the file because another process has locked a portion of the file.], 2228227 = [$id=wrongdisk, $desc=The wrong diskette is in the drive.], 2293763 = [$id=FCBunavail, $desc=No FCBs are available to process the request.], 2359299 = [$id=sharebufexc, $desc=A sharing buffer has been exceeded.], 2555907 = [$id=diskfull, $desc=The disk is full.], 3211266 = [$id=qfull, $desc=The print queue is full.], 3276801 = [$id=unsup, $desc=The network request is not supported.], 3276802 = [$id=qtoobig, $desc=The queued item too big.], 3407874 = [$id=invpfid, $desc=The print file FID is invalid.], 3407873 = [$id=dupname, $desc=A duplicate name exists on the network.], 4194305 = [$id=netnamedel, $desc=The specified network name is no longer available.], 4194306 = [$id=smbcmd, $desc=The server did not recognize the command received.], 4259842 = [$id=srverror, $desc=The server encountered an internal error.], 4325377 = [$id=noipc, $desc=The network resource type is not correct.], 4390913 = [$id=nosuchshare, $desc=The network name cannot be found.], 4390914 = [$id=filespecs, $desc=The specified FID and pathname combination is invalid.], 4456450 = [$id=badlink, $desc=reserved], 4521986 = [$id=badpermits, $desc=The access permissions specified for a file or directory are not a valid combination.], 4587522 = [$id=badpid, $desc=reserved], 4653057 = [$id=nomoreconn, $desc=nomoreconn.], 4653058 = [$id=setattrmode, $desc=The attribute mode specified is invalid.], 5242881 = [$id=filexists, $desc=The file exists.], 5308418 = [$id=paused, $desc=The message server is paused.], 5373954 = [$id=msgoff, $desc=Not receiving messages.], 5439490 = [$id=noroom, $desc=No room to buffer message.], 5701633 = [$id=invalidparam, $desc=The parameter is incorrect.], 5701634 = [$id=rmuns, $desc=Too many remote usernames.], 5767170 = [$id=timeout, $desc=Operation timed out.], 5832706 = [$id=noresource, $desc=No resources currently available for request.], 5898242 = [$id=toomanyuids, $desc=Too many Uids active on this session.], 5963778 = [$id=baduid, $desc=The Uid is not known as a valid user identifier on this session.], 7143425 = [$id=brokenpipe, $desc=The pipe has been ended.], 7208961 = [$id=cannotopen, $desc=The system cannot open the device or file specified.], 7995393 = [$id=insufficientbuffer, $desc=The data area passed to a system call is too small.], 8060929 = [$id=invalidname, $desc=The filename, directory name, or volume label syntax is incorrect.], 8126465 = [$id=unknownlevel, $desc=The system call level is not correct.], 9502721 = [$id=notempty, $desc=The directory is not empty.], 10354689 = [$id=notlocked, $desc=The segment is already unlocked.], 11993089 = [$id=rename, $desc=Cannot create a file when that file already exists.], 15073281 = [$id=badpipe, $desc=The pipe state is invalid.], 15138817 = [$id=pipebusy, $desc=All pipe instances are busy.], 15204353 = [$id=pipeclosing, $desc=The pipe is being closed.], 15269889 = [$id=notconnected, $desc=No process is on the other end of the pipe.], 15335425 = [$id=moredata, $desc=More data is available.], 16384002 = [$id=usempx, $desc=Temporarily unable to support Raw, use Mpx mode.], 16449538 = [$id=usestd, $desc=Temporarily unable to support Raw, use standard read/write.], 16515074 = [$id=contmpx, $desc=Continue in MPX mode.], 16646146 = [$id=badPassword, $desc=reserved], 16973825 = [$id=nomoreitems, $desc=No more data is available.], 17498113 = [$id=baddirectory, $desc=The directory name is invalid.], 18481153 = [$id=easnotsupported, $desc=The mounted file system does not support extended attributes.], 67108866 = [$id=_NOTIFY_ENUM_DIR, $desc=Too many files have changed since the last time an NT_TRANSACT_NOTIFY_CHANGE was issued.], 86900737 = [$id=logonfailure, $desc=Logon failure: unknown user name or bad password.], 117637121 = [$id=driveralreadyinstalled, $desc=The specified printer driver is already installed.], 117702657 = [$id=unknownprinterport, $desc=The specified port is unknown.], 117768193 = [$id=unknownprinterdriver, $desc=The printer driver is unknown.], 117833729 = [$id=unknownprintprocessor, $desc=The print processor is unknown.], 117899265 = [$id=invalidseparatorfile, $desc=The specified separator file is invalid.], 117964801 = [$id=invalidjobpriority, $desc=The specified priority is invalid.], 118030337 = [$id=invalidprintername, $desc=The printer name is invalid.], 118095873 = [$id=printeralreadyexists, $desc=The printer already exists.], 118161409 = [$id=invalidprintercommand, $desc=The printer command is invalid.], 118226945 = [$id=invaliddatatype, $desc=The specified datatype is invalid.], 118292481 = [$id=invalidenvironment, $desc=The Environment specified is invalid.], 139132929 = [$id=buftoosmall, $desc=The API return buffer is too small.], 140378113 = [$id=unknownipc, $desc=The requested API is not supported on the remote server.], 140967937 = [$id=nosuchprintjob, $desc=The print job does not exist.], 146735106 = [$id=accountExpired, $desc=This user account has expired.], 146800642 = [$id=badClient, $desc=The user is not allowed to log on from this workstation.], 146866178 = [$id=badLogonTime, $desc=The user is not allowed to log on at this time.], 146931714 = [$id=passwordExpired, $desc=The password of this user has expired.], 160890881 = [$id=invgroup, $desc=invgroup], 196608001 = [$id=unknownprintmonitor, $desc=The specified print monitor is unknown.], 196673537 = [$id=printerdriverinuse, $desc=The specified printer driver is currently in use.], 196739073 = [$id=spoolfilenotfound, $desc=The spool file was not found.], 196804609 = [$id=nostartdoc, $desc=A StartDocPrinter call was not issued.], 196870145 = [$id=noaddjob, $desc=An AddJob call was not issued.], 196935681 = [$id=printprocessoralreadyinstalled, $desc=The specified print processor has already been installed.], 197001217 = [$id=printmonitoralreadyinstalled, $desc=The specified print monitor has already been installed.], 197066753 = [$id=invalidprintmonitor, $desc=The specified print monitor does not have the required functions.], 197132289 = [$id=printmonitorinuse, $desc=The specified print monitor is currently in use.], 197197825 = [$id=printerhasjobsqueued, $desc=The requested operation is not allowed when there are jobs queued to the printer.], 4294901762 = [$id=nosupport, $desc=Function not supported.]
+
+   :Redefinition: from :doc:`/scripts/base/protocols/smb/const-nt-status.zeek`
+
+      ``+=``::
+
+         1 = [$id=WAIT_1, $desc=The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.], 2 = [$id=WAIT_2, $desc=The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.], 3 = [$id=WAIT_3, $desc=The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.], 63 = [$id=WAIT_63, $desc=The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.], 128 = [$id=ABANDONED, $desc=The caller attempted to wait for a mutex that has been abandoned.], 191 = [$id=ABANDONED_WAIT_63, $desc=The caller attempted to wait for a mutex that has been abandoned.], 192 = [$id=USER_APC, $desc=A user-mode APC was delivered before the given Interval expired.], 257 = [$id=ALERTED, $desc=The delay completed because the thread was alerted.], 258 = [$id=TIMEOUT, $desc=The given Timeout interval expired.], 259 = [$id=PENDING, $desc=The operation that was requested is pending completion.], 260 = [$id=REPARSE, $desc=A reparse should be performed by the Object Manager because the name of the file resulted in a symbolic link.], 261 = [$id=MORE_ENTRIES, $desc=Returned by enumeration APIs to indicate more information is available to successive calls.], 262 = [$id=NOT_ALL_ASSIGNED, $desc=Indicates not all privileges or groups that are referenced are assigned to the caller. This allows, for example, all privileges to be disabled without having to know exactly which privileges are assigned.], 263 = [$id=SOME_NOT_MAPPED, $desc=Some of the information to be translated has not been translated.], 264 = [$id=OPLOCK_BREAK_IN_PROGRESS, $desc=An open/create operation completed while an opportunistic lock (oplock) break is underway.], 265 = [$id=VOLUME_MOUNTED, $desc=A new volume has been mounted by a file system.], 266 = [$id=RXACT_COMMITTED, $desc=This success level status indicates that the transaction state already exists for the registry subtree but that a transaction commit was previously aborted. The commit has now been completed.], 267 = [$id=NOTIFY_CLEANUP, $desc=Indicates that a notify change request has been completed due to closing the handle that made the notify change request.], 268 = [$id=NOTIFY_ENUM_DIR, $desc=Indicates that a notify change request is being completed and that the information is not being returned in the caller's buffer. The caller now needs to enumerate the files to find the changes.], 269 = [$id=NO_QUOTAS_FOR_ACCOUNT, $desc={No Quotas} No system quota limits are specifically set for this account.], 270 = [$id=PRIMARY_TRANSPORT_CONNECT_FAILED, $desc={Connect Failure on Primary Transport} An attempt was made to connect to the remote server %hs on the primary transport, but the connection failed. The computer WAS able to connect on a secondary transport.], 272 = [$id=PAGE_FAULT_TRANSITION, $desc=The page fault was a transition fault.], 273 = [$id=PAGE_FAULT_DEMAND_ZERO, $desc=The page fault was a demand zero fault.], 274 = [$id=PAGE_FAULT_COPY_ON_WRITE, $desc=The page fault was a demand zero fault.], 275 = [$id=PAGE_FAULT_GUARD_PAGE, $desc=The page fault was a demand zero fault.], 276 = [$id=PAGE_FAULT_PAGING_FILE, $desc=The page fault was satisfied by reading from a secondary storage device.], 277 = [$id=CACHE_PAGE_LOCKED, $desc=The cached page was locked during operation.], 278 = [$id=CRASH_DUMP, $desc=The crash dump exists in a paging file.], 279 = [$id=BUFFER_ALL_ZEROS, $desc=The specified buffer contains all zeros.], 280 = [$id=REPARSE_OBJECT, $desc=A reparse should be performed by the Object Manager because the name of the file resulted in a symbolic link.], 281 = [$id=RESOURCE_REQUIREMENTS_CHANGED, $desc=The device has succeeded a query-stop and its resource requirements have changed.], 288 = [$id=TRANSLATION_COMPLETE, $desc=The translator has translated these resources into the global space and no additional translations should be performed.], 289 = [$id=DS_MEMBERSHIP_EVALUATED_LOCALLY, $desc=The directory service evaluated group memberships locally, because it was unable to contact a global catalog server.], 290 = [$id=NOTHING_TO_TERMINATE, $desc=A process being terminated has no threads to terminate.], 291 = [$id=PROCESS_NOT_IN_JOB, $desc=The specified process is not part of a job.], 292 = [$id=PROCESS_IN_JOB, $desc=The specified process is part of a job.], 293 = [$id=VOLSNAP_HIBERNATE_READY, $desc={Volume Shadow Copy Service} The system is now ready for hibernation.], 294 = [$id=FSFILTER_OP_COMPLETED_SUCCESSFULLY, $desc=A file system or file system filter driver has successfully completed an FsFilter operation.], 295 = [$id=INTERRUPT_VECTOR_ALREADY_CONNECTED, $desc=The specified interrupt vector was already connected.], 296 = [$id=INTERRUPT_STILL_CONNECTED, $desc=The specified interrupt vector is still connected.], 297 = [$id=PROCESS_CLONED, $desc=The current process is a cloned process.], 298 = [$id=FILE_LOCKED_WITH_ONLY_READERS, $desc=The file was locked and all users of the file can only read.], 299 = [$id=FILE_LOCKED_WITH_WRITERS, $desc=The file was locked and at least one user of the file can write.], 514 = [$id=RESOURCEMANAGER_READ_ONLY, $desc=The specified ResourceManager made no changes or updates to the resource under this transaction.], 871 = [$id=WAIT_FOR_OPLOCK, $desc=An operation is blocked and waiting for an oplock.], 65537 = [$id=DBG_EXCEPTION_HANDLED, $desc=Debugger handled the exception.], 65538 = [$id=DBG_CONTINUE, $desc=The debugger continued.], 1835009 = [$id=FLT_IO_COMPLETE, $desc=The IO was completed by a filter.], 3221226599 = [$id=FILE_NOT_AVAILABLE, $desc=The file is temporarily unavailable.], 3221227297 = [$id=CALLBACK_RETURNED_THREAD_AFFINITY, $desc=A threadpool worker thread entered a callback at thread affinity %p and exited at affinity %p.], 1073741824 = [$id=OBJECT_NAME_EXISTS, $desc={Object Exists} An attempt was made to create an object but the object name already exists.], 1073741825 = [$id=THREAD_WAS_SUSPENDED, $desc={Thread Suspended} A thread termination occurred while the thread was suspended. The thread resumed, and termination proceeded.], 1073741826 = [$id=WORKING_SET_LIMIT_RANGE, $desc={Working Set Range Error} An attempt was made to set the working set minimum or maximum to values that are outside the allowable range.], 1073741827 = [$id=IMAGE_NOT_AT_BASE, $desc={Image Relocated} An image file could not be mapped at the address that is specified in the image file. Local fixes must be performed on this image.], 1073741828 = [$id=RXACT_STATE_CREATED, $desc=This informational level status indicates that a specified registry subtree transaction state did not yet exist and had to be created.], 1073741829 = [$id=SEGMENT_NOTIFICATION, $desc={Segment Load} A virtual DOS machine (VDM) is loading, unloading, or moving an MS-DOS or Win16 program segment image. An exception is raised so that a debugger can load, unload, or track symbols and breakpoints within these 16-bit segments.], 1073741830 = [$id=LOCAL_USER_SESSION_KEY, $desc={Local Session Key} A user session key was requested for a local remote procedure call (RPC) connection. The session key that is returned is a constant value and not unique to this connection.], 1073741831 = [$id=BAD_CURRENT_DIRECTORY, $desc={Invalid Current Directory} The process cannot switch to the startup current directory %hs. Select OK to set the current directory to %hs, or select CANCEL to exit.], 1073741832 = [$id=SERIAL_MORE_WRITES, $desc={Serial IOCTL Complete} A serial I/O operation was completed by another write to a serial port. (The IOCTL_SERIAL_XOFF_COUNTER reached zero.)], 1073741833 = [$id=REGISTRY_RECOVERED, $desc={Registry Recovery} One of the files that contains the system registry data had to be recovered by using a log or alternate copy. The recovery was successful.], 1073741834 = [$id=FT_READ_RECOVERY_FROM_BACKUP, $desc={Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device.], 1073741835 = [$id=FT_WRITE_RECOVERY, $desc={Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device.], 1073741836 = [$id=SERIAL_COUNTER_TIMEOUT, $desc={Serial IOCTL Timeout} A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)], 1073741837 = [$id=NULL_LM_PASSWORD, $desc={Password Too Complex} The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password that returned is a NULL string.], 1073741838 = [$id=IMAGE_MACHINE_TYPE_MISMATCH, $desc={Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine. Select OK to continue, or CANCEL to fail the DLL load.], 1073741839 = [$id=RECEIVE_PARTIAL, $desc={Partial Data Received} The network transport returned partial data to its client. The remaining data will be sent later.], 1073741840 = [$id=RECEIVE_EXPEDITED, $desc={Expedited Data Received} The network transport returned data to its client that was marked as expedited by the remote system.], 1073741841 = [$id=RECEIVE_PARTIAL_EXPEDITED, $desc={Partial Expedited Data Received} The network transport returned partial data to its client and this data was marked as expedited by the remote system. The remaining data will be sent later.], 1073741842 = [$id=EVENT_DONE, $desc={TDI Event Done} The TDI indication has completed successfully.], 1073741843 = [$id=EVENT_PENDING, $desc={TDI Event Pending} The TDI indication has entered the pending state.], 1073741844 = [$id=CHECKING_FILE_SYSTEM, $desc=Checking file system on %wZ.], 1073741845 = [$id=FATAL_APP_EXIT, $desc={Fatal Application Exit} %hs], 1073741846 = [$id=PREDEFINED_HANDLE, $desc=The specified registry key is referenced by a predefined handle.], 1073741847 = [$id=WAS_UNLOCKED, $desc={Page Unlocked} The page protection of a locked page was changed to 'No Access' and the page was unlocked from memory and from the process.], 1073741848 = [$id=SERVICE_NOTIFICATION, $desc=%hs], 1073741849 = [$id=WAS_LOCKED, $desc={Page Locked} One of the pages to lock was already locked.], 1073741850 = [$id=LOG_HARD_ERROR, $desc=Application popup: %1 : %2], 1073741851 = [$id=ALREADY_WIN32, $desc=A Win32 process already exists.], 1073741852 = [$id=WX86_UNSIMULATE, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741853 = [$id=WX86_CONTINUE, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741854 = [$id=WX86_SINGLE_STEP, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741855 = [$id=WX86_BREAKPOINT, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741856 = [$id=WX86_EXCEPTION_CONTINUE, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741857 = [$id=WX86_EXCEPTION_LASTCHANCE, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741858 = [$id=WX86_EXCEPTION_CHAIN, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741859 = [$id=IMAGE_MACHINE_TYPE_MISMATCH_EXE, $desc={Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine.], 1073741860 = [$id=NO_YIELD_PERFORMED, $desc=A yield execution was performed and no thread was available to run.], 1073741861 = [$id=TIMER_RESUME_IGNORED, $desc=The resume flag to a timer API was ignored.], 1073741862 = [$id=ARBITRATION_UNHANDLED, $desc=The arbiter has deferred arbitration of these resources to its parent.], 1073741863 = [$id=CARDBUS_NOT_SUPPORTED, $desc=The device has detected a CardBus card in its slot.], 1073741864 = [$id=WX86_CREATEWX86TIB, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741865 = [$id=MP_PROCESSOR_MISMATCH, $desc=The CPUs in this multiprocessor system are not all the same revision level. To use all processors, the operating system restricts itself to the features of the least capable processor in the system. If problems occur with this system, contact the CPU manufacturer to see if this mix of processors is supported.], 1073741866 = [$id=HIBERNATED, $desc=The system was put into hibernation.], 1073741867 = [$id=RESUME_HIBERNATION, $desc=The system was resumed from hibernation.], 1073741868 = [$id=FIRMWARE_UPDATED, $desc=0x4000002D<br />STATUS_DRIVERS_LEAKING_LOCKED_PAGES], 1073741870 = [$id=MESSAGE_RETRIEVED, $desc=The ALPC message being canceled has already been retrieved from the queue on the other side.], 1073741871 = [$id=SYSTEM_POWERSTATE_TRANSITION, $desc=The system power state is transitioning from %2 to %3.], 1073741872 = [$id=ALPC_CHECK_COMPLETION_LIST, $desc=The receive operation was successful. Check the ALPC completion list for the received message.], 1073741873 = [$id=SYSTEM_POWERSTATE_COMPLEX_TRANSITION, $desc=The system power state is transitioning from %2 to %3 but could enter %4.], 1073741874 = [$id=ACCESS_AUDIT_BY_POLICY, $desc=Access to %1 is monitored by policy rule %2.], 1073741875 = [$id=ABANDON_HIBERFILE, $desc=A valid hibernation file has been invalidated and should be abandoned.], 1073741876 = [$id=BIZRULES_NOT_ENABLED, $desc=Business rule scripts are disabled for the calling application.], 1073742484 = [$id=WAKE_SYSTEM, $desc=The system has awoken.], 1073742704 = [$id=DS_SHUTTING_DOWN, $desc=The directory service is shutting down.], 1073807361 = [$id=DBG_REPLY_LATER, $desc=Debugger will reply later.], 1073807362 = [$id=DBG_UNABLE_TO_PROVIDE_HANDLE, $desc=Debugger cannot provide a handle.], 1073807363 = [$id=DBG_TERMINATE_THREAD, $desc=Debugger terminated the thread.], 1073807364 = [$id=DBG_TERMINATE_PROCESS, $desc=Debugger terminated the process.], 1073807365 = [$id=DBG_CONTROL_C, $desc=Debugger obtained control of C.], 1073807366 = [$id=DBG_PRINTEXCEPTION_C, $desc=Debugger printed an exception on control C.], 1073807367 = [$id=DBG_RIPEXCEPTION, $desc=Debugger received a RIP exception.], 1073807368 = [$id=DBG_CONTROL_BREAK, $desc=Debugger received a control break.], 1073807369 = [$id=DBG_COMMAND_EXCEPTION, $desc=Debugger command communication exception.], 1073872982 = [$id=RPC_NT_UUID_LOCAL_ONLY, $desc=A UUID that is valid only on this computer has been allocated.], 1073873071 = [$id=RPC_NT_SEND_INCOMPLETE, $desc=Some data remains to be sent in the request buffer.], 1074397188 = [$id=CTX_CDM_CONNECT, $desc=The Client Drive Mapping Service has connected on Terminal Connection.], 1074397189 = [$id=CTX_CDM_DISCONNECT, $desc=The Client Drive Mapping Service has disconnected on Terminal Connection.], 1075118093 = [$id=SXS_RELEASE_ACTIVATION_CONTEXT, $desc=A kernel mode component is releasing a reference on an activation context.], 1075380276 = [$id=RECOVERY_NOT_NEEDED, $desc=The transactional resource manager is already consistent. Recovery is not needed.], 1075380277 = [$id=RM_ALREADY_STARTED, $desc=The transactional resource manager has already been started.], 1075445772 = [$id=LOG_NO_RESTART, $desc=The log service encountered a log stream with no restart area.], 1075511532 = [$id=VIDEO_DRIVER_DEBUG_REPORT_REQUEST, $desc={Display Driver Recovered From Failure} The %hs display driver has detected a failure and recovered from it. Some graphical operations may have failed. The next time you restart the machine, a dialog box appears, giving you an opportunity to upload data about this failure to Microsoft.], 1075707914 = [$id=GRAPHICS_PARTIAL_DATA_POPULATED, $desc=The specified buffer is not big enough to contain the entire requested dataset. Partial data is populated up to the size of the buffer.], 1075708183 = [$id=GRAPHICS_DRIVER_MISMATCH, $desc=The kernel driver detected a version mismatch between it and the user mode driver.], 1075708679 = [$id=GRAPHICS_MODE_NOT_PINNED, $desc=No mode is pinned on the specified VidPN source/target.], 1075708702 = [$id=GRAPHICS_NO_PREFERRED_MODE, $desc=The specified mode set does not specify a preference for one of its modes.], 1075708747 = [$id=GRAPHICS_DATASET_IS_EMPTY, $desc=The specified dataset (for example, mode set, frequency range set, descriptor set, or topology) is empty.], 1075708748 = [$id=GRAPHICS_NO_MORE_ELEMENTS_IN_DATASET, $desc=The specified dataset (for example, mode set, frequency range set, descriptor set, or topology) does not contain any more elements.], 1075708753 = [$id=GRAPHICS_PATH_CONTENT_GEOMETRY_TRANSFORMATION_NOT_PINNED, $desc=The specified content transformation is not pinned on the specified VidPN present path.], 1075708975 = [$id=GRAPHICS_UNKNOWN_CHILD_STATUS, $desc=The child device presence was not reliably detected.], 1075708983 = [$id=GRAPHICS_LEADLINK_START_DEFERRED, $desc=Starting the lead adapter in a linked configuration has been temporarily deferred.], 1075708985 = [$id=GRAPHICS_POLLING_TOO_FREQUENTLY, $desc=The display adapter is being polled for children too frequently at the same polling level.], 1075708986 = [$id=GRAPHICS_START_DEFERRED, $desc=Starting the adapter has been temporarily deferred.], 1076035585 = [$id=NDIS_INDICATION_REQUIRED, $desc=The request will be completed later by an NDIS status indication.], 2147483649 = [$id=GUARD_PAGE_VIOLATION, $desc={EXCEPTION} Guard Page Exception A page of memory that marks the end of a data structure, such as a stack or an array, has been accessed.], 2147483650 = [$id=DATATYPE_MISALIGNMENT, $desc={EXCEPTION} Alignment Fault A data type misalignment was detected in a load or store instruction.], 2147483651 = [$id=BREAKPOINT, $desc={EXCEPTION} Breakpoint A breakpoint has been reached.], 2147483652 = [$id=SINGLE_STEP, $desc={EXCEPTION} Single Step A single step or trace operation has just been completed.], 2147483653 = [$id=BUFFER_OVERFLOW, $desc={Buffer Overflow} The data was too large to fit into the specified buffer.], 2147483654 = [$id=NO_MORE_FILES, $desc={No More Files} No more files were found which match the file specification.], 2147483655 = [$id=WAKE_SYSTEM_DEBUGGER, $desc={Kernel Debugger Awakened} The system debugger was awakened by an interrupt.], 2147483658 = [$id=HANDLES_CLOSED, $desc={Handles Closed} Handles to objects have been automatically closed because of the requested operation.], 2147483659 = [$id=NO_INHERITANCE, $desc={Non-Inheritable ACL} An access control list (ACL) contains no components that can be inherited.], 2147483660 = [$id=GUID_SUBSTITUTION_MADE, $desc={GUID Substitution} During the translation of a globally unique identifier (GUID) to a Windows security ID (SID), no administratively defined GUID prefix was found. A substitute prefix was used, which will not compromise system security. However, this may provide a more restrictive access than intended.], 2147483661 = [$id=PARTIAL_COPY, $desc=Because of protection conflicts, not all the requested bytes could be copied.], 2147483662 = [$id=DEVICE_PAPER_EMPTY, $desc={Out of Paper} The printer is out of paper.], 2147483663 = [$id=DEVICE_POWERED_OFF, $desc={Device Power Is Off} The printer power has been turned off.], 2147483664 = [$id=DEVICE_OFF_LINE, $desc={Device Offline} The printer has been taken offline.], 2147483665 = [$id=DEVICE_BUSY, $desc={Device Busy} The device is currently busy.], 2147483666 = [$id=NO_MORE_EAS, $desc={No More EAs} No more extended attributes (EAs) were found for the file.], 2147483667 = [$id=INVALID_EA_NAME, $desc={Illegal EA} The specified extended attribute (EA) name contains at least one illegal character.], 2147483668 = [$id=EA_LIST_INCONSISTENT, $desc={Inconsistent EA List} The extended attribute (EA) list is inconsistent.], 2147483669 = [$id=INVALID_EA_FLAG, $desc={Invalid EA Flag} An invalid extended attribute (EA) flag was set.], 2147483670 = [$id=VERIFY_REQUIRED, $desc={Verifying Disk} The media has changed and a verify operation is in progress; therefore, no reads or writes may be performed to the device, except those that are used in the verify operation.], 2147483671 = [$id=EXTRANEOUS_INFORMATION, $desc={Too Much Information} The specified access control list (ACL) contained more information than was expected.], 2147483672 = [$id=RXACT_COMMIT_NECESSARY, $desc=This warning level status indicates that the transaction state already exists for the registry subtree, but that a transaction commit was previously aborted. The commit has NOT been completed but has not been rolled back either; therefore, it may still be committed, if needed.], 2147483674 = [$id=NO_MORE_ENTRIES, $desc={No More Entries} No more entries are available from an enumeration operation.], 2147483675 = [$id=FILEMARK_DETECTED, $desc={Filemark Found} A filemark was detected.], 2147483676 = [$id=MEDIA_CHANGED, $desc={Media Changed} The media may have changed.], 2147483677 = [$id=BUS_RESET, $desc={I/O Bus Reset} An I/O bus reset was detected.], 2147483678 = [$id=END_OF_MEDIA, $desc={End of Media} The end of the media was encountered.], 2147483679 = [$id=BEGINNING_OF_MEDIA, $desc=The beginning of a tape or partition has been detected.], 2147483680 = [$id=MEDIA_CHECK, $desc={Media Changed} The media may have changed.], 2147483681 = [$id=SETMARK_DETECTED, $desc=A tape access reached a set mark.], 2147483682 = [$id=NO_DATA_DETECTED, $desc=During a tape access, the end of the data written is reached.], 2147483683 = [$id=REDIRECTOR_HAS_OPEN_HANDLES, $desc=The redirector is in use and cannot be unloaded.], 2147483684 = [$id=SERVER_HAS_OPEN_HANDLES, $desc=The server is in use and cannot be unloaded.], 2147483685 = [$id=ALREADY_DISCONNECTED, $desc=The specified connection has already been disconnected.], 2147483686 = [$id=LONGJUMP, $desc=A long jump has been executed.], 2147483687 = [$id=CLEANER_CARTRIDGE_INSTALLED, $desc=A cleaner cartridge is present in the tape library.], 2147483688 = [$id=PLUGPLAY_QUERY_VETOED, $desc=The Plug and Play query operation was not successful.], 2147483689 = [$id=UNWIND_CONSOLIDATE, $desc=A frame consolidation has been executed.], 2147483690 = [$id=REGISTRY_HIVE_RECOVERED, $desc={Registry Hive Recovered} The registry hive (file): %hs was corrupted and it has been recovered. Some data might have been lost.], 2147483691 = [$id=DLL_MIGHT_BE_INSECURE, $desc=The application is attempting to run executable code from the module %hs. This may be insecure. An alternative, %hs, is available. Should the application use the secure module %hs?], 2147483692 = [$id=DLL_MIGHT_BE_INCOMPATIBLE, $desc=The application is loading executable code from the module %hs. This is secure but may be incompatible with previous releases of the operating system. An alternative, %hs, is available. Should the application use the secure module %hs?], 2147483693 = [$id=STOPPED_ON_SYMLINK, $desc=The create operation stopped after reaching a symbolic link.], 2147484296 = [$id=DEVICE_REQUIRES_CLEANING, $desc=The device has indicated that cleaning is necessary.], 2147484297 = [$id=DEVICE_DOOR_OPEN, $desc=The device has indicated that its door is open. Further operations require it closed and secured.], 2147485699 = [$id=DATA_LOST_REPAIR, $desc=0x80010001<br />DBG_EXCEPTION_NOT_HANDLED], 2148728833 = [$id=CLUSTER_NODE_ALREADY_UP, $desc=The cluster node is already up.], 2148728834 = [$id=CLUSTER_NODE_ALREADY_DOWN, $desc=The cluster node is already down.], 2148728835 = [$id=CLUSTER_NETWORK_ALREADY_ONLINE, $desc=The cluster network is already online.], 2148728836 = [$id=CLUSTER_NETWORK_ALREADY_OFFLINE, $desc=The cluster network is already offline.], 2148728837 = [$id=CLUSTER_NODE_ALREADY_MEMBER, $desc=The cluster node is already a member of the cluster.], 2149122057 = [$id=COULD_NOT_RESIZE_LOG, $desc=The log could not be set to the requested size.], 2149122089 = [$id=NO_TXF_METADATA, $desc=There is no transaction metadata on the file.], 2149122097 = [$id=CANT_RECOVER_WITH_HANDLE_OPEN, $desc=The file cannot be recovered because there is a handle still open on it.], 2149122113 = [$id=TXF_METADATA_ALREADY_PRESENT, $desc=Transaction metadata is already present on this file and cannot be superseded.], 2149122114 = [$id=TRANSACTION_SCOPE_CALLBACKS_NOT_SET, $desc=A transaction scope could not be entered because the scope handler has not been initialized.], 2149253355 = [$id=VIDEO_HUNG_DISPLAY_DRIVER_THREAD_RECOVERED, $desc={Display Driver Stopped Responding and recovered} The %hs display driver has stopped working normally. The recovery had been performed.], 2149318657 = [$id=FLT_BUFFER_TOO_SMALL, $desc={Buffer too small} The buffer is too small to contain the entry. No information has been written to the buffer.], 2149646337 = [$id=FVE_PARTIAL_METADATA, $desc=Volume metadata read or write is incomplete.], 2149646338 = [$id=FVE_TRANSIENT_STATE, $desc=BitLocker encryption keys were ignored because the volume was in a transient state.], 3221225473 = [$id=UNSUCCESSFUL, $desc={Operation Failed} The requested operation was unsuccessful.], 3221225474 = [$id=NOT_IMPLEMENTED, $desc={Not Implemented} The requested operation is not implemented.], 3221225475 = [$id=INVALID_INFO_CLASS, $desc={Invalid Parameter} The specified information class is not a valid information class for the specified object.], 3221225476 = [$id=INFO_LENGTH_MISMATCH, $desc=The specified information record length does not match the length that is required for the specified information class.], 3221225477 = [$id=ACCESS_VIOLATION, $desc=The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.], 3221225478 = [$id=IN_PAGE_ERROR, $desc=The instruction at 0x%08lx referenced memory at 0x%08lx. The required data was not placed into memory because of an I/O error status of 0x%08lx.], 3221225479 = [$id=PAGEFILE_QUOTA, $desc=The page file quota for the process has been exhausted.], 3221225480 = [$id=INVALID_HANDLE, $desc=An invalid HANDLE was specified.], 3221225481 = [$id=BAD_INITIAL_STACK, $desc=An invalid initial stack was specified in a call to NtCreateThread.], 3221225482 = [$id=BAD_INITIAL_PC, $desc=An invalid initial start address was specified in a call to NtCreateThread.], 3221225483 = [$id=INVALID_CID, $desc=An invalid client ID was specified.], 3221225484 = [$id=TIMER_NOT_CANCELED, $desc=An attempt was made to cancel or set a timer that has an associated APC and the specified thread is not the thread that originally set the timer with an associated APC routine.], 3221225485 = [$id=INVALID_PARAMETER, $desc=An invalid parameter was passed to a service or function.], 3221225486 = [$id=NO_SUCH_DEVICE, $desc=A device that does not exist was specified.], 3221225487 = [$id=NO_SUCH_FILE, $desc={File Not Found} The file %hs does not exist.], 3221225488 = [$id=INVALID_DEVICE_REQUEST, $desc=The specified request is not a valid operation for the target device.], 3221225489 = [$id=END_OF_FILE, $desc=The end-of-file marker has been reached. There is no valid data in the file beyond this marker.], 3221225490 = [$id=WRONG_VOLUME, $desc={Wrong Volume} The wrong volume is in the drive. Insert volume %hs into drive %hs.], 3221225491 = [$id=NO_MEDIA_IN_DEVICE, $desc={No Disk} There is no disk in the drive. Insert a disk into drive %hs.], 3221225492 = [$id=UNRECOGNIZED_MEDIA, $desc={Unknown Disk Format} The disk in drive %hs is not formatted properly. Check the disk, and reformat it, if needed.], 3221225493 = [$id=NONEXISTENT_SECTOR, $desc={Sector Not Found} The specified sector does not exist.], 3221225494 = [$id=MORE_PROCESSING_REQUIRED, $desc={Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.], 3221225495 = [$id=NO_MEMORY, $desc={Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.], 3221225496 = [$id=CONFLICTING_ADDRESSES, $desc={Conflicting Address Range} The specified address range conflicts with the address space.], 3221225497 = [$id=NOT_MAPPED_VIEW, $desc=The address range to unmap is not a mapped view.], 3221225498 = [$id=UNABLE_TO_FREE_VM, $desc=The virtual memory cannot be freed.], 3221225499 = [$id=UNABLE_TO_DELETE_SECTION, $desc=The specified section cannot be deleted.], 3221225500 = [$id=INVALID_SYSTEM_SERVICE, $desc=An invalid system service was specified in a system service call.], 3221225501 = [$id=ILLEGAL_INSTRUCTION, $desc={EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.], 3221225502 = [$id=INVALID_LOCK_SEQUENCE, $desc={Invalid Lock Sequence} An attempt was made to execute an invalid lock sequence.], 3221225503 = [$id=INVALID_VIEW_SIZE, $desc={Invalid Mapping} An attempt was made to create a view for a section that is bigger than the section.], 3221225504 = [$id=INVALID_FILE_FOR_SECTION, $desc={Bad File} The attributes of the specified mapping file for a section of memory cannot be read.], 3221225505 = [$id=ALREADY_COMMITTED, $desc={Already Committed} The specified address range is already committed.], 3221225506 = [$id=ACCESS_DENIED, $desc={Access Denied} A process has requested access to an object but has not been granted those access rights.], 3221225507 = [$id=BUFFER_TOO_SMALL, $desc={Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer.], 3221225508 = [$id=OBJECT_TYPE_MISMATCH, $desc={Wrong Type} There is a mismatch between the type of object that is required by the requested operation and the type of object that is specified in the request.], 3221225509 = [$id=NONCONTINUABLE_EXCEPTION, $desc={EXCEPTION} Cannot Continue Windows cannot continue from this exception.], 3221225510 = [$id=INVALID_DISPOSITION, $desc=An invalid exception disposition was returned by an exception handler.], 3221225511 = [$id=UNWIND, $desc=Unwind exception code.], 3221225512 = [$id=BAD_STACK, $desc=An invalid or unaligned stack was encountered during an unwind operation.], 3221225513 = [$id=INVALID_UNWIND_TARGET, $desc=An invalid unwind target was encountered during an unwind operation.], 3221225514 = [$id=NOT_LOCKED, $desc=An attempt was made to unlock a page of memory that was not locked.], 3221225515 = [$id=PARITY_ERROR, $desc=A device parity error on an I/O operation.], 3221225516 = [$id=UNABLE_TO_DECOMMIT_VM, $desc=An attempt was made to decommit uncommitted virtual memory.], 3221225517 = [$id=NOT_COMMITTED, $desc=An attempt was made to change the attributes on memory that has not been committed.], 3221225518 = [$id=INVALID_PORT_ATTRIBUTES, $desc=Invalid object attributes specified to NtCreatePort or invalid port attributes specified to NtConnectPort.], 3221225519 = [$id=PORT_MESSAGE_TOO_LONG, $desc=The length of the message that was passed to NtRequestPort or NtRequestWaitReplyPort is longer than the maximum message that is allowed by the port.], 3221225520 = [$id=INVALID_PARAMETER_MIX, $desc=An invalid combination of parameters was specified.], 3221225521 = [$id=INVALID_QUOTA_LOWER, $desc=An attempt was made to lower a quota limit below the current usage.], 3221225522 = [$id=DISK_CORRUPT_ERROR, $desc={Corrupt Disk} The file system structure on the disk is corrupt and unusable. Run the Chkdsk utility on the volume %hs.], 3221225523 = [$id=OBJECT_NAME_INVALID, $desc=The object name is invalid.], 3221225524 = [$id=OBJECT_NAME_NOT_FOUND, $desc=The object name is not found.], 3221225525 = [$id=OBJECT_NAME_COLLISION, $desc=The object name already exists.], 3221225527 = [$id=PORT_DISCONNECTED, $desc=An attempt was made to send a message to a disconnected communication port.], 3221225528 = [$id=DEVICE_ALREADY_ATTACHED, $desc=An attempt was made to attach to a device that was already attached to another device.], 3221225529 = [$id=OBJECT_PATH_INVALID, $desc=The object path component was not a directory object.], 3221225530 = [$id=OBJECT_PATH_NOT_FOUND, $desc={Path Not Found} The path %hs does not exist.], 3221225531 = [$id=OBJECT_PATH_SYNTAX_BAD, $desc=The object path component was not a directory object.], 3221225532 = [$id=DATA_OVERRUN, $desc={Data Overrun} A data overrun error occurred.], 3221225533 = [$id=DATA_LATE_ERROR, $desc={Data Late} A data late error occurred.], 3221225534 = [$id=DATA_ERROR, $desc={Data Error} An error occurred in reading or writing data.], 3221225535 = [$id=CRC_ERROR, $desc={Bad CRC} A cyclic redundancy check (CRC) checksum error occurred.], 3221225536 = [$id=SECTION_TOO_BIG, $desc={Section Too Large} The specified section is too big to map the file.], 3221225537 = [$id=PORT_CONNECTION_REFUSED, $desc=The NtConnectPort request is refused.], 3221225538 = [$id=INVALID_PORT_HANDLE, $desc=The type of port handle is invalid for the operation that is requested.], 3221225539 = [$id=SHARING_VIOLATION, $desc=A file cannot be opened because the share access flags are incompatible.], 3221225540 = [$id=QUOTA_EXCEEDED, $desc=Insufficient quota exists to complete the operation.], 3221225541 = [$id=INVALID_PAGE_PROTECTION, $desc=The specified page protection was not valid.], 3221225542 = [$id=MUTANT_NOT_OWNED, $desc=An attempt to release a mutant object was made by a thread that was not the owner of the mutant object.], 3221225543 = [$id=SEMAPHORE_LIMIT_EXCEEDED, $desc=An attempt was made to release a semaphore such that its maximum count would have been exceeded.], 3221225544 = [$id=PORT_ALREADY_SET, $desc=An attempt was made to set the DebugPort or ExceptionPort of a process, but a port already exists in the process, or an attempt was made to set the CompletionPort of a file but a port was already set in the file, or an attempt was made to set the associated completion port of an ALPC port but it is already set.], 3221225545 = [$id=SECTION_NOT_IMAGE, $desc=An attempt was made to query image information on a section that does not map an image.], 3221225546 = [$id=SUSPEND_COUNT_EXCEEDED, $desc=An attempt was made to suspend a thread whose suspend count was at its maximum.], 3221225547 = [$id=THREAD_IS_TERMINATING, $desc=An attempt was made to suspend a thread that has begun termination.], 3221225548 = [$id=BAD_WORKING_SET_LIMIT, $desc=An attempt was made to set the working set limit to an invalid value (for example, the minimum greater than maximum).], 3221225549 = [$id=INCOMPATIBLE_FILE_MAP, $desc=A section was created to map a file that is not compatible with an already existing section that maps the same file.], 3221225550 = [$id=SECTION_PROTECTION, $desc=A view to a section specifies a protection that is incompatible with the protection of the initial view.], 3221225551 = [$id=EAS_NOT_SUPPORTED, $desc=An operation involving EAs failed because the file system does not support EAs.], 3221225552 = [$id=EA_TOO_LARGE, $desc=An EA operation failed because the EA set is too large.], 3221225553 = [$id=NONEXISTENT_EA_ENTRY, $desc=An EA operation failed because the name or EA index is invalid.], 3221225554 = [$id=NO_EAS_ON_FILE, $desc=The file for which EAs were requested has no EAs.], 3221225555 = [$id=EA_CORRUPT_ERROR, $desc=The EA is corrupt and cannot be read.], 3221225556 = [$id=FILE_LOCK_CONFLICT, $desc=A requested read/write cannot be granted due to a conflicting file lock.], 3221225557 = [$id=LOCK_NOT_GRANTED, $desc=A requested file lock cannot be granted due to other existing locks.], 3221225558 = [$id=DELETE_PENDING, $desc=A non-close operation has been requested of a file object that has a delete pending.], 3221225559 = [$id=CTL_FILE_NOT_SUPPORTED, $desc=An attempt was made to set the control attribute on a file. This attribute is not supported in the destination file system.], 3221225560 = [$id=UNKNOWN_REVISION, $desc=Indicates a revision number that was encountered or specified is not one that is known by the service. It may be a more recent revision than the service is aware of.], 3221225561 = [$id=REVISION_MISMATCH, $desc=Indicates that two revision levels are incompatible.], 3221225562 = [$id=INVALID_OWNER, $desc=Indicates a particular security ID may not be assigned as the owner of an object.], 3221225563 = [$id=INVALID_PRIMARY_GROUP, $desc=Indicates a particular security ID may not be assigned as the primary group of an object.], 3221225564 = [$id=NO_IMPERSONATION_TOKEN, $desc=An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.], 3221225565 = [$id=CANT_DISABLE_MANDATORY, $desc=A mandatory group may not be disabled.], 3221225566 = [$id=NO_LOGON_SERVERS, $desc=No logon servers are currently available to service the logon request.], 3221225567 = [$id=NO_SUCH_LOGON_SESSION, $desc=A specified logon session does not exist. It may already have been terminated.], 3221225568 = [$id=NO_SUCH_PRIVILEGE, $desc=A specified privilege does not exist.], 3221225569 = [$id=PRIVILEGE_NOT_HELD, $desc=A required privilege is not held by the client.], 3221225570 = [$id=INVALID_ACCOUNT_NAME, $desc=The name provided is not a properly formed account name.], 3221225571 = [$id=USER_EXISTS, $desc=The specified account already exists.], 3221225572 = [$id=NO_SUCH_USER, $desc=The specified account does not exist.], 3221225573 = [$id=GROUP_EXISTS, $desc=The specified group already exists.], 3221225574 = [$id=NO_SUCH_GROUP, $desc=The specified group does not exist.], 3221225575 = [$id=MEMBER_IN_GROUP, $desc=The specified user account is already in the specified group account. Also used to indicate a group cannot be deleted because it contains a member.], 3221225576 = [$id=MEMBER_NOT_IN_GROUP, $desc=The specified user account is not a member of the specified group account.], 3221225577 = [$id=LAST_ADMIN, $desc=Indicates the requested operation would disable or delete the last remaining administration account. This is not allowed to prevent creating a situation in which the system cannot be administrated.], 3221225578 = [$id=WRONG_PASSWORD, $desc=When trying to update a password, this return status indicates that the value provided as the current password is not correct.], 3221225579 = [$id=ILL_FORMED_PASSWORD, $desc=When trying to update a password, this return status indicates that the value provided for the new password contains values that are not allowed in passwords.], 3221225580 = [$id=PASSWORD_RESTRICTION, $desc=When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.], 3221225581 = [$id=LOGON_FAILURE, $desc=The attempted logon is invalid. This is either due to a bad username or authentication information.], 3221225582 = [$id=ACCOUNT_RESTRICTION, $desc=Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).], 3221225583 = [$id=INVALID_LOGON_HOURS, $desc=The user account has time restrictions and may not be logged onto at this time.], 3221225584 = [$id=INVALID_WORKSTATION, $desc=The user account is restricted so that it may not be used to log on from the source workstation.], 3221225585 = [$id=PASSWORD_EXPIRED, $desc=The user account password has expired.], 3221225586 = [$id=ACCOUNT_DISABLED, $desc=The referenced account is currently disabled and may not be logged on to.], 3221225587 = [$id=NONE_MAPPED, $desc=None of the information to be translated has been translated.], 3221225588 = [$id=TOO_MANY_LUIDS_REQUESTED, $desc=The number of LUIDs requested may not be allocated with a single allocation.], 3221225589 = [$id=LUIDS_EXHAUSTED, $desc=Indicates there are no more LUIDs to allocate.], 3221225590 = [$id=INVALID_SUB_AUTHORITY, $desc=Indicates the sub-authority value is invalid for the particular use.], 3221225591 = [$id=INVALID_ACL, $desc=Indicates the ACL structure is not valid.], 3221225592 = [$id=INVALID_SID, $desc=Indicates the SID structure is not valid.], 3221225593 = [$id=INVALID_SECURITY_DESCR, $desc=Indicates the SECURITY_DESCRIPTOR structure is not valid.], 3221225594 = [$id=PROCEDURE_NOT_FOUND, $desc=Indicates the specified procedure address cannot be found in the DLL.], 3221225595 = [$id=INVALID_IMAGE_FORMAT, $desc={Bad Image} %hs is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.], 3221225596 = [$id=NO_TOKEN, $desc=An attempt was made to reference a token that does not exist. This is typically done by referencing the token that is associated with a thread when the thread is not impersonating a client.], 3221225597 = [$id=BAD_INHERITANCE_ACL, $desc=Indicates that an attempt to build either an inherited ACL or ACE was not successful. This can be caused by a number of things. One of the more probable causes is the replacement of a CreatorId with a SID that did not fit into the ACE or ACL.], 3221225598 = [$id=RANGE_NOT_LOCKED, $desc=The range specified in NtUnlockFile was not locked.], 3221225599 = [$id=DISK_FULL, $desc=An operation failed because the disk was full.], 3221225600 = [$id=SERVER_DISABLED, $desc=The GUID allocation server is disabled at the moment.], 3221225601 = [$id=SERVER_NOT_DISABLED, $desc=The GUID allocation server is enabled at the moment.], 3221225602 = [$id=TOO_MANY_GUIDS_REQUESTED, $desc=Too many GUIDs were requested from the allocation server at once.], 3221225603 = [$id=GUIDS_EXHAUSTED, $desc=The GUIDs could not be allocated because the Authority Agent was exhausted.], 3221225604 = [$id=INVALID_ID_AUTHORITY, $desc=The value provided was an invalid value for an identifier authority.], 3221225605 = [$id=AGENTS_EXHAUSTED, $desc=No more authority agent values are available for the particular identifier authority value.], 3221225606 = [$id=INVALID_VOLUME_LABEL, $desc=An invalid volume label has been specified.], 3221225607 = [$id=SECTION_NOT_EXTENDED, $desc=A mapped section could not be extended.], 3221225608 = [$id=NOT_MAPPED_DATA, $desc=Specified section to flush does not map a data file.], 3221225609 = [$id=RESOURCE_DATA_NOT_FOUND, $desc=Indicates the specified image file did not contain a resource section.], 3221225610 = [$id=RESOURCE_TYPE_NOT_FOUND, $desc=Indicates the specified resource type cannot be found in the image file.], 3221225611 = [$id=RESOURCE_NAME_NOT_FOUND, $desc=Indicates the specified resource name cannot be found in the image file.], 3221225612 = [$id=ARRAY_BOUNDS_EXCEEDED, $desc={EXCEPTION} Array bounds exceeded.], 3221225613 = [$id=FLOAT_DENORMAL_OPERAND, $desc={EXCEPTION} Floating-point denormal operand.], 3221225614 = [$id=FLOAT_DIVIDE_BY_ZERO, $desc={EXCEPTION} Floating-point division by zero.], 3221225615 = [$id=FLOAT_INEXACT_RESULT, $desc={EXCEPTION} Floating-point inexact result.], 3221225616 = [$id=FLOAT_INVALID_OPERATION, $desc={EXCEPTION} Floating-point invalid operation.], 3221225617 = [$id=FLOAT_OVERFLOW, $desc={EXCEPTION} Floating-point overflow.], 3221225618 = [$id=FLOAT_STACK_CHECK, $desc={EXCEPTION} Floating-point stack check.], 3221225619 = [$id=FLOAT_UNDERFLOW, $desc={EXCEPTION} Floating-point underflow.], 3221225620 = [$id=INTEGER_DIVIDE_BY_ZERO, $desc={EXCEPTION} Integer division by zero.], 3221225621 = [$id=INTEGER_OVERFLOW, $desc={EXCEPTION} Integer overflow.], 3221225622 = [$id=PRIVILEGED_INSTRUCTION, $desc={EXCEPTION} Privileged instruction.], 3221225623 = [$id=TOO_MANY_PAGING_FILES, $desc=An attempt was made to install more paging files than the system supports.], 3221225624 = [$id=FILE_INVALID, $desc=The volume for a file has been externally altered such that the opened file is no longer valid.], 3221225625 = [$id=ALLOTTED_SPACE_EXCEEDED, $desc=When a block of memory is allotted for future updates, such as the memory allocated to hold discretionary access control and primary group information, successive updates may exceed the amount of memory originally allotted. Because a quota may already have been charged to several processes that have handles to the object, it is not reasonable to alter the size of the allocated memory. Instead, a request that requires more memory than has been allotted must fail and the STATUS_ALLOTTED_SPACE_EXCEEDED error returned.], 3221225626 = [$id=INSUFFICIENT_RESOURCES, $desc=Insufficient system resources exist to complete the API.], 3221225627 = [$id=DFS_EXIT_PATH_FOUND, $desc=An attempt has been made to open a DFS exit path control file.], 3221225628 = [$id=DEVICE_DATA_ERROR, $desc=There are bad blocks (sectors) on the hard disk.], 3221225629 = [$id=DEVICE_NOT_CONNECTED, $desc=There is bad cabling, non-termination, or the controller is not able to obtain access to the hard disk.], 3221225631 = [$id=FREE_VM_NOT_AT_BASE, $desc=Virtual memory cannot be freed because the base address is not the base of the region and a region size of zero was specified.], 3221225632 = [$id=MEMORY_NOT_ALLOCATED, $desc=An attempt was made to free virtual memory that is not allocated.], 3221225633 = [$id=WORKING_SET_QUOTA, $desc=The working set is not big enough to allow the requested pages to be locked.], 3221225634 = [$id=MEDIA_WRITE_PROTECTED, $desc={Write Protect Error} The disk cannot be written to because it is write-protected. Remove the write protection from the volume %hs in drive %hs.], 3221225635 = [$id=DEVICE_NOT_READY, $desc={Drive Not Ready} The drive is not ready for use; its door may be open. Check drive %hs and make sure that a disk is inserted and that the drive door is closed.], 3221225636 = [$id=INVALID_GROUP_ATTRIBUTES, $desc=The specified attributes are invalid or are incompatible with the attributes for the group as a whole.], 3221225637 = [$id=BAD_IMPERSONATION_LEVEL, $desc=A specified impersonation level is invalid. Also used to indicate that a required impersonation level was not provided.], 3221225638 = [$id=CANT_OPEN_ANONYMOUS, $desc=An attempt was made to open an anonymous-level token. Anonymous tokens may not be opened.], 3221225639 = [$id=BAD_VALIDATION_CLASS, $desc=The validation information class requested was invalid.], 3221225640 = [$id=BAD_TOKEN_TYPE, $desc=The type of a token object is inappropriate for its attempted use.], 3221225641 = [$id=BAD_MASTER_BOOT_RECORD, $desc=The type of a token object is inappropriate for its attempted use.], 3221225642 = [$id=INSTRUCTION_MISALIGNMENT, $desc=An attempt was made to execute an instruction at an unaligned address and the host system does not support unaligned instruction references.], 3221225643 = [$id=INSTANCE_NOT_AVAILABLE, $desc=The maximum named pipe instance count has been reached.], 3221225644 = [$id=PIPE_NOT_AVAILABLE, $desc=An instance of a named pipe cannot be found in the listening state.], 3221225645 = [$id=INVALID_PIPE_STATE, $desc=The named pipe is not in the connected or closing state.], 3221225646 = [$id=PIPE_BUSY, $desc=The specified pipe is set to complete operations and there are current I/O operations queued so that it cannot be changed to queue operations.], 3221225647 = [$id=ILLEGAL_FUNCTION, $desc=The specified handle is not open to the server end of the named pipe.], 3221225648 = [$id=PIPE_DISCONNECTED, $desc=The specified named pipe is in the disconnected state.], 3221225649 = [$id=PIPE_CLOSING, $desc=The specified named pipe is in the closing state.], 3221225650 = [$id=PIPE_CONNECTED, $desc=The specified named pipe is in the connected state.], 3221225651 = [$id=PIPE_LISTENING, $desc=The specified named pipe is in the listening state.], 3221225652 = [$id=INVALID_READ_MODE, $desc=The specified named pipe is not in message mode.], 3221225653 = [$id=IO_TIMEOUT, $desc={Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.], 3221225654 = [$id=FILE_FORCED_CLOSED, $desc=The specified file has been closed by another process.], 3221225655 = [$id=PROFILING_NOT_STARTED, $desc=Profiling is not started.], 3221225656 = [$id=PROFILING_NOT_STOPPED, $desc=Profiling is not stopped.], 3221225657 = [$id=COULD_NOT_INTERPRET, $desc=The passed ACL did not contain the minimum required information.], 3221225658 = [$id=FILE_IS_A_DIRECTORY, $desc=The file that was specified as a target is a directory, and the caller specified that it could be anything but a directory.], 3221225659 = [$id=NOT_SUPPORTED, $desc=The request is not supported.], 3221225660 = [$id=REMOTE_NOT_LISTENING, $desc=This remote computer is not listening.], 3221225661 = [$id=DUPLICATE_NAME, $desc=A duplicate name exists on the network.], 3221225662 = [$id=BAD_NETWORK_PATH, $desc=The network path cannot be located.], 3221225663 = [$id=NETWORK_BUSY, $desc=The network is busy.], 3221225664 = [$id=DEVICE_DOES_NOT_EXIST, $desc=This device does not exist.], 3221225665 = [$id=TOO_MANY_COMMANDS, $desc=The network BIOS command limit has been reached.], 3221225666 = [$id=ADAPTER_HARDWARE_ERROR, $desc=An I/O adapter hardware error has occurred.], 3221225667 = [$id=INVALID_NETWORK_RESPONSE, $desc=The network responded incorrectly.], 3221225668 = [$id=UNEXPECTED_NETWORK_ERROR, $desc=An unexpected network error occurred.], 3221225669 = [$id=BAD_REMOTE_ADAPTER, $desc=The remote adapter is not compatible.], 3221225670 = [$id=PRINT_QUEUE_FULL, $desc=The print queue is full.], 3221225671 = [$id=NO_SPOOL_SPACE, $desc=Space to store the file that is waiting to be printed is not available on the server.], 3221225672 = [$id=PRINT_CANCELLED, $desc=The requested print file has been canceled.], 3221225673 = [$id=NETWORK_NAME_DELETED, $desc=The network name was deleted.], 3221225674 = [$id=NETWORK_ACCESS_DENIED, $desc=Network access is denied.], 3221225675 = [$id=BAD_DEVICE_TYPE, $desc={Incorrect Network Resource Type} The specified device type (LPT, for example) conflicts with the actual device type on the remote resource.], 3221225676 = [$id=BAD_NETWORK_NAME, $desc={Network Name Not Found} The specified share name cannot be found on the remote server.], 3221225677 = [$id=TOO_MANY_NAMES, $desc=The name limit for the network adapter card of the local computer was exceeded.], 3221225678 = [$id=TOO_MANY_SESSIONS, $desc=The network BIOS session limit was exceeded.], 3221225679 = [$id=SHARING_PAUSED, $desc=File sharing has been temporarily paused.], 3221225680 = [$id=REQUEST_NOT_ACCEPTED, $desc=No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.], 3221225681 = [$id=REDIRECTOR_PAUSED, $desc=Print or disk redirection is temporarily paused.], 3221225682 = [$id=NET_WRITE_FAULT, $desc=A network data fault occurred.], 3221225683 = [$id=PROFILING_AT_LIMIT, $desc=The number of active profiling objects is at the maximum and no more may be started.], 3221225684 = [$id=NOT_SAME_DEVICE, $desc={Incorrect Volume} The destination file of a rename request is located on a different device than the source of the rename request.], 3221225685 = [$id=FILE_RENAMED, $desc=The specified file has been renamed and thus cannot be modified.], 3221225686 = [$id=VIRTUAL_CIRCUIT_CLOSED, $desc={Network Request Timeout} The session with a remote server has been disconnected because the time-out interval for a request has expired.], 3221225687 = [$id=NO_SECURITY_ON_OBJECT, $desc=Indicates an attempt was made to operate on the security of an object that does not have security associated with it.], 3221225688 = [$id=CANT_WAIT, $desc=Used to indicate that an operation cannot continue without blocking for I/O.], 3221225689 = [$id=PIPE_EMPTY, $desc=Used to indicate that a read operation was done on an empty pipe.], 3221225690 = [$id=CANT_ACCESS_DOMAIN_INFO, $desc=Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.], 3221225691 = [$id=CANT_TERMINATE_SELF, $desc=Indicates that a thread attempted to terminate itself by default (called NtTerminateThread with NULL) and it was the last thread in the current process.], 3221225692 = [$id=INVALID_SERVER_STATE, $desc=Indicates the Sam Server was in the wrong state to perform the desired operation.], 3221225693 = [$id=INVALID_DOMAIN_STATE, $desc=Indicates the domain was in the wrong state to perform the desired operation.], 3221225694 = [$id=INVALID_DOMAIN_ROLE, $desc=This operation is only allowed for the primary domain controller of the domain.], 3221225695 = [$id=NO_SUCH_DOMAIN, $desc=The specified domain did not exist.], 3221225696 = [$id=DOMAIN_EXISTS, $desc=The specified domain already exists.], 3221225697 = [$id=DOMAIN_LIMIT_EXCEEDED, $desc=An attempt was made to exceed the limit on the number of domains per server for this release.], 3221225698 = [$id=OPLOCK_NOT_GRANTED, $desc=An error status returned when the opportunistic lock (oplock) request is denied.], 3221225699 = [$id=INVALID_OPLOCK_PROTOCOL, $desc=An error status returned when an invalid opportunistic lock (oplock) acknowledgment is received by a file system.], 3221225700 = [$id=INTERNAL_DB_CORRUPTION, $desc=This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.], 3221225701 = [$id=INTERNAL_ERROR, $desc=An internal error occurred.], 3221225702 = [$id=GENERIC_NOT_MAPPED, $desc=Indicates generic access types were contained in an access mask which should already be mapped to non-generic access types.], 3221225703 = [$id=BAD_DESCRIPTOR_FORMAT, $desc=Indicates a security descriptor is not in the necessary format (absolute or self-relative).], 3221225704 = [$id=INVALID_USER_BUFFER, $desc=An access to a user buffer failed at an expected point in time. This code is defined because the caller does not want to accept STATUS_ACCESS_VIOLATION in its filter.], 3221225705 = [$id=UNEXPECTED_IO_ERROR, $desc=If an I/O error that is not defined in the standard FsRtl filter is returned, it is converted to the following error, which is guaranteed to be in the filter. In this case, information is lost; however, the filter correctly handles the exception.], 3221225706 = [$id=UNEXPECTED_MM_CREATE_ERR, $desc=If an MM error that is not defined in the standard FsRtl filter is returned, it is converted to one of the following errors, which are guaranteed to be in the filter. In this case, information is lost; however, the filter correctly handles the exception.], 3221225707 = [$id=UNEXPECTED_MM_MAP_ERROR, $desc=If an MM error that is not defined in the standard FsRtl filter is returned, it is converted to one of the following errors, which are guaranteed to be in the filter. In this case, information is lost; however, the filter correctly handles the exception.], 3221225708 = [$id=UNEXPECTED_MM_EXTEND_ERR, $desc=If an MM error that is not defined in the standard FsRtl filter is returned, it is converted to one of the following errors, which are guaranteed to be in the filter. In this case, information is lost; however, the filter correctly handles the exception.], 3221225709 = [$id=NOT_LOGON_PROCESS, $desc=The requested action is restricted for use by logon processes only. The calling process has not registered as a logon process.], 3221225710 = [$id=LOGON_SESSION_EXISTS, $desc=An attempt has been made to start a new session manager or LSA logon session by using an ID that is already in use.], 3221225711 = [$id=INVALID_PARAMETER_1, $desc=An invalid parameter was passed to a service or function as the first argument.], 3221225712 = [$id=INVALID_PARAMETER_2, $desc=An invalid parameter was passed to a service or function as the second argument.], 3221225713 = [$id=INVALID_PARAMETER_3, $desc=An invalid parameter was passed to a service or function as the third argument.], 3221225714 = [$id=INVALID_PARAMETER_4, $desc=An invalid parameter was passed to a service or function as the fourth argument.], 3221225715 = [$id=INVALID_PARAMETER_5, $desc=An invalid parameter was passed to a service or function as the fifth argument.], 3221225716 = [$id=INVALID_PARAMETER_6, $desc=An invalid parameter was passed to a service or function as the sixth argument.], 3221225717 = [$id=INVALID_PARAMETER_7, $desc=An invalid parameter was passed to a service or function as the seventh argument.], 3221225718 = [$id=INVALID_PARAMETER_8, $desc=An invalid parameter was passed to a service or function as the eighth argument.], 3221225719 = [$id=INVALID_PARAMETER_9, $desc=An invalid parameter was passed to a service or function as the ninth argument.], 3221225720 = [$id=INVALID_PARAMETER_10, $desc=An invalid parameter was passed to a service or function as the tenth argument.], 3221225721 = [$id=INVALID_PARAMETER_11, $desc=An invalid parameter was passed to a service or function as the eleventh argument.], 3221225722 = [$id=INVALID_PARAMETER_12, $desc=An invalid parameter was passed to a service or function as the twelfth argument.], 3221225723 = [$id=REDIRECTOR_NOT_STARTED, $desc=An attempt was made to access a network file, but the network software was not yet started.], 3221225724 = [$id=REDIRECTOR_STARTED, $desc=An attempt was made to start the redirector, but the redirector has already been started.], 3221225725 = [$id=STACK_OVERFLOW, $desc=A new guard page for the stack cannot be created.], 3221225726 = [$id=NO_SUCH_PACKAGE, $desc=A specified authentication package is unknown.], 3221225727 = [$id=BAD_FUNCTION_TABLE, $desc=A malformed function table was encountered during an unwind operation.], 3221225728 = [$id=VARIABLE_NOT_FOUND, $desc=Indicates the specified environment variable name was not found in the specified environment block.], 3221225729 = [$id=DIRECTORY_NOT_EMPTY, $desc=Indicates that the directory trying to be deleted is not empty.], 3221225730 = [$id=FILE_CORRUPT_ERROR, $desc={Corrupt File} The file or directory %hs is corrupt and unreadable. Run the Chkdsk utility.], 3221225731 = [$id=NOT_A_DIRECTORY, $desc=A requested opened file is not a directory.], 3221225732 = [$id=BAD_LOGON_SESSION_STATE, $desc=The logon session is not in a state that is consistent with the requested operation.], 3221225733 = [$id=LOGON_SESSION_COLLISION, $desc=An internal LSA error has occurred. An authentication package has requested the creation of a logon session but the ID of an already existing logon session has been specified.], 3221225734 = [$id=NAME_TOO_LONG, $desc=A specified name string is too long for its intended use.], 3221225735 = [$id=FILES_OPEN, $desc=The user attempted to force close the files on a redirected drive, but there were opened files on the drive, and the user did not specify a sufficient level of force.], 3221225736 = [$id=CONNECTION_IN_USE, $desc=The user attempted to force close the files on a redirected drive, but there were opened directories on the drive, and the user did not specify a sufficient level of force.], 3221225737 = [$id=MESSAGE_NOT_FOUND, $desc=RtlFindMessage could not locate the requested message ID in the message table resource.], 3221225738 = [$id=PROCESS_IS_TERMINATING, $desc=An attempt was made to duplicate an object handle into or out of an exiting process.], 3221225739 = [$id=INVALID_LOGON_TYPE, $desc=Indicates an invalid value has been provided for the LogonType requested.], 3221225740 = [$id=NO_GUID_TRANSLATION, $desc=Indicates that an attempt was made to assign protection to a file system file or directory and one of the SIDs in the security descriptor could not be translated into a GUID that could be stored by the file system. This causes the protection attempt to fail, which may cause a file creation attempt to fail.], 3221225741 = [$id=CANNOT_IMPERSONATE, $desc=Indicates that an attempt has been made to impersonate via a named pipe that has not yet been read from.], 3221225742 = [$id=IMAGE_ALREADY_LOADED, $desc=Indicates that the specified image is already loaded.], 3221225751 = [$id=NO_LDT, $desc=Indicates that an attempt was made to change the size of the LDT for a process that has no LDT.], 3221225752 = [$id=INVALID_LDT_SIZE, $desc=Indicates that an attempt was made to grow an LDT by setting its size, or that the size was not an even number of selectors.], 3221225753 = [$id=INVALID_LDT_OFFSET, $desc=Indicates that the starting value for the LDT information was not an integral multiple of the selector size.], 3221225754 = [$id=INVALID_LDT_DESCRIPTOR, $desc=Indicates that the user supplied an invalid descriptor when trying to set up LDT descriptors.], 3221225755 = [$id=INVALID_IMAGE_NE_FORMAT, $desc=The specified image file did not have the correct format. It appears to be NE format.], 3221225756 = [$id=RXACT_INVALID_STATE, $desc=Indicates that the transaction state of a registry subtree is incompatible with the requested operation. For example, a request has been made to start a new transaction with one already in progress, or a request has been made to apply a transaction when one is not currently in progress.], 3221225757 = [$id=RXACT_COMMIT_FAILURE, $desc=Indicates an error has occurred during a registry transaction commit. The database has been left in an unknown, but probably inconsistent, state. The state of the registry transaction is left as COMMITTING.], 3221225758 = [$id=MAPPED_FILE_SIZE_ZERO, $desc=An attempt was made to map a file of size zero with the maximum size specified as zero.], 3221225759 = [$id=TOO_MANY_OPENED_FILES, $desc=Too many files are opened on a remote server. This error should only be returned by the Windows redirector on a remote drive.], 3221225760 = [$id=CANCELLED, $desc=The I/O request was canceled.], 3221225761 = [$id=CANNOT_DELETE, $desc=An attempt has been made to remove a file or directory that cannot be deleted.], 3221225762 = [$id=INVALID_COMPUTER_NAME, $desc=Indicates a name that was specified as a remote computer name is syntactically invalid.], 3221225763 = [$id=FILE_DELETED, $desc=An I/O request other than close was performed on a file after it was deleted, which can only happen to a request that did not complete before the last handle was closed via NtClose.], 3221225764 = [$id=SPECIAL_ACCOUNT, $desc=Indicates an operation that is incompatible with built-in accounts has been attempted on a built-in (special) SAM account. For example, built-in accounts cannot be deleted.], 3221225765 = [$id=SPECIAL_GROUP, $desc=The operation requested may not be performed on the specified group because it is a built-in special group.], 3221225766 = [$id=SPECIAL_USER, $desc=The operation requested may not be performed on the specified user because it is a built-in special user.], 3221225767 = [$id=MEMBERS_PRIMARY_GROUP, $desc=Indicates a member cannot be removed from a group because the group is currently the member's primary group.], 3221225768 = [$id=FILE_CLOSED, $desc=An I/O request other than close and several other special case operations was attempted using a file object that had already been closed.], 3221225769 = [$id=TOO_MANY_THREADS, $desc=Indicates a process has too many threads to perform the requested action. For example, assignment of a primary token may only be performed when a process has zero or one threads.], 3221225770 = [$id=THREAD_NOT_IN_PROCESS, $desc=An attempt was made to operate on a thread within a specific process, but the specified thread is not in the specified process.], 3221225771 = [$id=TOKEN_ALREADY_IN_USE, $desc=An attempt was made to establish a token for use as a primary token but the token is already in use. A token can only be the primary token of one process at a time.], 3221225772 = [$id=PAGEFILE_QUOTA_EXCEEDED, $desc=The page file quota was exceeded.], 3221225773 = [$id=COMMITMENT_LIMIT, $desc={Out of Virtual Memory} Your system is low on virtual memory. To ensure that Windows runs correctly, increase the size of your virtual memory paging file. For more information, see Help.], 3221225774 = [$id=INVALID_IMAGE_LE_FORMAT, $desc=The specified image file did not have the correct format: it appears to be LE format.], 3221225775 = [$id=INVALID_IMAGE_NOT_MZ, $desc=The specified image file did not have the correct format: it did not have an initial MZ.], 3221225776 = [$id=INVALID_IMAGE_PROTECT, $desc=The specified image file did not have the correct format: it did not have a proper e_lfarlc in the MZ header.], 3221225777 = [$id=INVALID_IMAGE_WIN_16, $desc=The specified image file did not have the correct format: it appears to be a 16-bit Windows image.], 3221225778 = [$id=LOGON_SERVER_CONFLICT, $desc=The Netlogon service cannot start because another Netlogon service running in the domain conflicts with the specified role.], 3221225779 = [$id=TIME_DIFFERENCE_AT_DC, $desc=The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount.], 3221225780 = [$id=SYNCHRONIZATION_REQUIRED, $desc=The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required.], 3221225781 = [$id=DLL_NOT_FOUND, $desc={Unable To Locate Component} This application has failed to start because %hs was not found. Reinstalling the application may fix this problem.], 3221225782 = [$id=OPEN_FAILED, $desc=The NtCreateFile API failed. This error should never be returned to an application; it is a place holder for the Windows LAN Manager Redirector to use in its internal error-mapping routines.], 3221225783 = [$id=IO_PRIVILEGE_FAILED, $desc={Privilege Failed} The I/O permissions for the process could not be changed.], 3221225784 = [$id=ORDINAL_NOT_FOUND, $desc={Ordinal Not Found} The ordinal %ld could not be located in the dynamic link library %hs.], 3221225785 = [$id=ENTRYPOINT_NOT_FOUND, $desc={Entry Point Not Found} The procedure entry point %hs could not be located in the dynamic link library %hs.], 3221225786 = [$id=CONTROL_C_EXIT, $desc={Application Exit by CTRL+C} The application terminated as a result of a CTRL+C.], 3221225787 = [$id=LOCAL_DISCONNECT, $desc={Virtual Circuit Closed} The network transport on your computer has closed a network connection. There may or may not be I/O requests outstanding.], 3221225788 = [$id=REMOTE_DISCONNECT, $desc={Virtual Circuit Closed} The network transport on a remote computer has closed a network connection. There may or may not be I/O requests outstanding.], 3221225789 = [$id=REMOTE_RESOURCES, $desc={Insufficient Resources on Remote Computer} The remote computer has insufficient resources to complete the network request. For example, the remote computer may not have enough available memory to carry out the request at this time.], 3221225790 = [$id=LINK_FAILED, $desc={Virtual Circuit Closed} An existing connection (virtual circuit) has been broken at the remote computer. There is probably something wrong with the network software protocol or the network hardware on the remote computer.], 3221225791 = [$id=LINK_TIMEOUT, $desc={Virtual Circuit Closed} The network transport on your computer has closed a network connection because it had to wait too long for a response from the remote computer.], 3221225792 = [$id=INVALID_CONNECTION, $desc=The connection handle that was given to the transport was invalid.], 3221225793 = [$id=INVALID_ADDRESS, $desc=The address handle that was given to the transport was invalid.], 3221225794 = [$id=DLL_INIT_FAILED, $desc={DLL Initialization Failed} Initialization of the dynamic link library %hs failed. The process is terminating abnormally.], 3221225795 = [$id=MISSING_SYSTEMFILE, $desc={Missing System File} The required system file %hs is bad or missing.], 3221225796 = [$id=UNHANDLED_EXCEPTION, $desc={Application Error} The exception %s (0x%08lx) occurred in the application at location 0x%08lx.], 3221225797 = [$id=APP_INIT_FAILURE, $desc={Application Error} The application failed to initialize properly (0x%lx). Click OK to terminate the application.], 3221225798 = [$id=PAGEFILE_CREATE_FAILED, $desc={Unable to Create Paging File} The creation of the paging file %hs failed (%lx). The requested size was %ld.], 3221225799 = [$id=NO_PAGEFILE, $desc={No Paging File Specified} No paging file was specified in the system configuration.], 3221225800 = [$id=INVALID_LEVEL, $desc={Incorrect System Call Level} An invalid level was passed into the specified system call.], 3221225801 = [$id=WRONG_PASSWORD_CORE, $desc={Incorrect Password to LAN Manager Server} You specified an incorrect password to a LAN Manager 2.x or MS-NET server.], 3221225802 = [$id=ILLEGAL_FLOAT_CONTEXT, $desc={EXCEPTION} A real-mode application issued a floating-point instruction and floating-point hardware is not present.], 3221225803 = [$id=PIPE_BROKEN, $desc=The pipe operation has failed because the other end of the pipe has been closed.], 3221225804 = [$id=REGISTRY_CORRUPT, $desc={The Registry Is Corrupt} The structure of one of the files that contains registry data is corrupt; the image of the file in memory is corrupt; or the file could not be recovered because the alternate copy or log was absent or corrupt.], 3221225805 = [$id=REGISTRY_IO_FAILED, $desc=An I/O operation initiated by the Registry failed and cannot be recovered. The registry could not read in, write out, or flush one of the files that contain the system's image of the registry.], 3221225806 = [$id=NO_EVENT_PAIR, $desc=An event pair synchronization operation was performed using the thread-specific client/server event pair object, but no event pair object was associated with the thread.], 3221225807 = [$id=UNRECOGNIZED_VOLUME, $desc=The volume does not contain a recognized file system. Be sure that all required file system drivers are loaded and that the volume is not corrupt.], 3221225808 = [$id=SERIAL_NO_DEVICE_INITED, $desc=No serial device was successfully initialized. The serial driver will unload.], 3221225809 = [$id=NO_SUCH_ALIAS, $desc=The specified local group does not exist.], 3221225810 = [$id=MEMBER_NOT_IN_ALIAS, $desc=The specified account name is not a member of the group.], 3221225811 = [$id=MEMBER_IN_ALIAS, $desc=The specified account name is already a member of the group.], 3221225812 = [$id=ALIAS_EXISTS, $desc=The specified local group already exists.], 3221225813 = [$id=LOGON_NOT_GRANTED, $desc=A requested type of logon (for example, interactive, network, and service) is not granted by the local security policy of the target system. Ask the system administrator to grant the necessary form of logon.], 3221225814 = [$id=TOO_MANY_SECRETS, $desc=The maximum number of secrets that may be stored in a single system was exceeded. The length and number of secrets is limited to satisfy U.S. State Department export restrictions.], 3221225815 = [$id=SECRET_TOO_LONG, $desc=The length of a secret exceeds the maximum allowable length. The length and number of secrets is limited to satisfy U.S. State Department export restrictions.], 3221225816 = [$id=INTERNAL_DB_ERROR, $desc=The local security authority (LSA) database contains an internal inconsistency.], 3221225817 = [$id=FULLSCREEN_MODE, $desc=The requested operation cannot be performed in full-screen mode.], 3221225818 = [$id=TOO_MANY_CONTEXT_IDS, $desc=During a logon attempt, the user's security context accumulated too many security IDs. This is a very unusual situation. Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context.], 3221225819 = [$id=LOGON_TYPE_NOT_GRANTED, $desc=A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.], 3221225820 = [$id=NOT_REGISTRY_FILE, $desc=The system has attempted to load or restore a file into the registry, and the specified file is not in the format of a registry file.], 3221225821 = [$id=NT_CROSS_ENCRYPTION_REQUIRED, $desc=An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password.], 3221225822 = [$id=DOMAIN_CTRLR_CONFIG_ERROR, $desc=A Windows Server has an incorrect configuration.], 3221225823 = [$id=FT_MISSING_MEMBER, $desc=An attempt was made to explicitly access the secondary copy of information via a device control to the fault tolerance driver and the secondary copy is not present in the system.], 3221225824 = [$id=ILL_FORMED_SERVICE_ENTRY, $desc=A configuration registry node that represents a driver service entry was ill-formed and did not contain the required value entries.], 3221225825 = [$id=ILLEGAL_CHARACTER, $desc=An illegal character was encountered. For a multibyte character set, this includes a lead byte without a succeeding trail byte. For the Unicode character set this includes the characters 0xFFFF and 0xFFFE.], 3221225826 = [$id=UNMAPPABLE_CHARACTER, $desc=No mapping for the Unicode character exists in the target multibyte code page.], 3221225827 = [$id=UNDEFINED_CHARACTER, $desc=The Unicode character is not defined in the Unicode character set that is installed on the system.], 3221225828 = [$id=FLOPPY_VOLUME, $desc=The paging file cannot be created on a floppy disk.], 3221225829 = [$id=FLOPPY_ID_MARK_NOT_FOUND, $desc={Floppy Disk Error} While accessing a floppy disk, an ID address mark was not found.], 3221225830 = [$id=FLOPPY_WRONG_CYLINDER, $desc={Floppy Disk Error} While accessing a floppy disk, the track address from the sector ID field was found to be different from the track address that is maintained by the controller.], 3221225831 = [$id=FLOPPY_UNKNOWN_ERROR, $desc={Floppy Disk Error} The floppy disk controller reported an error that is not recognized by the floppy disk driver.], 3221225832 = [$id=FLOPPY_BAD_REGISTERS, $desc={Floppy Disk Error} While accessing a floppy-disk, the controller returned inconsistent results via its registers.], 3221225833 = [$id=DISK_RECALIBRATE_FAILED, $desc={Hard Disk Error} While accessing the hard disk, a recalibrate operation failed, even after retries.], 3221225834 = [$id=DISK_OPERATION_FAILED, $desc={Hard Disk Error} While accessing the hard disk, a disk operation failed even after retries.], 3221225835 = [$id=DISK_RESET_FAILED, $desc={Hard Disk Error} While accessing the hard disk, a disk controller reset was needed, but even that failed.], 3221225836 = [$id=SHARED_IRQ_BUSY, $desc=An attempt was made to open a device that was sharing an interrupt request (IRQ) with other devices. At least one other device that uses that IRQ was already opened. Two concurrent opens of devices that share an IRQ and only work via interrupts is not supported for the particular bus type that the devices use.], 3221225837 = [$id=FT_ORPHANING, $desc={FT Orphaning} A disk that is part of a fault-tolerant volume can no longer be accessed.], 3221225838 = [$id=BIOS_FAILED_TO_CONNECT_INTERRUPT, $desc=The basic input/output system (BIOS) failed to connect a system interrupt to the device or bus for which the device is connected.], 3221225842 = [$id=PARTITION_FAILURE, $desc=The tape could not be partitioned.], 3221225843 = [$id=INVALID_BLOCK_LENGTH, $desc=When accessing a new tape of a multi-volume partition, the current blocksize is incorrect.], 3221225844 = [$id=DEVICE_NOT_PARTITIONED, $desc=The tape partition information could not be found when loading a tape.], 3221225845 = [$id=UNABLE_TO_LOCK_MEDIA, $desc=An attempt to lock the eject media mechanism failed.], 3221225846 = [$id=UNABLE_TO_UNLOAD_MEDIA, $desc=An attempt to unload media failed.], 3221225847 = [$id=EOM_OVERFLOW, $desc=The physical end of tape was detected.], 3221225848 = [$id=NO_MEDIA, $desc={No Media} There is no media in the drive. Insert media into drive %hs.], 3221225850 = [$id=NO_SUCH_MEMBER, $desc=A member could not be added to or removed from the local group because the member does not exist.], 3221225851 = [$id=INVALID_MEMBER, $desc=A new member could not be added to a local group because the member has the wrong account type.], 3221225852 = [$id=KEY_DELETED, $desc=An illegal operation was attempted on a registry key that has been marked for deletion.], 3221225853 = [$id=NO_LOG_SPACE, $desc=The system could not allocate the required space in a registry log.], 3221225854 = [$id=TOO_MANY_SIDS, $desc=Too many SIDs have been specified.], 3221225855 = [$id=LM_CROSS_ENCRYPTION_REQUIRED, $desc=An attempt was made to change a user password in the security account manager without providing the necessary LM cross-encrypted password.], 3221225856 = [$id=KEY_HAS_CHILDREN, $desc=An attempt was made to create a symbolic link in a registry key that already has subkeys or values.], 3221225857 = [$id=CHILD_MUST_BE_VOLATILE, $desc=An attempt was made to create a stable subkey under a volatile parent key.], 3221225858 = [$id=DEVICE_CONFIGURATION_ERROR, $desc=The I/O device is configured incorrectly or the configuration parameters to the driver are incorrect.], 3221225859 = [$id=DRIVER_INTERNAL_ERROR, $desc=An error was detected between two drivers or within an I/O driver.], 3221225860 = [$id=INVALID_DEVICE_STATE, $desc=The device is not in a valid state to perform this request.], 3221225861 = [$id=IO_DEVICE_ERROR, $desc=The I/O device reported an I/O error.], 3221225862 = [$id=DEVICE_PROTOCOL_ERROR, $desc=A protocol error was detected between the driver and the device.], 3221225863 = [$id=BACKUP_CONTROLLER, $desc=This operation is only allowed for the primary domain controller of the domain.], 3221225864 = [$id=LOG_FILE_FULL, $desc=The log file space is insufficient to support this operation.], 3221225865 = [$id=TOO_LATE, $desc=A write operation was attempted to a volume after it was dismounted.], 3221225866 = [$id=NO_TRUST_LSA_SECRET, $desc=The workstation does not have a trust secret for the primary domain in the local LSA database.], 3221225867 = [$id=NO_TRUST_SAM_ACCOUNT, $desc=The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.], 3221225868 = [$id=TRUSTED_DOMAIN_FAILURE, $desc=The logon request failed because the trust relationship between the primary domain and the trusted domain failed.], 3221225869 = [$id=TRUSTED_RELATIONSHIP_FAILURE, $desc=The logon request failed because the trust relationship between this workstation and the primary domain failed.], 3221225870 = [$id=EVENTLOG_FILE_CORRUPT, $desc=The Eventlog log file is corrupt.], 3221225871 = [$id=EVENTLOG_CANT_START, $desc=No Eventlog log file could be opened. The Eventlog service did not start.], 3221225872 = [$id=TRUST_FAILURE, $desc=The network logon failed. This may be because the validation authority cannot be reached.], 3221225873 = [$id=MUTANT_LIMIT_EXCEEDED, $desc=An attempt was made to acquire a mutant such that its maximum count would have been exceeded.], 3221225874 = [$id=NETLOGON_NOT_STARTED, $desc=An attempt was made to logon, but the NetLogon service was not started.], 3221225875 = [$id=ACCOUNT_EXPIRED, $desc=The user account has expired.], 3221225876 = [$id=POSSIBLE_DEADLOCK, $desc={EXCEPTION} Possible deadlock condition.], 3221225877 = [$id=NETWORK_CREDENTIAL_CONFLICT, $desc=Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.], 3221225878 = [$id=REMOTE_SESSION_LIMIT, $desc=An attempt was made to establish a session to a network server, but there are already too many sessions established to that server.], 3221225879 = [$id=EVENTLOG_FILE_CHANGED, $desc=The log file has changed between reads.], 3221225880 = [$id=NOLOGON_INTERDOMAIN_TRUST_ACCOUNT, $desc=The account used is an interdomain trust account. Use your global user account or local user account to access this server.], 3221225881 = [$id=NOLOGON_WORKSTATION_TRUST_ACCOUNT, $desc=The account used is a computer account. Use your global user account or local user account to access this server.], 3221225882 = [$id=NOLOGON_SERVER_TRUST_ACCOUNT, $desc=The account used is a server trust account. Use your global user account or local user account to access this server.], 3221225883 = [$id=DOMAIN_TRUST_INCONSISTENT, $desc=The name or SID of the specified domain is inconsistent with the trust information for that domain.], 3221225884 = [$id=FS_DRIVER_REQUIRED, $desc=A volume has been accessed for which a file system driver is required that has not yet been loaded.], 3221225885 = [$id=IMAGE_ALREADY_LOADED_AS_DLL, $desc=Indicates that the specified image is already loaded as a DLL.], 3221225886 = [$id=INCOMPATIBLE_WITH_GLOBAL_SHORT_NAME_REGISTRY_SETTING, $desc=Short name settings may not be changed on this volume due to the global registry setting.], 3221225887 = [$id=SHORT_NAMES_NOT_ENABLED_ON_VOLUME, $desc=Short names are not enabled on this volume.], 3221225888 = [$id=SECURITY_STREAM_IS_INCONSISTENT, $desc=The security stream for the given volume is in an inconsistent state. Please run CHKDSK on the volume.], 3221225889 = [$id=INVALID_LOCK_RANGE, $desc=A requested file lock operation cannot be processed due to an invalid byte range.], 3221225890 = [$id=INVALID_ACE_CONDITION, $desc=The specified access control entry (ACE) contains an invalid condition.], 3221225891 = [$id=IMAGE_SUBSYSTEM_NOT_PRESENT, $desc=The subsystem needed to support the image type is not present.], 3221225892 = [$id=NOTIFICATION_GUID_ALREADY_DEFINED, $desc=The specified file already has a notification GUID associated with it.], 3221225985 = [$id=NETWORK_OPEN_RESTRICTION, $desc=A remote open failed because the network open restrictions were not satisfied.], 3221225986 = [$id=NO_USER_SESSION_KEY, $desc=There is no user session key for the specified logon session.], 3221225987 = [$id=USER_SESSION_DELETED, $desc=The remote user session has been deleted.], 3221225988 = [$id=RESOURCE_LANG_NOT_FOUND, $desc=Indicates the specified resource language ID cannot be found in the image file.], 3221225989 = [$id=INSUFF_SERVER_RESOURCES, $desc=Insufficient server resources exist to complete the request.], 3221225990 = [$id=INVALID_BUFFER_SIZE, $desc=The size of the buffer is invalid for the specified operation.], 3221225991 = [$id=INVALID_ADDRESS_COMPONENT, $desc=The transport rejected the specified network address as invalid.], 3221225992 = [$id=INVALID_ADDRESS_WILDCARD, $desc=The transport rejected the specified network address due to invalid use of a wildcard.], 3221225993 = [$id=TOO_MANY_ADDRESSES, $desc=The transport address could not be opened because all the available addresses are in use.], 3221225994 = [$id=ADDRESS_ALREADY_EXISTS, $desc=The transport address could not be opened because it already exists.], 3221225995 = [$id=ADDRESS_CLOSED, $desc=The transport address is now closed.], 3221225996 = [$id=CONNECTION_DISCONNECTED, $desc=The transport connection is now disconnected.], 3221225997 = [$id=CONNECTION_RESET, $desc=The transport connection has been reset.], 3221225998 = [$id=TOO_MANY_NODES, $desc=The transport cannot dynamically acquire any more nodes.], 3221225999 = [$id=TRANSACTION_ABORTED, $desc=The transport aborted a pending transaction.], 3221226000 = [$id=TRANSACTION_TIMED_OUT, $desc=The transport timed out a request that is waiting for a response.], 3221226001 = [$id=TRANSACTION_NO_RELEASE, $desc=The transport did not receive a release for a pending response.], 3221226002 = [$id=TRANSACTION_NO_MATCH, $desc=The transport did not find a transaction that matches the specific token.], 3221226003 = [$id=TRANSACTION_RESPONDED, $desc=The transport had previously responded to a transaction request.], 3221226004 = [$id=TRANSACTION_INVALID_ID, $desc=The transport does not recognize the specified transaction request ID.], 3221226005 = [$id=TRANSACTION_INVALID_TYPE, $desc=The transport does not recognize the specified transaction request type.], 3221226006 = [$id=NOT_SERVER_SESSION, $desc=The transport can only process the specified request on the server side of a session.], 3221226007 = [$id=NOT_CLIENT_SESSION, $desc=The transport can only process the specified request on the client side of a session.], 3221226008 = [$id=CANNOT_LOAD_REGISTRY_FILE, $desc={Registry File Failure} The registry cannot load the hive (file): %hs or its log or alternate. It is corrupt, absent, or not writable.], 3221226009 = [$id=DEBUG_ATTACH_FAILED, $desc={Unexpected Failure in DebugActiveProcess} An unexpected failure occurred while processing a DebugActiveProcess API request. You may choose OK to terminate the process, or Cancel to ignore the error.], 3221226010 = [$id=SYSTEM_PROCESS_TERMINATED, $desc={Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x). The system has been shut down.], 3221226011 = [$id=DATA_NOT_ACCEPTED, $desc={Data Not Accepted} The TDI client could not handle the data received during an indication.], 3221226012 = [$id=NO_BROWSER_SERVERS_FOUND, $desc={Unable to Retrieve Browser Server List} The list of servers for this workgroup is not currently available.], 3221226013 = [$id=VDM_HARD_ERROR, $desc=NTVDM encountered a hard error.], 3221226014 = [$id=DRIVER_CANCEL_TIMEOUT, $desc={Cancel Timeout} The driver %hs failed to complete a canceled I/O request in the allotted time.], 3221226015 = [$id=REPLY_MESSAGE_MISMATCH, $desc={Reply Message Mismatch} An attempt was made to reply to an LPC message, but the thread specified by the client ID in the message was not waiting on that message.], 3221226016 = [$id=MAPPED_ALIGNMENT, $desc={Mapped View Alignment Incorrect} An attempt was made to map a view of a file, but either the specified base address or the offset into the file were not aligned on the proper allocation granularity.], 3221226017 = [$id=IMAGE_CHECKSUM_MISMATCH, $desc={Bad Image Checksum} The image %hs is possibly corrupt. The header checksum does not match the computed checksum.], 3221226018 = [$id=LOST_WRITEBEHIND_DATA, $desc={Delayed Write Failed} Windows was unable to save all the data for the file %hs. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Try to save this file elsewhere.], 3221226019 = [$id=CLIENT_SERVER_PARAMETERS_INVALID, $desc=The parameters passed to the server in the client/server shared memory window were invalid. Too much data may have been put in the shared memory window.], 3221226020 = [$id=PASSWORD_MUST_CHANGE, $desc=The user password must be changed before logging on the first time.], 3221226021 = [$id=NOT_FOUND, $desc=The object was not found.], 3221226022 = [$id=NOT_TINY_STREAM, $desc=The stream is not a tiny stream.], 3221226023 = [$id=RECOVERY_FAILURE, $desc=A transaction recovery failed.], 3221226024 = [$id=STACK_OVERFLOW_READ, $desc=The request must be handled by the stack overflow code.], 3221226025 = [$id=FAIL_CHECK, $desc=A consistency check failed.], 3221226026 = [$id=DUPLICATE_OBJECTID, $desc=The attempt to insert the ID in the index failed because the ID is already in the index.], 3221226027 = [$id=OBJECTID_EXISTS, $desc=The attempt to set the object ID failed because the object already has an ID.], 3221226028 = [$id=CONVERT_TO_LARGE, $desc=Internal OFS status codes indicating how an allocation operation is handled. Either it is retried after the containing oNode is moved or the extent stream is converted to a large stream.], 3221226029 = [$id=RETRY, $desc=The request needs to be retried.], 3221226030 = [$id=FOUND_OUT_OF_SCOPE, $desc=The attempt to find the object found an object on the volume that matches by ID; however, it is out of the scope of the handle that is used for the operation.], 3221226031 = [$id=ALLOCATE_BUCKET, $desc=The bucket array must be grown. Retry the transaction after doing so.], 3221226032 = [$id=PROPSET_NOT_FOUND, $desc=The specified property set does not exist on the object.], 3221226033 = [$id=MARSHALL_OVERFLOW, $desc=The user/kernel marshaling buffer has overflowed.], 3221226034 = [$id=INVALID_VARIANT, $desc=The supplied variant structure contains invalid data.], 3221226035 = [$id=DOMAIN_CONTROLLER_NOT_FOUND, $desc=A domain controller for this domain was not found.], 3221226036 = [$id=ACCOUNT_LOCKED_OUT, $desc=The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.], 3221226037 = [$id=HANDLE_NOT_CLOSABLE, $desc=NtClose was called on a handle that was protected from close via NtSetInformationObject.], 3221226038 = [$id=CONNECTION_REFUSED, $desc=The transport-connection attempt was refused by the remote system.], 3221226039 = [$id=GRACEFUL_DISCONNECT, $desc=The transport connection was gracefully closed.], 3221226040 = [$id=ADDRESS_ALREADY_ASSOCIATED, $desc=The transport endpoint already has an address associated with it.], 3221226041 = [$id=ADDRESS_NOT_ASSOCIATED, $desc=An address has not yet been associated with the transport endpoint.], 3221226042 = [$id=CONNECTION_INVALID, $desc=An operation was attempted on a nonexistent transport connection.], 3221226043 = [$id=CONNECTION_ACTIVE, $desc=An invalid operation was attempted on an active transport connection.], 3221226044 = [$id=NETWORK_UNREACHABLE, $desc=The remote network is not reachable by the transport.], 3221226045 = [$id=HOST_UNREACHABLE, $desc=The remote system is not reachable by the transport.], 3221226046 = [$id=PROTOCOL_UNREACHABLE, $desc=The remote system does not support the transport protocol.], 3221226047 = [$id=PORT_UNREACHABLE, $desc=No service is operating at the destination port of the transport on the remote system.], 3221226048 = [$id=REQUEST_ABORTED, $desc=The request was aborted.], 3221226049 = [$id=CONNECTION_ABORTED, $desc=The transport connection was aborted by the local system.], 3221226050 = [$id=BAD_COMPRESSION_BUFFER, $desc=The specified buffer contains ill-formed data.], 3221226051 = [$id=USER_MAPPED_FILE, $desc=The requested operation cannot be performed on a file with a user mapped section open.], 3221226052 = [$id=AUDIT_FAILED, $desc={Audit Failed} An attempt to generate a security audit failed.], 3221226053 = [$id=TIMER_RESOLUTION_NOT_SET, $desc=The timer resolution was not previously set by the current process.], 3221226054 = [$id=CONNECTION_COUNT_LIMIT, $desc=A connection to the server could not be made because the limit on the number of concurrent connections for this account has been reached.], 3221226055 = [$id=LOGIN_TIME_RESTRICTION, $desc=Attempting to log on during an unauthorized time of day for this account.], 3221226056 = [$id=LOGIN_WKSTA_RESTRICTION, $desc=The account is not authorized to log on from this station.], 3221226057 = [$id=IMAGE_MP_UP_MISMATCH, $desc={UP/MP Image Mismatch} The image %hs has been modified for use on a uniprocessor system, but you are running it on a multiprocessor machine. Reinstall the image file.], 3221226064 = [$id=INSUFFICIENT_LOGON_INFO, $desc=There is insufficient account information to log you on.], 3221226065 = [$id=BAD_DLL_ENTRYPOINT, $desc={Invalid DLL Entrypoint} The dynamic link library %hs is not written correctly. The stack pointer has been left in an inconsistent state. The entry point should be declared as WINAPI or STDCALL. Select YES to fail the DLL load. Select NO to continue execution. Selecting NO may cause the application to operate incorrectly.], 3221226066 = [$id=BAD_SERVICE_ENTRYPOINT, $desc={Invalid Service Callback Entrypoint} The %hs service is not written correctly. The stack pointer has been left in an inconsistent state. The callback entry point should be declared as WINAPI or STDCALL. Selecting OK will cause the service to continue operation. However, the service process may operate incorrectly.], 3221226067 = [$id=LPC_REPLY_LOST, $desc=The server received the messages but did not send a reply.], 3221226068 = [$id=IP_ADDRESS_CONFLICT1, $desc=There is an IP address conflict with another system on the network.], 3221226069 = [$id=IP_ADDRESS_CONFLICT2, $desc=There is an IP address conflict with another system on the network.], 3221226070 = [$id=REGISTRY_QUOTA_LIMIT, $desc={Low On Registry Space} The system has reached the maximum size that is allowed for the system part of the registry. Additional storage requests will be ignored.], 3221226071 = [$id=PATH_NOT_COVERED, $desc=The contacted server does not support the indicated part of the DFS namespace.], 3221226072 = [$id=NO_CALLBACK_ACTIVE, $desc=A callback return system service cannot be executed when no callback is active.], 3221226073 = [$id=LICENSE_QUOTA_EXCEEDED, $desc=The service being accessed is licensed for a particular number of connections. No more connections can be made to the service at this time because the service has already accepted the maximum number of connections.], 3221226074 = [$id=PWD_TOO_SHORT, $desc=The password provided is too short to meet the policy of your user account. Choose a longer password.], 3221226075 = [$id=PWD_TOO_RECENT, $desc=The policy of your user account does not allow you to change passwords too frequently. This is done to prevent users from changing back to a familiar, but potentially discovered, password. If you feel your password has been compromised, contact your administrator immediately to have a new one assigned.], 3221226076 = [$id=PWD_HISTORY_CONFLICT, $desc=You have attempted to change your password to one that you have used in the past. The policy of your user account does not allow this. Select a password that you have not previously used.], 3221226078 = [$id=PLUGPLAY_NO_DEVICE, $desc=You have attempted to load a legacy device driver while its device instance had been disabled.], 3221226079 = [$id=UNSUPPORTED_COMPRESSION, $desc=The specified compression format is unsupported.], 3221226080 = [$id=INVALID_HW_PROFILE, $desc=The specified hardware profile configuration is invalid.], 3221226081 = [$id=INVALID_PLUGPLAY_DEVICE_PATH, $desc=The specified Plug and Play registry device path is invalid.], 3221226082 = [$id=DRIVER_ORDINAL_NOT_FOUND, $desc={Driver Entry Point Not Found} The %hs device driver could not locate the ordinal %ld in driver %hs.], 3221226083 = [$id=DRIVER_ENTRYPOINT_NOT_FOUND, $desc={Driver Entry Point Not Found} The %hs device driver could not locate the entry point %hs in driver %hs.], 3221226084 = [$id=RESOURCE_NOT_OWNED, $desc={Application Error} The application attempted to release a resource it did not own. Click OK to terminate the application.], 3221226085 = [$id=TOO_MANY_LINKS, $desc=An attempt was made to create more links on a file than the file system supports.], 3221226086 = [$id=QUOTA_LIST_INCONSISTENT, $desc=The specified quota list is internally inconsistent with its descriptor.], 3221226087 = [$id=FILE_IS_OFFLINE, $desc=The specified file has been relocated to offline storage.], 3221226088 = [$id=EVALUATION_EXPIRATION, $desc={Windows Evaluation Notification} The evaluation period for this installation of Windows has expired. This system will shutdown in 1 hour. To restore access to this installation of Windows, upgrade this installation by using a licensed distribution of this product.], 3221226089 = [$id=ILLEGAL_DLL_RELOCATION, $desc={Illegal System DLL Relocation} The system DLL %hs was relocated in memory. The application will not run properly. The relocation occurred because the DLL %hs occupied an address range that is reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.], 3221226090 = [$id=LICENSE_VIOLATION, $desc={License Violation} The system has detected tampering with your registered product type. This is a violation of your software license. Tampering with the product type is not permitted.], 3221226091 = [$id=DLL_INIT_FAILED_LOGOFF, $desc={DLL Initialization Failed} The application failed to initialize because the window station is shutting down.], 3221226092 = [$id=DRIVER_UNABLE_TO_LOAD, $desc={Unable to Load Device Driver} %hs device driver could not be loaded. Error Status was 0x%x.], 3221226093 = [$id=DFS_UNAVAILABLE, $desc=DFS is unavailable on the contacted server.], 3221226094 = [$id=VOLUME_DISMOUNTED, $desc=An operation was attempted to a volume after it was dismounted.], 3221226095 = [$id=WX86_INTERNAL_ERROR, $desc=An internal error occurred in the Win32 x86 emulation subsystem.], 3221226096 = [$id=WX86_FLOAT_STACK_CHECK, $desc=Win32 x86 emulation subsystem floating-point stack check.], 3221226097 = [$id=VALIDATE_CONTINUE, $desc=The validation process needs to continue on to the next step.], 3221226098 = [$id=NO_MATCH, $desc=There was no match for the specified key in the index.], 3221226099 = [$id=NO_MORE_MATCHES, $desc=There are no more matches for the current index enumeration.], 3221226101 = [$id=NOT_A_REPARSE_POINT, $desc=The NTFS file or directory is not a reparse point.], 3221226102 = [$id=IO_REPARSE_TAG_INVALID, $desc=The Windows I/O reparse tag passed for the NTFS reparse point is invalid.], 3221226103 = [$id=IO_REPARSE_TAG_MISMATCH, $desc=The Windows I/O reparse tag does not match the one that is in the NTFS reparse point.], 3221226104 = [$id=IO_REPARSE_DATA_INVALID, $desc=The user data passed for the NTFS reparse point is invalid.], 3221226105 = [$id=IO_REPARSE_TAG_NOT_HANDLED, $desc=The layered file system driver for this I/O tag did not handle it when needed.], 3221226112 = [$id=REPARSE_POINT_NOT_RESOLVED, $desc=The NTFS symbolic link could not be resolved even though the initial file name is valid.], 3221226113 = [$id=DIRECTORY_IS_A_REPARSE_POINT, $desc=The NTFS directory is a reparse point.], 3221226114 = [$id=RANGE_LIST_CONFLICT, $desc=The range could not be added to the range list because of a conflict.], 3221226115 = [$id=SOURCE_ELEMENT_EMPTY, $desc=The specified medium changer source element contains no media.], 3221226116 = [$id=DESTINATION_ELEMENT_FULL, $desc=The specified medium changer destination element already contains media.], 3221226117 = [$id=ILLEGAL_ELEMENT_ADDRESS, $desc=The specified medium changer element does not exist.], 3221226118 = [$id=MAGAZINE_NOT_PRESENT, $desc=The specified element is contained in a magazine that is no longer present.], 3221226119 = [$id=REINITIALIZATION_NEEDED, $desc=The device requires re-initialization due to hardware errors.], 3221226122 = [$id=ENCRYPTION_FAILED, $desc=The file encryption attempt failed.], 3221226123 = [$id=DECRYPTION_FAILED, $desc=The file decryption attempt failed.], 3221226124 = [$id=RANGE_NOT_FOUND, $desc=The specified range could not be found in the range list.], 3221226125 = [$id=NO_RECOVERY_POLICY, $desc=There is no encryption recovery policy configured for this system.], 3221226126 = [$id=NO_EFS, $desc=The required encryption driver is not loaded for this system.], 3221226127 = [$id=WRONG_EFS, $desc=The file was encrypted with a different encryption driver than is currently loaded.], 3221226128 = [$id=NO_USER_KEYS, $desc=There are no EFS keys defined for the user.], 3221226129 = [$id=FILE_NOT_ENCRYPTED, $desc=The specified file is not encrypted.], 3221226130 = [$id=NOT_EXPORT_FORMAT, $desc=The specified file is not in the defined EFS export format.], 3221226131 = [$id=FILE_ENCRYPTED, $desc=The specified file is encrypted and the user does not have the ability to decrypt it.], 3221226133 = [$id=WMI_GUID_NOT_FOUND, $desc=The GUID passed was not recognized as valid by a WMI data provider.], 3221226134 = [$id=WMI_INSTANCE_NOT_FOUND, $desc=The instance name passed was not recognized as valid by a WMI data provider.], 3221226135 = [$id=WMI_ITEMID_NOT_FOUND, $desc=The data item ID passed was not recognized as valid by a WMI data provider.], 3221226136 = [$id=WMI_TRY_AGAIN, $desc=The WMI request could not be completed and should be retried.], 3221226137 = [$id=SHARED_POLICY, $desc=The policy object is shared and can only be modified at the root.], 3221226138 = [$id=POLICY_OBJECT_NOT_FOUND, $desc=The policy object does not exist when it should.], 3221226139 = [$id=POLICY_ONLY_IN_DS, $desc=The requested policy information only lives in the Ds.], 3221226140 = [$id=VOLUME_NOT_UPGRADED, $desc=The volume must be upgraded to enable this feature.], 3221226141 = [$id=REMOTE_STORAGE_NOT_ACTIVE, $desc=The remote storage service is not operational at this time.], 3221226142 = [$id=REMOTE_STORAGE_MEDIA_ERROR, $desc=The remote storage service encountered a media error.], 3221226143 = [$id=NO_TRACKING_SERVICE, $desc=The tracking (workstation) service is not running.], 3221226144 = [$id=SERVER_SID_MISMATCH, $desc=The server process is running under a SID that is different from the SID that is required by client.], 3221226145 = [$id=DS_NO_ATTRIBUTE_OR_VALUE, $desc=The specified directory service attribute or value does not exist.], 3221226146 = [$id=DS_INVALID_ATTRIBUTE_SYNTAX, $desc=The attribute syntax specified to the directory service is invalid.], 3221226147 = [$id=DS_ATTRIBUTE_TYPE_UNDEFINED, $desc=The attribute type specified to the directory service is not defined.], 3221226148 = [$id=DS_ATTRIBUTE_OR_VALUE_EXISTS, $desc=The specified directory service attribute or value already exists.], 3221226149 = [$id=DS_BUSY, $desc=The directory service is busy.], 3221226150 = [$id=DS_UNAVAILABLE, $desc=The directory service is unavailable.], 3221226151 = [$id=DS_NO_RIDS_ALLOCATED, $desc=The directory service was unable to allocate a relative identifier.], 3221226152 = [$id=DS_NO_MORE_RIDS, $desc=The directory service has exhausted the pool of relative identifiers.], 3221226153 = [$id=DS_INCORRECT_ROLE_OWNER, $desc=The requested operation could not be performed because the directory service is not the master for that type of operation.], 3221226154 = [$id=DS_RIDMGR_INIT_ERROR, $desc=The directory service was unable to initialize the subsystem that allocates relative identifiers.], 3221226155 = [$id=DS_OBJ_CLASS_VIOLATION, $desc=The requested operation did not satisfy one or more constraints that are associated with the class of the object.], 3221226156 = [$id=DS_CANT_ON_NON_LEAF, $desc=The directory service can perform the requested operation only on a leaf object.], 3221226157 = [$id=DS_CANT_ON_RDN, $desc=The directory service cannot perform the requested operation on the Relatively Defined Name (RDN) attribute of an object.], 3221226158 = [$id=DS_CANT_MOD_OBJ_CLASS, $desc=The directory service detected an attempt to modify the object class of an object.], 3221226159 = [$id=DS_CROSS_DOM_MOVE_FAILED, $desc=An error occurred while performing a cross domain move operation.], 3221226160 = [$id=DS_GC_NOT_AVAILABLE, $desc=Unable to contact the global catalog server.], 3221226161 = [$id=DIRECTORY_SERVICE_REQUIRED, $desc=The requested operation requires a directory service, and none was available.], 3221226162 = [$id=REPARSE_ATTRIBUTE_CONFLICT, $desc=The reparse attribute cannot be set because it is incompatible with an existing attribute.], 3221226163 = [$id=CANT_ENABLE_DENY_ONLY, $desc=A group marked "use for deny only" cannot be enabled.], 3221226164 = [$id=FLOAT_MULTIPLE_FAULTS, $desc={EXCEPTION} Multiple floating-point faults.], 3221226165 = [$id=FLOAT_MULTIPLE_TRAPS, $desc={EXCEPTION} Multiple floating-point traps.], 3221226166 = [$id=DEVICE_REMOVED, $desc=The device has been removed.], 3221226167 = [$id=JOURNAL_DELETE_IN_PROGRESS, $desc=The volume change journal is being deleted.], 3221226168 = [$id=JOURNAL_NOT_ACTIVE, $desc=The volume change journal is not active.], 3221226169 = [$id=NOINTERFACE, $desc=The requested interface is not supported.], 3221226177 = [$id=DS_ADMIN_LIMIT_EXCEEDED, $desc=A directory service resource limit has been exceeded.], 3221226178 = [$id=DRIVER_FAILED_SLEEP, $desc={System Standby Failed} The driver %hs does not support standby mode. Updating this driver may allow the system to go to standby mode.], 3221226179 = [$id=MUTUAL_AUTHENTICATION_FAILED, $desc=Mutual Authentication failed. The server password is out of date at the domain controller.], 3221226180 = [$id=CORRUPT_SYSTEM_FILE, $desc=The system file %1 has become corrupt and has been replaced.], 3221226181 = [$id=DATATYPE_MISALIGNMENT_ERROR, $desc={EXCEPTION} Alignment Error A data type misalignment error was detected in a load or store instruction.], 3221226182 = [$id=WMI_READ_ONLY, $desc=The WMI data item or data block is read-only.], 3221226183 = [$id=WMI_SET_FAILURE, $desc=The WMI data item or data block could not be changed.], 3221226184 = [$id=COMMITMENT_MINIMUM, $desc={Virtual Memory Minimum Too Low} Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help.], 3221226185 = [$id=REG_NAT_CONSUMPTION, $desc={EXCEPTION} Register NaT consumption faults. A NaT value is consumed on a non-speculative instruction.], 3221226186 = [$id=TRANSPORT_FULL, $desc=The transport element of the medium changer contains media, which is causing the operation to fail.], 3221226187 = [$id=DS_SAM_INIT_FAILURE, $desc=Security Accounts Manager initialization failed because of the following error: %hs Error Status: 0x%x. Click OK to shut down this system and restart in Directory Services Restore Mode. Check the event log for more detailed information.], 3221226188 = [$id=ONLY_IF_CONNECTED, $desc=This operation is supported only when you are connected to the server.], 3221226189 = [$id=DS_SENSITIVE_GROUP_VIOLATION, $desc=Only an administrator can modify the membership list of an administrative group.], 3221226190 = [$id=PNP_RESTART_ENUMERATION, $desc=A device was removed so enumeration must be restarted.], 3221226191 = [$id=JOURNAL_ENTRY_DELETED, $desc=The journal entry has been deleted from the journal.], 3221226192 = [$id=DS_CANT_MOD_PRIMARYGROUPID, $desc=Cannot change the primary group ID of a domain controller account.], 3221226193 = [$id=SYSTEM_IMAGE_BAD_SIGNATURE, $desc={Fatal System Error} The system image %s is not properly signed. The file has been replaced with the signed file. The system has been shut down.], 3221226194 = [$id=PNP_REBOOT_REQUIRED, $desc=The device will not start without a reboot.], 3221226195 = [$id=POWER_STATE_INVALID, $desc=The power state of the current device cannot support this request.], 3221226196 = [$id=DS_INVALID_GROUP_TYPE, $desc=The specified group type is invalid.], 3221226197 = [$id=DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN, $desc=In a mixed domain, no nesting of a global group if the group is security enabled.], 3221226198 = [$id=DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN, $desc=In a mixed domain, cannot nest local groups with other local groups, if the group is security enabled.], 3221226199 = [$id=DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER, $desc=A global group cannot have a local group as a member.], 3221226200 = [$id=DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER, $desc=A global group cannot have a universal group as a member.], 3221226201 = [$id=DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER, $desc=A universal group cannot have a local group as a member.], 3221226202 = [$id=DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER, $desc=A global group cannot have a cross-domain member.], 3221226203 = [$id=DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER, $desc=A local group cannot have another cross-domain local group as a member.], 3221226204 = [$id=DS_HAVE_PRIMARY_MEMBERS, $desc=Cannot change to a security-disabled group because primary members are in this group.], 3221226205 = [$id=WMI_NOT_SUPPORTED, $desc=The WMI operation is not supported by the data block or method.], 3221226206 = [$id=INSUFFICIENT_POWER, $desc=There is not enough power to complete the requested operation.], 3221226207 = [$id=SAM_NEED_BOOTKEY_PASSWORD, $desc=The Security Accounts Manager needs to get the boot password.], 3221226208 = [$id=SAM_NEED_BOOTKEY_FLOPPY, $desc=The Security Accounts Manager needs to get the boot key from the floppy disk.], 3221226209 = [$id=DS_CANT_START, $desc=The directory service cannot start.], 3221226210 = [$id=DS_INIT_FAILURE, $desc=The directory service could not start because of the following error: %hs Error Status: 0x%x. Click OK to shut down this system and restart in Directory Services Restore Mode. Check the event log for more detailed information.], 3221226211 = [$id=SAM_INIT_FAILURE, $desc=The Security Accounts Manager initialization failed because of the following error: %hs Error Status: 0x%x. Click OK to shut down this system and restart in Safe Mode. Check the event log for more detailed information.], 3221226212 = [$id=DS_GC_REQUIRED, $desc=The requested operation can be performed only on a global catalog server.], 3221226213 = [$id=DS_LOCAL_MEMBER_OF_LOCAL_ONLY, $desc=A local group can only be a member of other local groups in the same domain.], 3221226214 = [$id=DS_NO_FPO_IN_UNIVERSAL_GROUPS, $desc=Foreign security principals cannot be members of universal groups.], 3221226215 = [$id=DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED, $desc=Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.], 3221226217 = [$id=CURRENT_DOMAIN_NOT_ALLOWED, $desc=This operation cannot be performed on the current domain.], 3221226218 = [$id=CANNOT_MAKE, $desc=The directory or file cannot be created.], 3221226219 = [$id=SYSTEM_SHUTDOWN, $desc=The system is in the process of shutting down.], 3221226220 = [$id=DS_INIT_FAILURE_CONSOLE, $desc=Directory Services could not start because of the following error: %hs Error Status: 0x%x. Click OK to shut down the system. You can use the recovery console to diagnose the system further.], 3221226221 = [$id=DS_SAM_INIT_FAILURE_CONSOLE, $desc=Security Accounts Manager initialization failed because of the following error: %hs Error Status: 0x%x. Click OK to shut down the system. You can use the recovery console to diagnose the system further.], 3221226222 = [$id=UNFINISHED_CONTEXT_DELETED, $desc=A security context was deleted before the context was completed. This is considered a logon failure.], 3221226223 = [$id=NO_TGT_REPLY, $desc=The client is trying to negotiate a context and the server requires user-to-user but did not send a TGT reply.], 3221226224 = [$id=OBJECTID_NOT_FOUND, $desc=An object ID was not found in the file.], 3221226225 = [$id=NO_IP_ADDRESSES, $desc=Unable to accomplish the requested task because the local machine does not have any IP addresses.], 3221226226 = [$id=WRONG_CREDENTIAL_HANDLE, $desc=The supplied credential handle does not match the credential that is associated with the security context.], 3221226227 = [$id=CRYPTO_SYSTEM_INVALID, $desc=The crypto system or checksum function is invalid because a required function is unavailable.], 3221226228 = [$id=MAX_REFERRALS_EXCEEDED, $desc=The number of maximum ticket referrals has been exceeded.], 3221226229 = [$id=MUST_BE_KDC, $desc=The local machine must be a Kerberos KDC (domain controller) and it is not.], 3221226230 = [$id=STRONG_CRYPTO_NOT_SUPPORTED, $desc=The other end of the security negotiation requires strong crypto but it is not supported on the local machine.], 3221226231 = [$id=TOO_MANY_PRINCIPALS, $desc=The KDC reply contained more than one principal name.], 3221226232 = [$id=NO_PA_DATA, $desc=Expected to find PA data for a hint of what etype to use, but it was not found.], 3221226233 = [$id=PKINIT_NAME_MISMATCH, $desc=The client certificate does not contain a valid UPN, or does not match the client name in the logon request. Contact your administrator.], 3221226234 = [$id=SMARTCARD_LOGON_REQUIRED, $desc=Smart card logon is required and was not used.], 3221226235 = [$id=KDC_INVALID_REQUEST, $desc=An invalid request was sent to the KDC.], 3221226236 = [$id=KDC_UNABLE_TO_REFER, $desc=The KDC was unable to generate a referral for the service requested.], 3221226237 = [$id=KDC_UNKNOWN_ETYPE, $desc=The encryption type requested is not supported by the KDC.], 3221226238 = [$id=SHUTDOWN_IN_PROGRESS, $desc=A system shutdown is in progress.], 3221226239 = [$id=SERVER_SHUTDOWN_IN_PROGRESS, $desc=The server machine is shutting down.], 3221226240 = [$id=NOT_SUPPORTED_ON_SBS, $desc=This operation is not supported on a computer running Windows Server 2003 for Small Business Server.], 3221226241 = [$id=WMI_GUID_DISCONNECTED, $desc=The WMI GUID is no longer available.], 3221226242 = [$id=WMI_ALREADY_DISABLED, $desc=Collection or events for the WMI GUID is already disabled.], 3221226243 = [$id=WMI_ALREADY_ENABLED, $desc=Collection or events for the WMI GUID is already enabled.], 3221226244 = [$id=MFT_TOO_FRAGMENTED, $desc=The master file table on the volume is too fragmented to complete this operation.], 3221226245 = [$id=COPY_PROTECTION_FAILURE, $desc=Copy protection failure.], 3221226246 = [$id=CSS_AUTHENTICATION_FAILURE, $desc=Copy protection error-DVD CSS Authentication failed.], 3221226247 = [$id=CSS_KEY_NOT_PRESENT, $desc=Copy protection error-The specified sector does not contain a valid key.], 3221226248 = [$id=CSS_KEY_NOT_ESTABLISHED, $desc=Copy protection error-DVD session key not established.], 3221226249 = [$id=CSS_SCRAMBLED_SECTOR, $desc=Copy protection error-The read failed because the sector is encrypted.], 3221226250 = [$id=CSS_REGION_MISMATCH, $desc=Copy protection error-The region of the specified DVD does not correspond to the region setting of the drive.], 3221226251 = [$id=CSS_RESETS_EXHAUSTED, $desc=Copy protection error-The region setting of the drive may be permanent.], 3221226272 = [$id=PKINIT_FAILURE, $desc=The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon. There is more information in the system event log.], 3221226273 = [$id=SMARTCARD_SUBSYSTEM_FAILURE, $desc=The Kerberos protocol encountered an error while attempting to use the smart card subsystem.], 3221226274 = [$id=NO_KERB_KEY, $desc=The target server does not have acceptable Kerberos credentials.], 3221226320 = [$id=HOST_DOWN, $desc=The transport determined that the remote system is down.], 3221226321 = [$id=UNSUPPORTED_PREAUTH, $desc=An unsupported pre-authentication mechanism was presented to the Kerberos package.], 3221226322 = [$id=EFS_ALG_BLOB_TOO_BIG, $desc=The encryption algorithm that is used on the source file needs a bigger key buffer than the one that is used on the destination file.], 3221226323 = [$id=PORT_NOT_SET, $desc=An attempt to remove a processes DebugPort was made, but a port was not already associated with the process.], 3221226324 = [$id=DEBUGGER_INACTIVE, $desc=An attempt to do an operation on a debug port failed because the port is in the process of being deleted.], 3221226325 = [$id=DS_VERSION_CHECK_FAILURE, $desc=This version of Windows is not compatible with the behavior version of the directory forest, domain, or domain controller.], 3221226326 = [$id=AUDITING_DISABLED, $desc=The specified event is currently not being audited.], 3221226327 = [$id=PRENT4_MACHINE_ACCOUNT, $desc=The machine account was created prior to Windows NT 4.0. The account needs to be recreated.], 3221226328 = [$id=DS_AG_CANT_HAVE_UNIVERSAL_MEMBER, $desc=An account group cannot have a universal group as a member.], 3221226329 = [$id=INVALID_IMAGE_WIN_32, $desc=The specified image file did not have the correct format; it appears to be a 32-bit Windows image.], 3221226330 = [$id=INVALID_IMAGE_WIN_64, $desc=The specified image file did not have the correct format; it appears to be a 64-bit Windows image.], 3221226331 = [$id=BAD_BINDINGS, $desc=The client's supplied SSPI channel bindings were incorrect.], 3221226332 = [$id=NETWORK_SESSION_EXPIRED, $desc=The client session has expired; so the client must re-authenticate to continue accessing the remote resources.], 3221226333 = [$id=APPHELP_BLOCK, $desc=The AppHelp dialog box canceled; thus preventing the application from starting.], 3221226334 = [$id=ALL_SIDS_FILTERED, $desc=The SID filtering operation removed all SIDs.], 3221226335 = [$id=NOT_SAFE_MODE_DRIVER, $desc=The driver was not loaded because the system is starting in safe mode.], 3221226337 = [$id=ACCESS_DISABLED_BY_POLICY_DEFAULT, $desc=Access to %1 has been restricted by your Administrator by the default software restriction policy level.], 3221226338 = [$id=ACCESS_DISABLED_BY_POLICY_PATH, $desc=Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.], 3221226339 = [$id=ACCESS_DISABLED_BY_POLICY_PUBLISHER, $desc=Access to %1 has been restricted by your Administrator by software publisher policy.], 3221226340 = [$id=ACCESS_DISABLED_BY_POLICY_OTHER, $desc=Access to %1 has been restricted by your Administrator by policy rule %2.], 3221226341 = [$id=FAILED_DRIVER_ENTRY, $desc=The driver was not loaded because it failed its initialization call.], 3221226342 = [$id=DEVICE_ENUMERATION_ERROR, $desc=The device encountered an error while applying power or reading the device configuration. This may be caused by a failure of your hardware or by a poor connection.], 3221226344 = [$id=MOUNT_POINT_NOT_RESOLVED, $desc=The create operation failed because the name contained at least one mount point that resolves to a volume to which the specified device object is not attached.], 3221226345 = [$id=INVALID_DEVICE_OBJECT_PARAMETER, $desc=The device object parameter is either not a valid device object or is not attached to the volume that is specified by the file name.], 3221226346 = [$id=MCA_OCCURED, $desc=A machine check error has occurred. Check the system event log for additional information.], 3221226347 = [$id=DRIVER_BLOCKED_CRITICAL, $desc=Driver %2 has been blocked from loading.], 3221226348 = [$id=DRIVER_BLOCKED, $desc=Driver %2 has been blocked from loading.], 3221226349 = [$id=DRIVER_DATABASE_ERROR, $desc=There was error [%2] processing the driver database.], 3221226350 = [$id=SYSTEM_HIVE_TOO_LARGE, $desc=System hive size has exceeded its limit.], 3221226351 = [$id=INVALID_IMPORT_OF_NON_DLL, $desc=A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.], 3221226353 = [$id=NO_SECRETS, $desc=The local account store does not contain secret material for the specified account.], 3221226354 = [$id=ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY, $desc=Access to %1 has been restricted by your Administrator by policy rule %2.], 3221226355 = [$id=FAILED_STACK_SWITCH, $desc=The system was not able to allocate enough memory to perform a stack switch.], 3221226356 = [$id=HEAP_CORRUPTION, $desc=A heap has been corrupted.], 3221226368 = [$id=SMARTCARD_WRONG_PIN, $desc=An incorrect PIN was presented to the smart card.], 3221226369 = [$id=SMARTCARD_CARD_BLOCKED, $desc=The smart card is blocked.], 3221226370 = [$id=SMARTCARD_CARD_NOT_AUTHENTICATED, $desc=No PIN was presented to the smart card.], 3221226371 = [$id=SMARTCARD_NO_CARD, $desc=No smart card is available.], 3221226372 = [$id=SMARTCARD_NO_KEY_CONTAINER, $desc=The requested key container does not exist on the smart card.], 3221226373 = [$id=SMARTCARD_NO_CERTIFICATE, $desc=The requested certificate does not exist on the smart card.], 3221226374 = [$id=SMARTCARD_NO_KEYSET, $desc=The requested keyset does not exist.], 3221226375 = [$id=SMARTCARD_IO_ERROR, $desc=A communication error with the smart card has been detected.], 3221226376 = [$id=DOWNGRADE_DETECTED, $desc=The system detected a possible attempt to compromise security. Ensure that you can contact the server that authenticated you.], 3221226377 = [$id=SMARTCARD_CERT_REVOKED, $desc=The smart card certificate used for authentication has been revoked. Contact your system administrator. There may be additional information in the event log.], 3221226378 = [$id=ISSUING_CA_UNTRUSTED, $desc=An untrusted certificate authority was detected while processing the smart card certificate that is used for authentication. Contact your system administrator.], 3221226379 = [$id=REVOCATION_OFFLINE_C, $desc=The revocation status of the smart card certificate that is used for authentication could not be determined. Contact your system administrator.], 3221226380 = [$id=PKINIT_CLIENT_FAILURE, $desc=The smart card certificate used for authentication was not trusted. Contact your system administrator.], 3221226381 = [$id=SMARTCARD_CERT_EXPIRED, $desc=The smart card certificate used for authentication has expired. Contact your system administrator.], 3221226382 = [$id=DRIVER_FAILED_PRIOR_UNLOAD, $desc=The driver could not be loaded because a previous version of the driver is still in memory.], 3221226383 = [$id=SMARTCARD_SILENT_CONTEXT, $desc=The smart card provider could not perform the action because the context was acquired as silent.], 3221226497 = [$id=PER_USER_TRUST_QUOTA_EXCEEDED, $desc=The delegated trust creation quota of the current user has been exceeded.], 3221226498 = [$id=ALL_USER_TRUST_QUOTA_EXCEEDED, $desc=The total delegated trust creation quota has been exceeded.], 3221226499 = [$id=USER_DELETE_TRUST_QUOTA_EXCEEDED, $desc=The delegated trust deletion quota of the current user has been exceeded.], 3221226500 = [$id=DS_NAME_NOT_UNIQUE, $desc=The requested name already exists as a unique identifier.], 3221226501 = [$id=DS_DUPLICATE_ID_FOUND, $desc=The requested object has a non-unique identifier and cannot be retrieved.], 3221226502 = [$id=DS_GROUP_CONVERSION_ERROR, $desc=The group cannot be converted due to attribute restrictions on the requested group type.], 3221226503 = [$id=VOLSNAP_PREPARE_HIBERNATE, $desc={Volume Shadow Copy Service} Wait while the Volume Shadow Copy Service prepares volume %hs for hibernation.], 3221226504 = [$id=USER2USER_REQUIRED, $desc=Kerberos sub-protocol User2User is required.], 3221226505 = [$id=STACK_BUFFER_OVERRUN, $desc=The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.], 3221226506 = [$id=NO_S4U_PROT_SUPPORT, $desc=The Kerberos subsystem encountered an error. A service for user protocol request was made against a domain controller which does not support service for user.], 3221226507 = [$id=CROSSREALM_DELEGATION_FAILURE, $desc=An attempt was made by this server to make a Kerberos constrained delegation request for a target that is outside the server realm. This action is not supported and the resulting error indicates a misconfiguration on the allowed-to-delegate-to list for this server. Contact your administrator.], 3221226508 = [$id=REVOCATION_OFFLINE_KDC, $desc=The revocation status of the domain controller certificate used for smart card authentication could not be determined. There is additional information in the system event log. Contact your system administrator.], 3221226509 = [$id=ISSUING_CA_UNTRUSTED_KDC, $desc=An untrusted certificate authority was detected while processing the domain controller certificate used for authentication. There is additional information in the system event log. Contact your system administrator.], 3221226510 = [$id=KDC_CERT_EXPIRED, $desc=The domain controller certificate used for smart card logon has expired. Contact your system administrator with the contents of your system event log.], 3221226511 = [$id=KDC_CERT_REVOKED, $desc=The domain controller certificate used for smart card logon has been revoked. Contact your system administrator with the contents of your system event log.], 3221226512 = [$id=PARAMETER_QUOTA_EXCEEDED, $desc=Data present in one of the parameters is more than the function can operate on.], 3221226513 = [$id=HIBERNATION_FAILURE, $desc=The system has failed to hibernate (The error code is %hs). Hibernation will be disabled until the system is restarted.], 3221226514 = [$id=DELAY_LOAD_FAILED, $desc=An attempt to delay-load a .dll or get a function address in a delay-loaded .dll failed.], 3221226515 = [$id=AUTHENTICATION_FIREWALL_FAILED, $desc=Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.], 3221226516 = [$id=VDM_DISALLOWED, $desc=%hs is a 16-bit application. You do not have permissions to execute 16-bit applications. Check your permissions with your system administrator.], 3221226517 = [$id=HUNG_DISPLAY_DRIVER_THREAD, $desc={Display Driver Stopped Responding} The %hs display driver has stopped working normally. Save your work and reboot the system to restore full display functionality. The next time you reboot the machine a dialog will be displayed giving you a chance to report this failure to Microsoft.], 3221226518 = [$id=INSUFFICIENT_RESOURCE_FOR_SPECIFIED_SHARED_SECTION_SIZE, $desc=The Desktop heap encountered an error while allocating session memory. There is more information in the system event log.], 3221226519 = [$id=INVALID_CRUNTIME_PARAMETER, $desc=An invalid parameter was passed to a C runtime function.], 3221226520 = [$id=NTLM_BLOCKED, $desc=The authentication failed because NTLM was blocked.], 3221226521 = [$id=DS_SRC_SID_EXISTS_IN_FOREST, $desc=The source object's SID already exists in destination forest.], 3221226522 = [$id=DS_DOMAIN_NAME_EXISTS_IN_FOREST, $desc=The domain name of the trusted domain already exists in the forest.], 3221226523 = [$id=DS_FLAT_NAME_EXISTS_IN_FOREST, $desc=The flat name of the trusted domain already exists in the forest.], 3221226524 = [$id=INVALID_USER_PRINCIPAL_NAME, $desc=The User Principal Name (UPN) is invalid.], 3221226528 = [$id=ASSERTION_FAILURE, $desc=There has been an assertion failure.], 3221226529 = [$id=VERIFIER_STOP, $desc=Application verifier has found an error in the current process.], 3221226531 = [$id=CALLBACK_POP_STACK, $desc=A user mode unwind is in progress.], 3221226532 = [$id=INCOMPATIBLE_DRIVER_BLOCKED, $desc=%2 has been blocked from loading due to incompatibility with this system. Contact your software vendor for a compatible version of the driver.], 3221226533 = [$id=HIVE_UNLOADED, $desc=Illegal operation attempted on a registry key which has already been unloaded.], 3221226534 = [$id=COMPRESSION_DISABLED, $desc=Compression is disabled for this volume.], 3221226535 = [$id=FILE_SYSTEM_LIMITATION, $desc=The requested operation could not be completed due to a file system limitation.], 3221226536 = [$id=INVALID_IMAGE_HASH, $desc=The hash for image %hs cannot be found in the system catalogs. The image is likely corrupt or the victim of tampering.], 3221226537 = [$id=NOT_CAPABLE, $desc=The implementation is not capable of performing the request.], 3221226538 = [$id=REQUEST_OUT_OF_SEQUENCE, $desc=The requested operation is out of order with respect to other operations.], 3221226539 = [$id=IMPLEMENTATION_LIMIT, $desc=An operation attempted to exceed an implementation-defined limit.], 3221226540 = [$id=ELEVATION_REQUIRED, $desc=The requested operation requires elevation.], 3221226541 = [$id=NO_SECURITY_CONTEXT, $desc=The required security context does not exist.], 3221226542 = [$id=PKU2U_CERT_FAILURE, $desc=The PKU2U protocol encountered an error while attempting to utilize the associated certificates.], 3221226546 = [$id=BEYOND_VDL, $desc=The operation was attempted beyond the valid data length of the file.], 3221226547 = [$id=ENCOUNTERED_WRITE_IN_PROGRESS, $desc=The attempted write operation encountered a write already in progress for some portion of the range.], 3221226548 = [$id=PTE_CHANGED, $desc=The page fault mappings changed in the middle of processing a fault so the operation must be retried.], 3221226549 = [$id=PURGE_FAILED, $desc=The attempt to purge this file from memory failed to purge some or all the data from memory.], 3221226560 = [$id=CRED_REQUIRES_CONFIRMATION, $desc=The requested credential requires confirmation.], 3221226561 = [$id=CS_ENCRYPTION_INVALID_SERVER_RESPONSE, $desc=The remote server sent an invalid response for a file being opened with Client Side Encryption.], 3221226562 = [$id=CS_ENCRYPTION_UNSUPPORTED_SERVER, $desc=Client Side Encryption is not supported by the remote server even though it claims to support it.], 3221226563 = [$id=CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE, $desc=File is encrypted and should be opened in Client Side Encryption mode.], 3221226564 = [$id=CS_ENCRYPTION_NEW_ENCRYPTED_FILE, $desc=A new encrypted file is being created and a $EFS needs to be provided.], 3221226565 = [$id=CS_ENCRYPTION_FILE_NOT_CSE, $desc=The SMB client requested a CSE FSCTL on a non-CSE file.], 3221226566 = [$id=INVALID_LABEL, $desc=Indicates a particular Security ID may not be assigned as the label of an object.], 3221226576 = [$id=DRIVER_PROCESS_TERMINATED, $desc=The process hosting the driver for this device has terminated.], 3221226577 = [$id=AMBIGUOUS_SYSTEM_DEVICE, $desc=The requested system device cannot be identified due to multiple indistinguishable devices potentially matching the identification criteria.], 3221226578 = [$id=SYSTEM_DEVICE_NOT_FOUND, $desc=The requested system device cannot be found.], 3221226579 = [$id=RESTART_BOOT_APPLICATION, $desc=This boot application must be restarted.], 3221226580 = [$id=INSUFFICIENT_NVRAM_RESOURCES, $desc=Insufficient NVRAM resources exist to complete the API.  A reboot might be required.], 3221226592 = [$id=NO_RANGES_PROCESSED, $desc=No ranges for the specified operation were able to be processed.], 3221226595 = [$id=DEVICE_FEATURE_NOT_SUPPORTED, $desc=The storage device does not support Offload Write.], 3221226596 = [$id=DEVICE_UNREACHABLE, $desc=Data cannot be moved because the source device cannot communicate with the destination device.], 3221226597 = [$id=INVALID_TOKEN, $desc=The token representing the data is invalid or expired.], 3221226752 = [$id=INVALID_TASK_NAME, $desc=The specified task name is invalid.], 3221226753 = [$id=INVALID_TASK_INDEX, $desc=The specified task index is invalid.], 3221226754 = [$id=THREAD_ALREADY_IN_TASK, $desc=The specified thread is already joining a task.], 3221226755 = [$id=CALLBACK_BYPASS, $desc=A callback has requested to bypass native code.], 3221227010 = [$id=FAIL_FAST_EXCEPTION, $desc=A fail fast exception occurred. Exception handlers will not be invoked and the process will be terminated immediately.], 3221227011 = [$id=IMAGE_CERT_REVOKED, $desc=Windows cannot verify the digital signature for this file. The signing certificate for this file has been revoked.], 3221227264 = [$id=PORT_CLOSED, $desc=The ALPC port is closed.], 3221227265 = [$id=MESSAGE_LOST, $desc=The ALPC message requested is no longer available.], 3221227266 = [$id=INVALID_MESSAGE, $desc=The ALPC message supplied is invalid.], 3221227267 = [$id=REQUEST_CANCELED, $desc=The ALPC message has been canceled.], 3221227268 = [$id=RECURSIVE_DISPATCH, $desc=Invalid recursive dispatch attempt.], 3221227269 = [$id=LPC_RECEIVE_BUFFER_EXPECTED, $desc=No receive buffer has been supplied in a synchronous request.], 3221227270 = [$id=LPC_INVALID_CONNECTION_USAGE, $desc=The connection port is used in an invalid context.], 3221227271 = [$id=LPC_REQUESTS_NOT_ALLOWED, $desc=The ALPC port does not accept new request messages.], 3221227272 = [$id=RESOURCE_IN_USE, $desc=The resource requested is already in use.], 3221227273 = [$id=HARDWARE_MEMORY_ERROR, $desc=The hardware has reported an uncorrectable memory error.], 3221227274 = [$id=THREADPOOL_HANDLE_EXCEPTION, $desc=Status 0x%08x was returned, waiting on handle 0x%x for wait 0x%p, in waiter 0x%p.], 3221227275 = [$id=THREADPOOL_SET_EVENT_ON_COMPLETION_FAILED, $desc=After a callback to 0x%p(0x%p), a completion call to Set event(0x%p) failed with status 0x%08x.], 3221227276 = [$id=THREADPOOL_RELEASE_SEMAPHORE_ON_COMPLETION_FAILED, $desc=After a callback to 0x%p(0x%p), a completion call to ReleaseSemaphore(0x%p, %d) failed with status 0x%08x.], 3221227277 = [$id=THREADPOOL_RELEASE_MUTEX_ON_COMPLETION_FAILED, $desc=After a callback to 0x%p(0x%p), a completion call to ReleaseMutex(%p) failed with status 0x%08x.], 3221227278 = [$id=THREADPOOL_FREE_LIBRARY_ON_COMPLETION_FAILED, $desc=After a callback to 0x%p(0x%p), a completion call to FreeLibrary(%p) failed with status 0x%08x.], 3221227279 = [$id=THREADPOOL_RELEASED_DURING_OPERATION, $desc=The thread pool 0x%p was released while a thread was posting a callback to 0x%p(0x%p) to it.], 3221227280 = [$id=CALLBACK_RETURNED_WHILE_IMPERSONATING, $desc=A thread pool worker thread is impersonating a client, after a callback to 0x%p(0x%p). This is unexpected, indicating that the callback is missing a call to revert the impersonation.], 3221227281 = [$id=APC_RETURNED_WHILE_IMPERSONATING, $desc=A thread pool worker thread is impersonating a client, after executing an APC. This is unexpected, indicating that the APC is missing a call to revert the impersonation.], 3221227282 = [$id=PROCESS_IS_PROTECTED, $desc=Either the target process, or the target thread's containing process, is a protected process.], 3221227283 = [$id=MCA_EXCEPTION, $desc=A thread is getting dispatched with MCA EXCEPTION because of MCA.], 3221227284 = [$id=CERTIFICATE_MAPPING_NOT_UNIQUE, $desc=The client certificate account mapping is not unique.], 3221227285 = [$id=SYMLINK_CLASS_DISABLED, $desc=The symbolic link cannot be followed because its type is disabled.], 3221227286 = [$id=INVALID_IDN_NORMALIZATION, $desc=Indicates that the specified string is not valid for IDN normalization.], 3221227287 = [$id=NO_UNICODE_TRANSLATION, $desc=No mapping for the Unicode character exists in the target multi-byte code page.], 3221227288 = [$id=ALREADY_REGISTERED, $desc=The provided callback is already registered.], 3221227289 = [$id=CONTEXT_MISMATCH, $desc=The provided context did not match the target.], 3221227290 = [$id=PORT_ALREADY_HAS_COMPLETION_LIST, $desc=The specified port already has a completion list.], 3221227291 = [$id=CALLBACK_RETURNED_THREAD_PRIORITY, $desc=A threadpool worker thread entered a callback at thread base priority 0x%x and exited at priority 0x%x.], 3221227292 = [$id=INVALID_THREAD, $desc=An invalid thread, handle %p, is specified for this operation. Possibly, a threadpool worker thread was specified.], 3221227293 = [$id=CALLBACK_RETURNED_TRANSACTION, $desc=A threadpool worker thread entered a callback, which left transaction state.], 3221227294 = [$id=CALLBACK_RETURNED_LDR_LOCK, $desc=A threadpool worker thread entered a callback, which left the loader lock held.], 3221227295 = [$id=CALLBACK_RETURNED_LANG, $desc=A threadpool worker thread entered a callback, which left with preferred languages set.], 3221227296 = [$id=CALLBACK_RETURNED_PRI_BACK, $desc=A threadpool worker thread entered a callback, which left with background priorities set.], 3221227520 = [$id=DISK_REPAIR_DISABLED, $desc=The attempted operation required self healing to be enabled.], 3221227521 = [$id=DS_DOMAIN_RENAME_IN_PROGRESS, $desc=The directory service cannot perform the requested operation because a domain rename operation is in progress.], 3221227522 = [$id=DISK_QUOTA_EXCEEDED, $desc=An operation failed because the storage quota was exceeded.], 3221227524 = [$id=CONTENT_BLOCKED, $desc=An operation failed because the content was blocked.], 3221227525 = [$id=BAD_CLUSTERS, $desc=The operation could not be completed due to bad clusters on disk.], 3221227526 = [$id=VOLUME_DIRTY, $desc=The operation could not be completed because the volume is dirty. Please run the Chkdsk utility and try again. ], 3221227777 = [$id=FILE_CHECKED_OUT, $desc=This file is checked out or locked for editing by another user.], 3221227778 = [$id=CHECKOUT_REQUIRED, $desc=The file must be checked out before saving changes.], 3221227779 = [$id=BAD_FILE_TYPE, $desc=The file type being saved or retrieved has been blocked.], 3221227780 = [$id=FILE_TOO_LARGE, $desc=The file size exceeds the limit allowed and cannot be saved.], 3221227781 = [$id=FORMS_AUTH_REQUIRED, $desc=Access Denied. Before opening files in this location, you must first browse to the e.g. site and select the option to log on automatically.], 3221227782 = [$id=VIRUS_INFECTED, $desc=The operation did not complete successfully because the file contains a virus.], 3221227783 = [$id=VIRUS_DELETED, $desc=This file contains a virus and cannot be opened. Due to the nature of this virus, the file has been removed from this location.], 3221227784 = [$id=BAD_MCFG_TABLE, $desc=The resources required for this device conflict with the MCFG table.], 3221227785 = [$id=CANNOT_BREAK_OPLOCK, $desc=The operation did not complete successfully because it would cause an oplock to be broken. The caller has requested that existing oplocks not be broken.], 3221264536 = [$id=WOW_ASSERTION, $desc=WOW Assertion Error.], 3221266432 = [$id=INVALID_SIGNATURE, $desc=The cryptographic signature is invalid.], 3221266433 = [$id=HMAC_NOT_SUPPORTED, $desc=The cryptographic provider does not support HMAC.], 3221266448 = [$id=IPSEC_QUEUE_OVERFLOW, $desc=The IPsec queue overflowed.], 3221266449 = [$id=ND_QUEUE_OVERFLOW, $desc=The neighbor discovery queue overflowed.], 3221266450 = [$id=HOPLIMIT_EXCEEDED, $desc=An Internet Control Message Protocol (ICMP) hop limit exceeded error was received.], 3221266451 = [$id=PROTOCOL_NOT_SUPPORTED, $desc=The protocol is not installed on the local machine.], 3221266560 = [$id=LOST_WRITEBEHIND_DATA_NETWORK_DISCONNECTED, $desc={Delayed Write Failed} Windows was unable to save all the data for the file %hs; the data has been lost. This error may be caused by network connectivity issues. Try to save this file elsewhere.], 3221266561 = [$id=LOST_WRITEBEHIND_DATA_NETWORK_SERVER_ERROR, $desc={Delayed Write Failed} Windows was unable to save all the data for the file %hs; the data has been lost. This error was returned by the server on which the file exists. Try to save this file elsewhere.], 3221266562 = [$id=LOST_WRITEBEHIND_DATA_LOCAL_DISK_ERROR, $desc={Delayed Write Failed} Windows was unable to save all the data for the file %hs; the data has been lost. This error may be caused if the device has been removed or the media is write-protected.], 3221266563 = [$id=XML_PARSE_ERROR, $desc=Windows was unable to parse the requested XML data.], 3221266564 = [$id=XMLDSIG_ERROR, $desc=An error was encountered while processing an XML digital signature.], 3221266565 = [$id=WRONG_COMPARTMENT, $desc=This indicates that the caller made the connection request in the wrong routing compartment.], 3221266566 = [$id=AUTHIP_FAILURE, $desc=This indicates that there was an AuthIP failure when attempting to connect to the remote host.], 3221266567 = [$id=DS_OID_MAPPED_GROUP_CANT_HAVE_MEMBERS, $desc=OID mapped groups cannot have members.], 3221266568 = [$id=DS_OID_NOT_FOUND, $desc=The specified OID cannot be found.], 3221266688 = [$id=HASH_NOT_SUPPORTED, $desc=Hash generation for the specified version and hash type is not enabled on server.], 3221266689 = [$id=HASH_NOT_PRESENT, $desc=The hash requests is not present or not up to date with the current file contents.], 3221267105 = [$id=OFFLOAD_READ_FLT_NOT_SUPPORTED, $desc=A file system filter on the server has not opted in for Offload Read support.], 3221267106 = [$id=OFFLOAD_WRITE_FLT_NOT_SUPPORTED, $desc=A file system filter on the server has not opted in for Offload Write support.], 3221267107 = [$id=OFFLOAD_READ_FILE_NOT_SUPPORTED, $desc=Offload read operations cannot be performed on:], 3221267108 = [$id=OFFLOAD_WRITE_FILE_NOT_SUPPORTED, $desc=Offload write operations cannot be performed on:], 3221291009 = [$id=DBG_NO_STATE_CHANGE, $desc=The debugger did not perform a state change.], 3221291010 = [$id=DBG_APP_NOT_IDLE, $desc=The debugger found that the application is not idle.], 3221356545 = [$id=RPC_NT_INVALID_STRING_BINDING, $desc=The string binding is invalid.], 3221356546 = [$id=RPC_NT_WRONG_KIND_OF_BINDING, $desc=The binding handle is not the correct type.], 3221356547 = [$id=RPC_NT_INVALID_BINDING, $desc=The binding handle is invalid.], 3221356548 = [$id=RPC_NT_PROTSEQ_NOT_SUPPORTED, $desc=The RPC protocol sequence is not supported.], 3221356549 = [$id=RPC_NT_INVALID_RPC_PROTSEQ, $desc=The RPC protocol sequence is invalid.], 3221356550 = [$id=RPC_NT_INVALID_STRING_UUID, $desc=The string UUID is invalid.], 3221356551 = [$id=RPC_NT_INVALID_ENDPOINT_FORMAT, $desc=The endpoint format is invalid.], 3221356552 = [$id=RPC_NT_INVALID_NET_ADDR, $desc=The network address is invalid.], 3221356553 = [$id=RPC_NT_NO_ENDPOINT_FOUND, $desc=No endpoint was found.], 3221356554 = [$id=RPC_NT_INVALID_TIMEOUT, $desc=The time-out value is invalid.], 3221356555 = [$id=RPC_NT_OBJECT_NOT_FOUND, $desc=The object UUID was not found.], 3221356556 = [$id=RPC_NT_ALREADY_REGISTERED, $desc=The object UUID has already been registered.], 3221356557 = [$id=RPC_NT_TYPE_ALREADY_REGISTERED, $desc=The type UUID has already been registered.], 3221356558 = [$id=RPC_NT_ALREADY_LISTENING, $desc=The RPC server is already listening.], 3221356559 = [$id=RPC_NT_NO_PROTSEQS_REGISTERED, $desc=No protocol sequences have been registered.], 3221356560 = [$id=RPC_NT_NOT_LISTENING, $desc=The RPC server is not listening.], 3221356561 = [$id=RPC_NT_UNKNOWN_MGR_TYPE, $desc=The manager type is unknown.], 3221356562 = [$id=RPC_NT_UNKNOWN_IF, $desc=The interface is unknown.], 3221356563 = [$id=RPC_NT_NO_BINDINGS, $desc=There are no bindings.], 3221356564 = [$id=RPC_NT_NO_PROTSEQS, $desc=There are no protocol sequences.], 3221356565 = [$id=RPC_NT_CANT_CREATE_ENDPOINT, $desc=The endpoint cannot be created.], 3221356566 = [$id=RPC_NT_OUT_OF_RESOURCES, $desc=Insufficient resources are available to complete this operation.], 3221356567 = [$id=RPC_NT_SERVER_UNAVAILABLE, $desc=The RPC server is unavailable.], 3221356568 = [$id=RPC_NT_SERVER_TOO_BUSY, $desc=The RPC server is too busy to complete this operation.], 3221356569 = [$id=RPC_NT_INVALID_NETWORK_OPTIONS, $desc=The network options are invalid.], 3221356570 = [$id=RPC_NT_NO_CALL_ACTIVE, $desc=No RPCs are active on this thread.], 3221356571 = [$id=RPC_NT_CALL_FAILED, $desc=The RPC failed.], 3221356572 = [$id=RPC_NT_CALL_FAILED_DNE, $desc=The RPC failed and did not execute.], 3221356573 = [$id=RPC_NT_PROTOCOL_ERROR, $desc=An RPC protocol error occurred.], 3221356575 = [$id=RPC_NT_UNSUPPORTED_TRANS_SYN, $desc=The RPC server does not support the transfer syntax.], 3221356577 = [$id=RPC_NT_UNSUPPORTED_TYPE, $desc=The type UUID is not supported.], 3221356578 = [$id=RPC_NT_INVALID_TAG, $desc=The tag is invalid.], 3221356579 = [$id=RPC_NT_INVALID_BOUND, $desc=The array bounds are invalid.], 3221356580 = [$id=RPC_NT_NO_ENTRY_NAME, $desc=The binding does not contain an entry name.], 3221356581 = [$id=RPC_NT_INVALID_NAME_SYNTAX, $desc=The name syntax is invalid.], 3221356582 = [$id=RPC_NT_UNSUPPORTED_NAME_SYNTAX, $desc=The name syntax is not supported.], 3221356584 = [$id=RPC_NT_UUID_NO_ADDRESS, $desc=No network address is available to construct a UUID.], 3221356585 = [$id=RPC_NT_DUPLICATE_ENDPOINT, $desc=The endpoint is a duplicate.], 3221356586 = [$id=RPC_NT_UNKNOWN_AUTHN_TYPE, $desc=The authentication type is unknown.], 3221356587 = [$id=RPC_NT_MAX_CALLS_TOO_SMALL, $desc=The maximum number of calls is too small.], 3221356588 = [$id=RPC_NT_STRING_TOO_LONG, $desc=The string is too long.], 3221356589 = [$id=RPC_NT_PROTSEQ_NOT_FOUND, $desc=The RPC protocol sequence was not found.], 3221356590 = [$id=RPC_NT_PROCNUM_OUT_OF_RANGE, $desc=The procedure number is out of range.], 3221356591 = [$id=RPC_NT_BINDING_HAS_NO_AUTH, $desc=The binding does not contain any authentication information.], 3221356592 = [$id=RPC_NT_UNKNOWN_AUTHN_SERVICE, $desc=The authentication service is unknown.], 3221356593 = [$id=RPC_NT_UNKNOWN_AUTHN_LEVEL, $desc=The authentication level is unknown.], 3221356594 = [$id=RPC_NT_INVALID_AUTH_IDENTITY, $desc=The security context is invalid.], 3221356595 = [$id=RPC_NT_UNKNOWN_AUTHZ_SERVICE, $desc=The authorization service is unknown.], 3221356596 = [$id=EPT_NT_INVALID_ENTRY, $desc=The entry is invalid.], 3221356597 = [$id=EPT_NT_CANT_PERFORM_OP, $desc=The operation cannot be performed.], 3221356598 = [$id=EPT_NT_NOT_REGISTERED, $desc=No more endpoints are available from the endpoint mapper.], 3221356599 = [$id=RPC_NT_NOTHING_TO_EXPORT, $desc=No interfaces have been exported.], 3221356600 = [$id=RPC_NT_INCOMPLETE_NAME, $desc=The entry name is incomplete.], 3221356601 = [$id=RPC_NT_INVALID_VERS_OPTION, $desc=The version option is invalid.], 3221356602 = [$id=RPC_NT_NO_MORE_MEMBERS, $desc=There are no more members.], 3221356603 = [$id=RPC_NT_NOT_ALL_OBJS_UNEXPORTED, $desc=There is nothing to unexport.], 3221356604 = [$id=RPC_NT_INTERFACE_NOT_FOUND, $desc=The interface was not found.], 3221356605 = [$id=RPC_NT_ENTRY_ALREADY_EXISTS, $desc=The entry already exists.], 3221356606 = [$id=RPC_NT_ENTRY_NOT_FOUND, $desc=The entry was not found.], 3221356607 = [$id=RPC_NT_NAME_SERVICE_UNAVAILABLE, $desc=The name service is unavailable.], 3221356608 = [$id=RPC_NT_INVALID_NAF_ID, $desc=The network address family is invalid.], 3221356609 = [$id=RPC_NT_CANNOT_SUPPORT, $desc=The requested operation is not supported.], 3221356610 = [$id=RPC_NT_NO_CONTEXT_AVAILABLE, $desc=No security context is available to allow impersonation.], 3221356611 = [$id=RPC_NT_INTERNAL_ERROR, $desc=An internal error occurred in the RPC.], 3221356612 = [$id=RPC_NT_ZERO_DIVIDE, $desc=The RPC server attempted to divide an integer by zero.], 3221356613 = [$id=RPC_NT_ADDRESS_ERROR, $desc=An addressing error occurred in the RPC server.], 3221356614 = [$id=RPC_NT_FP_DIV_ZERO, $desc=A floating point operation at the RPC server caused a divide by zero.], 3221356615 = [$id=RPC_NT_FP_UNDERFLOW, $desc=A floating point underflow occurred at the RPC server.], 3221356616 = [$id=RPC_NT_FP_OVERFLOW, $desc=A floating point overflow occurred at the RPC server.], 3221356617 = [$id=RPC_NT_CALL_IN_PROGRESS, $desc=An RPC is already in progress for this thread.], 3221356618 = [$id=RPC_NT_NO_MORE_BINDINGS, $desc=There are no more bindings.], 3221356619 = [$id=RPC_NT_GROUP_MEMBER_NOT_FOUND, $desc=The group member was not found.], 3221356620 = [$id=EPT_NT_CANT_CREATE, $desc=The endpoint mapper database entry could not be created.], 3221356621 = [$id=RPC_NT_INVALID_OBJECT, $desc=The object UUID is the nil UUID.], 3221356623 = [$id=RPC_NT_NO_INTERFACES, $desc=No interfaces have been registered.], 3221356624 = [$id=RPC_NT_CALL_CANCELLED, $desc=The RPC was canceled.], 3221356625 = [$id=RPC_NT_BINDING_INCOMPLETE, $desc=The binding handle does not contain all the required information.], 3221356626 = [$id=RPC_NT_COMM_FAILURE, $desc=A communications failure occurred during an RPC.], 3221356627 = [$id=RPC_NT_UNSUPPORTED_AUTHN_LEVEL, $desc=The requested authentication level is not supported.], 3221356628 = [$id=RPC_NT_NO_PRINC_NAME, $desc=No principal name was registered.], 3221356629 = [$id=RPC_NT_NOT_RPC_ERROR, $desc=The error specified is not a valid Windows RPC error code.], 3221356631 = [$id=RPC_NT_SEC_PKG_ERROR, $desc=A security package-specific error occurred.], 3221356632 = [$id=RPC_NT_NOT_CANCELLED, $desc=The thread was not canceled.], 3221356642 = [$id=RPC_NT_INVALID_ASYNC_HANDLE, $desc=Invalid asynchronous RPC handle.], 3221356643 = [$id=RPC_NT_INVALID_ASYNC_CALL, $desc=Invalid asynchronous RPC call handle for this operation.], 3221356644 = [$id=RPC_NT_PROXY_ACCESS_DENIED, $desc=Access to the HTTP proxy is denied.], 3221422081 = [$id=RPC_NT_NO_MORE_ENTRIES, $desc=The list of RPC servers available for auto-handle binding has been exhausted.], 3221422082 = [$id=RPC_NT_SS_CHAR_TRANS_OPEN_FAIL, $desc=The file designated by DCERPCCHARTRANS cannot be opened.], 3221422083 = [$id=RPC_NT_SS_CHAR_TRANS_SHORT_FILE, $desc=The file containing the character translation table has fewer than 512 bytes.], 3221422084 = [$id=RPC_NT_SS_IN_NULL_CONTEXT, $desc=A null context handle is passed as an [in] parameter.], 3221422085 = [$id=RPC_NT_SS_CONTEXT_MISMATCH, $desc=The context handle does not match any known context handles.], 3221422086 = [$id=RPC_NT_SS_CONTEXT_DAMAGED, $desc=The context handle changed during a call.], 3221422087 = [$id=RPC_NT_SS_HANDLES_MISMATCH, $desc=The binding handles passed to an RPC do not match.], 3221422088 = [$id=RPC_NT_SS_CANNOT_GET_CALL_HANDLE, $desc=The stub is unable to get the call handle.], 3221422089 = [$id=RPC_NT_NULL_REF_POINTER, $desc=A null reference pointer was passed to the stub.], 3221422090 = [$id=RPC_NT_ENUM_VALUE_OUT_OF_RANGE, $desc=The enumeration value is out of range.], 3221422091 = [$id=RPC_NT_BYTE_COUNT_TOO_SMALL, $desc=The byte count is too small.], 3221422092 = [$id=RPC_NT_BAD_STUB_DATA, $desc=The stub received bad data.], 3221422169 = [$id=RPC_NT_INVALID_ES_ACTION, $desc=Invalid operation on the encoding/decoding handle.], 3221422170 = [$id=RPC_NT_WRONG_ES_VERSION, $desc=Incompatible version of the serializing package.], 3221422171 = [$id=RPC_NT_WRONG_STUB_VERSION, $desc=Incompatible version of the RPC stub.], 3221422172 = [$id=RPC_NT_INVALID_PIPE_OBJECT, $desc=The RPC pipe object is invalid or corrupt.], 3221422173 = [$id=RPC_NT_INVALID_PIPE_OPERATION, $desc=An invalid operation was attempted on an RPC pipe object.], 3221422174 = [$id=RPC_NT_WRONG_PIPE_VERSION, $desc=Unsupported RPC pipe version.], 3221422175 = [$id=RPC_NT_PIPE_CLOSED, $desc=The RPC pipe object has already been closed.], 3221422176 = [$id=RPC_NT_PIPE_DISCIPLINE_ERROR, $desc=The RPC call completed before all pipes were processed.], 3221422177 = [$id=RPC_NT_PIPE_EMPTY, $desc=No more data is available from the RPC pipe.], 3221487669 = [$id=PNP_BAD_MPS_TABLE, $desc=A device is missing in the system BIOS MPS table. This device will not be used. Contact your system vendor for a system BIOS update.], 3221487670 = [$id=PNP_TRANSLATION_FAILED, $desc=A translator failed to translate resources.], 3221487671 = [$id=PNP_IRQ_TRANSLATION_FAILED, $desc=An IRQ translator failed to translate resources.], 3221487672 = [$id=PNP_INVALID_ID, $desc=Driver %2 returned an invalid ID for a child device (%3).], 3221487673 = [$id=IO_REISSUE_AS_CACHED, $desc=Reissue the given operation as a cached I/O operation], 3221880833 = [$id=CTX_WINSTATION_NAME_INVALID, $desc=Session name %1 is invalid.], 3221880834 = [$id=CTX_INVALID_PD, $desc=The protocol driver %1 is invalid.], 3221880835 = [$id=CTX_PD_NOT_FOUND, $desc=The protocol driver %1 was not found in the system path.], 3221880838 = [$id=CTX_CLOSE_PENDING, $desc=A close operation is pending on the terminal connection.], 3221880839 = [$id=CTX_NO_OUTBUF, $desc=No free output buffers are available.], 3221880840 = [$id=CTX_MODEM_INF_NOT_FOUND, $desc=The MODEM.INF file was not found.], 3221880841 = [$id=CTX_INVALID_MODEMNAME, $desc=The modem (%1) was not found in the MODEM.INF file.], 3221880842 = [$id=CTX_RESPONSE_ERROR, $desc=The modem did not accept the command sent to it. Verify that the configured modem name matches the attached modem.], 3221880843 = [$id=CTX_MODEM_RESPONSE_TIMEOUT, $desc=The modem did not respond to the command sent to it. Verify that the modem cable is properly attached and the modem is turned on.], 3221880844 = [$id=CTX_MODEM_RESPONSE_NO_CARRIER, $desc=Carrier detection has failed or the carrier has been dropped due to disconnection.], 3221880845 = [$id=CTX_MODEM_RESPONSE_NO_DIALTONE, $desc=A dial tone was not detected within the required time. Verify that the phone cable is properly attached and functional.], 3221880846 = [$id=CTX_MODEM_RESPONSE_BUSY, $desc=A busy signal was detected at a remote site on callback.], 3221880847 = [$id=CTX_MODEM_RESPONSE_VOICE, $desc=A voice was detected at a remote site on callback.], 3221880848 = [$id=CTX_TD_ERROR, $desc=Transport driver error.], 3221880850 = [$id=CTX_LICENSE_CLIENT_INVALID, $desc=The client you are using is not licensed to use this system. Your logon request is denied.], 3221880851 = [$id=CTX_LICENSE_NOT_AVAILABLE, $desc=The system has reached its licensed logon limit. Try again later.], 3221880852 = [$id=CTX_LICENSE_EXPIRED, $desc=The system license has expired. Your logon request is denied.], 3221880853 = [$id=CTX_WINSTATION_NOT_FOUND, $desc=The specified session cannot be found.], 3221880854 = [$id=CTX_WINSTATION_NAME_COLLISION, $desc=The specified session name is already in use.], 3221880855 = [$id=CTX_WINSTATION_BUSY, $desc=The requested operation cannot be completed because the terminal connection is currently processing a connect, disconnect, reset, or delete operation.], 3221880856 = [$id=CTX_BAD_VIDEO_MODE, $desc=An attempt has been made to connect to a session whose video mode is not supported by the current client.], 3221880866 = [$id=CTX_GRAPHICS_INVALID, $desc=The application attempted to enable DOS graphics mode. DOS graphics mode is not supported.], 3221880868 = [$id=CTX_NOT_CONSOLE, $desc=The requested operation can be performed only on the system console. This is most often the result of a driver or system DLL requiring direct console access.], 3221880870 = [$id=CTX_CLIENT_QUERY_TIMEOUT, $desc=The client failed to respond to the server connect message.], 3221880871 = [$id=CTX_CONSOLE_DISCONNECT, $desc=Disconnecting the console session is not supported.], 3221880872 = [$id=CTX_CONSOLE_CONNECT, $desc=Reconnecting a disconnected session to the console is not supported.], 3221880874 = [$id=CTX_SHADOW_DENIED, $desc=The request to control another session remotely was denied.], 3221880875 = [$id=CTX_WINSTATION_ACCESS_DENIED, $desc=A process has requested access to a session, but has not been granted those access rights.], 3221880878 = [$id=CTX_INVALID_WD, $desc=The terminal connection driver %1 is invalid.], 3221880879 = [$id=CTX_WD_NOT_FOUND, $desc=The terminal connection driver %1 was not found in the system path.], 3221880880 = [$id=CTX_SHADOW_INVALID, $desc=The requested session cannot be controlled remotely. You cannot control your own session, a session that is trying to control your session, a session that has no user logged on, or other sessions from the console.], 3221880881 = [$id=CTX_SHADOW_DISABLED, $desc=The requested session is not configured to allow remote control.], 3221880882 = [$id=RDP_PROTOCOL_ERROR, $desc=The RDP protocol component %2 detected an error in the protocol stream and has disconnected the client.], 3221880883 = [$id=CTX_CLIENT_LICENSE_NOT_SET, $desc=Your request to connect to this terminal server has been rejected. Your terminal server client license number has not been entered for this copy of the terminal client. Contact your system administrator for help in entering a valid, unique license number for this terminal server client. Click OK to continue.], 3221880884 = [$id=CTX_CLIENT_LICENSE_IN_USE, $desc=Your request to connect to this terminal server has been rejected. Your terminal server client license number is currently being used by another user. Contact your system administrator to obtain a new copy of the terminal server client with a valid, unique license number. Click OK to continue.], 3221880885 = [$id=CTX_SHADOW_ENDED_BY_MODE_CHANGE, $desc=The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.], 3221880886 = [$id=CTX_SHADOW_NOT_RUNNING, $desc=Remote control could not be terminated because the specified session is not currently being remotely controlled.], 3221880887 = [$id=CTX_LOGON_DISABLED, $desc=Your interactive logon privilege has been disabled. Contact your system administrator.], 3221880888 = [$id=CTX_SECURITY_LAYER_ERROR, $desc=The terminal server security layer detected an error in the protocol stream and has disconnected the client.], 3221880889 = [$id=TS_INCOMPATIBLE_SESSIONS, $desc=The target session is incompatible with the current session.], 3221946369 = [$id=MUI_FILE_NOT_FOUND, $desc=The resource loader failed to find an MUI file.], 3221946370 = [$id=MUI_INVALID_FILE, $desc=The resource loader failed to load an MUI file because the file failed to pass validation.], 3221946371 = [$id=MUI_INVALID_RC_CONFIG, $desc=The RC manifest is corrupted with garbage data, is an unsupported version, or is missing a required item.], 3221946372 = [$id=MUI_INVALID_LOCALE_NAME, $desc=The RC manifest has an invalid culture name.], 3221946373 = [$id=MUI_INVALID_ULTIMATEFALLBACK_NAME, $desc=The RC manifest has and invalid ultimate fallback name.], 3221946374 = [$id=MUI_FILE_NOT_LOADED, $desc=The resource loader cache does not have a loaded MUI entry.], 3221946375 = [$id=RESOURCE_ENUM_USER_STOP, $desc=The user stopped resource enumeration.], 3222470657 = [$id=CLUSTER_INVALID_NODE, $desc=The cluster node is not valid.], 3222470658 = [$id=CLUSTER_NODE_EXISTS, $desc=The cluster node already exists.], 3222470659 = [$id=CLUSTER_JOIN_IN_PROGRESS, $desc=A node is in the process of joining the cluster.], 3222470660 = [$id=CLUSTER_NODE_NOT_FOUND, $desc=The cluster node was not found.], 3222470661 = [$id=CLUSTER_LOCAL_NODE_NOT_FOUND, $desc=The cluster local node information was not found.], 3222470662 = [$id=CLUSTER_NETWORK_EXISTS, $desc=The cluster network already exists.], 3222470663 = [$id=CLUSTER_NETWORK_NOT_FOUND, $desc=The cluster network was not found.], 3222470664 = [$id=CLUSTER_NETINTERFACE_EXISTS, $desc=The cluster network interface already exists.], 3222470665 = [$id=CLUSTER_NETINTERFACE_NOT_FOUND, $desc=The cluster network interface was not found.], 3222470666 = [$id=CLUSTER_INVALID_REQUEST, $desc=The cluster request is not valid for this object.], 3222470667 = [$id=CLUSTER_INVALID_NETWORK_PROVIDER, $desc=The cluster network provider is not valid.], 3222470668 = [$id=CLUSTER_NODE_DOWN, $desc=The cluster node is down.], 3222470669 = [$id=CLUSTER_NODE_UNREACHABLE, $desc=The cluster node is not reachable.], 3222470670 = [$id=CLUSTER_NODE_NOT_MEMBER, $desc=The cluster node is not a member of the cluster.], 3222470671 = [$id=CLUSTER_JOIN_NOT_IN_PROGRESS, $desc=A cluster join operation is not in progress.], 3222470672 = [$id=CLUSTER_INVALID_NETWORK, $desc=The cluster network is not valid.], 3222470673 = [$id=CLUSTER_NO_NET_ADAPTERS, $desc=No network adapters are available.], 3222470674 = [$id=CLUSTER_NODE_UP, $desc=The cluster node is up.], 3222470675 = [$id=CLUSTER_NODE_PAUSED, $desc=The cluster node is paused.], 3222470676 = [$id=CLUSTER_NODE_NOT_PAUSED, $desc=The cluster node is not paused.], 3222470677 = [$id=CLUSTER_NO_SECURITY_CONTEXT, $desc=No cluster security context is available.], 3222470678 = [$id=CLUSTER_NETWORK_NOT_INTERNAL, $desc=The cluster network is not configured for internal cluster communication.], 3222470679 = [$id=CLUSTER_POISONED, $desc=The cluster node has been poisoned.], 3222536193 = [$id=ACPI_INVALID_OPCODE, $desc=An attempt was made to run an invalid AML opcode.], 3222536194 = [$id=ACPI_STACK_OVERFLOW, $desc=The AML interpreter stack has overflowed.], 3222536195 = [$id=ACPI_ASSERT_FAILED, $desc=An inconsistent state has occurred.], 3222536196 = [$id=ACPI_INVALID_INDEX, $desc=An attempt was made to access an array outside its bounds.], 3222536197 = [$id=ACPI_INVALID_ARGUMENT, $desc=A required argument was not specified.], 3222536198 = [$id=ACPI_FATAL, $desc=A fatal error has occurred.], 3222536199 = [$id=ACPI_INVALID_SUPERNAME, $desc=An invalid SuperName was specified.], 3222536200 = [$id=ACPI_INVALID_ARGTYPE, $desc=An argument with an incorrect type was specified.], 3222536201 = [$id=ACPI_INVALID_OBJTYPE, $desc=An object with an incorrect type was specified.], 3222536202 = [$id=ACPI_INVALID_TARGETTYPE, $desc=A target with an incorrect type was specified.], 3222536203 = [$id=ACPI_INCORRECT_ARGUMENT_COUNT, $desc=An incorrect number of arguments was specified.], 3222536204 = [$id=ACPI_ADDRESS_NOT_MAPPED, $desc=An address failed to translate.], 3222536205 = [$id=ACPI_INVALID_EVENTTYPE, $desc=An incorrect event type was specified.], 3222536206 = [$id=ACPI_HANDLER_COLLISION, $desc=A handler for the target already exists.], 3222536207 = [$id=ACPI_INVALID_DATA, $desc=Invalid data for the target was specified.], 3222536208 = [$id=ACPI_INVALID_REGION, $desc=An invalid region for the target was specified.], 3222536209 = [$id=ACPI_INVALID_ACCESS_SIZE, $desc=An attempt was made to access a field outside the defined range.], 3222536210 = [$id=ACPI_ACQUIRE_GLOBAL_LOCK, $desc=The global system lock could not be acquired.], 3222536211 = [$id=ACPI_ALREADY_INITIALIZED, $desc=An attempt was made to reinitialize the ACPI subsystem.], 3222536212 = [$id=ACPI_NOT_INITIALIZED, $desc=The ACPI subsystem has not been initialized.], 3222536213 = [$id=ACPI_INVALID_MUTEX_LEVEL, $desc=An incorrect mutex was specified.], 3222536214 = [$id=ACPI_MUTEX_NOT_OWNED, $desc=The mutex is not currently owned.], 3222536215 = [$id=ACPI_MUTEX_NOT_OWNER, $desc=An attempt was made to access the mutex by a process that was not the owner.], 3222536216 = [$id=ACPI_RS_ACCESS, $desc=An error occurred during an access to region space.], 3222536217 = [$id=ACPI_INVALID_TABLE, $desc=An attempt was made to use an incorrect table.], 3222536224 = [$id=ACPI_REG_HANDLER_FAILED, $desc=The registration of an ACPI event failed.], 3222536225 = [$id=ACPI_POWER_REQUEST_FAILED, $desc=An ACPI power object failed to transition state.], 3222601729 = [$id=SXS_SECTION_NOT_FOUND, $desc=The requested section is not present in the activation context.], 3222601730 = [$id=SXS_CANT_GEN_ACTCTX, $desc=0xC0150003<br />STATUS_SXS_INVALID_ACTCTXDATA_FORMAT], 3222601732 = [$id=SXS_ASSEMBLY_NOT_FOUND, $desc=The referenced assembly is not installed on the system.], 3222601733 = [$id=SXS_MANIFEST_FORMAT_ERROR, $desc=The manifest file does not begin with the required tag and format information.], 3222601734 = [$id=SXS_MANIFEST_PARSE_ERROR, $desc=The manifest file contains one or more syntax errors.], 3222601735 = [$id=SXS_ACTIVATION_CONTEXT_DISABLED, $desc=The application attempted to activate a disabled activation context.], 3222601736 = [$id=SXS_KEY_NOT_FOUND, $desc=The requested lookup key was not found in any active activation context.], 3222601737 = [$id=SXS_VERSION_CONFLICT, $desc=A component version required by the application conflicts with another component version that is already active.], 3222601738 = [$id=SXS_WRONG_SECTION_TYPE, $desc=The type requested activation context section does not match the query API used.], 3222601739 = [$id=SXS_THREAD_QUERIES_DISABLED, $desc=Lack of system resources has required isolated activation to be disabled for the current thread of execution.], 3222601740 = [$id=SXS_ASSEMBLY_MISSING, $desc=The referenced assembly could not be found.], 3222601742 = [$id=SXS_PROCESS_DEFAULT_ALREADY_SET, $desc=An attempt to set the process default activation context failed because the process default activation context was already set.], 3222601743 = [$id=SXS_EARLY_DEACTIVATION, $desc=The activation context being deactivated is not the most recently activated one.], 3222601744 = [$id=SXS_INVALID_DEACTIVATION, $desc=The activation context being deactivated is not active for the current thread of execution.], 3222601745 = [$id=SXS_MULTIPLE_DEACTIVATION, $desc=The activation context being deactivated has already been deactivated.], 3222601746 = [$id=SXS_SYSTEM_DEFAULT_ACTIVATION_CONTEXT_EMPTY, $desc=The activation context of the system default assembly could not be generated.], 3222601747 = [$id=SXS_PROCESS_TERMINATION_REQUESTED, $desc=A component used by the isolation facility has requested that the process be terminated.], 3222601748 = [$id=SXS_CORRUPT_ACTIVATION_STACK, $desc=The activation context activation stack for the running thread of execution is corrupt.], 3222601749 = [$id=SXS_CORRUPTION, $desc=The application isolation metadata for this process or thread has become corrupt.], 3222601750 = [$id=SXS_INVALID_IDENTITY_ATTRIBUTE_VALUE, $desc=The value of an attribute in an identity is not within the legal range.], 3222601751 = [$id=SXS_INVALID_IDENTITY_ATTRIBUTE_NAME, $desc=The name of an attribute in an identity is not within the legal range.], 3222601752 = [$id=SXS_IDENTITY_DUPLICATE_ATTRIBUTE, $desc=An identity contains two definitions for the same attribute.], 3222601753 = [$id=SXS_IDENTITY_PARSE_ERROR, $desc=The identity string is malformed. This may be due to a trailing comma, more than two unnamed attributes, a missing attribute name, or a missing attribute value.], 3222601754 = [$id=SXS_COMPONENT_STORE_CORRUPT, $desc=The component store has become corrupted.], 3222601755 = [$id=SXS_FILE_HASH_MISMATCH, $desc=A component's file does not match the verification information present in the component manifest.], 3222601756 = [$id=SXS_MANIFEST_IDENTITY_SAME_BUT_CONTENTS_DIFFERENT, $desc=The identities of the manifests are identical, but their contents are different.], 3222601757 = [$id=SXS_IDENTITIES_DIFFERENT, $desc=The component identities are different.], 3222601758 = [$id=SXS_ASSEMBLY_IS_NOT_A_DEPLOYMENT, $desc=The assembly is not a deployment.], 3222601759 = [$id=SXS_FILE_NOT_PART_OF_ASSEMBLY, $desc=The file is not a part of the assembly.], 3222601760 = [$id=ADVANCED_INSTALLER_FAILED, $desc=An advanced installer failed during setup or servicing.], 3222601761 = [$id=XML_ENCODING_MISMATCH, $desc=The character encoding in the XML declaration did not match the encoding used in the document.], 3222601762 = [$id=SXS_MANIFEST_TOO_BIG, $desc=The size of the manifest exceeds the maximum allowed.], 3222601763 = [$id=SXS_SETTING_NOT_REGISTERED, $desc=The setting is not registered.], 3222601764 = [$id=SXS_TRANSACTION_CLOSURE_INCOMPLETE, $desc=One or more required transaction members are not present.], 3222601765 = [$id=SMI_PRIMITIVE_INSTALLER_FAILED, $desc=The SMI primitive installer failed during setup or servicing.], 3222601766 = [$id=GENERIC_COMMAND_FAILED, $desc=A generic command executable returned a result that indicates failure.], 3222601767 = [$id=SXS_FILE_HASH_MISSING, $desc=A component is missing file verification information in its manifest.], 3222863873 = [$id=TRANSACTIONAL_CONFLICT, $desc=The function attempted to use a name that is reserved for use by another transaction.], 3222863874 = [$id=INVALID_TRANSACTION, $desc=The transaction handle associated with this operation is invalid.], 3222863875 = [$id=TRANSACTION_NOT_ACTIVE, $desc=The requested operation was made in the context of a transaction that is no longer active.], 3222863876 = [$id=TM_INITIALIZATION_FAILED, $desc=The transaction manager was unable to be successfully initialized. Transacted operations are not supported.], 3222863877 = [$id=RM_NOT_ACTIVE, $desc=Transaction support within the specified file system resource manager was not started or was shut down due to an error.], 3222863878 = [$id=RM_METADATA_CORRUPT, $desc=The metadata of the resource manager has been corrupted. The resource manager will not function.], 3222863879 = [$id=TRANSACTION_NOT_JOINED, $desc=The resource manager attempted to prepare a transaction that it has not successfully joined.], 3222863880 = [$id=DIRECTORY_NOT_RM, $desc=The specified directory does not contain a file system resource manager.], 3222863882 = [$id=TRANSACTIONS_UNSUPPORTED_REMOTE, $desc=The remote server or share does not support transacted file operations.], 3222863883 = [$id=LOG_RESIZE_INVALID_SIZE, $desc=The requested log size for the file system resource manager is invalid.], 3222863884 = [$id=REMOTE_FILE_VERSION_MISMATCH, $desc=The remote server sent mismatching version number or Fid for a file opened with transactions.], 3222863887 = [$id=CRM_PROTOCOL_ALREADY_EXISTS, $desc=The resource manager tried to register a protocol that already exists.], 3222863888 = [$id=TRANSACTION_PROPAGATION_FAILED, $desc=The attempt to propagate the transaction failed.], 3222863889 = [$id=CRM_PROTOCOL_NOT_FOUND, $desc=The requested propagation protocol was not registered as a CRM.], 3222863890 = [$id=TRANSACTION_SUPERIOR_EXISTS, $desc=The transaction object already has a superior enlistment, and the caller attempted an operation that would have created a new superior. Only a single superior enlistment is allowed.], 3222863891 = [$id=TRANSACTION_REQUEST_NOT_VALID, $desc=The requested operation is not valid on the transaction object in its current state.], 3222863892 = [$id=TRANSACTION_NOT_REQUESTED, $desc=The caller has called a response API, but the response is not expected because the transaction manager did not issue the corresponding request to the caller.], 3222863893 = [$id=TRANSACTION_ALREADY_ABORTED, $desc=It is too late to perform the requested operation, because the transaction has already been aborted.], 3222863894 = [$id=TRANSACTION_ALREADY_COMMITTED, $desc=It is too late to perform the requested operation, because the transaction has already been committed.], 3222863895 = [$id=TRANSACTION_INVALID_MARSHALL_BUFFER, $desc=The buffer passed in to NtPushTransaction or NtPullTransaction is not in a valid format.], 3222863896 = [$id=CURRENT_TRANSACTION_NOT_VALID, $desc=The current transaction context associated with the thread is not a valid handle to a transaction object.], 3222863897 = [$id=LOG_GROWTH_FAILED, $desc=An attempt to create space in the transactional resource manager's log failed. The failure status has been recorded in the event log.], 3222863905 = [$id=OBJECT_NO_LONGER_EXISTS, $desc=The object (file, stream, or link) that corresponds to the handle has been deleted by a transaction savepoint rollback.], 3222863906 = [$id=STREAM_MINIVERSION_NOT_FOUND, $desc=The specified file miniversion was not found for this transacted file open.], 3222863907 = [$id=STREAM_MINIVERSION_NOT_VALID, $desc=The specified file miniversion was found but has been invalidated. The most likely cause is a transaction savepoint rollback.], 3222863908 = [$id=MINIVERSION_INACCESSIBLE_FROM_SPECIFIED_TRANSACTION, $desc=A miniversion may be opened only in the context of the transaction that created it.], 3222863909 = [$id=CANT_OPEN_MINIVERSION_WITH_MODIFY_INTENT, $desc=It is not possible to open a miniversion with modify access.], 3222863910 = [$id=CANT_CREATE_MORE_STREAM_MINIVERSIONS, $desc=It is not possible to create any more miniversions for this stream.], 3222863912 = [$id=HANDLE_NO_LONGER_VALID, $desc=The handle has been invalidated by a transaction. The most likely cause is the presence of memory mapping on a file or an open handle when the transaction ended or rolled back to savepoint.], 3222863920 = [$id=LOG_CORRUPTION_DETECTED, $desc=The log data is corrupt.], 3222863922 = [$id=RM_DISCONNECTED, $desc=The transaction outcome is unavailable because the resource manager responsible for it is disconnected.], 3222863923 = [$id=ENLISTMENT_NOT_SUPERIOR, $desc=The request was rejected because the enlistment in question is not a superior enlistment.], 3222863926 = [$id=FILE_IDENTITY_NOT_PERSISTENT, $desc=The file cannot be opened in a transaction because its identity depends on the outcome of an unresolved transaction.], 3222863927 = [$id=CANT_BREAK_TRANSACTIONAL_DEPENDENCY, $desc=The operation cannot be performed because another transaction is depending on this property not changing.], 3222863928 = [$id=CANT_CROSS_RM_BOUNDARY, $desc=The operation would involve a single file with two transactional resource managers and is, therefore, not allowed.], 3222863929 = [$id=TXF_DIR_NOT_EMPTY, $desc=The $Txf directory must be empty for this operation to succeed.], 3222863930 = [$id=INDOUBT_TRANSACTIONS_EXIST, $desc=The operation would leave a transactional resource manager in an inconsistent state and is therefore not allowed.], 3222863931 = [$id=TM_VOLATILE, $desc=The operation could not be completed because the transaction manager does not have a log.], 3222863932 = [$id=ROLLBACK_TIMER_EXPIRED, $desc=A rollback could not be scheduled because a previously scheduled rollback has already executed or been queued for execution.], 3222863933 = [$id=TXF_ATTRIBUTE_CORRUPT, $desc=The transactional metadata attribute on the file or directory %hs is corrupt and unreadable.], 3222863934 = [$id=EFS_NOT_ALLOWED_IN_TRANSACTION, $desc=The encryption operation could not be completed because a transaction is active.], 3222863935 = [$id=TRANSACTIONAL_OPEN_NOT_ALLOWED, $desc=This object is not allowed to be opened in a transaction.], 3222863936 = [$id=TRANSACTED_MAPPING_UNSUPPORTED_REMOTE, $desc=Memory mapping (creating a mapped section) a remote file under a transaction is not supported.], 3222863939 = [$id=TRANSACTION_REQUIRED_PROMOTION, $desc=Promotion was required to allow the resource manager to enlist, but the transaction was set to disallow it.], 3222863940 = [$id=CANNOT_EXECUTE_FILE_IN_TRANSACTION, $desc=This file is open for modification in an unresolved transaction and may be opened for execute only by a transacted reader.], 3222863941 = [$id=TRANSACTIONS_NOT_FROZEN, $desc=The request to thaw frozen transactions was ignored because transactions were not previously frozen.], 3222863942 = [$id=TRANSACTION_FREEZE_IN_PROGRESS, $desc=Transactions cannot be frozen because a freeze is already in progress.], 3222863943 = [$id=NOT_SNAPSHOT_VOLUME, $desc=The target volume is not a snapshot volume. This operation is valid only on a volume mounted as a snapshot.], 3222863944 = [$id=NO_SAVEPOINT_WITH_OPEN_FILES, $desc=The savepoint operation failed because files are open on the transaction, which is not permitted.], 3222863945 = [$id=SPARSE_NOT_ALLOWED_IN_TRANSACTION, $desc=The sparse operation could not be completed because a transaction is active on the file.], 3222863946 = [$id=TM_IDENTITY_MISMATCH, $desc=The call to create a transaction manager object failed because the Tm Identity that is stored in the log file does not match the Tm Identity that was passed in as an argument.], 3222863947 = [$id=FLOATED_SECTION, $desc=I/O was attempted on a section object that has been floated as a result of a transaction ending. There is no valid data.], 3222863948 = [$id=CANNOT_ACCEPT_TRANSACTED_WORK, $desc=The transactional resource manager cannot currently accept transacted work due to a transient condition, such as low resources.], 3222863949 = [$id=CANNOT_ABORT_TRANSACTIONS, $desc=The transactional resource manager had too many transactions outstanding that could not be aborted. The transactional resource manager has been shut down.], 3222863950 = [$id=TRANSACTION_NOT_FOUND, $desc=The specified transaction was unable to be opened because it was not found.], 3222863951 = [$id=RESOURCEMANAGER_NOT_FOUND, $desc=The specified resource manager was unable to be opened because it was not found.], 3222863952 = [$id=ENLISTMENT_NOT_FOUND, $desc=The specified enlistment was unable to be opened because it was not found.], 3222863953 = [$id=TRANSACTIONMANAGER_NOT_FOUND, $desc=The specified transaction manager was unable to be opened because it was not found.], 3222863954 = [$id=TRANSACTIONMANAGER_NOT_ONLINE, $desc=The specified resource manager was unable to create an enlistment because its associated transaction manager is not online.], 3222863955 = [$id=TRANSACTIONMANAGER_RECOVERY_NAME_COLLISION, $desc=The specified transaction manager was unable to create the objects contained in its log file in the Ob namespace. Therefore, the transaction manager was unable to recover.], 3222863956 = [$id=TRANSACTION_NOT_ROOT, $desc=The call to create a superior enlistment on this transaction object could not be completed because the transaction object specified for the enlistment is a subordinate branch of the transaction. Only the root of the transaction can be enlisted as a superior.], 3222863957 = [$id=TRANSACTION_OBJECT_EXPIRED, $desc=Because the associated transaction manager or resource manager has been closed, the handle is no longer valid.], 3222863958 = [$id=COMPRESSION_NOT_ALLOWED_IN_TRANSACTION, $desc=The compression operation could not be completed because a transaction is active on the file.], 3222863959 = [$id=TRANSACTION_RESPONSE_NOT_ENLISTED, $desc=The specified operation could not be performed on this superior enlistment because the enlistment was not created with the corresponding completion response in the NotificationMask.], 3222863960 = [$id=TRANSACTION_RECORD_TOO_LONG, $desc=The specified operation could not be performed because the record to be logged was too long. This can occur because either there are too many enlistments on this transaction or the combined RecoveryInformation being logged on behalf of those enlistments is too long.], 3222863961 = [$id=NO_LINK_TRACKING_IN_TRANSACTION, $desc=The link-tracking operation could not be completed because a transaction is active.], 3222863962 = [$id=OPERATION_NOT_SUPPORTED_IN_TRANSACTION, $desc=This operation cannot be performed in a transaction.], 3222863963 = [$id=TRANSACTION_INTEGRITY_VIOLATED, $desc=The kernel transaction manager had to abort or forget the transaction because it blocked forward progress.], 3222863968 = [$id=EXPIRED_HANDLE, $desc=The handle is no longer properly associated with its transaction.  It may have been opened in a transactional resource manager that was subsequently forced to restart.  Please close the handle and open a new one.], 3222863969 = [$id=TRANSACTION_NOT_ENLISTED, $desc=The specified operation could not be performed because the resource manager is not enlisted in the transaction.], 3222929409 = [$id=LOG_SECTOR_INVALID, $desc=The log service found an invalid log sector.], 3222929410 = [$id=LOG_SECTOR_PARITY_INVALID, $desc=The log service encountered a log sector with invalid block parity.], 3222929411 = [$id=LOG_SECTOR_REMAPPED, $desc=The log service encountered a remapped log sector.], 3222929412 = [$id=LOG_BLOCK_INCOMPLETE, $desc=The log service encountered a partial or incomplete log block.], 3222929413 = [$id=LOG_INVALID_RANGE, $desc=The log service encountered an attempt to access data outside the active log range.], 3222929414 = [$id=LOG_BLOCKS_EXHAUSTED, $desc=The log service user-log marshaling buffers are exhausted.], 3222929415 = [$id=LOG_READ_CONTEXT_INVALID, $desc=The log service encountered an attempt to read from a marshaling area with an invalid read context.], 3222929416 = [$id=LOG_RESTART_INVALID, $desc=The log service encountered an invalid log restart area.], 3222929417 = [$id=LOG_BLOCK_VERSION, $desc=The log service encountered an invalid log block version.], 3222929418 = [$id=LOG_BLOCK_INVALID, $desc=The log service encountered an invalid log block.], 3222929419 = [$id=LOG_READ_MODE_INVALID, $desc=The log service encountered an attempt to read the log with an invalid read mode.], 3222929421 = [$id=LOG_METADATA_CORRUPT, $desc=The log service encountered a corrupted metadata file.], 3222929422 = [$id=LOG_METADATA_INVALID, $desc=The log service encountered a metadata file that could not be created by the log file system.], 3222929423 = [$id=LOG_METADATA_INCONSISTENT, $desc=The log service encountered a metadata file with inconsistent data.], 3222929424 = [$id=LOG_RESERVATION_INVALID, $desc=The log service encountered an attempt to erroneously allocate or dispose reservation space.], 3222929425 = [$id=LOG_CANT_DELETE, $desc=The log service cannot delete the log file or the file system container.], 3222929426 = [$id=LOG_CONTAINER_LIMIT_EXCEEDED, $desc=The log service has reached the maximum allowable containers allocated to a log file.], 3222929427 = [$id=LOG_START_OF_LOG, $desc=The log service has attempted to read or write backward past the start of the log.], 3222929428 = [$id=LOG_POLICY_ALREADY_INSTALLED, $desc=The log policy could not be installed because a policy of the same type is already present.], 3222929429 = [$id=LOG_POLICY_NOT_INSTALLED, $desc=The log policy in question was not installed at the time of the request.], 3222929430 = [$id=LOG_POLICY_INVALID, $desc=The installed set of policies on the log is invalid.], 3222929431 = [$id=LOG_POLICY_CONFLICT, $desc=A policy on the log in question prevented the operation from completing.], 3222929432 = [$id=LOG_PINNED_ARCHIVE_TAIL, $desc=The log space cannot be reclaimed because the log is pinned by the archive tail.], 3222929433 = [$id=LOG_RECORD_NONEXISTENT, $desc=The log record is not a record in the log file.], 3222929434 = [$id=LOG_RECORDS_RESERVED_INVALID, $desc=The number of reserved log records or the adjustment of the number of reserved log records is invalid.], 3222929435 = [$id=LOG_SPACE_RESERVED_INVALID, $desc=The reserved log space or the adjustment of the log space is invalid.], 3222929436 = [$id=LOG_TAIL_INVALID, $desc=A new or existing archive tail or the base of the active log is invalid.], 3222929437 = [$id=LOG_FULL, $desc=The log space is exhausted.], 3222929438 = [$id=LOG_MULTIPLEXED, $desc=The log is multiplexed; no direct writes to the physical log are allowed.], 3222929439 = [$id=LOG_DEDICATED, $desc=The operation failed because the log is dedicated.], 3222929440 = [$id=LOG_ARCHIVE_NOT_IN_PROGRESS, $desc=The operation requires an archive context.], 3222929441 = [$id=LOG_ARCHIVE_IN_PROGRESS, $desc=Log archival is in progress.], 3222929442 = [$id=LOG_EPHEMERAL, $desc=The operation requires a nonephemeral log, but the log is ephemeral.], 3222929443 = [$id=LOG_NOT_ENOUGH_CONTAINERS, $desc=The log must have at least two containers before it can be read from or written to.], 3222929444 = [$id=LOG_CLIENT_ALREADY_REGISTERED, $desc=A log client has already registered on the stream.], 3222929445 = [$id=LOG_CLIENT_NOT_REGISTERED, $desc=A log client has not been registered on the stream.], 3222929446 = [$id=LOG_FULL_HANDLER_IN_PROGRESS, $desc=A request has already been made to handle the log full condition.], 3222929447 = [$id=LOG_CONTAINER_READ_FAILED, $desc=The log service encountered an error when attempting to read from a log container.], 3222929448 = [$id=LOG_CONTAINER_WRITE_FAILED, $desc=The log service encountered an error when attempting to write to a log container.], 3222929449 = [$id=LOG_CONTAINER_OPEN_FAILED, $desc=The log service encountered an error when attempting to open a log container.], 3222929450 = [$id=LOG_CONTAINER_STATE_INVALID, $desc=The log service encountered an invalid container state when attempting a requested action.], 3222929451 = [$id=LOG_STATE_INVALID, $desc=The log service is not in the correct state to perform a requested action.], 3222929452 = [$id=LOG_PINNED, $desc=The log space cannot be reclaimed because the log is pinned.], 3222929453 = [$id=LOG_METADATA_FLUSH_FAILED, $desc=The log metadata flush failed.], 3222929454 = [$id=LOG_INCONSISTENT_SECURITY, $desc=Security on the log and its containers is inconsistent.], 3222929455 = [$id=LOG_APPENDED_FLUSH_FAILED, $desc=Records were appended to the log or reservation changes were made, but the log could not be flushed.], 3222929456 = [$id=LOG_PINNED_RESERVATION, $desc=The log is pinned due to reservation consuming most of the log space. Free some reserved records to make space available.], 3222995178 = [$id=VIDEO_HUNG_DISPLAY_DRIVER_THREAD, $desc={Display Driver Stopped Responding} The %hs display driver has stopped working normally. Save your work and reboot the system to restore full display functionality. The next time you reboot the computer, a dialog box will allow you to upload data about this failure to Microsoft.], 3223060481 = [$id=FLT_NO_HANDLER_DEFINED, $desc=A handler was not defined by the filter for this operation.], 3223060482 = [$id=FLT_CONTEXT_ALREADY_DEFINED, $desc=A context is already defined for this object.], 3223060483 = [$id=FLT_INVALID_ASYNCHRONOUS_REQUEST, $desc=Asynchronous requests are not valid for this operation.], 3223060484 = [$id=FLT_DISALLOW_FAST_IO, $desc=This is an internal error code used by the filter manager to determine if a fast I/O operation should be forced down the input/output request packet (IRP) path. Minifilters should never return this value.], 3223060485 = [$id=FLT_INVALID_NAME_REQUEST, $desc=An invalid name request was made. The name requested cannot be retrieved at this time.], 3223060486 = [$id=FLT_NOT_SAFE_TO_POST_OPERATION, $desc=Posting this operation to a worker thread for further processing is not safe at this time because it could lead to a system deadlock.], 3223060487 = [$id=FLT_NOT_INITIALIZED, $desc=The Filter Manager was not initialized when a filter tried to register. Make sure that the Filter Manager is loaded as a driver.], 3223060488 = [$id=FLT_FILTER_NOT_READY, $desc=The filter is not ready for attachment to volumes because it has not finished initializing (FltStartFiltering has not been called).], 3223060489 = [$id=FLT_POST_OPERATION_CLEANUP, $desc=The filter must clean up any operation-specific context at this time because it is being removed from the system before the operation is completed by the lower drivers.], 3223060490 = [$id=FLT_INTERNAL_ERROR, $desc=The Filter Manager had an internal error from which it cannot recover; therefore, the operation has failed. This is usually the result of a filter returning an invalid value from a pre-operation callback.], 3223060491 = [$id=FLT_DELETING_OBJECT, $desc=The object specified for this action is in the process of being deleted; therefore, the action requested cannot be completed at this time.], 3223060492 = [$id=FLT_MUST_BE_NONPAGED_POOL, $desc=A nonpaged pool must be used for this type of context.], 3223060493 = [$id=FLT_DUPLICATE_ENTRY, $desc=A duplicate handler definition has been provided for an operation.], 3223060494 = [$id=FLT_CBDQ_DISABLED, $desc=The callback data queue has been disabled.], 3223060495 = [$id=FLT_DO_NOT_ATTACH, $desc=Do not attach the filter to the volume at this time.], 3223060496 = [$id=FLT_DO_NOT_DETACH, $desc=Do not detach the filter from the volume at this time.], 3223060497 = [$id=FLT_INSTANCE_ALTITUDE_COLLISION, $desc=An instance already exists at this altitude on the volume specified.], 3223060498 = [$id=FLT_INSTANCE_NAME_COLLISION, $desc=An instance already exists with this name on the volume specified.], 3223060499 = [$id=FLT_FILTER_NOT_FOUND, $desc=The system could not find the filter specified.], 3223060500 = [$id=FLT_VOLUME_NOT_FOUND, $desc=The system could not find the volume specified.], 3223060501 = [$id=FLT_INSTANCE_NOT_FOUND, $desc=The system could not find the instance specified.], 3223060502 = [$id=FLT_CONTEXT_ALLOCATION_NOT_FOUND, $desc=No registered context allocation definition was found for the given request.], 3223060503 = [$id=FLT_INVALID_CONTEXT_REGISTRATION, $desc=An invalid parameter was specified during context registration.], 3223060504 = [$id=FLT_NAME_CACHE_MISS, $desc=The name requested was not found in the Filter Manager name cache and could not be retrieved from the file system.], 3223060505 = [$id=FLT_NO_DEVICE_OBJECT, $desc=The requested device object does not exist for the given volume.], 3223060506 = [$id=FLT_VOLUME_ALREADY_MOUNTED, $desc=The specified volume is already mounted.], 3223060507 = [$id=FLT_ALREADY_ENLISTED, $desc=The specified transaction context is already enlisted in a transaction.], 3223060508 = [$id=FLT_CONTEXT_ALREADY_LINKED, $desc=The specified context is already attached to another object.], 3223060512 = [$id=FLT_NO_WAITER_FOR_REPLY, $desc=No waiter is present for the filter's reply to this message.], 3223126017 = [$id=MONITOR_NO_DESCRIPTOR, $desc=A monitor descriptor could not be obtained.], 3223126018 = [$id=MONITOR_UNKNOWN_DESCRIPTOR_FORMAT, $desc=This release does not support the format of the obtained monitor descriptor.], 3223126019 = [$id=MONITOR_INVALID_DESCRIPTOR_CHECKSUM, $desc=The checksum of the obtained monitor descriptor is invalid.], 3223126020 = [$id=MONITOR_INVALID_STANDARD_TIMING_BLOCK, $desc=The monitor descriptor contains an invalid standard timing block.], 3223126021 = [$id=MONITOR_WMI_DATABLOCK_REGISTRATION_FAILED, $desc=WMI data-block registration failed for one of the MSMonitorClass WMI subclasses.], 3223126022 = [$id=MONITOR_INVALID_SERIAL_NUMBER_MONDSC_BLOCK, $desc=The provided monitor descriptor block is either corrupted or does not contain the monitor's detailed serial number.], 3223126023 = [$id=MONITOR_INVALID_USER_FRIENDLY_MONDSC_BLOCK, $desc=The provided monitor descriptor block is either corrupted or does not contain the monitor's user-friendly name.], 3223126024 = [$id=MONITOR_NO_MORE_DESCRIPTOR_DATA, $desc=There is no monitor descriptor data at the specified (offset or size) region.], 3223126025 = [$id=MONITOR_INVALID_DETAILED_TIMING_BLOCK, $desc=The monitor descriptor contains an invalid detailed timing block.], 3223126026 = [$id=MONITOR_INVALID_MANUFACTURE_DATE, $desc=Monitor descriptor contains invalid manufacture date.], 3223191552 = [$id=GRAPHICS_NOT_EXCLUSIVE_MODE_OWNER, $desc=Exclusive mode ownership is needed to create an unmanaged primary allocation.], 3223191553 = [$id=GRAPHICS_INSUFFICIENT_DMA_BUFFER, $desc=The driver needs more DMA buffer space to complete the requested operation.], 3223191554 = [$id=GRAPHICS_INVALID_DISPLAY_ADAPTER, $desc=The specified display adapter handle is invalid.], 3223191555 = [$id=GRAPHICS_ADAPTER_WAS_RESET, $desc=The specified display adapter and all of its state have been reset.], 3223191556 = [$id=GRAPHICS_INVALID_DRIVER_MODEL, $desc=The driver stack does not match the expected driver model.], 3223191557 = [$id=GRAPHICS_PRESENT_MODE_CHANGED, $desc=Present happened but ended up into the changed desktop mode.], 3223191558 = [$id=GRAPHICS_PRESENT_OCCLUDED, $desc=Nothing to present due to desktop occlusion.], 3223191559 = [$id=GRAPHICS_PRESENT_DENIED, $desc=Not able to present due to denial of desktop access.], 3223191560 = [$id=GRAPHICS_CANNOTCOLORCONVERT, $desc=Not able to present with color conversion.], 3223191563 = [$id=GRAPHICS_PRESENT_REDIRECTION_DISABLED, $desc=Present redirection is disabled (desktop windowing management subsystem is off).], 3223191564 = [$id=GRAPHICS_PRESENT_UNOCCLUDED, $desc=Previous exclusive VidPn source owner has released its ownership], 3223191808 = [$id=GRAPHICS_NO_VIDEO_MEMORY, $desc=Not enough video memory is available to complete the operation.], 3223191809 = [$id=GRAPHICS_CANT_LOCK_MEMORY, $desc=Could not probe and lock the underlying memory of an allocation.], 3223191810 = [$id=GRAPHICS_ALLOCATION_BUSY, $desc=The allocation is currently busy.], 3223191811 = [$id=GRAPHICS_TOO_MANY_REFERENCES, $desc=An object being referenced has already reached the maximum reference count and cannot be referenced further.], 3223191812 = [$id=GRAPHICS_TRY_AGAIN_LATER, $desc=A problem could not be solved due to an existing condition. Try again later.], 3223191813 = [$id=GRAPHICS_TRY_AGAIN_NOW, $desc=A problem could not be solved due to an existing condition. Try again now.], 3223191814 = [$id=GRAPHICS_ALLOCATION_INVALID, $desc=The allocation is invalid.], 3223191815 = [$id=GRAPHICS_UNSWIZZLING_APERTURE_UNAVAILABLE, $desc=No more unswizzling apertures are currently available.], 3223191816 = [$id=GRAPHICS_UNSWIZZLING_APERTURE_UNSUPPORTED, $desc=The current allocation cannot be unswizzled by an aperture.], 3223191817 = [$id=GRAPHICS_CANT_EVICT_PINNED_ALLOCATION, $desc=The request failed because a pinned allocation cannot be evicted.], 3223191824 = [$id=GRAPHICS_INVALID_ALLOCATION_USAGE, $desc=The allocation cannot be used from its current segment location for the specified operation.], 3223191825 = [$id=GRAPHICS_CANT_RENDER_LOCKED_ALLOCATION, $desc=A locked allocation cannot be used in the current command buffer.], 3223191826 = [$id=GRAPHICS_ALLOCATION_CLOSED, $desc=The allocation being referenced has been closed permanently.], 3223191827 = [$id=GRAPHICS_INVALID_ALLOCATION_INSTANCE, $desc=An invalid allocation instance is being referenced.], 3223191828 = [$id=GRAPHICS_INVALID_ALLOCATION_HANDLE, $desc=An invalid allocation handle is being referenced.], 3223191829 = [$id=GRAPHICS_WRONG_ALLOCATION_DEVICE, $desc=The allocation being referenced does not belong to the current device.], 3223191830 = [$id=GRAPHICS_ALLOCATION_CONTENT_LOST, $desc=The specified allocation lost its content.], 3223192064 = [$id=GRAPHICS_GPU_EXCEPTION_ON_DEVICE, $desc=A GPU exception was detected on the given device. The device cannot be scheduled.], 3223192320 = [$id=GRAPHICS_INVALID_VIDPN_TOPOLOGY, $desc=The specified VidPN topology is invalid.], 3223192321 = [$id=GRAPHICS_VIDPN_TOPOLOGY_NOT_SUPPORTED, $desc=The specified VidPN topology is valid but is not supported by this model of the display adapter.], 3223192322 = [$id=GRAPHICS_VIDPN_TOPOLOGY_CURRENTLY_NOT_SUPPORTED, $desc=The specified VidPN topology is valid but is not currently supported by the display adapter due to allocation of its resources.], 3223192323 = [$id=GRAPHICS_INVALID_VIDPN, $desc=The specified VidPN handle is invalid.], 3223192324 = [$id=GRAPHICS_INVALID_VIDEO_PRESENT_SOURCE, $desc=The specified video present source is invalid.], 3223192325 = [$id=GRAPHICS_INVALID_VIDEO_PRESENT_TARGET, $desc=The specified video present target is invalid.], 3223192326 = [$id=GRAPHICS_VIDPN_MODALITY_NOT_SUPPORTED, $desc=The specified VidPN modality is not supported (for example, at least two of the pinned modes are not co-functional).], 3223192328 = [$id=GRAPHICS_INVALID_VIDPN_SOURCEMODESET, $desc=The specified VidPN source mode set is invalid.], 3223192329 = [$id=GRAPHICS_INVALID_VIDPN_TARGETMODESET, $desc=The specified VidPN target mode set is invalid.], 3223192330 = [$id=GRAPHICS_INVALID_FREQUENCY, $desc=The specified video signal frequency is invalid.], 3223192331 = [$id=GRAPHICS_INVALID_ACTIVE_REGION, $desc=The specified video signal active region is invalid.], 3223192332 = [$id=GRAPHICS_INVALID_TOTAL_REGION, $desc=The specified video signal total region is invalid.], 3223192336 = [$id=GRAPHICS_INVALID_VIDEO_PRESENT_SOURCE_MODE, $desc=The specified video present source mode is invalid.], 3223192337 = [$id=GRAPHICS_INVALID_VIDEO_PRESENT_TARGET_MODE, $desc=The specified video present target mode is invalid.], 3223192338 = [$id=GRAPHICS_PINNED_MODE_MUST_REMAIN_IN_SET, $desc=The pinned mode must remain in the set on the VidPN's co-functional modality enumeration.], 3223192339 = [$id=GRAPHICS_PATH_ALREADY_IN_TOPOLOGY, $desc=The specified video present path is already in the VidPN's topology.], 3223192340 = [$id=GRAPHICS_MODE_ALREADY_IN_MODESET, $desc=The specified mode is already in the mode set.], 3223192341 = [$id=GRAPHICS_INVALID_VIDEOPRESENTSOURCESET, $desc=The specified video present source set is invalid.], 3223192342 = [$id=GRAPHICS_INVALID_VIDEOPRESENTTARGETSET, $desc=The specified video present target set is invalid.], 3223192343 = [$id=GRAPHICS_SOURCE_ALREADY_IN_SET, $desc=The specified video present source is already in the video present source set.], 3223192344 = [$id=GRAPHICS_TARGET_ALREADY_IN_SET, $desc=The specified video present target is already in the video present target set.], 3223192345 = [$id=GRAPHICS_INVALID_VIDPN_PRESENT_PATH, $desc=The specified VidPN present path is invalid.], 3223192346 = [$id=GRAPHICS_NO_RECOMMENDED_VIDPN_TOPOLOGY, $desc=The miniport has no recommendation for augmenting the specified VidPN's topology.], 3223192347 = [$id=GRAPHICS_INVALID_MONITOR_FREQUENCYRANGESET, $desc=The specified monitor frequency range set is invalid.], 3223192348 = [$id=GRAPHICS_INVALID_MONITOR_FREQUENCYRANGE, $desc=The specified monitor frequency range is invalid.], 3223192349 = [$id=GRAPHICS_FREQUENCYRANGE_NOT_IN_SET, $desc=The specified frequency range is not in the specified monitor frequency range set.], 3223192351 = [$id=GRAPHICS_FREQUENCYRANGE_ALREADY_IN_SET, $desc=The specified frequency range is already in the specified monitor frequency range set.], 3223192352 = [$id=GRAPHICS_STALE_MODESET, $desc=The specified mode set is stale. Reacquire the new mode set.], 3223192353 = [$id=GRAPHICS_INVALID_MONITOR_SOURCEMODESET, $desc=The specified monitor source mode set is invalid.], 3223192354 = [$id=GRAPHICS_INVALID_MONITOR_SOURCE_MODE, $desc=The specified monitor source mode is invalid.], 3223192355 = [$id=GRAPHICS_NO_RECOMMENDED_FUNCTIONAL_VIDPN, $desc=The miniport does not have a recommendation regarding the request to provide a functional VidPN given the current display adapter configuration.], 3223192356 = [$id=GRAPHICS_MODE_ID_MUST_BE_UNIQUE, $desc=The ID of the specified mode is being used by another mode in the set.], 3223192357 = [$id=GRAPHICS_EMPTY_ADAPTER_MONITOR_MODE_SUPPORT_INTERSECTION, $desc=The system failed to determine a mode that is supported by both the display adapter and the monitor connected to it.], 3223192358 = [$id=GRAPHICS_VIDEO_PRESENT_TARGETS_LESS_THAN_SOURCES, $desc=The number of video present targets must be greater than or equal to the number of video present sources.], 3223192359 = [$id=GRAPHICS_PATH_NOT_IN_TOPOLOGY, $desc=The specified present path is not in the VidPN's topology.], 3223192360 = [$id=GRAPHICS_ADAPTER_MUST_HAVE_AT_LEAST_ONE_SOURCE, $desc=The display adapter must have at least one video present source.], 3223192361 = [$id=GRAPHICS_ADAPTER_MUST_HAVE_AT_LEAST_ONE_TARGET, $desc=The display adapter must have at least one video present target.], 3223192362 = [$id=GRAPHICS_INVALID_MONITORDESCRIPTORSET, $desc=The specified monitor descriptor set is invalid.], 3223192363 = [$id=GRAPHICS_INVALID_MONITORDESCRIPTOR, $desc=The specified monitor descriptor is invalid.], 3223192364 = [$id=GRAPHICS_MONITORDESCRIPTOR_NOT_IN_SET, $desc=The specified descriptor is not in the specified monitor descriptor set.], 3223192365 = [$id=GRAPHICS_MONITORDESCRIPTOR_ALREADY_IN_SET, $desc=The specified descriptor is already in the specified monitor descriptor set.], 3223192366 = [$id=GRAPHICS_MONITORDESCRIPTOR_ID_MUST_BE_UNIQUE, $desc=The ID of the specified monitor descriptor is being used by another descriptor in the set.], 3223192367 = [$id=GRAPHICS_INVALID_VIDPN_TARGET_SUBSET_TYPE, $desc=The specified video present target subset type is invalid.], 3223192368 = [$id=GRAPHICS_RESOURCES_NOT_RELATED, $desc=Two or more of the specified resources are not related to each other, as defined by the interface semantics.], 3223192369 = [$id=GRAPHICS_SOURCE_ID_MUST_BE_UNIQUE, $desc=The ID of the specified video present source is being used by another source in the set.], 3223192370 = [$id=GRAPHICS_TARGET_ID_MUST_BE_UNIQUE, $desc=The ID of the specified video present target is being used by another target in the set.], 3223192371 = [$id=GRAPHICS_NO_AVAILABLE_VIDPN_TARGET, $desc=The specified VidPN source cannot be used because there is no available VidPN target to connect it to.], 3223192372 = [$id=GRAPHICS_MONITOR_COULD_NOT_BE_ASSOCIATED_WITH_ADAPTER, $desc=The newly arrived monitor could not be associated with a display adapter.], 3223192373 = [$id=GRAPHICS_NO_VIDPNMGR, $desc=The particular display adapter does not have an associated VidPN manager.], 3223192374 = [$id=GRAPHICS_NO_ACTIVE_VIDPN, $desc=The VidPN manager of the particular display adapter does not have an active VidPN.], 3223192375 = [$id=GRAPHICS_STALE_VIDPN_TOPOLOGY, $desc=The specified VidPN topology is stale; obtain the new topology.], 3223192376 = [$id=GRAPHICS_MONITOR_NOT_CONNECTED, $desc=No monitor is connected on the specified video present target.], 3223192377 = [$id=GRAPHICS_SOURCE_NOT_IN_TOPOLOGY, $desc=The specified source is not part of the specified VidPN's topology.], 3223192378 = [$id=GRAPHICS_INVALID_PRIMARYSURFACE_SIZE, $desc=The specified primary surface size is invalid.], 3223192379 = [$id=GRAPHICS_INVALID_VISIBLEREGION_SIZE, $desc=The specified visible region size is invalid.], 3223192380 = [$id=GRAPHICS_INVALID_STRIDE, $desc=The specified stride is invalid.], 3223192381 = [$id=GRAPHICS_INVALID_PIXELFORMAT, $desc=The specified pixel format is invalid.], 3223192382 = [$id=GRAPHICS_INVALID_COLORBASIS, $desc=The specified color basis is invalid.], 3223192383 = [$id=GRAPHICS_INVALID_PIXELVALUEACCESSMODE, $desc=The specified pixel value access mode is invalid.], 3223192384 = [$id=GRAPHICS_TARGET_NOT_IN_TOPOLOGY, $desc=The specified target is not part of the specified VidPN's topology.], 3223192385 = [$id=GRAPHICS_NO_DISPLAY_MODE_MANAGEMENT_SUPPORT, $desc=Failed to acquire the display mode management interface.], 3223192386 = [$id=GRAPHICS_VIDPN_SOURCE_IN_USE, $desc=The specified VidPN source is already owned by a DMM client and cannot be used until that client releases it.], 3223192387 = [$id=GRAPHICS_CANT_ACCESS_ACTIVE_VIDPN, $desc=The specified VidPN is active and cannot be accessed.], 3223192388 = [$id=GRAPHICS_INVALID_PATH_IMPORTANCE_ORDINAL, $desc=The specified VidPN's present path importance ordinal is invalid.], 3223192389 = [$id=GRAPHICS_INVALID_PATH_CONTENT_GEOMETRY_TRANSFORMATION, $desc=The specified VidPN's present path content geometry transformation is invalid.], 3223192390 = [$id=GRAPHICS_PATH_CONTENT_GEOMETRY_TRANSFORMATION_NOT_SUPPORTED, $desc=The specified content geometry transformation is not supported on the respective VidPN present path.], 3223192391 = [$id=GRAPHICS_INVALID_GAMMA_RAMP, $desc=The specified gamma ramp is invalid.], 3223192392 = [$id=GRAPHICS_GAMMA_RAMP_NOT_SUPPORTED, $desc=The specified gamma ramp is not supported on the respective VidPN present path.], 3223192393 = [$id=GRAPHICS_MULTISAMPLING_NOT_SUPPORTED, $desc=Multisampling is not supported on the respective VidPN present path.], 3223192394 = [$id=GRAPHICS_MODE_NOT_IN_MODESET, $desc=The specified mode is not in the specified mode set.], 3223192397 = [$id=GRAPHICS_INVALID_VIDPN_TOPOLOGY_RECOMMENDATION_REASON, $desc=The specified VidPN topology recommendation reason is invalid.], 3223192398 = [$id=GRAPHICS_INVALID_PATH_CONTENT_TYPE, $desc=The specified VidPN present path content type is invalid.], 3223192399 = [$id=GRAPHICS_INVALID_COPYPROTECTION_TYPE, $desc=The specified VidPN present path copy protection type is invalid.], 3223192400 = [$id=GRAPHICS_UNASSIGNED_MODESET_ALREADY_EXISTS, $desc=Only one unassigned mode set can exist at any one time for a particular VidPN source or target.], 3223192402 = [$id=GRAPHICS_INVALID_SCANLINE_ORDERING, $desc=The specified scan line ordering type is invalid.], 3223192403 = [$id=GRAPHICS_TOPOLOGY_CHANGES_NOT_ALLOWED, $desc=The topology changes are not allowed for the specified VidPN.], 3223192404 = [$id=GRAPHICS_NO_AVAILABLE_IMPORTANCE_ORDINALS, $desc=All available importance ordinals are being used in the specified topology.], 3223192405 = [$id=GRAPHICS_INCOMPATIBLE_PRIVATE_FORMAT, $desc=The specified primary surface has a different private-format attribute than the current primary surface.], 3223192406 = [$id=GRAPHICS_INVALID_MODE_PRUNING_ALGORITHM, $desc=The specified mode-pruning algorithm is invalid.], 3223192407 = [$id=GRAPHICS_INVALID_MONITOR_CAPABILITY_ORIGIN, $desc=The specified monitor-capability origin is invalid.], 3223192408 = [$id=GRAPHICS_INVALID_MONITOR_FREQUENCYRANGE_CONSTRAINT, $desc=The specified monitor-frequency range constraint is invalid.], 3223192409 = [$id=GRAPHICS_MAX_NUM_PATHS_REACHED, $desc=The maximum supported number of present paths has been reached.], 3223192410 = [$id=GRAPHICS_CANCEL_VIDPN_TOPOLOGY_AUGMENTATION, $desc=The miniport requested that augmentation be canceled for the specified source of the specified VidPN's topology.], 3223192411 = [$id=GRAPHICS_INVALID_CLIENT_TYPE, $desc=The specified client type was not recognized.], 3223192412 = [$id=GRAPHICS_CLIENTVIDPN_NOT_SET, $desc=The client VidPN is not set on this adapter (for example, no user mode-initiated mode changes have taken place on this adapter).], 3223192576 = [$id=GRAPHICS_SPECIFIED_CHILD_ALREADY_CONNECTED, $desc=The specified display adapter child device already has an external device connected to it.], 3223192577 = [$id=GRAPHICS_CHILD_DESCRIPTOR_NOT_SUPPORTED, $desc=The display adapter child device does not support reporting a descriptor.], 3223192624 = [$id=GRAPHICS_NOT_A_LINKED_ADAPTER, $desc=The display adapter is not linked to any other adapters.], 3223192625 = [$id=GRAPHICS_LEADLINK_NOT_ENUMERATED, $desc=The lead adapter in a linked configuration was not enumerated yet.], 3223192626 = [$id=GRAPHICS_CHAINLINKS_NOT_ENUMERATED, $desc=Some chain adapters in a linked configuration have not yet been enumerated.], 3223192627 = [$id=GRAPHICS_ADAPTER_CHAIN_NOT_READY, $desc=The chain of linked adapters is not ready to start because of an unknown failure.], 3223192628 = [$id=GRAPHICS_CHAINLINKS_NOT_STARTED, $desc=An attempt was made to start a lead link display adapter when the chain links had not yet started.], 3223192629 = [$id=GRAPHICS_CHAINLINKS_NOT_POWERED_ON, $desc=An attempt was made to turn on a lead link display adapter when the chain links were turned off.], 3223192630 = [$id=GRAPHICS_INCONSISTENT_DEVICE_LINK_STATE, $desc=The adapter link was found in an inconsistent state. Not all adapters are in an expected PNP/power state.], 3223192632 = [$id=GRAPHICS_NOT_POST_DEVICE_DRIVER, $desc=The driver trying to start is not the same as the driver for the posted display adapter.], 3223192635 = [$id=GRAPHICS_ADAPTER_ACCESS_NOT_EXCLUDED, $desc=An operation is being attempted that requires the display adapter to be in a quiescent state.], 3223192832 = [$id=GRAPHICS_OPM_NOT_SUPPORTED, $desc=The driver does not support OPM.], 3223192833 = [$id=GRAPHICS_COPP_NOT_SUPPORTED, $desc=The driver does not support COPP.], 3223192834 = [$id=GRAPHICS_UAB_NOT_SUPPORTED, $desc=The driver does not support UAB.], 3223192835 = [$id=GRAPHICS_OPM_INVALID_ENCRYPTED_PARAMETERS, $desc=The specified encrypted parameters are invalid.], 3223192836 = [$id=GRAPHICS_OPM_PARAMETER_ARRAY_TOO_SMALL, $desc=An array passed to a function cannot hold all of the data that the function wants to put in it.], 3223192837 = [$id=GRAPHICS_OPM_NO_PROTECTED_OUTPUTS_EXIST, $desc=The GDI display device passed to this function does not have any active protected outputs.], 3223192838 = [$id=GRAPHICS_PVP_NO_DISPLAY_DEVICE_CORRESPONDS_TO_NAME, $desc=The PVP cannot find an actual GDI display device that corresponds to the passed-in GDI display device name.], 3223192839 = [$id=GRAPHICS_PVP_DISPLAY_DEVICE_NOT_ATTACHED_TO_DESKTOP, $desc=This function failed because the GDI display device passed to it was not attached to the Windows desktop.], 3223192840 = [$id=GRAPHICS_PVP_MIRRORING_DEVICES_NOT_SUPPORTED, $desc=The PVP does not support mirroring display devices because they do not have any protected outputs.], 3223192842 = [$id=GRAPHICS_OPM_INVALID_POINTER, $desc=The function failed because an invalid pointer parameter was passed to it. A pointer parameter is invalid if it is null, is not correctly aligned, or it points to an invalid address or a kernel mode address.], 3223192843 = [$id=GRAPHICS_OPM_INTERNAL_ERROR, $desc=An internal error caused an operation to fail.], 3223192844 = [$id=GRAPHICS_OPM_INVALID_HANDLE, $desc=The function failed because the caller passed in an invalid OPM user-mode handle.], 3223192845 = [$id=GRAPHICS_PVP_NO_MONITORS_CORRESPOND_TO_DISPLAY_DEVICE, $desc=This function failed because the GDI device passed to it did not have any monitors associated with it.], 3223192846 = [$id=GRAPHICS_PVP_INVALID_CERTIFICATE_LENGTH, $desc=A certificate could not be returned because the certificate buffer passed to the function was too small.], 3223192847 = [$id=GRAPHICS_OPM_SPANNING_MODE_ENABLED, $desc=DxgkDdiOpmCreateProtectedOutput() could not create a protected output because the video present yarget is in spanning mode.], 3223192848 = [$id=GRAPHICS_OPM_THEATER_MODE_ENABLED, $desc=DxgkDdiOpmCreateProtectedOutput() could not create a protected output because the video present target is in theater mode.], 3223192849 = [$id=GRAPHICS_PVP_HFS_FAILED, $desc=The function call failed because the display adapter's hardware functionality scan (HFS) failed to validate the graphics hardware.], 3223192850 = [$id=GRAPHICS_OPM_INVALID_SRM, $desc=The HDCP SRM passed to this function did not comply with section 5 of the HDCP 1.1 specification.], 3223192851 = [$id=GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_HDCP, $desc=The protected output cannot enable the HDCP system because it does not support it.], 3223192852 = [$id=GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_ACP, $desc=The protected output cannot enable analog copy protection because it does not support it.], 3223192853 = [$id=GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_CGMSA, $desc=The protected output cannot enable the CGMS-A protection technology because it does not support it.], 3223192854 = [$id=GRAPHICS_OPM_HDCP_SRM_NEVER_SET, $desc=DxgkDdiOPMGetInformation() cannot return the version of the SRM being used because the application never successfully passed an SRM to the protected output.], 3223192855 = [$id=GRAPHICS_OPM_RESOLUTION_TOO_HIGH, $desc=DxgkDdiOPMConfigureProtectedOutput() cannot enable the specified output protection technology because the output's screen resolution is too high.], 3223192856 = [$id=GRAPHICS_OPM_ALL_HDCP_HARDWARE_ALREADY_IN_USE, $desc=DxgkDdiOPMConfigureProtectedOutput() cannot enable HDCP because other physical outputs are using the display adapter's HDCP hardware.], 3223192858 = [$id=GRAPHICS_OPM_PROTECTED_OUTPUT_NO_LONGER_EXISTS, $desc=The operating system asynchronously destroyed this OPM-protected output because the operating system state changed. This error typically occurs because the monitor PDO associated with this protected output was removed or stopped, the protected output's session became a nonconsole session, or the protected output's desktop became inactive.], 3223192859 = [$id=GRAPHICS_OPM_SESSION_TYPE_CHANGE_IN_PROGRESS, $desc=OPM functions cannot be called when a session is changing its type. Three types of sessions currently exist: console, disconnected, and remote (RDP or ICA).], 3223192860 = [$id=GRAPHICS_OPM_PROTECTED_OUTPUT_DOES_NOT_HAVE_COPP_SEMANTICS, $desc=The DxgkDdiOPMGetCOPPCompatibleInformation, DxgkDdiOPMGetInformation, or DxgkDdiOPMConfigureProtectedOutput function failed. This error is returned only if a protected output has OPM semantics. ], 3223192861 = [$id=GRAPHICS_OPM_INVALID_INFORMATION_REQUEST, $desc=The DxgkDdiOPMGetInformation and DxgkDdiOPMGetCOPPCompatibleInformation functions return this error code if the passed-in sequence number is not the expected sequence number or the passed-in OMAC value is invalid.], 3223192862 = [$id=GRAPHICS_OPM_DRIVER_INTERNAL_ERROR, $desc=The function failed because an unexpected error occurred inside a display driver.], 3223192863 = [$id=GRAPHICS_OPM_PROTECTED_OUTPUT_DOES_NOT_HAVE_OPM_SEMANTICS, $desc=The DxgkDdiOPMGetCOPPCompatibleInformation, DxgkDdiOPMGetInformation, or DxgkDdiOPMConfigureProtectedOutput function failed. This error is returned only if a protected output has COPP semantics. ], 3223192864 = [$id=GRAPHICS_OPM_SIGNALING_NOT_SUPPORTED, $desc=The DxgkDdiOPMGetCOPPCompatibleInformation and DxgkDdiOPMConfigureProtectedOutput functions return this error if the display driver does not support the DXGKMDT_OPM_GET_ACP_AND_CGMSA_SIGNALING and DXGKMDT_OPM_SET_ACP_AND_CGMSA_SIGNALING GUIDs.], 3223192865 = [$id=GRAPHICS_OPM_INVALID_CONFIGURATION_REQUEST, $desc=The DxgkDdiOPMConfigureProtectedOutput function returns this error code if the passed-in sequence number is not the expected sequence number or the passed-in OMAC value is invalid.], 3223192960 = [$id=GRAPHICS_I2C_NOT_SUPPORTED, $desc=The monitor connected to the specified video output does not have an I2C bus.], 3223192961 = [$id=GRAPHICS_I2C_DEVICE_DOES_NOT_EXIST, $desc=No device on the I2C bus has the specified address.], 3223192962 = [$id=GRAPHICS_I2C_ERROR_TRANSMITTING_DATA, $desc=An error occurred while transmitting data to the device on the I2C bus.], 3223192963 = [$id=GRAPHICS_I2C_ERROR_RECEIVING_DATA, $desc=An error occurred while receiving data from the device on the I2C bus.], 3223192964 = [$id=GRAPHICS_DDCCI_VCP_NOT_SUPPORTED, $desc=The monitor does not support the specified VCP code.], 3223192965 = [$id=GRAPHICS_DDCCI_INVALID_DATA, $desc=The data received from the monitor is invalid.], 3223192966 = [$id=GRAPHICS_DDCCI_MONITOR_RETURNED_INVALID_TIMING_STATUS_BYTE, $desc=A function call failed because a monitor returned an invalid timing status byte when the operating system used the DDC/CI get timing report and timing message command to get a timing report from a monitor.], 3223192967 = [$id=GRAPHICS_DDCCI_INVALID_CAPABILITIES_STRING, $desc=A monitor returned a DDC/CI capabilities string that did not comply with the ACCESS.bus 3.0, DDC/CI 1.1, or MCCS 2 Revision 1 specification.], 3223192968 = [$id=GRAPHICS_MCA_INTERNAL_ERROR, $desc=An internal error caused an operation to fail.], 3223192969 = [$id=GRAPHICS_DDCCI_INVALID_MESSAGE_COMMAND, $desc=An operation failed because a DDC/CI message had an invalid value in its command field.], 3223192970 = [$id=GRAPHICS_DDCCI_INVALID_MESSAGE_LENGTH, $desc=This error occurred because a DDC/CI message had an invalid value in its length field.], 3223192971 = [$id=GRAPHICS_DDCCI_INVALID_MESSAGE_CHECKSUM, $desc=This error occurred because the value in a DDC/CI message's checksum field did not match the message's computed checksum value. This error implies that the data was corrupted while it was being transmitted from a monitor to a computer.], 3223192972 = [$id=GRAPHICS_INVALID_PHYSICAL_MONITOR_HANDLE, $desc=This function failed because an invalid monitor handle was passed to it.], 3223192973 = [$id=GRAPHICS_MONITOR_NO_LONGER_EXISTS, $desc=The operating system asynchronously destroyed the monitor that corresponds to this handle because the operating system's state changed. This error typically occurs because the monitor PDO associated with this handle was removed or stopped, or a display mode change occurred. A display mode change occurs when Windows sends a WM_DISPLAYCHANGE message to applications.], 3223193056 = [$id=GRAPHICS_ONLY_CONSOLE_SESSION_SUPPORTED, $desc=This function can be used only if a program is running in the local console session. It cannot be used if a program is running on a remote desktop session or on a terminal server session.], 3223193057 = [$id=GRAPHICS_NO_DISPLAY_DEVICE_CORRESPONDS_TO_NAME, $desc=This function cannot find an actual GDI display device that corresponds to the specified GDI display device name.], 3223193058 = [$id=GRAPHICS_DISPLAY_DEVICE_NOT_ATTACHED_TO_DESKTOP, $desc=The function failed because the specified GDI display device was not attached to the Windows desktop.], 3223193059 = [$id=GRAPHICS_MIRRORING_DEVICES_NOT_SUPPORTED, $desc=This function does not support GDI mirroring display devices because GDI mirroring display devices do not have any physical monitors associated with them.], 3223193060 = [$id=GRAPHICS_INVALID_POINTER, $desc=The function failed because an invalid pointer parameter was passed to it. A pointer parameter is invalid if it is null, is not correctly aligned, or points to an invalid address or to a kernel mode address.], 3223193061 = [$id=GRAPHICS_NO_MONITORS_CORRESPOND_TO_DISPLAY_DEVICE, $desc=This function failed because the GDI device passed to it did not have a monitor associated with it.], 3223193062 = [$id=GRAPHICS_PARAMETER_ARRAY_TOO_SMALL, $desc=An array passed to the function cannot hold all of the data that the function must copy into the array.], 3223193063 = [$id=GRAPHICS_INTERNAL_ERROR, $desc=An internal error caused an operation to fail.], 3223193064 = [$id=GRAPHICS_SESSION_TYPE_CHANGE_IN_PROGRESS, $desc=The function failed because the current session is changing its type. This function cannot be called when the current session is changing its type. Three types of sessions currently exist: console, disconnected, and remote (RDP or ICA).], 3223388160 = [$id=FVE_LOCKED_VOLUME, $desc=The volume must be unlocked before it can be used.], 3223388161 = [$id=FVE_NOT_ENCRYPTED, $desc=The volume is fully decrypted and no key is available.], 3223388162 = [$id=FVE_BAD_INFORMATION, $desc=The control block for the encrypted volume is not valid.], 3223388163 = [$id=FVE_TOO_SMALL, $desc=Not enough free space remains on the volume to allow encryption.], 3223388164 = [$id=FVE_FAILED_WRONG_FS, $desc=The partition cannot be encrypted because the file system is not supported.], 3223388165 = [$id=FVE_FAILED_BAD_FS, $desc=The file system is inconsistent. Run the Check Disk utility.], 3223388166 = [$id=FVE_FS_NOT_EXTENDED, $desc=The file system does not extend to the end of the volume.], 3223388167 = [$id=FVE_FS_MOUNTED, $desc=This operation cannot be performed while a file system is mounted on the volume.], 3223388168 = [$id=FVE_NO_LICENSE, $desc=BitLocker Drive Encryption is not included with this version of Windows.], 3223388169 = [$id=FVE_ACTION_NOT_ALLOWED, $desc=The requested action was denied by the FVE control engine.], 3223388170 = [$id=FVE_BAD_DATA, $desc=The data supplied is malformed.], 3223388171 = [$id=FVE_VOLUME_NOT_BOUND, $desc=The volume is not bound to the system.], 3223388172 = [$id=FVE_NOT_DATA_VOLUME, $desc=The volume specified is not a data volume.], 3223388173 = [$id=FVE_CONV_READ_ERROR, $desc=A read operation failed while converting the volume.], 3223388174 = [$id=FVE_CONV_WRITE_ERROR, $desc=A write operation failed while converting the volume.], 3223388175 = [$id=FVE_OVERLAPPED_UPDATE, $desc=The control block for the encrypted volume was updated by another thread. Try again.], 3223388176 = [$id=FVE_FAILED_SECTOR_SIZE, $desc=The volume encryption algorithm cannot be used on this sector size.], 3223388177 = [$id=FVE_FAILED_AUTHENTICATION, $desc=BitLocker recovery authentication failed.], 3223388178 = [$id=FVE_NOT_OS_VOLUME, $desc=The volume specified is not the boot operating system volume.], 3223388179 = [$id=FVE_KEYFILE_NOT_FOUND, $desc=The BitLocker startup key or recovery password could not be read from external media.], 3223388180 = [$id=FVE_KEYFILE_INVALID, $desc=The BitLocker startup key or recovery password file is corrupt or invalid.], 3223388181 = [$id=FVE_KEYFILE_NO_VMK, $desc=The BitLocker encryption key could not be obtained from the startup key or the recovery password.], 3223388182 = [$id=FVE_TPM_DISABLED, $desc=The TPM is disabled.], 3223388183 = [$id=FVE_TPM_SRK_AUTH_NOT_ZERO, $desc=The authorization data for the SRK of the TPM is not zero.], 3223388184 = [$id=FVE_TPM_INVALID_PCR, $desc=The system boot information changed or the TPM locked out access to BitLocker encryption keys until the computer is restarted.], 3223388185 = [$id=FVE_TPM_NO_VMK, $desc=The BitLocker encryption key could not be obtained from the TPM.], 3223388186 = [$id=FVE_PIN_INVALID, $desc=The BitLocker encryption key could not be obtained from the TPM and PIN.], 3223388187 = [$id=FVE_AUTH_INVALID_APPLICATION, $desc=A boot application hash does not match the hash computed when BitLocker was turned on.], 3223388188 = [$id=FVE_AUTH_INVALID_CONFIG, $desc=The Boot Configuration Data (BCD) settings are not supported or have changed because BitLocker was enabled.], 3223388189 = [$id=FVE_DEBUGGER_ENABLED, $desc=Boot debugging is enabled. Run Windows Boot Configuration Data Store Editor (bcdedit.exe) to turn it off.], 3223388190 = [$id=FVE_DRY_RUN_FAILED, $desc=The BitLocker encryption key could not be obtained.], 3223388191 = [$id=FVE_BAD_METADATA_POINTER, $desc=The metadata disk region pointer is incorrect.], 3223388192 = [$id=FVE_OLD_METADATA_COPY, $desc=The backup copy of the metadata is out of date.], 3223388193 = [$id=FVE_REBOOT_REQUIRED, $desc=No action was taken because a system restart is required.], 3223388194 = [$id=FVE_RAW_ACCESS, $desc=No action was taken because BitLocker Drive Encryption is in RAW access mode.], 3223388195 = [$id=FVE_RAW_BLOCKED, $desc=BitLocker Drive Encryption cannot enter RAW access mode for this volume.], 3223388198 = [$id=FVE_NO_FEATURE_LICENSE, $desc=This feature of BitLocker Drive Encryption is not included with this version of Windows.], 3223388199 = [$id=FVE_POLICY_USER_DISABLE_RDV_NOT_ALLOWED, $desc=Group policy does not permit turning off BitLocker Drive Encryption on roaming data volumes.], 3223388200 = [$id=FVE_CONV_RECOVERY_FAILED, $desc=Bitlocker Drive Encryption failed to recover from aborted conversion. This could be due to either all conversion logs being corrupted or the media being write-protected.], 3223388201 = [$id=FVE_VIRTUALIZED_SPACE_TOO_BIG, $desc=The requested virtualization size is too big.], 3223388208 = [$id=FVE_VOLUME_TOO_SMALL, $desc=The drive is too small to be protected using BitLocker Drive Encryption.], 3223453697 = [$id=FWP_CALLOUT_NOT_FOUND, $desc=The callout does not exist.], 3223453698 = [$id=FWP_CONDITION_NOT_FOUND, $desc=The filter condition does not exist.], 3223453699 = [$id=FWP_FILTER_NOT_FOUND, $desc=The filter does not exist.], 3223453700 = [$id=FWP_LAYER_NOT_FOUND, $desc=The layer does not exist.], 3223453701 = [$id=FWP_PROVIDER_NOT_FOUND, $desc=The provider does not exist.], 3223453702 = [$id=FWP_PROVIDER_CONTEXT_NOT_FOUND, $desc=The provider context does not exist.], 3223453703 = [$id=FWP_SUBLAYER_NOT_FOUND, $desc=The sublayer does not exist.], 3223453704 = [$id=FWP_NOT_FOUND, $desc=The object does not exist.], 3223453705 = [$id=FWP_ALREADY_EXISTS, $desc=An object with that GUID or LUID already exists.], 3223453706 = [$id=FWP_IN_USE, $desc=The object is referenced by other objects and cannot be deleted.], 3223453707 = [$id=FWP_DYNAMIC_SESSION_IN_PROGRESS, $desc=The call is not allowed from within a dynamic session.], 3223453708 = [$id=FWP_WRONG_SESSION, $desc=The call was made from the wrong session and cannot be completed.], 3223453709 = [$id=FWP_NO_TXN_IN_PROGRESS, $desc=The call must be made from within an explicit transaction.], 3223453710 = [$id=FWP_TXN_IN_PROGRESS, $desc=The call is not allowed from within an explicit transaction.], 3223453711 = [$id=FWP_TXN_ABORTED, $desc=The explicit transaction has been forcibly canceled.], 3223453712 = [$id=FWP_SESSION_ABORTED, $desc=The session has been canceled.], 3223453713 = [$id=FWP_INCOMPATIBLE_TXN, $desc=The call is not allowed from within a read-only transaction.], 3223453714 = [$id=FWP_TIMEOUT, $desc=The call timed out while waiting to acquire the transaction lock.], 3223453715 = [$id=FWP_NET_EVENTS_DISABLED, $desc=The collection of network diagnostic events is disabled.], 3223453716 = [$id=FWP_INCOMPATIBLE_LAYER, $desc=The operation is not supported by the specified layer.], 3223453717 = [$id=FWP_KM_CLIENTS_ONLY, $desc=The call is allowed for kernel-mode callers only.], 3223453718 = [$id=FWP_LIFETIME_MISMATCH, $desc=The call tried to associate two objects with incompatible lifetimes.], 3223453719 = [$id=FWP_BUILTIN_OBJECT, $desc=The object is built-in and cannot be deleted.], 3223453720 = [$id=FWP_TOO_MANY_BOOTTIME_FILTERS, $desc=The maximum number of boot-time filters has been reached.], 3223453721 = [$id=FWP_NOTIFICATION_DROPPED, $desc=A notification could not be delivered because a message queue has reached maximum capacity.], 3223453722 = [$id=FWP_TRAFFIC_MISMATCH, $desc=The traffic parameters do not match those for the security association context.], 3223453723 = [$id=FWP_INCOMPATIBLE_SA_STATE, $desc=The call is not allowed for the current security association state.], 3223453724 = [$id=FWP_NULL_POINTER, $desc=A required pointer is null.], 3223453725 = [$id=FWP_INVALID_ENUMERATOR, $desc=An enumerator is not valid.], 3223453726 = [$id=FWP_INVALID_FLAGS, $desc=The flags field contains an invalid value.], 3223453727 = [$id=FWP_INVALID_NET_MASK, $desc=A network mask is not valid.], 3223453728 = [$id=FWP_INVALID_RANGE, $desc=An FWP_RANGE is not valid.], 3223453729 = [$id=FWP_INVALID_INTERVAL, $desc=The time interval is not valid.], 3223453730 = [$id=FWP_ZERO_LENGTH_ARRAY, $desc=An array that must contain at least one element has a zero length.], 3223453731 = [$id=FWP_NULL_DISPLAY_NAME, $desc=The displayData.name field cannot be null.], 3223453732 = [$id=FWP_INVALID_ACTION_TYPE, $desc=The action type is not one of the allowed action types for a filter.], 3223453733 = [$id=FWP_INVALID_WEIGHT, $desc=The filter weight is not valid.], 3223453734 = [$id=FWP_MATCH_TYPE_MISMATCH, $desc=A filter condition contains a match type that is not compatible with the operands.], 3223453735 = [$id=FWP_TYPE_MISMATCH, $desc=An FWP_VALUE or FWPM_CONDITION_VALUE is of the wrong type.], 3223453736 = [$id=FWP_OUT_OF_BOUNDS, $desc=An integer value is outside the allowed range.], 3223453737 = [$id=FWP_RESERVED, $desc=A reserved field is nonzero.], 3223453738 = [$id=FWP_DUPLICATE_CONDITION, $desc=A filter cannot contain multiple conditions operating on a single field.], 3223453739 = [$id=FWP_DUPLICATE_KEYMOD, $desc=A policy cannot contain the same keying module more than once.], 3223453740 = [$id=FWP_ACTION_INCOMPATIBLE_WITH_LAYER, $desc=The action type is not compatible with the layer.], 3223453741 = [$id=FWP_ACTION_INCOMPATIBLE_WITH_SUBLAYER, $desc=The action type is not compatible with the sublayer.], 3223453742 = [$id=FWP_CONTEXT_INCOMPATIBLE_WITH_LAYER, $desc=The raw context or the provider context is not compatible with the layer.], 3223453743 = [$id=FWP_CONTEXT_INCOMPATIBLE_WITH_CALLOUT, $desc=The raw context or the provider context is not compatible with the callout.], 3223453744 = [$id=FWP_INCOMPATIBLE_AUTH_METHOD, $desc=The authentication method is not compatible with the policy type.], 3223453745 = [$id=FWP_INCOMPATIBLE_DH_GROUP, $desc=The Diffie-Hellman group is not compatible with the policy type.], 3223453746 = [$id=FWP_EM_NOT_SUPPORTED, $desc=An IKE policy cannot contain an Extended Mode policy.], 3223453747 = [$id=FWP_NEVER_MATCH, $desc=The enumeration template or subscription will never match any objects.], 3223453748 = [$id=FWP_PROVIDER_CONTEXT_MISMATCH, $desc=The provider context is of the wrong type.], 3223453749 = [$id=FWP_INVALID_PARAMETER, $desc=The parameter is incorrect.], 3223453750 = [$id=FWP_TOO_MANY_SUBLAYERS, $desc=The maximum number of sublayers has been reached.], 3223453751 = [$id=FWP_CALLOUT_NOTIFICATION_FAILED, $desc=The notification function for a callout returned an error.], 3223453752 = [$id=FWP_INCOMPATIBLE_AUTH_CONFIG, $desc=The IPsec authentication configuration is not compatible with the authentication type.], 3223453753 = [$id=FWP_INCOMPATIBLE_CIPHER_CONFIG, $desc=The IPsec cipher configuration is not compatible with the cipher type.], 3223453756 = [$id=FWP_DUPLICATE_AUTH_METHOD, $desc=A policy cannot contain the same auth method more than once.], 3223453952 = [$id=FWP_TCPIP_NOT_READY, $desc=The TCP/IP stack is not ready.], 3223453953 = [$id=FWP_INJECT_HANDLE_CLOSING, $desc=The injection handle is being closed by another thread.], 3223453954 = [$id=FWP_INJECT_HANDLE_STALE, $desc=The injection handle is stale.], 3223453955 = [$id=FWP_CANNOT_PEND, $desc=The classify cannot be pended.], 3223519234 = [$id=NDIS_CLOSING, $desc=The binding to the network interface is being closed.], 3223519236 = [$id=NDIS_BAD_VERSION, $desc=An invalid version was specified.], 3223519237 = [$id=NDIS_BAD_CHARACTERISTICS, $desc=An invalid characteristics table was used.], 3223519238 = [$id=NDIS_ADAPTER_NOT_FOUND, $desc=Failed to find the network interface or the network interface is not ready.], 3223519239 = [$id=NDIS_OPEN_FAILED, $desc=Failed to open the network interface.], 3223519240 = [$id=NDIS_DEVICE_FAILED, $desc=The network interface has encountered an internal unrecoverable failure.], 3223519241 = [$id=NDIS_MULTICAST_FULL, $desc=The multicast list on the network interface is full.], 3223519242 = [$id=NDIS_MULTICAST_EXISTS, $desc=An attempt was made to add a duplicate multicast address to the list.], 3223519243 = [$id=NDIS_MULTICAST_NOT_FOUND, $desc=At attempt was made to remove a multicast address that was never added.], 3223519244 = [$id=NDIS_REQUEST_ABORTED, $desc=The network interface aborted the request.], 3223519245 = [$id=NDIS_RESET_IN_PROGRESS, $desc=The network interface cannot process the request because it is being reset.], 3223519247 = [$id=NDIS_INVALID_PACKET, $desc=An attempt was made to send an invalid packet on a network interface.], 3223519248 = [$id=NDIS_INVALID_DEVICE_REQUEST, $desc=The specified request is not a valid operation for the target device.], 3223519249 = [$id=NDIS_ADAPTER_NOT_READY, $desc=The network interface is not ready to complete this operation.], 3223519252 = [$id=NDIS_INVALID_LENGTH, $desc=The length of the buffer submitted for this operation is not valid.], 3223519253 = [$id=NDIS_INVALID_DATA, $desc=The data used for this operation is not valid.], 3223519254 = [$id=NDIS_BUFFER_TOO_SHORT, $desc=The length of the submitted buffer for this operation is too small.], 3223519255 = [$id=NDIS_INVALID_OID, $desc=The network interface does not support this object identifier.], 3223519256 = [$id=NDIS_ADAPTER_REMOVED, $desc=The network interface has been removed.], 3223519257 = [$id=NDIS_UNSUPPORTED_MEDIA, $desc=The network interface does not support this media type.], 3223519258 = [$id=NDIS_GROUP_ADDRESS_IN_USE, $desc=An attempt was made to remove a token ring group address that is in use by other components.], 3223519259 = [$id=NDIS_FILE_NOT_FOUND, $desc=An attempt was made to map a file that cannot be found.], 3223519260 = [$id=NDIS_ERROR_READING_FILE, $desc=An error occurred while NDIS tried to map the file.], 3223519261 = [$id=NDIS_ALREADY_MAPPED, $desc=An attempt was made to map a file that is already mapped.], 3223519262 = [$id=NDIS_RESOURCE_CONFLICT, $desc=An attempt to allocate a hardware resource failed because the resource is used by another component.], 3223519263 = [$id=NDIS_MEDIA_DISCONNECTED, $desc=The I/O operation failed because the network media is disconnected or the wireless access point is out of range.], 3223519266 = [$id=NDIS_INVALID_ADDRESS, $desc=The network address used in the request is invalid.], 3223519274 = [$id=NDIS_PAUSED, $desc=The offload operation on the network interface has been paused.], 3223519275 = [$id=NDIS_INTERFACE_NOT_FOUND, $desc=The network interface was not found.], 3223519276 = [$id=NDIS_UNSUPPORTED_REVISION, $desc=The revision number specified in the structure is not supported.], 3223519277 = [$id=NDIS_INVALID_PORT, $desc=The specified port does not exist on this network interface.], 3223519278 = [$id=NDIS_INVALID_PORT_STATE, $desc=The current state of the specified port on this network interface does not support the requested operation.], 3223519279 = [$id=NDIS_LOW_POWER_STATE, $desc=The miniport adapter is in a lower power state.], 3223519419 = [$id=NDIS_NOT_SUPPORTED, $desc=The network interface does not support this request.], 3223523343 = [$id=NDIS_OFFLOAD_POLICY, $desc=The TCP connection is not offloadable because of a local policy setting.], 3223523346 = [$id=NDIS_OFFLOAD_CONNECTION_REJECTED, $desc=The TCP connection is not offloadable by the Chimney offload target.], 3223523347 = [$id=NDIS_OFFLOAD_PATH_REJECTED, $desc=The IP Path object is not in an offloadable state.], 3223527424 = [$id=NDIS_DOT11_AUTO_CONFIG_ENABLED, $desc=The wireless LAN interface is in auto-configuration mode and does not support the requested parameter change operation.], 3223527425 = [$id=NDIS_DOT11_MEDIA_IN_USE, $desc=The wireless LAN interface is busy and cannot perform the requested operation.], 3223527426 = [$id=NDIS_DOT11_POWER_STATE_INVALID, $desc=The wireless LAN interface is power down and does not support the requested operation.], 3223527427 = [$id=NDIS_PM_WOL_PATTERN_LIST_FULL, $desc=The list of wake on LAN patterns is full.], 3223527428 = [$id=NDIS_PM_PROTOCOL_OFFLOAD_LIST_FULL, $desc=The list of low power protocol offloads is full.], 3224764417 = [$id=IPSEC_BAD_SPI, $desc=The SPI in the packet does not match a valid IPsec SA.], 3224764418 = [$id=IPSEC_SA_LIFETIME_EXPIRED, $desc=The packet was received on an IPsec SA whose lifetime has expired.], 3224764419 = [$id=IPSEC_WRONG_SA, $desc=The packet was received on an IPsec SA that does not match the packet characteristics.], 3224764420 = [$id=IPSEC_REPLAY_CHECK_FAILED, $desc=The packet sequence number replay check failed.], 3224764421 = [$id=IPSEC_INVALID_PACKET, $desc=The IPsec header and/or trailer in the packet is invalid.], 3224764422 = [$id=IPSEC_INTEGRITY_CHECK_FAILED, $desc=The IPsec integrity check failed.], 3224764423 = [$id=IPSEC_CLEAR_TEXT_DROP, $desc=IPsec dropped a clear text packet.], 3224764424 = [$id=IPSEC_AUTH_FIREWALL_DROP, $desc=IPsec dropped an incoming ESP packet in authenticated firewall mode.  This drop is benign.], 3224764425 = [$id=IPSEC_THROTTLE_DROP, $desc=IPsec dropped a packet due to DOS throttle.], 3224797184 = [$id=IPSEC_DOSP_BLOCK, $desc=IPsec Dos Protection matched an explicit block rule.], 3224797185 = [$id=IPSEC_DOSP_RECEIVED_MULTICAST, $desc=IPsec Dos Protection received an IPsec specific multicast packet which is not allowed.], 3224797186 = [$id=IPSEC_DOSP_INVALID_PACKET, $desc=IPsec Dos Protection received an incorrectly formatted packet.], 3224797187 = [$id=IPSEC_DOSP_STATE_LOOKUP_FAILED, $desc=IPsec Dos Protection failed to lookup state.], 3224797188 = [$id=IPSEC_DOSP_MAX_ENTRIES, $desc=IPsec Dos Protection failed to create state because there are already maximum number of entries allowed by policy.], 3224797189 = [$id=IPSEC_DOSP_KEYMOD_NOT_ALLOWED, $desc=IPsec Dos Protection received an IPsec negotiation packet for a keying module which is not allowed by policy.], 3224797190 = [$id=IPSEC_DOSP_MAX_PER_IP_RATELIMIT_QUEUES, $desc=IPsec Dos Protection failed to create per internal IP ratelimit queue because there is already maximum number of queues allowed by policy.], 3224895579 = [$id=VOLMGR_MIRROR_NOT_SUPPORTED, $desc=The system does not support mirrored volumes.], 3224895580 = [$id=VOLMGR_RAID5_NOT_SUPPORTED, $desc=The system does not support RAID-5 volumes.], 3225026580 = [$id=VIRTDISK_PROVIDER_NOT_FOUND, $desc=A virtual disk support provider for the specified file was not found.], 3225026581 = [$id=VIRTDISK_NOT_VIRTUAL_DISK, $desc=The specified disk is not a virtual disk.], 3225026582 = [$id=VHD_PARENT_VHD_ACCESS_DENIED, $desc=The chain of virtual hard disks is inaccessible. The process has not been granted access rights to the parent virtual hard disk for the differencing disk.], 3225026583 = [$id=VHD_CHILD_PARENT_SIZE_MISMATCH, $desc=The chain of virtual hard disks is corrupted. There is a mismatch in the virtual sizes of the parent virtual hard disk and differencing disk.], 3225026584 = [$id=VHD_DIFFERENCING_CHAIN_CYCLE_DETECTED, $desc=The chain of virtual hard disks is corrupted. A differencing disk is indicated in its own parent chain.], 3225026585 = [$id=VHD_DIFFERENCING_CHAIN_ERROR_IN_PARENT, $desc=The chain of virtual hard disks is inaccessible. There was an error opening a virtual hard disk further up the chain.]
+
+
+
+.. zeek:id:: SMB::wksta_cmds
+   :source-code: base/protocols/smb/consts.zeek 85 85
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "NetrWkstaUserEnum",
+            [25] = "NetrValidateName2",
+            [20] = "NetrGetJoinInformation",
+            [29] = "NetrSetPrimaryComputerName",
+            [6] = "NetrWkstaTransportAdd",
+            [30] = "NetrEnumerateComputerNames",
+            [24] = "NetrRenameMachineInDomain2",
+            [28] = "NetrRemoveAlternateComputerName",
+            [23] = "NetrUnjoinDomain2",
+            [8] = "NetrUseAdd",
+            [9] = "NetrUseGetInfo",
+            [27] = "NetrAddAlternateComputerName",
+            [1] = "NetrWkstaSetInfo",
+            [11] = "NetrUseEnum",
+            [7] = "NetrWkstaTransportDel",
+            [5] = "NetrWkstaTransportEnum",
+            [10] = "NetrUseDel",
+            [22] = "NetrJoinDomain2",
+            [13] = "NetrWorkstationStatisticsGet",
+            [26] = "NetrGetJoinableOUs2",
+            [0] = "NetrWkstaGetInfo"
+         }
+
+
+   Workstation service sub commands.
+
+Constants
+#########
+.. zeek:id:: SMB1::commands
+   :source-code: base/protocols/smb/consts.zeek 122 122
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [19] = "LOCK_AND_READ",
+            [20] = "WRITE_AND_UNLOCK",
+            [33] = "QUERY_SERVER",
+            [39] = "IOCTL",
+            [30] = "WRITE_MPX",
+            [46] = "READ_ANDX",
+            [15] = "CREATE_NEW",
+            [28] = "READ_MPX_SECONDARY",
+            [164] = "NT_CANCEL",
+            [9] = "SET_INFORMATION",
+            [53] = "FIND_NOTIFY_CLOSE",
+            [52] = "FIND_CLOSE2",
+            [4] = "CLOSE",
+            [12] = "LOCK_BYTE_RANGE",
+            [130] = "FIND",
+            [41] = "COPY",
+            [17] = "PROCESS_EXIT",
+            [29] = "WRITE_RAW",
+            [16] = "CHECK_DIRECTORY",
+            [115] = "SESSION_SETUP_ANDX",
+            [38] = "TRANSACTION_SECONDARY",
+            [165] = "NT_RENAME",
+            [193] = "WRITE_PRINT_FILE",
+            [42] = "MOVE",
+            [1] = "DELETE_DIRECTORY",
+            [116] = "LOGOFF_ANDX",
+            [11] = "WRITE",
+            [113] = "TREE_DISCONNECT",
+            [35] = "QUERY_INFORMATION2",
+            [216] = "READ_BULK",
+            [43] = "ECHO",
+            [114] = "NEGOTIATE",
+            [3] = "CREATE",
+            [44] = "WRITE_AND_CLOSE",
+            [129] = "SEARCH",
+            [34] = "SET_INFORMATION2",
+            [45] = "OPEN_ANDX",
+            [40] = "IOCTL_SECONDARY",
+            [194] = "CLOSE_PRINT_FILE",
+            [36] = "LOCKING_ANDX",
+            [14] = "CREATE_TEMPORARY",
+            [6] = "DELETE",
+            [31] = "WRITE_MPX_SECONDARY",
+            [8] = "QUERY_INFORMATION",
+            [192] = "OPEN_PRINT_FILE",
+            [27] = "READ_MPX",
+            [195] = "GET_PRINT_QUEUE",
+            [7] = "RENAME",
+            [10] = "READ",
+            [32] = "WRITE_COMPLETE",
+            [26] = "READ_RAW",
+            [13] = "UNLOCK_BYTE_RANGE",
+            [128] = "QUERY_INFORMATION_DISK",
+            [218] = "WRITE_BULK_DATA",
+            [217] = "WRITE_BULK",
+            [160] = "NT_TRANSACT",
+            [47] = "WRITE_ANDX",
+            [50] = "TRANSACTION2",
+            [2] = "OPEN",
+            [132] = "FIND_CLOSE",
+            [48] = "NEW_FILE_SIZE",
+            [49] = "CLOSE_AND_TREE_DISC",
+            [162] = "NT_CREATE_ANDX",
+            [5] = "FLUSH",
+            [112] = "TREE_CONNECT",
+            [161] = "NT_TRANSACT_SECONDARY",
+            [51] = "TRANSACTION2_SECONDARY",
+            [37] = "TRANSACTION",
+            [18] = "SEEK",
+            [117] = "TREE_CONNECT_ANDX",
+            [0] = "CREATE_DIRECTORY",
+            [131] = "FIND_UNIQUE"
+         }
+
+
+
+.. zeek:id:: SMB1::trans2_sub_commands
+   :source-code: base/protocols/smb/consts.zeek 197 197
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "FIND_NEXT2",
+            [6] = "SET_PATH_INFORMATION",
+            [14] = "SESSION_SETUP",
+            [16] = "GET_DFS_REFERRAL",
+            [8] = "SET_FILE_INFORMATION",
+            [9] = "FSCTL",
+            [1] = "FIND_FIRST2",
+            [11] = "FIND_NOTIFY_FIRST",
+            [7] = "QUERY_FILE_INFORMATION",
+            [5] = "QUERY_PATH_INFORMATION",
+            [10] = "IOCTL",
+            [4] = "SET_FS_INFORMATION",
+            [13] = "CREATE_DIRECTORY",
+            [12] = "FIND_NOTIFY_NEXT",
+            [3] = "QUERY_FS_INFORMATION",
+            [17] = "REPORT_DFS_INCONSISTENCY",
+            [0] = "OPEN2"
+         }
+
+
+
+.. zeek:id:: SMB1::trans_sub_commands
+   :source-code: base/protocols/smb/consts.zeek 217 217
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [55] = "WRITE_NMPIPE",
+            [38] = "TRANSACT_NMPIPE",
+            [54] = "READ_NMPIPE",
+            [33] = "QUERY_NMPIPE_STATE",
+            [17] = "RAW_READ_NMPIPE",
+            [35] = "PEEK_NMPIPE",
+            [49] = "RAW_WRITE_NMPIPE",
+            [34] = "QUERY_NMPIPE_INFO",
+            [1] = "SET_NMPIPE_STATE",
+            [83] = "WAIT_NMPIPE",
+            [84] = "CALL_NMPIPE"
+         }
+
+
+
+.. zeek:id:: SMB2::commands
+   :source-code: base/protocols/smb/consts.zeek 235 235
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "LOGOFF",
+            [14] = "QUERY_DIRECTORY",
+            [15] = "CHANGE_NOTIFY",
+            [6] = "CLOSE",
+            [16] = "QUERY_INFO",
+            [8] = "READ",
+            [9] = "WRITE",
+            [1] = "SESSION_SETUP",
+            [11] = "IOCTL",
+            [7] = "FLUSH",
+            [5] = "CREATE",
+            [10] = "LOCK",
+            [4] = "TREE_DISCONNECT",
+            [13] = "ECHO",
+            [12] = "CANCEL",
+            [18] = "OPLOCK_BREAK",
+            [3] = "TREE_CONNECT",
+            [17] = "SET_INFO",
+            [0] = "NEGOTIATE_PROTOCOL"
+         }
+
+
+
+.. zeek:id:: SMB2::dialects
+   :source-code: base/protocols/smb/consts.zeek 257 257
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [528] = "2.1",
+            [770] = "3.0.2",
+            [768] = "3.0",
+            [767] = "2.1+",
+            [514] = "2.0.2",
+            [785] = "3.1.1"
+         }
+
+
+
+.. zeek:id:: SMB2::share_types
+   :source-code: base/protocols/smb/consts.zeek 266 266
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "PIPE",
+            [1] = "DISK",
+            [3] = "PRINT"
+         }
+
+
+
+Types
+#####
+.. zeek:type:: SMB::StatusCode
+   :source-code: base/protocols/smb/consts.zeek 4 7
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`string`
+
+
+   .. zeek:field:: desc :zeek:type:`string`
+
+
+
+.. zeek:type:: SMB::rpc_cmd_table
+   :source-code: base/protocols/smb/consts.zeek 109 109
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+
+
+
diff --git a/doc/scripts/base/protocols/smb/files.zeek.rst b/doc/scripts/base/protocols/smb/files.zeek.rst
new file mode 100644
index 0000000000..2cb49c0b9d
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/files.zeek.rst
@@ -0,0 +1,39 @@
+:tocdepth: 3
+
+base/protocols/smb/files.zeek
+=============================
+.. zeek:namespace:: SMB
+
+
+:Namespace: SMB
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/smb/main.zeek </scripts/base/protocols/smb/main.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+====================================================== =====================================
+:zeek:id:`SMB::describe_file`: :zeek:type:`function`   Default file describer for SMB.
+:zeek:id:`SMB::get_file_handle`: :zeek:type:`function` Default file handle provider for SMB.
+====================================================== =====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: SMB::describe_file
+   :source-code: base/protocols/smb/files.zeek 36 48
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
+
+   Default file describer for SMB.
+
+.. zeek:id:: SMB::get_file_handle
+   :source-code: base/protocols/smb/files.zeek 14 34
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+   Default file handle provider for SMB.
+
+
diff --git a/doc/scripts/base/protocols/smb/index.rst b/doc/scripts/base/protocols/smb/index.rst
new file mode 100644
index 0000000000..3ccfc5f322
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/index.rst
@@ -0,0 +1,31 @@
+:orphan:
+
+Package: base/protocols/smb
+===========================
+
+Support for SMB protocol analysis.
+
+:doc:`/scripts/base/protocols/smb/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/smb/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/smb/const-dos-error.zeek`
+
+
+:doc:`/scripts/base/protocols/smb/const-nt-status.zeek`
+
+
+:doc:`/scripts/base/protocols/smb/main.zeek`
+
+
+:doc:`/scripts/base/protocols/smb/smb1-main.zeek`
+
+
+:doc:`/scripts/base/protocols/smb/smb2-main.zeek`
+
+
+:doc:`/scripts/base/protocols/smb/files.zeek`
+
+
diff --git a/doc/scripts/base/protocols/smb/main.zeek.rst b/doc/scripts/base/protocols/smb/main.zeek.rst
new file mode 100644
index 0000000000..83607e8179
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/main.zeek.rst
@@ -0,0 +1,445 @@
+:tocdepth: 3
+
+base/protocols/smb/main.zeek
+============================
+.. zeek:namespace:: SMB
+
+
+:Namespace: SMB
+:Imports: :doc:`base/protocols/smb/const-dos-error.zeek </scripts/base/protocols/smb/const-dos-error.zeek>`, :doc:`base/protocols/smb/const-nt-status.zeek </scripts/base/protocols/smb/const-nt-status.zeek>`, :doc:`base/protocols/smb/consts.zeek </scripts/base/protocols/smb/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================ ===========================================================
+:zeek:id:`SMB::enable_clear_script_state`: :zeek:type:`bool` :zeek:attr:`&redef` Whether to reset a connection's SMB script state whenever a
+                                                                                 :zeek:see:`smb2_discarded_messages_state` event is raised.
+:zeek:id:`SMB::logged_file_actions`: :zeek:type:`set` :zeek:attr:`&redef`        The file actions which are logged.
+================================================================================ ===========================================================
+
+Types
+#####
+=============================================== =======================================================
+:zeek:type:`SMB::Action`: :zeek:type:`enum`     Abstracted actions for SMB file actions.
+:zeek:type:`SMB::CmdInfo`: :zeek:type:`record`  This record is for the smb_cmd.log
+:zeek:type:`SMB::FileInfo`: :zeek:type:`record` This record is for the smb_files.log
+:zeek:type:`SMB::State`: :zeek:type:`record`    This record stores the SMB state of in-flight commands,
+                                                the file and tree map of the connection.
+:zeek:type:`SMB::TreeInfo`: :zeek:type:`record` This record is for the smb_mapping.log
+=============================================== =======================================================
+
+Redefinitions
+#############
+==================================================================== ============================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`SMB::FILES_LOG`
+                                                                     
+                                                                     * :zeek:enum:`SMB::MAPPING_LOG`
+:zeek:type:`SMB::FileInfo`: :zeek:type:`record`                      
+                                                                     
+                                                                     :New Fields: :zeek:type:`SMB::FileInfo`
+                                                                     
+                                                                       fid: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                         ID referencing this file.
+                                                                     
+                                                                       uuid: :zeek:type:`string` :zeek:attr:`&optional`
+                                                                         UUID referencing this file if DCE/RPC.
+:zeek:type:`connection`: :zeek:type:`record`                         Everything below here is used internally in the SMB scripts.
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       smb_state: :zeek:type:`SMB::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ============================================================
+
+Hooks
+#####
+================================================================ =
+:zeek:id:`SMB::log_policy_files`: :zeek:type:`Log::PolicyHook`   
+:zeek:id:`SMB::log_policy_mapping`: :zeek:type:`Log::PolicyHook` 
+================================================================ =
+
+Functions
+#########
+=========================================================================== ====================================
+:zeek:id:`SMB::set_current_file`: :zeek:type:`function` :zeek:attr:`&redef` This is an internally used function.
+:zeek:id:`SMB::write_file_log`: :zeek:type:`function` :zeek:attr:`&redef`   This is an internally used function.
+=========================================================================== ====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SMB::enable_clear_script_state
+   :source-code: base/protocols/smb/main.zeek 52 52
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether to reset a connection's SMB script state whenever a
+   :zeek:see:`smb2_discarded_messages_state` event is raised.
+   
+   This setting protects from unbounded script state growth in
+   environments with high capture loss or traffic anomalies.
+
+.. zeek:id:: SMB::logged_file_actions
+   :source-code: base/protocols/smb/main.zeek 38 38
+
+   :Type: :zeek:type:`set` [:zeek:type:`SMB::Action`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            SMB::PRINT_CLOSE,
+            SMB::FILE_DELETE,
+            SMB::FILE_OPEN,
+            SMB::FILE_RENAME,
+            SMB::PRINT_OPEN
+         }
+
+
+   The file actions which are logged.
+
+Types
+#####
+.. zeek:type:: SMB::Action
+   :source-code: base/protocols/smb/main.zeek 17 36
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: SMB::FILE_READ SMB::Action
+
+      .. zeek:enum:: SMB::FILE_WRITE SMB::Action
+
+      .. zeek:enum:: SMB::FILE_OPEN SMB::Action
+
+      .. zeek:enum:: SMB::FILE_CLOSE SMB::Action
+
+      .. zeek:enum:: SMB::FILE_DELETE SMB::Action
+
+      .. zeek:enum:: SMB::FILE_RENAME SMB::Action
+
+      .. zeek:enum:: SMB::FILE_SET_ATTRIBUTE SMB::Action
+
+      .. zeek:enum:: SMB::PIPE_READ SMB::Action
+
+      .. zeek:enum:: SMB::PIPE_WRITE SMB::Action
+
+      .. zeek:enum:: SMB::PIPE_OPEN SMB::Action
+
+      .. zeek:enum:: SMB::PIPE_CLOSE SMB::Action
+
+      .. zeek:enum:: SMB::PRINT_READ SMB::Action
+
+      .. zeek:enum:: SMB::PRINT_WRITE SMB::Action
+
+      .. zeek:enum:: SMB::PRINT_OPEN SMB::Action
+
+      .. zeek:enum:: SMB::PRINT_CLOSE SMB::Action
+
+   Abstracted actions for SMB file actions.
+
+.. zeek:type:: SMB::CmdInfo
+   :source-code: base/protocols/smb/main.zeek 101 136
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+
+      Timestamp of the command request.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID of the connection the request was sent over.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      ID of the connection the request was sent over.
+
+
+   .. zeek:field:: command :zeek:type:`string` :zeek:attr:`&log`
+
+      The command sent by the client.
+
+
+   .. zeek:field:: sub_command :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The subcommand sent by the client, if present.
+
+
+   .. zeek:field:: argument :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Command argument sent by the client, if any.
+
+
+   .. zeek:field:: status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server reply to the client's command.
+
+
+   .. zeek:field:: rtt :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Round trip time from the request to the response.
+
+
+   .. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log`
+
+      Version of SMB for the command.
+
+
+   .. zeek:field:: username :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Authenticated username, if available.
+
+
+   .. zeek:field:: tree :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If this is related to a tree, this is the tree
+      that was used for the current command.
+
+
+   .. zeek:field:: tree_service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The type of tree (disk share, printer share, named pipe, etc.).
+
+
+   .. zeek:field:: referenced_file :zeek:type:`SMB::FileInfo` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the command referenced a file, store it here.
+
+
+   .. zeek:field:: referenced_tree :zeek:type:`SMB::TreeInfo` :zeek:attr:`&optional`
+
+      If the command referenced a tree, store it here.
+
+
+   .. zeek:field:: smb1_offered_dialects :zeek:type:`string_vec` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smb/smb1-main.zeek` is loaded)
+
+      Dialects offered by the client.
+
+
+   .. zeek:field:: smb2_offered_dialects :zeek:type:`index_vec` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smb/smb2-main.zeek` is loaded)
+
+      Dialects offered by the client.
+
+
+   .. zeek:field:: smb2_create_options :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smb/smb2-main.zeek` is loaded)
+
+      Keep the create_options in the command for
+      referencing later.
+
+
+   This record is for the smb_cmd.log
+
+.. zeek:type:: SMB::FileInfo
+   :source-code: base/protocols/smb/main.zeek 55 78
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+
+      Time when the file was first discovered.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID of the connection the file was sent over.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      ID of the connection the file was sent over.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Unique ID of the file.
+
+
+   .. zeek:field:: action :zeek:type:`SMB::Action` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Action this log record represents.
+
+
+   .. zeek:field:: path :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Path pulled from the tree this file was transferred to or from.
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Filename if one was seen.
+
+
+   .. zeek:field:: size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Total size of the file.
+
+
+   .. zeek:field:: prev_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the rename action was seen, this will be
+      the file's previous name.
+
+
+   .. zeek:field:: times :zeek:type:`SMB::MACTimes` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Last time this file was modified.
+
+
+   .. zeek:field:: fid :zeek:type:`count` :zeek:attr:`&optional`
+
+      ID referencing this file.
+
+
+   .. zeek:field:: uuid :zeek:type:`string` :zeek:attr:`&optional`
+
+      UUID referencing this file if DCE/RPC.
+
+
+   This record is for the smb_files.log
+
+.. zeek:type:: SMB::State
+   :source-code: base/protocols/smb/main.zeek 140 161
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: current_cmd :zeek:type:`SMB::CmdInfo` :zeek:attr:`&optional`
+
+      A reference to the current command.
+
+
+   .. zeek:field:: current_file :zeek:type:`SMB::FileInfo` :zeek:attr:`&optional`
+
+      A reference to the current file.
+
+
+   .. zeek:field:: current_tree :zeek:type:`SMB::TreeInfo` :zeek:attr:`&optional`
+
+      A reference to the current tree.
+
+
+   .. zeek:field:: pending_cmds :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`SMB::CmdInfo` :zeek:attr:`&optional`
+
+      Indexed on MID to map responses to requests.
+
+
+   .. zeek:field:: fid_map :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`SMB::FileInfo` :zeek:attr:`&optional`
+
+      File map to retrieve file information based on the file ID.
+
+
+   .. zeek:field:: tid_map :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`SMB::TreeInfo` :zeek:attr:`&optional`
+
+      Tree map to retrieve tree information based on the tree ID.
+
+
+   .. zeek:field:: pipe_map :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string` :zeek:attr:`&optional`
+
+      Pipe map to retrieve UUID based on the file ID of a pipe.
+
+
+   .. zeek:field:: recent_files :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      A set of recent files to avoid logging the same
+      files over and over in the smb files log.
+      This only applies to files seen in a single connection.
+
+
+   This record stores the SMB state of in-flight commands,
+   the file and tree map of the connection.
+
+.. zeek:type:: SMB::TreeInfo
+   :source-code: base/protocols/smb/main.zeek 81 98
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
+
+      Time when the tree was mapped.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID of the connection the tree was mapped over.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      ID of the connection the tree was mapped over.
+
+
+   .. zeek:field:: path :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Name of the tree path.
+
+
+   .. zeek:field:: service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The type of resource of the tree (disk share, printer share, named pipe, etc.).
+
+
+   .. zeek:field:: native_file_system :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      File system of the tree.
+
+
+   .. zeek:field:: share_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``"DISK"`` :zeek:attr:`&optional`
+
+      If this is SMB2, a share type will be included.  For SMB1,
+      the type of share will be deduced and included as well.
+
+
+   This record is for the smb_mapping.log
+
+Hooks
+#####
+.. zeek:id:: SMB::log_policy_files
+   :source-code: base/protocols/smb/main.zeek 13 13
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+.. zeek:id:: SMB::log_policy_mapping
+   :source-code: base/protocols/smb/main.zeek 14 14
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+Functions
+#########
+.. zeek:id:: SMB::set_current_file
+   :source-code: base/protocols/smb/main.zeek 195 205
+
+   :Type: :zeek:type:`function` (smb_state: :zeek:type:`SMB::State`, file_id: :zeek:type:`count`) : :zeek:type:`void`
+   :Attributes: :zeek:attr:`&redef`
+
+   This is an internally used function.
+
+.. zeek:id:: SMB::write_file_log
+   :source-code: base/protocols/smb/main.zeek 207 241
+
+   :Type: :zeek:type:`function` (state: :zeek:type:`SMB::State`) : :zeek:type:`void`
+   :Attributes: :zeek:attr:`&redef`
+
+   This is an internally used function.
+
+
diff --git a/doc/scripts/base/protocols/smb/smb1-main.zeek.rst b/doc/scripts/base/protocols/smb/smb1-main.zeek.rst
new file mode 100644
index 0000000000..2682e428f7
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/smb1-main.zeek.rst
@@ -0,0 +1,27 @@
+:tocdepth: 3
+
+base/protocols/smb/smb1-main.zeek
+=================================
+.. zeek:namespace:: SMB1
+
+
+:Namespace: SMB1
+:Imports: :doc:`base/protocols/smb/main.zeek </scripts/base/protocols/smb/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== =======================================================================
+:zeek:type:`SMB::CmdInfo`: :zeek:type:`record` 
+                                               
+                                               :New Fields: :zeek:type:`SMB::CmdInfo`
+                                               
+                                                 smb1_offered_dialects: :zeek:type:`string_vec` :zeek:attr:`&optional`
+                                                   Dialects offered by the client.
+============================================== =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/smb/smb2-main.zeek.rst b/doc/scripts/base/protocols/smb/smb2-main.zeek.rst
new file mode 100644
index 0000000000..b7214d69e9
--- /dev/null
+++ b/doc/scripts/base/protocols/smb/smb2-main.zeek.rst
@@ -0,0 +1,31 @@
+:tocdepth: 3
+
+base/protocols/smb/smb2-main.zeek
+=================================
+.. zeek:namespace:: SMB2
+
+
+:Namespace: SMB2
+:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/smb/main.zeek </scripts/base/protocols/smb/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== ==============================================================================================
+:zeek:type:`SMB::CmdInfo`: :zeek:type:`record` 
+                                               
+                                               :New Fields: :zeek:type:`SMB::CmdInfo`
+                                               
+                                                 smb2_offered_dialects: :zeek:type:`index_vec` :zeek:attr:`&optional`
+                                                   Dialects offered by the client.
+                                               
+                                                 smb2_create_options: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                   Keep the create_options in the command for
+                                                   referencing later.
+============================================== ==============================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/smtp/__load__.zeek.rst b/doc/scripts/base/protocols/smtp/__load__.zeek.rst
new file mode 100644
index 0000000000..836454efee
--- /dev/null
+++ b/doc/scripts/base/protocols/smtp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/smtp/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/smtp/entities.zeek </scripts/base/protocols/smtp/entities.zeek>`, :doc:`base/protocols/smtp/files.zeek </scripts/base/protocols/smtp/files.zeek>`, :doc:`base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/smtp/entities.zeek.rst b/doc/scripts/base/protocols/smtp/entities.zeek.rst
new file mode 100644
index 0000000000..fc71e9710d
--- /dev/null
+++ b/doc/scripts/base/protocols/smtp/entities.zeek.rst
@@ -0,0 +1,62 @@
+:tocdepth: 3
+
+base/protocols/smtp/entities.zeek
+=================================
+.. zeek:namespace:: SMTP
+
+Analysis and logging for MIME entities found in SMTP sessions.
+
+:Namespace: SMTP
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`, :doc:`base/utils/strings.zeek </scripts/base/utils/strings.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================== =
+:zeek:type:`SMTP::Entity`: :zeek:type:`record` 
+============================================== =
+
+Redefinitions
+#############
+============================================= =====================================================================================
+:zeek:type:`SMTP::Info`: :zeek:type:`record`  
+                                              
+                                              :New Fields: :zeek:type:`SMTP::Info`
+                                              
+                                                entity: :zeek:type:`SMTP::Entity` :zeek:attr:`&optional`
+                                                  The current entity being seen.
+:zeek:type:`SMTP::State`: :zeek:type:`record` 
+                                              
+                                              :New Fields: :zeek:type:`SMTP::State`
+                                              
+                                                mime_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                  Track the number of MIME encoded files transferred
+                                                  during a session.
+============================================= =====================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: SMTP::Entity
+   :source-code: base/protocols/smtp/entities.zeek 12 15
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: filename :zeek:type:`string` :zeek:attr:`&optional`
+
+      Filename for the entity if discovered from a header.
+
+
+   .. zeek:field:: excerpt :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/smtp/entities-excerpt.zeek` is loaded)
+
+      The entity body excerpt.
+
+
+
+
diff --git a/doc/scripts/base/protocols/smtp/files.zeek.rst b/doc/scripts/base/protocols/smtp/files.zeek.rst
new file mode 100644
index 0000000000..ee2cb56160
--- /dev/null
+++ b/doc/scripts/base/protocols/smtp/files.zeek.rst
@@ -0,0 +1,55 @@
+:tocdepth: 3
+
+base/protocols/smtp/files.zeek
+==============================
+.. zeek:namespace:: SMTP
+
+
+:Namespace: SMTP
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/smtp/entities.zeek </scripts/base/protocols/smtp/entities.zeek>`, :doc:`base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ===========================================================================================================================
+:zeek:type:`SMTP::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`SMTP::Info`
+                                             
+                                               fuids: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+                                                 An ordered vector of file unique IDs seen attached to
+                                                 the message.
+                                             
+                                               rfc822_msg_fuid: :zeek:type:`string` :zeek:attr:`&optional`
+                                                 Tracks the fuid of the top-level RFC822 mail message if
+                                                 :zeek:see:`SMTP::enable_rfc822_msg_file_analysis` is set.
+============================================ ===========================================================================================================================
+
+Functions
+#########
+======================================================= ======================================
+:zeek:id:`SMTP::describe_file`: :zeek:type:`function`   Default file describer for SMTP.
+:zeek:id:`SMTP::get_file_handle`: :zeek:type:`function` Default file handle provider for SMTP.
+======================================================= ======================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: SMTP::describe_file
+   :source-code: base/protocols/smtp/files.zeek 36 47
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
+
+   Default file describer for SMTP.
+
+.. zeek:id:: SMTP::get_file_handle
+   :source-code: base/protocols/smtp/files.zeek 26 34
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+   Default file handle provider for SMTP.
+
+
diff --git a/doc/scripts/base/protocols/smtp/index.rst b/doc/scripts/base/protocols/smtp/index.rst
new file mode 100644
index 0000000000..ef2e1394f5
--- /dev/null
+++ b/doc/scripts/base/protocols/smtp/index.rst
@@ -0,0 +1,20 @@
+:orphan:
+
+Package: base/protocols/smtp
+============================
+
+Support for Simple Mail Transfer Protocol (SMTP) analysis.
+
+:doc:`/scripts/base/protocols/smtp/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/smtp/main.zeek`
+
+
+:doc:`/scripts/base/protocols/smtp/entities.zeek`
+
+   Analysis and logging for MIME entities found in SMTP sessions.
+
+:doc:`/scripts/base/protocols/smtp/files.zeek`
+
+
diff --git a/doc/scripts/base/protocols/smtp/main.zeek.rst b/doc/scripts/base/protocols/smtp/main.zeek.rst
new file mode 100644
index 0000000000..b9df2bcae0
--- /dev/null
+++ b/doc/scripts/base/protocols/smtp/main.zeek.rst
@@ -0,0 +1,352 @@
+:tocdepth: 3
+
+base/protocols/smtp/main.zeek
+=============================
+.. zeek:namespace:: SMTP
+
+
+:Namespace: SMTP
+:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`, :doc:`base/utils/email.zeek </scripts/base/utils/email.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+====================================================================================== ================================================================
+:zeek:id:`SMTP::mail_path_capture`: :zeek:type:`Host` :zeek:attr:`&redef`              Direction to capture the full "Received from" path.
+:zeek:id:`SMTP::mail_transaction_validation`: :zeek:type:`bool` :zeek:attr:`&redef`    When seeing a RCPT TO or DATA command, validate that it has been
+                                                                                       preceded by a MAIL FROM or RCPT TO command, respectively, else
+                                                                                       log a weird and possibly disable the SMTP analyzer upon too
+                                                                                       many invalid transactions.
+:zeek:id:`SMTP::max_invalid_mail_transactions`: :zeek:type:`count` :zeek:attr:`&redef` Disable the SMTP analyzer when that many invalid transactions
+                                                                                       have been observed in an SMTP session.
+====================================================================================== ================================================================
+
+Types
+#####
+============================================= =
+:zeek:type:`SMTP::Info`: :zeek:type:`record`  
+:zeek:type:`SMTP::State`: :zeek:type:`record` 
+============================================= =
+
+Redefinitions
+#############
+==================================================================== =============================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`SMTP::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       smtp: :zeek:type:`SMTP::Info` :zeek:attr:`&optional`
+                                                                     
+                                                                       smtp_state: :zeek:type:`SMTP::State` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =============================================================
+
+Events
+######
+============================================= =
+:zeek:id:`SMTP::log_smtp`: :zeek:type:`event` 
+============================================= =
+
+Hooks
+#####
+============================================================== =======================
+:zeek:id:`SMTP::finalize_smtp`: :zeek:type:`Conn::RemovalHook` SMTP finalization hook.
+:zeek:id:`SMTP::log_policy`: :zeek:type:`Log::PolicyHook`      
+============================================================== =======================
+
+Functions
+#########
+================================================ ===========================================================
+:zeek:id:`SMTP::describe`: :zeek:type:`function` Create an extremely shortened representation of a log line.
+================================================ ===========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SMTP::mail_path_capture
+   :source-code: base/protocols/smtp/main.zeek 92 92
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``ALL_HOSTS``
+
+   Direction to capture the full "Received from" path.
+      REMOTE_HOSTS - only capture the path until an internal host is found.
+      LOCAL_HOSTS - only capture the path until the external host is discovered.
+      ALL_HOSTS - always capture the entire path.
+      NO_HOSTS - never capture the path.
+
+.. zeek:id:: SMTP::mail_transaction_validation
+   :source-code: base/protocols/smtp/main.zeek 106 106
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   When seeing a RCPT TO or DATA command, validate that it has been
+   preceded by a MAIL FROM or RCPT TO command, respectively, else
+   log a weird and possibly disable the SMTP analyzer upon too
+   many invalid transactions.
+
+.. zeek:id:: SMTP::max_invalid_mail_transactions
+   :source-code: base/protocols/smtp/main.zeek 110 110
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``25``
+
+   Disable the SMTP analyzer when that many invalid transactions
+   have been observed in an SMTP session.
+
+Types
+#####
+.. zeek:type:: SMTP::Info
+   :source-code: base/protocols/smtp/main.zeek 14 69
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time when the message was first seen.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: trans_depth :zeek:type:`count` :zeek:attr:`&log`
+
+      A count to represent the depth of this message transaction in
+      a single connection where multiple messages were transferred.
+
+
+   .. zeek:field:: helo :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Helo header.
+
+
+   .. zeek:field:: mailfrom :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Email addresses found in the From header.
+
+
+   .. zeek:field:: rcptto :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Email addresses found in the Rcpt header.
+
+
+   .. zeek:field:: date :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Date header.
+
+
+   .. zeek:field:: from :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the From header.
+
+
+   .. zeek:field:: to :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the To header.
+
+
+   .. zeek:field:: cc :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the CC header.
+
+
+   .. zeek:field:: reply_to :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the ReplyTo header.
+
+
+   .. zeek:field:: msg_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the MsgID header.
+
+
+   .. zeek:field:: in_reply_to :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the In-Reply-To header.
+
+
+   .. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the Subject header.
+
+
+   .. zeek:field:: x_originating_ip :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the X-Originating-IP header.
+
+
+   .. zeek:field:: first_received :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the first Received header.
+
+
+   .. zeek:field:: second_received :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Contents of the second Received header.
+
+
+   .. zeek:field:: last_reply :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The last message that the server sent to the client.
+
+
+   .. zeek:field:: path :zeek:type:`vector` of :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The message transmission path, as extracted from the headers.
+
+
+   .. zeek:field:: user_agent :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Value of the User-Agent header from the client.
+
+
+   .. zeek:field:: tls :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates that the connection has switched to using TLS.
+
+
+   .. zeek:field:: process_received_from :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Indicates if the "Received: from" headers should still be
+      processed.
+
+
+   .. zeek:field:: has_client_activity :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Indicates if client activity has been seen, but not yet logged.
+
+
+   .. zeek:field:: process_smtp_headers :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      Indicates if the SMTP headers should still be processed.
+
+
+   .. zeek:field:: entity_count :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: entity :zeek:type:`SMTP::Entity` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smtp/entities.zeek` is loaded)
+
+      The current entity being seen.
+
+
+   .. zeek:field:: fuids :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smtp/files.zeek` is loaded)
+
+      An ordered vector of file unique IDs seen attached to
+      the message.
+
+
+   .. zeek:field:: rfc822_msg_fuid :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smtp/files.zeek` is loaded)
+
+      Tracks the fuid of the top-level RFC822 mail message if
+      :zeek:see:`SMTP::enable_rfc822_msg_file_analysis` is set.
+
+
+   .. zeek:field:: is_webmail :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/smtp/software.zeek` is loaded)
+
+      Boolean indicator of if the message was sent through a
+      webmail interface.
+
+
+
+.. zeek:type:: SMTP::State
+   :source-code: base/protocols/smtp/main.zeek 71 85
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: helo :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: messages_transferred :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Count the number of individual messages transmitted during
+      this SMTP session.  Note, this is not the number of
+      recipients, but the number of message bodies transferred.
+
+
+   .. zeek:field:: pending_messages :zeek:type:`set` [:zeek:type:`SMTP::Info`] :zeek:attr:`&optional`
+
+
+   .. zeek:field:: trans_mail_from_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: trans_rcpt_to_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: invalid_transactions :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: bdat_last_observed :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: analyzer_id :zeek:type:`count` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: mime_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/smtp/entities.zeek` is loaded)
+
+      Track the number of MIME encoded files transferred
+      during a session.
+
+
+
+Events
+######
+.. zeek:id:: SMTP::log_smtp
+   :source-code: base/protocols/smtp/main.zeek 97 97
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`SMTP::Info`)
+
+
+Hooks
+#####
+.. zeek:id:: SMTP::finalize_smtp
+   :source-code: base/protocols/smtp/main.zeek 401 405
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   SMTP finalization hook.  Remaining SMTP info may get logged when it's called.
+
+.. zeek:id:: SMTP::log_policy
+   :source-code: base/protocols/smtp/main.zeek 12 12
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+Functions
+#########
+.. zeek:id:: SMTP::describe
+   :source-code: base/protocols/smtp/main.zeek 416 441
+
+   :Type: :zeek:type:`function` (rec: :zeek:type:`SMTP::Info`) : :zeek:type:`string`
+
+   Create an extremely shortened representation of a log line.
+
+
diff --git a/doc/scripts/base/protocols/snmp/__load__.zeek.rst b/doc/scripts/base/protocols/snmp/__load__.zeek.rst
new file mode 100644
index 0000000000..a4023f1a4d
--- /dev/null
+++ b/doc/scripts/base/protocols/snmp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/snmp/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/snmp/main.zeek </scripts/base/protocols/snmp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/snmp/index.rst b/doc/scripts/base/protocols/snmp/index.rst
new file mode 100644
index 0000000000..3f51e9795a
--- /dev/null
+++ b/doc/scripts/base/protocols/snmp/index.rst
@@ -0,0 +1,14 @@
+:orphan:
+
+Package: base/protocols/snmp
+============================
+
+Support for Simple Network Management Protocol (SNMP) analysis.
+
+:doc:`/scripts/base/protocols/snmp/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/snmp/main.zeek`
+
+   Enables analysis and logging of SNMP datagrams.
+
diff --git a/doc/scripts/base/protocols/snmp/main.zeek.rst b/doc/scripts/base/protocols/snmp/main.zeek.rst
new file mode 100644
index 0000000000..a95200ea7f
--- /dev/null
+++ b/doc/scripts/base/protocols/snmp/main.zeek.rst
@@ -0,0 +1,181 @@
+:tocdepth: 3
+
+base/protocols/snmp/main.zeek
+=============================
+.. zeek:namespace:: SNMP
+
+Enables analysis and logging of SNMP datagrams.
+
+:Namespace: SNMP
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+========================================================================================================== ========================================================
+:zeek:id:`SNMP::version_map`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = ``"unknown"`` Maps an SNMP version integer to a human readable string.
+========================================================================================================== ========================================================
+
+Types
+#####
+============================================ =====================================
+:zeek:type:`SNMP::Info`: :zeek:type:`record` Information tracked per SNMP session.
+============================================ =====================================
+
+Redefinitions
+#############
+==================================================================== ======================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`SNMP::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       snmp: :zeek:type:`SNMP::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ======================================================
+
+Events
+######
+============================================= ====================================================================
+:zeek:id:`SNMP::log_snmp`: :zeek:type:`event` Event that can be handled to access the SNMP record as it is sent on
+                                              to the logging framework.
+============================================= ====================================================================
+
+Hooks
+#####
+============================================================== =======================
+:zeek:id:`SNMP::finalize_snmp`: :zeek:type:`Conn::RemovalHook` SNMP finalization hook.
+:zeek:id:`SNMP::log_policy`: :zeek:type:`Log::PolicyHook`      
+============================================================== =======================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: SNMP::version_map
+   :source-code: base/protocols/snmp/main.zeek 52 52
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef` :zeek:attr:`&default` = ``"unknown"``
+   :Default:
+
+      ::
+
+         {
+            [0] = "1",
+            [1] = "2c",
+            [3] = "3"
+         }
+
+
+   Maps an SNMP version integer to a human readable string.
+
+Types
+#####
+.. zeek:type:: SNMP::Info
+   :source-code: base/protocols/snmp/main.zeek 13 49
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp of first packet belonging to the SNMP session.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      The unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 5-tuple of addresses/ports (ports inherently
+      include transport protocol information)
+
+
+   .. zeek:field:: duration :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`
+
+      The amount of time between the first packet belonging to
+      the SNMP session and the latest one seen.
+
+
+   .. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log`
+
+      The version of SNMP being used.
+
+
+   .. zeek:field:: community :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The community string of the first SNMP packet associated with
+      the session.  This is used as part of SNMP's (v1 and v2c)
+      administrative/security framework.  See :rfc:`1157` or :rfc:`1901`.
+
+
+   .. zeek:field:: get_requests :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of variable bindings in GetRequest/GetNextRequest PDUs
+      seen for the session.
+
+
+   .. zeek:field:: get_bulk_requests :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of variable bindings in GetBulkRequest PDUs seen for
+      the session.
+
+
+   .. zeek:field:: get_responses :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of variable bindings in GetResponse/Response PDUs seen
+      for the session.
+
+
+   .. zeek:field:: set_requests :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of variable bindings in SetRequest PDUs seen for
+      the session.
+
+
+   .. zeek:field:: display_string :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      A system description of the SNMP responder endpoint.
+
+
+   .. zeek:field:: up_since :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The time at which the SNMP responder endpoint claims it's been
+      up since.
+
+
+   Information tracked per SNMP session.
+
+Events
+######
+.. zeek:id:: SNMP::log_snmp
+   :source-code: base/protocols/snmp/main.zeek 60 60
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`SNMP::Info`)
+
+   Event that can be handled to access the SNMP record as it is sent on
+   to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: SNMP::finalize_snmp
+   :source-code: base/protocols/snmp/main.zeek 103 107
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   SNMP finalization hook.  Remaining SNMP info may get logged when it's called.
+
+.. zeek:id:: SNMP::log_policy
+   :source-code: base/protocols/snmp/main.zeek 10 10
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/socks/__load__.zeek.rst b/doc/scripts/base/protocols/socks/__load__.zeek.rst
new file mode 100644
index 0000000000..1d50673fb8
--- /dev/null
+++ b/doc/scripts/base/protocols/socks/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/socks/__load__.zeek
+==================================
+
+
+:Imports: :doc:`base/protocols/socks/consts.zeek </scripts/base/protocols/socks/consts.zeek>`, :doc:`base/protocols/socks/main.zeek </scripts/base/protocols/socks/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/socks/consts.zeek.rst b/doc/scripts/base/protocols/socks/consts.zeek.rst
new file mode 100644
index 0000000000..8d964869a3
--- /dev/null
+++ b/doc/scripts/base/protocols/socks/consts.zeek.rst
@@ -0,0 +1,109 @@
+:tocdepth: 3
+
+base/protocols/socks/consts.zeek
+================================
+.. zeek:namespace:: SOCKS
+
+
+:Namespace: SOCKS
+
+Summary
+~~~~~~~
+Constants
+#########
+============================================================================================================= =
+:zeek:id:`SOCKS::v4_status`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`                 
+:zeek:id:`SOCKS::v5_authentication_methods`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` 
+:zeek:id:`SOCKS::v5_status`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`                 
+============================================================================================================= =
+
+Types
+#####
+================================================== =
+:zeek:type:`SOCKS::RequestType`: :zeek:type:`enum` 
+================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: SOCKS::v4_status
+   :source-code: base/protocols/socks/consts.zeek 22 22
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [92] = "request failed because client is not running identd",
+            [93] = "request failed because client's identd could not confirm the user ID string in the request",
+            [90] = "succeeded",
+            [91] = "general SOCKS server failure"
+         }
+
+
+
+.. zeek:id:: SOCKS::v5_authentication_methods
+   :source-code: base/protocols/socks/consts.zeek 10 10
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "Username/Password",
+            [8] = "Multi-Authentication Framework",
+            [7] = "NDS Authentication",
+            [5] = "Challenge-Response Authentication Method",
+            [3] = "Challenge-Handshake Authentication Protocol",
+            [0] = "No Authentication Required",
+            [6] = "Secure Sockets Layer",
+            [255] = "No Acceptable Methods",
+            [1] = "GSSAPI"
+         }
+
+
+
+.. zeek:id:: SOCKS::v5_status
+   :source-code: base/protocols/socks/consts.zeek 29 29
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "connection not allowed by ruleset",
+            [8] = "Address type not supported",
+            [5] = "Connection refused",
+            [7] = "Command not supported",
+            [3] = "Network unreachable",
+            [0] = "succeeded",
+            [6] = "TTL expired",
+            [4] = "Host unreachable",
+            [1] = "general SOCKS server failure"
+         }
+
+
+
+Types
+#####
+.. zeek:type:: SOCKS::RequestType
+   :source-code: base/protocols/socks/consts.zeek 4 9
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: SOCKS::CONNECTION SOCKS::RequestType
+
+      .. zeek:enum:: SOCKS::PORT SOCKS::RequestType
+
+      .. zeek:enum:: SOCKS::UDP_ASSOCIATE SOCKS::RequestType
+
+
+
diff --git a/doc/scripts/base/protocols/socks/index.rst b/doc/scripts/base/protocols/socks/index.rst
new file mode 100644
index 0000000000..970ffc84bc
--- /dev/null
+++ b/doc/scripts/base/protocols/socks/index.rst
@@ -0,0 +1,16 @@
+:orphan:
+
+Package: base/protocols/socks
+=============================
+
+Support for Socket Secure (SOCKS) protocol analysis.
+
+:doc:`/scripts/base/protocols/socks/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/socks/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/socks/main.zeek`
+
+
diff --git a/doc/scripts/base/protocols/socks/main.zeek.rst b/doc/scripts/base/protocols/socks/main.zeek.rst
new file mode 100644
index 0000000000..ae15a659a4
--- /dev/null
+++ b/doc/scripts/base/protocols/socks/main.zeek.rst
@@ -0,0 +1,164 @@
+:tocdepth: 3
+
+base/protocols/socks/main.zeek
+==============================
+.. zeek:namespace:: SOCKS
+
+
+:Namespace: SOCKS
+:Imports: :doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/socks/consts.zeek </scripts/base/protocols/socks/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================= ======================================
+:zeek:id:`SOCKS::default_capture_password`: :zeek:type:`bool` :zeek:attr:`&redef` Whether passwords are captured or not.
+================================================================================= ======================================
+
+Types
+#####
+============================================= ===========================================================
+:zeek:type:`SOCKS::Info`: :zeek:type:`record` The record type which contains the fields of the SOCKS log.
+============================================= ===========================================================
+
+Redefinitions
+#############
+==================================================================== ========================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`SOCKS::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       socks: :zeek:type:`SOCKS::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ========================================================
+
+Events
+######
+=============================================== =================================================
+:zeek:id:`SOCKS::log_socks`: :zeek:type:`event` Event that can be handled to access the SOCKS
+                                                record as it is sent on to the logging framework.
+=============================================== =================================================
+
+Hooks
+#####
+================================================================ ========================
+:zeek:id:`SOCKS::finalize_socks`: :zeek:type:`Conn::RemovalHook` SOCKS finalization hook.
+:zeek:id:`SOCKS::log_policy`: :zeek:type:`Log::PolicyHook`       
+================================================================ ========================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SOCKS::default_capture_password
+   :source-code: base/protocols/socks/main.zeek 13 13
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether passwords are captured or not.
+
+Types
+#####
+.. zeek:type:: SOCKS::Info
+   :source-code: base/protocols/socks/main.zeek 16 43
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time when the proxy connection was first detected.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the tunnel - may correspond to connection uid
+      or be nonexistent.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: version :zeek:type:`count` :zeek:attr:`&log`
+
+      Protocol version of SOCKS.
+
+
+   .. zeek:field:: user :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Username used to request a login to the proxy.
+
+
+   .. zeek:field:: password :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Password used to request a login to the proxy.
+
+
+   .. zeek:field:: status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server status for the attempt at using the proxy.
+
+
+   .. zeek:field:: request :zeek:type:`SOCKS::Address` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Client requested SOCKS address. Could be an address, a name
+      or both.
+
+
+   .. zeek:field:: request_p :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Client requested port.
+
+
+   .. zeek:field:: bound :zeek:type:`SOCKS::Address` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server bound address. Could be an address, a name or both.
+
+
+   .. zeek:field:: bound_p :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Server bound port.
+
+
+   .. zeek:field:: capture_password :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`SOCKS::default_capture_password` :zeek:attr:`&optional`
+
+      Determines if the password will be captured for this request.
+
+
+   The record type which contains the fields of the SOCKS log.
+
+Events
+######
+.. zeek:id:: SOCKS::log_socks
+   :source-code: base/protocols/socks/main.zeek 47 47
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`SOCKS::Info`)
+
+   Event that can be handled to access the SOCKS
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: SOCKS::finalize_socks
+   :source-code: base/protocols/socks/main.zeek 123 129
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   SOCKS finalization hook.  Remaining SOCKS info may get logged when it's called.
+
+.. zeek:id:: SOCKS::log_policy
+   :source-code: base/protocols/socks/main.zeek 10 10
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/ssh/__load__.zeek.rst b/doc/scripts/base/protocols/ssh/__load__.zeek.rst
new file mode 100644
index 0000000000..da8ae1a7de
--- /dev/null
+++ b/doc/scripts/base/protocols/ssh/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/ssh/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/ssh/main.zeek </scripts/base/protocols/ssh/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/ssh/index.rst b/doc/scripts/base/protocols/ssh/index.rst
new file mode 100644
index 0000000000..04bbcd284a
--- /dev/null
+++ b/doc/scripts/base/protocols/ssh/index.rst
@@ -0,0 +1,14 @@
+:orphan:
+
+Package: base/protocols/ssh
+===========================
+
+Support for SSH protocol analysis.
+
+:doc:`/scripts/base/protocols/ssh/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/ssh/main.zeek`
+
+   Implements base functionality for SSH analysis. Generates the ssh.log file.
+
diff --git a/doc/scripts/base/protocols/ssh/main.zeek.rst b/doc/scripts/base/protocols/ssh/main.zeek.rst
new file mode 100644
index 0000000000..fe054dd556
--- /dev/null
+++ b/doc/scripts/base/protocols/ssh/main.zeek.rst
@@ -0,0 +1,298 @@
+:tocdepth: 3
+
+base/protocols/ssh/main.zeek
+============================
+.. zeek:namespace:: GLOBAL
+.. zeek:namespace:: SSH
+
+Implements base functionality for SSH analysis. Generates the ssh.log file.
+
+:Namespaces: GLOBAL, SSH
+:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================= ====================================================================
+:zeek:id:`SSH::compression_algorithms`: :zeek:type:`set` :zeek:attr:`&redef`            The set of compression algorithms.
+:zeek:id:`SSH::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef` If true, after detection detach the SSH analyzer from the connection
+                                                                                        to prevent continuing to process encrypted traffic.
+======================================================================================= ====================================================================
+
+Types
+#####
+=========================================== =========================================================
+:zeek:type:`SSH::Info`: :zeek:type:`record` The record type which contains the fields of the SSH log.
+=========================================== =========================================================
+
+Redefinitions
+#############
+==================================================================== ================================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              The SSH protocol logging stream identifier.
+                                                                     
+                                                                     * :zeek:enum:`SSH::LOG`
+:zeek:type:`SSH::Info`: :zeek:type:`record`                          
+                                                                     
+                                                                     :New Fields: :zeek:type:`SSH::Info`
+                                                                     
+                                                                       logged: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                                     
+                                                                       capabilities: :zeek:type:`SSH::Capabilities` :zeek:attr:`&optional`
+                                                                     
+                                                                       analyzer_id: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                         Analyzer ID
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       ssh: :zeek:type:`SSH::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ================================================================================
+
+Events
+######
+============================================== ===================================================================
+:zeek:id:`SSH::log_ssh`: :zeek:type:`event`    Event that can be handled to access the SSH record as it is sent on
+                                               to the logging framework.
+:zeek:id:`ssh_auth_failed`: :zeek:type:`event` This event is generated when an :abbr:`SSH (Secure Shell)`
+                                               connection was determined to have had a failed authentication.
+:zeek:id:`ssh_auth_result`: :zeek:type:`event` This event is generated when a determination has been made about
+                                               the final authentication result of an :abbr:`SSH (Secure Shell)`
+                                               connection.
+============================================== ===================================================================
+
+Hooks
+#####
+============================================================ =============================================
+:zeek:id:`SSH::finalize_ssh`: :zeek:type:`Conn::RemovalHook` SSH finalization hook.
+:zeek:id:`SSH::log_policy`: :zeek:type:`Log::PolicyHook`     A default logging policy hook for the stream.
+============================================================ =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SSH::compression_algorithms
+   :source-code: base/protocols/ssh/main.zeek 61 61
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "zlib@openssh.com",
+            "zlib"
+         }
+
+
+   The set of compression algorithms. We can't accurately determine
+   authentication success or failure when compression is enabled.
+
+.. zeek:id:: SSH::disable_analyzer_after_detection
+   :source-code: base/protocols/ssh/main.zeek 66 66
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, after detection detach the SSH analyzer from the connection
+   to prevent continuing to process encrypted traffic. Helps with performance
+   (especially with large file transfers).
+
+Types
+#####
+.. zeek:type:: SSH::Info
+   :source-code: base/protocols/ssh/main.zeek 16 57
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time when the SSH connection began.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      SSH major version (1, 2, or unset). The version can be unset if the
+      client and server version strings are unset, malformed or incompatible
+      so no common version can be extracted. If no version can be extracted
+      even though both client and server versions are set a weird
+      will be generated.
+
+
+   .. zeek:field:: auth_success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Authentication result (T=success, F=failure, unset=unknown)
+
+
+   .. zeek:field:: auth_attempts :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The number of authentication attempts we observed. There's always
+      at least one, since some servers might support no authentication at all.
+      It's important to note that not all of these are failures, since
+      some servers require two-factor auth (e.g. password AND pubkey)
+
+
+   .. zeek:field:: direction :zeek:type:`Direction` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Direction of the connection. If the client was a local host
+      logging into an external host, this would be OUTBOUND. INBOUND
+      would be set for the opposite situation.
+
+
+   .. zeek:field:: client :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The client's version string
+
+
+   .. zeek:field:: server :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The server's version string
+
+
+   .. zeek:field:: cipher_alg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The encryption algorithm in use
+
+
+   .. zeek:field:: mac_alg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The signing (MAC) algorithm in use
+
+
+   .. zeek:field:: compression_alg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The compression algorithm in use
+
+
+   .. zeek:field:: kex_alg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The key exchange algorithm in use
+
+
+   .. zeek:field:: host_key_alg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The server host key's algorithm
+
+
+   .. zeek:field:: host_key :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The server's key fingerprint
+
+
+   .. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: capabilities :zeek:type:`SSH::Capabilities` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: analyzer_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      Analyzer ID
+
+
+   .. zeek:field:: remote_location :zeek:type:`geo_location` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssh/geo-data.zeek` is loaded)
+
+      Add geographic data related to the "remote" host of the
+      connection.
+
+
+   The record type which contains the fields of the SSH log.
+
+Events
+######
+.. zeek:id:: SSH::log_ssh
+   :source-code: base/protocols/ssh/main.zeek 70 70
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`SSH::Info`)
+
+   Event that can be handled to access the SSH record as it is sent on
+   to the logging framework.
+
+.. zeek:id:: ssh_auth_failed
+   :source-code: base/protocols/ssh/main.zeek 94 94
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   This event is generated when an :abbr:`SSH (Secure Shell)`
+   connection was determined to have had a failed authentication. This
+   determination is based on packet size analysis, and errs on the
+   side of caution - that is, if there's any doubt about the
+   authentication failure, this event is *not* raised.
+   
+   This event is only raised once per connection.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version
+      ssh_auth_successful ssh_auth_result ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key
+
+.. zeek:id:: ssh_auth_result
+   :source-code: base/protocols/ssh/main.zeek 117 117
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, result: :zeek:type:`bool`, auth_attempts: :zeek:type:`count`)
+
+   This event is generated when a determination has been made about
+   the final authentication result of an :abbr:`SSH (Secure Shell)`
+   connection. This determination is based on packet size analysis,
+   and errs on the side of caution - that is, if there's any doubt
+   about the result of the authentication, this event is *not* raised.
+   
+   This event is only raised once per connection.
+   
+
+   :param c: The connection over which the :abbr:`SSH (Secure Shell)`
+      connection took place.
+   
+
+   :param result: True if the authentication was successful, false if not.
+   
+
+   :param auth_attempts: The number of authentication attempts that were
+      observed.
+   
+   .. zeek:see:: ssh_server_version ssh_client_version
+      ssh_auth_successful ssh_auth_failed ssh_auth_attempted
+      ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+      ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+      ssh2_gss_error ssh2_ecc_key
+
+Hooks
+#####
+.. zeek:id:: SSH::finalize_ssh
+   :source-code: base/protocols/ssh/main.zeek 312 336
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   SSH finalization hook.  Remaining SSH info may get logged when it's called.
+
+.. zeek:id:: SSH::log_policy
+   :source-code: base/protocols/ssh/main.zeek 13 13
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/base/protocols/ssl/__load__.zeek.rst b/doc/scripts/base/protocols/ssl/__load__.zeek.rst
new file mode 100644
index 0000000000..6414282986
--- /dev/null
+++ b/doc/scripts/base/protocols/ssl/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/ssl/__load__.zeek
+================================
+
+
+:Imports: :doc:`base/protocols/ssl/consts.zeek </scripts/base/protocols/ssl/consts.zeek>`, :doc:`base/protocols/ssl/ct-list.zeek </scripts/base/protocols/ssl/ct-list.zeek>`, :doc:`base/protocols/ssl/files.zeek </scripts/base/protocols/ssl/files.zeek>`, :doc:`base/protocols/ssl/main.zeek </scripts/base/protocols/ssl/main.zeek>`, :doc:`base/protocols/ssl/mozilla-ca-list.zeek </scripts/base/protocols/ssl/mozilla-ca-list.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/ssl/consts.zeek.rst b/doc/scripts/base/protocols/ssl/consts.zeek.rst
new file mode 100644
index 0000000000..0f14aa4a69
--- /dev/null
+++ b/doc/scripts/base/protocols/ssl/consts.zeek.rst
@@ -0,0 +1,4884 @@
+:tocdepth: 3
+
+base/protocols/ssl/consts.zeek
+==============================
+.. zeek:namespace:: SSL
+
+
+:Namespace: SSL
+
+Summary
+~~~~~~~
+Constants
+#########
+====================================================================================================== =====================================================================================
+:zeek:id:`SSL::ALERT`: :zeek:type:`count`                                                              
+:zeek:id:`SSL::APPLICATION_DATA`: :zeek:type:`count`                                                   
+:zeek:id:`SSL::CERTIFICATE`: :zeek:type:`count`                                                        
+:zeek:id:`SSL::CERTIFICATE_REQUEST`: :zeek:type:`count`                                                
+:zeek:id:`SSL::CERTIFICATE_STATUS`: :zeek:type:`count`                                                 
+:zeek:id:`SSL::CERTIFICATE_URL`: :zeek:type:`count`                                                    
+:zeek:id:`SSL::CERTIFICATE_VERIFY`: :zeek:type:`count`                                                 
+:zeek:id:`SSL::CHANGE_CIPHER_SPEC`: :zeek:type:`count`                                                 
+:zeek:id:`SSL::CLIENT_HELLO`: :zeek:type:`count`                                                       
+:zeek:id:`SSL::CLIENT_KEY_EXCHANGE`: :zeek:type:`count`                                                
+:zeek:id:`SSL::COMPRESSED_CERTIFICATE`: :zeek:type:`count`                                             
+:zeek:id:`SSL::DTLSv10`: :zeek:type:`count`                                                            
+:zeek:id:`SSL::DTLSv12`: :zeek:type:`count`                                                            
+:zeek:id:`SSL::DTLSv13`: :zeek:type:`count`                                                            
+:zeek:id:`SSL::EKT_KEY`: :zeek:type:`count`                                                            
+:zeek:id:`SSL::ENCRYPTED_EXTENSIONS`: :zeek:type:`count`                                               
+:zeek:id:`SSL::FINISHED`: :zeek:type:`count`                                                           
+:zeek:id:`SSL::HANDSHAKE`: :zeek:type:`count`                                                          
+:zeek:id:`SSL::HEARTBEAT`: :zeek:type:`count`                                                          
+:zeek:id:`SSL::HELLO_REQUEST`: :zeek:type:`count`                                                      
+:zeek:id:`SSL::HELLO_RETRY_REQUEST`: :zeek:type:`count`                                                
+:zeek:id:`SSL::HELLO_VERIFY_REQUEST`: :zeek:type:`count`                                               
+:zeek:id:`SSL::KEY_UPDATE`: :zeek:type:`count`                                                         
+:zeek:id:`SSL::RETURN_ROUTABILITY_CHECK`: :zeek:type:`count`                                           
+:zeek:id:`SSL::SERVER_HELLO`: :zeek:type:`count`                                                       
+:zeek:id:`SSL::SERVER_HELLO_DONE`: :zeek:type:`count`                                                  
+:zeek:id:`SSL::SERVER_KEY_EXCHANGE`: :zeek:type:`count`                                                
+:zeek:id:`SSL::SESSION_TICKET`: :zeek:type:`count`                                                     
+:zeek:id:`SSL::SSL_EXTENSION_APPLICATION_LAYER_PROTOCOL_NEGOTIATION`: :zeek:type:`count`               
+:zeek:id:`SSL::SSL_EXTENSION_APPLICATION_SETTING`: :zeek:type:`count`                                  
+:zeek:id:`SSL::SSL_EXTENSION_CACHED_INFO`: :zeek:type:`count`                                          
+:zeek:id:`SSL::SSL_EXTENSION_CERTIFICATE_AUTHORITIES`: :zeek:type:`count`                              
+:zeek:id:`SSL::SSL_EXTENSION_CERT_TYPE`: :zeek:type:`count`                                            
+:zeek:id:`SSL::SSL_EXTENSION_CHANNEL_ID`: :zeek:type:`count`                                           
+:zeek:id:`SSL::SSL_EXTENSION_CHANNEL_ID_NEW`: :zeek:type:`count`                                       
+:zeek:id:`SSL::SSL_EXTENSION_CLIENT_AUTHZ`: :zeek:type:`count`                                         
+:zeek:id:`SSL::SSL_EXTENSION_CLIENT_CERTIFICATE_TYPE`: :zeek:type:`count`                              
+:zeek:id:`SSL::SSL_EXTENSION_CLIENT_CERTIFICATE_URL`: :zeek:type:`count`                               
+:zeek:id:`SSL::SSL_EXTENSION_COMPRESS_CERTIFICATE`: :zeek:type:`count`                                 
+:zeek:id:`SSL::SSL_EXTENSION_CONNECTION_ID`: :zeek:type:`count`                                        
+:zeek:id:`SSL::SSL_EXTENSION_CONNECTION_ID_DEPRECATED`: :zeek:type:`count`                             
+:zeek:id:`SSL::SSL_EXTENSION_COOKIE`: :zeek:type:`count`                                               
+:zeek:id:`SSL::SSL_EXTENSION_DELEGATED_CREDENTIAL`: :zeek:type:`count`                                 
+:zeek:id:`SSL::SSL_EXTENSION_DNSSEC_CHAIN`: :zeek:type:`count`                                         
+:zeek:id:`SSL::SSL_EXTENSION_EARLY_DATA`: :zeek:type:`count`                                           
+:zeek:id:`SSL::SSL_EXTENSION_ECH_OUTER_EXTENSION`: :zeek:type:`count`                                  
+:zeek:id:`SSL::SSL_EXTENSION_EC_POINT_FORMATS`: :zeek:type:`count`                                     
+:zeek:id:`SSL::SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES`: :zeek:type:`count`                        
+:zeek:id:`SSL::SSL_EXTENSION_ENCRYPTED_CLIENT_HELLO`: :zeek:type:`count`                               
+:zeek:id:`SSL::SSL_EXTENSION_ENCRYPT_THEN_MAC`: :zeek:type:`count`                                     
+:zeek:id:`SSL::SSL_EXTENSION_EXTENDED_MASTER_SECRET`: :zeek:type:`count`                               
+:zeek:id:`SSL::SSL_EXTENSION_EXTERNAL_ID_HASH`: :zeek:type:`count`                                     
+:zeek:id:`SSL::SSL_EXTENSION_EXTERNAL_SESSION_ID`: :zeek:type:`count`                                  
+:zeek:id:`SSL::SSL_EXTENSION_HEARTBEAT`: :zeek:type:`count`                                            
+:zeek:id:`SSL::SSL_EXTENSION_KEY_SHARE`: :zeek:type:`count`                                            
+:zeek:id:`SSL::SSL_EXTENSION_KEY_SHARE_OLD`: :zeek:type:`count`                                        
+:zeek:id:`SSL::SSL_EXTENSION_MAX_FRAGMENT_LENGTH`: :zeek:type:`count`                                  
+:zeek:id:`SSL::SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION`: :zeek:type:`count`                            
+:zeek:id:`SSL::SSL_EXTENSION_OID_FILTERS`: :zeek:type:`count`                                          
+:zeek:id:`SSL::SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES`: :zeek:type:`count`                            
+:zeek:id:`SSL::SSL_EXTENSION_PADDING`: :zeek:type:`count`                                              
+:zeek:id:`SSL::SSL_EXTENSION_PADDING_TEMP`: :zeek:type:`count`                                         
+:zeek:id:`SSL::SSL_EXTENSION_PASSWORD_SALT`: :zeek:type:`count`                                        
+:zeek:id:`SSL::SSL_EXTENSION_POST_HANDSHAKE_AUTH`: :zeek:type:`count`                                  
+:zeek:id:`SSL::SSL_EXTENSION_PRE_SHARED_KEY`: :zeek:type:`count`                                       
+:zeek:id:`SSL::SSL_EXTENSION_PSK_KEY_EXCHANGE_MODES`: :zeek:type:`count`                               
+:zeek:id:`SSL::SSL_EXTENSION_PWD_CLEAR`: :zeek:type:`count`                                            
+:zeek:id:`SSL::SSL_EXTENSION_PWD_PROTECT`: :zeek:type:`count`                                          
+:zeek:id:`SSL::SSL_EXTENSION_QUIC_TRANSPORT_PARAMETERS`: :zeek:type:`count`                            
+:zeek:id:`SSL::SSL_EXTENSION_RECORD_SIZE_LIMIT`: :zeek:type:`count`                                    
+:zeek:id:`SSL::SSL_EXTENSION_RENEGOTIATION_INFO`: :zeek:type:`count`                                   
+:zeek:id:`SSL::SSL_EXTENSION_RRC`: :zeek:type:`count`                                                  
+:zeek:id:`SSL::SSL_EXTENSION_SEQUENCE_NUMBER_ENCRYPTION_ALGORITHMS`: :zeek:type:`count`                
+:zeek:id:`SSL::SSL_EXTENSION_SERVER_AUTHZ`: :zeek:type:`count`                                         
+:zeek:id:`SSL::SSL_EXTENSION_SERVER_CERTIFICATE_TYPE`: :zeek:type:`count`                              
+:zeek:id:`SSL::SSL_EXTENSION_SERVER_NAME`: :zeek:type:`count`                                          
+:zeek:id:`SSL::SSL_EXTENSION_SESSIONTICKET_TLS`: :zeek:type:`count`                                    
+:zeek:id:`SSL::SSL_EXTENSION_SIGNATURE_ALGORITHMS`: :zeek:type:`count`                                 
+:zeek:id:`SSL::SSL_EXTENSION_SIGNATURE_ALGORITHMS_CERT`: :zeek:type:`count`                            
+:zeek:id:`SSL::SSL_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP`: :zeek:type:`count`                         
+:zeek:id:`SSL::SSL_EXTENSION_SRP`: :zeek:type:`count`                                                  
+:zeek:id:`SSL::SSL_EXTENSION_STATUS_REQUEST`: :zeek:type:`count`                                       
+:zeek:id:`SSL::SSL_EXTENSION_STATUS_REQUEST_V2`: :zeek:type:`count`                                    
+:zeek:id:`SSL::SSL_EXTENSION_SUPPORTED_EKT_CIPHERS`: :zeek:type:`count`                                
+:zeek:id:`SSL::SSL_EXTENSION_SUPPORTED_GROUPS`: :zeek:type:`count`                                     
+:zeek:id:`SSL::SSL_EXTENSION_SUPPORTED_VERSIONS`: :zeek:type:`count`                                   
+:zeek:id:`SSL::SSL_EXTENSION_TICKETEARLYDATAINFO`: :zeek:type:`count`                                  
+:zeek:id:`SSL::SSL_EXTENSION_TICKET_PINNING`: :zeek:type:`count`                                       
+:zeek:id:`SSL::SSL_EXTENSION_TICKET_REQUEST`: :zeek:type:`count`                                       
+:zeek:id:`SSL::SSL_EXTENSION_TLMSP`: :zeek:type:`count`                                                
+:zeek:id:`SSL::SSL_EXTENSION_TLMSP_DELEGATE`: :zeek:type:`count`                                       
+:zeek:id:`SSL::SSL_EXTENSION_TLMSP_PROXYING`: :zeek:type:`count`                                       
+:zeek:id:`SSL::SSL_EXTENSION_TLS_CERT_WITH_EXTERN_PSK`: :zeek:type:`count`                             
+:zeek:id:`SSL::SSL_EXTENSION_TLS_FLAGS`: :zeek:type:`count`                                            
+:zeek:id:`SSL::SSL_EXTENSION_TLS_LTS`: :zeek:type:`count`                                              
+:zeek:id:`SSL::SSL_EXTENSION_TOKEN_BINDING`: :zeek:type:`count`                                        
+:zeek:id:`SSL::SSL_EXTENSION_TRANSPARENCY_INFO`: :zeek:type:`count`                                    
+:zeek:id:`SSL::SSL_EXTENSION_TRUNCATED_HMAC`: :zeek:type:`count`                                       
+:zeek:id:`SSL::SSL_EXTENSION_TRUSTED_CA_KEYS`: :zeek:type:`count`                                      
+:zeek:id:`SSL::SSL_EXTENSION_USER_MAPPING`: :zeek:type:`count`                                         
+:zeek:id:`SSL::SSL_EXTENSION_USE_SRTP`: :zeek:type:`count`                                             
+:zeek:id:`SSL::SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA`: :zeek:type:`count`                             
+:zeek:id:`SSL::SSL_FORTEZZA_KEA_WITH_NULL_SHA`: :zeek:type:`count`                                     
+:zeek:id:`SSL::SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2`: :zeek:type:`count`                               
+:zeek:id:`SSL::SSL_RSA_FIPS_WITH_DES_CBC_SHA`: :zeek:type:`count`                                      
+:zeek:id:`SSL::SSL_RSA_FIPS_WITH_DES_CBC_SHA_2`: :zeek:type:`count`                                    
+:zeek:id:`SSL::SSL_RSA_WITH_3DES_EDE_CBC_MD5`: :zeek:type:`count`                                      
+:zeek:id:`SSL::SSL_RSA_WITH_DES_CBC_MD5`: :zeek:type:`count`                                           
+:zeek:id:`SSL::SSL_RSA_WITH_IDEA_CBC_MD5`: :zeek:type:`count`                                          
+:zeek:id:`SSL::SSL_RSA_WITH_RC2_CBC_MD5`: :zeek:type:`count`                                           
+:zeek:id:`SSL::SSLv2`: :zeek:type:`count`                                                              
+:zeek:id:`SSL::SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5`: :zeek:type:`count`                                
+:zeek:id:`SSL::SSLv20_CK_DES_64_CBC_WITH_MD5`: :zeek:type:`count`                                      
+:zeek:id:`SSL::SSLv20_CK_IDEA_128_CBC_WITH_MD5`: :zeek:type:`count`                                    
+:zeek:id:`SSL::SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5`: :zeek:type:`count`                            
+:zeek:id:`SSL::SSLv20_CK_RC2_128_CBC_WITH_MD5`: :zeek:type:`count`                                     
+:zeek:id:`SSL::SSLv20_CK_RC4_128_EXPORT40_WITH_MD5`: :zeek:type:`count`                                
+:zeek:id:`SSL::SSLv20_CK_RC4_128_WITH_MD5`: :zeek:type:`count`                                         
+:zeek:id:`SSL::SSLv3`: :zeek:type:`count`                                                              
+:zeek:id:`SSL::SUPPLEMENTAL_DATA`: :zeek:type:`count`                                                  
+:zeek:id:`SSL::TLS12_CID`: :zeek:type:`count`                                                          
+:zeek:id:`SSL::TLS13_ACK`: :zeek:type:`count`                                                          
+:zeek:id:`SSL::TLS_AEGIS_128L_SHA256`: :zeek:type:`count`                                              
+:zeek:id:`SSL::TLS_AEGIS_256_SHA384`: :zeek:type:`count`                                               
+:zeek:id:`SSL::TLS_AES_128_CCM_8_SHA256`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_AES_128_CCM_SHA256`: :zeek:type:`count`                                             
+:zeek:id:`SSL::TLS_AES_128_GCM_SHA256`: :zeek:type:`count`                                             
+:zeek:id:`SSL::TLS_AES_256_GCM_SHA384`: :zeek:type:`count`                                             
+:zeek:id:`SSL::TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                     
+:zeek:id:`SSL::TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                       
+:zeek:id:`SSL::TLS_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_AES_128_CBC_RMD`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_AES_256_CBC_RMD`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_AES_256_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_DES_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_RC4_128_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_DSS_WITH_SEED_CBC_SHA`: :zeek:type:`count`                                      
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_AES_128_CCM`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_AES_256_CBC_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_AES_256_CCM`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_NULL_SHA256`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_NULL_SHA384`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_PSK_WITH_RC4_128_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_128_CBC_RMD`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_128_CCM`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_128_CCM_8`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_256_CBC_RMD`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_256_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_256_CCM`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_256_CCM_8`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD`: :zeek:type:`count`                      
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_DES_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DHE_RSA_WITH_SEED_CBC_SHA`: :zeek:type:`count`                                      
+:zeek:id:`SSL::TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_ANON_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_ANON_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DH_ANON_WITH_AES_256_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_ANON_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_DH_ANON_WITH_DES_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DH_ANON_WITH_RC4_128_MD5`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DH_ANON_WITH_SEED_CBC_SHA`: :zeek:type:`count`                                      
+:zeek:id:`SSL::TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DH_DSS_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_DH_DSS_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_DSS_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_DSS_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_DH_DSS_WITH_AES_256_CBC_SHA256`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_DSS_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DH_DSS_WITH_DES_CBC_SHA`: :zeek:type:`count`                                        
+:zeek:id:`SSL::TLS_DH_DSS_WITH_SEED_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_DH_RSA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_DH_RSA_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_RSA_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_RSA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_DH_RSA_WITH_AES_256_CBC_SHA256`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_RSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_DH_RSA_WITH_DES_CBC_SHA`: :zeek:type:`count`                                        
+:zeek:id:`SSL::TLS_DH_RSA_WITH_SEED_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_ECCPWD_WITH_AES_128_CCM_SHA256`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECCPWD_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECCPWD_WITH_AES_256_CCM_SHA384`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECCPWD_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CCM`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CCM`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                       
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                       
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384`: :zeek:type:`count`                       
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                       
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                      
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD`: :zeek:type:`count`                  
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_NULL_SHA`: :zeek:type:`count`                                      
+:zeek:id:`SSL::TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256_OLD`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                         
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384`: :zeek:type:`count`                         
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                        
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_NULL_SHA`: :zeek:type:`count`                                        
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_NULL_SHA256`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_NULL_SHA384`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_ECDHE_PSK_WITH_RC4_128_SHA`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                         
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                         
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384`: :zeek:type:`count`                         
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                         
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                        
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD`: :zeek:type:`count`                    
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_NULL_SHA`: :zeek:type:`count`                                        
+:zeek:id:`SSL::TLS_ECDHE_RSA_WITH_RC4_128_SHA`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_ECDH_ANON_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDH_ANON_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDH_ANON_WITH_NULL_SHA`: :zeek:type:`count`                                        
+:zeek:id:`SSL::TLS_ECDH_ANON_WITH_RC4_128_SHA`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                        
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                        
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384`: :zeek:type:`count`                        
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                        
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_NULL_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_ECDH_ECDSA_WITH_RC4_128_SHA`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_NULL_SHA`: :zeek:type:`count`                                         
+:zeek:id:`SSL::TLS_ECDH_RSA_WITH_RC4_128_SHA`: :zeek:type:`count`                                      
+:zeek:id:`SSL::TLS_EMPTY_RENEGOTIATION_INFO_SCSV`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_FALLBACK_SCSV`: :zeek:type:`count`                                                  
+:zeek:id:`SSL::TLS_GOSTR341001_WITH_28147_CNT_IMIT`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_GOSTR341001_WITH_NULL_GOSTR3411`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_GOSTR341094_WITH_28147_CNT_IMIT`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_GOSTR341094_WITH_NULL_GOSTR3411`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_GOSTR341112_256_WITH_28147_CNT_IMIT`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC`: :zeek:type:`count`                       
+:zeek:id:`SSL::TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC`: :zeek:type:`count`                            
+:zeek:id:`SSL::TLS_GOSTR341112_256_WITH_MAGMA_MGM_L`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_GOSTR341112_256_WITH_MAGMA_MGM_S`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_KRB5_EXPORT_WITH_RC4_40_MD5`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_KRB5_EXPORT_WITH_RC4_40_SHA`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_KRB5_WITH_3DES_EDE_CBC_MD5`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_KRB5_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_KRB5_WITH_DES_CBC_MD5`: :zeek:type:`count`                                          
+:zeek:id:`SSL::TLS_KRB5_WITH_DES_CBC_SHA`: :zeek:type:`count`                                          
+:zeek:id:`SSL::TLS_KRB5_WITH_IDEA_CBC_MD5`: :zeek:type:`count`                                         
+:zeek:id:`SSL::TLS_KRB5_WITH_IDEA_CBC_SHA`: :zeek:type:`count`                                         
+:zeek:id:`SSL::TLS_KRB5_WITH_RC4_128_MD5`: :zeek:type:`count`                                          
+:zeek:id:`SSL::TLS_KRB5_WITH_RC4_128_SHA`: :zeek:type:`count`                                          
+:zeek:id:`SSL::TLS_NULL_WITH_NULL_NULL`: :zeek:type:`count`                                            
+:zeek:id:`SSL::TLS_PSK_DHE_WITH_AES_128_CCM_8`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_PSK_DHE_WITH_AES_256_CCM_8`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_PSK_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                      
+:zeek:id:`SSL::TLS_PSK_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_PSK_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_PSK_WITH_AES_128_CCM`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_PSK_WITH_AES_128_CCM_8`: :zeek:type:`count`                                         
+:zeek:id:`SSL::TLS_PSK_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_PSK_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_PSK_WITH_AES_256_CBC_SHA384`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_PSK_WITH_AES_256_CCM`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_PSK_WITH_AES_256_CCM_8`: :zeek:type:`count`                                         
+:zeek:id:`SSL::TLS_PSK_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_PSK_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_PSK_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_PSK_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_PSK_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_PSK_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_PSK_WITH_NULL_SHA256`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_PSK_WITH_NULL_SHA384`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_PSK_WITH_RC4_128_SHA`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5`: :zeek:type:`count`                             
+:zeek:id:`SSL::TLS_RSA_EXPORT1024_WITH_RC4_56_MD5`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_RSA_EXPORT1024_WITH_RC4_56_SHA`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_RSA_EXPORT_WITH_DES40_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5`: :zeek:type:`count`                                 
+:zeek:id:`SSL::TLS_RSA_EXPORT_WITH_RC4_40_MD5`: :zeek:type:`count`                                     
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_AES_256_CBC_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                           
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256`: :zeek:type:`count`                          
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_NULL_SHA256`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_NULL_SHA384`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_RSA_PSK_WITH_RC4_128_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_RSA_WITH_3DES_EDE_CBC_RMD`: :zeek:type:`count`                                      
+:zeek:id:`SSL::TLS_RSA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                      
+:zeek:id:`SSL::TLS_RSA_WITH_AES_128_CBC_RMD`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_RSA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_RSA_WITH_AES_128_CBC_SHA256`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_RSA_WITH_AES_128_CCM`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_RSA_WITH_AES_128_CCM_8`: :zeek:type:`count`                                         
+:zeek:id:`SSL::TLS_RSA_WITH_AES_128_GCM_SHA256`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_RSA_WITH_AES_256_CBC_RMD`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_RSA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                       
+:zeek:id:`SSL::TLS_RSA_WITH_AES_256_CBC_SHA256`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_RSA_WITH_AES_256_CCM`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_RSA_WITH_AES_256_CCM_8`: :zeek:type:`count`                                         
+:zeek:id:`SSL::TLS_RSA_WITH_AES_256_GCM_SHA384`: :zeek:type:`count`                                    
+:zeek:id:`SSL::TLS_RSA_WITH_ARIA_128_CBC_SHA256`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_RSA_WITH_ARIA_128_GCM_SHA256`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_RSA_WITH_ARIA_256_CBC_SHA384`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_RSA_WITH_ARIA_256_GCM_SHA384`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_RSA_WITH_CAMELLIA_128_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_RSA_WITH_CAMELLIA_256_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_RSA_WITH_DES_CBC_SHA`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_RSA_WITH_IDEA_CBC_SHA`: :zeek:type:`count`                                          
+:zeek:id:`SSL::TLS_RSA_WITH_NULL_MD5`: :zeek:type:`count`                                              
+:zeek:id:`SSL::TLS_RSA_WITH_NULL_SHA`: :zeek:type:`count`                                              
+:zeek:id:`SSL::TLS_RSA_WITH_NULL_SHA256`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_RSA_WITH_RC4_128_MD5`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_RSA_WITH_RC4_128_SHA`: :zeek:type:`count`                                           
+:zeek:id:`SSL::TLS_RSA_WITH_SEED_CBC_SHA`: :zeek:type:`count`                                          
+:zeek:id:`SSL::TLS_SHA256_SHA256`: :zeek:type:`count`                                                  
+:zeek:id:`SSL::TLS_SHA384_SHA384`: :zeek:type:`count`                                                  
+:zeek:id:`SSL::TLS_SM4_CCM_SM3`: :zeek:type:`count`                                                    
+:zeek:id:`SSL::TLS_SM4_GCM_SM3`: :zeek:type:`count`                                                    
+:zeek:id:`SSL::TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                              
+:zeek:id:`SSL::TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                               
+:zeek:id:`SSL::TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA`: :zeek:type:`count`                                  
+:zeek:id:`SSL::TLS_SRP_SHA_WITH_AES_128_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLS_SRP_SHA_WITH_AES_256_CBC_SHA`: :zeek:type:`count`                                   
+:zeek:id:`SSL::TLSv10`: :zeek:type:`count`                                                             
+:zeek:id:`SSL::TLSv11`: :zeek:type:`count`                                                             
+:zeek:id:`SSL::TLSv12`: :zeek:type:`count`                                                             
+:zeek:id:`SSL::TLSv13`: :zeek:type:`count`                                                             
+:zeek:id:`SSL::V2_CLIENT_HELLO`: :zeek:type:`count`                                                    
+:zeek:id:`SSL::V2_CLIENT_MASTER_KEY`: :zeek:type:`count`                                               
+:zeek:id:`SSL::V2_ERROR`: :zeek:type:`count`                                                           
+:zeek:id:`SSL::V2_SERVER_HELLO`: :zeek:type:`count`                                                    
+:zeek:id:`SSL::alert_descriptions`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`   Mapping between numeric codes and human readable strings for alert
+                                                                                                       descriptions.
+:zeek:id:`SSL::alert_levels`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`         Mapping between numeric codes and human readable strings for alert
+                                                                                                       levels.
+:zeek:id:`SSL::cipher_desc`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`          This is a table of all known cipher specs.
+:zeek:id:`SSL::ec_curves`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`            Mapping between numeric codes and human readable string for SSL/TLS elliptic curves.
+:zeek:id:`SSL::ec_point_formats`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`     Mapping between numeric codes and human readable string for SSL/TLS EC point formats.
+:zeek:id:`SSL::extensions`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`           Mapping between numeric codes and human readable strings for SSL/TLS
+                                                                                                       extensions.
+:zeek:id:`SSL::hash_algorithms`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`      Mapping between numeric codes and human readable strings for hash
+                                                                                                       algorithms.
+:zeek:id:`SSL::signature_algorithms`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Mapping between numeric codes and human readable strings for signature
+                                                                                                       algorithms.
+:zeek:id:`SSL::version_strings`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`      Mapping between the constants and string values for SSL/TLS versions.
+====================================================================================================== =====================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: SSL::ALERT
+   :source-code: base/protocols/ssl/consts.zeek 37 37
+
+   :Type: :zeek:type:`count`
+   :Default: ``21``
+
+
+.. zeek:id:: SSL::APPLICATION_DATA
+   :source-code: base/protocols/ssl/consts.zeek 39 39
+
+   :Type: :zeek:type:`count`
+   :Default: ``23``
+
+
+.. zeek:id:: SSL::CERTIFICATE
+   :source-code: base/protocols/ssl/consts.zeek 57 57
+
+   :Type: :zeek:type:`count`
+   :Default: ``11``
+
+
+.. zeek:id:: SSL::CERTIFICATE_REQUEST
+   :source-code: base/protocols/ssl/consts.zeek 59 59
+
+   :Type: :zeek:type:`count`
+   :Default: ``13``
+
+
+.. zeek:id:: SSL::CERTIFICATE_STATUS
+   :source-code: base/protocols/ssl/consts.zeek 65 65
+
+   :Type: :zeek:type:`count`
+   :Default: ``22``
+
+
+.. zeek:id:: SSL::CERTIFICATE_URL
+   :source-code: base/protocols/ssl/consts.zeek 64 64
+
+   :Type: :zeek:type:`count`
+   :Default: ``21``
+
+
+.. zeek:id:: SSL::CERTIFICATE_VERIFY
+   :source-code: base/protocols/ssl/consts.zeek 61 61
+
+   :Type: :zeek:type:`count`
+   :Default: ``15``
+
+
+.. zeek:id:: SSL::CHANGE_CIPHER_SPEC
+   :source-code: base/protocols/ssl/consts.zeek 36 36
+
+   :Type: :zeek:type:`count`
+   :Default: ``20``
+
+
+.. zeek:id:: SSL::CLIENT_HELLO
+   :source-code: base/protocols/ssl/consts.zeek 51 51
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+
+.. zeek:id:: SSL::CLIENT_KEY_EXCHANGE
+   :source-code: base/protocols/ssl/consts.zeek 62 62
+
+   :Type: :zeek:type:`count`
+   :Default: ``16``
+
+
+.. zeek:id:: SSL::COMPRESSED_CERTIFICATE
+   :source-code: base/protocols/ssl/consts.zeek 68 68
+
+   :Type: :zeek:type:`count`
+   :Default: ``25``
+
+
+.. zeek:id:: SSL::DTLSv10
+   :source-code: base/protocols/ssl/consts.zeek 11 11
+
+   :Type: :zeek:type:`count`
+   :Default: ``65279``
+
+
+.. zeek:id:: SSL::DTLSv12
+   :source-code: base/protocols/ssl/consts.zeek 13 13
+
+   :Type: :zeek:type:`count`
+   :Default: ``65277``
+
+
+.. zeek:id:: SSL::DTLSv13
+   :source-code: base/protocols/ssl/consts.zeek 14 14
+
+   :Type: :zeek:type:`count`
+   :Default: ``65276``
+
+
+.. zeek:id:: SSL::EKT_KEY
+   :source-code: base/protocols/ssl/consts.zeek 69 69
+
+   :Type: :zeek:type:`count`
+   :Default: ``26``
+
+
+.. zeek:id:: SSL::ENCRYPTED_EXTENSIONS
+   :source-code: base/protocols/ssl/consts.zeek 56 56
+
+   :Type: :zeek:type:`count`
+   :Default: ``8``
+
+
+.. zeek:id:: SSL::FINISHED
+   :source-code: base/protocols/ssl/consts.zeek 63 63
+
+   :Type: :zeek:type:`count`
+   :Default: ``20``
+
+
+.. zeek:id:: SSL::HANDSHAKE
+   :source-code: base/protocols/ssl/consts.zeek 38 38
+
+   :Type: :zeek:type:`count`
+   :Default: ``22``
+
+
+.. zeek:id:: SSL::HEARTBEAT
+   :source-code: base/protocols/ssl/consts.zeek 40 40
+
+   :Type: :zeek:type:`count`
+   :Default: ``24``
+
+
+.. zeek:id:: SSL::HELLO_REQUEST
+   :source-code: base/protocols/ssl/consts.zeek 50 50
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+
+.. zeek:id:: SSL::HELLO_RETRY_REQUEST
+   :source-code: base/protocols/ssl/consts.zeek 55 55
+
+   :Type: :zeek:type:`count`
+   :Default: ``6``
+
+
+.. zeek:id:: SSL::HELLO_VERIFY_REQUEST
+   :source-code: base/protocols/ssl/consts.zeek 53 53
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+
+.. zeek:id:: SSL::KEY_UPDATE
+   :source-code: base/protocols/ssl/consts.zeek 67 67
+
+   :Type: :zeek:type:`count`
+   :Default: ``24``
+
+
+.. zeek:id:: SSL::RETURN_ROUTABILITY_CHECK
+   :source-code: base/protocols/ssl/consts.zeek 43 43
+
+   :Type: :zeek:type:`count`
+   :Default: ``26``
+
+
+.. zeek:id:: SSL::SERVER_HELLO
+   :source-code: base/protocols/ssl/consts.zeek 52 52
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: SSL::SERVER_HELLO_DONE
+   :source-code: base/protocols/ssl/consts.zeek 60 60
+
+   :Type: :zeek:type:`count`
+   :Default: ``14``
+
+
+.. zeek:id:: SSL::SERVER_KEY_EXCHANGE
+   :source-code: base/protocols/ssl/consts.zeek 58 58
+
+   :Type: :zeek:type:`count`
+   :Default: ``12``
+
+
+.. zeek:id:: SSL::SESSION_TICKET
+   :source-code: base/protocols/ssl/consts.zeek 54 54
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_APPLICATION_LAYER_PROTOCOL_NEGOTIATION
+   :source-code: base/protocols/ssl/consts.zeek 169 169
+
+   :Type: :zeek:type:`count`
+   :Default: ``16``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_APPLICATION_SETTING
+   :source-code: base/protocols/ssl/consts.zeek 219 219
+
+   :Type: :zeek:type:`count`
+   :Default: ``17513``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CACHED_INFO
+   :source-code: base/protocols/ssl/consts.zeek 178 178
+
+   :Type: :zeek:type:`count`
+   :Default: ``25``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CERTIFICATE_AUTHORITIES
+   :source-code: base/protocols/ssl/consts.zeek 200 200
+
+   :Type: :zeek:type:`count`
+   :Default: ``47``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CERT_TYPE
+   :source-code: base/protocols/ssl/consts.zeek 162 162
+
+   :Type: :zeek:type:`count`
+   :Default: ``9``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CHANNEL_ID
+   :source-code: base/protocols/ssl/consts.zeek 220 220
+
+   :Type: :zeek:type:`count`
+   :Default: ``30031``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CHANNEL_ID_NEW
+   :source-code: base/protocols/ssl/consts.zeek 221 221
+
+   :Type: :zeek:type:`count`
+   :Default: ``30032``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CLIENT_AUTHZ
+   :source-code: base/protocols/ssl/consts.zeek 160 160
+
+   :Type: :zeek:type:`count`
+   :Default: ``7``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CLIENT_CERTIFICATE_TYPE
+   :source-code: base/protocols/ssl/consts.zeek 172 172
+
+   :Type: :zeek:type:`count`
+   :Default: ``19``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CLIENT_CERTIFICATE_URL
+   :source-code: base/protocols/ssl/consts.zeek 155 155
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_COMPRESS_CERTIFICATE
+   :source-code: base/protocols/ssl/consts.zeek 180 180
+
+   :Type: :zeek:type:`count`
+   :Default: ``27``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CONNECTION_ID
+   :source-code: base/protocols/ssl/consts.zeek 207 207
+
+   :Type: :zeek:type:`count`
+   :Default: ``54``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_CONNECTION_ID_DEPRECATED
+   :source-code: base/protocols/ssl/consts.zeek 206 206
+
+   :Type: :zeek:type:`count`
+   :Default: ``53``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_COOKIE
+   :source-code: base/protocols/ssl/consts.zeek 197 197
+
+   :Type: :zeek:type:`count`
+   :Default: ``44``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_DELEGATED_CREDENTIAL
+   :source-code: base/protocols/ssl/consts.zeek 187 187
+
+   :Type: :zeek:type:`count`
+   :Default: ``34``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_DNSSEC_CHAIN
+   :source-code: base/protocols/ssl/consts.zeek 212 212
+
+   :Type: :zeek:type:`count`
+   :Default: ``59``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_EARLY_DATA
+   :source-code: base/protocols/ssl/consts.zeek 195 195
+
+   :Type: :zeek:type:`count`
+   :Default: ``42``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_ECH_OUTER_EXTENSION
+   :source-code: base/protocols/ssl/consts.zeek 223 223
+
+   :Type: :zeek:type:`count`
+   :Default: ``64768``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_EC_POINT_FORMATS
+   :source-code: base/protocols/ssl/consts.zeek 164 164
+
+   :Type: :zeek:type:`count`
+   :Default: ``11``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES
+   :source-code: base/protocols/ssl/consts.zeek 218 218
+
+   :Type: :zeek:type:`count`
+   :Default: ``13180``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_ENCRYPTED_CLIENT_HELLO
+   :source-code: base/protocols/ssl/consts.zeek 224 224
+
+   :Type: :zeek:type:`count`
+   :Default: ``65037``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_ENCRYPT_THEN_MAC
+   :source-code: base/protocols/ssl/consts.zeek 175 175
+
+   :Type: :zeek:type:`count`
+   :Default: ``22``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_EXTENDED_MASTER_SECRET
+   :source-code: base/protocols/ssl/consts.zeek 176 176
+
+   :Type: :zeek:type:`count`
+   :Default: ``23``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_EXTERNAL_ID_HASH
+   :source-code: base/protocols/ssl/consts.zeek 208 208
+
+   :Type: :zeek:type:`count`
+   :Default: ``55``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_EXTERNAL_SESSION_ID
+   :source-code: base/protocols/ssl/consts.zeek 209 209
+
+   :Type: :zeek:type:`count`
+   :Default: ``56``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_HEARTBEAT
+   :source-code: base/protocols/ssl/consts.zeek 168 168
+
+   :Type: :zeek:type:`count`
+   :Default: ``15``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_KEY_SHARE
+   :source-code: base/protocols/ssl/consts.zeek 204 204
+
+   :Type: :zeek:type:`count`
+   :Default: ``51``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_KEY_SHARE_OLD
+   :source-code: base/protocols/ssl/consts.zeek 193 193
+
+   :Type: :zeek:type:`count`
+   :Default: ``40``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_MAX_FRAGMENT_LENGTH
+   :source-code: base/protocols/ssl/consts.zeek 154 154
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION
+   :source-code: base/protocols/ssl/consts.zeek 216 216
+
+   :Type: :zeek:type:`count`
+   :Default: ``13172``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_OID_FILTERS
+   :source-code: base/protocols/ssl/consts.zeek 201 201
+
+   :Type: :zeek:type:`count`
+   :Default: ``48``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES
+   :source-code: base/protocols/ssl/consts.zeek 217 217
+
+   :Type: :zeek:type:`count`
+   :Default: ``13175``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_PADDING
+   :source-code: base/protocols/ssl/consts.zeek 174 174
+
+   :Type: :zeek:type:`count`
+   :Default: ``21``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_PADDING_TEMP
+   :source-code: base/protocols/ssl/consts.zeek 222 222
+
+   :Type: :zeek:type:`count`
+   :Default: ``35655``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_PASSWORD_SALT
+   :source-code: base/protocols/ssl/consts.zeek 184 184
+
+   :Type: :zeek:type:`count`
+   :Default: ``31``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_POST_HANDSHAKE_AUTH
+   :source-code: base/protocols/ssl/consts.zeek 202 202
+
+   :Type: :zeek:type:`count`
+   :Default: ``49``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_PRE_SHARED_KEY
+   :source-code: base/protocols/ssl/consts.zeek 194 194
+
+   :Type: :zeek:type:`count`
+   :Default: ``41``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_PSK_KEY_EXCHANGE_MODES
+   :source-code: base/protocols/ssl/consts.zeek 198 198
+
+   :Type: :zeek:type:`count`
+   :Default: ``45``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_PWD_CLEAR
+   :source-code: base/protocols/ssl/consts.zeek 183 183
+
+   :Type: :zeek:type:`count`
+   :Default: ``30``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_PWD_PROTECT
+   :source-code: base/protocols/ssl/consts.zeek 182 182
+
+   :Type: :zeek:type:`count`
+   :Default: ``29``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_QUIC_TRANSPORT_PARAMETERS
+   :source-code: base/protocols/ssl/consts.zeek 210 210
+
+   :Type: :zeek:type:`count`
+   :Default: ``57``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_RECORD_SIZE_LIMIT
+   :source-code: base/protocols/ssl/consts.zeek 181 181
+
+   :Type: :zeek:type:`count`
+   :Default: ``28``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_RENEGOTIATION_INFO
+   :source-code: base/protocols/ssl/consts.zeek 225 225
+
+   :Type: :zeek:type:`count`
+   :Default: ``65281``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_RRC
+   :source-code: base/protocols/ssl/consts.zeek 214 214
+
+   :Type: :zeek:type:`count`
+   :Default: ``61``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SEQUENCE_NUMBER_ENCRYPTION_ALGORITHMS
+   :source-code: base/protocols/ssl/consts.zeek 213 213
+
+   :Type: :zeek:type:`count`
+   :Default: ``60``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SERVER_AUTHZ
+   :source-code: base/protocols/ssl/consts.zeek 161 161
+
+   :Type: :zeek:type:`count`
+   :Default: ``8``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SERVER_CERTIFICATE_TYPE
+   :source-code: base/protocols/ssl/consts.zeek 173 173
+
+   :Type: :zeek:type:`count`
+   :Default: ``20``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SERVER_NAME
+   :source-code: base/protocols/ssl/consts.zeek 153 153
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SESSIONTICKET_TLS
+   :source-code: base/protocols/ssl/consts.zeek 188 188
+
+   :Type: :zeek:type:`count`
+   :Default: ``35``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SIGNATURE_ALGORITHMS
+   :source-code: base/protocols/ssl/consts.zeek 166 166
+
+   :Type: :zeek:type:`count`
+   :Default: ``13``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SIGNATURE_ALGORITHMS_CERT
+   :source-code: base/protocols/ssl/consts.zeek 203 203
+
+   :Type: :zeek:type:`count`
+   :Default: ``50``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP
+   :source-code: base/protocols/ssl/consts.zeek 171 171
+
+   :Type: :zeek:type:`count`
+   :Default: ``18``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SRP
+   :source-code: base/protocols/ssl/consts.zeek 165 165
+
+   :Type: :zeek:type:`count`
+   :Default: ``12``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_STATUS_REQUEST
+   :source-code: base/protocols/ssl/consts.zeek 158 158
+
+   :Type: :zeek:type:`count`
+   :Default: ``5``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_STATUS_REQUEST_V2
+   :source-code: base/protocols/ssl/consts.zeek 170 170
+
+   :Type: :zeek:type:`count`
+   :Default: ``17``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SUPPORTED_EKT_CIPHERS
+   :source-code: base/protocols/ssl/consts.zeek 192 192
+
+   :Type: :zeek:type:`count`
+   :Default: ``39``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SUPPORTED_GROUPS
+   :source-code: base/protocols/ssl/consts.zeek 163 163
+
+   :Type: :zeek:type:`count`
+   :Default: ``10``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_SUPPORTED_VERSIONS
+   :source-code: base/protocols/ssl/consts.zeek 196 196
+
+   :Type: :zeek:type:`count`
+   :Default: ``43``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TICKETEARLYDATAINFO
+   :source-code: base/protocols/ssl/consts.zeek 199 199
+
+   :Type: :zeek:type:`count`
+   :Default: ``46``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TICKET_PINNING
+   :source-code: base/protocols/ssl/consts.zeek 185 185
+
+   :Type: :zeek:type:`count`
+   :Default: ``32``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TICKET_REQUEST
+   :source-code: base/protocols/ssl/consts.zeek 211 211
+
+   :Type: :zeek:type:`count`
+   :Default: ``58``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TLMSP
+   :source-code: base/protocols/ssl/consts.zeek 189 189
+
+   :Type: :zeek:type:`count`
+   :Default: ``36``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TLMSP_DELEGATE
+   :source-code: base/protocols/ssl/consts.zeek 191 191
+
+   :Type: :zeek:type:`count`
+   :Default: ``38``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TLMSP_PROXYING
+   :source-code: base/protocols/ssl/consts.zeek 190 190
+
+   :Type: :zeek:type:`count`
+   :Default: ``37``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TLS_CERT_WITH_EXTERN_PSK
+   :source-code: base/protocols/ssl/consts.zeek 186 186
+
+   :Type: :zeek:type:`count`
+   :Default: ``33``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TLS_FLAGS
+   :source-code: base/protocols/ssl/consts.zeek 215 215
+
+   :Type: :zeek:type:`count`
+   :Default: ``62``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TLS_LTS
+   :source-code: base/protocols/ssl/consts.zeek 179 179
+
+   :Type: :zeek:type:`count`
+   :Default: ``26``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TOKEN_BINDING
+   :source-code: base/protocols/ssl/consts.zeek 177 177
+
+   :Type: :zeek:type:`count`
+   :Default: ``24``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TRANSPARENCY_INFO
+   :source-code: base/protocols/ssl/consts.zeek 205 205
+
+   :Type: :zeek:type:`count`
+   :Default: ``52``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TRUNCATED_HMAC
+   :source-code: base/protocols/ssl/consts.zeek 157 157
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_TRUSTED_CA_KEYS
+   :source-code: base/protocols/ssl/consts.zeek 156 156
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_USER_MAPPING
+   :source-code: base/protocols/ssl/consts.zeek 159 159
+
+   :Type: :zeek:type:`count`
+   :Default: ``6``
+
+
+.. zeek:id:: SSL::SSL_EXTENSION_USE_SRTP
+   :source-code: base/protocols/ssl/consts.zeek 167 167
+
+   :Type: :zeek:type:`count`
+   :Default: ``14``
+
+
+.. zeek:id:: SSL::SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 453 453
+
+   :Type: :zeek:type:`count`
+   :Default: ``29``
+
+
+.. zeek:id:: SSL::SSL_FORTEZZA_KEA_WITH_NULL_SHA
+   :source-code: base/protocols/ssl/consts.zeek 452 452
+
+   :Type: :zeek:type:`count`
+   :Default: ``28``
+
+
+.. zeek:id:: SSL::SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 823 823
+
+   :Type: :zeek:type:`count`
+   :Default: ``65279``
+
+
+.. zeek:id:: SSL::SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2
+   :source-code: base/protocols/ssl/consts.zeek 825 825
+
+   :Type: :zeek:type:`count`
+   :Default: ``65504``
+
+
+.. zeek:id:: SSL::SSL_RSA_FIPS_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 822 822
+
+   :Type: :zeek:type:`count`
+   :Default: ``65278``
+
+
+.. zeek:id:: SSL::SSL_RSA_FIPS_WITH_DES_CBC_SHA_2
+   :source-code: base/protocols/ssl/consts.zeek 824 824
+
+   :Type: :zeek:type:`count`
+   :Default: ``65505``
+
+
+.. zeek:id:: SSL::SSL_RSA_WITH_3DES_EDE_CBC_MD5
+   :source-code: base/protocols/ssl/consts.zeek 829 829
+
+   :Type: :zeek:type:`count`
+   :Default: ``65411``
+
+
+.. zeek:id:: SSL::SSL_RSA_WITH_DES_CBC_MD5
+   :source-code: base/protocols/ssl/consts.zeek 828 828
+
+   :Type: :zeek:type:`count`
+   :Default: ``65410``
+
+
+.. zeek:id:: SSL::SSL_RSA_WITH_IDEA_CBC_MD5
+   :source-code: base/protocols/ssl/consts.zeek 827 827
+
+   :Type: :zeek:type:`count`
+   :Default: ``65409``
+
+
+.. zeek:id:: SSL::SSL_RSA_WITH_RC2_CBC_MD5
+   :source-code: base/protocols/ssl/consts.zeek 826 826
+
+   :Type: :zeek:type:`count`
+   :Default: ``65408``
+
+
+.. zeek:id:: SSL::SSLv2
+   :source-code: base/protocols/ssl/consts.zeek 4 4
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: SSL::SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5
+   :source-code: base/protocols/ssl/consts.zeek 421 421
+
+   :Type: :zeek:type:`count`
+   :Default: ``458944``
+
+
+.. zeek:id:: SSL::SSLv20_CK_DES_64_CBC_WITH_MD5
+   :source-code: base/protocols/ssl/consts.zeek 420 420
+
+   :Type: :zeek:type:`count`
+   :Default: ``393280``
+
+
+.. zeek:id:: SSL::SSLv20_CK_IDEA_128_CBC_WITH_MD5
+   :source-code: base/protocols/ssl/consts.zeek 419 419
+
+   :Type: :zeek:type:`count`
+   :Default: ``327808``
+
+
+.. zeek:id:: SSL::SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5
+   :source-code: base/protocols/ssl/consts.zeek 418 418
+
+   :Type: :zeek:type:`count`
+   :Default: ``262272``
+
+
+.. zeek:id:: SSL::SSLv20_CK_RC2_128_CBC_WITH_MD5
+   :source-code: base/protocols/ssl/consts.zeek 417 417
+
+   :Type: :zeek:type:`count`
+   :Default: ``196736``
+
+
+.. zeek:id:: SSL::SSLv20_CK_RC4_128_EXPORT40_WITH_MD5
+   :source-code: base/protocols/ssl/consts.zeek 416 416
+
+   :Type: :zeek:type:`count`
+   :Default: ``131200``
+
+
+.. zeek:id:: SSL::SSLv20_CK_RC4_128_WITH_MD5
+   :source-code: base/protocols/ssl/consts.zeek 415 415
+
+   :Type: :zeek:type:`count`
+   :Default: ``65664``
+
+
+.. zeek:id:: SSL::SSLv3
+   :source-code: base/protocols/ssl/consts.zeek 5 5
+
+   :Type: :zeek:type:`count`
+   :Default: ``768``
+
+
+.. zeek:id:: SSL::SUPPLEMENTAL_DATA
+   :source-code: base/protocols/ssl/consts.zeek 66 66
+
+   :Type: :zeek:type:`count`
+   :Default: ``23``
+
+
+.. zeek:id:: SSL::TLS12_CID
+   :source-code: base/protocols/ssl/consts.zeek 41 41
+
+   :Type: :zeek:type:`count`
+   :Default: ``25``
+
+
+.. zeek:id:: SSL::TLS13_ACK
+   :source-code: base/protocols/ssl/consts.zeek 42 42
+
+   :Type: :zeek:type:`count`
+   :Default: ``26``
+
+
+.. zeek:id:: SSL::TLS_AEGIS_128L_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 598 598
+
+   :Type: :zeek:type:`count`
+   :Default: ``4871``
+
+
+.. zeek:id:: SSL::TLS_AEGIS_256_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 597 597
+
+   :Type: :zeek:type:`count`
+   :Default: ``4870``
+
+
+.. zeek:id:: SSL::TLS_AES_128_CCM_8_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 595 595
+
+   :Type: :zeek:type:`count`
+   :Default: ``4869``
+
+
+.. zeek:id:: SSL::TLS_AES_128_CCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 594 594
+
+   :Type: :zeek:type:`count`
+   :Default: ``4868``
+
+
+.. zeek:id:: SSL::TLS_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 591 591
+
+   :Type: :zeek:type:`count`
+   :Default: ``4865``
+
+
+.. zeek:id:: SSL::TLS_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 592 592
+
+   :Type: :zeek:type:`count`
+   :Default: ``4866``
+
+
+.. zeek:id:: SSL::TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 603 603
+
+   :Type: :zeek:type:`count`
+   :Default: ``5818``
+
+
+.. zeek:id:: SSL::TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 601 601
+
+   :Type: :zeek:type:`count`
+   :Default: ``5816``
+
+
+.. zeek:id:: SSL::TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 602 602
+
+   :Type: :zeek:type:`count`
+   :Default: ``5817``
+
+
+.. zeek:id:: SSL::TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 600 600
+
+   :Type: :zeek:type:`count`
+   :Default: ``5815``
+
+
+.. zeek:id:: SSL::TLS_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 593 593
+
+   :Type: :zeek:type:`count`
+   :Default: ``4867``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 495 495
+
+   :Type: :zeek:type:`count`
+   :Default: ``99``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
+   :source-code: base/protocols/ssl/consts.zeek 497 497
+
+   :Type: :zeek:type:`count`
+   :Default: ``101``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 441 441
+
+   :Type: :zeek:type:`count`
+   :Default: ``17``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 507 507
+
+   :Type: :zeek:type:`count`
+   :Default: ``114``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 443 443
+
+   :Type: :zeek:type:`count`
+   :Default: ``19``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_AES_128_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 508 508
+
+   :Type: :zeek:type:`count`
+   :Default: ``115``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 471 471
+
+   :Type: :zeek:type:`count`
+   :Default: ``50``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 485 485
+
+   :Type: :zeek:type:`count`
+   :Default: ``64``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 551 551
+
+   :Type: :zeek:type:`count`
+   :Default: ``162``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_AES_256_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 509 509
+
+   :Type: :zeek:type:`count`
+   :Default: ``116``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 477 477
+
+   :Type: :zeek:type:`count`
+   :Default: ``56``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 502 502
+
+   :Type: :zeek:type:`count`
+   :Default: ``106``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 552 552
+
+   :Type: :zeek:type:`count`
+   :Default: ``163``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 673 673
+
+   :Type: :zeek:type:`count`
+   :Default: ``49218``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 693 693
+
+   :Type: :zeek:type:`count`
+   :Default: ``49238``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 674 674
+
+   :Type: :zeek:type:`count`
+   :Default: ``49219``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 694 694
+
+   :Type: :zeek:type:`count`
+   :Default: ``49239``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 489 489
+
+   :Type: :zeek:type:`count`
+   :Default: ``68``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 578 578
+
+   :Type: :zeek:type:`count`
+   :Default: ``189``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 736 736
+
+   :Type: :zeek:type:`count`
+   :Default: ``49280``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 524 524
+
+   :Type: :zeek:type:`count`
+   :Default: ``135``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 584 584
+
+   :Type: :zeek:type:`count`
+   :Default: ``195``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 737 737
+
+   :Type: :zeek:type:`count`
+   :Default: ``49281``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 442 442
+
+   :Type: :zeek:type:`count`
+   :Default: ``18``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 498 498
+
+   :Type: :zeek:type:`count`
+   :Default: ``102``
+
+
+.. zeek:id:: SSL::TLS_DHE_DSS_WITH_SEED_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 542 542
+
+   :Type: :zeek:type:`count`
+   :Default: ``153``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 532 532
+
+   :Type: :zeek:type:`count`
+   :Default: ``143``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 533 533
+
+   :Type: :zeek:type:`count`
+   :Default: ``144``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 567 567
+
+   :Type: :zeek:type:`count`
+   :Default: ``178``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_AES_128_CCM
+   :source-code: base/protocols/ssl/consts.zeek 775 775
+
+   :Type: :zeek:type:`count`
+   :Default: ``49318``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 559 559
+
+   :Type: :zeek:type:`count`
+   :Default: ``170``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 534 534
+
+   :Type: :zeek:type:`count`
+   :Default: ``145``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 568 568
+
+   :Type: :zeek:type:`count`
+   :Default: ``179``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_AES_256_CCM
+   :source-code: base/protocols/ssl/consts.zeek 776 776
+
+   :Type: :zeek:type:`count`
+   :Default: ``49319``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 560 560
+
+   :Type: :zeek:type:`count`
+   :Default: ``171``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 709 709
+
+   :Type: :zeek:type:`count`
+   :Default: ``49254``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 715 715
+
+   :Type: :zeek:type:`count`
+   :Default: ``49260``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 710 710
+
+   :Type: :zeek:type:`count`
+   :Default: ``49255``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 716 716
+
+   :Type: :zeek:type:`count`
+   :Default: ``49261``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 758 758
+
+   :Type: :zeek:type:`count`
+   :Default: ``49302``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 752 752
+
+   :Type: :zeek:type:`count`
+   :Default: ``49296``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 759 759
+
+   :Type: :zeek:type:`count`
+   :Default: ``49303``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 753 753
+
+   :Type: :zeek:type:`count`
+   :Default: ``49297``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 812 812
+
+   :Type: :zeek:type:`count`
+   :Default: ``52397``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_NULL_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 569 569
+
+   :Type: :zeek:type:`count`
+   :Default: ``180``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_NULL_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 570 570
+
+   :Type: :zeek:type:`count`
+   :Default: ``181``
+
+
+.. zeek:id:: SSL::TLS_DHE_PSK_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 531 531
+
+   :Type: :zeek:type:`count`
+   :Default: ``142``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 444 444
+
+   :Type: :zeek:type:`count`
+   :Default: ``20``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 510 510
+
+   :Type: :zeek:type:`count`
+   :Default: ``119``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 446 446
+
+   :Type: :zeek:type:`count`
+   :Default: ``22``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_128_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 511 511
+
+   :Type: :zeek:type:`count`
+   :Default: ``120``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 472 472
+
+   :Type: :zeek:type:`count`
+   :Default: ``51``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 499 499
+
+   :Type: :zeek:type:`count`
+   :Default: ``103``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_128_CCM
+   :source-code: base/protocols/ssl/consts.zeek 767 767
+
+   :Type: :zeek:type:`count`
+   :Default: ``49310``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_128_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 771 771
+
+   :Type: :zeek:type:`count`
+   :Default: ``49314``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 547 547
+
+   :Type: :zeek:type:`count`
+   :Default: ``158``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_256_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 512 512
+
+   :Type: :zeek:type:`count`
+   :Default: ``121``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 478 478
+
+   :Type: :zeek:type:`count`
+   :Default: ``57``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 503 503
+
+   :Type: :zeek:type:`count`
+   :Default: ``107``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_256_CCM
+   :source-code: base/protocols/ssl/consts.zeek 768 768
+
+   :Type: :zeek:type:`count`
+   :Default: ``49311``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_256_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 772 772
+
+   :Type: :zeek:type:`count`
+   :Default: ``49315``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 548 548
+
+   :Type: :zeek:type:`count`
+   :Default: ``159``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 675 675
+
+   :Type: :zeek:type:`count`
+   :Default: ``49220``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 689 689
+
+   :Type: :zeek:type:`count`
+   :Default: ``49234``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 676 676
+
+   :Type: :zeek:type:`count`
+   :Default: ``49221``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 690 690
+
+   :Type: :zeek:type:`count`
+   :Default: ``49235``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 490 490
+
+   :Type: :zeek:type:`count`
+   :Default: ``69``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 579 579
+
+   :Type: :zeek:type:`count`
+   :Default: ``190``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 732 732
+
+   :Type: :zeek:type:`count`
+   :Default: ``49276``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 525 525
+
+   :Type: :zeek:type:`count`
+   :Default: ``136``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 585 585
+
+   :Type: :zeek:type:`count`
+   :Default: ``196``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 733 733
+
+   :Type: :zeek:type:`count`
+   :Default: ``49277``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 809 809
+
+   :Type: :zeek:type:`count`
+   :Default: ``52394``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
+   :source-code: base/protocols/ssl/consts.zeek 805 805
+
+   :Type: :zeek:type:`count`
+   :Default: ``52245``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 445 445
+
+   :Type: :zeek:type:`count`
+   :Default: ``21``
+
+
+.. zeek:id:: SSL::TLS_DHE_RSA_WITH_SEED_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 543 543
+
+   :Type: :zeek:type:`count`
+   :Default: ``154``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 449 449
+
+   :Type: :zeek:type:`count`
+   :Default: ``25``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5
+   :source-code: base/protocols/ssl/consts.zeek 447 447
+
+   :Type: :zeek:type:`count`
+   :Default: ``23``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 451 451
+
+   :Type: :zeek:type:`count`
+   :Default: ``27``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 473 473
+
+   :Type: :zeek:type:`count`
+   :Default: ``52``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 504 504
+
+   :Type: :zeek:type:`count`
+   :Default: ``108``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 555 555
+
+   :Type: :zeek:type:`count`
+   :Default: ``166``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 479 479
+
+   :Type: :zeek:type:`count`
+   :Default: ``58``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_AES_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 505 505
+
+   :Type: :zeek:type:`count`
+   :Default: ``109``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 556 556
+
+   :Type: :zeek:type:`count`
+   :Default: ``167``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 677 677
+
+   :Type: :zeek:type:`count`
+   :Default: ``49222``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 697 697
+
+   :Type: :zeek:type:`count`
+   :Default: ``49242``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 678 678
+
+   :Type: :zeek:type:`count`
+   :Default: ``49223``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 698 698
+
+   :Type: :zeek:type:`count`
+   :Default: ``49243``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 491 491
+
+   :Type: :zeek:type:`count`
+   :Default: ``70``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 580 580
+
+   :Type: :zeek:type:`count`
+   :Default: ``191``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 740 740
+
+   :Type: :zeek:type:`count`
+   :Default: ``49284``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 526 526
+
+   :Type: :zeek:type:`count`
+   :Default: ``137``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 586 586
+
+   :Type: :zeek:type:`count`
+   :Default: ``197``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 741 741
+
+   :Type: :zeek:type:`count`
+   :Default: ``49285``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 450 450
+
+   :Type: :zeek:type:`count`
+   :Default: ``26``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_RC4_128_MD5
+   :source-code: base/protocols/ssl/consts.zeek 448 448
+
+   :Type: :zeek:type:`count`
+   :Default: ``24``
+
+
+.. zeek:id:: SSL::TLS_DH_ANON_WITH_SEED_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 544 544
+
+   :Type: :zeek:type:`count`
+   :Default: ``155``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 435 435
+
+   :Type: :zeek:type:`count`
+   :Default: ``11``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 437 437
+
+   :Type: :zeek:type:`count`
+   :Default: ``13``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 469 469
+
+   :Type: :zeek:type:`count`
+   :Default: ``48``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 483 483
+
+   :Type: :zeek:type:`count`
+   :Default: ``62``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 553 553
+
+   :Type: :zeek:type:`count`
+   :Default: ``164``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 475 475
+
+   :Type: :zeek:type:`count`
+   :Default: ``54``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_AES_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 500 500
+
+   :Type: :zeek:type:`count`
+   :Default: ``104``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 554 554
+
+   :Type: :zeek:type:`count`
+   :Default: ``165``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 669 669
+
+   :Type: :zeek:type:`count`
+   :Default: ``49214``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 695 695
+
+   :Type: :zeek:type:`count`
+   :Default: ``49240``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 670 670
+
+   :Type: :zeek:type:`count`
+   :Default: ``49215``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 696 696
+
+   :Type: :zeek:type:`count`
+   :Default: ``49241``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 487 487
+
+   :Type: :zeek:type:`count`
+   :Default: ``66``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 576 576
+
+   :Type: :zeek:type:`count`
+   :Default: ``187``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 738 738
+
+   :Type: :zeek:type:`count`
+   :Default: ``49282``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 522 522
+
+   :Type: :zeek:type:`count`
+   :Default: ``133``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 582 582
+
+   :Type: :zeek:type:`count`
+   :Default: ``193``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 739 739
+
+   :Type: :zeek:type:`count`
+   :Default: ``49283``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 436 436
+
+   :Type: :zeek:type:`count`
+   :Default: ``12``
+
+
+.. zeek:id:: SSL::TLS_DH_DSS_WITH_SEED_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 540 540
+
+   :Type: :zeek:type:`count`
+   :Default: ``151``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 438 438
+
+   :Type: :zeek:type:`count`
+   :Default: ``14``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 440 440
+
+   :Type: :zeek:type:`count`
+   :Default: ``16``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 470 470
+
+   :Type: :zeek:type:`count`
+   :Default: ``49``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 484 484
+
+   :Type: :zeek:type:`count`
+   :Default: ``63``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 549 549
+
+   :Type: :zeek:type:`count`
+   :Default: ``160``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 476 476
+
+   :Type: :zeek:type:`count`
+   :Default: ``55``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_AES_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 501 501
+
+   :Type: :zeek:type:`count`
+   :Default: ``105``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 550 550
+
+   :Type: :zeek:type:`count`
+   :Default: ``161``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 671 671
+
+   :Type: :zeek:type:`count`
+   :Default: ``49216``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 691 691
+
+   :Type: :zeek:type:`count`
+   :Default: ``49236``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 672 672
+
+   :Type: :zeek:type:`count`
+   :Default: ``49217``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 692 692
+
+   :Type: :zeek:type:`count`
+   :Default: ``49237``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 488 488
+
+   :Type: :zeek:type:`count`
+   :Default: ``67``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 577 577
+
+   :Type: :zeek:type:`count`
+   :Default: ``188``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 734 734
+
+   :Type: :zeek:type:`count`
+   :Default: ``49278``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 523 523
+
+   :Type: :zeek:type:`count`
+   :Default: ``134``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 583 583
+
+   :Type: :zeek:type:`count`
+   :Default: ``194``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 735 735
+
+   :Type: :zeek:type:`count`
+   :Default: ``49279``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 439 439
+
+   :Type: :zeek:type:`count`
+   :Default: ``15``
+
+
+.. zeek:id:: SSL::TLS_DH_RSA_WITH_SEED_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 541 541
+
+   :Type: :zeek:type:`count`
+   :Default: ``152``
+
+
+.. zeek:id:: SSL::TLS_ECCPWD_WITH_AES_128_CCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 788 788
+
+   :Type: :zeek:type:`count`
+   :Default: ``49330``
+
+
+.. zeek:id:: SSL::TLS_ECCPWD_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 786 786
+
+   :Type: :zeek:type:`count`
+   :Default: ``49328``
+
+
+.. zeek:id:: SSL::TLS_ECCPWD_WITH_AES_256_CCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 789 789
+
+   :Type: :zeek:type:`count`
+   :Default: ``49331``
+
+
+.. zeek:id:: SSL::TLS_ECCPWD_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 787 787
+
+   :Type: :zeek:type:`count`
+   :Default: ``49329``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 614 614
+
+   :Type: :zeek:type:`count`
+   :Default: ``49160``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 615 615
+
+   :Type: :zeek:type:`count`
+   :Default: ``49161``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 641 641
+
+   :Type: :zeek:type:`count`
+   :Default: ``49187``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CCM
+   :source-code: base/protocols/ssl/consts.zeek 781 781
+
+   :Type: :zeek:type:`count`
+   :Default: ``49324``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 783 783
+
+   :Type: :zeek:type:`count`
+   :Default: ``49326``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 649 649
+
+   :Type: :zeek:type:`count`
+   :Default: ``49195``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 616 616
+
+   :Type: :zeek:type:`count`
+   :Default: ``49162``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 642 642
+
+   :Type: :zeek:type:`count`
+   :Default: ``49188``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+   :source-code: base/protocols/ssl/consts.zeek 782 782
+
+   :Type: :zeek:type:`count`
+   :Default: ``49325``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 784 784
+
+   :Type: :zeek:type:`count`
+   :Default: ``49327``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 650 650
+
+   :Type: :zeek:type:`count`
+   :Default: ``49196``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 679 679
+
+   :Type: :zeek:type:`count`
+   :Default: ``49224``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 699 699
+
+   :Type: :zeek:type:`count`
+   :Default: ``49244``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 680 680
+
+   :Type: :zeek:type:`count`
+   :Default: ``49225``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 700 700
+
+   :Type: :zeek:type:`count`
+   :Default: ``49245``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 722 722
+
+   :Type: :zeek:type:`count`
+   :Default: ``49266``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 742 742
+
+   :Type: :zeek:type:`count`
+   :Default: ``49286``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 723 723
+
+   :Type: :zeek:type:`count`
+   :Default: ``49267``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 743 743
+
+   :Type: :zeek:type:`count`
+   :Default: ``49287``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 808 808
+
+   :Type: :zeek:type:`count`
+   :Default: ``52393``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD
+   :source-code: base/protocols/ssl/consts.zeek 804 804
+
+   :Type: :zeek:type:`count`
+   :Default: ``52244``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_NULL_SHA
+   :source-code: base/protocols/ssl/consts.zeek 612 612
+
+   :Type: :zeek:type:`count`
+   :Default: ``49158``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 613 613
+
+   :Type: :zeek:type:`count`
+   :Default: ``49159``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 658 658
+
+   :Type: :zeek:type:`count`
+   :Default: ``49204``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 659 659
+
+   :Type: :zeek:type:`count`
+   :Default: ``49205``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 661 661
+
+   :Type: :zeek:type:`count`
+   :Default: ``49207``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 819 819
+
+   :Type: :zeek:type:`count`
+   :Default: ``53251``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 820 820
+
+   :Type: :zeek:type:`count`
+   :Default: ``53253``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256_OLD
+   :source-code: base/protocols/ssl/consts.zeek 815 815
+
+   :Type: :zeek:type:`count`
+   :Default: ``53252``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 817 817
+
+   :Type: :zeek:type:`count`
+   :Default: ``53249``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 660 660
+
+   :Type: :zeek:type:`count`
+   :Default: ``49206``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 662 662
+
+   :Type: :zeek:type:`count`
+   :Default: ``49208``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 818 818
+
+   :Type: :zeek:type:`count`
+   :Default: ``53250``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 719 719
+
+   :Type: :zeek:type:`count`
+   :Default: ``49264``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 720 720
+
+   :Type: :zeek:type:`count`
+   :Default: ``49265``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 762 762
+
+   :Type: :zeek:type:`count`
+   :Default: ``49306``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 763 763
+
+   :Type: :zeek:type:`count`
+   :Default: ``49307``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 811 811
+
+   :Type: :zeek:type:`count`
+   :Default: ``52396``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_NULL_SHA
+   :source-code: base/protocols/ssl/consts.zeek 663 663
+
+   :Type: :zeek:type:`count`
+   :Default: ``49209``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_NULL_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 664 664
+
+   :Type: :zeek:type:`count`
+   :Default: ``49210``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_NULL_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 665 665
+
+   :Type: :zeek:type:`count`
+   :Default: ``49211``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_PSK_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 657 657
+
+   :Type: :zeek:type:`count`
+   :Default: ``49203``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 624 624
+
+   :Type: :zeek:type:`count`
+   :Default: ``49170``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 625 625
+
+   :Type: :zeek:type:`count`
+   :Default: ``49171``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 645 645
+
+   :Type: :zeek:type:`count`
+   :Default: ``49191``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 653 653
+
+   :Type: :zeek:type:`count`
+   :Default: ``49199``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 626 626
+
+   :Type: :zeek:type:`count`
+   :Default: ``49172``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 646 646
+
+   :Type: :zeek:type:`count`
+   :Default: ``49192``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 654 654
+
+   :Type: :zeek:type:`count`
+   :Default: ``49200``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 683 683
+
+   :Type: :zeek:type:`count`
+   :Default: ``49228``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 703 703
+
+   :Type: :zeek:type:`count`
+   :Default: ``49248``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 684 684
+
+   :Type: :zeek:type:`count`
+   :Default: ``49229``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 704 704
+
+   :Type: :zeek:type:`count`
+   :Default: ``49249``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 726 726
+
+   :Type: :zeek:type:`count`
+   :Default: ``49270``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 746 746
+
+   :Type: :zeek:type:`count`
+   :Default: ``49290``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 727 727
+
+   :Type: :zeek:type:`count`
+   :Default: ``49271``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 747 747
+
+   :Type: :zeek:type:`count`
+   :Default: ``49291``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 807 807
+
+   :Type: :zeek:type:`count`
+   :Default: ``52392``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
+   :source-code: base/protocols/ssl/consts.zeek 803 803
+
+   :Type: :zeek:type:`count`
+   :Default: ``52243``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_NULL_SHA
+   :source-code: base/protocols/ssl/consts.zeek 622 622
+
+   :Type: :zeek:type:`count`
+   :Default: ``49168``
+
+
+.. zeek:id:: SSL::TLS_ECDHE_RSA_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 623 623
+
+   :Type: :zeek:type:`count`
+   :Default: ``49169``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 629 629
+
+   :Type: :zeek:type:`count`
+   :Default: ``49175``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ANON_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 630 630
+
+   :Type: :zeek:type:`count`
+   :Default: ``49176``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 631 631
+
+   :Type: :zeek:type:`count`
+   :Default: ``49177``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ANON_WITH_NULL_SHA
+   :source-code: base/protocols/ssl/consts.zeek 627 627
+
+   :Type: :zeek:type:`count`
+   :Default: ``49173``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ANON_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 628 628
+
+   :Type: :zeek:type:`count`
+   :Default: ``49174``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 609 609
+
+   :Type: :zeek:type:`count`
+   :Default: ``49155``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 610 610
+
+   :Type: :zeek:type:`count`
+   :Default: ``49156``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 643 643
+
+   :Type: :zeek:type:`count`
+   :Default: ``49189``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 651 651
+
+   :Type: :zeek:type:`count`
+   :Default: ``49197``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 611 611
+
+   :Type: :zeek:type:`count`
+   :Default: ``49157``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 644 644
+
+   :Type: :zeek:type:`count`
+   :Default: ``49190``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 652 652
+
+   :Type: :zeek:type:`count`
+   :Default: ``49198``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 681 681
+
+   :Type: :zeek:type:`count`
+   :Default: ``49226``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 701 701
+
+   :Type: :zeek:type:`count`
+   :Default: ``49246``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 682 682
+
+   :Type: :zeek:type:`count`
+   :Default: ``49227``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 702 702
+
+   :Type: :zeek:type:`count`
+   :Default: ``49247``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 724 724
+
+   :Type: :zeek:type:`count`
+   :Default: ``49268``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 744 744
+
+   :Type: :zeek:type:`count`
+   :Default: ``49288``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 725 725
+
+   :Type: :zeek:type:`count`
+   :Default: ``49269``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 745 745
+
+   :Type: :zeek:type:`count`
+   :Default: ``49289``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_NULL_SHA
+   :source-code: base/protocols/ssl/consts.zeek 607 607
+
+   :Type: :zeek:type:`count`
+   :Default: ``49153``
+
+
+.. zeek:id:: SSL::TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 608 608
+
+   :Type: :zeek:type:`count`
+   :Default: ``49154``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 619 619
+
+   :Type: :zeek:type:`count`
+   :Default: ``49165``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 620 620
+
+   :Type: :zeek:type:`count`
+   :Default: ``49166``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 647 647
+
+   :Type: :zeek:type:`count`
+   :Default: ``49193``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 655 655
+
+   :Type: :zeek:type:`count`
+   :Default: ``49201``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 621 621
+
+   :Type: :zeek:type:`count`
+   :Default: ``49167``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 648 648
+
+   :Type: :zeek:type:`count`
+   :Default: ``49194``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 656 656
+
+   :Type: :zeek:type:`count`
+   :Default: ``49202``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 685 685
+
+   :Type: :zeek:type:`count`
+   :Default: ``49230``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 705 705
+
+   :Type: :zeek:type:`count`
+   :Default: ``49250``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 686 686
+
+   :Type: :zeek:type:`count`
+   :Default: ``49231``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 706 706
+
+   :Type: :zeek:type:`count`
+   :Default: ``49251``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 728 728
+
+   :Type: :zeek:type:`count`
+   :Default: ``49272``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 748 748
+
+   :Type: :zeek:type:`count`
+   :Default: ``49292``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 729 729
+
+   :Type: :zeek:type:`count`
+   :Default: ``49273``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 749 749
+
+   :Type: :zeek:type:`count`
+   :Default: ``49293``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_NULL_SHA
+   :source-code: base/protocols/ssl/consts.zeek 617 617
+
+   :Type: :zeek:type:`count`
+   :Default: ``49163``
+
+
+.. zeek:id:: SSL::TLS_ECDH_RSA_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 618 618
+
+   :Type: :zeek:type:`count`
+   :Default: ``49164``
+
+
+.. zeek:id:: SSL::TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+   :source-code: base/protocols/ssl/consts.zeek 830 830
+
+   :Type: :zeek:type:`count`
+   :Default: ``255``
+
+
+.. zeek:id:: SSL::TLS_FALLBACK_SCSV
+   :source-code: base/protocols/ssl/consts.zeek 605 605
+
+   :Type: :zeek:type:`count`
+   :Default: ``22016``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341001_WITH_28147_CNT_IMIT
+   :source-code: base/protocols/ssl/consts.zeek 518 518
+
+   :Type: :zeek:type:`count`
+   :Default: ``129``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341001_WITH_NULL_GOSTR3411
+   :source-code: base/protocols/ssl/consts.zeek 520 520
+
+   :Type: :zeek:type:`count`
+   :Default: ``131``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341094_WITH_28147_CNT_IMIT
+   :source-code: base/protocols/ssl/consts.zeek 517 517
+
+   :Type: :zeek:type:`count`
+   :Default: ``128``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341094_WITH_NULL_GOSTR3411
+   :source-code: base/protocols/ssl/consts.zeek 519 519
+
+   :Type: :zeek:type:`count`
+   :Default: ``130``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341112_256_WITH_28147_CNT_IMIT
+   :source-code: base/protocols/ssl/consts.zeek 796 796
+
+   :Type: :zeek:type:`count`
+   :Default: ``49410``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
+   :source-code: base/protocols/ssl/consts.zeek 794 794
+
+   :Type: :zeek:type:`count`
+   :Default: ``49408``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L
+   :source-code: base/protocols/ssl/consts.zeek 798 798
+
+   :Type: :zeek:type:`count`
+   :Default: ``49411``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S
+   :source-code: base/protocols/ssl/consts.zeek 800 800
+
+   :Type: :zeek:type:`count`
+   :Default: ``49413``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
+   :source-code: base/protocols/ssl/consts.zeek 795 795
+
+   :Type: :zeek:type:`count`
+   :Default: ``49409``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341112_256_WITH_MAGMA_MGM_L
+   :source-code: base/protocols/ssl/consts.zeek 799 799
+
+   :Type: :zeek:type:`count`
+   :Default: ``49412``
+
+
+.. zeek:id:: SSL::TLS_GOSTR341112_256_WITH_MAGMA_MGM_S
+   :source-code: base/protocols/ssl/consts.zeek 801 801
+
+   :Type: :zeek:type:`count`
+   :Default: ``49414``
+
+
+.. zeek:id:: SSL::TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
+   :source-code: base/protocols/ssl/consts.zeek 465 465
+
+   :Type: :zeek:type:`count`
+   :Default: ``41``
+
+
+.. zeek:id:: SSL::TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
+   :source-code: base/protocols/ssl/consts.zeek 462 462
+
+   :Type: :zeek:type:`count`
+   :Default: ``38``
+
+
+.. zeek:id:: SSL::TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
+   :source-code: base/protocols/ssl/consts.zeek 466 466
+
+   :Type: :zeek:type:`count`
+   :Default: ``42``
+
+
+.. zeek:id:: SSL::TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA
+   :source-code: base/protocols/ssl/consts.zeek 463 463
+
+   :Type: :zeek:type:`count`
+   :Default: ``39``
+
+
+.. zeek:id:: SSL::TLS_KRB5_EXPORT_WITH_RC4_40_MD5
+   :source-code: base/protocols/ssl/consts.zeek 467 467
+
+   :Type: :zeek:type:`count`
+   :Default: ``43``
+
+
+.. zeek:id:: SSL::TLS_KRB5_EXPORT_WITH_RC4_40_SHA
+   :source-code: base/protocols/ssl/consts.zeek 464 464
+
+   :Type: :zeek:type:`count`
+   :Default: ``40``
+
+
+.. zeek:id:: SSL::TLS_KRB5_WITH_3DES_EDE_CBC_MD5
+   :source-code: base/protocols/ssl/consts.zeek 459 459
+
+   :Type: :zeek:type:`count`
+   :Default: ``35``
+
+
+.. zeek:id:: SSL::TLS_KRB5_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 455 455
+
+   :Type: :zeek:type:`count`
+   :Default: ``31``
+
+
+.. zeek:id:: SSL::TLS_KRB5_WITH_DES_CBC_MD5
+   :source-code: base/protocols/ssl/consts.zeek 458 458
+
+   :Type: :zeek:type:`count`
+   :Default: ``34``
+
+
+.. zeek:id:: SSL::TLS_KRB5_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 454 454
+
+   :Type: :zeek:type:`count`
+   :Default: ``30``
+
+
+.. zeek:id:: SSL::TLS_KRB5_WITH_IDEA_CBC_MD5
+   :source-code: base/protocols/ssl/consts.zeek 461 461
+
+   :Type: :zeek:type:`count`
+   :Default: ``37``
+
+
+.. zeek:id:: SSL::TLS_KRB5_WITH_IDEA_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 457 457
+
+   :Type: :zeek:type:`count`
+   :Default: ``33``
+
+
+.. zeek:id:: SSL::TLS_KRB5_WITH_RC4_128_MD5
+   :source-code: base/protocols/ssl/consts.zeek 460 460
+
+   :Type: :zeek:type:`count`
+   :Default: ``36``
+
+
+.. zeek:id:: SSL::TLS_KRB5_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 456 456
+
+   :Type: :zeek:type:`count`
+   :Default: ``32``
+
+
+.. zeek:id:: SSL::TLS_NULL_WITH_NULL_NULL
+   :source-code: base/protocols/ssl/consts.zeek 424 424
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+
+.. zeek:id:: SSL::TLS_PSK_DHE_WITH_AES_128_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 779 779
+
+   :Type: :zeek:type:`count`
+   :Default: ``49322``
+
+
+.. zeek:id:: SSL::TLS_PSK_DHE_WITH_AES_256_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 780 780
+
+   :Type: :zeek:type:`count`
+   :Default: ``49323``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 528 528
+
+   :Type: :zeek:type:`count`
+   :Default: ``139``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 529 529
+
+   :Type: :zeek:type:`count`
+   :Default: ``140``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 563 563
+
+   :Type: :zeek:type:`count`
+   :Default: ``174``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_128_CCM
+   :source-code: base/protocols/ssl/consts.zeek 773 773
+
+   :Type: :zeek:type:`count`
+   :Default: ``49316``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_128_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 777 777
+
+   :Type: :zeek:type:`count`
+   :Default: ``49320``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 557 557
+
+   :Type: :zeek:type:`count`
+   :Default: ``168``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 530 530
+
+   :Type: :zeek:type:`count`
+   :Default: ``141``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 564 564
+
+   :Type: :zeek:type:`count`
+   :Default: ``175``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_256_CCM
+   :source-code: base/protocols/ssl/consts.zeek 774 774
+
+   :Type: :zeek:type:`count`
+   :Default: ``49317``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_256_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 778 778
+
+   :Type: :zeek:type:`count`
+   :Default: ``49321``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 558 558
+
+   :Type: :zeek:type:`count`
+   :Default: ``169``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 707 707
+
+   :Type: :zeek:type:`count`
+   :Default: ``49252``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 713 713
+
+   :Type: :zeek:type:`count`
+   :Default: ``49258``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 708 708
+
+   :Type: :zeek:type:`count`
+   :Default: ``49253``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 714 714
+
+   :Type: :zeek:type:`count`
+   :Default: ``49259``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 756 756
+
+   :Type: :zeek:type:`count`
+   :Default: ``49300``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 750 750
+
+   :Type: :zeek:type:`count`
+   :Default: ``49294``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 757 757
+
+   :Type: :zeek:type:`count`
+   :Default: ``49301``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 751 751
+
+   :Type: :zeek:type:`count`
+   :Default: ``49295``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 810 810
+
+   :Type: :zeek:type:`count`
+   :Default: ``52395``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_NULL_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 565 565
+
+   :Type: :zeek:type:`count`
+   :Default: ``176``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_NULL_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 566 566
+
+   :Type: :zeek:type:`count`
+   :Default: ``177``
+
+
+.. zeek:id:: SSL::TLS_PSK_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 527 527
+
+   :Type: :zeek:type:`count`
+   :Default: ``138``
+
+
+.. zeek:id:: SSL::TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 494 494
+
+   :Type: :zeek:type:`count`
+   :Default: ``98``
+
+
+.. zeek:id:: SSL::TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
+   :source-code: base/protocols/ssl/consts.zeek 493 493
+
+   :Type: :zeek:type:`count`
+   :Default: ``97``
+
+
+.. zeek:id:: SSL::TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
+   :source-code: base/protocols/ssl/consts.zeek 492 492
+
+   :Type: :zeek:type:`count`
+   :Default: ``96``
+
+
+.. zeek:id:: SSL::TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
+   :source-code: base/protocols/ssl/consts.zeek 496 496
+
+   :Type: :zeek:type:`count`
+   :Default: ``100``
+
+
+.. zeek:id:: SSL::TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 432 432
+
+   :Type: :zeek:type:`count`
+   :Default: ``8``
+
+
+.. zeek:id:: SSL::TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+   :source-code: base/protocols/ssl/consts.zeek 430 430
+
+   :Type: :zeek:type:`count`
+   :Default: ``6``
+
+
+.. zeek:id:: SSL::TLS_RSA_EXPORT_WITH_RC4_40_MD5
+   :source-code: base/protocols/ssl/consts.zeek 427 427
+
+   :Type: :zeek:type:`count`
+   :Default: ``3``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 536 536
+
+   :Type: :zeek:type:`count`
+   :Default: ``147``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 537 537
+
+   :Type: :zeek:type:`count`
+   :Default: ``148``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 571 571
+
+   :Type: :zeek:type:`count`
+   :Default: ``182``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 561 561
+
+   :Type: :zeek:type:`count`
+   :Default: ``172``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 538 538
+
+   :Type: :zeek:type:`count`
+   :Default: ``149``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 572 572
+
+   :Type: :zeek:type:`count`
+   :Default: ``183``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 562 562
+
+   :Type: :zeek:type:`count`
+   :Default: ``173``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 711 711
+
+   :Type: :zeek:type:`count`
+   :Default: ``49256``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 717 717
+
+   :Type: :zeek:type:`count`
+   :Default: ``49262``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 712 712
+
+   :Type: :zeek:type:`count`
+   :Default: ``49257``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 718 718
+
+   :Type: :zeek:type:`count`
+   :Default: ``49263``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 760 760
+
+   :Type: :zeek:type:`count`
+   :Default: ``49304``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 754 754
+
+   :Type: :zeek:type:`count`
+   :Default: ``49298``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 761 761
+
+   :Type: :zeek:type:`count`
+   :Default: ``49305``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 755 755
+
+   :Type: :zeek:type:`count`
+   :Default: ``49299``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 813 813
+
+   :Type: :zeek:type:`count`
+   :Default: ``52398``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_NULL_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 573 573
+
+   :Type: :zeek:type:`count`
+   :Default: ``184``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_NULL_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 574 574
+
+   :Type: :zeek:type:`count`
+   :Default: ``185``
+
+
+.. zeek:id:: SSL::TLS_RSA_PSK_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 535 535
+
+   :Type: :zeek:type:`count`
+   :Default: ``146``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_3DES_EDE_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 513 513
+
+   :Type: :zeek:type:`count`
+   :Default: ``124``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 434 434
+
+   :Type: :zeek:type:`count`
+   :Default: ``10``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_128_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 514 514
+
+   :Type: :zeek:type:`count`
+   :Default: ``125``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 468 468
+
+   :Type: :zeek:type:`count`
+   :Default: ``47``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 481 481
+
+   :Type: :zeek:type:`count`
+   :Default: ``60``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_128_CCM
+   :source-code: base/protocols/ssl/consts.zeek 765 765
+
+   :Type: :zeek:type:`count`
+   :Default: ``49308``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_128_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 769 769
+
+   :Type: :zeek:type:`count`
+   :Default: ``49312``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 545 545
+
+   :Type: :zeek:type:`count`
+   :Default: ``156``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_256_CBC_RMD
+   :source-code: base/protocols/ssl/consts.zeek 515 515
+
+   :Type: :zeek:type:`count`
+   :Default: ``126``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 474 474
+
+   :Type: :zeek:type:`count`
+   :Default: ``53``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 482 482
+
+   :Type: :zeek:type:`count`
+   :Default: ``61``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_256_CCM
+   :source-code: base/protocols/ssl/consts.zeek 766 766
+
+   :Type: :zeek:type:`count`
+   :Default: ``49309``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_256_CCM_8
+   :source-code: base/protocols/ssl/consts.zeek 770 770
+
+   :Type: :zeek:type:`count`
+   :Default: ``49313``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_AES_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 546 546
+
+   :Type: :zeek:type:`count`
+   :Default: ``157``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_ARIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 667 667
+
+   :Type: :zeek:type:`count`
+   :Default: ``49212``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_ARIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 687 687
+
+   :Type: :zeek:type:`count`
+   :Default: ``49232``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_ARIA_256_CBC_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 668 668
+
+   :Type: :zeek:type:`count`
+   :Default: ``49213``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_ARIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 688 688
+
+   :Type: :zeek:type:`count`
+   :Default: ``49233``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 486 486
+
+   :Type: :zeek:type:`count`
+   :Default: ``65``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 575 575
+
+   :Type: :zeek:type:`count`
+   :Default: ``186``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 730 730
+
+   :Type: :zeek:type:`count`
+   :Default: ``49274``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 521 521
+
+   :Type: :zeek:type:`count`
+   :Default: ``132``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 581 581
+
+   :Type: :zeek:type:`count`
+   :Default: ``192``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 731 731
+
+   :Type: :zeek:type:`count`
+   :Default: ``49275``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_DES_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 433 433
+
+   :Type: :zeek:type:`count`
+   :Default: ``9``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_IDEA_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 431 431
+
+   :Type: :zeek:type:`count`
+   :Default: ``7``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_NULL_MD5
+   :source-code: base/protocols/ssl/consts.zeek 425 425
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_NULL_SHA
+   :source-code: base/protocols/ssl/consts.zeek 426 426
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_NULL_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 480 480
+
+   :Type: :zeek:type:`count`
+   :Default: ``59``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_RC4_128_MD5
+   :source-code: base/protocols/ssl/consts.zeek 428 428
+
+   :Type: :zeek:type:`count`
+   :Default: ``4``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_RC4_128_SHA
+   :source-code: base/protocols/ssl/consts.zeek 429 429
+
+   :Type: :zeek:type:`count`
+   :Default: ``5``
+
+
+.. zeek:id:: SSL::TLS_RSA_WITH_SEED_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 539 539
+
+   :Type: :zeek:type:`count`
+   :Default: ``150``
+
+
+.. zeek:id:: SSL::TLS_SHA256_SHA256
+   :source-code: base/protocols/ssl/consts.zeek 791 791
+
+   :Type: :zeek:type:`count`
+   :Default: ``49332``
+
+
+.. zeek:id:: SSL::TLS_SHA384_SHA384
+   :source-code: base/protocols/ssl/consts.zeek 792 792
+
+   :Type: :zeek:type:`count`
+   :Default: ``49333``
+
+
+.. zeek:id:: SSL::TLS_SM4_CCM_SM3
+   :source-code: base/protocols/ssl/consts.zeek 589 589
+
+   :Type: :zeek:type:`count`
+   :Default: ``199``
+
+
+.. zeek:id:: SSL::TLS_SM4_GCM_SM3
+   :source-code: base/protocols/ssl/consts.zeek 588 588
+
+   :Type: :zeek:type:`count`
+   :Default: ``198``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 634 634
+
+   :Type: :zeek:type:`count`
+   :Default: ``49180``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 637 637
+
+   :Type: :zeek:type:`count`
+   :Default: ``49183``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 640 640
+
+   :Type: :zeek:type:`count`
+   :Default: ``49186``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 633 633
+
+   :Type: :zeek:type:`count`
+   :Default: ``49179``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 636 636
+
+   :Type: :zeek:type:`count`
+   :Default: ``49182``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 639 639
+
+   :Type: :zeek:type:`count`
+   :Default: ``49185``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 632 632
+
+   :Type: :zeek:type:`count`
+   :Default: ``49178``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_WITH_AES_128_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 635 635
+
+   :Type: :zeek:type:`count`
+   :Default: ``49181``
+
+
+.. zeek:id:: SSL::TLS_SRP_SHA_WITH_AES_256_CBC_SHA
+   :source-code: base/protocols/ssl/consts.zeek 638 638
+
+   :Type: :zeek:type:`count`
+   :Default: ``49184``
+
+
+.. zeek:id:: SSL::TLSv10
+   :source-code: base/protocols/ssl/consts.zeek 6 6
+
+   :Type: :zeek:type:`count`
+   :Default: ``769``
+
+
+.. zeek:id:: SSL::TLSv11
+   :source-code: base/protocols/ssl/consts.zeek 7 7
+
+   :Type: :zeek:type:`count`
+   :Default: ``770``
+
+
+.. zeek:id:: SSL::TLSv12
+   :source-code: base/protocols/ssl/consts.zeek 8 8
+
+   :Type: :zeek:type:`count`
+   :Default: ``771``
+
+
+.. zeek:id:: SSL::TLSv13
+   :source-code: base/protocols/ssl/consts.zeek 9 9
+
+   :Type: :zeek:type:`count`
+   :Default: ``772``
+
+
+.. zeek:id:: SSL::V2_CLIENT_HELLO
+   :source-code: base/protocols/ssl/consts.zeek 45 45
+
+   :Type: :zeek:type:`count`
+   :Default: ``301``
+
+
+.. zeek:id:: SSL::V2_CLIENT_MASTER_KEY
+   :source-code: base/protocols/ssl/consts.zeek 46 46
+
+   :Type: :zeek:type:`count`
+   :Default: ``302``
+
+
+.. zeek:id:: SSL::V2_ERROR
+   :source-code: base/protocols/ssl/consts.zeek 44 44
+
+   :Type: :zeek:type:`count`
+   :Default: ``300``
+
+
+.. zeek:id:: SSL::V2_SERVER_HELLO
+   :source-code: base/protocols/ssl/consts.zeek 47 47
+
+   :Type: :zeek:type:`count`
+   :Default: ``304``
+
+
+.. zeek:id:: SSL::alert_descriptions
+   :source-code: base/protocols/ssl/consts.zeek 113 113
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [40] = "handshake_failure",
+            [45] = "certificate_expired",
+            [20] = "bad_record_mac",
+            [46] = "certificate_unknown",
+            [30] = "decompression_failure",
+            [71] = "insufficient_security",
+            [10] = "unexpected_message",
+            [21] = "decryption_failed",
+            [41] = "no_certificate",
+            [47] = "illegal_parameter",
+            [70] = "protocol_version",
+            [80] = "internal_error",
+            [50] = "decode_error",
+            [120] = "no_application_protocol",
+            [111] = "certificate_unobtainable",
+            [115] = "unknown_psk_identity",
+            [121] = "ech_required",
+            [48] = "unknown_ca",
+            [90] = "user_canceled",
+            [42] = "bad_certificate",
+            [49] = "access_denied",
+            [86] = "inappropriate_fallback",
+            [116] = "certificate_required",
+            [113] = "bad_certificate_status_response",
+            [112] = "unrecognized_name",
+            [60] = "export_restriction",
+            [22] = "record_overflow",
+            [100] = "no_renegotiation",
+            [51] = "decrypt_error",
+            [43] = "unsupported_certificate",
+            [114] = "bad_certificate_hash_value",
+            [0] = "close_notify",
+            [110] = "unsupported_extension",
+            [44] = "certificate_revoked"
+         }
+
+
+   Mapping between numeric codes and human readable strings for alert
+   descriptions.
+
+.. zeek:id:: SSL::alert_levels
+   :source-code: base/protocols/ssl/consts.zeek 74 74
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "fatal",
+            [1] = "warning"
+         }
+
+
+   Mapping between numeric codes and human readable strings for alert
+   levels.
+
+.. zeek:id:: SSL::cipher_desc
+   :source-code: base/protocols/ssl/consts.zeek 835 835
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [49279] = "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+            [53] = "TLS_RSA_WITH_AES_256_CBC_SHA",
+            [49161] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+            [198] = "TLS_SM4_GCM_SM3",
+            [49284] = "TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256",
+            [49278] = "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+            [52394] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+            [49330] = "TLS_ECCPWD_WITH_AES_128_CCM_SHA256",
+            [5815] = "TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256",
+            [49251] = "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
+            [146] = "TLS_RSA_PSK_WITH_RC4_128_SHA",
+            [1] = "TLS_RSA_WITH_NULL_MD5",
+            [35] = "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+            [102] = "TLS_DHE_DSS_WITH_RC4_128_SHA",
+            [52393] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+            [47802] = "grease_0xBABA",
+            [49410] = "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT",
+            [14] = "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+            [49198] = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+            [49239] = "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",
+            [31] = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+            [192] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+            [49283] = "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+            [49291] = "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+            [49295] = "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+            [56] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+            [49268] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+            [49281] = "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+            [49275] = "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+            [22016] = "TLS_FALLBACK_SCSV",
+            [70] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA",
+            [132] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+            [4865] = "TLS_AES_128_GCM_SHA256",
+            [49252] = "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
+            [49181] = "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
+            [49205] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+            [49307] = "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+            [161] = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+            [56026] = "grease_0xDADA",
+            [60] = "TLS_RSA_WITH_AES_128_CBC_SHA256",
+            [37] = "TLS_KRB5_WITH_IDEA_CBC_MD5",
+            [185] = "TLS_RSA_PSK_WITH_NULL_SHA384",
+            [49331] = "TLS_ECCPWD_WITH_AES_256_CCM_SHA384",
+            [65279] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
+            [49236] = "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
+            [20] = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+            [49195] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            [164] = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+            [187] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+            [49299] = "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+            [156] = "TLS_RSA_WITH_AES_128_GCM_SHA256",
+            [97] = "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
+            [21] = "TLS_DHE_RSA_WITH_DES_CBC_SHA",
+            [12] = "TLS_DH_DSS_WITH_DES_CBC_SHA",
+            [49175] = "TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA",
+            [169] = "TLS_PSK_WITH_AES_256_GCM_SHA384",
+            [155] = "TLS_DH_ANON_WITH_SEED_CBC_SHA",
+            [49159] = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+            [5817] = "TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384",
+            [150] = "TLS_RSA_WITH_SEED_CBC_SHA",
+            [131200] = "SSLv20_CK_RC4_128_EXPORT40_WITH_MD5",
+            [25] = "TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA",
+            [49256] = "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
+            [49324] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
+            [49321] = "TLS_PSK_WITH_AES_256_CCM_8",
+            [49311] = "TLS_DHE_RSA_WITH_AES_256_CCM",
+            [57] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+            [42] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+            [49193] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+            [49207] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
+            [65278] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
+            [49333] = "TLS_SHA384_SHA384",
+            [49261] = "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",
+            [108] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA256",
+            [49309] = "TLS_RSA_WITH_AES_256_CCM",
+            [40] = "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+            [141] = "TLS_PSK_WITH_AES_256_CBC_SHA",
+            [49285] = "TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384",
+            [49244] = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
+            [23] = "TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5",
+            [49246] = "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
+            [65] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+            [13] = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+            [49206] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+            [101] = "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
+            [19018] = "grease_0x4A4A",
+            [49412] = "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L",
+            [152] = "TLS_DH_RSA_WITH_SEED_CBC_SHA",
+            [120] = "TLS_DHE_RSA_WITH_AES_128_CBC_RMD",
+            [51914] = "grease_0xCACA",
+            [49172] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+            [49202] = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+            [49260] = "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",
+            [35466] = "grease_0x8A8A",
+            [49323] = "TLS_PSK_DHE_WITH_AES_256_CCM_8",
+            [100] = "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
+            [166] = "TLS_DH_ANON_WITH_AES_128_GCM_SHA256",
+            [65411] = "SSL_RSA_WITH_3DES_EDE_CBC_MD5",
+            [131] = "TLS_GOSTR341001_WITH_NULL_GOSTR3411",
+            [149] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+            [96] = "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
+            [49242] = "TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256",
+            [39] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+            [49243] = "TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384",
+            [262272] = "SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
+            [27242] = "grease_0x6A6A",
+            [41] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+            [60138] = "grease_0xEAEA",
+            [49223] = "TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384",
+            [49192] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+            [54] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+            [49264] = "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
+            [49249] = "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
+            [172] = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+            [49222] = "TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256",
+            [49267] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+            [49327] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
+            [114] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD",
+            [49230] = "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
+            [34] = "TLS_KRB5_WITH_DES_CBC_MD5",
+            [49191] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+            [49292] = "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+            [49302] = "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+            [178] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+            [49216] = "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
+            [7] = "TLS_RSA_WITH_IDEA_CBC_SHA",
+            [49194] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+            [128] = "TLS_GOSTR341094_WITH_28147_CNT_IMIT",
+            [49269] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+            [49280] = "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+            [47] = "TLS_RSA_WITH_AES_128_CBC_SHA",
+            [393280] = "SSLv20_CK_DES_64_CBC_WITH_MD5",
+            [49254] = "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
+            [49179] = "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
+            [24] = "TLS_DH_ANON_WITH_RC4_128_MD5",
+            [49301] = "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+            [69] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+            [99] = "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
+            [162] = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+            [126] = "TLS_RSA_WITH_AES_256_CBC_RMD",
+            [104] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+            [61] = "TLS_RSA_WITH_AES_256_CBC_SHA256",
+            [49409] = "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC",
+            [49258] = "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
+            [49188] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+            [49240] = "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
+            [49199] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            [49282] = "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+            [67] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+            [15] = "TLS_DH_RSA_WITH_DES_CBC_SHA",
+            [49241] = "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
+            [64] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+            [52397] = "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+            [106] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+            [49255] = "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
+            [168] = "TLS_PSK_WITH_AES_128_GCM_SHA256",
+            [49272] = "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+            [179] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+            [49163] = "TLS_ECDH_RSA_WITH_NULL_SHA",
+            [130] = "TLS_GOSTR341094_WITH_NULL_GOSTR3411",
+            [49308] = "TLS_RSA_WITH_AES_128_CCM",
+            [4866] = "TLS_AES_256_GCM_SHA384",
+            [191] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256",
+            [49211] = "TLS_ECDHE_PSK_WITH_NULL_SHA384",
+            [49215] = "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
+            [142] = "TLS_DHE_PSK_WITH_RC4_128_SHA",
+            [49209] = "TLS_ECDHE_PSK_WITH_NULL_SHA",
+            [49203] = "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
+            [65408] = "SSL_RSA_WITH_RC2_CBC_MD5",
+            [16] = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+            [165] = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+            [49186] = "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
+            [173] = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+            [49298] = "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+            [143] = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+            [14906] = "grease_0x3A3A",
+            [49270] = "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+            [125] = "TLS_RSA_WITH_AES_128_CBC_RMD",
+            [49326] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
+            [8] = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+            [49287] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+            [159] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+            [32] = "TLS_KRB5_WITH_RC4_128_SHA",
+            [138] = "TLS_PSK_WITH_RC4_128_SHA",
+            [170] = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+            [49160] = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+            [49155] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+            [49253] = "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
+            [49310] = "TLS_DHE_RSA_WITH_AES_128_CCM",
+            [49414] = "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S",
+            [49320] = "TLS_PSK_WITH_AES_128_CCM_8",
+            [49] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+            [49313] = "TLS_RSA_WITH_AES_256_CCM_8",
+            [49238] = "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",
+            [197] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256",
+            [49189] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+            [49293] = "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+            [49314] = "TLS_DHE_RSA_WITH_AES_128_CCM_8",
+            [49154] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+            [49263] = "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
+            [49274] = "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+            [49208] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
+            [49257] = "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
+            [49184] = "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
+            [49232] = "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
+            [153] = "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+            [49235] = "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
+            [28] = "SSL_FORTEZZA_KEA_WITH_NULL_SHA",
+            [43690] = "grease_0xAAAA",
+            [49229] = "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
+            [107] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+            [52] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA",
+            [49266] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+            [199] = "TLS_SM4_CCM_SM3",
+            [105] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+            [49231] = "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
+            [49178] = "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
+            [49306] = "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+            [188] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+            [196] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+            [29] = "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
+            [115] = "TLS_DHE_DSS_WITH_AES_128_CBC_RMD",
+            [49411] = "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L",
+            [176] = "TLS_PSK_WITH_NULL_SHA256",
+            [133] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+            [53253] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256",
+            [49214] = "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
+            [49413] = "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S",
+            [49182] = "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
+            [49226] = "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
+            [6682] = "grease_0x1A1A",
+            [116] = "TLS_DHE_DSS_WITH_AES_256_CBC_RMD",
+            [158] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+            [49217] = "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
+            [3] = "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+            [4870] = "TLS_AEGIS_256_SHA384",
+            [183] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
+            [49204] = "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
+            [49312] = "TLS_RSA_WITH_AES_128_CCM_8",
+            [49157] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+            [4867] = "TLS_CHACHA20_POLY1305_SHA256",
+            [49262] = "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
+            [49213] = "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
+            [66] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+            [174] = "TLS_PSK_WITH_AES_128_CBC_SHA256",
+            [49200] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            [49164] = "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+            [49218] = "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
+            [2] = "TLS_RSA_WITH_NULL_SHA",
+            [49153] = "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+            [49318] = "TLS_DHE_PSK_WITH_AES_128_CCM",
+            [49290] = "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+            [49166] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+            [163] = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+            [49245] = "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",
+            [182] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
+            [109] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA256",
+            [49332] = "TLS_SHA256_SHA256",
+            [196736] = "SSLv20_CK_RC2_128_CBC_WITH_MD5",
+            [49276] = "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+            [18] = "TLS_DHE_DSS_WITH_DES_CBC_SHA",
+            [157] = "TLS_RSA_WITH_AES_256_GCM_SHA384",
+            [0] = "TLS_NULL_WITH_NULL_NULL",
+            [137] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA",
+            [19] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+            [49187] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+            [52395] = "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
+            [52392] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+            [49171] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+            [49234] = "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
+            [65664] = "SSLv20_CK_RC4_128_WITH_MD5",
+            [49196] = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+            [184] = "TLS_RSA_PSK_WITH_NULL_SHA256",
+            [49322] = "TLS_PSK_DHE_WITH_AES_128_CCM_8",
+            [255] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
+            [59] = "TLS_RSA_WITH_NULL_SHA256",
+            [38] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+            [154] = "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+            [49286] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+            [49265] = "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
+            [98] = "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
+            [4868] = "TLS_AES_128_CCM_SHA256",
+            [43] = "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+            [49303] = "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+            [10794] = "grease_0x2A2A",
+            [49408] = "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC",
+            [49317] = "TLS_PSK_WITH_AES_256_CCM",
+            [49329] = "TLS_ECCPWD_WITH_AES_256_GCM_SHA384",
+            [23130] = "grease_0x5A5A",
+            [49197] = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+            [194] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+            [151] = "TLS_DH_DSS_WITH_SEED_CBC_SHA",
+            [6] = "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+            [145] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
+            [49210] = "TLS_ECDHE_PSK_WITH_NULL_SHA256",
+            [53250] = "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384",
+            [10] = "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+            [148] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+            [49185] = "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
+            [49233] = "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
+            [50] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+            [49316] = "TLS_PSK_WITH_AES_128_CCM",
+            [49170] = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+            [48] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+            [52398] = "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
+            [49250] = "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
+            [5] = "TLS_RSA_WITH_RC4_128_SHA",
+            [49168] = "TLS_ECDHE_RSA_WITH_NULL_SHA",
+            [53249] = "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
+            [49305] = "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+            [49156] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+            [49319] = "TLS_DHE_PSK_WITH_AES_256_CCM",
+            [49328] = "TLS_ECCPWD_WITH_AES_128_GCM_SHA256",
+            [9] = "TLS_RSA_WITH_DES_CBC_SHA",
+            [68] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+            [53251] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256",
+            [49228] = "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
+            [180] = "TLS_DHE_PSK_WITH_NULL_SHA256",
+            [4871] = "TLS_AEGIS_128L_SHA256",
+            [17] = "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+            [65505] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",
+            [119] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD",
+            [52243] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
+            [52244] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
+            [186] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+            [49315] = "TLS_DHE_RSA_WITH_AES_256_CCM_8",
+            [193] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+            [189] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+            [49225] = "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
+            [135] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+            [140] = "TLS_PSK_WITH_AES_128_CBC_SHA",
+            [129] = "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
+            [49221] = "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
+            [49288] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+            [49273] = "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+            [49271] = "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+            [49325] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
+            [49201] = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+            [175] = "TLS_PSK_WITH_AES_256_CBC_SHA384",
+            [26] = "TLS_DH_ANON_WITH_DES_CBC_SHA",
+            [181] = "TLS_DHE_PSK_WITH_NULL_SHA384",
+            [49300] = "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+            [147] = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+            [49190] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+            [49173] = "TLS_ECDH_ANON_WITH_NULL_SHA",
+            [190] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+            [5818] = "TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384",
+            [103] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+            [51] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+            [167] = "TLS_DH_ANON_WITH_AES_256_GCM_SHA384",
+            [33] = "TLS_KRB5_WITH_IDEA_CBC_SHA",
+            [171] = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+            [30] = "TLS_KRB5_WITH_DES_CBC_SHA",
+            [327808] = "SSLv20_CK_IDEA_128_CBC_WITH_MD5",
+            [177] = "TLS_PSK_WITH_NULL_SHA384",
+            [52245] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
+            [55] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+            [458944] = "SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5",
+            [49183] = "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
+            [49289] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+            [4] = "TLS_RSA_WITH_RC4_128_MD5",
+            [124] = "TLS_RSA_WITH_3DES_EDE_CBC_RMD",
+            [49158] = "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+            [5816] = "TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+            [58] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA",
+            [134] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+            [49224] = "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
+            [49174] = "TLS_ECDH_ANON_WITH_RC4_128_SHA",
+            [49169] = "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+            [49227] = "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
+            [49212] = "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
+            [63] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+            [49162] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+            [52396] = "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+            [49237] = "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
+            [11] = "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+            [39578] = "grease_0x9A9A",
+            [49176] = "TLS_ECDH_ANON_WITH_AES_128_CBC_SHA",
+            [22] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+            [2570] = "grease_0x0A0A",
+            [64250] = "grease_0xFAFA",
+            [144] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+            [136] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+            [49294] = "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+            [65409] = "SSL_RSA_WITH_IDEA_CBC_MD5",
+            [65504] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2",
+            [36] = "TLS_KRB5_WITH_RC4_128_MD5",
+            [49180] = "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
+            [31354] = "grease_0x7A7A",
+            [27] = "TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA",
+            [195] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+            [4869] = "TLS_AES_128_CCM_8_SHA256",
+            [53252] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256_OLD",
+            [49296] = "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+            [49248] = "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
+            [62] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+            [160] = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+            [139] = "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+            [49259] = "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
+            [49219] = "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
+            [49247] = "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
+            [49297] = "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+            [121] = "TLS_DHE_RSA_WITH_AES_256_CBC_RMD",
+            [49165] = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+            [49277] = "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+            [49220] = "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
+            [49167] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+            [49177] = "TLS_ECDH_ANON_WITH_AES_256_CBC_SHA",
+            [49304] = "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+            [65410] = "SSL_RSA_WITH_DES_CBC_MD5"
+         }
+
+
+   This is a table of all known cipher specs.  It can be used for
+   detecting unknown ciphers and for converting the cipher spec
+   constants into a human readable format.
+
+.. zeek:id:: SSL::ec_curves
+   :source-code: base/protocols/ssl/consts.zeek 326 326
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [19] = "secp192r1",
+            [20] = "secp224k1",
+            [259] = "ffdhe6144",
+            [33] = "brainpoolP512r1tls13",
+            [39] = "GC512B",
+            [30] = "x448",
+            [15] = "secp160k1",
+            [513] = "MLKEM768",
+            [28] = "brainpoolP512r1",
+            [43690] = "grease_0xAAAA",
+            [9] = "sect283k1",
+            [27242] = "grease_0x6A6A",
+            [21] = "secp224r1",
+            [4] = "sect193r1",
+            [12] = "sect409r1",
+            [41] = "curveSM2",
+            [60138] = "grease_0xEAEA",
+            [17] = "secp160r2",
+            [25] = "secp521r1",
+            [65281] = "arbitrary_explicit_prime_curves",
+            [29] = "x25519",
+            [16] = "secp160r1",
+            [25497] = "X25519Kyber768Draft00",
+            [512] = "MLKEM512",
+            [38] = "GC512A",
+            [16696] = "CECPQ2",
+            [1] = "sect163k1",
+            [6682] = "grease_0x1A1A",
+            [11] = "sect409k1",
+            [39578] = "grease_0x9A9A",
+            [35] = "GC256B",
+            [22] = "secp256k1",
+            [256] = "ffdhe2048",
+            [2570] = "grease_0x0A0A",
+            [257] = "ffdhe3072",
+            [14906] = "grease_0x3A3A",
+            [64250] = "grease_0xFAFA",
+            [47802] = "grease_0xBABA",
+            [3] = "sect163r2",
+            [10794] = "grease_0x2A2A",
+            [25498] = "SecP256r1Kyber768Draft00",
+            [23130] = "grease_0x5A5A",
+            [34] = "GC256A",
+            [4588] = "X25519MLKEM768",
+            [40] = "GC512C",
+            [36] = "GC256C",
+            [6] = "sect233k1",
+            [14] = "sect571r1",
+            [31354] = "grease_0x7A7A",
+            [31] = "brainpoolP256r1tls13",
+            [8] = "sect239k1",
+            [23] = "secp256r1",
+            [27] = "brainpoolP384r1",
+            [260] = "ffdhe8192",
+            [7] = "sect233r1",
+            [10] = "sect283r1",
+            [32] = "brainpoolP384r1tls13",
+            [13] = "sect571k1",
+            [26] = "brainpoolP256r1",
+            [19018] = "grease_0x4A4A",
+            [514] = "MLKEM1024",
+            [51914] = "grease_0xCACA",
+            [2] = "sect163r1",
+            [65282] = "arbitrary_explicit_char2_curves",
+            [24] = "secp384r1",
+            [35466] = "grease_0x8A8A",
+            [258] = "ffdhe4096",
+            [5] = "sect193r2",
+            [56026] = "grease_0xDADA",
+            [37] = "GC256D",
+            [18] = "secp192k1",
+            [4589] = "SecP384r1MLKEM1024",
+            [4587] = "SecP256r1MLKEM768"
+         }
+
+
+   Mapping between numeric codes and human readable string for SSL/TLS elliptic curves.
+
+.. zeek:id:: SSL::ec_point_formats
+   :source-code: base/protocols/ssl/consts.zeek 408 408
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [0] = "uncompressed",
+            [2] = "ansiX962_compressed_char2",
+            [1] = "ansiX962_compressed_prime"
+         }
+
+
+   Mapping between numeric codes and human readable string for SSL/TLS EC point formats.
+
+.. zeek:id:: SSL::extensions
+   :source-code: base/protocols/ssl/consts.zeek 231 231
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [19] = "client_certificate_type",
+            [20] = "server_certificate_type",
+            [33] = "tls_cert_with_extern_psk",
+            [39] = "supported_ekt_ciphers",
+            [64768] = "ech_outer_extensions",
+            [46] = "TicketEarlyDataInfo",
+            [15] = "heartbeat",
+            [30] = "pwd_clear",
+            [28] = "record_size_limit",
+            [35655] = "padding",
+            [43690] = "grease_0xAAAA",
+            [9] = "cert_type",
+            [53] = "connection_id_deprecated",
+            [55] = "external_id_hash",
+            [27242] = "grease_0x6A6A",
+            [52] = "transparency_info",
+            [21] = "padding",
+            [4] = "truncated_hmac",
+            [12] = "srp",
+            [41] = "pre_shared_key",
+            [13180] = "encrypted_client_certificates",
+            [60138] = "grease_0xEAEA",
+            [58] = "ticket_request",
+            [17] = "status_request_v2",
+            [13175] = "origin_bound_certificates",
+            [30032] = "channel_id_new",
+            [25] = "cached_info",
+            [65281] = "renegotiation_info",
+            [29] = "pwd_protect",
+            [16] = "application_layer_protocol_negotiation",
+            [59] = "dnssec_chain",
+            [38] = "TLMSP_delegate",
+            [54] = "connection_id",
+            [42] = "early_data",
+            [57] = "quic_transport_parameters",
+            [1] = "max_fragment_length",
+            [6682] = "grease_0x1A1A",
+            [11] = "ec_point_formats",
+            [39578] = "grease_0x9A9A",
+            [35] = "SessionTicket TLS",
+            [22] = "encrypt_then_mac",
+            [2570] = "grease_0x0A0A",
+            [43] = "supported_versions",
+            [14906] = "grease_0x3A3A",
+            [64250] = "grease_0xFAFA",
+            [47802] = "grease_0xBABA",
+            [10794] = "grease_0x2A2A",
+            [3] = "trusted_ca_keys",
+            [44] = "cookie",
+            [23130] = "grease_0x5A5A",
+            [17513] = "application_setting",
+            [34] = "delegated_credential",
+            [45] = "psk_key_exchange_modes",
+            [40] = "key_share_old",
+            [36] = "TLMSP",
+            [14] = "use_srtp",
+            [6] = "user_mapping",
+            [31354] = "grease_0x7A7A",
+            [31] = "password_salt",
+            [23] = "extended_master_secret",
+            [8] = "server_authz",
+            [27] = "compress_certificate",
+            [56] = "external_session_id",
+            [13172] = "next_protocol_negotiation",
+            [7] = "client_authz",
+            [10] = "supported_groups",
+            [32] = "ticket_pinning",
+            [13] = "signature_algorithms",
+            [26] = "tls_lts",
+            [30031] = "channel_id",
+            [62] = "tls_flags",
+            [19018] = "grease_0x4A4A",
+            [47] = "certificate_authorities",
+            [50] = "signature_algorithms_cert",
+            [51914] = "grease_0xCACA",
+            [2] = "client_certificate_url",
+            [48] = "oid_filters",
+            [24] = "token_binding",
+            [35466] = "grease_0x8A8A",
+            [49] = "post_handshake_auth",
+            [5] = "status_request",
+            [65037] = "encrypted_client_hello",
+            [56026] = "grease_0xDADA",
+            [61] = "rrc",
+            [60] = "sequence_number_encryption_algorithms",
+            [51] = "key_share",
+            [37] = "TLMSP_proxying",
+            [18] = "signed_certificate_timestamp",
+            [0] = "server_name"
+         }
+
+
+   Mapping between numeric codes and human readable strings for SSL/TLS
+   extensions.
+
+.. zeek:id:: SSL::hash_algorithms
+   :source-code: base/protocols/ssl/consts.zeek 81 81
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "sha1",
+            [8] = "Intrinsic",
+            [5] = "sha384",
+            [3] = "sha224",
+            [0] = "none",
+            [6] = "sha512",
+            [4] = "sha256",
+            [1] = "md5"
+         }
+
+
+   Mapping between numeric codes and human readable strings for hash
+   algorithms.
+
+.. zeek:id:: SSL::signature_algorithms
+   :source-code: base/protocols/ssl/consts.zeek 94 94
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "dsa",
+            [11] = "rsa_pss_sha512",
+            [5] = "rsa_pss_sha384",
+            [7] = "ed25519",
+            [10] = "rsa_pss_sha384",
+            [6] = "rsa_pss_sha512",
+            [4] = "rsa_pss_sha256",
+            [65] = "gostr34102012_256",
+            [64] = "gostr34102012_256",
+            [8] = "ed448",
+            [3] = "ecdsa",
+            [0] = "anonymous",
+            [9] = "rsa_pss_sha256",
+            [1] = "rsa"
+         }
+
+
+   Mapping between numeric codes and human readable strings for signature
+   algorithms.
+
+.. zeek:id:: SSL::version_strings
+   :source-code: base/protocols/ssl/consts.zeek 17 17
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [769] = "TLSv10",
+            [65279] = "DTLSv10",
+            [768] = "SSLv3",
+            [770] = "TLSv11",
+            [772] = "TLSv13",
+            [2] = "SSLv2",
+            [65276] = "DTLSv13",
+            [771] = "TLSv12",
+            [65277] = "DTLSv12"
+         }
+
+
+   Mapping between the constants and string values for SSL/TLS versions.
+
+
diff --git a/doc/scripts/base/protocols/ssl/ct-list.zeek.rst b/doc/scripts/base/protocols/ssl/ct-list.zeek.rst
new file mode 100644
index 0000000000..9a9819bf89
--- /dev/null
+++ b/doc/scripts/base/protocols/ssl/ct-list.zeek.rst
@@ -0,0 +1,22 @@
+:tocdepth: 3
+
+base/protocols/ssl/ct-list.zeek
+===============================
+.. zeek:namespace:: SSL
+
+
+:Namespace: SSL
+:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=============================================================== =
+:zeek:id:`SSL::ct_logs`: :zeek:type:`table` :zeek:attr:`&redef` 
+=============================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/ssl/files.zeek.rst b/doc/scripts/base/protocols/ssl/files.zeek.rst
new file mode 100644
index 0000000000..464dc5cbb7
--- /dev/null
+++ b/doc/scripts/base/protocols/ssl/files.zeek.rst
@@ -0,0 +1,118 @@
+:tocdepth: 3
+
+base/protocols/ssl/files.zeek
+=============================
+.. zeek:namespace:: SSL
+
+
+:Namespace: SSL
+:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/ssl/main.zeek </scripts/base/protocols/ssl/main.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+==================================================================================================== ==============================================================
+:zeek:id:`SSL::log_include_client_certificate_subject_issuer`: :zeek:type:`bool` :zeek:attr:`&redef` Set this to true to include the client certificate subject
+                                                                                                     and issuer in the SSL logfile.
+:zeek:id:`SSL::log_include_server_certificate_subject_issuer`: :zeek:type:`bool` :zeek:attr:`&redef` Set this to true to include the server certificate subject and
+                                                                                                     issuer from the SSL log file.
+==================================================================================================== ==============================================================
+
+Redefinitions
+#############
+=========================================== ============================================================================================================
+:zeek:type:`SSL::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`SSL::Info`
+                                            
+                                              cert_chain: :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
+                                                Chain of certificates offered by the server to validate its
+                                                complete signing chain.
+                                            
+                                              cert_chain_fps: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                An ordered vector of all certificate fingerprints for the
+                                                certificates offered by the server.
+                                            
+                                              client_cert_chain: :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
+                                                Chain of certificates offered by the client to validate its
+                                                complete signing chain.
+                                            
+                                              client_cert_chain_fps: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                An ordered vector of all certificate fingerprints for the
+                                                certificates offered by the client.
+                                            
+                                              subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Subject of the X.509 certificate offered by the server.
+                                            
+                                              issuer: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Issuer of the signer of the X.509 certificate offered by the
+                                                server.
+                                            
+                                              client_subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Subject of the X.509 certificate offered by the client.
+                                            
+                                              client_issuer: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Subject of the signer of the X.509 certificate offered by the
+                                                client.
+                                            
+                                              sni_matches_cert: :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Set to true if the hostname sent in the SNI matches the certificate.
+                                            
+                                              server_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                Current number of certificates seen from either side.
+                                            
+                                              client_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+=========================================== ============================================================================================================
+
+Functions
+#########
+====================================================== =====================================
+:zeek:id:`SSL::describe_file`: :zeek:type:`function`   Default file describer for SSL.
+:zeek:id:`SSL::get_file_handle`: :zeek:type:`function` Default file handle provider for SSL.
+====================================================== =====================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: SSL::log_include_client_certificate_subject_issuer
+   :source-code: base/protocols/ssl/files.zeek 17 17
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Set this to true to include the client certificate subject
+   and issuer in the SSL logfile. This information is rarely present
+   and probably only interesting in very specific circumstances
+
+.. zeek:id:: SSL::log_include_server_certificate_subject_issuer
+   :source-code: base/protocols/ssl/files.zeek 12 12
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Set this to true to include the server certificate subject and
+   issuer from the SSL log file. This information is still available
+   in x509.log.
+
+Functions
+#########
+.. zeek:id:: SSL::describe_file
+   :source-code: base/protocols/ssl/files.zeek 74 95
+
+   :Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
+
+   Default file describer for SSL.
+
+.. zeek:id:: SSL::get_file_handle
+   :source-code: base/protocols/ssl/files.zeek 68 72
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+   Default file handle provider for SSL.
+
+
diff --git a/doc/scripts/base/protocols/ssl/index.rst b/doc/scripts/base/protocols/ssl/index.rst
new file mode 100644
index 0000000000..c005811508
--- /dev/null
+++ b/doc/scripts/base/protocols/ssl/index.rst
@@ -0,0 +1,27 @@
+:orphan:
+
+Package: base/protocols/ssl
+===========================
+
+Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
+
+:doc:`/scripts/base/protocols/ssl/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/ssl/consts.zeek`
+
+
+:doc:`/scripts/base/protocols/ssl/main.zeek`
+
+   Base SSL analysis script.  This script logs information about the SSL/TLS
+   handshaking and encryption establishment process.
+
+:doc:`/scripts/base/protocols/ssl/mozilla-ca-list.zeek`
+
+
+:doc:`/scripts/base/protocols/ssl/ct-list.zeek`
+
+
+:doc:`/scripts/base/protocols/ssl/files.zeek`
+
+
diff --git a/doc/scripts/base/protocols/ssl/main.zeek.rst b/doc/scripts/base/protocols/ssl/main.zeek.rst
new file mode 100644
index 0000000000..f3e028d0af
--- /dev/null
+++ b/doc/scripts/base/protocols/ssl/main.zeek.rst
@@ -0,0 +1,756 @@
+:tocdepth: 3
+
+base/protocols/ssl/main.zeek
+============================
+.. zeek:namespace:: SSL
+
+Base SSL analysis script.  This script logs information about the SSL/TLS
+handshaking and encryption establishment process.
+
+:Namespace: SSL
+:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/ssl/consts.zeek </scripts/base/protocols/ssl/consts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================= ===============================================================
+:zeek:id:`SSL::ct_logs`: :zeek:type:`table` :zeek:attr:`&redef`                         The Certificate Transparency log bundle.
+:zeek:id:`SSL::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef` If true, detach the SSL analyzer from the connection to prevent
+                                                                                        continuing to process encrypted traffic.
+:zeek:id:`SSL::max_ssl_history_length`: :zeek:type:`count` :zeek:attr:`&redef`          Maximum length of the ssl_history field to prevent unbounded
+                                                                                        growth when the parser is running into unexpected situations.
+======================================================================================= ===============================================================
+
+Redefinable Options
+###################
+================================================================== ===========================
+:zeek:id:`SSL::root_certs`: :zeek:type:`table` :zeek:attr:`&redef` The default root CA bundle.
+================================================================== ===========================
+
+Types
+#####
+============================================= ============================================================
+:zeek:type:`SSL::CTInfo`: :zeek:type:`record` The record type which contains the field for the Certificate
+                                              Transparency log bundle.
+:zeek:type:`SSL::Info`: :zeek:type:`record`   The record type which contains the fields of the SSL log.
+============================================= ============================================================
+
+Redefinitions
+#############
+==================================================================== =============================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`SSL::LOG`
+:zeek:type:`SSL::Info`: :zeek:type:`record`                          
+                                                                     
+                                                                     :New Fields: :zeek:type:`SSL::Info`
+                                                                     
+                                                                       delay_tokens: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       ssl: :zeek:type:`SSL::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =============================================================================
+
+Events
+######
+=========================================== =================================================
+:zeek:id:`SSL::log_ssl`: :zeek:type:`event` Event that can be handled to access the SSL
+                                            record as it is sent on to the logging framework.
+=========================================== =================================================
+
+Hooks
+#####
+============================================================ ====================================================================
+:zeek:id:`SSL::finalize_ssl`: :zeek:type:`Conn::RemovalHook` SSL finalization hook.
+:zeek:id:`SSL::log_policy`: :zeek:type:`Log::PolicyHook`     
+:zeek:id:`SSL::ssl_finishing`: :zeek:type:`hook`             Hook that can be used to perform actions right before the log record
+                                                             is written.
+============================================================ ====================================================================
+
+Functions
+#########
+================================================== ====================================================================
+:zeek:id:`SSL::delay_log`: :zeek:type:`function`   Delays an SSL record for a specific token: the record will not be
+                                                   logged as long as the token exists or until 15 seconds elapses.
+:zeek:id:`SSL::undelay_log`: :zeek:type:`function` Undelays an SSL record for a previously inserted token, allowing the
+                                                   record to be logged.
+================================================== ====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SSL::ct_logs
+   :source-code: base/protocols/ssl/main.zeek 139 139
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`SSL::CTInfo`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+   :Redefinition: from :doc:`/scripts/base/protocols/ssl/ct-list.zeek`
+
+      << Value omitted due to ``@docs_omit_value`` annotation >>
+
+   The Certificate Transparency log bundle. By default, the ct-list.zeek
+   script sets this to the current list of known logs. Entries
+   are indexed by (binary) log-id.
+
+.. zeek:id:: SSL::disable_analyzer_after_detection
+   :source-code: base/protocols/ssl/main.zeek 144 144
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+   :Redefinition: from :doc:`/scripts/policy/protocols/ssl/decryption.zeek`
+
+      ``=``::
+
+         F
+
+   :Redefinition: from :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek`
+
+      ``=``::
+
+         F
+
+
+   If true, detach the SSL analyzer from the connection to prevent
+   continuing to process encrypted traffic. Helps with performance
+   (especially with large file transfers).
+
+.. zeek:id:: SSL::max_ssl_history_length
+   :source-code: base/protocols/ssl/main.zeek 148 148
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   Maximum length of the ssl_history field to prevent unbounded
+   growth when the parser is running into unexpected situations.
+
+Redefinable Options
+###################
+.. zeek:id:: SSL::root_certs
+   :source-code: base/protocols/ssl/main.zeek 119 119
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+   :Redefinition: from :doc:`/scripts/base/protocols/ssl/mozilla-ca-list.zeek`
+
+      << Value omitted due to ``@docs_omit_value`` annotation >>
+
+   The default root CA bundle.  By default, the mozilla-ca-list.zeek
+   script sets this to Mozilla's root CA list.
+
+Types
+#####
+.. zeek:type:: SSL::CTInfo
+   :source-code: base/protocols/ssl/main.zeek 123 134
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: description :zeek:type:`string`
+
+      Description of the Log
+
+
+   .. zeek:field:: operator :zeek:type:`string`
+
+      Operator of the Log
+
+
+   .. zeek:field:: key :zeek:type:`string`
+
+      Public key of the Log.
+
+
+   .. zeek:field:: maximum_merge_delay :zeek:type:`count`
+
+      Maximum merge delay of the Log
+
+
+   .. zeek:field:: url :zeek:type:`string`
+
+      URL of the Log
+
+
+   The record type which contains the field for the Certificate
+   Transparency log bundle.
+
+.. zeek:type:: SSL::Info
+   :source-code: base/protocols/ssl/main.zeek 16 115
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Time when the SSL connection was first detected.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: version_num :zeek:type:`count` :zeek:attr:`&optional`
+
+      Numeric SSL/TLS version that the server chose.
+
+
+   .. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      SSL/TLS version that the server chose.
+
+
+   .. zeek:field:: cipher :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      SSL/TLS cipher suite that the server chose.
+
+
+   .. zeek:field:: curve :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Elliptic curve the server chose when using ECDH/ECDHE.
+
+
+   .. zeek:field:: server_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Value of the Server Name Indicator SSL/TLS extension.  It
+      indicates the server name that the client was requesting.
+
+
+   .. zeek:field:: session_id :zeek:type:`string` :zeek:attr:`&optional`
+
+      Session ID offered by the client for session resumption.
+      Not used for logging.
+
+
+   .. zeek:field:: resumed :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Flag to indicate if the session was resumed reusing
+      the key material exchanged in an earlier connection.
+
+
+   .. zeek:field:: client_ticket_empty_session_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Flag to indicate if we saw a non-empty session ticket being
+      sent by the client using an empty session ID. This value
+      is used to determine if a session is being resumed. It's
+      not logged.
+
+
+   .. zeek:field:: client_key_exchange_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Flag to indicate if we saw a client key exchange message sent
+      by the client. This value is used to determine if a session
+      is being resumed. It's not logged.
+
+
+   .. zeek:field:: client_psk_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Track if the client sent a pre-shared-key extension.
+      Used to determine if a TLS 1.3 session is being resumed.
+      Not logged.
+
+
+   .. zeek:field:: last_alert :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Last alert that was seen during the connection.
+
+
+   .. zeek:field:: next_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Next protocol the server chose using the application layer
+      next protocol extension, if present.
+
+
+   .. zeek:field:: analyzer_id :zeek:type:`count` :zeek:attr:`&optional`
+
+      The analyzer ID used for the analyzer instance attached
+      to each connection.  It is not used for logging since it's a
+      meaningless arbitrary number.
+
+
+   .. zeek:field:: established :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Flag to indicate if this ssl session has been established
+      successfully, or if it was aborted during the handshake.
+
+
+   .. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Flag to indicate if this record already has been logged, to
+      prevent duplicates.
+
+
+   .. zeek:field:: hrr_seen :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Flag to indicate that we have seen a Hello Retry request message.
+      Used internally for ssl_history logging
+
+
+   .. zeek:field:: ssl_history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      SSL history showing which types of packets we received in which order.
+      Letters have the following meaning with client-sent letters being capitalized:
+      
+      A direction flip occurs when the client hello packet is not sent from the originator
+      of a connection. This can, e.g., occur when DTLS is used in a connection that was
+      set up using STUN.
+      
+      ======  ====================================================
+      Letter  Meaning
+      ======  ====================================================
+      ^       direction flipped
+      H       hello_request
+      C       client_hello
+      S       server_hello
+      V       hello_verify_request
+      T       NewSessionTicket
+      X       certificate
+      K       server_key_exchange
+      R       certificate_request
+      N       server_hello_done
+      Y       certificate_verify
+      G       client_key_exchange
+      F       finished
+      W       certificate_url
+      U       certificate_status
+      A       supplemental_data
+      Z       unassigned_handshake_type
+      I       change_cipher_spec
+      B       heartbeat
+      D       application_data
+      E       end_of_early_data
+      O       encrypted_extensions
+      P       key_update
+      M       message_hash
+      J       hello_retry_request
+      L       alert
+      Q       unknown_content_type
+      ======  ====================================================
+      
+
+
+   .. zeek:field:: delay_tokens :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
+
+
+   .. zeek:field:: cert_chain :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      Chain of certificates offered by the server to validate its
+      complete signing chain.
+
+
+   .. zeek:field:: cert_chain_fps :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      An ordered vector of all certificate fingerprints for the
+      certificates offered by the server.
+
+
+   .. zeek:field:: client_cert_chain :zeek:type:`vector` of :zeek:type:`Files::Info` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      Chain of certificates offered by the client to validate its
+      complete signing chain.
+
+
+   .. zeek:field:: client_cert_chain_fps :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      An ordered vector of all certificate fingerprints for the
+      certificates offered by the client.
+
+
+   .. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      Subject of the X.509 certificate offered by the server.
+
+
+   .. zeek:field:: issuer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      Issuer of the signer of the X.509 certificate offered by the
+      server.
+
+
+   .. zeek:field:: client_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      Subject of the X.509 certificate offered by the client.
+
+
+   .. zeek:field:: client_issuer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      Subject of the signer of the X.509 certificate offered by the
+      client.
+
+
+   .. zeek:field:: sni_matches_cert :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      Set to true if the hostname sent in the SNI matches the certificate.
+      Set to false if they do not match. Unset if the client did not send
+      an SNI.
+
+
+   .. zeek:field:: server_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+      Current number of certificates seen from either side. Used
+      to create file handles.
+
+
+   .. zeek:field:: client_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/base/protocols/ssl/files.zeek` is loaded)
+
+
+   .. zeek:field:: always_raise_x509_events :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek` is loaded)
+
+      Set to true to force certificate events to always be raised for this connection.
+
+
+   .. zeek:field:: requested_client_certificate_authorities :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/certificate-request-info.zeek` is loaded)
+
+      List of client certificate CAs accepted by the server
+
+
+   .. zeek:field:: client_random :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/decryption.zeek` is loaded)
+
+
+   .. zeek:field:: last_originator_heartbeat_request_size :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+   .. zeek:field:: last_responder_heartbeat_request_size :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+   .. zeek:field:: originator_heartbeats :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+   .. zeek:field:: responder_heartbeats :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+   .. zeek:field:: heartbleed_detected :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+   .. zeek:field:: enc_appdata_packages :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+   .. zeek:field:: enc_appdata_bytes :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/heartbleed.zeek` is loaded)
+
+
+   .. zeek:field:: server_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Numeric version of the server in the server hello
+
+
+   .. zeek:field:: client_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Numeric version of the client in the client hello
+
+
+   .. zeek:field:: client_ciphers :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Ciphers that were offered by the client for the connection
+
+
+   .. zeek:field:: ssl_client_exts :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      SSL Client extensions
+
+
+   .. zeek:field:: ssl_server_exts :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      SSL server extensions
+
+
+   .. zeek:field:: ticket_lifetime_hint :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Suggested ticket lifetime sent in the session ticket handshake
+      by the server.
+
+
+   .. zeek:field:: dh_param_size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      The diffie helman parameter size, when using DH.
+
+
+   .. zeek:field:: point_formats :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      supported elliptic curve point formats
+
+
+   .. zeek:field:: client_curves :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      The curves supported by the client.
+
+
+   .. zeek:field:: orig_alpn :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Application layer protocol negotiation extension sent by the client.
+
+
+   .. zeek:field:: client_supported_versions :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      TLS 1.3 supported versions
+
+
+   .. zeek:field:: server_supported_version :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      TLS 1.3 supported versions
+
+
+   .. zeek:field:: psk_key_exchange_modes :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      TLS 1.3 Pre-shared key exchange modes
+
+
+   .. zeek:field:: client_key_share_groups :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Key share groups from client hello
+
+
+   .. zeek:field:: server_key_share_group :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Selected key share group from server hello
+
+
+   .. zeek:field:: client_comp_methods :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Client supported compression methods
+
+
+   .. zeek:field:: comp_method :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Server chosen compression method
+
+
+   .. zeek:field:: sigalgs :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Client supported signature algorithms
+
+
+   .. zeek:field:: hashalgs :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/ssl-log-ext.zeek` is loaded)
+
+      Client supported hash algorithms
+
+
+   .. zeek:field:: validation_status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
+
+      Result of certificate validation for this connection.
+
+
+   .. zeek:field:: validation_code :zeek:type:`int` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
+
+      Result of certificate validation for this connection, given
+      as OpenSSL validation code.
+
+
+   .. zeek:field:: valid_chain :zeek:type:`vector` of :zeek:type:`opaque` of x509 :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-certs.zeek` is loaded)
+
+      Ordered chain of validated certificate, if validation succeeded.
+
+
+   .. zeek:field:: ocsp_status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-ocsp.zeek` is loaded)
+
+      Result of ocsp validation for this connection.
+
+
+   .. zeek:field:: ocsp_response :zeek:type:`string` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-ocsp.zeek` is loaded)
+
+      ocsp response as string.
+
+
+   .. zeek:field:: valid_scts :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
+
+      Number of valid SCTs that were encountered in the connection.
+
+
+   .. zeek:field:: invalid_scts :zeek:type:`count` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
+
+      Number of SCTs that could not be validated that were encountered in the connection.
+
+
+   .. zeek:field:: valid_ct_logs :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
+
+      Number of different Logs for which valid SCTs were encountered in the connection.
+
+
+   .. zeek:field:: valid_ct_operators :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
+
+      Number of different Log operators of which valid SCTs were encountered in the connection.
+
+
+   .. zeek:field:: valid_ct_operators_list :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
+
+      List of operators for which valid SCTs were encountered in the connection.
+
+
+   .. zeek:field:: ct_proofs :zeek:type:`vector` of :zeek:type:`SSL::SctInfo` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek` is loaded)
+
+      Information about all SCTs that were encountered in the connection.
+
+
+   The record type which contains the fields of the SSL log.
+
+Events
+######
+.. zeek:id:: SSL::log_ssl
+   :source-code: base/protocols/ssl/main.zeek 160 160
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`SSL::Info`)
+
+   Event that can be handled to access the SSL
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: SSL::finalize_ssl
+   :source-code: base/protocols/ssl/main.zeek 517 527
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   SSL finalization hook.  Remaining SSL info may get logged when it's called.
+   The :zeek:see:`SSL::ssl_finishing` hook may either
+   be called before this finalization hook for established SSL connections
+   or during this finalization hook for SSL connections may have info still
+   left to log.
+
+.. zeek:id:: SSL::log_policy
+   :source-code: base/protocols/ssl/main.zeek 13 13
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+.. zeek:id:: SSL::ssl_finishing
+   :source-code: base/protocols/ssl/main.zeek 164 164
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`connection`) : :zeek:type:`bool`
+
+   Hook that can be used to perform actions right before the log record
+   is written.
+
+Functions
+#########
+.. zeek:id:: SSL::delay_log
+   :source-code: base/protocols/ssl/main.zeek 227 232
+
+   :Type: :zeek:type:`function` (info: :zeek:type:`SSL::Info`, token: :zeek:type:`string`) : :zeek:type:`void`
+
+   Delays an SSL record for a specific token: the record will not be
+   logged as long as the token exists or until 15 seconds elapses.
+
+.. zeek:id:: SSL::undelay_log
+   :source-code: base/protocols/ssl/main.zeek 234 238
+
+   :Type: :zeek:type:`function` (info: :zeek:type:`SSL::Info`, token: :zeek:type:`string`) : :zeek:type:`void`
+
+   Undelays an SSL record for a previously inserted token, allowing the
+   record to be logged.
+
+
diff --git a/doc/scripts/base/protocols/ssl/mozilla-ca-list.zeek.rst b/doc/scripts/base/protocols/ssl/mozilla-ca-list.zeek.rst
new file mode 100644
index 0000000000..279da5fd3f
--- /dev/null
+++ b/doc/scripts/base/protocols/ssl/mozilla-ca-list.zeek.rst
@@ -0,0 +1,22 @@
+:tocdepth: 3
+
+base/protocols/ssl/mozilla-ca-list.zeek
+=======================================
+.. zeek:namespace:: SSL
+
+
+:Namespace: SSL
+:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+================================================================== =
+:zeek:id:`SSL::root_certs`: :zeek:type:`table` :zeek:attr:`&redef` 
+================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/syslog/__load__.zeek.rst b/doc/scripts/base/protocols/syslog/__load__.zeek.rst
new file mode 100644
index 0000000000..071cbe15e4
--- /dev/null
+++ b/doc/scripts/base/protocols/syslog/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/syslog/__load__.zeek
+===================================
+
+
+:Imports: :doc:`base/protocols/syslog/consts.zeek </scripts/base/protocols/syslog/consts.zeek>`, :doc:`base/protocols/syslog/main.zeek </scripts/base/protocols/syslog/main.zeek>`, :doc:`base/protocols/syslog/spicy-events.zeek </scripts/base/protocols/syslog/spicy-events.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/syslog/consts.zeek.rst b/doc/scripts/base/protocols/syslog/consts.zeek.rst
new file mode 100644
index 0000000000..b59498ebc2
--- /dev/null
+++ b/doc/scripts/base/protocols/syslog/consts.zeek.rst
@@ -0,0 +1,89 @@
+:tocdepth: 3
+
+base/protocols/syslog/consts.zeek
+=================================
+.. zeek:namespace:: Syslog
+
+Constants definitions for syslog.
+
+:Namespace: Syslog
+
+Summary
+~~~~~~~
+Constants
+#########
+=================================================================================================== ======================================================================
+:zeek:id:`Syslog::facility_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Mapping between the constants and string values for syslog facilities.
+:zeek:id:`Syslog::severity_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Mapping between the constants and string values for syslog severities.
+=================================================================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: Syslog::facility_codes
+   :source-code: base/protocols/syslog/consts.zeek 7 7
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [19] = "LOCAL3",
+            [2] = "MAIL",
+            [20] = "LOCAL4",
+            [14] = "ALERT",
+            [15] = "CLOCK",
+            [6] = "LPR",
+            [16] = "LOCAL0",
+            [8] = "UUCP",
+            [23] = "LOCAL7",
+            [9] = "CRON",
+            [1] = "USER",
+            [11] = "FTP",
+            [999] = "UNSPECIFIED",
+            [5] = "SYSLOG",
+            [7] = "NEWS",
+            [21] = "LOCAL5",
+            [10] = "AUTHPRIV",
+            [22] = "LOCAL6",
+            [4] = "AUTH",
+            [12] = "NTP",
+            [13] = "AUDIT",
+            [18] = "LOCAL2",
+            [3] = "DAEMON",
+            [17] = "LOCAL1",
+            [0] = "KERN"
+         }
+
+
+   Mapping between the constants and string values for syslog facilities.
+
+.. zeek:id:: Syslog::severity_codes
+   :source-code: base/protocols/syslog/consts.zeek 36 36
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function`
+   :Default:
+
+      ::
+
+         {
+            [2] = "CRIT",
+            [999] = "UNSPECIFIED",
+            [5] = "NOTICE",
+            [7] = "DEBUG",
+            [3] = "ERR",
+            [0] = "EMERG",
+            [6] = "INFO",
+            [4] = "WARNING",
+            [1] = "ALERT"
+         }
+
+
+   Mapping between the constants and string values for syslog severities.
+
+
diff --git a/doc/scripts/base/protocols/syslog/index.rst b/doc/scripts/base/protocols/syslog/index.rst
new file mode 100644
index 0000000000..42cd3ee87d
--- /dev/null
+++ b/doc/scripts/base/protocols/syslog/index.rst
@@ -0,0 +1,23 @@
+:orphan:
+
+Package: base/protocols/syslog
+==============================
+
+Support for Syslog protocol analysis.
+
+:doc:`/scripts/base/protocols/syslog/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/syslog/spicy-events.zeek`
+
+   Events generated by the Syslog analyzer.
+
+:doc:`/scripts/base/protocols/syslog/consts.zeek`
+
+   Constants definitions for syslog.
+
+:doc:`/scripts/base/protocols/syslog/main.zeek`
+
+   Core script support for logging syslog messages.  This script represents
+   one syslog message as one logged record.
+
diff --git a/doc/scripts/base/protocols/syslog/main.zeek.rst b/doc/scripts/base/protocols/syslog/main.zeek.rst
new file mode 100644
index 0000000000..173eb01718
--- /dev/null
+++ b/doc/scripts/base/protocols/syslog/main.zeek.rst
@@ -0,0 +1,97 @@
+:tocdepth: 3
+
+base/protocols/syslog/main.zeek
+===============================
+.. zeek:namespace:: Syslog
+
+Core script support for logging syslog messages.  This script represents
+one syslog message as one logged record.
+
+:Namespace: Syslog
+:Imports: :doc:`base/protocols/syslog/consts.zeek </scripts/base/protocols/syslog/consts.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================== ============================================================
+:zeek:type:`Syslog::Info`: :zeek:type:`record` The record type which contains the fields of the syslog log.
+============================================== ============================================================
+
+Redefinitions
+#############
+==================================================================== ==========================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                              
+                                                                     
+                                                                     * :zeek:enum:`Syslog::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                         
+                                                                     
+                                                                     :New Fields: :zeek:type:`connection`
+                                                                     
+                                                                       syslog: :zeek:type:`Syslog::Info` :zeek:attr:`&optional`
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== ==========================================================
+
+Hooks
+#####
+=========================================================== =
+:zeek:id:`Syslog::log_policy`: :zeek:type:`Log::PolicyHook` 
+=========================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Syslog::Info
+   :source-code: base/protocols/syslog/main.zeek 14 29
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp when the syslog message was seen.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log`
+
+      Protocol over which the message was seen.
+
+
+   .. zeek:field:: facility :zeek:type:`string` :zeek:attr:`&log`
+
+      Syslog facility for the message.
+
+
+   .. zeek:field:: severity :zeek:type:`string` :zeek:attr:`&log`
+
+      Syslog severity for the message.
+
+
+   .. zeek:field:: message :zeek:type:`string` :zeek:attr:`&log`
+
+      The plain text message.
+
+
+   The record type which contains the fields of the syslog log.
+
+Hooks
+#####
+.. zeek:id:: Syslog::log_policy
+   :source-code: base/protocols/syslog/main.zeek 11 11
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/base/protocols/syslog/spicy-events.zeek.rst b/doc/scripts/base/protocols/syslog/spicy-events.zeek.rst
new file mode 100644
index 0000000000..69fd9f7721
--- /dev/null
+++ b/doc/scripts/base/protocols/syslog/spicy-events.zeek.rst
@@ -0,0 +1,46 @@
+:tocdepth: 3
+
+base/protocols/syslog/spicy-events.zeek
+=======================================
+
+Events generated by the Syslog analyzer.
+
+
+Summary
+~~~~~~~
+Events
+######
+============================================= ========================================
+:zeek:id:`syslog_message`: :zeek:type:`event` Generated for monitored Syslog messages.
+============================================= ========================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: syslog_message
+   :source-code: base/protocols/syslog/spicy-events.zeek 19 19
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, facility: :zeek:type:`count`, severity: :zeek:type:`count`, msg: :zeek:type:`string`)
+
+   Generated for monitored Syslog messages.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
+   information about the Syslog protocol.
+   
+
+   :param c: The connection record for the underlying transport-layer session/flow.
+   
+
+   :param facility: The "facility" included in the message.
+   
+
+   :param severity: The "severity" included in the message.
+   
+
+   :param msg: The message logged.
+   
+   .. note:: Zeek currently parses only UDP syslog traffic.
+
+
diff --git a/doc/scripts/base/protocols/tunnels/__load__.zeek.rst b/doc/scripts/base/protocols/tunnels/__load__.zeek.rst
new file mode 100644
index 0000000000..846b4bc666
--- /dev/null
+++ b/doc/scripts/base/protocols/tunnels/__load__.zeek.rst
@@ -0,0 +1,13 @@
+:tocdepth: 3
+
+base/protocols/tunnels/__load__.zeek
+====================================
+
+
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/tunnels/index.rst b/doc/scripts/base/protocols/tunnels/index.rst
new file mode 100644
index 0000000000..344c926e3b
--- /dev/null
+++ b/doc/scripts/base/protocols/tunnels/index.rst
@@ -0,0 +1,11 @@
+:orphan:
+
+Package: base/protocols/tunnels
+===============================
+
+Provides DPD signatures for tunneling protocols that otherwise
+wouldn't be detected at all.
+
+:doc:`/scripts/base/protocols/tunnels/__load__.zeek`
+
+
diff --git a/doc/scripts/base/protocols/websocket/__load__.zeek.rst b/doc/scripts/base/protocols/websocket/__load__.zeek.rst
new file mode 100644
index 0000000000..86b92787cc
--- /dev/null
+++ b/doc/scripts/base/protocols/websocket/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/websocket/__load__.zeek
+======================================
+
+
+:Imports: :doc:`base/protocols/websocket/consts.zeek </scripts/base/protocols/websocket/consts.zeek>`, :doc:`base/protocols/websocket/main.zeek </scripts/base/protocols/websocket/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/websocket/consts.zeek.rst b/doc/scripts/base/protocols/websocket/consts.zeek.rst
new file mode 100644
index 0000000000..43c1dbb607
--- /dev/null
+++ b/doc/scripts/base/protocols/websocket/consts.zeek.rst
@@ -0,0 +1,107 @@
+:tocdepth: 3
+
+base/protocols/websocket/consts.zeek
+====================================
+.. zeek:namespace:: WebSocket
+
+WebSocket constants.
+
+:Namespace: WebSocket
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=================================================================================================================== =
+:zeek:id:`WebSocket::opcodes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef` 
+=================================================================================================================== =
+
+Constants
+#########
+============================================================= =
+:zeek:id:`WebSocket::HANDSHAKE_GUID`: :zeek:type:`string`     
+:zeek:id:`WebSocket::OPCODE_BINARY`: :zeek:type:`count`       
+:zeek:id:`WebSocket::OPCODE_CLOSE`: :zeek:type:`count`        
+:zeek:id:`WebSocket::OPCODE_CONTINUATION`: :zeek:type:`count` 
+:zeek:id:`WebSocket::OPCODE_PING`: :zeek:type:`count`         
+:zeek:id:`WebSocket::OPCODE_PONG`: :zeek:type:`count`         
+:zeek:id:`WebSocket::OPCODE_TEXT`: :zeek:type:`count`         
+============================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: WebSocket::opcodes
+   :source-code: base/protocols/websocket/consts.zeek 13 13
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [0] = "continuation",
+            [9] = "ping",
+            [10] = "pong",
+            [2] = "binary",
+            [8] = "close",
+            [1] = "text"
+         }
+
+
+
+Constants
+#########
+.. zeek:id:: WebSocket::HANDSHAKE_GUID
+   :source-code: base/protocols/websocket/consts.zeek 22 22
+
+   :Type: :zeek:type:`string`
+   :Default: ``"258EAFA5-E914-47DA-95CA-C5AB0DC85B11"``
+
+
+.. zeek:id:: WebSocket::OPCODE_BINARY
+   :source-code: base/protocols/websocket/consts.zeek 8 8
+
+   :Type: :zeek:type:`count`
+   :Default: ``2``
+
+
+.. zeek:id:: WebSocket::OPCODE_CLOSE
+   :source-code: base/protocols/websocket/consts.zeek 9 9
+
+   :Type: :zeek:type:`count`
+   :Default: ``8``
+
+
+.. zeek:id:: WebSocket::OPCODE_CONTINUATION
+   :source-code: base/protocols/websocket/consts.zeek 6 6
+
+   :Type: :zeek:type:`count`
+   :Default: ``0``
+
+
+.. zeek:id:: WebSocket::OPCODE_PING
+   :source-code: base/protocols/websocket/consts.zeek 10 10
+
+   :Type: :zeek:type:`count`
+   :Default: ``9``
+
+
+.. zeek:id:: WebSocket::OPCODE_PONG
+   :source-code: base/protocols/websocket/consts.zeek 11 11
+
+   :Type: :zeek:type:`count`
+   :Default: ``10``
+
+
+.. zeek:id:: WebSocket::OPCODE_TEXT
+   :source-code: base/protocols/websocket/consts.zeek 7 7
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+
+
diff --git a/doc/scripts/base/protocols/websocket/index.rst b/doc/scripts/base/protocols/websocket/index.rst
new file mode 100644
index 0000000000..e290e71ae0
--- /dev/null
+++ b/doc/scripts/base/protocols/websocket/index.rst
@@ -0,0 +1,21 @@
+:orphan:
+
+Package: base/protocols/websocket
+=================================
+
+
+:doc:`/scripts/base/protocols/websocket/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/websocket/consts.zeek`
+
+   WebSocket constants.
+
+:doc:`/scripts/base/protocols/websocket/main.zeek`
+
+   Implements base functionality for WebSocket analysis.
+   
+   Upon a websocket_established() event, logs all gathered information into
+   websocket.log and configures the WebSocket analyzer with the headers
+   collected via http events.
+
diff --git a/doc/scripts/base/protocols/websocket/main.zeek.rst b/doc/scripts/base/protocols/websocket/main.zeek.rst
new file mode 100644
index 0000000000..e464fbd1c4
--- /dev/null
+++ b/doc/scripts/base/protocols/websocket/main.zeek.rst
@@ -0,0 +1,170 @@
+:tocdepth: 3
+
+base/protocols/websocket/main.zeek
+==================================
+.. zeek:namespace:: WebSocket
+
+Implements base functionality for WebSocket analysis.
+
+Upon a websocket_established() event, logs all gathered information into
+websocket.log and configures the WebSocket analyzer with the headers
+collected via http events.
+
+:Namespace: WebSocket
+:Imports: :doc:`base/protocols/http </scripts/base/protocols/http/index>`, :doc:`base/protocols/websocket/consts.zeek </scripts/base/protocols/websocket/consts.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+================================================= ======================================
+:zeek:type:`WebSocket::Info`: :zeek:type:`record` The record type for the WebSocket log.
+================================================= ======================================
+
+Redefinitions
+#############
+========================================================================== ================================================================
+:zeek:id:`HTTP::upgrade_analyzers`: :zeek:type:`table` :zeek:attr:`&redef` 
+:zeek:type:`Log::ID`: :zeek:type:`enum`                                    
+                                                                           
+                                                                           * :zeek:enum:`WebSocket::LOG`
+:zeek:type:`connection`: :zeek:type:`record`                               
+                                                                           
+                                                                           :New Fields: :zeek:type:`connection`
+                                                                           
+                                                                             websocket: :zeek:type:`WebSocket::Info` :zeek:attr:`&optional`
+========================================================================== ================================================================
+
+Events
+######
+======================================================= =================================================================
+:zeek:id:`WebSocket::log_websocket`: :zeek:type:`event` Event that can be handled to access the WebSocket record as it is
+                                                        sent on to the logging framework.
+======================================================= =================================================================
+
+Hooks
+#####
+============================================================== =================================================================
+:zeek:id:`WebSocket::configure_analyzer`: :zeek:type:`hook`    Experimental: Hook to intercept WebSocket analyzer configuration.
+:zeek:id:`WebSocket::log_policy`: :zeek:type:`Log::PolicyHook` Log policy hook.
+============================================================== =================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: WebSocket::Info
+   :source-code: base/protocols/websocket/main.zeek 22 47
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      The connection's 4-tuple of endpoint addresses/ports.
+
+
+   .. zeek:field:: host :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Same as in the HTTP log.
+
+
+   .. zeek:field:: uri :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Same as in the HTTP log.
+
+
+   .. zeek:field:: user_agent :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Same as in the HTTP log.
+
+
+   .. zeek:field:: subprotocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The WebSocket subprotocol as selected by the server.
+
+
+   .. zeek:field:: client_protocols :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The protocols requested by the client, if any.
+
+
+   .. zeek:field:: server_extensions :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The extensions selected by the the server, if any.
+
+
+   .. zeek:field:: client_extensions :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The extensions requested by the client, if any.
+
+
+   .. zeek:field:: client_key :zeek:type:`string` :zeek:attr:`&optional`
+
+      The Sec-WebSocket-Key header from the client.
+
+
+   .. zeek:field:: server_accept :zeek:type:`string` :zeek:attr:`&optional`
+
+      The Sec-WebSocket-Accept header from the server.
+
+
+   The record type for the WebSocket log.
+
+Events
+######
+.. zeek:id:: WebSocket::log_websocket
+   :source-code: base/protocols/websocket/main.zeek 51 51
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`WebSocket::Info`)
+
+   Event that can be handled to access the WebSocket record as it is
+   sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: WebSocket::configure_analyzer
+   :source-code: base/protocols/websocket/main.zeek 72 72
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`connection`, aid: :zeek:type:`count`, config: :zeek:type:`WebSocket::AnalyzerConfig`) : :zeek:type:`bool`
+
+
+   :param Experimental: Hook to intercept WebSocket analyzer configuration.
+   
+   Breaking from this hook disables the WebSocket analyzer immediately.
+   To modify the configuration of the analyzer, use the
+   :zeek:see:`WebSocket::AnalyzerConfig` type.
+   
+   While this API allows quite some flexibility currently, should be
+   considered experimental and may change in the future with or
+   without a deprecation phase.
+   
+
+   :param c: The connection
+   
+
+   :param aid: The analyzer ID for the WebSocket analyzer.
+   
+
+   :param config: The configuration record, also containing information
+           about the subprotocol and extensions.
+
+.. zeek:id:: WebSocket::log_policy
+   :source-code: base/protocols/websocket/main.zeek 54 54
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   Log policy hook.
+
+
diff --git a/doc/scripts/base/protocols/xmpp/__load__.zeek.rst b/doc/scripts/base/protocols/xmpp/__load__.zeek.rst
new file mode 100644
index 0000000000..386d5fa7dc
--- /dev/null
+++ b/doc/scripts/base/protocols/xmpp/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+base/protocols/xmpp/__load__.zeek
+=================================
+
+
+:Imports: :doc:`base/protocols/xmpp/main.zeek </scripts/base/protocols/xmpp/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/protocols/xmpp/index.rst b/doc/scripts/base/protocols/xmpp/index.rst
new file mode 100644
index 0000000000..d1c00017e3
--- /dev/null
+++ b/doc/scripts/base/protocols/xmpp/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: base/protocols/xmpp
+============================
+
+Support for the Extensible Messaging and Presence Protocol (XMPP).
+
+Note that currently the XMPP analyzer only supports analyzing XMPP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+actual chat information from XMPP sessions, only X509 certificates.
+
+:doc:`/scripts/base/protocols/xmpp/__load__.zeek`
+
+
+:doc:`/scripts/base/protocols/xmpp/main.zeek`
+
+
diff --git a/doc/scripts/base/protocols/xmpp/main.zeek.rst b/doc/scripts/base/protocols/xmpp/main.zeek.rst
new file mode 100644
index 0000000000..70a632bec0
--- /dev/null
+++ b/doc/scripts/base/protocols/xmpp/main.zeek.rst
@@ -0,0 +1,21 @@
+:tocdepth: 3
+
+base/protocols/xmpp/main.zeek
+=============================
+.. zeek:namespace:: XMPP
+
+
+:Namespace: XMPP
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/base/utils/active-http.zeek.rst b/doc/scripts/base/utils/active-http.zeek.rst
new file mode 100644
index 0000000000..2973431ef2
--- /dev/null
+++ b/doc/scripts/base/utils/active-http.zeek.rst
@@ -0,0 +1,141 @@
+:tocdepth: 3
+
+base/utils/active-http.zeek
+===========================
+.. zeek:namespace:: ActiveHTTP
+
+A module for performing active HTTP requests and
+getting the reply at runtime.
+
+:Namespace: ActiveHTTP
+:Imports: :doc:`base/utils/exec.zeek </scripts/base/utils/exec.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================== =================================================
+:zeek:id:`ActiveHTTP::default_max_time`: :zeek:type:`interval` :zeek:attr:`&redef` The default timeout for HTTP requests.
+:zeek:id:`ActiveHTTP::default_method`: :zeek:type:`string` :zeek:attr:`&redef`     The default HTTP method/verb to use for requests.
+================================================================================== =================================================
+
+Types
+#####
+====================================================== =
+:zeek:type:`ActiveHTTP::Request`: :zeek:type:`record`  
+:zeek:type:`ActiveHTTP::Response`: :zeek:type:`record` 
+====================================================== =
+
+Functions
+#########
+===================================================== ========================================
+:zeek:id:`ActiveHTTP::request`: :zeek:type:`function` Perform an HTTP request according to the
+                                                      :zeek:type:`ActiveHTTP::Request` record.
+===================================================== ========================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: ActiveHTTP::default_max_time
+   :source-code: base/utils/active-http.zeek 10 10
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min``
+
+   The default timeout for HTTP requests.
+
+.. zeek:id:: ActiveHTTP::default_method
+   :source-code: base/utils/active-http.zeek 13 13
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"GET"``
+
+   The default HTTP method/verb to use for requests.
+
+Types
+#####
+.. zeek:type:: ActiveHTTP::Request
+   :source-code: base/utils/active-http.zeek 26 46
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: url :zeek:type:`string`
+
+      The URL being requested.
+
+
+   .. zeek:field:: method :zeek:type:`string` :zeek:attr:`&default` = :zeek:see:`ActiveHTTP::default_method` :zeek:attr:`&optional`
+
+      The HTTP method/verb to use for the request.
+
+
+   .. zeek:field:: client_data :zeek:type:`string` :zeek:attr:`&optional`
+
+      Data to send to the server in the client body.  Keep in
+      mind that you will probably need to set the *method* field
+      to "POST" or "PUT".
+
+
+   .. zeek:field:: max_time :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`ActiveHTTP::default_max_time` :zeek:attr:`&optional`
+
+      Timeout for the request.
+
+
+   .. zeek:field:: addl_curl_args :zeek:type:`string` :zeek:attr:`&optional`
+
+      Additional curl command line arguments.  Be very careful
+      with this option since shell injection could take place
+      if careful handling of untrusted data is not applied.
+
+
+
+.. zeek:type:: ActiveHTTP::Response
+   :source-code: base/utils/active-http.zeek 15 24
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: code :zeek:type:`count`
+
+      Numeric response code from the server.
+
+
+   .. zeek:field:: msg :zeek:type:`string`
+
+      String response message from the server.
+
+
+   .. zeek:field:: body :zeek:type:`string` :zeek:attr:`&optional`
+
+      Full body of the response.
+
+
+   .. zeek:field:: headers :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&optional`
+
+      All headers returned by the server.
+
+
+
+Functions
+#########
+.. zeek:id:: ActiveHTTP::request
+   :source-code: base/utils/active-http.zeek 79 135
+
+   :Type: :zeek:type:`function` (req: :zeek:type:`ActiveHTTP::Request`) : :zeek:type:`ActiveHTTP::Response`
+
+   Perform an HTTP request according to the
+   :zeek:type:`ActiveHTTP::Request` record.  This is an asynchronous
+   function and must be called within a "when" statement.
+   
+
+   :param req: A record instance representing all options for an HTTP request.
+   
+
+   :returns: A record with the full response message.
+
+
diff --git a/doc/scripts/base/utils/addrs.zeek.rst b/doc/scripts/base/utils/addrs.zeek.rst
new file mode 100644
index 0000000000..f52dbb9945
--- /dev/null
+++ b/doc/scripts/base/utils/addrs.zeek.rst
@@ -0,0 +1,392 @@
+:tocdepth: 3
+
+base/utils/addrs.zeek
+=====================
+
+Functions for parsing and manipulating IP and MAC addresses.
+
+
+Summary
+~~~~~~~
+Constants
+#########
+======================================================================= =
+:zeek:id:`ip_addr_regex`: :zeek:type:`pattern`                          
+:zeek:id:`ipv4_addr_regex`: :zeek:type:`pattern`                        
+:zeek:id:`ipv4_decim`: :zeek:type:`pattern`                             
+:zeek:id:`ipv6_8hex_regex`: :zeek:type:`pattern`                        
+:zeek:id:`ipv6_addr_regex`: :zeek:type:`pattern`                        
+:zeek:id:`ipv6_compressed_hex4dec_regex`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_compressed_hex_regex`: :zeek:type:`pattern`              
+:zeek:id:`ipv6_compressed_hext4dec_lead_hextets0`: :zeek:type:`pattern` 
+:zeek:id:`ipv6_compressed_hext4dec_lead_hextets1`: :zeek:type:`pattern` 
+:zeek:id:`ipv6_compressed_hext4dec_lead_hextets2`: :zeek:type:`pattern` 
+:zeek:id:`ipv6_compressed_hext4dec_lead_hextets3`: :zeek:type:`pattern` 
+:zeek:id:`ipv6_compressed_hext4dec_lead_hextets4`: :zeek:type:`pattern` 
+:zeek:id:`ipv6_compressed_hext4dec_lead_hextets5`: :zeek:type:`pattern` 
+:zeek:id:`ipv6_compressed_lead_hextets0`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_compressed_lead_hextets1`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_compressed_lead_hextets2`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_compressed_lead_hextets3`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_compressed_lead_hextets4`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_compressed_lead_hextets5`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_compressed_lead_hextets6`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_compressed_lead_hextets7`: :zeek:type:`pattern`          
+:zeek:id:`ipv6_hex4dec_regex`: :zeek:type:`pattern`                     
+:zeek:id:`ipv6_hextet`: :zeek:type:`pattern`                            
+======================================================================= =
+
+Functions
+#########
+====================================================== =========================================================================
+:zeek:id:`addr_to_uri`: :zeek:type:`function`          Returns the string representation of an IP address suitable for inclusion
+                                                       in a URI.
+:zeek:id:`extract_ip_addresses`: :zeek:type:`function` Extracts all IP (v4 or v6) address strings from a given string.
+:zeek:id:`has_valid_octets`: :zeek:type:`function`     Checks if all elements of a string array are a valid octet value.
+:zeek:id:`normalize_mac`: :zeek:type:`function`        Given a string, extracts the hex digits and returns a MAC address in
+                                                       the format: 00:a0:32:d7:81:8f.
+====================================================== =========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: ip_addr_regex
+   :source-code: base/utils/addrs.zeek 64 64
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)|(^?((^?((^?((^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?)|(^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?))$?)|(^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?))$?))$?/
+
+
+
+.. zeek:id:: ipv4_addr_regex
+   :source-code: base/utils/addrs.zeek 7 7
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?/
+
+
+
+.. zeek:id:: ipv4_decim
+   :source-code: base/utils/addrs.zeek 5 5
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?/
+
+
+
+.. zeek:id:: ipv6_8hex_regex
+   :source-code: base/utils/addrs.zeek 11 11
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?/
+
+
+
+.. zeek:id:: ipv6_addr_regex
+   :source-code: base/utils/addrs.zeek 59 59
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?)|(^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?))$?)|(^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_hex4dec_regex
+   :source-code: base/utils/addrs.zeek 52 52
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_hex_regex
+   :source-code: base/utils/addrs.zeek 31 31
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets0
+   :source-code: base/utils/addrs.zeek 40 40
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets1
+   :source-code: base/utils/addrs.zeek 42 42
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets2
+   :source-code: base/utils/addrs.zeek 44 44
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets3
+   :source-code: base/utils/addrs.zeek 46 46
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets4
+   :source-code: base/utils/addrs.zeek 48 48
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets5
+   :source-code: base/utils/addrs.zeek 50 50
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_compressed_lead_hextets0
+   :source-code: base/utils/addrs.zeek 15 15
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?/
+
+
+
+.. zeek:id:: ipv6_compressed_lead_hextets1
+   :source-code: base/utils/addrs.zeek 17 17
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?/
+
+
+
+.. zeek:id:: ipv6_compressed_lead_hextets2
+   :source-code: base/utils/addrs.zeek 19 19
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?/
+
+
+
+.. zeek:id:: ipv6_compressed_lead_hextets3
+   :source-code: base/utils/addrs.zeek 21 21
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?/
+
+
+
+.. zeek:id:: ipv6_compressed_lead_hextets4
+   :source-code: base/utils/addrs.zeek 23 23
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?/
+
+
+
+.. zeek:id:: ipv6_compressed_lead_hextets5
+   :source-code: base/utils/addrs.zeek 25 25
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?/
+
+
+
+.. zeek:id:: ipv6_compressed_lead_hextets6
+   :source-code: base/utils/addrs.zeek 27 27
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?/
+
+
+
+.. zeek:id:: ipv6_compressed_lead_hextets7
+   :source-code: base/utils/addrs.zeek 29 29
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?/
+
+
+
+.. zeek:id:: ipv6_hex4dec_regex
+   :source-code: base/utils/addrs.zeek 13 13
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
+
+
+
+.. zeek:id:: ipv6_hextet
+   :source-code: base/utils/addrs.zeek 9 9
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?([0-9A-Fa-f]{1,4})$?/
+
+
+
+Functions
+#########
+.. zeek:id:: addr_to_uri
+   :source-code: base/utils/addrs.zeek 126 132
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`string`
+
+   Returns the string representation of an IP address suitable for inclusion
+   in a URI.  For IPv4, this does no special formatting, but for IPv6, the
+   address is included in square brackets.
+   
+
+   :param a: the address to make suitable for URI inclusion.
+   
+
+   :returns: the string representation of the address suitable for URI inclusion.
+
+.. zeek:id:: extract_ip_addresses
+   :source-code: base/utils/addrs.zeek 89 117
+
+   :Type: :zeek:type:`function` (input: :zeek:type:`string`, check_wrapping: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`string_vec`
+
+   Extracts all IP (v4 or v6) address strings from a given string.
+   
+
+   :param input: a string that may contain an IP address anywhere within it.
+   
+
+   :param check_wrapping: if true, will only return IP addresses that are wrapped in matching pairs of spaces, square brackets, curly braces, or parens. This can be used to avoid extracting strings that look like IPs from innocuous strings, such as SMTP headers.
+   
+
+   :returns: an array containing all valid IP address strings found in *input*.
+
+.. zeek:id:: has_valid_octets
+   :source-code: base/utils/addrs.zeek 71 80
+
+   :Type: :zeek:type:`function` (octets: :zeek:type:`string_vec`) : :zeek:type:`bool`
+
+   Checks if all elements of a string array are a valid octet value.
+   
+
+   :param octets: an array of strings to check for valid octet values.
+   
+
+   :returns: T if every element is between 0 and 255, inclusive, else F.
+
+.. zeek:id:: normalize_mac
+   :source-code: base/utils/addrs.zeek 141 159
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`string`) : :zeek:type:`string`
+
+   Given a string, extracts the hex digits and returns a MAC address in
+   the format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex
+   digits, an empty string is returned.
+   
+
+   :param a: the string to normalize.
+   
+
+   :returns: a normalized MAC address, or an empty string in the case of an error.
+
+
diff --git a/doc/scripts/base/utils/backtrace.zeek.rst b/doc/scripts/base/utils/backtrace.zeek.rst
new file mode 100644
index 0000000000..d9fe6e0ed9
--- /dev/null
+++ b/doc/scripts/base/utils/backtrace.zeek.rst
@@ -0,0 +1,46 @@
+:tocdepth: 3
+
+base/utils/backtrace.zeek
+=========================
+
+
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================= ==================================
+:zeek:id:`print_backtrace`: :zeek:type:`function` Prints a Zeek function call stack.
+================================================= ==================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: print_backtrace
+   :source-code: base/utils/backtrace.zeek 19 78
+
+   :Type: :zeek:type:`function` (show_args: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`, one_line: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`, one_line_delim: :zeek:type:`string` :zeek:attr:`&default` = ``"|"`` :zeek:attr:`&optional`, skip: :zeek:type:`count` :zeek:attr:`&default` = ``1`` :zeek:attr:`&optional`, to_file: :zeek:type:`file` :zeek:attr:`&default` = ``file "/dev/stdout" of string`` :zeek:attr:`&optional`) : :zeek:type:`void`
+
+   Prints a Zeek function call stack.
+   
+
+   :param show_args: whether to print function argument names/types/values.
+   
+
+   :param one_line: whether to print the stack in a single line or multiple.
+   
+
+   :param one_line_delim: delimiter between stack elements if printing to one line.
+   
+
+   :param skip: the number of call stack elements to skip past, starting from zero,
+         with that being the call to this function.
+   
+
+   :param to_file: the file to which the call stack will be printed.
+   
+   .. zeek:see:: backtrace
+
+
diff --git a/doc/scripts/base/utils/conn-ids.zeek.rst b/doc/scripts/base/utils/conn-ids.zeek.rst
new file mode 100644
index 0000000000..b3ffbd8006
--- /dev/null
+++ b/doc/scripts/base/utils/conn-ids.zeek.rst
@@ -0,0 +1,57 @@
+:tocdepth: 3
+
+base/utils/conn-ids.zeek
+========================
+.. zeek:namespace:: GLOBAL
+
+Simple functions for generating ASCII strings from connection IDs.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Functions
+#########
+==================================================== ===================================================================
+:zeek:id:`directed_id_string`: :zeek:type:`function` Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the
+                                                     second argument is T or F, respectively.
+:zeek:id:`id_string`: :zeek:type:`function`          Takes a conn_id record and returns a string representation with the
+                                                     general data flow appearing to be from the connection originator
+                                                     on the left to the responder on the right.
+:zeek:id:`reverse_id_string`: :zeek:type:`function`  Takes a conn_id record and returns a string representation with the
+                                                     general data flow appearing to be from the connection responder
+                                                     on the right to the originator on the left.
+==================================================== ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: directed_id_string
+   :source-code: base/utils/conn-ids.zeek 39 42
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
+
+   Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the
+   second argument is T or F, respectively.
+
+.. zeek:id:: id_string
+   :source-code: base/utils/conn-ids.zeek 25 30
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`) : :zeek:type:`string`
+
+   Takes a conn_id record and returns a string representation with the
+   general data flow appearing to be from the connection originator
+   on the left to the responder on the right.
+
+.. zeek:id:: reverse_id_string
+   :source-code: base/utils/conn-ids.zeek 32 37
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`) : :zeek:type:`string`
+
+   Takes a conn_id record and returns a string representation with the
+   general data flow appearing to be from the connection responder
+   on the right to the originator on the left.
+
+
diff --git a/doc/scripts/base/utils/dir.zeek.rst b/doc/scripts/base/utils/dir.zeek.rst
new file mode 100644
index 0000000000..e58acaf28c
--- /dev/null
+++ b/doc/scripts/base/utils/dir.zeek.rst
@@ -0,0 +1,64 @@
+:tocdepth: 3
+
+base/utils/dir.zeek
+===================
+.. zeek:namespace:: Dir
+
+
+:Namespace: Dir
+:Imports: :doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`, :doc:`base/utils/exec.zeek </scripts/base/utils/exec.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=========================================================================== =====================================================================
+:zeek:id:`Dir::polling_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The default interval this module checks for files in directories when
+                                                                            using the :zeek:see:`Dir::monitor` function.
+=========================================================================== =====================================================================
+
+Functions
+#########
+============================================== ==============================================================
+:zeek:id:`Dir::monitor`: :zeek:type:`function` Register a directory to monitor with a callback that is called
+                                               every time a previously unseen file is seen.
+============================================== ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Dir::polling_interval
+   :source-code: base/utils/dir.zeek 10 10
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``30.0 secs``
+
+   The default interval this module checks for files in directories when
+   using the :zeek:see:`Dir::monitor` function.
+
+Functions
+#########
+.. zeek:id:: Dir::monitor
+   :source-code: base/utils/dir.zeek 60 63
+
+   :Type: :zeek:type:`function` (dir: :zeek:type:`string`, callback: :zeek:type:`function` (fname: :zeek:type:`string`) : :zeek:type:`void`, poll_interval: :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Dir::polling_interval` :zeek:attr:`&optional`) : :zeek:type:`void`
+
+   Register a directory to monitor with a callback that is called
+   every time a previously unseen file is seen.  If a file is deleted
+   and seen to be gone, then the file is available for being seen again
+   in the future.
+   
+
+   :param dir: The directory to monitor for files.
+   
+
+   :param callback: Callback that gets executed with each file name
+             that is found.  Filenames are provided with the full path.
+   
+
+   :param poll_interval: An interval at which to check for new files.
+
+
diff --git a/doc/scripts/base/utils/directions-and-hosts.zeek.rst b/doc/scripts/base/utils/directions-and-hosts.zeek.rst
new file mode 100644
index 0000000000..1d6e367a6a
--- /dev/null
+++ b/doc/scripts/base/utils/directions-and-hosts.zeek.rst
@@ -0,0 +1,113 @@
+:tocdepth: 3
+
+base/utils/directions-and-hosts.zeek
+====================================
+
+
+:Imports: :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+========================================= =
+:zeek:type:`Direction`: :zeek:type:`enum` 
+:zeek:type:`Host`: :zeek:type:`enum`      
+========================================= =
+
+Functions
+#########
+====================================================== ======================================================================
+:zeek:id:`addr_matches_host`: :zeek:type:`function`    Checks whether a given host (IP address) matches a given host type.
+:zeek:id:`id_matches_direction`: :zeek:type:`function` Checks whether a given connection is of a given direction with respect
+                                                       to the locally-monitored network.
+====================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Direction
+   :source-code: base/utils/directions-and-hosts.zeek 3 16
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: INBOUND Direction
+
+         The connection originator is not within the locally-monitored
+         network, but the other endpoint is.
+
+      .. zeek:enum:: OUTBOUND Direction
+
+         The connection originator is within the locally-monitored network,
+         but the other endpoint is not.
+
+      .. zeek:enum:: BIDIRECTIONAL Direction
+
+         Only one endpoint is within the locally-monitored network, meaning
+         the connection is either outbound or inbound.
+
+      .. zeek:enum:: NO_DIRECTION Direction
+
+         This value doesn't match any connection.
+
+
+.. zeek:type:: Host
+   :source-code: base/utils/directions-and-hosts.zeek 40 50
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: LOCAL_HOSTS Host
+
+         A host within the locally-monitored network.
+
+      .. zeek:enum:: REMOTE_HOSTS Host
+
+         A host not within the locally-monitored network.
+
+      .. zeek:enum:: ALL_HOSTS Host
+
+         Any host.
+
+      .. zeek:enum:: NO_HOSTS Host
+
+         This value doesn't match any host.
+
+
+Functions
+#########
+.. zeek:id:: addr_matches_host
+   :source-code: base/utils/directions-and-hosts.zeek 58 65
+
+   :Type: :zeek:type:`function` (ip: :zeek:type:`addr`, h: :zeek:type:`Host`) : :zeek:type:`bool`
+
+   Checks whether a given host (IP address) matches a given host type.
+   
+
+   :param ip: address of a host.
+   
+
+   :param h: a host type.
+   
+
+   :returns: T if the given host matches the given type, else F.
+
+.. zeek:id:: id_matches_direction
+   :source-code: base/utils/directions-and-hosts.zeek 25 38
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`, d: :zeek:type:`Direction`) : :zeek:type:`bool`
+
+   Checks whether a given connection is of a given direction with respect
+   to the locally-monitored network.
+   
+
+   :param id: a connection record containing the originator/responder hosts.
+   
+
+   :param d: a direction with respect to the locally-monitored network.
+   
+
+   :returns: T if the two connection endpoints match the given direction, else F.
+
+
diff --git a/doc/scripts/base/utils/email.zeek.rst b/doc/scripts/base/utils/email.zeek.rst
new file mode 100644
index 0000000000..e41e15ef30
--- /dev/null
+++ b/doc/scripts/base/utils/email.zeek.rst
@@ -0,0 +1,82 @@
+:tocdepth: 3
+
+base/utils/email.zeek
+=====================
+
+
+
+Summary
+~~~~~~~
+Functions
+#########
+============================================================ ===========================================================================
+:zeek:id:`extract_email_addrs_set`: :zeek:type:`function`    Extract mail addresses out of address specifications conforming to RFC5322.
+:zeek:id:`extract_email_addrs_vec`: :zeek:type:`function`    Extract mail addresses out of address specifications conforming to RFC5322.
+:zeek:id:`extract_first_email_addr`: :zeek:type:`function`   Extract the first email address from a string.
+:zeek:id:`split_mime_email_addresses`: :zeek:type:`function` Split email addresses from MIME headers.
+============================================================ ===========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: extract_email_addrs_set
+   :source-code: base/utils/email.zeek 24 33
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`set` [:zeek:type:`string`]
+
+   Extract mail addresses out of address specifications conforming to RFC5322.
+   
+
+   :param str: A string potentially containing email addresses.
+   
+
+   :returns: A set of extracted email addresses.  An empty set is returned
+            if no email addresses are discovered.
+
+.. zeek:id:: extract_email_addrs_vec
+   :source-code: base/utils/email.zeek 7 16
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string_vec`
+
+   Extract mail addresses out of address specifications conforming to RFC5322.
+   
+
+   :param str: A string potentially containing email addresses.
+   
+
+   :returns: A vector of extracted email addresses.  An empty vector is returned
+            if no email addresses are discovered.
+
+.. zeek:id:: extract_first_email_addr
+   :source-code: base/utils/email.zeek 40 47
+
+   :Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
+
+   Extract the first email address from a string.
+   
+
+   :param str: A string potentially containing email addresses.
+   
+
+   :returns: An email address or empty string if none found.
+
+.. zeek:id:: split_mime_email_addresses
+   :source-code: base/utils/email.zeek 58 67
+
+   :Type: :zeek:type:`function` (line: :zeek:type:`string`) : :zeek:type:`set` [:zeek:type:`string`]
+
+   Split email addresses from MIME headers.  The email addresses will
+   include the display name and email address as it was given by the mail
+   mail client.  Note that this currently does not account for MIME group
+   addresses and won't handle them correctly.  The group name will show up
+   as part of an email address.
+   
+
+   :param str: The argument from a MIME header.
+   
+
+   :returns: A set of addresses or empty string if none found.
+
+
diff --git a/doc/scripts/base/utils/exec.zeek.rst b/doc/scripts/base/utils/exec.zeek.rst
new file mode 100644
index 0000000000..fd5eabd29c
--- /dev/null
+++ b/doc/scripts/base/utils/exec.zeek.rst
@@ -0,0 +1,114 @@
+:tocdepth: 3
+
+base/utils/exec.zeek
+====================
+.. zeek:namespace:: Exec
+
+A module for executing external command line programs.
+
+:Namespace: Exec
+:Imports: :doc:`base/frameworks/input </scripts/base/frameworks/input/index>`
+
+Summary
+~~~~~~~
+Types
+#####
+=============================================== =
+:zeek:type:`Exec::Command`: :zeek:type:`record` 
+:zeek:type:`Exec::Result`: :zeek:type:`record`  
+=============================================== =
+
+Functions
+#########
+=========================================== ======================================================
+:zeek:id:`Exec::run`: :zeek:type:`function` Function for running command line programs and getting
+                                            output.
+=========================================== ======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Exec::Command
+   :source-code: base/utils/exec.zeek 8 20
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: cmd :zeek:type:`string`
+
+      The command line to execute. Use care to avoid injection
+      attacks (i.e., if the command uses untrusted/variable data,
+      sanitize it with :zeek:see:`safe_shell_quote`).
+
+
+   .. zeek:field:: stdin :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Provide standard input to the program as a string.
+
+
+   .. zeek:field:: read_files :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
+
+      If additional files are required to be read in as part of the
+      output of the command they can be defined here.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&default` = ``Chd8EgFWk2j`` :zeek:attr:`&optional`
+
+      The unique id for tracking executors.
+
+
+
+.. zeek:type:: Exec::Result
+   :source-code: base/utils/exec.zeek 22 34
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: exit_code :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Exit code from the program.
+
+
+   .. zeek:field:: signal_exit :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      True if the command was terminated with a signal.
+
+
+   .. zeek:field:: stdout :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      Each line of standard output.
+
+
+   .. zeek:field:: stderr :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      Each line of standard error.
+
+
+   .. zeek:field:: files :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string_vec` :zeek:attr:`&optional`
+
+      If additional files were requested to be read in
+      the content of the files will be available here.
+
+
+
+Functions
+#########
+.. zeek:id:: Exec::run
+   :source-code: base/utils/exec.zeek 153 187
+
+   :Type: :zeek:type:`function` (cmd: :zeek:type:`Exec::Command`) : :zeek:type:`Exec::Result`
+
+   Function for running command line programs and getting
+   output. This is an asynchronous function which is meant
+   to be run with the ``when`` statement.
+   
+
+   :param cmd: The command to run. Use care to avoid injection attacks!
+   
+
+   :returns: A record representing the full results from the
+            external program execution.
+
+
diff --git a/doc/scripts/base/utils/files.zeek.rst b/doc/scripts/base/utils/files.zeek.rst
new file mode 100644
index 0000000000..cde2894ddb
--- /dev/null
+++ b/doc/scripts/base/utils/files.zeek.rst
@@ -0,0 +1,41 @@
+:tocdepth: 3
+
+base/utils/files.zeek
+=====================
+
+
+:Imports: :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`
+
+Summary
+~~~~~~~
+Functions
+#########
+=========================================================================== ======================================================================
+:zeek:id:`extract_filename_from_content_disposition`: :zeek:type:`function` For CONTENT-DISPOSITION headers, this function can be used to extract
+                                                                            the filename.
+:zeek:id:`generate_extraction_filename`: :zeek:type:`function`              This function can be used to generate a consistent filename for when
+                                                                            contents of a file, stream, or connection are being extracted to disk.
+=========================================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: extract_filename_from_content_disposition
+   :source-code: base/utils/files.zeek 20 33
+
+   :Type: :zeek:type:`function` (data: :zeek:type:`string`) : :zeek:type:`string`
+
+   For CONTENT-DISPOSITION headers, this function can be used to extract
+   the filename.
+
+.. zeek:id:: generate_extraction_filename
+   :source-code: base/utils/files.zeek 5 16
+
+   :Type: :zeek:type:`function` (prefix: :zeek:type:`string`, c: :zeek:type:`connection`, suffix: :zeek:type:`string`) : :zeek:type:`string`
+
+   This function can be used to generate a consistent filename for when
+   contents of a file, stream, or connection are being extracted to disk.
+
+
diff --git a/doc/scripts/base/utils/geoip-distance.zeek.rst b/doc/scripts/base/utils/geoip-distance.zeek.rst
new file mode 100644
index 0000000000..caa3bba1d0
--- /dev/null
+++ b/doc/scripts/base/utils/geoip-distance.zeek.rst
@@ -0,0 +1,43 @@
+:tocdepth: 3
+
+base/utils/geoip-distance.zeek
+==============================
+
+Functions to calculate distance between two locations, based on GeoIP data.
+
+
+Summary
+~~~~~~~
+Functions
+#########
+======================================================= ==========================================================================
+:zeek:id:`haversine_distance_ip`: :zeek:type:`function` Returns the distance between two IP addresses using the haversine formula,
+                                                        based on GeoIP database locations.
+======================================================= ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: haversine_distance_ip
+   :source-code: base/utils/geoip-distance.zeek 14 26
+
+   :Type: :zeek:type:`function` (a1: :zeek:type:`addr`, a2: :zeek:type:`addr`) : :zeek:type:`double`
+
+   Returns the distance between two IP addresses using the haversine formula,
+   based on GeoIP database locations.  Requires Zeek to be built with GeoIP.
+   
+
+   :param a1: First IP address.
+   
+
+   :param a2: Second IP address.
+   
+
+   :returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data
+            is not available for either of the IP addresses.
+   
+   .. zeek:see:: haversine_distance lookup_location
+
+
diff --git a/doc/scripts/base/utils/hash_hrw.zeek.rst b/doc/scripts/base/utils/hash_hrw.zeek.rst
new file mode 100644
index 0000000000..1f27d6d1b1
--- /dev/null
+++ b/doc/scripts/base/utils/hash_hrw.zeek.rst
@@ -0,0 +1,105 @@
+:tocdepth: 3
+
+base/utils/hash_hrw.zeek
+========================
+.. zeek:namespace:: HashHRW
+
+An implementation of highest random weight (HRW) hashing, also called
+rendezvous hashing. See
+`<https://en.wikipedia.org/wiki/Rendezvous_hashing>`_.
+
+:Namespace: HashHRW
+
+Summary
+~~~~~~~
+Types
+#####
+=================================================== ===================================================================
+:zeek:type:`HashHRW::Pool`: :zeek:type:`record`     A collection of sites to distribute keys across.
+:zeek:type:`HashHRW::Site`: :zeek:type:`record`     A site/node is a unique location to which you want a subset of keys
+                                                    to be distributed.
+:zeek:type:`HashHRW::SiteTable`: :zeek:type:`table` A table of sites, indexed by their id.
+=================================================== ===================================================================
+
+Functions
+#########
+=================================================== ========================================
+:zeek:id:`HashHRW::add_site`: :zeek:type:`function` Add a site to a pool.
+:zeek:id:`HashHRW::get_site`: :zeek:type:`function` Returns: the site to which the key maps.
+:zeek:id:`HashHRW::rem_site`: :zeek:type:`function` Remove a site from a pool.
+=================================================== ========================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: HashHRW::Pool
+   :source-code: base/utils/hash_hrw.zeek 22 24
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: sites :zeek:type:`HashHRW::SiteTable` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+
+   A collection of sites to distribute keys across.
+
+.. zeek:type:: HashHRW::Site
+   :source-code: base/utils/hash_hrw.zeek 10 16
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`count`
+
+      A unique identifier for the site, should not exceed what
+      can be contained in a 32-bit integer.
+
+
+   .. zeek:field:: user_data :zeek:type:`any` :zeek:attr:`&optional`
+
+      Other data to associate with the site.
+
+
+   A site/node is a unique location to which you want a subset of keys
+   to be distributed.
+
+.. zeek:type:: HashHRW::SiteTable
+   :source-code: base/utils/hash_hrw.zeek 19 19
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`HashHRW::Site`
+
+   A table of sites, indexed by their id.
+
+Functions
+#########
+.. zeek:id:: HashHRW::add_site
+   :source-code: base/utils/hash_hrw.zeek 40 47
+
+   :Type: :zeek:type:`function` (pool: :zeek:type:`HashHRW::Pool`, site: :zeek:type:`HashHRW::Site`) : :zeek:type:`bool`
+
+   Add a site to a pool.
+   
+
+   :returns: F is the site is already in the pool, else T.
+
+.. zeek:id:: HashHRW::get_site
+   :source-code: base/utils/hash_hrw.zeek 58 76
+
+   :Type: :zeek:type:`function` (pool: :zeek:type:`HashHRW::Pool`, key: :zeek:type:`any`) : :zeek:type:`HashHRW::Site`
+
+
+   :returns: the site to which the key maps.
+
+.. zeek:id:: HashHRW::rem_site
+   :source-code: base/utils/hash_hrw.zeek 49 56
+
+   :Type: :zeek:type:`function` (pool: :zeek:type:`HashHRW::Pool`, site: :zeek:type:`HashHRW::Site`) : :zeek:type:`bool`
+
+   Remove a site from a pool.
+   
+
+   :returns: F if the site is not in the pool, else T.
+
+
diff --git a/doc/scripts/base/utils/numbers.zeek.rst b/doc/scripts/base/utils/numbers.zeek.rst
new file mode 100644
index 0000000000..ce48de7298
--- /dev/null
+++ b/doc/scripts/base/utils/numbers.zeek.rst
@@ -0,0 +1,38 @@
+:tocdepth: 3
+
+base/utils/numbers.zeek
+=======================
+
+
+
+Summary
+~~~~~~~
+Functions
+#########
+=============================================== =================================
+:zeek:id:`extract_count`: :zeek:type:`function` Extract an integer from a string.
+=============================================== =================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: extract_count
+   :source-code: base/utils/numbers.zeek 9 25
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, get_first: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`) : :zeek:type:`count`
+
+   Extract an integer from a string.
+   
+
+   :param s: The string to search for a number.
+   
+
+   :param get_first: Provide ``F`` if you would like the last number found.
+   
+
+   :returns: The request integer from the given string or ``0`` if
+            no integer was found.
+
+
diff --git a/doc/scripts/base/utils/packages.zeek.rst b/doc/scripts/base/utils/packages.zeek.rst
new file mode 100644
index 0000000000..b723d6d223
--- /dev/null
+++ b/doc/scripts/base/utils/packages.zeek.rst
@@ -0,0 +1,41 @@
+:tocdepth: 3
+
+base/utils/packages.zeek
+========================
+
+Rudimentary functions for helping with Zeek packages.
+
+
+Summary
+~~~~~~~
+Functions
+#########
+========================================== ==================================================
+:zeek:id:`can_load`: :zeek:type:`function` Checks whether @load of a given package name could
+                                           be successful.
+========================================== ==================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: can_load
+   :source-code: base/utils/packages.zeek 13 16
+
+   :Type: :zeek:type:`function` (p: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Checks whether @load of a given package name could
+   be successful.
+   
+   This tests for the existence of corresponding script files
+   in ZEEKPATH. It does not attempt to parse and validate
+   any actual Zeek script code.
+   
+
+   :param path: The filename, package or path to test.
+   
+
+   :returns: T if the given filename, package or path may load.
+
+
diff --git a/doc/scripts/base/utils/paths.zeek.rst b/doc/scripts/base/utils/paths.zeek.rst
new file mode 100644
index 0000000000..2d3edf7969
--- /dev/null
+++ b/doc/scripts/base/utils/paths.zeek.rst
@@ -0,0 +1,86 @@
+:tocdepth: 3
+
+base/utils/paths.zeek
+=====================
+
+Functions to parse and manipulate UNIX style paths and directories.
+
+
+Summary
+~~~~~~~
+Constants
+#########
+================================================== =
+:zeek:id:`absolute_path_pat`: :zeek:type:`pattern` 
+================================================== =
+
+Functions
+#########
+======================================================= ======================================================================
+:zeek:id:`build_path`: :zeek:type:`function`            Constructs a path to a file given a directory and a file name.
+:zeek:id:`build_path_compressed`: :zeek:type:`function` Returns a compressed path to a file given a directory and file name.
+:zeek:id:`extract_path`: :zeek:type:`function`          Given an arbitrary string, extracts a single, absolute path (directory
+                                                        with filename).
+======================================================= ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: absolute_path_pat
+   :source-code: base/utils/paths.zeek 3 3
+
+   :Type: :zeek:type:`pattern`
+   :Default:
+
+      ::
+
+         /^?((\/|[A-Za-z]:[\\\/]).*)$?/
+
+
+
+Functions
+#########
+.. zeek:id:: build_path
+   :source-code: base/utils/paths.zeek 32 38
+
+   :Type: :zeek:type:`function` (dir: :zeek:type:`string`, file_name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Constructs a path to a file given a directory and a file name.
+   
+
+   :param dir: the directory in which the file lives.
+   
+
+   :param file_name: the name of the file.
+   
+
+   :returns: the concatenation of the directory path and file name, or just
+            the file name if it's already an absolute path or dir is empty.
+
+.. zeek:id:: build_path_compressed
+   :source-code: base/utils/paths.zeek 42 45
+
+   :Type: :zeek:type:`function` (dir: :zeek:type:`string`, file_name: :zeek:type:`string`) : :zeek:type:`string`
+
+   Returns a compressed path to a file given a directory and file name.
+   See :zeek:id:`build_path` and :zeek:id:`compress_path`.
+
+.. zeek:id:: extract_path
+   :source-code: base/utils/paths.zeek 13 22
+
+   :Type: :zeek:type:`function` (input: :zeek:type:`string`) : :zeek:type:`string`
+
+   Given an arbitrary string, extracts a single, absolute path (directory
+   with filename).
+   
+   .. todo:: Make this work on Window's style directories.
+   
+
+   :param input: a string that may contain an absolute path.
+   
+
+   :returns: the first absolute path found in input string, else an empty string.
+
+
diff --git a/doc/scripts/base/utils/patterns.zeek.rst b/doc/scripts/base/utils/patterns.zeek.rst
new file mode 100644
index 0000000000..bdc92dced4
--- /dev/null
+++ b/doc/scripts/base/utils/patterns.zeek.rst
@@ -0,0 +1,106 @@
+:tocdepth: 3
+
+base/utils/patterns.zeek
+========================
+.. zeek:namespace:: GLOBAL
+
+Functions for creating and working with patterns.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Types
+#####
+==================================================== =
+:zeek:type:`PatternMatchResult`: :zeek:type:`record` 
+==================================================== =
+
+Functions
+#########
+=============================================== =========================================================================
+:zeek:id:`match_pattern`: :zeek:type:`function` Matches the given pattern against the given string, returning
+                                                a :zeek:type:`PatternMatchResult` record.
+:zeek:id:`set_to_regex`: :zeek:type:`function`  Given a pattern as a string with two tildes (~~) contained in it, it will
+                                                return a pattern with string set's elements OR'd together where the
+                                                double-tilde was given.
+=============================================== =========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: PatternMatchResult
+   :source-code: base/utils/patterns.zeek 37 44
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: matched :zeek:type:`bool`
+
+      T if a match was found, F otherwise.
+
+
+   .. zeek:field:: str :zeek:type:`string`
+
+      Portion of string that first matched.
+
+
+   .. zeek:field:: off :zeek:type:`count`
+
+      1-based offset where match starts.
+
+
+
+Functions
+#########
+.. zeek:id:: match_pattern
+   :source-code: base/utils/patterns.zeek 58 67
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, p: :zeek:type:`pattern`) : :zeek:type:`PatternMatchResult`
+
+   Matches the given pattern against the given string, returning
+   a :zeek:type:`PatternMatchResult` record.
+   For example: ``match_pattern("foobar", /o*[a-k]/)`` returns
+   ``[matched=T, str=f, off=1]``,  because the *first* match is for
+   zero o's followed by an [a-k], but ``match_pattern("foobar", /o+[a-k]/)``
+   returns ``[matched=T, str=oob, off=2]``.
+   
+
+   :param s: a string to match against.
+   
+
+   :param p: a pattern to match.
+   
+
+   :returns: a record indicating the match status.
+
+.. zeek:id:: set_to_regex
+   :source-code: base/utils/patterns.zeek 23 35
+
+   :Type: :zeek:type:`function` (ss: :zeek:type:`set` [:zeek:type:`string`], pat: :zeek:type:`string`) : :zeek:type:`pattern`
+
+   Given a pattern as a string with two tildes (~~) contained in it, it will
+   return a pattern with string set's elements OR'd together where the
+   double-tilde was given.  Examples:
+   
+     .. code-block:: zeek
+   
+       global r1 = set_to_regex(set("a", "b", "c"), "~~");
+       # r1 = /^?(a|b|c)$?/
+       global r2 = set_to_regex(set("a.com", "b.com", "c.com"), "\\.(~~)");
+       # r2 = /^?(\.(a\.com|b\.com|c\.com))$?/
+   
+
+   :param ss: a set of strings to OR together.
+   
+
+   :param pat: the pattern containing a "~~"  in it.  If a literal backslash is
+        included, it needs to be escaped with another backslash due to Zeek's
+        string parsing reducing it to a single backslash upon rendering.
+   
+
+   :returns: the input pattern with "~~" replaced by OR'd elements of input set.
+
+
diff --git a/doc/scripts/base/utils/queue.zeek.rst b/doc/scripts/base/utils/queue.zeek.rst
new file mode 100644
index 0000000000..ff8ca4ce91
--- /dev/null
+++ b/doc/scripts/base/utils/queue.zeek.rst
@@ -0,0 +1,197 @@
+:tocdepth: 3
+
+base/utils/queue.zeek
+=====================
+.. zeek:namespace:: Queue
+
+A FIFO queue.
+
+:Namespace: Queue
+
+Summary
+~~~~~~~
+Types
+#####
+================================================= ==========================================
+:zeek:type:`Queue::Queue`: :zeek:type:`record`    The internal data structure for the queue.
+:zeek:type:`Queue::Settings`: :zeek:type:`record` Settings for initializing the queue.
+================================================= ==========================================
+
+Redefinitions
+#############
+============================================== ==========================================================================================
+:zeek:type:`Queue::Queue`: :zeek:type:`record` 
+                                               
+                                               :New Fields: :zeek:type:`Queue::Queue`
+                                               
+                                                 initialized: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                               
+                                                 vals: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`any` :zeek:attr:`&optional`
+                                               
+                                                 settings: :zeek:type:`Queue::Settings` :zeek:attr:`&optional`
+                                               
+                                                 top: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                               
+                                                 bottom: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                               
+                                                 size: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+============================================== ==========================================================================================
+
+Functions
+#########
+=================================================== ==============================================================
+:zeek:id:`Queue::get`: :zeek:type:`function`        Get a value from the end of a queue.
+:zeek:id:`Queue::get_vector`: :zeek:type:`function` Get the contents of the queue as a vector.
+:zeek:id:`Queue::init`: :zeek:type:`function`       Initialize a queue record structure.
+:zeek:id:`Queue::len`: :zeek:type:`function`        Get the number of items in a queue.
+:zeek:id:`Queue::merge`: :zeek:type:`function`      Merge two queues together.
+:zeek:id:`Queue::peek`: :zeek:type:`function`       Peek at the value at the end of the queue without removing it.
+:zeek:id:`Queue::put`: :zeek:type:`function`        Put a value onto the beginning of a queue.
+=================================================== ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Queue::Queue
+   :source-code: base/utils/queue.zeek 15 16
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: initialized :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: vals :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`any` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: settings :zeek:type:`Queue::Settings` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: top :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: bottom :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: size :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+
+   The internal data structure for the queue.
+
+.. zeek:type:: Queue::Settings
+   :source-code: base/utils/queue.zeek 7 12
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: max_len :zeek:type:`count` :zeek:attr:`&optional`
+
+      If a maximum length is set for the queue
+      it will maintain itself at that
+      maximum length automatically.
+
+
+   Settings for initializing the queue.
+
+Functions
+#########
+.. zeek:id:: Queue::get
+   :source-code: base/utils/queue.zeek 105 111
+
+   :Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`) : :zeek:type:`any`
+
+   Get a value from the end of a queue.
+   
+
+   :param q: The queue to get the value from.
+   
+
+   :returns: The value gotten from the queue.
+
+.. zeek:id:: Queue::get_vector
+   :source-code: base/utils/queue.zeek 140 155
+
+   :Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`, ret: :zeek:type:`vector` of :zeek:type:`any`) : :zeek:type:`void`
+
+   Get the contents of the queue as a vector.
+   
+
+   :param q: The queue.
+   
+
+   :param ret: A vector containing the current contents of the queue
+        as the type of ret.
+
+.. zeek:id:: Queue::init
+   :source-code: base/utils/queue.zeek 88 95
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`Queue::Settings` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`) : :zeek:type:`Queue::Queue`
+
+   Initialize a queue record structure.
+   
+
+   :param s: A record which configures the queue.
+   
+
+   :returns: An opaque queue record.
+
+.. zeek:id:: Queue::len
+   :source-code: base/utils/queue.zeek 135 138
+
+   :Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`) : :zeek:type:`count`
+
+   Get the number of items in a queue.
+   
+
+   :param q: The queue.
+   
+
+   :returns: The length of the queue.
+
+.. zeek:id:: Queue::merge
+   :source-code: base/utils/queue.zeek 118 133
+
+   :Type: :zeek:type:`function` (q1: :zeek:type:`Queue::Queue`, q2: :zeek:type:`Queue::Queue`) : :zeek:type:`Queue::Queue`
+
+   Merge two queues together.  If any settings are applied
+   to the queues, the settings from *q1* are used for the new
+   merged queue.
+   
+
+   :param q1: The first queue.  Settings are taken from here.
+   
+
+   :param q2: The second queue.
+   
+
+   :returns: A new queue from merging the other two together.
+
+.. zeek:id:: Queue::peek
+   :source-code: base/utils/queue.zeek 113 116
+
+   :Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`) : :zeek:type:`any`
+
+   Peek at the value at the end of the queue without removing it.
+   
+
+   :param q: The queue to get the value from.
+   
+
+   :returns: The value at the end of the queue.
+
+.. zeek:id:: Queue::put
+   :source-code: base/utils/queue.zeek 97 103
+
+   :Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`, val: :zeek:type:`any`) : :zeek:type:`void`
+
+   Put a value onto the beginning of a queue.
+   
+
+   :param q: The queue to put the value into.
+   
+
+   :param val: The value to insert into the queue.
+
+
diff --git a/doc/scripts/base/utils/site.zeek.rst b/doc/scripts/base/utils/site.zeek.rst
new file mode 100644
index 0000000000..c81d1c772c
--- /dev/null
+++ b/doc/scripts/base/utils/site.zeek.rst
@@ -0,0 +1,266 @@
+:tocdepth: 3
+
+base/utils/site.zeek
+====================
+.. zeek:namespace:: Site
+
+Definitions describing a site - which networks and DNS zones are "local"
+and "neighbors", and servers running particular services.
+
+:Namespace: Site
+:Imports: :doc:`base/utils/patterns.zeek </scripts/base/utils/patterns.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================ ======================================================================
+:zeek:id:`Site::local_admins`: :zeek:type:`table` :zeek:attr:`&redef`        If local network administrators are known and they have responsibility
+                                                                             for defined address space, then a mapping can be defined here between
+                                                                             networks for which they have responsibility and a set of email
+                                                                             addresses.
+:zeek:id:`Site::local_nets`: :zeek:type:`set` :zeek:attr:`&redef`            Networks that are considered "local".
+:zeek:id:`Site::local_zones`: :zeek:type:`set` :zeek:attr:`&redef`           DNS zones that are considered "local".
+:zeek:id:`Site::neighbor_nets`: :zeek:type:`set` :zeek:attr:`&redef`         Networks that are considered "neighbors".
+:zeek:id:`Site::neighbor_zones`: :zeek:type:`set` :zeek:attr:`&redef`        DNS zones that are considered "neighbors".
+:zeek:id:`Site::private_address_space`: :zeek:type:`set` :zeek:attr:`&redef` A list of subnets that are considered private address space.
+============================================================================ ======================================================================
+
+Redefinable Options
+###################
+====================================================================================== =================================================================
+:zeek:id:`Site::private_address_space_is_local`: :zeek:type:`bool` :zeek:attr:`&redef` Whether Zeek should automatically consider private address ranges
+                                                                                       "local".
+====================================================================================== =================================================================
+
+State Variables
+###############
+===================================================== =====================================================================
+:zeek:id:`Site::local_nets_table`: :zeek:type:`table` This is used for retrieving the subnet when using multiple entries in
+                                                      :zeek:id:`Site::local_nets`.
+===================================================== =====================================================================
+
+Functions
+#########
+======================================================== =================================================================
+:zeek:id:`Site::get_emails`: :zeek:type:`function`       Function that returns a comma-separated list of email addresses
+                                                         that are considered administrators for the IP address provided as
+                                                         an argument.
+:zeek:id:`Site::is_local_addr`: :zeek:type:`function`    Function that returns true if an address corresponds to one of
+                                                         the local networks, false if not.
+:zeek:id:`Site::is_local_name`: :zeek:type:`function`    Function that returns true if a host name is within a local
+                                                         DNS zone.
+:zeek:id:`Site::is_neighbor_addr`: :zeek:type:`function` Function that returns true if an address corresponds to one of
+                                                         the neighbor networks, false if not.
+:zeek:id:`Site::is_neighbor_name`: :zeek:type:`function` Function that returns true if a host name is within a neighbor
+                                                         DNS zone.
+:zeek:id:`Site::is_private_addr`: :zeek:type:`function`  Function that returns true if an address corresponds to one of
+                                                         the private/unrouted networks, false if not.
+======================================================== =================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Site::local_admins
+   :source-code: base/utils/site.zeek 146 146
+
+   :Type: :zeek:type:`table` [:zeek:type:`subnet`] of :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   If local network administrators are known and they have responsibility
+   for defined address space, then a mapping can be defined here between
+   networks for which they have responsibility and a set of email
+   addresses.
+
+.. zeek:id:: Site::local_nets
+   :source-code: base/utils/site.zeek 124 124
+
+   :Type: :zeek:type:`set` [:zeek:type:`subnet`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Networks that are considered "local".  Note that ZeekControl sets
+   this automatically.
+
+.. zeek:id:: Site::local_zones
+   :source-code: base/utils/site.zeek 149 149
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   DNS zones that are considered "local".
+
+.. zeek:id:: Site::neighbor_nets
+   :source-code: base/utils/site.zeek 140 140
+
+   :Type: :zeek:type:`set` [:zeek:type:`subnet`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Networks that are considered "neighbors".
+
+.. zeek:id:: Site::neighbor_zones
+   :source-code: base/utils/site.zeek 152 152
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   DNS zones that are considered "neighbors".
+
+.. zeek:id:: Site::private_address_space
+   :source-code: base/utils/site.zeek 18 18
+
+   :Type: :zeek:type:`set` [:zeek:type:`subnet`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            64:ff9b:1::/48,
+            198.18.0.0/15,
+            fc00::/7,
+            100.64.0.0/10,
+            ::/128,
+            2002:ffff:ffff::/48,
+            ::1/128,
+            fec0::/10,
+            2002:cb00:7100::/40,
+            2002:c633:6400::/40,
+            240.0.0.0/4,
+            2002:a00::/24,
+            100::/64,
+            255.255.255.255/32,
+            192.0.0.0/24,
+            0.0.0.0/8,
+            239.0.0.0/8,
+            2001:2::/48,
+            172.16.0.0/12,
+            2002:c000:200::/40,
+            2002:f000::/20,
+            2002:7f00::/24,
+            2001::/23,
+            2002:6440::/26,
+            2002:c000::/40,
+            10.0.0.0/8,
+            127.0.0.0/8,
+            224.0.0.0/24,
+            192.0.2.0/24,
+            192.168.0.0/16,
+            2002:ac10::/28,
+            2002:a9fe::/32,
+            169.254.0.0/16,
+            2002:c612::/31,
+            2002::/24,
+            fe80::/10,
+            2001:db8::/32,
+            2002:ef00::/24,
+            203.0.113.0/24,
+            2002:e000::/40,
+            2002:c0a8::/32,
+            198.51.100.0/24
+         }
+
+
+   A list of subnets that are considered private address space.
+   
+   By default, it has address blocks defined by IANA as not being
+   routable over the Internet. Some address blocks are reserved for
+   purposes inconsistent with the address architecture (such as
+   5f00::/16), making them neither clearly private nor routable. We do
+   not include such blocks in this list.
+   
+   See the `IPv4 Special-Purpose Address Registry <https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml>`_
+   and the `IPv6 Special-Purpose Address Registry <https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml>`_
+
+Redefinable Options
+###################
+.. zeek:id:: Site::private_address_space_is_local
+   :source-code: base/utils/site.zeek 130 130
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether Zeek should automatically consider private address ranges
+   "local". On by default, this setting ensures that the initial value
+   of :zeek:id:`Site::private_address_space` as well as any later
+   updates to it get copied over into :zeek:id:`Site::local_nets`.
+
+State Variables
+###############
+.. zeek:id:: Site::local_nets_table
+   :source-code: base/utils/site.zeek 137 137
+
+   :Type: :zeek:type:`table` [:zeek:type:`subnet`] of :zeek:type:`subnet`
+   :Default: ``{}``
+
+   This is used for retrieving the subnet when using multiple entries in
+   :zeek:id:`Site::local_nets`.  It's populated automatically from there.
+   A membership query can be done with an
+   :zeek:type:`addr` and the table will yield the subnet it was found
+   within.
+
+Functions
+#########
+.. zeek:id:: Site::get_emails
+   :source-code: base/utils/site.zeek 257 260
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`string`
+
+   Function that returns a comma-separated list of email addresses
+   that are considered administrators for the IP address provided as
+   an argument.
+   The function inspects :zeek:id:`Site::local_admins`.
+
+.. zeek:id:: Site::is_local_addr
+   :source-code: base/utils/site.zeek 194 197
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`bool`
+
+   Function that returns true if an address corresponds to one of
+   the local networks, false if not.
+   The function inspects :zeek:id:`Site::local_nets`.
+
+.. zeek:id:: Site::is_local_name
+   :source-code: base/utils/site.zeek 209 212
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Function that returns true if a host name is within a local
+   DNS zone.
+   The function inspects :zeek:id:`Site::local_zones`.
+
+.. zeek:id:: Site::is_neighbor_addr
+   :source-code: base/utils/site.zeek 199 202
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`bool`
+
+   Function that returns true if an address corresponds to one of
+   the neighbor networks, false if not.
+   The function inspects :zeek:id:`Site::neighbor_nets`.
+
+.. zeek:id:: Site::is_neighbor_name
+   :source-code: base/utils/site.zeek 214 217
+
+   :Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Function that returns true if a host name is within a neighbor
+   DNS zone.
+   The function inspects :zeek:id:`Site::neighbor_zones`.
+
+.. zeek:id:: Site::is_private_addr
+   :source-code: base/utils/site.zeek 204 207
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`bool`
+
+   Function that returns true if an address corresponds to one of
+   the private/unrouted networks, false if not.
+   The function inspects :zeek:id:`Site::private_address_space`.
+
+
diff --git a/doc/scripts/base/utils/strings.zeek.rst b/doc/scripts/base/utils/strings.zeek.rst
new file mode 100644
index 0000000000..f7ad32876d
--- /dev/null
+++ b/doc/scripts/base/utils/strings.zeek.rst
@@ -0,0 +1,68 @@
+:tocdepth: 3
+
+base/utils/strings.zeek
+=======================
+
+Functions to assist with small string analysis and manipulation that can
+be implemented as Zeek functions and don't need to be implemented as built-in
+functions.
+
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================== ==================================================================
+:zeek:id:`cut_tail`: :zeek:type:`function`         Cut a number of characters from the end of the given string.
+:zeek:id:`is_string_binary`: :zeek:type:`function` Returns true if the given string is at least 25% composed of 8-bit
+                                                   characters.
+:zeek:id:`string_escape`: :zeek:type:`function`    Given a string, returns an escaped version.
+================================================== ==================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: cut_tail
+   :source-code: base/utils/strings.zeek 35 40
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, tail_len: :zeek:type:`count`) : :zeek:type:`string`
+
+   Cut a number of characters from the end of the given string.
+   
+
+   :param s: a string to trim.
+   
+
+   :param tail_len: the number of characters to remove from the end of the string.
+   
+
+   :returns: the given string with *tail_len* characters removed from the end.
+
+.. zeek:id:: is_string_binary
+   :source-code: base/utils/strings.zeek 7 10
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`bool`
+
+   Returns true if the given string is at least 25% composed of 8-bit
+   characters.
+
+.. zeek:id:: string_escape
+   :source-code: base/utils/strings.zeek 20 26
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`, chars: :zeek:type:`string`) : :zeek:type:`string`
+
+   Given a string, returns an escaped version.
+   
+
+   :param s: a string to escape.
+   
+
+   :param chars: a string containing all the characters that need to be escaped.
+   
+
+   :returns: a string with all occurrences of any character in *chars* escaped
+            using ``\``, and any literal ``\`` characters likewise escaped.
+
+
diff --git a/doc/scripts/base/utils/thresholds.zeek.rst b/doc/scripts/base/utils/thresholds.zeek.rst
new file mode 100644
index 0000000000..6c47ffeabe
--- /dev/null
+++ b/doc/scripts/base/utils/thresholds.zeek.rst
@@ -0,0 +1,118 @@
+:tocdepth: 3
+
+base/utils/thresholds.zeek
+==========================
+.. zeek:namespace:: GLOBAL
+
+Functions for using multiple thresholds with a counting tracker.  For
+example, you may want to generate a notice when something happens 10 times
+and again when it happens 100 times but nothing in between.  You can use
+the :zeek:id:`check_threshold` function to define your threshold points
+and the :zeek:type:`TrackCount` variable where you are keeping track of your
+counter.
+
+:Namespace: GLOBAL
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================= =========================================================
+:zeek:id:`default_notice_thresholds`: :zeek:type:`vector` :zeek:attr:`&redef` The thresholds you would like to use as defaults with the
+                                                                              :zeek:id:`default_check_threshold` function.
+============================================================================= =========================================================
+
+Types
+#####
+============================================ =
+:zeek:type:`TrackCount`: :zeek:type:`record` 
+============================================ =
+
+Functions
+#########
+========================================================= =====================================================================
+:zeek:id:`check_threshold`: :zeek:type:`function`         This will check if a :zeek:type:`TrackCount` variable has crossed any
+                                                          thresholds in a given set.
+:zeek:id:`default_check_threshold`: :zeek:type:`function` This will use the :zeek:id:`default_notice_thresholds` variable to
+                                                          check a :zeek:type:`TrackCount` variable to see if it has crossed
+                                                          another threshold.
+:zeek:id:`new_track_count`: :zeek:type:`function`         
+========================================================= =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: default_notice_thresholds
+   :source-code: base/utils/thresholds.zeek 22 22
+
+   :Type: :zeek:type:`vector` of :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         [30, 100, 1000, 10000, 100000, 1000000, 10000000]
+
+
+   The thresholds you would like to use as defaults with the
+   :zeek:id:`default_check_threshold` function.
+
+Types
+#####
+.. zeek:type:: TrackCount
+   :source-code: base/utils/thresholds.zeek 11 18
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: n :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The counter for the number of times something has happened.
+
+
+   .. zeek:field:: index :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      The index of the vector where the counter currently is.  This
+      is used to track which threshold is currently being watched
+      for.
+
+
+
+Functions
+#########
+.. zeek:id:: check_threshold
+   :source-code: base/utils/thresholds.zeek 49 57
+
+   :Type: :zeek:type:`function` (v: :zeek:type:`vector` of :zeek:type:`count`, tracker: :zeek:type:`TrackCount`) : :zeek:type:`bool`
+
+   This will check if a :zeek:type:`TrackCount` variable has crossed any
+   thresholds in a given set.
+   
+
+   :param v: a vector holding counts that represent thresholds.
+   
+
+   :param tracker: the record being used to track event counter and currently
+            monitored threshold value.
+   
+
+   :returns: T if a threshold has been crossed, else F.
+
+.. zeek:id:: default_check_threshold
+   :source-code: base/utils/thresholds.zeek 59 62
+
+   :Type: :zeek:type:`function` (tracker: :zeek:type:`TrackCount`) : :zeek:type:`bool`
+
+   This will use the :zeek:id:`default_notice_thresholds` variable to
+   check a :zeek:type:`TrackCount` variable to see if it has crossed
+   another threshold.
+
+.. zeek:id:: new_track_count
+   :source-code: base/utils/thresholds.zeek 43 47
+
+   :Type: :zeek:type:`function` () : :zeek:type:`TrackCount`
+
+
+
diff --git a/doc/scripts/base/utils/time.zeek.rst b/doc/scripts/base/utils/time.zeek.rst
new file mode 100644
index 0000000000..1949780933
--- /dev/null
+++ b/doc/scripts/base/utils/time.zeek.rst
@@ -0,0 +1,57 @@
+:tocdepth: 3
+
+base/utils/time.zeek
+====================
+
+Time-related functions.
+
+
+Summary
+~~~~~~~
+Constants
+#########
+===================================== ========================================
+:zeek:id:`null_ts`: :zeek:type:`time` Time value representing the 0 timestamp.
+===================================== ========================================
+
+Functions
+#########
+======================================================= ========================================================================
+:zeek:id:`duration_to_mins_secs`: :zeek:type:`function` Given an interval, returns a string representing the minutes and seconds
+                                                        in the interval (for example, "3m34s").
+:zeek:id:`get_packet_lag`: :zeek:type:`function`        Calculate the packet lag, i.e.
+======================================================= ========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: null_ts
+   :source-code: base/utils/time.zeek 12 12
+
+   :Type: :zeek:type:`time`
+   :Default: ``0.0``
+
+   Time value representing the 0 timestamp.
+
+Functions
+#########
+.. zeek:id:: duration_to_mins_secs
+   :source-code: base/utils/time.zeek 5 9
+
+   :Type: :zeek:type:`function` (dur: :zeek:type:`interval`) : :zeek:type:`string`
+
+   Given an interval, returns a string representing the minutes and seconds
+   in the interval (for example, "3m34s").
+
+.. zeek:id:: get_packet_lag
+   :source-code: base/utils/time.zeek 17 28
+
+   :Type: :zeek:type:`function` () : :zeek:type:`interval`
+
+   Calculate the packet lag, i.e. the difference between wall clock and the
+   timestamp of the currently processed packet. If Zeek is not processing a
+   packet, the function returns a 0 interval value.
+
+
diff --git a/doc/scripts/base/utils/urls.zeek.rst b/doc/scripts/base/utils/urls.zeek.rst
new file mode 100644
index 0000000000..7abcc32367
--- /dev/null
+++ b/doc/scripts/base/utils/urls.zeek.rst
@@ -0,0 +1,129 @@
+:tocdepth: 3
+
+base/utils/urls.zeek
+====================
+
+Functions for URL handling.
+
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================== ======================================================
+:zeek:id:`url_regex`: :zeek:type:`pattern` :zeek:attr:`&redef` A regular expression for matching and extracting URLs.
+============================================================== ======================================================
+
+Types
+#####
+===================================== =============================================
+:zeek:type:`URI`: :zeek:type:`record` A URI, as parsed by :zeek:id:`decompose_uri`.
+===================================== =============================================
+
+Functions
+#########
+============================================================== ==================================================
+:zeek:id:`decompose_uri`: :zeek:type:`function`                
+:zeek:id:`find_all_urls`: :zeek:type:`function`                Extracts URLs discovered in arbitrary text.
+:zeek:id:`find_all_urls_without_scheme`: :zeek:type:`function` Extracts URLs discovered in arbitrary text without
+                                                               the URL scheme included.
+============================================================== ==================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: url_regex
+   :source-code: base/utils/urls.zeek 7 7
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?(^([a-zA-Z\-]{3,5}):\/\/(-\.)?([^[:blank:]\/?\.#-]+\.?)+(\/[^[:blank:]]*)?)$?/
+
+
+   A regular expression for matching and extracting URLs.
+   This is the @imme_emosol regex from https://mathiasbynens.be/demo/url-regex, adapted for Zeek. It's
+   not perfect for all of their test cases, but it's one of the shorter ones that covers most of the
+   test cases.
+
+Types
+#####
+.. zeek:type:: URI
+   :source-code: base/utils/urls.zeek 10 29
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: scheme :zeek:type:`string` :zeek:attr:`&optional`
+
+      The URL's scheme..
+
+
+   .. zeek:field:: netlocation :zeek:type:`string`
+
+      The location, which could be a domain name or an IP address. Left empty if not
+      specified.
+
+
+   .. zeek:field:: portnum :zeek:type:`count` :zeek:attr:`&optional`
+
+      Port number, if included in URI.
+
+
+   .. zeek:field:: path :zeek:type:`string`
+
+      Full including the file name. Will be '/' if there's not path given.
+
+
+   .. zeek:field:: file_name :zeek:type:`string` :zeek:attr:`&optional`
+
+      Full file name, including extension, if there is a file name.
+
+
+   .. zeek:field:: file_base :zeek:type:`string` :zeek:attr:`&optional`
+
+      The base filename, without extension, if there is a file name.
+
+
+   .. zeek:field:: file_ext :zeek:type:`string` :zeek:attr:`&optional`
+
+      The filename's extension, if there is a file name.
+
+
+   .. zeek:field:: params :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&optional`
+
+      A table of all query parameters, mapping their keys to values, if there's a
+      query.
+
+
+   A URI, as parsed by :zeek:id:`decompose_uri`.
+
+Functions
+#########
+.. zeek:id:: decompose_uri
+   :source-code: base/utils/urls.zeek 52 135
+
+   :Type: :zeek:type:`function` (uri: :zeek:type:`string`) : :zeek:type:`URI`
+
+
+.. zeek:id:: find_all_urls
+   :source-code: base/utils/urls.zeek 32 35
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string_set`
+
+   Extracts URLs discovered in arbitrary text.
+
+.. zeek:id:: find_all_urls_without_scheme
+   :source-code: base/utils/urls.zeek 39 50
+
+   :Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string_set`
+
+   Extracts URLs discovered in arbitrary text without
+   the URL scheme included.
+
+
diff --git a/doc/scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek.rst b/doc/scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek.rst
new file mode 100644
index 0000000000..c1f4ea7206
--- /dev/null
+++ b/doc/scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek.rst
@@ -0,0 +1,124 @@
+:tocdepth: 3
+
+builtin-plugins/Zeek_JavaScript/__load__.zeek
+=============================================
+.. zeek:namespace:: JavaScript
+
+
+:Namespace: JavaScript
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+========================================================================================= =====================================================================
+:zeek:id:`JavaScript::exit_on_uncaught_exceptions`: :zeek:type:`bool` :zeek:attr:`&redef` Node.js default behavior is to exit a process on uncaught exceptions.
+:zeek:id:`JavaScript::files`: :zeek:type:`vector` :zeek:attr:`&redef`                     Vector of filenames to compile/execute after the bootstrap file.
+:zeek:id:`JavaScript::initial_heap_size_in_bytes`: :zeek:type:`count` :zeek:attr:`&redef` Be very conservative.
+:zeek:id:`JavaScript::main_script_source`: :zeek:type:`string` :zeek:attr:`&redef`        The Javascript code executed for bootstrapping.
+:zeek:id:`JavaScript::maximum_heap_size_in_bytes`: :zeek:type:`count` :zeek:attr:`&redef` 
+:zeek:id:`JavaScript::owns_node_inspector`: :zeek:type:`bool` :zeek:attr:`&redef`         If set to T, installs a SIGUSR1 handler and thread to
+                                                                                          start the Node.js / V8 inspector.
+:zeek:id:`JavaScript::owns_process_state`: :zeek:type:`bool` :zeek:attr:`&redef`          Allows to change process state (uid, title, cwd, ...).
+:zeek:id:`JavaScript::thread_pool_size`: :zeek:type:`count` :zeek:attr:`&redef`           
+========================================================================================= =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: JavaScript::exit_on_uncaught_exceptions
+   :source-code: builtin-plugins/Zeek_JavaScript/__load__.zeek 62 62
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Node.js default behavior is to exit a process on uncaught exceptions.
+   Specifically exceptions in timer callbacks are problematic as a throwing
+   timer callback may break subsequently scheduled timers.
+   
+   Set this to F in order to just keep going when errors happen. Note,
+   if you see any Uncaught errors, this likely means the Javascript
+   state is corrupt.
+
+.. zeek:id:: JavaScript::files
+   :source-code: builtin-plugins/Zeek_JavaScript/__load__.zeek 48 48
+
+   :Type: :zeek:type:`vector` of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         []
+
+
+   Vector of filenames to compile/execute after the bootstrap file.
+
+.. zeek:id:: JavaScript::initial_heap_size_in_bytes
+   :source-code: builtin-plugins/Zeek_JavaScript/__load__.zeek 51 51
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``67108864``
+
+   Be very conservative.
+
+.. zeek:id:: JavaScript::main_script_source
+   :source-code: builtin-plugins/Zeek_JavaScript/__load__.zeek 12 12
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"const module_mod = require('module')\x0aconst publicRequire = module_mod.createRequire(process.cwd() + '/');\x0aglobalThis.require = publicRequire;\x0a\x0aglobalThis.zeek_javascript_init = async () => {\x0a  const zeek = process._linkedBinding('zeekjs').zeek;\x0a  // Helper for zeek record rendering.\x0a  zeek.flatten = (obj, prefix, res) => {\x0a    res = res || {}\x0a    for (const k in obj) {\x0a      const nk = prefix ? `${prefix}.${k}` : k\x0a      const v = obj[k]\x0a\x0a      // Recurse for objects, unless it's actually an array, or has a\x0a      // custom toJSON() method (which is true for the port objects).\x0a      if (v !== null && typeof(v) == 'object' && !Array.isArray(v) && !('toJSON' in v)) {\x0a        zeek.flatten(v, nk, res)\x0a      } else {\x0a        res[nk] = v\x0a      }\x0a    }\x0a    return res\x0a  }\x0a\x0a  const m = new module_mod();\x0a  // Compile a new module that imports all .js files found using import().\x0a  //\x0a  // https://stackoverflow.com/a/17585470/9044112\x0a  return m._compile('const ps = []; zeek.__zeek_javascript_files.forEach((fn) => { ps.push(import(fn)); }); return Promise.all(ps);', process.cwd() + '/');\x0a};\x0a// Add a global zeek object from the linked zeekjs binding\x0aglobalThis.zeek = process._linkedBinding('zeekjs').zeek;\x0a"``
+
+   The Javascript code executed for bootstrapping.
+   This comes fairly straight from the embedding guide to support using
+   require() with filesystem paths in the process working directory.
+   
+   https://docs.w3cub.com/node~14_lts/embedding
+   
+
+.. zeek:id:: JavaScript::maximum_heap_size_in_bytes
+   :source-code: builtin-plugins/Zeek_JavaScript/__load__.zeek 52 52
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``134217728``
+
+
+.. zeek:id:: JavaScript::owns_node_inspector
+   :source-code: builtin-plugins/Zeek_JavaScript/__load__.zeek 75 75
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If set to T, installs a SIGUSR1 handler and thread to
+   start the Node.js / V8 inspector.
+   
+   See Node.js EnvironmentFlags API documentation for details.
+   https://github.com/nodejs/node/blob/v22.11.0/src/node.h#L631
+
+.. zeek:id:: JavaScript::owns_process_state
+   :source-code: builtin-plugins/Zeek_JavaScript/__load__.zeek 68 68
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Allows to change process state (uid, title, cwd, ...).
+   
+   See Node.js EnvironmentFlags API documentation for details.
+   https://github.com/nodejs/node/blob/v22.11.0/src/node.h#L627
+
+.. zeek:id:: JavaScript::thread_pool_size
+   :source-code: builtin-plugins/Zeek_JavaScript/__load__.zeek 53 53
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4``
+
+
+
diff --git a/doc/scripts/builtin-plugins/Zeek_JavaScript/index.rst b/doc/scripts/builtin-plugins/Zeek_JavaScript/index.rst
new file mode 100644
index 0000000000..10cfac495f
--- /dev/null
+++ b/doc/scripts/builtin-plugins/Zeek_JavaScript/index.rst
@@ -0,0 +1,9 @@
+:orphan:
+
+Package: builtin-plugins/Zeek_JavaScript
+========================================
+
+
+:doc:`/scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek`
+
+
diff --git a/doc/scripts/builtin-plugins/__load__.zeek.rst b/doc/scripts/builtin-plugins/__load__.zeek.rst
new file mode 100644
index 0000000000..39bff597dd
--- /dev/null
+++ b/doc/scripts/builtin-plugins/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+builtin-plugins/__load__.zeek
+=============================
+
+
+:Imports: :doc:`builtin-plugins/Zeek_JavaScript/__load__.zeek </scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/builtin-plugins/__preload__.zeek.rst b/doc/scripts/builtin-plugins/__preload__.zeek.rst
new file mode 100644
index 0000000000..327d6c9cb9
--- /dev/null
+++ b/doc/scripts/builtin-plugins/__preload__.zeek.rst
@@ -0,0 +1,13 @@
+:tocdepth: 3
+
+builtin-plugins/__preload__.zeek
+================================
+
+
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/builtin-plugins/index.rst b/doc/scripts/builtin-plugins/index.rst
new file mode 100644
index 0000000000..5ac9d8d294
--- /dev/null
+++ b/doc/scripts/builtin-plugins/index.rst
@@ -0,0 +1,15 @@
+:orphan:
+
+Package: builtin-plugins
+========================
+
+
+:doc:`/scripts/builtin-plugins/__preload__.zeek`
+
+
+:doc:`/scripts/builtin-plugins/__load__.zeek`
+
+
+:doc:`/scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek`
+
+
diff --git a/doc/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek.rst b/doc/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek.rst
new file mode 100644
index 0000000000..edda8f153d
--- /dev/null
+++ b/doc/scripts/policy/files/x509/disable-certificate-events-known-certs.zeek.rst
@@ -0,0 +1,52 @@
+:tocdepth: 3
+
+policy/files/x509/disable-certificate-events-known-certs.zeek
+=============================================================
+.. zeek:namespace:: DisableX509Events
+
+This script disables repeat certificate events for hosts for hosts for which the same
+certificate was seen in the recent past;
+
+This script specifically plugs into the event caching mechanism that is set up by the
+base X509 script certificate-event-cache.zeek. It adds another layer of tracking that
+checks if the same certificate was seen for the server IP address before, when the same
+SNI was used to connect. If the certificate is in the event cache and all of these conditions
+apply, then no certificate related events will be raised.
+
+Please note that while this optimization can lead to a considerable reduction of load in some
+settings, it also means that certain detection scripts that rely on the certificate events being
+raised do no longer work - since the events will not be raised for all connections.
+
+Currently this script only works for X509 certificates that are sent via SSL/TLS connections.
+
+If you use any script that requires certificate events for each single connection,
+you should not load this script.
+
+:Namespace: DisableX509Events
+:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+====================================================================================== ==================================================================================================
+:zeek:type:`SSL::Info`: :zeek:type:`record`                                            
+                                                                                       
+                                                                                       :New Fields: :zeek:type:`SSL::Info`
+                                                                                       
+                                                                                         always_raise_x509_events: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                                                           Set to true to force certificate events to always be raised for this connection.
+:zeek:type:`X509::Info`: :zeek:type:`record`                                           
+                                                                                       
+                                                                                       :New Fields: :zeek:type:`X509::Info`
+                                                                                       
+                                                                                         always_raise_x509_events: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                                                           Set to true to force certificate events to always be raised for this certificate.
+:zeek:id:`X509::certificate_cache_max_entries`: :zeek:type:`count` :zeek:attr:`&redef` Let's be a bit more generous with the number of certificates that we allow to be put into
+                                                                                       the cache.
+====================================================================================== ==================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/analyzer/debug-logging.zeek.rst b/doc/scripts/policy/frameworks/analyzer/debug-logging.zeek.rst
new file mode 100644
index 0000000000..917dfbc4f9
--- /dev/null
+++ b/doc/scripts/policy/frameworks/analyzer/debug-logging.zeek.rst
@@ -0,0 +1,173 @@
+:tocdepth: 3
+
+policy/frameworks/analyzer/debug-logging.zeek
+=============================================
+.. zeek:namespace:: Analyzer::DebugLogging
+
+Logging analyzer confirmations and violations into analyzer-debug.log
+
+:Namespace: Analyzer::DebugLogging
+:Imports: :doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`, :doc:`base/frameworks/config </scripts/base/frameworks/config/index>`, :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================================ ======================================================================
+:zeek:id:`Analyzer::DebugLogging::enable`: :zeek:type:`bool` :zeek:attr:`&redef`                 Enable logging of analyzer violations and optionally confirmations
+                                                                                                 when :zeek:see:`Analyzer::DebugLogging::include_confirmations` is set.
+:zeek:id:`Analyzer::DebugLogging::failure_data_max_size`: :zeek:type:`count` :zeek:attr:`&redef` If a violation contains information about the data causing it,
+                                                                                                 include at most this many bytes of it in the log.
+:zeek:id:`Analyzer::DebugLogging::ignore_analyzers`: :zeek:type:`set` :zeek:attr:`&redef`        Set of analyzers for which to not log confirmations or violations.
+:zeek:id:`Analyzer::DebugLogging::include_confirmations`: :zeek:type:`bool` :zeek:attr:`&redef`  Enable analyzer_confirmation.
+:zeek:id:`Analyzer::DebugLogging::include_disabling`: :zeek:type:`bool` :zeek:attr:`&redef`      Enable tracking of analyzers getting disabled.
+================================================================================================ ======================================================================
+
+Types
+#####
+============================================================== ===========================================================================
+:zeek:type:`Analyzer::DebugLogging::Info`: :zeek:type:`record` The record type defining the columns to log in the analyzer logging stream.
+============================================================== ===========================================================================
+
+Redefinitions
+#############
+======================================= ===========================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` Add the analyzer logging stream identifier.
+                                        
+                                        * :zeek:enum:`Analyzer::DebugLogging::LOG`
+======================================= ===========================================
+
+Hooks
+#####
+=========================================================================== =============================================
+:zeek:id:`Analyzer::DebugLogging::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+=========================================================================== =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Analyzer::DebugLogging::enable
+   :source-code: policy/frameworks/analyzer/debug-logging.zeek 46 46
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Enable logging of analyzer violations and optionally confirmations
+   when :zeek:see:`Analyzer::DebugLogging::include_confirmations` is set.
+
+.. zeek:id:: Analyzer::DebugLogging::failure_data_max_size
+   :source-code: policy/frameworks/analyzer/debug-logging.zeek 63 63
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``40``
+
+   If a violation contains information about the data causing it,
+   include at most this many bytes of it in the log.
+
+.. zeek:id:: Analyzer::DebugLogging::ignore_analyzers
+   :source-code: policy/frameworks/analyzer/debug-logging.zeek 66 66
+
+   :Type: :zeek:type:`set` [:zeek:type:`AllAnalyzers::Tag`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Set of analyzers for which to not log confirmations or violations.
+
+.. zeek:id:: Analyzer::DebugLogging::include_confirmations
+   :source-code: policy/frameworks/analyzer/debug-logging.zeek 53 53
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Enable analyzer_confirmation. They are usually less interesting
+   outside of development of analyzers or troubleshooting scenarios.
+   Setting this option may also generated multiple log entries per
+   connection, minimally one for each conn.log entry with a populated
+   service field.
+
+.. zeek:id:: Analyzer::DebugLogging::include_disabling
+   :source-code: policy/frameworks/analyzer/debug-logging.zeek 59 59
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Enable tracking of analyzers getting disabled. This is mostly
+   interesting for troubleshooting of analyzers in DPD scenarios.
+   Setting this option may also generated multiple log entries per
+   connection.
+
+Types
+#####
+.. zeek:type:: Analyzer::DebugLogging::Info
+   :source-code: policy/frameworks/analyzer/debug-logging.zeek 17 42
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp of confirmation or violation.
+
+
+   .. zeek:field:: cause :zeek:type:`string` :zeek:attr:`&log`
+
+      What caused this log entry to be produced. This can
+      currently be "violation", "confirmation", or "disabled".
+
+
+   .. zeek:field:: analyzer_kind :zeek:type:`string` :zeek:attr:`&log`
+
+      The kind of analyzer involved. Currently "packet", "file"
+      or "protocol".
+
+
+   .. zeek:field:: analyzer_name :zeek:type:`string` :zeek:attr:`&log`
+
+      The name of the analyzer as produced by :zeek:see:`Analyzer::name`
+      for the analyzer's tag.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Connection UID if available.
+
+
+   .. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      File UID if available.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Connection identifier if available
+
+
+   .. zeek:field:: failure_reason :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Failure or violation reason, if available.
+
+
+   .. zeek:field:: failure_data :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Data causing failure or violation if available. Truncated
+      to :zeek:see:`Analyzer::DebugLogging::failure_data_max_size`.
+
+
+   The record type defining the columns to log in the analyzer logging stream.
+
+Hooks
+#####
+.. zeek:id:: Analyzer::DebugLogging::log_policy
+   :source-code: policy/frameworks/analyzer/debug-logging.zeek 14 14
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/policy/frameworks/analyzer/detect-protocols.zeek.rst b/doc/scripts/policy/frameworks/analyzer/detect-protocols.zeek.rst
new file mode 100644
index 0000000000..ddb5740672
--- /dev/null
+++ b/doc/scripts/policy/frameworks/analyzer/detect-protocols.zeek.rst
@@ -0,0 +1,152 @@
+:tocdepth: 3
+
+policy/frameworks/analyzer/detect-protocols.zeek
+================================================
+.. zeek:namespace:: ProtocolDetector
+
+Finds connections with protocols on non-standard ports with DPD.
+
+:Namespace: ProtocolDetector
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`, :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================== =
+:zeek:id:`ProtocolDetector::minimum_duration`: :zeek:type:`interval` :zeek:attr:`&redef` 
+:zeek:id:`ProtocolDetector::minimum_volume`: :zeek:type:`double` :zeek:attr:`&redef`     
+:zeek:id:`ProtocolDetector::suppress_servers`: :zeek:type:`set` :zeek:attr:`&redef`      
+:zeek:id:`ProtocolDetector::valids`: :zeek:type:`table` :zeek:attr:`&redef`              
+======================================================================================== =
+
+Constants
+#########
+================================================================== =
+:zeek:id:`ProtocolDetector::check_interval`: :zeek:type:`interval` 
+================================================================== =
+
+State Variables
+###############
+================================================================================================== =
+:zeek:id:`ProtocolDetector::servers`: :zeek:type:`table` :zeek:attr:`&read_expire` = ``14.0 days`` 
+================================================================================================== =
+
+Types
+#####
+===================================================== =
+:zeek:type:`ProtocolDetector::dir`: :zeek:type:`enum` 
+===================================================== =
+
+Redefinitions
+#############
+============================================ ===============================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`ProtocolDetector::Protocol_Found`
+                                             
+                                             * :zeek:enum:`ProtocolDetector::Server_Found`
+============================================ ===============================================
+
+Hooks
+#####
+======================================================================================== =======================================================
+:zeek:id:`ProtocolDetector::finalize_protocol_detection`: :zeek:type:`Conn::RemovalHook` Non-standard protocol port detection finalization hook.
+======================================================================================== =======================================================
+
+Functions
+#########
+================================================================== =
+:zeek:id:`ProtocolDetector::found_protocol`: :zeek:type:`function` 
+================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: ProtocolDetector::minimum_duration
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 56 56
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``30.0 secs``
+
+
+.. zeek:id:: ProtocolDetector::minimum_volume
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 57 57
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``4000.0``
+
+
+.. zeek:id:: ProtocolDetector::suppress_servers
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 48 48
+
+   :Type: :zeek:type:`set` [:zeek:type:`AllAnalyzers::Tag`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+
+.. zeek:id:: ProtocolDetector::valids
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 25 25
+
+   :Type: :zeek:type:`table` [:zeek:type:`AllAnalyzers::Tag`, :zeek:type:`addr`, :zeek:type:`port`] of :zeek:type:`ProtocolDetector::dir`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+
+Constants
+#########
+.. zeek:id:: ProtocolDetector::check_interval
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 60 60
+
+   :Type: :zeek:type:`interval`
+   :Default: ``5.0 secs``
+
+
+State Variables
+###############
+.. zeek:id:: ProtocolDetector::servers
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 69 69
+
+   :Type: :zeek:type:`table` [:zeek:type:`addr`, :zeek:type:`port`, :zeek:type:`string`] of :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&read_expire` = ``14.0 days``
+   :Default: ``{}``
+
+
+Types
+#####
+.. zeek:type:: ProtocolDetector::dir
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 23 24
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: ProtocolDetector::NONE ProtocolDetector::dir
+
+      .. zeek:enum:: ProtocolDetector::INCOMING ProtocolDetector::dir
+
+      .. zeek:enum:: ProtocolDetector::OUTGOING ProtocolDetector::dir
+
+      .. zeek:enum:: ProtocolDetector::BOTH ProtocolDetector::dir
+
+
+Hooks
+#####
+.. zeek:id:: ProtocolDetector::finalize_protocol_detection
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 189 199
+
+   :Type: :zeek:type:`Conn::RemovalHook`
+
+   Non-standard protocol port detection finalization hook.
+
+Functions
+#########
+.. zeek:id:: ProtocolDetector::found_protocol
+   :source-code: policy/frameworks/analyzer/detect-protocols.zeek 227 238
+
+   :Type: :zeek:type:`function` (c: :zeek:type:`connection`, atype: :zeek:type:`AllAnalyzers::Tag`, protocol: :zeek:type:`string`) : :zeek:type:`void`
+
+
+
diff --git a/doc/scripts/policy/frameworks/analyzer/packet-segment-logging.zeek.rst b/doc/scripts/policy/frameworks/analyzer/packet-segment-logging.zeek.rst
new file mode 100644
index 0000000000..e63e9ba694
--- /dev/null
+++ b/doc/scripts/policy/frameworks/analyzer/packet-segment-logging.zeek.rst
@@ -0,0 +1,56 @@
+:tocdepth: 3
+
+policy/frameworks/analyzer/packet-segment-logging.zeek
+======================================================
+.. zeek:namespace:: Analyzer::Logging
+
+This script enables logging of packet segment data when a protocol
+parsing violation is encountered.  The amount of data from the
+packet logged is set by the :zeek:see:`Analyzer::Logging::packet_segment_size` variable.
+A caveat to logging packet data is that in some cases, the packet may
+not be the packet that actually caused the protocol violation.
+
+:Namespace: Analyzer::Logging
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================= =====================================================
+:zeek:id:`Analyzer::Logging::packet_segment_size`: :zeek:type:`int` :zeek:attr:`&redef` Size of the packet segment to display in the DPD log.
+======================================================================================= =====================================================
+
+Redefinitions
+#############
+========================================================= ==============================================================================
+:zeek:type:`Analyzer::Logging::Info`: :zeek:type:`record` 
+                                                          
+                                                          :New Fields: :zeek:type:`Analyzer::Logging::Info`
+                                                          
+                                                            packet_segment: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                              A chunk of the payload that most likely resulted in the
+                                                              analyzer violation.
+:zeek:type:`connection`: :zeek:type:`record`              
+                                                          
+                                                          :New Fields: :zeek:type:`connection`
+                                                          
+                                                            packet_segment: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                              A chunk of the payload that most likely resulted in a
+                                                              analyzer violation.
+========================================================= ==============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Analyzer::Logging::packet_segment_size
+   :source-code: policy/frameworks/analyzer/packet-segment-logging.zeek 23 23
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``255``
+
+   Size of the packet segment to display in the DPD log.
+
+
diff --git a/doc/scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek.rst b/doc/scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek.rst
new file mode 100644
index 0000000000..ab4f2808f1
--- /dev/null
+++ b/doc/scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/cluster/backend/zeromq/__load__.zeek
+======================================================
+
+
+:Imports: :doc:`policy/frameworks/cluster/backend/zeromq/main.zeek </scripts/policy/frameworks/cluster/backend/zeromq/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek.rst b/doc/scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek.rst
new file mode 100644
index 0000000000..f8ed6d83f3
--- /dev/null
+++ b/doc/scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek.rst
@@ -0,0 +1,17 @@
+:tocdepth: 3
+
+policy/frameworks/cluster/backend/zeromq/connect.zeek
+=====================================================
+.. zeek:namespace:: Cluster::Backend::ZeroMQ
+
+Establish ZeroMQ connectivity with the broker.
+
+:Namespace: Cluster::Backend::ZeroMQ
+:Imports: :doc:`policy/frameworks/cluster/backend/zeromq/main.zeek </scripts/policy/frameworks/cluster/backend/zeromq/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/cluster/backend/zeromq/index.rst b/doc/scripts/policy/frameworks/cluster/backend/zeromq/index.rst
new file mode 100644
index 0000000000..0df28f2093
--- /dev/null
+++ b/doc/scripts/policy/frameworks/cluster/backend/zeromq/index.rst
@@ -0,0 +1,79 @@
+:orphan:
+
+Package: policy/frameworks/cluster/backend/zeromq
+=================================================
+
+
+:doc:`/scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+   ZeroMQ cluster backend support.
+   
+   Overview
+   
+   For publish-subscribe functionality, one node in the Zeek cluster spawns a
+   thread running a central broker listening on a XPUB and XSUB socket.
+   These sockets are connected via `zmq_proxy() <https://libzmq.readthedocs.io/en/latest/zmq_proxy.html>`_.
+   All other nodes connect to this central broker with their own XSUB and
+   XPUB sockets, establishing a global many-to-many publish-subscribe system
+   where each node sees subscriptions and messages from all other nodes in a
+   Zeek cluster. ZeroMQ's `publish-subscribe pattern <http://api.zeromq.org/4-2:zmq-socket#toc9>`_
+   documentation may be a good starting point. Elsewhere in ZeroMQ's documentation,
+   the central broker is also called `forwarder <http://api.zeromq.org/4-2:zmq-proxy#toc5>`_.
+   
+   For remote logging functionality, the ZeroMQ `pipeline pattern <http://api.zeromq.org/4-2:zmq-socket#toc14>`_
+   is used. All logger nodes listen on a PULL socket. Other nodes connect
+   via PUSH sockets to all of the loggers. Concretely, remote logging
+   functionality is not publish-subscribe, but instead leverages ZeroMQ's
+   built-in load-balancing functionality provided by PUSH and PULL
+   sockets.
+   
+   The ZeroMQ cluster backend technically allows to run a non-Zeek central
+   broker (it only needs to offer XPUB and XSUB sockets). Further, it is
+   possible to run non-Zeek logger nodes. All a logger node needs to do is
+   open a ZeroMQ PULL socket and interpret the format used by Zeek nodes
+   to send their log writes.
+   
+   Overload Behavior
+   
+   The ZeroMQ cluster backend by default drops outgoing and incoming events
+   when the Zeek cluster is overloaded. Dropping of outgoing events is governed
+   by the :zeek:see:`Cluster::Backend::ZeroMQ::xpub_sndhwm` setting. This
+   is the High Water Mark (HWM) for the local XPUB socket's queue. Once reached,
+   any outgoing events are dropped until there's room in the socket's queue again.
+   The metric ``zeek_cluster_zeromq_xpub_drops_total`` is incremented for every
+   dropped event.
+   
+   For incoming events, the :zeek:see:`Cluster::Backend::ZeroMQ::onloop_queue_hwm`
+   setting is used. Remote events received via the local XSUB socket are first
+   enqueued as raw event messages for processing on Zeek's main event loop.
+   When this queue is full due to more remote events incoming than Zeek
+   can possibly process in an event loop iteration, incoming events are dropped
+   and the ``zeek_cluster_zeromq_onloop_drops_total`` metric is incremented.
+   
+   Incoming log batches or subscription and unsubscription events are passed
+   through the onloop queue, but the HWM does currently not apply to them. The
+   assumption is that 1) these are not frequent and 2) more important than
+   arbitrary publish-subscribe events.
+   
+   To avoid dropping any events (e.g. for performance testing or offline PCAP
+   processing), the recommended strategy is to set both
+   :zeek:see:`Cluster::Backend::ZeroMQ::xpub_sndhwm` and
+   :zeek:see:`Cluster::Backend::ZeroMQ::onloop_queue_hwm` to ``0``,
+   disabling the HWM and dropping logic. It is up to the user to monitor CPU
+   and memory usage of individual nodes to avoid overloading and running into
+   out-of-memory situations.
+   
+   As a Zeek operator, you should monitor ``zeek_cluster_zeromq_xpub_drops_total``
+   and ``zeek_cluster_zeromq_onloop_drops_total``. Any non-zero values for these
+   metrics indicate an overloaded Zeek cluster. See the the cluster telemetry
+   options :zeek:see:`Cluster::Telemetry::core_metrics` and
+   :zeek:see:`Cluster::Telemetry::websocket_metrics` for ways to get a better
+   understanding about the events published and received.
+
+:doc:`/scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek`
+
+   Establish ZeroMQ connectivity with the broker.
+
diff --git a/doc/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek.rst b/doc/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek.rst
new file mode 100644
index 0000000000..f1ceb0d9ef
--- /dev/null
+++ b/doc/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek.rst
@@ -0,0 +1,608 @@
+:tocdepth: 3
+
+policy/frameworks/cluster/backend/zeromq/main.zeek
+==================================================
+.. zeek:namespace:: Cluster::Backend::ZeroMQ
+
+ZeroMQ cluster backend support.
+
+Overview
+
+For publish-subscribe functionality, one node in the Zeek cluster spawns a
+thread running a central broker listening on a XPUB and XSUB socket.
+These sockets are connected via `zmq_proxy() <https://libzmq.readthedocs.io/en/latest/zmq_proxy.html>`_.
+All other nodes connect to this central broker with their own XSUB and
+XPUB sockets, establishing a global many-to-many publish-subscribe system
+where each node sees subscriptions and messages from all other nodes in a
+Zeek cluster. ZeroMQ's `publish-subscribe pattern <http://api.zeromq.org/4-2:zmq-socket#toc9>`_
+documentation may be a good starting point. Elsewhere in ZeroMQ's documentation,
+the central broker is also called `forwarder <http://api.zeromq.org/4-2:zmq-proxy#toc5>`_.
+
+For remote logging functionality, the ZeroMQ `pipeline pattern <http://api.zeromq.org/4-2:zmq-socket#toc14>`_
+is used. All logger nodes listen on a PULL socket. Other nodes connect
+via PUSH sockets to all of the loggers. Concretely, remote logging
+functionality is not publish-subscribe, but instead leverages ZeroMQ's
+built-in load-balancing functionality provided by PUSH and PULL
+sockets.
+
+The ZeroMQ cluster backend technically allows to run a non-Zeek central
+broker (it only needs to offer XPUB and XSUB sockets). Further, it is
+possible to run non-Zeek logger nodes. All a logger node needs to do is
+open a ZeroMQ PULL socket and interpret the format used by Zeek nodes
+to send their log writes.
+
+Overload Behavior
+
+The ZeroMQ cluster backend by default drops outgoing and incoming events
+when the Zeek cluster is overloaded. Dropping of outgoing events is governed
+by the :zeek:see:`Cluster::Backend::ZeroMQ::xpub_sndhwm` setting. This
+is the High Water Mark (HWM) for the local XPUB socket's queue. Once reached,
+any outgoing events are dropped until there's room in the socket's queue again.
+The metric ``zeek_cluster_zeromq_xpub_drops_total`` is incremented for every
+dropped event.
+
+For incoming events, the :zeek:see:`Cluster::Backend::ZeroMQ::onloop_queue_hwm`
+setting is used. Remote events received via the local XSUB socket are first
+enqueued as raw event messages for processing on Zeek's main event loop.
+When this queue is full due to more remote events incoming than Zeek
+can possibly process in an event loop iteration, incoming events are dropped
+and the ``zeek_cluster_zeromq_onloop_drops_total`` metric is incremented.
+
+Incoming log batches or subscription and unsubscription events are passed
+through the onloop queue, but the HWM does currently not apply to them. The
+assumption is that 1) these are not frequent and 2) more important than
+arbitrary publish-subscribe events.
+
+To avoid dropping any events (e.g. for performance testing or offline PCAP
+processing), the recommended strategy is to set both
+:zeek:see:`Cluster::Backend::ZeroMQ::xpub_sndhwm` and
+:zeek:see:`Cluster::Backend::ZeroMQ::onloop_queue_hwm` to ``0``,
+disabling the HWM and dropping logic. It is up to the user to monitor CPU
+and memory usage of individual nodes to avoid overloading and running into
+out-of-memory situations.
+
+As a Zeek operator, you should monitor ``zeek_cluster_zeromq_xpub_drops_total``
+and ``zeek_cluster_zeromq_onloop_drops_total``. Any non-zero values for these
+metrics indicate an overloaded Zeek cluster. See the the cluster telemetry
+options :zeek:see:`Cluster::Telemetry::core_metrics` and
+:zeek:see:`Cluster::Telemetry::websocket_metrics` for ways to get a better
+understanding about the events published and received.
+
+:Namespace: Cluster::Backend::ZeroMQ
+:Imports: :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=================================================================================================== ==================================================================
+:zeek:id:`Cluster::Backend::ZeroMQ::connect_log_endpoints`: :zeek:type:`vector` :zeek:attr:`&redef` Vector of ZeroMQ endpoints to connect to for logging.
+:zeek:id:`Cluster::Backend::ZeroMQ::connect_xpub_endpoint`: :zeek:type:`string` :zeek:attr:`&redef` The central broker's XPUB endpoint to connect to.
+:zeek:id:`Cluster::Backend::ZeroMQ::connect_xpub_nodrop`: :zeek:type:`bool` :zeek:attr:`&redef`     Do not silently drop messages if high-water-mark is reached.
+:zeek:id:`Cluster::Backend::ZeroMQ::connect_xsub_endpoint`: :zeek:type:`string` :zeek:attr:`&redef` The central broker's XSUB endpoint to connect to.
+:zeek:id:`Cluster::Backend::ZeroMQ::debug_flags`: :zeek:type:`count` :zeek:attr:`&redef`            Bitmask to enable low-level stderr based debug printing.
+:zeek:id:`Cluster::Backend::ZeroMQ::hello_expiration`: :zeek:type:`interval` :zeek:attr:`&redef`    Expiration for hello state.
+:zeek:id:`Cluster::Backend::ZeroMQ::internal_topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef` The topic prefix used for internal ZeroMQ specific communication.
+:zeek:id:`Cluster::Backend::ZeroMQ::ipv6`: :zeek:type:`bool` :zeek:attr:`&redef`                    Set ZMQ_IPV6 option.
+:zeek:id:`Cluster::Backend::ZeroMQ::linger_ms`: :zeek:type:`int` :zeek:attr:`&redef`                Configure the ZeroMQ's sockets linger value.
+:zeek:id:`Cluster::Backend::ZeroMQ::listen_log_endpoint`: :zeek:type:`string` :zeek:attr:`&redef`   PULL socket address to listen on for log messages.
+:zeek:id:`Cluster::Backend::ZeroMQ::listen_xpub_endpoint`: :zeek:type:`string` :zeek:attr:`&redef`  XPUB listen endpoint for the central broker.
+:zeek:id:`Cluster::Backend::ZeroMQ::listen_xpub_nodrop`: :zeek:type:`bool` :zeek:attr:`&redef`      Do not silently drop messages if high-water-mark is reached.
+:zeek:id:`Cluster::Backend::ZeroMQ::listen_xsub_endpoint`: :zeek:type:`string` :zeek:attr:`&redef`  XSUB listen endpoint for the central broker.
+:zeek:id:`Cluster::Backend::ZeroMQ::log_immediate`: :zeek:type:`bool` :zeek:attr:`&redef`           Configure ZeroMQ's immediate setting on PUSH sockets
+:zeek:id:`Cluster::Backend::ZeroMQ::log_rcvbuf`: :zeek:type:`int` :zeek:attr:`&redef`               Kernel receive buffer size for log sockets.
+:zeek:id:`Cluster::Backend::ZeroMQ::log_rcvhwm`: :zeek:type:`int` :zeek:attr:`&redef`               Receive high water mark value for the log PULL sockets.
+:zeek:id:`Cluster::Backend::ZeroMQ::log_sndbuf`: :zeek:type:`int` :zeek:attr:`&redef`               Kernel transmit buffer size for log sockets.
+:zeek:id:`Cluster::Backend::ZeroMQ::log_sndhwm`: :zeek:type:`int` :zeek:attr:`&redef`               Send high water mark value for the log PUSH sockets.
+:zeek:id:`Cluster::Backend::ZeroMQ::onloop_queue_hwm`: :zeek:type:`count` :zeek:attr:`&redef`       Maximum number of incoming events queued for Zeek's event loop.
+:zeek:id:`Cluster::Backend::ZeroMQ::poll_max_messages`: :zeek:type:`count` :zeek:attr:`&redef`      Messages to receive before yielding.
+:zeek:id:`Cluster::Backend::ZeroMQ::proxy_io_threads`: :zeek:type:`count` :zeek:attr:`&redef`       How many IO threads to configure for the ZeroMQ context that
+                                                                                                    acts as a central broker.
+:zeek:id:`Cluster::Backend::ZeroMQ::run_proxy_thread`: :zeek:type:`bool` :zeek:attr:`&redef`        Toggle for running a central ZeroMQ XPUB-XSUB broker on this node.
+:zeek:id:`Cluster::Backend::ZeroMQ::xpub_sndbuf`: :zeek:type:`int` :zeek:attr:`&redef`              Kernel transmit buffer size for the XPUB socket.
+:zeek:id:`Cluster::Backend::ZeroMQ::xpub_sndhwm`: :zeek:type:`int` :zeek:attr:`&redef`              Send high water mark value for the XPUB socket.
+:zeek:id:`Cluster::Backend::ZeroMQ::xsub_rcvbuf`: :zeek:type:`int` :zeek:attr:`&redef`              Kernel receive buffer size for the XSUB socket.
+:zeek:id:`Cluster::Backend::ZeroMQ::xsub_rcvhwm`: :zeek:type:`int` :zeek:attr:`&redef`              Receive high water mark value for the XSUB socket.
+=================================================================================================== ==================================================================
+
+State Variables
+###############
+================================================================================================= ================================
+:zeek:id:`Cluster::Backend::ZeroMQ::node_topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef`   The node topic prefix to use.
+:zeek:id:`Cluster::Backend::ZeroMQ::nodeid_topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef` The node_id topic prefix to use.
+================================================================================================= ================================
+
+Redefinitions
+#############
+================================================================================================================= =
+:zeek:id:`Cluster::Backend::ZeroMQ::run_proxy_thread`: :zeek:type:`bool` :zeek:attr:`&redef`                      
+:zeek:id:`Cluster::Telemetry::topic_normalizations`: :zeek:type:`table` :zeek:attr:`&ordered` :zeek:attr:`&redef` 
+:zeek:id:`Cluster::backend`: :zeek:type:`Cluster::BackendTag` :zeek:attr:`&redef`                                 
+:zeek:id:`Cluster::logger_pool_spec`: :zeek:type:`Cluster::PoolSpec` :zeek:attr:`&redef`                          
+:zeek:id:`Cluster::logger_topic`: :zeek:type:`string` :zeek:attr:`&redef`                                         
+:zeek:id:`Cluster::manager_topic`: :zeek:type:`string` :zeek:attr:`&redef`                                        
+:zeek:id:`Cluster::node_id`: :zeek:type:`function` :zeek:attr:`&redef`                                            
+:zeek:id:`Cluster::node_topic`: :zeek:type:`function` :zeek:attr:`&redef`                                         
+:zeek:id:`Cluster::nodeid_topic`: :zeek:type:`function` :zeek:attr:`&redef`                                       
+:zeek:id:`Cluster::proxy_pool_spec`: :zeek:type:`Cluster::PoolSpec` :zeek:attr:`&redef`                           
+:zeek:id:`Cluster::proxy_topic`: :zeek:type:`string` :zeek:attr:`&redef`                                          
+:zeek:id:`Cluster::worker_pool_spec`: :zeek:type:`Cluster::PoolSpec` :zeek:attr:`&redef`                          
+:zeek:id:`Cluster::worker_topic`: :zeek:type:`string` :zeek:attr:`&redef`                                         
+================================================================================================================= =
+
+Events
+######
+======================================================================= =================================================================
+:zeek:id:`Cluster::Backend::ZeroMQ::hello`: :zeek:type:`event`          Low-level event send to a node in response to their subscription.
+:zeek:id:`Cluster::Backend::ZeroMQ::subscription`: :zeek:type:`event`   Low-level event when a subscription is added.
+:zeek:id:`Cluster::Backend::ZeroMQ::unsubscription`: :zeek:type:`event` Low-level event when a subscription vanishes.
+======================================================================= =================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Cluster::Backend::ZeroMQ::connect_log_endpoints
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 86 86
+
+   :Type: :zeek:type:`vector` of :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         []
+
+
+   Vector of ZeroMQ endpoints to connect to for logging.
+   
+   A node's PUSH socket used for logging connects to each
+   of the ZeroMQ endpoints listed in this vector.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::connect_xpub_endpoint
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 73 73
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"tcp://127.0.0.1:5556"``
+
+   The central broker's XPUB endpoint to connect to.
+   
+   A node connects with its XSUB socket to the XPUB socket
+   of the central broker.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::connect_xpub_nodrop
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 250 250
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Do not silently drop messages if high-water-mark is reached.
+   
+   Whether to configure ``ZMQ_XPUB_NODROP`` on the XPUB socket
+   connecting to the proxy to detect when sending a message fails
+   due to reaching the high-water-mark. If you set this to **F**,
+   then the XPUB drops metric will stop working as sending on the
+   XPUB socket will always succeed. Unless you're developing on the
+   ZeroMQ cluster backend, keep this set to **T**.
+   
+   See ZeroMQ's `ZMQ_XPUB_NODROP documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc61>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::connect_xsub_endpoint
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 80 80
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"tcp://127.0.0.1:5555"``
+
+   The central broker's XSUB endpoint to connect to.
+   
+   A node connects with its XPUB socket to the XSUB socket
+   of the central broker.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::debug_flags
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 280 280
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   Bitmask to enable low-level stderr based debug printing.
+   
+       poll:   1 (produce verbose zmq::poll() output)
+       thread: 2 (produce thread related output)
+   
+   Or values from the above list together and set debug_flags
+   to the result. E.g. use 7 to select 4, 2 and 1. Only use this
+   in development if something seems off. The thread used internally
+   will produce output on stderr.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::hello_expiration
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 320 320
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 secs``
+
+   Expiration for hello state.
+   
+   How long to wait before expiring information about
+   subscriptions and hello messages from other
+   nodes. These expirations trigger reporter warnings.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::internal_topic_prefix
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 332 332
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek.zeromq.internal."``
+
+   The topic prefix used for internal ZeroMQ specific communication.
+   
+   This is used for the "ready to publish callback" topics.
+   
+   Zeek creates a short-lived subscription for a auto-generated
+   topic name with this prefix and waits for it to be confirmed
+   on its XPUB socket. Once this happens, the XPUB socket should've
+   also received all other active subscriptions of other nodes in a
+   cluster from the central XPUB/XSUB proxy and therefore can be
+   deemed ready for publish operations.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::ipv6
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 237 237
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Set ZMQ_IPV6 option.
+   
+   The ZeroMQ library has IPv6 support in ZeroMQ. For Zeek we enable it
+   unconditionally such that listening or connecting  with IPv6 just works.
+   
+   See ZeroMQ's `ZMQ_IPV6 documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc23>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::linger_ms
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 136 136
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``500``
+
+   Configure the ZeroMQ's sockets linger value.
+   
+   The default used by libzmq is 30 seconds (30 000) which is very long
+   when loggers vanish before workers during a shutdown, so we reduce
+   this to 500 milliseconds by default.
+   
+   A value of ``-1`` configures blocking forever, while ``0`` would
+   immediately discard any pending messages.
+   
+   See ZeroMQ's `ZMQ_LINGER documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc24>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::listen_log_endpoint
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 123 123
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   PULL socket address to listen on for log messages.
+   
+   If empty, don't listen for log messages, otherwise
+   a ZeroMQ address to bind to. E.g., ``tcp://127.0.0.1:5555``.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::listen_xpub_endpoint
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 117 117
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"tcp://127.0.0.1:5555"``
+
+   XPUB listen endpoint for the central broker.
+   
+   This setting is used for the XPUB socket of the central broker started
+   when :zeek:see:`Cluster::Backend::ZeroMQ::run_proxy_thread` is ``T``.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::listen_xpub_nodrop
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 263 263
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Do not silently drop messages if high-water-mark is reached.
+   
+   Whether to configure ``ZMQ_XPUB_NODROP`` on the XPUB socket
+   to detect when sending a message fails due to reaching
+   the high-water-mark.
+   
+   This setting applies to the XPUB/XSUB broker started when
+   :zeek:see:`Cluster::Backend::ZeroMQ::run_proxy_thread` is ``T``.
+   
+   See ZeroMQ's `ZMQ_XPUB_NODROP documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc61>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::listen_xsub_endpoint
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 111 111
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"tcp://127.0.0.1:5556"``
+
+   XSUB listen endpoint for the central broker.
+   
+   This setting is used for the XSUB socket of the central broker started
+   when :zeek:see:`Cluster::Backend::ZeroMQ::run_proxy_thread` is ``T``.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::log_immediate
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 193 193
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Configure ZeroMQ's immediate setting on PUSH sockets
+   
+   Setting this to ``T`` will queue log writes only to completed
+   connections. By default, log writes are queued to all potential
+   endpoints listed in :zeek:see:`Cluster::Backend::ZeroMQ::connect_log_endpoints`.
+   
+   See ZeroMQ's `ZMQ_IMMEDIATE documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc21>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::log_rcvbuf
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 228 228
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``-1``
+
+   Kernel receive buffer size for log sockets.
+   
+   Using -1 will use the kernel's default.
+   
+   See ZeroMQ's `ZMQ_RCVBUF documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc34>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::log_rcvhwm
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 213 213
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   Receive high water mark value for the log PULL sockets.
+   
+   If reached, Zeek workers will block or drop messages.
+   
+   See ZeroMQ's `ZMQ_RCVHWM documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc35>`_
+   for more details.
+   
+   TODO: Make action configurable (block vs drop)
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::log_sndbuf
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 220 220
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``-1``
+
+   Kernel transmit buffer size for log sockets.
+   
+   Using -1 will use the kernel's default.
+   
+   See ZeroMQ's `ZMQ_SNDBUF documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc45>`_.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::log_sndhwm
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 203 203
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   Send high water mark value for the log PUSH sockets.
+   
+   If reached, Zeek nodes will block or drop messages.
+   
+   See ZeroMQ's `ZMQ_SNDHWM documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc46>`_
+   for more details.
+   
+   TODO: Make action configurable (block vs drop)
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::onloop_queue_hwm
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 183 183
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10000``
+
+   Maximum number of incoming events queued for Zeek's event loop.
+   
+   This constant defines the maximum number of remote events queued
+   by the ZeroMQ cluster backend for Zeek's event loop to drain in
+   one go. If you set this value to 0 (unlimited), consider closely
+   CPU and memory usage of cluster nodes as high remote event rates
+   may starve packet processing.
+   
+   If more events are received than can fit the queue, new events will be
+   dropped and the ``zeek_cluster_zeromq_onloop_drops_total`` metric
+   incremented.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::poll_max_messages
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 269 269
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   Messages to receive before yielding.
+   
+   Yield from the receive loop when this many messages have been
+   received from one of the used sockets.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::proxy_io_threads
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 105 105
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2``
+
+   How many IO threads to configure for the ZeroMQ context that
+   acts as a central broker.
+   See ZeroMQ's `ZMQ_IO_THREADS documentation <http://api.zeromq.org/4-2:zmq-ctx-set#toc4>`_
+   and the `I/O threads <https://zguide.zeromq.org/docs/chapter2/#I-O-Threads>`_
+   section in the ZeroMQ guide for details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::run_proxy_thread
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 97 97
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/cluster/backend/zeromq/main.zeek`
+
+      ``=``::
+
+         Cluster::local_node_type() == Cluster::MANAGER
+
+
+   Toggle for running a central ZeroMQ XPUB-XSUB broker on this node.
+   
+   If set to ``T``, :zeek:see:`Cluster::Backend::ZeroMQ::spawn_zmq_proxy_thread`
+   is called during :zeek:see:`zeek_init`. The node will listen
+   on :zeek:see:`Cluster::Backend::ZeroMQ::listen_xsub_endpoint` and
+   :zeek:see:`Cluster::Backend::ZeroMQ::listen_xpub_endpoint` and
+   forward subscriptions and messages between nodes.
+   
+   By default, this is set to ``T`` on the manager and ``F`` elsewhere.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::xpub_sndbuf
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 153 153
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``-1``
+
+   Kernel transmit buffer size for the XPUB socket.
+   
+   Using -1 will use the kernel's default.
+   
+   See ZeroMQ's `ZMQ_SNDBUF documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc45>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::xpub_sndhwm
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 145 145
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   Send high water mark value for the XPUB socket.
+   
+   Events published when the XPUB queue is full will be dropped and the
+   ``zeek_cluster_zeromq_xpub_drops_total`` metric incremented.
+   
+   See ZeroMQ's `ZMQ_SNDHWM documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc46>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::xsub_rcvbuf
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 170 170
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``-1``
+
+   Kernel receive buffer size for the XSUB socket.
+   
+   Using -1 will use the kernel's default.
+   
+   See ZeroMQ's `ZMQ_RCVBUF documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc34>`_
+   for more details.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::xsub_rcvhwm
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 162 162
+
+   :Type: :zeek:type:`int`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1000``
+
+   Receive high water mark value for the XSUB socket.
+   
+   If reached, the Zeek node will start reporting back pressure
+   to the central XPUB socket.
+   
+   See ZeroMQ's `ZMQ_RCVHWM documentation <http://api.zeromq.org/4-2:zmq-setsockopt#toc35>`_
+   for more details.
+
+State Variables
+###############
+.. zeek:id:: Cluster::Backend::ZeroMQ::node_topic_prefix
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 283 283
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek.cluster.node"``
+
+   The node topic prefix to use.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::nodeid_topic_prefix
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 286 286
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek.cluster.nodeid"``
+
+   The node_id topic prefix to use.
+
+Events
+######
+.. zeek:id:: Cluster::Backend::ZeroMQ::hello
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 488 525
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, id: :zeek:type:`string`)
+
+   Low-level event send to a node in response to their subscription.
+   
+
+   :param name: The sending node's name in :zeek:see:`Cluster::nodes`.
+   
+
+   :param id: The sending node's identifier, as generated by :zeek:see:`Cluster::node_id`.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::subscription
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 457 483
+
+   :Type: :zeek:type:`event` (topic: :zeek:type:`string`)
+
+   Low-level event when a subscription is added.
+   
+   Every node observes all subscriptions from other nodes
+   in a cluster through its XPUB socket. Whenever a new
+   subscription topic is added, this event is raised with
+   the topic.
+   
+
+   :param topic: The topic.
+
+.. zeek:id:: Cluster::Backend::ZeroMQ::unsubscription
+   :source-code: policy/frameworks/cluster/backend/zeromq/main.zeek 530 549
+
+   :Type: :zeek:type:`event` (topic: :zeek:type:`string`)
+
+   Low-level event when a subscription vanishes.
+   
+   Every node observes all subscriptions from other nodes
+   in a cluster through its XPUB socket. Whenever a subscription
+   is removed from the local XPUB socket, this event is raised
+   with the topic set to the removed subscription.
+   
+
+   :param topic: The topic.
+
+
diff --git a/doc/scripts/policy/frameworks/cluster/experimental.zeek.rst b/doc/scripts/policy/frameworks/cluster/experimental.zeek.rst
new file mode 100644
index 0000000000..bedc7cc8d6
--- /dev/null
+++ b/doc/scripts/policy/frameworks/cluster/experimental.zeek.rst
@@ -0,0 +1,74 @@
+:tocdepth: 3
+
+policy/frameworks/cluster/experimental.zeek
+===========================================
+.. zeek:namespace:: Cluster::Experimental
+
+Experimental features of the Cluster framework.
+
+:Namespace: Cluster::Experimental
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`
+
+Summary
+~~~~~~~
+Events
+######
+========================================================================== =======================================================================
+:zeek:id:`Cluster::Experimental::cluster_started`: :zeek:type:`event`      When using broker-enabled cluster framework, this event will be
+                                                                           broadcasted from the manager once all nodes reported that they have set
+                                                                           up all their outgoing connections to other cluster nodes based on the
+                                                                           given cluster layout.
+:zeek:id:`Cluster::Experimental::node_fully_connected`: :zeek:type:`event` When using broker-enabled cluster framework, this event will be sent to
+                                                                           the manager and raised locally, once a cluster node has successfully
+                                                                           conducted cluster-level handshakes for all its outgoing connections to
+                                                                           other cluster nodes based on the given cluster layout.
+========================================================================== =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: Cluster::Experimental::cluster_started
+   :source-code: policy/frameworks/cluster/nodes-experimental/manager.zeek 33 36
+
+   :Type: :zeek:type:`event` ()
+
+   When using broker-enabled cluster framework, this event will be
+   broadcasted from the manager once all nodes reported that they have set
+   up all their outgoing connections to other cluster nodes based on the
+   given cluster layout.
+   
+   .. warning::
+   
+       There is no tracking of cluster node connectivity. Thus, there is
+       no guarantee that all peerings still exist at the time of this event
+       being raised.
+
+.. zeek:id:: Cluster::Experimental::node_fully_connected
+   :source-code: policy/frameworks/cluster/nodes-experimental/manager.zeek 16 31
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`, id: :zeek:type:`string`, resending: :zeek:type:`bool`)
+
+   When using broker-enabled cluster framework, this event will be sent to
+   the manager and raised locally, once a cluster node has successfully
+   conducted cluster-level handshakes for all its outgoing connections to
+   other cluster nodes based on the given cluster layout.
+   
+
+   :param name: The name of the now fully connected node.
+   
+
+   :param id: The identifier of the now fully connected node.
+   
+
+   :param resending: If true, the node has previously signaled that it is fully
+              connected. This may happen in case the manager restarts.
+   
+   .. warning::
+   
+       There is no tracking of cluster node connectivity. Thus, there is
+       no guarantee that all peerings still exist at the time of this event
+       being raised.
+
+
diff --git a/doc/scripts/policy/frameworks/cluster/nodes-experimental/manager.zeek.rst b/doc/scripts/policy/frameworks/cluster/nodes-experimental/manager.zeek.rst
new file mode 100644
index 0000000000..6c9a7f8137
--- /dev/null
+++ b/doc/scripts/policy/frameworks/cluster/nodes-experimental/manager.zeek.rst
@@ -0,0 +1,18 @@
+:tocdepth: 3
+
+policy/frameworks/cluster/nodes-experimental/manager.zeek
+=========================================================
+.. zeek:namespace:: Cluster::Experimental
+
+This script is loaded on the cluster manager to cover manager-related
+parts of experimental features.
+
+:Namespace: Cluster::Experimental
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`policy/frameworks/cluster/experimental.zeek </scripts/policy/frameworks/cluster/experimental.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek.rst b/doc/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek.rst
new file mode 100644
index 0000000000..541583daeb
--- /dev/null
+++ b/doc/scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+policy/frameworks/conn_key/vlan_fivetuple.zeek
+==============================================
+
+This script adapts Zeek's connection key to include 802.1Q VLAN and
+Q-in-Q tags, when available. Zeek normally ignores VLAN tags for connection
+lookups; this change makes it factor them in and also makes those VLAN tags
+part of the :zeek:see:`conn_id` record.
+
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+========================================================================== =======================================================================
+:zeek:id:`ConnKey::factory`: :zeek:type:`ConnKey::Tag` :zeek:attr:`&redef` 
+:zeek:type:`conn_id_ctx`: :zeek:type:`record`                              
+                                                                           
+                                                                           :New Fields: :zeek:type:`conn_id_ctx`
+                                                                           
+                                                                             vlan: :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                               The outer VLAN for this connection, if applicable.
+                                                                           
+                                                                             inner_vlan: :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                               The inner VLAN for this connection, if applicable.
+========================================================================== =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/control/controllee.zeek.rst b/doc/scripts/policy/frameworks/control/controllee.zeek.rst
new file mode 100644
index 0000000000..4372c2ede3
--- /dev/null
+++ b/doc/scripts/policy/frameworks/control/controllee.zeek.rst
@@ -0,0 +1,24 @@
+:tocdepth: 3
+
+policy/frameworks/control/controllee.zeek
+=========================================
+.. zeek:namespace:: Control
+
+The controllee portion of the control framework.  Load this script if remote
+runtime control of the Zeek process is desired.
+
+A controllee only needs to load the controllee script in addition
+to the specific analysis scripts desired.  It may also need a node
+configured as a controller node in the communications nodes configuration::
+
+    zeek <scripts> frameworks/control/controllee
+
+:Namespace: Control
+:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/control/controller.zeek.rst b/doc/scripts/policy/frameworks/control/controller.zeek.rst
new file mode 100644
index 0000000000..950a7d68ad
--- /dev/null
+++ b/doc/scripts/policy/frameworks/control/controller.zeek.rst
@@ -0,0 +1,23 @@
+:tocdepth: 3
+
+policy/frameworks/control/controller.zeek
+=========================================
+.. zeek:namespace:: Control
+
+This is a utility script that implements the controller interface for the
+control framework.  It's intended to be run to control a remote Zeek
+and then shutdown.
+
+It's intended to be used from the command line like this::
+
+    zeek <scripts> frameworks/control/controller Control::host=<host_addr> Control::host_port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
+
+:Namespace: Control
+:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/files/detect-MHR.zeek.rst b/doc/scripts/policy/frameworks/files/detect-MHR.zeek.rst
new file mode 100644
index 0000000000..b1f53827f8
--- /dev/null
+++ b/doc/scripts/policy/frameworks/files/detect-MHR.zeek.rst
@@ -0,0 +1,77 @@
+:tocdepth: 3
+
+policy/frameworks/files/detect-MHR.zeek
+=======================================
+.. zeek:namespace:: TeamCymruMalwareHashRegistry
+
+Detect file downloads that have hash values matching files in Team
+Cymru's Malware Hash Registry (https://www.team-cymru.com/mhr.html).
+
+:Namespace: TeamCymruMalwareHashRegistry
+:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`policy/frameworks/files/hash-all-files.zeek </scripts/policy/frameworks/files/hash-all-files.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=================================================================================================== ====================================================================
+:zeek:id:`TeamCymruMalwareHashRegistry::match_file_types`: :zeek:type:`pattern` :zeek:attr:`&redef` File types to attempt matching against the Malware Hash Registry.
+:zeek:id:`TeamCymruMalwareHashRegistry::match_sub_url`: :zeek:type:`string` :zeek:attr:`&redef`     The Match notice has a sub message with a URL where you can get more
+                                                                                                    information about the file.
+:zeek:id:`TeamCymruMalwareHashRegistry::notice_threshold`: :zeek:type:`count` :zeek:attr:`&redef`   The malware hash registry runs each malware sample through several
+                                                                                                    A/V engines.
+=================================================================================================== ====================================================================
+
+Redefinitions
+#############
+============================================ ===============================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`TeamCymruMalwareHashRegistry::Match`:
+                                               The hash value of a file transferred over HTTP matched in the
+                                               malware hash registry.
+============================================ ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: TeamCymruMalwareHashRegistry::match_file_types
+   :source-code: policy/frameworks/files/detect-MHR.zeek 18 18
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd\.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/
+
+
+   File types to attempt matching against the Malware Hash Registry.
+
+.. zeek:id:: TeamCymruMalwareHashRegistry::match_sub_url
+   :source-code: policy/frameworks/files/detect-MHR.zeek 29 29
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"https://www.virustotal.com/gui/search/%s"``
+
+   The Match notice has a sub message with a URL where you can get more
+   information about the file. The %s will be replaced with the SHA-1
+   hash of the file.
+
+.. zeek:id:: TeamCymruMalwareHashRegistry::notice_threshold
+   :source-code: policy/frameworks/files/detect-MHR.zeek 35 35
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10``
+
+   The malware hash registry runs each malware sample through several
+   A/V engines.  Team Cymru returns a percentage to indicate how
+   many A/V engines flagged the sample as malicious. This threshold
+   allows you to require a minimum detection rate.
+
+
diff --git a/doc/scripts/policy/frameworks/files/entropy-test-all-files.zeek.rst b/doc/scripts/policy/frameworks/files/entropy-test-all-files.zeek.rst
new file mode 100644
index 0000000000..4ab49d86ee
--- /dev/null
+++ b/doc/scripts/policy/frameworks/files/entropy-test-all-files.zeek.rst
@@ -0,0 +1,27 @@
+:tocdepth: 3
+
+policy/frameworks/files/entropy-test-all-files.zeek
+===================================================
+.. zeek:namespace:: Files
+
+
+:Namespace: Files
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+================================================================= =======================================================================
+:zeek:type:`Files::Info`: :zeek:type:`record` :zeek:attr:`&redef` 
+                                                                  
+                                                                  :New Fields: :zeek:type:`Files::Info`
+                                                                  
+                                                                    entropy: :zeek:type:`double` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                      The information density of the contents of the file,
+                                                                      expressed as a number of bits per character.
+================================================================= =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/files/extract-all-files.zeek.rst b/doc/scripts/policy/frameworks/files/extract-all-files.zeek.rst
new file mode 100644
index 0000000000..914f40ad92
--- /dev/null
+++ b/doc/scripts/policy/frameworks/files/extract-all-files.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+policy/frameworks/files/extract-all-files.zeek
+==============================================
+
+Extract all files to disk.
+
+:Imports: :doc:`base/files/extract </scripts/base/files/extract/index>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/files/hash-all-files.zeek.rst b/doc/scripts/policy/frameworks/files/hash-all-files.zeek.rst
new file mode 100644
index 0000000000..56a8236e13
--- /dev/null
+++ b/doc/scripts/policy/frameworks/files/hash-all-files.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+policy/frameworks/files/hash-all-files.zeek
+===========================================
+
+Perform MD5 and SHA1 hashing on all files.
+
+:Imports: :doc:`base/files/hash </scripts/base/files/hash/index>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/do_expire.zeek.rst b/doc/scripts/policy/frameworks/intel/do_expire.zeek.rst
new file mode 100644
index 0000000000..727a1b763f
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/do_expire.zeek.rst
@@ -0,0 +1,23 @@
+:tocdepth: 3
+
+policy/frameworks/intel/do_expire.zeek
+======================================
+.. zeek:namespace:: Intel
+
+This script enables expiration for intelligence items.
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================================================ =
+:zeek:id:`Intel::item_expiration`: :zeek:type:`interval` :zeek:attr:`&redef` 
+============================================================================ =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/do_notice.zeek.rst b/doc/scripts/policy/frameworks/intel/do_notice.zeek.rst
new file mode 100644
index 0000000000..bb1504225d
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/do_notice.zeek.rst
@@ -0,0 +1,40 @@
+:tocdepth: 3
+
+policy/frameworks/intel/do_notice.zeek
+======================================
+.. zeek:namespace:: Intel
+
+This script enables notice generation for intelligence matches.
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+================================================= ===================================================================================
+:zeek:type:`Intel::MetaData`: :zeek:type:`record` 
+                                                  
+                                                  :New Fields: :zeek:type:`Intel::MetaData`
+                                                  
+                                                    do_notice: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                      A boolean value to allow the data itself to represent
+                                                      if the indicator that this metadata is attached to
+                                                      is notice worthy.
+                                                  
+                                                    if_in: :zeek:type:`Intel::Where` :zeek:attr:`&optional`
+                                                      Restrictions on when notices are created to only create
+                                                      them if the *do_notice* field is T and the notice was
+                                                      seen in the indicated location.
+:zeek:type:`Notice::Type`: :zeek:type:`enum`      
+                                                  
+                                                  * :zeek:enum:`Intel::Notice`:
+                                                    This notice is generated when an intelligence
+                                                    indicator is denoted to be notice-worthy.
+================================================= ===================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/removal.zeek.rst b/doc/scripts/policy/frameworks/intel/removal.zeek.rst
new file mode 100644
index 0000000000..fca1873fa2
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/removal.zeek.rst
@@ -0,0 +1,28 @@
+:tocdepth: 3
+
+policy/frameworks/intel/removal.zeek
+====================================
+.. zeek:namespace:: Intel
+
+This script enables removal of intelligence items.
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+================================================= ================================================================================
+:zeek:type:`Intel::MetaData`: :zeek:type:`record` 
+                                                  
+                                                  :New Fields: :zeek:type:`Intel::MetaData`
+                                                  
+                                                    remove: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                      A boolean value to indicate whether the item should be removed.
+================================================= ================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/__load__.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/__load__.zeek.rst
new file mode 100644
index 0000000000..57e30c3305
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/__load__.zeek
+==========================================
+
+
+:Imports: :doc:`policy/frameworks/intel/seen/conn-established.zeek </scripts/policy/frameworks/intel/seen/conn-established.zeek>`, :doc:`policy/frameworks/intel/seen/dns.zeek </scripts/policy/frameworks/intel/seen/dns.zeek>`, :doc:`policy/frameworks/intel/seen/file-hashes.zeek </scripts/policy/frameworks/intel/seen/file-hashes.zeek>`, :doc:`policy/frameworks/intel/seen/file-names.zeek </scripts/policy/frameworks/intel/seen/file-names.zeek>`, :doc:`policy/frameworks/intel/seen/http-headers.zeek </scripts/policy/frameworks/intel/seen/http-headers.zeek>`, :doc:`policy/frameworks/intel/seen/http-url.zeek </scripts/policy/frameworks/intel/seen/http-url.zeek>`, :doc:`policy/frameworks/intel/seen/pubkey-hashes.zeek </scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek>`, :doc:`policy/frameworks/intel/seen/smb-filenames.zeek </scripts/policy/frameworks/intel/seen/smb-filenames.zeek>`, :doc:`policy/frameworks/intel/seen/smtp-url-extraction.zeek </scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek>`, :doc:`policy/frameworks/intel/seen/smtp.zeek </scripts/policy/frameworks/intel/seen/smtp.zeek>`, :doc:`policy/frameworks/intel/seen/ssl.zeek </scripts/policy/frameworks/intel/seen/ssl.zeek>`, :doc:`policy/frameworks/intel/seen/x509.zeek </scripts/policy/frameworks/intel/seen/x509.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/conn-established.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/conn-established.zeek.rst
new file mode 100644
index 0000000000..3782172e1b
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/conn-established.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/conn-established.zeek
+==================================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/dns.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/dns.zeek.rst
new file mode 100644
index 0000000000..0a862c25f9
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/dns.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/dns.zeek
+=====================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/file-hashes.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/file-hashes.zeek.rst
new file mode 100644
index 0000000000..ca0cc844b1
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/file-hashes.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/file-hashes.zeek
+=============================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/file-names.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/file-names.zeek.rst
new file mode 100644
index 0000000000..c16b1805f7
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/file-names.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/file-names.zeek
+============================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/http-headers.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/http-headers.zeek.rst
new file mode 100644
index 0000000000..603c987aac
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/http-headers.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/http-headers.zeek
+==============================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/http-url.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/http-url.zeek.rst
new file mode 100644
index 0000000000..e8647b8265
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/http-url.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/http-url.zeek
+==========================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/index.rst b/doc/scripts/policy/frameworks/intel/seen/index.rst
new file mode 100644
index 0000000000..05b11baae1
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/index.rst
@@ -0,0 +1,52 @@
+:orphan:
+
+Package: policy/frameworks/intel/seen
+=====================================
+
+Scripts that send data to the intelligence framework.
+
+:doc:`/scripts/policy/frameworks/intel/seen/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/conn-established.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/where-locations.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/dns.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/file-hashes.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/file-names.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/http-headers.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/http-url.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/ssl.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/smb-filenames.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/smtp.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/x509.zeek`
+
+
+:doc:`/scripts/policy/frameworks/intel/seen/manage-event-groups.zeek`
+
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/manage-event-groups.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/manage-event-groups.zeek.rst
new file mode 100644
index 0000000000..3b78c7431e
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/manage-event-groups.zeek.rst
@@ -0,0 +1,46 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/manage-event-groups.zeek
+=====================================================
+.. zeek:namespace:: Intel
+
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`, :doc:`policy/frameworks/intel/seen </scripts/policy/frameworks/intel/seen/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================= ============================================================
+:zeek:id:`Intel::manage_seen_event_groups`: :zeek:type:`bool` :zeek:attr:`&redef` Whether Intel event groups for the seen scripts are managed.
+================================================================================= ============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Intel::manage_seen_event_groups
+   :source-code: policy/frameworks/intel/seen/manage-event-groups.zeek 21 21
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether Intel event groups for the seen scripts are managed.
+   
+   When loading this script, by default, all :zeek:see:`Intel::Type`
+   event groups are disabled at startup and only enabled when indicators
+   of corresponding types are loaded into the Intel framework's store.
+   This allows to load the ``frameworks/intel/seen`` scripts without
+   incurring event handling overhead when no Intel indicators are loaded.
+   
+   One caveat is that the :zeek:see:`Intel::seen_policy` hook will not
+   be invoked for indicator types that are not at all in the Intel
+   framework's store. If you rely on :zeek:see:`Intel::seen_policy` to
+   find unmatched indicators, do not not load this script, set this
+   variable to ``F``, or insert dummy values of the types using
+   :zeek:see:`Intel::insert`.
+
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek.rst
new file mode 100644
index 0000000000..5a0aca665d
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/pubkey-hashes.zeek
+===============================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/smb-filenames.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/smb-filenames.zeek.rst
new file mode 100644
index 0000000000..ed1966444a
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/smb-filenames.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/smb-filenames.zeek
+===============================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/smb </scripts/base/protocols/smb/index>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek.rst
new file mode 100644
index 0000000000..f847101d2b
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/smtp-url-extraction.zeek
+=====================================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`, :doc:`base/utils/urls.zeek </scripts/base/utils/urls.zeek>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/smtp.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/smtp.zeek.rst
new file mode 100644
index 0000000000..c60469b864
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/smtp.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/smtp.zeek
+======================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`, :doc:`base/utils/email.zeek </scripts/base/utils/email.zeek>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/ssl.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/ssl.zeek.rst
new file mode 100644
index 0000000000..8ff1e2cfc9
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/ssl.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/ssl.zeek
+=====================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/where-locations.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/where-locations.zeek.rst
new file mode 100644
index 0000000000..b58894df99
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/where-locations.zeek.rst
@@ -0,0 +1,70 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/where-locations.zeek
+=================================================
+
+
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ===============================================
+:zeek:type:`Intel::Where`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`Conn::IN_ORIG`
+                                             
+                                             * :zeek:enum:`Conn::IN_RESP`
+                                             
+                                             * :zeek:enum:`DNS::IN_REQUEST`
+                                             
+                                             * :zeek:enum:`DNS::IN_RESPONSE`
+                                             
+                                             * :zeek:enum:`Files::IN_HASH`
+                                             
+                                             * :zeek:enum:`Files::IN_NAME`
+                                             
+                                             * :zeek:enum:`HTTP::IN_HOST_HEADER`
+                                             
+                                             * :zeek:enum:`HTTP::IN_REFERRER_HEADER`
+                                             
+                                             * :zeek:enum:`HTTP::IN_URL`
+                                             
+                                             * :zeek:enum:`HTTP::IN_USER_AGENT_HEADER`
+                                             
+                                             * :zeek:enum:`HTTP::IN_X_FORWARDED_FOR_HEADER`
+                                             
+                                             * :zeek:enum:`SMB::IN_FILE_NAME`
+                                             
+                                             * :zeek:enum:`SMTP::IN_CC`
+                                             
+                                             * :zeek:enum:`SMTP::IN_FROM`
+                                             
+                                             * :zeek:enum:`SMTP::IN_HEADER`
+                                             
+                                             * :zeek:enum:`SMTP::IN_MAIL_FROM`
+                                             
+                                             * :zeek:enum:`SMTP::IN_MESSAGE`
+                                             
+                                             * :zeek:enum:`SMTP::IN_RCPT_TO`
+                                             
+                                             * :zeek:enum:`SMTP::IN_RECEIVED_HEADER`
+                                             
+                                             * :zeek:enum:`SMTP::IN_REPLY_TO`
+                                             
+                                             * :zeek:enum:`SMTP::IN_TO`
+                                             
+                                             * :zeek:enum:`SMTP::IN_X_ORIGINATING_IP_HEADER`
+                                             
+                                             * :zeek:enum:`SSH::IN_SERVER_HOST_KEY`
+                                             
+                                             * :zeek:enum:`SSL::IN_SERVER_NAME`
+                                             
+                                             * :zeek:enum:`X509::IN_CERT`
+============================================ ===============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/intel/seen/x509.zeek.rst b/doc/scripts/policy/frameworks/intel/seen/x509.zeek.rst
new file mode 100644
index 0000000000..bbe0430117
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/seen/x509.zeek.rst
@@ -0,0 +1,33 @@
+:tocdepth: 3
+
+policy/frameworks/intel/seen/x509.zeek
+======================================
+.. zeek:namespace:: Intel
+
+
+:Namespace: Intel
+:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+================================================================================================= =============================================================================
+:zeek:id:`Intel::enable_x509_ext_subject_alternative_name`: :zeek:type:`bool` :zeek:attr:`&redef` Enables the extraction of subject alternate names from the X509 SAN DNS field
+================================================================================================= =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Intel::enable_x509_ext_subject_alternative_name
+   :source-code: policy/frameworks/intel/seen/x509.zeek 9 9
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Enables the extraction of subject alternate names from the X509 SAN DNS field
+
+
diff --git a/doc/scripts/policy/frameworks/intel/whitelist.zeek.rst b/doc/scripts/policy/frameworks/intel/whitelist.zeek.rst
new file mode 100644
index 0000000000..3366bbe57d
--- /dev/null
+++ b/doc/scripts/policy/frameworks/intel/whitelist.zeek.rst
@@ -0,0 +1,28 @@
+:tocdepth: 3
+
+policy/frameworks/intel/whitelist.zeek
+======================================
+.. zeek:namespace:: Intel
+
+This script enables whitelisting for intelligence items.
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+================================================= ===================================================================================
+:zeek:type:`Intel::MetaData`: :zeek:type:`record` 
+                                                  
+                                                  :New Fields: :zeek:type:`Intel::MetaData`
+                                                  
+                                                    whitelist: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                      A boolean value to indicate whether the item is whitelisted.
+================================================= ===================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/__load__.zeek.rst b/doc/scripts/policy/frameworks/management/__load__.zeek.rst
new file mode 100644
index 0000000000..405ccb816e
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/__load__.zeek.rst
@@ -0,0 +1,19 @@
+:tocdepth: 3
+
+policy/frameworks/management/__load__.zeek
+==========================================
+
+This loads Management framework functionality needed by both the controller
+and agents. Note that there's no notion of loading "the Management
+framework" -- one always loads "management/controller" or
+"management/agent". This __load__ script exists only to simplify loading all
+common functionality.
+
+:Imports: :doc:`policy/frameworks/management/config.zeek </scripts/policy/frameworks/management/config.zeek>`, :doc:`policy/frameworks/management/log.zeek </scripts/policy/frameworks/management/log.zeek>`, :doc:`policy/frameworks/management/persistence.zeek </scripts/policy/frameworks/management/persistence.zeek>`, :doc:`policy/frameworks/management/request.zeek </scripts/policy/frameworks/management/request.zeek>`, :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`, :doc:`policy/frameworks/management/util.zeek </scripts/policy/frameworks/management/util.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/agent/__load__.zeek.rst b/doc/scripts/policy/frameworks/management/agent/__load__.zeek.rst
new file mode 100644
index 0000000000..77cd97a4a6
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/agent/__load__.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+policy/frameworks/management/agent/__load__.zeek
+================================================
+
+The entry point for the Management framework's cluster agent. It runs
+bootstrap logic for launching an agent process via Zeek's Supervisor.
+
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/agent/api.zeek.rst b/doc/scripts/policy/frameworks/management/agent/api.zeek.rst
new file mode 100644
index 0000000000..dfadcc9ded
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/agent/api.zeek.rst
@@ -0,0 +1,344 @@
+:tocdepth: 3
+
+policy/frameworks/management/agent/api.zeek
+===========================================
+.. zeek:namespace:: Management::Agent::API
+
+The event API of cluster agents. Most endpoints consist of event pairs,
+where the agent answers a request event with a corresponding response
+event. Such event pairs share the same name prefix and end in "_request" and
+"_response", respectively.
+
+:Namespace: Management::Agent::API
+:Imports: :doc:`base/frameworks/supervisor/control.zeek </scripts/base/frameworks/supervisor/control.zeek>`, :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`
+
+Summary
+~~~~~~~
+Constants
+#########
+============================================================== ================================================================
+:zeek:id:`Management::Agent::API::version`: :zeek:type:`count` A simple versioning scheme, used to track basic compatibility of
+                                                               controller and agent.
+============================================================== ================================================================
+
+Events
+######
+============================================================================= =====================================================================
+:zeek:id:`Management::Agent::API::agent_standby_request`: :zeek:type:`event`  The controller sends this event to convey that the agent is not
+                                                                              currently required.
+:zeek:id:`Management::Agent::API::agent_standby_response`: :zeek:type:`event` Response to a
+                                                                              :zeek:see:`Management::Agent::API::agent_standby_request` event.
+:zeek:id:`Management::Agent::API::agent_welcome_request`: :zeek:type:`event`  The controller sends this event to confirm to the agent that it is
+                                                                              part of the current cluster topology.
+:zeek:id:`Management::Agent::API::agent_welcome_response`: :zeek:type:`event` Response to a
+                                                                              :zeek:see:`Management::Agent::API::agent_welcome_request` event.
+:zeek:id:`Management::Agent::API::deploy_request`: :zeek:type:`event`         The controller sends this event to deploy a cluster configuration to
+                                                                              this instance.
+:zeek:id:`Management::Agent::API::deploy_response`: :zeek:type:`event`        Response to a :zeek:see:`Management::Agent::API::deploy_request`
+                                                                              event.
+:zeek:id:`Management::Agent::API::get_nodes_request`: :zeek:type:`event`      The controller sends this event to request a list of
+                                                                              :zeek:see:`Management::NodeStatus` records that capture
+                                                                              the status of Supervisor-managed nodes running on this instance.
+:zeek:id:`Management::Agent::API::get_nodes_response`: :zeek:type:`event`     Response to a :zeek:see:`Management::Agent::API::get_nodes_request`
+                                                                              event.
+:zeek:id:`Management::Agent::API::node_dispatch_request`: :zeek:type:`event`  The controller sends this to every agent to request a dispatch (the
+                                                                              execution of a pre-implemented activity) to all cluster nodes.
+:zeek:id:`Management::Agent::API::node_dispatch_response`: :zeek:type:`event` Response to a
+                                                                              :zeek:see:`Management::Agent::API::node_dispatch_request` event.
+:zeek:id:`Management::Agent::API::notify_agent_hello`: :zeek:type:`event`     The agent sends this event upon peering as a "check-in", informing
+                                                                              the controller that an agent of the given name is now available to
+                                                                              communicate with.
+:zeek:id:`Management::Agent::API::notify_change`: :zeek:type:`event`          
+:zeek:id:`Management::Agent::API::notify_error`: :zeek:type:`event`           
+:zeek:id:`Management::Agent::API::notify_log`: :zeek:type:`event`             
+:zeek:id:`Management::Agent::API::restart_request`: :zeek:type:`event`        The controller sends this event to ask the agent to restart currently
+                                                                              running Zeek cluster nodes.
+:zeek:id:`Management::Agent::API::restart_response`: :zeek:type:`event`       Response to a :zeek:see:`Management::Agent::API::restart_request`
+                                                                              event.
+============================================================================= =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: Management::Agent::API::version
+   :source-code: policy/frameworks/management/agent/api.zeek 14 14
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   A simple versioning scheme, used to track basic compatibility of
+   controller and agent.
+
+Events
+######
+.. zeek:id:: Management::Agent::API::agent_standby_request
+   :source-code: policy/frameworks/management/agent/main.zeek 871 890
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`)
+
+   The controller sends this event to convey that the agent is not
+   currently required. This status may later change, depending on
+   updates from the client, so the Broker-level peering can remain
+   active. The agent releases any cluster-related resources (including
+   shutdown of existing Zeek cluster nodes) when processing the request,
+   and confirms via the response event. Shutting down an agent at this
+   point has no operational impact on the running cluster.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+.. zeek:id:: Management::Agent::API::agent_standby_response
+   :source-code: policy/frameworks/management/agent/api.zeek 150 150
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`Management::Result`)
+
+   Response to a
+   :zeek:see:`Management::Agent::API::agent_standby_request` event. The
+   agent sends this back to the controller.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param result: the result record.
+   
+
+.. zeek:id:: Management::Agent::API::agent_welcome_request
+   :source-code: policy/frameworks/management/agent/main.zeek 857 869
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`)
+
+   The controller sends this event to confirm to the agent that it is
+   part of the current cluster topology. The agent acknowledges with a
+   :zeek:see:`Management::Agent::API::agent_welcome_response` event,
+   upon which the controller may proceed with a cluster deployment to
+   this agent.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+.. zeek:id:: Management::Agent::API::agent_welcome_response
+   :source-code: policy/frameworks/management/controller/main.zeek 900 926
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`Management::Result`)
+
+   Response to a
+   :zeek:see:`Management::Agent::API::agent_welcome_request` event. The
+   agent sends this back to the controller.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param result: the result record.
+   
+
+.. zeek:id:: Management::Agent::API::deploy_request
+   :source-code: policy/frameworks/management/agent/main.zeek 411 451
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, config: :zeek:type:`Management::Configuration`, force: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`)
+
+   The controller sends this event to deploy a cluster configuration to
+   this instance. Once processed, the agent responds with a
+   :zeek:see:`Management::Agent::API::deploy_response` event.  event.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+   :param config: a :zeek:see:`Management::Configuration` record describing the
+       cluster topology. This contains the full topology, not just the
+       part pertaining to this instance: the cluster framework requires
+       full cluster visibility to establish needed peerings.
+   
+
+   :param force: whether to re-deploy (i.e., restart its Zeek cluster nodes)
+       when the agent already runs this configuration. This relies on
+       the config ID to determine config equality.
+   
+
+.. zeek:id:: Management::Agent::API::deploy_response
+   :source-code: policy/frameworks/management/controller/main.zeek 944 1000
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, results: :zeek:type:`Management::ResultVec`)
+
+   Response to a :zeek:see:`Management::Agent::API::deploy_request`
+   event. The agent sends this back to the controller.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param results: A vector of :zeek:see:`Management::Result` records, each
+       capturing the outcome of a single launched node. For failing
+       nodes, the result's data field is a
+       :zeek:see:`Management::NodeOutputs` record.
+   
+
+.. zeek:id:: Management::Agent::API::get_nodes_request
+   :source-code: policy/frameworks/management/agent/main.zeek 588 597
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`)
+
+   The controller sends this event to request a list of
+   :zeek:see:`Management::NodeStatus` records that capture
+   the status of Supervisor-managed nodes running on this instance.
+   instances.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+.. zeek:id:: Management::Agent::API::get_nodes_response
+   :source-code: policy/frameworks/management/controller/main.zeek 1153 1197
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`Management::Result`)
+
+   Response to a :zeek:see:`Management::Agent::API::get_nodes_request`
+   event. The agent sends this back to the controller.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param result: a :zeek:see:`Management::Result` record. Its data
+       member is a vector of :zeek:see:`Management::NodeStatus`
+       records, covering the nodes at this instance. The result may also
+       indicate failure, with error messages indicating what went wrong.
+   
+
+.. zeek:id:: Management::Agent::API::node_dispatch_request
+   :source-code: policy/frameworks/management/agent/main.zeek 761 855
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, action: :zeek:type:`vector` of :zeek:type:`string`, nodes: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`)
+
+   The controller sends this to every agent to request a dispatch (the
+   execution of a pre-implemented activity) to all cluster nodes.  This
+   is the generic controller-agent "back-end" implementation of explicit
+   client-controller "front-end" interactions, including:
+   
+   - :zeek:see:`Management::Controller::API::get_id_value_request`: two
+     arguments, the first being "get_id_value" and the second the name
+     of the ID to look up.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+   :param action: the requested dispatch command, with any arguments.
+   
+
+   :param nodes: a set of cluster node names (e.g. "worker-01") to retrieve
+      the values from. An empty set, supplied by default, means
+      retrieval from all nodes managed by the agent.
+   
+
+.. zeek:id:: Management::Agent::API::node_dispatch_response
+   :source-code: policy/frameworks/management/controller/main.zeek 1230 1295
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, results: :zeek:type:`Management::ResultVec`)
+
+   Response to a
+   :zeek:see:`Management::Agent::API::node_dispatch_request` event. Each
+   agent sends this back to the controller to report the dispatch
+   outcomes on all nodes managed by that agent.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param results: a :zeek:type:`vector` of :zeek:see:`Management::Result`
+       records. Each record covers one Zeek cluster node managed by this
+       agent. Upon success, each :zeek:see:`Management::Result` record's
+       data member contains the dispatches' response in a data type
+       appropriate for the respective dispatch.
+   
+
+.. zeek:id:: Management::Agent::API::notify_agent_hello
+   :source-code: policy/frameworks/management/controller/main.zeek 835 898
+
+   :Type: :zeek:type:`event` (instance: :zeek:type:`string`, id: :zeek:type:`string`, connecting: :zeek:type:`bool`, api_version: :zeek:type:`count`)
+
+   The agent sends this event upon peering as a "check-in", informing
+   the controller that an agent of the given name is now available to
+   communicate with. It is a controller-level equivalent of
+   :zeek:see:`Broker::peer_added` and triggered by it.
+   
+
+   :param instance: an instance name, really the agent's name as per
+      :zeek:see:`Management::Agent::get_name`.
+   
+
+   :param id: the Broker ID of the agent.
+   
+
+   :param connecting: true if this agent connected to the controller,
+      false if the controller connected to the agent.
+   
+
+   :param api_version: the API version of this agent.
+   
+
+.. zeek:id:: Management::Agent::API::notify_change
+   :source-code: policy/frameworks/management/controller/main.zeek 929 930
+
+   :Type: :zeek:type:`event` (instance: :zeek:type:`string`, n: :zeek:type:`Management::Node`, old: :zeek:type:`Management::State`, new: :zeek:type:`Management::State`)
+
+
+.. zeek:id:: Management::Agent::API::notify_error
+   :source-code: policy/frameworks/management/controller/main.zeek 934 935
+
+   :Type: :zeek:type:`event` (instance: :zeek:type:`string`, msg: :zeek:type:`string`, node: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
+
+
+.. zeek:id:: Management::Agent::API::notify_log
+   :source-code: policy/frameworks/management/controller/main.zeek 939 940
+
+   :Type: :zeek:type:`event` (instance: :zeek:type:`string`, msg: :zeek:type:`string`, node: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
+
+
+.. zeek:id:: Management::Agent::API::restart_request
+   :source-code: policy/frameworks/management/agent/main.zeek 934 1008
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, nodes: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`)
+
+   The controller sends this event to ask the agent to restart currently
+   running Zeek cluster nodes. For nodes currently running, the agent
+   places these nodes into PENDING state and sends restart events to the
+   Supervisor, rendering its responses into a list of
+   :zeek:see:`Management::Result` records summarizing each node restart.
+   When restarted nodes check in with the agent, they switch back to
+   RUNNING state. The agent ignores nodes not currently running.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+   :param nodes: a set of cluster node names (e.g. "worker-01") to restart. An
+      empty set, supplied by default, means restart of all of the
+      agent's current cluster nodes.
+   
+
+.. zeek:id:: Management::Agent::API::restart_response
+   :source-code: policy/frameworks/management/controller/main.zeek 1376 1414
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, results: :zeek:type:`Management::ResultVec`)
+
+   Response to a :zeek:see:`Management::Agent::API::restart_request`
+   event. The agent sends this back to the controller when the
+   Supervisor has restarted all nodes affected, or a timeout occurs.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param results: a :zeek:type:`vector` of :zeek:see:`Management::Result`, one
+       for each Supervisor transaction. Each such result identifies both
+       the instance and node.
+   
+
+
diff --git a/doc/scripts/policy/frameworks/management/agent/boot.zeek.rst b/doc/scripts/policy/frameworks/management/agent/boot.zeek.rst
new file mode 100644
index 0000000000..1d2fd9a792
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/agent/boot.zeek.rst
@@ -0,0 +1,26 @@
+:tocdepth: 3
+
+policy/frameworks/management/agent/boot.zeek
+============================================
+
+The cluster agent boot logic runs in Zeek's supervisor and instructs it to
+launch a Management agent process. The agent's main logic resides in main.zeek,
+similarly to other frameworks. The new process will execute that script.
+
+If the current process is not the Zeek supervisor, this does nothing.
+
+:Imports: :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`, :doc:`policy/frameworks/management/agent/config.zeek </scripts/policy/frameworks/management/agent/config.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+================================================================================== =
+:zeek:id:`Broker::default_listen_address`: :zeek:type:`string` :zeek:attr:`&redef` 
+:zeek:id:`SupervisorControl::enable_listen`: :zeek:type:`bool` :zeek:attr:`&redef` 
+================================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/agent/config.zeek.rst b/doc/scripts/policy/frameworks/management/agent/config.zeek.rst
new file mode 100644
index 0000000000..b1c1876fea
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/agent/config.zeek.rst
@@ -0,0 +1,235 @@
+:tocdepth: 3
+
+policy/frameworks/management/agent/config.zeek
+==============================================
+.. zeek:namespace:: Management::Agent
+
+Configuration settings for a cluster agent.
+
+:Namespace: Management::Agent
+:Imports: :doc:`base/misc/installation.zeek </scripts/base/misc/installation.zeek>`, :doc:`policy/frameworks/management </scripts/policy/frameworks/management/index>`, :doc:`policy/frameworks/management/controller/config.zeek </scripts/policy/frameworks/management/controller/config.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================================== =====================================================================================
+:zeek:id:`Management::Agent::archive_cmd`: :zeek:type:`string` :zeek:attr:`&redef`             The archival command.
+:zeek:id:`Management::Agent::archive_dir`: :zeek:type:`string` :zeek:attr:`&redef`             The destination interval for archived logs.
+:zeek:id:`Management::Agent::archive_interval`: :zeek:type:`interval` :zeek:attr:`&redef`      The archival interval to use.
+:zeek:id:`Management::Agent::archive_logs`: :zeek:type:`bool` :zeek:attr:`&redef`              Whether the agent should periodically invoke zeek-archiver to
+                                                                                               finalize logs.
+:zeek:id:`Management::Agent::controller`: :zeek:type:`Broker::NetworkInfo` :zeek:attr:`&redef` The network coordinates of the controller.
+:zeek:id:`Management::Agent::default_port`: :zeek:type:`port` :zeek:attr:`&redef`              The fallback listen port if :zeek:see:`Management::Agent::listen_port` remains empty.
+:zeek:id:`Management::Agent::directory`: :zeek:type:`string` :zeek:attr:`&redef`               An optional working directory for the agent.
+:zeek:id:`Management::Agent::listen_address`: :zeek:type:`string` :zeek:attr:`&redef`          The network address the agent listens on.
+:zeek:id:`Management::Agent::listen_port`: :zeek:type:`string` :zeek:attr:`&redef`             The network port the agent listens on.
+:zeek:id:`Management::Agent::name`: :zeek:type:`string` :zeek:attr:`&redef`                    The name this agent uses to represent the cluster instance it
+                                                                                               manages.
+:zeek:id:`Management::Agent::stderr_file`: :zeek:type:`string` :zeek:attr:`&redef`             Agent stderr log configuration.
+:zeek:id:`Management::Agent::stdout_file`: :zeek:type:`string` :zeek:attr:`&redef`             Agent stdout log configuration.
+:zeek:id:`Management::Agent::topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef`            The agent's Broker topic prefix.
+============================================================================================== =====================================================================================
+
+Functions
+#########
+================================================================== =====================================================================
+:zeek:id:`Management::Agent::endpoint_info`: :zeek:type:`function` Returns a :zeek:see:`Broker::EndpointInfo` record for this instance.
+:zeek:id:`Management::Agent::get_name`: :zeek:type:`function`      Returns the effective name of this agent.
+:zeek:id:`Management::Agent::instance`: :zeek:type:`function`      Returns a :zeek:see:`Management::Instance` describing this
+                                                                   instance (its agent name plus listening address/port, as applicable).
+================================================================== =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Management::Agent::archive_cmd
+   :source-code: policy/frameworks/management/agent/config.zeek 63 63
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The archival command. When empty, defaults to the zeek-archiver
+   installed with the Zeek distribution. Whatever the command, the
+   agent will invoke it like zeek-archiver, so take a look at its
+   command-line arguments if you're planning to put in place a
+   substitute. Archival happens from the
+   :zeek:see:`Log::default_rotation_dir` to
+   :zeek:see:`Management::Agent::archive_dir`.
+
+.. zeek:id:: Management::Agent::archive_dir
+   :source-code: policy/frameworks/management/agent/config.zeek 66 66
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"/usr/local/zeek/logs"``
+
+   The destination interval for archived logs.
+
+.. zeek:id:: Management::Agent::archive_interval
+   :source-code: policy/frameworks/management/agent/config.zeek 54 54
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0 secs``
+
+   The archival interval to use. When 0, it defaults to the log rotation
+   interval.
+
+.. zeek:id:: Management::Agent::archive_logs
+   :source-code: policy/frameworks/management/agent/config.zeek 50 50
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether the agent should periodically invoke zeek-archiver to
+   finalize logs.
+
+.. zeek:id:: Management::Agent::controller
+   :source-code: policy/frameworks/management/agent/config.zeek 79 79
+
+   :Type: :zeek:type:`Broker::NetworkInfo`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            address="127.0.0.1"
+            bound_port=2150/tcp
+         }
+
+
+   The network coordinates of the controller. By default, the agent
+   connects locally to the controller at its default port. Assigning
+   a :zeek:see:`Broker::NetworkInfo` record with IP address "0.0.0.0"
+   means the controller should instead connect to the agent. If you'd
+   like to use that mode, make sure to set
+   :zeek:see:`Management::Agent::listen_address` and
+   :zeek:see:`Management::Agent::listen_port` as needed.
+
+.. zeek:id:: Management::Agent::default_port
+   :source-code: policy/frameworks/management/agent/config.zeek 46 46
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2151/tcp``
+
+   The fallback listen port if :zeek:see:`Management::Agent::listen_port` remains empty.
+
+.. zeek:id:: Management::Agent::directory
+   :source-code: policy/frameworks/management/agent/config.zeek 87 87
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   An optional working directory for the agent. Agent and controller
+   currently only log locally, not via the Zeek cluster's logger
+   node. This means that if multiple agents and/or controllers work from
+   the same directory, output may get garbled. When not set, defaults to
+   a directory named after the agent (as per its get_name() result).
+
+.. zeek:id:: Management::Agent::listen_address
+   :source-code: policy/frameworks/management/agent/config.zeek 38 38
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The network address the agent listens on. This only takes effect if
+   the agent isn't configured to connect to the controller (see
+   :zeek:see:`Management::Agent::controller`). By default this uses the value of the
+   ZEEK_AGENT_ADDR environment variable, but you may also redef to
+   a specific value. When empty, the implementation falls back to
+   :zeek:see:`Management::default_address`.
+
+.. zeek:id:: Management::Agent::listen_port
+   :source-code: policy/frameworks/management/agent/config.zeek 43 43
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The network port the agent listens on. Counterpart to
+   :zeek:see:`Management::Agent::listen_address`, defaulting to the ZEEK_AGENT_PORT
+   environment variable.
+
+.. zeek:id:: Management::Agent::name
+   :source-code: policy/frameworks/management/agent/config.zeek 17 17
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The name this agent uses to represent the cluster instance it
+   manages. Defaults to the value of the ZEEK_AGENT_NAME environment
+   variable. When that is unset and you don't redef the value,
+   the implementation defaults to "agent-<hostname>".
+
+.. zeek:id:: Management::Agent::stderr_file
+   :source-code: policy/frameworks/management/agent/config.zeek 30 30
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"stderr"``
+
+   Agent stderr log configuration. Like :zeek:see:`Management::Agent::stdout_file`,
+   but for the stderr stream.
+
+.. zeek:id:: Management::Agent::stdout_file
+   :source-code: policy/frameworks/management/agent/config.zeek 26 26
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"stdout"``
+
+   Agent stdout log configuration. If the string is non-empty, Zeek will
+   produce a free-form log (i.e., not one governed by Zeek's logging
+   framework) in the agent's working directory. If left empty, no such
+   log results.
+   
+   Note that the agent also establishes a "proper" Zeek log via the
+   :zeek:see:`Management::Log` module.
+
+.. zeek:id:: Management::Agent::topic_prefix
+   :source-code: policy/frameworks/management/agent/config.zeek 70 70
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/management/agent"``
+
+   The agent's Broker topic prefix. For its own communication, the agent
+   suffixes this with "/<name>", based on :zeek:see:`Management::Agent::get_name`.
+
+Functions
+#########
+.. zeek:id:: Management::Agent::endpoint_info
+   :source-code: policy/frameworks/management/agent/config.zeek 118 140
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::EndpointInfo`
+
+   Returns a :zeek:see:`Broker::EndpointInfo` record for this instance.
+   Similar to :zeek:see:`Management::Agent::instance`, but with slightly different
+   data format.
+
+.. zeek:id:: Management::Agent::get_name
+   :source-code: policy/frameworks/management/agent/config.zeek 102 108
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Returns the effective name of this agent.
+
+.. zeek:id:: Management::Agent::instance
+   :source-code: policy/frameworks/management/agent/config.zeek 110 116
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Management::Instance`
+
+   Returns a :zeek:see:`Management::Instance` describing this
+   instance (its agent name plus listening address/port, as applicable).
+
+
diff --git a/doc/scripts/policy/frameworks/management/agent/index.rst b/doc/scripts/policy/frameworks/management/agent/index.rst
new file mode 100644
index 0000000000..8f29b32bc6
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/agent/index.rst
@@ -0,0 +1,37 @@
+:orphan:
+
+Package: policy/frameworks/management/agent
+===========================================
+
+
+:doc:`/scripts/policy/frameworks/management/agent/__load__.zeek`
+
+   The entry point for the Management framework's cluster agent. It runs
+   bootstrap logic for launching an agent process via Zeek's Supervisor.
+
+:doc:`/scripts/policy/frameworks/management/agent/api.zeek`
+
+   The event API of cluster agents. Most endpoints consist of event pairs,
+   where the agent answers a request event with a corresponding response
+   event. Such event pairs share the same name prefix and end in "_request" and
+   "_response", respectively.
+
+:doc:`/scripts/policy/frameworks/management/agent/boot.zeek`
+
+   The cluster agent boot logic runs in Zeek's supervisor and instructs it to
+   launch a Management agent process. The agent's main logic resides in main.zeek,
+   similarly to other frameworks. The new process will execute that script.
+   
+   If the current process is not the Zeek supervisor, this does nothing.
+
+:doc:`/scripts/policy/frameworks/management/agent/config.zeek`
+
+   Configuration settings for a cluster agent.
+
+:doc:`/scripts/policy/frameworks/management/agent/main.zeek`
+
+   This is the main "runtime" of a cluster agent. Zeek does not load this
+   directly; rather, the agent's bootstrapping module (in ./boot.zeek)
+   specifies it as the script to run in the node newly created via Zeek's
+   supervisor.
+
diff --git a/doc/scripts/policy/frameworks/management/agent/main.zeek.rst b/doc/scripts/policy/frameworks/management/agent/main.zeek.rst
new file mode 100644
index 0000000000..de38a1e03a
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/agent/main.zeek.rst
@@ -0,0 +1,136 @@
+:tocdepth: 3
+
+policy/frameworks/management/agent/main.zeek
+============================================
+.. zeek:namespace:: Management::Agent::Runtime
+
+This is the main "runtime" of a cluster agent. Zeek does not load this
+directly; rather, the agent's bootstrapping module (in ./boot.zeek)
+specifies it as the script to run in the node newly created via Zeek's
+supervisor.
+
+:Namespace: Management::Agent::Runtime
+:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`, :doc:`policy/frameworks/management </scripts/policy/frameworks/management/index>`, :doc:`policy/frameworks/management/agent/api.zeek </scripts/policy/frameworks/management/agent/api.zeek>`, :doc:`policy/frameworks/management/agent/config.zeek </scripts/policy/frameworks/management/agent/config.zeek>`, :doc:`policy/frameworks/management/node/api.zeek </scripts/policy/frameworks/management/node/api.zeek>`, :doc:`policy/frameworks/management/node/config.zeek </scripts/policy/frameworks/management/node/config.zeek>`, :doc:`policy/frameworks/management/supervisor/api.zeek </scripts/policy/frameworks/management/supervisor/api.zeek>`, :doc:`policy/frameworks/management/supervisor/config.zeek </scripts/policy/frameworks/management/supervisor/config.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+=============================================================================== ================================================================
+:zeek:type:`Management::Agent::Runtime::DeployState`: :zeek:type:`record`       Request state for deploy requests.
+:zeek:type:`Management::Agent::Runtime::NodeDispatchState`: :zeek:type:`record` Request state for node dispatches, tracking the requested action
+                                                                                as well as received responses.
+:zeek:type:`Management::Agent::Runtime::RestartState`: :zeek:type:`record`      Request state for restart requests, tracking received responses.
+:zeek:type:`Management::Agent::Runtime::SupervisorState`: :zeek:type:`record`   Request state specific to the agent's Supervisor interactions.
+=============================================================================== ================================================================
+
+Redefinitions
+#############
+=========================================================================================== ==============================================================================================================
+:zeek:type:`Management::Request::Request`: :zeek:type:`record`                              
+                                                                                            
+                                                                                            :New Fields: :zeek:type:`Management::Request::Request`
+                                                                                            
+                                                                                              supervisor_state_agent: :zeek:type:`Management::Agent::Runtime::SupervisorState` :zeek:attr:`&optional`
+                                                                                            
+                                                                                              deploy_state_agent: :zeek:type:`Management::Agent::Runtime::DeployState` :zeek:attr:`&optional`
+                                                                                            
+                                                                                              node_dispatch_state_agent: :zeek:type:`Management::Agent::Runtime::NodeDispatchState` :zeek:attr:`&optional`
+                                                                                            
+                                                                                              restart_state_agent: :zeek:type:`Management::Agent::Runtime::RestartState` :zeek:attr:`&optional`
+:zeek:id:`Management::Request::timeout_interval`: :zeek:type:`interval` :zeek:attr:`&redef` 
+:zeek:id:`Management::role`: :zeek:type:`Management::Role` :zeek:attr:`&redef`              
+:zeek:id:`table_expire_interval`: :zeek:type:`interval` :zeek:attr:`&redef`                 
+=========================================================================================== ==============================================================================================================
+
+Events
+######
+=============================================================================== =
+:zeek:id:`Management::Agent::Runtime::trigger_log_archival`: :zeek:type:`event` 
+=============================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Management::Agent::Runtime::DeployState
+   :source-code: policy/frameworks/management/agent/main.zeek 35 39
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: nodes_pending :zeek:type:`set` [:zeek:type:`string`]
+
+      Zeek cluster nodes the provided configuration requested
+      and which have not yet checked in with the agent.
+
+
+   Request state for deploy requests.
+
+.. zeek:type:: Management::Agent::Runtime::NodeDispatchState
+   :source-code: policy/frameworks/management/agent/main.zeek 43 50
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: action :zeek:type:`vector` of :zeek:type:`string`
+
+      The dispatched action. The first string is a command,
+      any remaining strings its arguments.
+
+
+   .. zeek:field:: requests :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Request state for every node managed by this agent.
+
+
+   Request state for node dispatches, tracking the requested action
+   as well as received responses.
+
+.. zeek:type:: Management::Agent::Runtime::RestartState
+   :source-code: policy/frameworks/management/agent/main.zeek 53 57
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: requests :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Request state for every node the agent asks the Supervisor
+      to restart.
+
+
+   Request state for restart requests, tracking received responses.
+
+.. zeek:type:: Management::Agent::Runtime::SupervisorState
+   :source-code: policy/frameworks/management/agent/main.zeek 25 32
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: node :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+      Name of the node the Supervisor is acting on, if applicable.
+
+
+   .. zeek:field:: status :zeek:type:`Supervisor::Status` :zeek:attr:`&optional`
+
+      The result of a status request.
+
+
+   .. zeek:field:: restart_result :zeek:type:`bool` :zeek:attr:`&optional`
+
+      The result of a restart request.
+
+
+   Request state specific to the agent's Supervisor interactions.
+
+Events
+######
+.. zeek:id:: Management::Agent::Runtime::trigger_log_archival
+   :source-code: policy/frameworks/management/agent/main.zeek 217 261
+
+   :Type: :zeek:type:`event` (run_archival: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`)
+
+
+
diff --git a/doc/scripts/policy/frameworks/management/config.zeek.rst b/doc/scripts/policy/frameworks/management/config.zeek.rst
new file mode 100644
index 0000000000..7069da718b
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/config.zeek.rst
@@ -0,0 +1,139 @@
+:tocdepth: 3
+
+policy/frameworks/management/config.zeek
+========================================
+.. zeek:namespace:: Management
+
+Management framework configuration settings common to agent and controller.
+This does not include config settings that exist in both agent and
+controller but that they set differently, since setting defaults here would
+be awkward or pointless (since both node types would overwrite them
+anyway). For role-specific settings, see management/controller/config.zeek
+and management/agent/config.zeek.
+
+:Namespace: Management
+:Imports: :doc:`base/misc/installation.zeek </scripts/base/misc/installation.zeek>`, :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=============================================================================== ===================================================================
+:zeek:id:`Management::connect_retry`: :zeek:type:`interval` :zeek:attr:`&redef` The retry interval for Broker connects.
+:zeek:id:`Management::default_address`: :zeek:type:`string` :zeek:attr:`&redef` The fallback listen address if more specific addresses, such as
+                                                                                the controller's :zeek:see:`Management::Controller::listen_address`
+                                                                                remains empty.
+:zeek:id:`Management::role`: :zeek:type:`Management::Role` :zeek:attr:`&redef`  The role of this process in cluster management.
+:zeek:id:`Management::spool_dir`: :zeek:type:`string` :zeek:attr:`&redef`       The toplevel directory in which the Management framework creates
+                                                                                spool state for any Zeek nodes, including the Zeek cluster, agents,
+                                                                                and the controller.
+:zeek:id:`Management::state_dir`: :zeek:type:`string` :zeek:attr:`&redef`       The toplevel directory for variable state, such as Broker data
+                                                                                stores.
+=============================================================================== ===================================================================
+
+Functions
+#########
+=========================================================== ===================================================================
+:zeek:id:`Management::get_spool_dir`: :zeek:type:`function` Returns the effective spool directory for the management framework.
+:zeek:id:`Management::get_state_dir`: :zeek:type:`function` Returns the effective state directory for the management framework.
+=========================================================== ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Management::connect_retry
+   :source-code: policy/frameworks/management/config.zeek 27 27
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 sec``
+
+   The retry interval for Broker connects. Defaults to a more
+   aggressive value compared to Broker's 30s.
+
+.. zeek:id:: Management::default_address
+   :source-code: policy/frameworks/management/config.zeek 23 23
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"0.0.0.0"``
+
+   The fallback listen address if more specific addresses, such as
+   the controller's :zeek:see:`Management::Controller::listen_address`
+   remains empty. Unless redefined, this listens on all interfaces.
+
+.. zeek:id:: Management::role
+   :source-code: policy/frameworks/management/config.zeek 18 18
+
+   :Type: :zeek:type:`Management::Role`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Management::NONE``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/agent/main.zeek`
+
+      ``=``::
+
+         Management::AGENT
+
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/controller/main.zeek`
+
+      ``=``::
+
+         Management::CONTROLLER
+
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/node/main.zeek`
+
+      ``=``::
+
+         Management::NODE
+
+
+   The role of this process in cluster management. Use this to
+   differentiate code based on the type of node in which it ends up
+   running.
+
+.. zeek:id:: Management::spool_dir
+   :source-code: policy/frameworks/management/config.zeek 33 33
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The toplevel directory in which the Management framework creates
+   spool state for any Zeek nodes, including the Zeek cluster, agents,
+   and the controller. Don't use this directly, use the
+   :zeek:see:`Management::get_spool_dir` function.
+
+.. zeek:id:: Management::state_dir
+   :source-code: policy/frameworks/management/config.zeek 38 38
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The toplevel directory for variable state, such as Broker data
+   stores. Don't use this directly, use the
+   :zeek:see:`Management::get_state_dir` function.
+
+Functions
+#########
+.. zeek:id:: Management::get_spool_dir
+   :source-code: policy/frameworks/management/config.zeek 51 57
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Returns the effective spool directory for the management framework.
+   That's :zeek:see:`Management::spool_dir` when set, otherwise the
+   installation's spool directory.
+
+.. zeek:id:: Management::get_state_dir
+   :source-code: policy/frameworks/management/config.zeek 59 65
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Returns the effective state directory for the management framework.
+   That's :zeek:see:`Management::state_dir` when set, otherwise the
+   installation's state directory.
+
+
diff --git a/doc/scripts/policy/frameworks/management/controller/__load__.zeek.rst b/doc/scripts/policy/frameworks/management/controller/__load__.zeek.rst
new file mode 100644
index 0000000000..9dd3613aa5
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/controller/__load__.zeek.rst
@@ -0,0 +1,15 @@
+:tocdepth: 3
+
+policy/frameworks/management/controller/__load__.zeek
+=====================================================
+
+The entry point for the Management framework's cluster controller. It runs
+bootstrap logic for launching a controller process via Zeek's Supervisor.
+
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/controller/api.zeek.rst b/doc/scripts/policy/frameworks/management/controller/api.zeek.rst
new file mode 100644
index 0000000000..97dfc6af9e
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/controller/api.zeek.rst
@@ -0,0 +1,402 @@
+:tocdepth: 3
+
+policy/frameworks/management/controller/api.zeek
+================================================
+.. zeek:namespace:: Management::Controller::API
+
+The event API of cluster controllers. Most endpoints consist of event pairs,
+where the controller answers the client's request event with a corresponding
+response event. Such event pairs share the same name prefix and end in
+"_request" and "_response", respectively.
+
+:Namespace: Management::Controller::API
+:Imports: :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`
+
+Summary
+~~~~~~~
+Constants
+#########
+=================================================================== ================================================================
+:zeek:id:`Management::Controller::API::version`: :zeek:type:`count` A simple versioning scheme, used to track basic compatibility of
+                                                                    controller, agents, and the client.
+=================================================================== ================================================================
+
+Events
+######
+======================================================================================== ======================================================================
+:zeek:id:`Management::Controller::API::deploy_request`: :zeek:type:`event`               Trigger deployment of a previously staged configuration.
+:zeek:id:`Management::Controller::API::deploy_response`: :zeek:type:`event`              Response to a :zeek:see:`Management::Controller::API::deploy_request`
+                                                                                         event.
+:zeek:id:`Management::Controller::API::get_configuration_request`: :zeek:type:`event`    The client sends this event to retrieve the controller's current
+                                                                                         cluster configuration(s).
+:zeek:id:`Management::Controller::API::get_configuration_response`: :zeek:type:`event`   Response to a
+                                                                                         :zeek:see:`Management::Controller::API::get_configuration_request`
+                                                                                         event.
+:zeek:id:`Management::Controller::API::get_id_value_request`: :zeek:type:`event`         The client sends this event to retrieve the current value of a
+                                                                                         variable in Zeek's global namespace, referenced by the given
+                                                                                         identifier (i.e., variable name).
+:zeek:id:`Management::Controller::API::get_id_value_response`: :zeek:type:`event`        Response to a
+                                                                                         :zeek:see:`Management::Controller::API::get_id_value_request`
+                                                                                         event.
+:zeek:id:`Management::Controller::API::get_instances_request`: :zeek:type:`event`        The client sends this event to request a list of the currently
+                                                                                         peered agents/instances.
+:zeek:id:`Management::Controller::API::get_instances_response`: :zeek:type:`event`       Response to a
+                                                                                         :zeek:see:`Management::Controller::API::get_instances_request`
+                                                                                         event.
+:zeek:id:`Management::Controller::API::get_nodes_request`: :zeek:type:`event`            The client sends this event to request a list of
+                                                                                         :zeek:see:`Management::NodeStatus` records that capture
+                                                                                         the status of Supervisor-managed nodes running on the cluster's
+                                                                                         instances.
+:zeek:id:`Management::Controller::API::get_nodes_response`: :zeek:type:`event`           Response to a
+                                                                                         :zeek:see:`Management::Controller::API::get_nodes_request` event.
+:zeek:id:`Management::Controller::API::notify_agents_ready`: :zeek:type:`event`          The controller triggers this event when the operational cluster
+                                                                                         instances align with the ones desired by the cluster
+                                                                                         configuration.
+:zeek:id:`Management::Controller::API::restart_request`: :zeek:type:`event`              The client sends this event to restart currently running Zeek cluster
+                                                                                         nodes.
+:zeek:id:`Management::Controller::API::restart_response`: :zeek:type:`event`             Response to a :zeek:see:`Management::Controller::API::restart_request`
+                                                                                         event.
+:zeek:id:`Management::Controller::API::stage_configuration_request`: :zeek:type:`event`  Upload a configuration to the controller for later deployment.
+:zeek:id:`Management::Controller::API::stage_configuration_response`: :zeek:type:`event` Response to a
+                                                                                         :zeek:see:`Management::Controller::API::stage_configuration_request`
+                                                                                         event.
+:zeek:id:`Management::Controller::API::test_timeout_request`: :zeek:type:`event`         This event causes no further action (other than getting logged) if
+                                                                                         with_state is F.
+:zeek:id:`Management::Controller::API::test_timeout_response`: :zeek:type:`event`        Response to a
+                                                                                         :zeek:see:`Management::Controller::API::test_timeout_request`
+                                                                                         event.
+======================================================================================== ======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Constants
+#########
+.. zeek:id:: Management::Controller::API::version
+   :source-code: policy/frameworks/management/controller/api.zeek 13 13
+
+   :Type: :zeek:type:`count`
+   :Default: ``1``
+
+   A simple versioning scheme, used to track basic compatibility of
+   controller, agents, and the client.
+
+Events
+######
+.. zeek:id:: Management::Controller::API::deploy_request
+   :source-code: policy/frameworks/management/controller/main.zeek 1088 1128
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`)
+
+   Trigger deployment of a previously staged configuration.  The client
+   sends this event to the controller, which deploys the configuration
+   to the agents. Agents then terminate any previously running cluster
+   nodes and (re-)launch those defined in the new configuration. Once
+   each agent has responded (or a timeout occurs), the controller sends
+   a response event back to the client, aggregating the results from the
+   agents. The controller keeps the staged configuration available for
+   download, or re-deployment.  In addition, the deployed configuration
+   becomes available for download as well, with any augmentations
+   (e.g. node ports filled in by auto-assignment) reflected.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+.. zeek:id:: Management::Controller::API::deploy_response
+   :source-code: policy/frameworks/management/controller/api.zeek 119 119
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, results: :zeek:type:`Management::ResultVec`)
+
+   Response to a :zeek:see:`Management::Controller::API::deploy_request`
+   event. The controller sends this back to the client, conveying the
+   outcome of the deployment.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param results: a vector of :zeek:see:`Management::Result` records.
+       Each member captures the result of launching one cluster
+       node captured in the configuration, or an agent-wide error
+       when the result does not indicate a particular node.
+   
+
+.. zeek:id:: Management::Controller::API::get_configuration_request
+   :source-code: policy/frameworks/management/controller/main.zeek 1063 1086
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, deployed: :zeek:type:`bool`)
+
+   The client sends this event to retrieve the controller's current
+   cluster configuration(s).
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+   :param deployed: when true, returns the deployed configuration (if any),
+       otherwise the staged one (if any).
+   
+
+.. zeek:id:: Management::Controller::API::get_configuration_response
+   :source-code: policy/frameworks/management/controller/api.zeek 89 89
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`Management::Result`)
+
+   Response to a
+   :zeek:see:`Management::Controller::API::get_configuration_request`
+   event. The controller sends this back to the client, with the
+   requested configuration.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param result: a :zeek:see:`Management::Result` record with a successful
+       :zeek:see:`Management::Configuration` in the data member, if
+       a configuration is currently deployed. Otherwise, a Result
+       record in error state, with no data value assigned.
+   
+
+.. zeek:id:: Management::Controller::API::get_id_value_request
+   :source-code: policy/frameworks/management/controller/main.zeek 1297 1374
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, id: :zeek:type:`string`, nodes: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`)
+
+   The client sends this event to retrieve the current value of a
+   variable in Zeek's global namespace, referenced by the given
+   identifier (i.e., variable name). The controller asks all agents
+   to retrieve this value from each cluster node, accumulates the
+   returned responses, and responds with a get_id_value_response
+   event back to the client.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+   :param id: the name of the variable whose value to retrieve.
+   
+
+   :param nodes: a set of cluster node names (e.g. "worker-01") to retrieve
+      the values from. An empty set, supplied by default, means
+      retrieval from all current cluster nodes.
+   
+
+.. zeek:id:: Management::Controller::API::get_id_value_response
+   :source-code: policy/frameworks/management/controller/api.zeek 182 182
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, results: :zeek:type:`Management::ResultVec`)
+
+   Response to a
+   :zeek:see:`Management::Controller::API::get_id_value_request`
+   event. The controller sends this back to the client, with a JSON
+   representation of the requested global ID on all relevant instances.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param results: a :zeek:type:`vector` of :zeek:see:`Management::Result`
+       records. Each record covers one Zeek cluster node. Each record's
+       data field contains a string with the JSON rendering (as produced
+       by :zeek:id:`to_json`, including the error strings it potentially
+       returns).
+   
+
+.. zeek:id:: Management::Controller::API::get_instances_request
+   :source-code: policy/frameworks/management/controller/main.zeek 1130 1151
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`)
+
+   The client sends this event to request a list of the currently
+   peered agents/instances.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+.. zeek:id:: Management::Controller::API::get_instances_response
+   :source-code: policy/frameworks/management/controller/api.zeek 32 32
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`Management::Result`)
+
+   Response to a
+   :zeek:see:`Management::Controller::API::get_instances_request`
+   event. The controller sends this back to the client.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param result: a :zeek:see:`Management::Result`. Its data member is a vector
+       of :zeek:see:`Management::Instance` records.
+   
+
+.. zeek:id:: Management::Controller::API::get_nodes_request
+   :source-code: policy/frameworks/management/controller/main.zeek 1199 1228
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`)
+
+   The client sends this event to request a list of
+   :zeek:see:`Management::NodeStatus` records that capture
+   the status of Supervisor-managed nodes running on the cluster's
+   instances.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+.. zeek:id:: Management::Controller::API::get_nodes_response
+   :source-code: policy/frameworks/management/controller/api.zeek 147 147
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, results: :zeek:type:`Management::ResultVec`)
+
+   Response to a
+   :zeek:see:`Management::Controller::API::get_nodes_request` event. The
+   controller sends this back to the client, with a description of the
+   nodes currently managed by the Supervisors on all connected
+   instances. This includes agents and possibly the controller, if it
+   runs jointly with an agent.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param results: a :zeek:type:`vector` of :zeek:see:`Management::Result`
+       records. Each record covers one cluster instance. Each record's
+       data member is a vector of :zeek:see:`Management::NodeStatus`
+       records, covering the nodes at that instance. Results may also
+       indicate failure, with error messages indicating what went wrong.
+   
+
+.. zeek:id:: Management::Controller::API::notify_agents_ready
+   :source-code: policy/frameworks/management/controller/main.zeek 801 833
+
+   :Type: :zeek:type:`event` (instances: :zeek:type:`set` [:zeek:type:`string`])
+
+   The controller triggers this event when the operational cluster
+   instances align with the ones desired by the cluster
+   configuration. It's essentially a cluster management readiness
+   event. This event is currently only used internally by the controller,
+   and not published to topics.
+   
+
+   :param instances: the set of instance names now ready.
+   
+
+.. zeek:id:: Management::Controller::API::restart_request
+   :source-code: policy/frameworks/management/controller/main.zeek 1416 1509
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, nodes: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`)
+
+   The client sends this event to restart currently running Zeek cluster
+   nodes. The controller relays the request to its agents, which respond
+   with a list of :zeek:see:`Management::Result` records summarizing
+   each node restart. The controller combines these lists, and sends a
+   :zeek:see:`Management::Controller::API::restart_response` event with
+   the result.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+   :param nodes: a set of cluster node names (e.g. "worker-01") to restart.  An
+      empty set, supplied by default, means restart of all current
+      cluster nodes.
+   
+
+.. zeek:id:: Management::Controller::API::restart_response
+   :source-code: policy/frameworks/management/controller/api.zeek 213 213
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, results: :zeek:type:`Management::ResultVec`)
+
+   Response to a :zeek:see:`Management::Controller::API::restart_request`
+   event. The controller sends this back to the client when it has received
+   responses from all agents involved, or a timeout occurs.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param results: a :zeek:type:`vector` of :zeek:see:`Management::Result`,
+       combining the restart results from all agents. Each such result
+       identifies both the instance and node in question. Results that
+       do not identify an instance are generated by the controller,
+       flagging corner cases, including absence of a deployed cluster
+       or unknown nodes.
+   
+
+.. zeek:id:: Management::Controller::API::stage_configuration_request
+   :source-code: policy/frameworks/management/controller/main.zeek 1002 1061
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, config: :zeek:type:`Management::Configuration`)
+
+   Upload a configuration to the controller for later deployment.
+   The client sends this event to the controller, which validates the
+   configuration and indicates the outcome in its response event. No
+   deployment takes place yet, and existing deployed configurations and
+   the running Zeek cluster remain intact. To trigger deployment of an uploaded
+   configuration, use :zeek:see:`Management::Controller::API::deploy_request`.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+   :param config: a :zeek:see:`Management::Configuration` record
+       specifying the cluster configuration.
+   
+
+.. zeek:id:: Management::Controller::API::stage_configuration_response
+   :source-code: policy/frameworks/management/controller/api.zeek 63 63
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, results: :zeek:type:`Management::ResultVec`)
+
+   Response to a
+   :zeek:see:`Management::Controller::API::stage_configuration_request`
+   event. The controller sends this back to the client, conveying
+   validation results.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param results: a :zeek:see:`Management::Result` vector, indicating whether
+       the controller accepts the configuration. In case of a success,
+       a single result record indicates so. Otherwise, the sequence is
+       all errors, each indicating a configuration validation error.
+   
+
+.. zeek:id:: Management::Controller::API::test_timeout_request
+   :source-code: policy/frameworks/management/controller/main.zeek 1588 1599
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, with_state: :zeek:type:`bool`)
+
+   This event causes no further action (other than getting logged) if
+   with_state is F. When T, the controller establishes request state, and
+   the controller only ever sends the response event when this state times
+   out.
+   
+
+   :param reqid: a request identifier string, echoed in the response event when
+       with_state is T.
+   
+
+   :param with_state: flag indicating whether the controller should keep (and
+       time out) request state for this request.
+   
+
+.. zeek:id:: Management::Controller::API::test_timeout_response
+   :source-code: policy/frameworks/management/controller/api.zeek 238 238
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`Management::Result`)
+
+   Response to a
+   :zeek:see:`Management::Controller::API::test_timeout_request`
+   event. The controller sends this back to the client if the original
+   request had the with_state flag.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+
diff --git a/doc/scripts/policy/frameworks/management/controller/boot.zeek.rst b/doc/scripts/policy/frameworks/management/controller/boot.zeek.rst
new file mode 100644
index 0000000000..336399d5da
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/controller/boot.zeek.rst
@@ -0,0 +1,20 @@
+:tocdepth: 3
+
+policy/frameworks/management/controller/boot.zeek
+=================================================
+
+The cluster controller's boot logic runs in Zeek's supervisor and instructs
+it to launch the Management controller process. The controller's main logic
+resides in main.zeek, similarly to other frameworks. The new process will
+execute that script.
+
+If the current process is not the Zeek supervisor, this does nothing.
+
+:Imports: :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`, :doc:`policy/frameworks/management/controller/config.zeek </scripts/policy/frameworks/management/controller/config.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/controller/config.zeek.rst b/doc/scripts/policy/frameworks/management/controller/config.zeek.rst
new file mode 100644
index 0000000000..c9441a4e9d
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/controller/config.zeek.rst
@@ -0,0 +1,324 @@
+:tocdepth: 3
+
+policy/frameworks/management/controller/config.zeek
+===================================================
+.. zeek:namespace:: Management::Controller
+
+Configuration settings for the cluster controller.
+
+:Namespace: Management::Controller
+:Imports: :doc:`policy/frameworks/management </scripts/policy/frameworks/management/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================================= =====================================================================================
+:zeek:id:`Management::Controller::auto_assign_broker_ports`: :zeek:type:`bool` :zeek:attr:`&redef`                      Whether the controller should auto-assign Broker listening ports to
+                                                                                                                        cluster nodes that need them and don't have them explicitly specified
+                                                                                                                        in cluster configurations.
+:zeek:id:`Management::Controller::auto_assign_broker_start_port`: :zeek:type:`port` :zeek:attr:`&redef`                 The TCP start port to use for auto-assigning cluster node listening
+                                                                                                                        ports, if :zeek:see:`Management::Controller::auto_assign_broker_ports` is
+                                                                                                                        enabled (the default) and nodes don't come with those ports assigned.
+:zeek:id:`Management::Controller::auto_assign_metrics_ports`: :zeek:type:`bool` :zeek:attr:`&redef`                     Whether the controller should auto-assign metrics ports for Prometheus
+                                                                                                                        to nodes that need them and don't have them explicitly specified in
+                                                                                                                        their cluster configurations.
+:zeek:id:`Management::Controller::auto_assign_metrics_start_port`: :zeek:type:`port` :zeek:attr:`&redef`                The TCP start port to use for auto-assigning metrics exposition ports
+                                                                                                                        for Prometheus, if :zeek:see:`Management::Controller::auto_assign_metrics_ports`
+                                                                                                                        is enabled (the default).
+:zeek:id:`Management::Controller::default_port`: :zeek:type:`port` :zeek:attr:`&redef`                                  The fallback listen port if :zeek:see:`Management::Controller::listen_port`
+                                                                                                                        remains empty.
+:zeek:id:`Management::Controller::default_port_websocket`: :zeek:type:`port` :zeek:attr:`&redef`                        The fallback listen port if :zeek:see:`Management::Controller::listen_port_websocket`
+                                                                                                                        remains empty.
+:zeek:id:`Management::Controller::directory`: :zeek:type:`string` :zeek:attr:`&redef`                                   An optional custom output directory for stdout/stderr.
+:zeek:id:`Management::Controller::listen_address`: :zeek:type:`string` :zeek:attr:`&redef`                              The network address the controller listens on for Broker clients.
+:zeek:id:`Management::Controller::listen_address_websocket`: :zeek:type:`string` :zeek:attr:`&redef`                    The network address the controller listens on for websocket
+                                                                                                                        clients.
+:zeek:id:`Management::Controller::listen_port`: :zeek:type:`string` :zeek:attr:`&redef`                                 The network port the controller listens on for Broker clients.
+:zeek:id:`Management::Controller::listen_port_websocket`: :zeek:type:`string` :zeek:attr:`&redef`                       The network port the controller listens on for websocket clients.
+:zeek:id:`Management::Controller::name`: :zeek:type:`string` :zeek:attr:`&redef`                                        The name of this controller.
+:zeek:id:`Management::Controller::stderr_file`: :zeek:type:`string` :zeek:attr:`&redef`                                 The controller's stderr log name.
+:zeek:id:`Management::Controller::stdout_file`: :zeek:type:`string` :zeek:attr:`&redef`                                 The controller's stdout log name.
+:zeek:id:`Management::Controller::tls_options_websocket`: :zeek:type:`Cluster::WebSocketTLSOptions` :zeek:attr:`&redef` TLS options for the controller's WebSocket server.
+:zeek:id:`Management::Controller::topic`: :zeek:type:`string` :zeek:attr:`&redef`                                       The controller's Broker topic.
+======================================================================================================================= =====================================================================================
+
+Constants
+#########
+================================================================== ====================================================================
+:zeek:id:`Management::Controller::store_name`: :zeek:type:`string` The name of the Broker store the controller uses to persist internal
+                                                                   state to disk.
+================================================================== ====================================================================
+
+Functions
+#########
+================================================================================= ================================================================
+:zeek:id:`Management::Controller::endpoint_info`: :zeek:type:`function`           Returns a :zeek:see:`Broker::EndpointInfo` record describing the
+                                                                                  controller's Broker connectivity.
+:zeek:id:`Management::Controller::endpoint_info_websocket`: :zeek:type:`function` Returns a :zeek:see:`Broker::EndpointInfo` record describing the
+                                                                                  controller's websocket connectivity.
+:zeek:id:`Management::Controller::get_name`: :zeek:type:`function`                Returns the effective name of the controller.
+:zeek:id:`Management::Controller::network_info`: :zeek:type:`function`            Returns a :zeek:see:`Broker::NetworkInfo` record describing the
+                                                                                  controller's Broker connectivity.
+:zeek:id:`Management::Controller::network_info_websocket`: :zeek:type:`function`  Returns a :zeek:see:`Broker::NetworkInfo` record describing the
+                                                                                  controller's websocket connectivity.
+================================================================================= ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Management::Controller::auto_assign_broker_ports
+   :source-code: policy/frameworks/management/controller/config.zeek 75 75
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether the controller should auto-assign Broker listening ports to
+   cluster nodes that need them and don't have them explicitly specified
+   in cluster configurations.
+
+.. zeek:id:: Management::Controller::auto_assign_broker_start_port
+   :source-code: policy/frameworks/management/controller/config.zeek 80 80
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2200/tcp``
+
+   The TCP start port to use for auto-assigning cluster node listening
+   ports, if :zeek:see:`Management::Controller::auto_assign_broker_ports` is
+   enabled (the default) and nodes don't come with those ports assigned.
+
+.. zeek:id:: Management::Controller::auto_assign_metrics_ports
+   :source-code: policy/frameworks/management/controller/config.zeek 85 85
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Whether the controller should auto-assign metrics ports for Prometheus
+   to nodes that need them and don't have them explicitly specified in
+   their cluster configurations.
+
+.. zeek:id:: Management::Controller::auto_assign_metrics_start_port
+   :source-code: policy/frameworks/management/controller/config.zeek 90 90
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``9000/tcp``
+
+   The TCP start port to use for auto-assigning metrics exposition ports
+   for Prometheus, if :zeek:see:`Management::Controller::auto_assign_metrics_ports`
+   is enabled (the default).
+
+.. zeek:id:: Management::Controller::default_port
+   :source-code: policy/frameworks/management/controller/config.zeek 44 44
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2150/tcp``
+
+   The fallback listen port if :zeek:see:`Management::Controller::listen_port`
+   remains empty. When set to 0/unknown, the controller won't listen
+   for Broker connections. Don't do this if your management agents
+   connect to the controller (instead of the default other way around),
+   as they require Broker connectivity.
+
+.. zeek:id:: Management::Controller::default_port_websocket
+   :source-code: policy/frameworks/management/controller/config.zeek 62 62
+
+   :Type: :zeek:type:`port`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2149/tcp``
+
+   The fallback listen port if :zeek:see:`Management::Controller::listen_port_websocket`
+   remains empty. When set to 0/unknown, the controller won't listen
+   for websocket clients.
+
+.. zeek:id:: Management::Controller::directory
+   :source-code: policy/frameworks/management/controller/config.zeek 99 99
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   An optional custom output directory for stdout/stderr. Agent and
+   controller currently only log locally, not via the Zeek cluster's
+   logger node. This means that if both write to the same log file,
+   output gets garbled.
+
+.. zeek:id:: Management::Controller::listen_address
+   :source-code: policy/frameworks/management/controller/config.zeek 31 31
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The network address the controller listens on for Broker clients. By
+   default this uses the ZEEK_CONTROLLER_ADDR environment variable, but
+   you may also redef to a specific value. When empty, the
+   implementation falls back to :zeek:see:`Management::default_address`.
+
+.. zeek:id:: Management::Controller::listen_address_websocket
+   :source-code: policy/frameworks/management/controller/config.zeek 51 51
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The network address the controller listens on for websocket
+   clients. By default this uses the ZEEK_CONTROLLER_WEBSOCKET_ADDR
+   environment variable, but you may also redef to a specific
+   value. When empty, the implementation falls back to
+   :zeek:see:`Management::default_address`.
+
+.. zeek:id:: Management::Controller::listen_port
+   :source-code: policy/frameworks/management/controller/config.zeek 37 37
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The network port the controller listens on for Broker clients.
+   Defaults to the ZEEK_CONTROLLER_PORT environment variable.
+   When that is not set, the implementation falls back to
+   :zeek:see:`Management::Controller::default_port`.
+
+.. zeek:id:: Management::Controller::listen_port_websocket
+   :source-code: policy/frameworks/management/controller/config.zeek 57 57
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The network port the controller listens on for websocket clients.
+   Defaults to the ZEEK_CONTROLLER_WEBSOCKET_PORT environment
+   variable. When that is not set, the implementation falls back to
+   :zeek:see:`Management::Controller::default_port_websocket`.
+
+.. zeek:id:: Management::Controller::name
+   :source-code: policy/frameworks/management/controller/config.zeek 12 12
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The name of this controller. Defaults to the value of the
+   ZEEK_CONTROLLER_NAME environment variable. When that is unset and the
+   user doesn't redef the value, the implementation defaults to
+   "controller-<hostname>".
+
+.. zeek:id:: Management::Controller::stderr_file
+   :source-code: policy/frameworks/management/controller/config.zeek 25 25
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"stderr"``
+
+   The controller's stderr log name. Like :zeek:see:`Management::Controller::stdout_file`,
+   but for the stderr stream.
+
+.. zeek:id:: Management::Controller::stdout_file
+   :source-code: policy/frameworks/management/controller/config.zeek 21 21
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"stdout"``
+
+   The controller's stdout log name. If the string is non-empty, Zeek
+   will produce a free-form log (i.e., not one governed by Zeek's
+   logging framework) in the controller's working directory. If left
+   empty, no such log results.
+   
+   Note that the controller also establishes a "proper" Zeek log via the
+   :zeek:see:`Management::Log` module.
+
+.. zeek:id:: Management::Controller::tls_options_websocket
+   :source-code: policy/frameworks/management/controller/config.zeek 70 70
+
+   :Type: :zeek:type:`Cluster::WebSocketTLSOptions`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            cert_file=<uninitialized>
+            key_file=<uninitialized>
+            enable_peer_verification=F
+            ca_file=""
+            ciphers=""
+         }
+
+
+   TLS options for the controller's WebSocket server. The default is
+   to operate unencrypted. To replicate Broker's default encryption
+   without endpoint validation, set the
+   :zeek:field:`Cluster::WebSocketTLSOptions$ca_file` field to
+   "NONE" and :zeek:field:`Cluster::WebSocketTLSOptions$ciphers` to
+   "AECDH-AES256-SHA@SECLEVEL=0:AECDH-AES256-SHA:P-384".
+
+.. zeek:id:: Management::Controller::topic
+   :source-code: policy/frameworks/management/controller/config.zeek 93 93
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/management/controller"``
+
+   The controller's Broker topic. Clients send requests to this topic.
+
+Constants
+#########
+.. zeek:id:: Management::Controller::store_name
+   :source-code: policy/frameworks/management/controller/config.zeek 103 103
+
+   :Type: :zeek:type:`string`
+   :Default: ``"controller"``
+
+   The name of the Broker store the controller uses to persist internal
+   state to disk.
+
+Functions
+#########
+.. zeek:id:: Management::Controller::endpoint_info
+   :source-code: policy/frameworks/management/controller/config.zeek 171 179
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::EndpointInfo`
+
+   Returns a :zeek:see:`Broker::EndpointInfo` record describing the
+   controller's Broker connectivity.
+
+.. zeek:id:: Management::Controller::endpoint_info_websocket
+   :source-code: policy/frameworks/management/controller/config.zeek 181 189
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::EndpointInfo`
+
+   Returns a :zeek:see:`Broker::EndpointInfo` record describing the
+   controller's websocket connectivity.
+
+.. zeek:id:: Management::Controller::get_name
+   :source-code: policy/frameworks/management/controller/config.zeek 125 131
+
+   :Type: :zeek:type:`function` () : :zeek:type:`string`
+
+   Returns the effective name of the controller.
+
+.. zeek:id:: Management::Controller::network_info
+   :source-code: policy/frameworks/management/controller/config.zeek 133 150
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::NetworkInfo`
+
+   Returns a :zeek:see:`Broker::NetworkInfo` record describing the
+   controller's Broker connectivity.
+
+.. zeek:id:: Management::Controller::network_info_websocket
+   :source-code: policy/frameworks/management/controller/config.zeek 152 169
+
+   :Type: :zeek:type:`function` () : :zeek:type:`Broker::NetworkInfo`
+
+   Returns a :zeek:see:`Broker::NetworkInfo` record describing the
+   controller's websocket connectivity.
+
+
diff --git a/doc/scripts/policy/frameworks/management/controller/index.rst b/doc/scripts/policy/frameworks/management/controller/index.rst
new file mode 100644
index 0000000000..87fbb02ddf
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/controller/index.rst
@@ -0,0 +1,38 @@
+:orphan:
+
+Package: policy/frameworks/management/controller
+================================================
+
+
+:doc:`/scripts/policy/frameworks/management/controller/config.zeek`
+
+   Configuration settings for the cluster controller.
+
+:doc:`/scripts/policy/frameworks/management/controller/__load__.zeek`
+
+   The entry point for the Management framework's cluster controller. It runs
+   bootstrap logic for launching a controller process via Zeek's Supervisor.
+
+:doc:`/scripts/policy/frameworks/management/controller/api.zeek`
+
+   The event API of cluster controllers. Most endpoints consist of event pairs,
+   where the controller answers the client's request event with a corresponding
+   response event. Such event pairs share the same name prefix and end in
+   "_request" and "_response", respectively.
+
+:doc:`/scripts/policy/frameworks/management/controller/boot.zeek`
+
+   The cluster controller's boot logic runs in Zeek's supervisor and instructs
+   it to launch the Management controller process. The controller's main logic
+   resides in main.zeek, similarly to other frameworks. The new process will
+   execute that script.
+   
+   If the current process is not the Zeek supervisor, this does nothing.
+
+:doc:`/scripts/policy/frameworks/management/controller/main.zeek`
+
+   This is the main "runtime" of the Management framework's controller. Zeek
+   does not load this directly; rather, the controller's bootstrapping module
+   (in ./boot.zeek) specifies it as the script to run in the node newly created
+   by the supervisor.
+
diff --git a/doc/scripts/policy/frameworks/management/controller/main.zeek.rst b/doc/scripts/policy/frameworks/management/controller/main.zeek.rst
new file mode 100644
index 0000000000..13079ca6a6
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/controller/main.zeek.rst
@@ -0,0 +1,176 @@
+:tocdepth: 3
+
+policy/frameworks/management/controller/main.zeek
+=================================================
+.. zeek:namespace:: Management::Controller::Runtime
+
+This is the main "runtime" of the Management framework's controller. Zeek
+does not load this directly; rather, the controller's bootstrapping module
+(in ./boot.zeek) specifies it as the script to run in the node newly created
+by the supervisor.
+
+:Namespace: Management::Controller::Runtime
+:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`policy/frameworks/management </scripts/policy/frameworks/management/index>`, :doc:`policy/frameworks/management/agent/api.zeek </scripts/policy/frameworks/management/agent/api.zeek>`, :doc:`policy/frameworks/management/agent/config.zeek </scripts/policy/frameworks/management/agent/config.zeek>`, :doc:`policy/frameworks/management/controller/api.zeek </scripts/policy/frameworks/management/controller/api.zeek>`, :doc:`policy/frameworks/management/controller/config.zeek </scripts/policy/frameworks/management/controller/config.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+==================================================================================== ====================================================================
+:zeek:type:`Management::Controller::Runtime::ConfigState`: :zeek:type:`enum`         A cluster configuration uploaded by the client goes through multiple
+                                                                                     states on its way to deployment.
+:zeek:type:`Management::Controller::Runtime::DeployState`: :zeek:type:`record`       Request state specific to
+                                                                                     :zeek:see:`Management::Controller::API::deploy_request` and
+                                                                                     :zeek:see:`Management::Controller::API::deploy_response`.
+:zeek:type:`Management::Controller::Runtime::GetNodesState`: :zeek:type:`record`     Request state specific to
+                                                                                     :zeek:see:`Management::Controller::API::get_nodes_request` and
+                                                                                     :zeek:see:`Management::Controller::API::get_nodes_response`.
+:zeek:type:`Management::Controller::Runtime::NodeDispatchState`: :zeek:type:`record` Request state for node dispatch requests, to track the requested
+                                                                                     action and received responses.
+:zeek:type:`Management::Controller::Runtime::RestartState`: :zeek:type:`record`      Request state specific to
+                                                                                     :zeek:see:`Management::Controller::API::restart_request` and
+                                                                                     :zeek:see:`Management::Controller::API::restart_response`.
+:zeek:type:`Management::Controller::Runtime::TestState`: :zeek:type:`record`         Dummy state for internal state-keeping test cases.
+==================================================================================== ====================================================================
+
+Redefinitions
+#############
+============================================================================== =============================================================================================================
+:zeek:type:`Management::Request::Request`: :zeek:type:`record`                 
+                                                                               
+                                                                               :New Fields: :zeek:type:`Management::Request::Request`
+                                                                               
+                                                                                 deploy_state: :zeek:type:`Management::Controller::Runtime::DeployState` :zeek:attr:`&optional`
+                                                                               
+                                                                                 get_nodes_state: :zeek:type:`Management::Controller::Runtime::GetNodesState` :zeek:attr:`&optional`
+                                                                               
+                                                                                 node_dispatch_state: :zeek:type:`Management::Controller::Runtime::NodeDispatchState` :zeek:attr:`&optional`
+                                                                               
+                                                                                 restart_state: :zeek:type:`Management::Controller::Runtime::RestartState` :zeek:attr:`&optional`
+                                                                               
+                                                                                 test_state: :zeek:type:`Management::Controller::Runtime::TestState` :zeek:attr:`&optional`
+:zeek:id:`Management::role`: :zeek:type:`Management::Role` :zeek:attr:`&redef` 
+:zeek:id:`table_expire_interval`: :zeek:type:`interval` :zeek:attr:`&redef`    
+============================================================================== =============================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Management::Controller::Runtime::ConfigState
+   :source-code: policy/frameworks/management/controller/main.zeek 24 29
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Management::Controller::Runtime::STAGED Management::Controller::Runtime::ConfigState
+
+         As provided by the client.
+
+      .. zeek:enum:: Management::Controller::Runtime::READY Management::Controller::Runtime::ConfigState
+
+         Necessary updates made, e.g. ports filled in.
+
+      .. zeek:enum:: Management::Controller::Runtime::DEPLOYED Management::Controller::Runtime::ConfigState
+
+         Sent off to the agents for deployment.
+
+   A cluster configuration uploaded by the client goes through multiple
+   states on its way to deployment.
+
+.. zeek:type:: Management::Controller::Runtime::DeployState
+   :source-code: policy/frameworks/management/controller/main.zeek 33 41
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: config :zeek:type:`Management::Configuration`
+
+      The cluster configuration the controller is deploying.
+
+
+   .. zeek:field:: is_internal :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      Whether this is a controller-internal deployment, or
+      triggered via a request by a remote peer/client.
+
+
+   .. zeek:field:: requests :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Request state for every controller/agent transaction.
+
+
+   Request state specific to
+   :zeek:see:`Management::Controller::API::deploy_request` and
+   :zeek:see:`Management::Controller::API::deploy_response`.
+
+.. zeek:type:: Management::Controller::Runtime::GetNodesState
+   :source-code: policy/frameworks/management/controller/main.zeek 46 49
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: requests :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Request state for every controller/agent transaction.
+
+
+   Request state specific to
+   :zeek:see:`Management::Controller::API::get_nodes_request` and
+   :zeek:see:`Management::Controller::API::get_nodes_response`.
+
+.. zeek:type:: Management::Controller::Runtime::NodeDispatchState
+   :source-code: policy/frameworks/management/controller/main.zeek 62 72
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: action :zeek:type:`vector` of :zeek:type:`string`
+
+      The dispatched action. The first string is a command,
+      any remaining strings its arguments.
+
+
+   .. zeek:field:: requests :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Request state for every controller/agent transaction.
+      The set of strings tracks the node names from which
+      we still expect responses, before we can respond back
+      to the client.
+
+
+   Request state for node dispatch requests, to track the requested
+   action and received responses. Node dispatches are requests to
+   execute pre-implemented actions on every node in the cluster,
+   and report their outcomes. See
+   :zeek:see:`Management::Agent::API::node_dispatch_request` and
+   :zeek:see:`Management::Agent::API::node_dispatch_response` for the
+   agent/controller interaction, and
+   :zeek:see:`Management::Controller::API::get_id_value_request` and
+   :zeek:see:`Management::Controller::API::get_id_value_response`
+   for an example of a specific API the controller generalizes into
+   a dispatch.
+
+.. zeek:type:: Management::Controller::Runtime::RestartState
+   :source-code: policy/frameworks/management/controller/main.zeek 77 80
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: requests :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Request state for every controller/agent transaction.
+
+
+   Request state specific to
+   :zeek:see:`Management::Controller::API::restart_request` and
+   :zeek:see:`Management::Controller::API::restart_response`.
+
+.. zeek:type:: Management::Controller::Runtime::TestState
+   :source-code: policy/frameworks/management/controller/main.zeek 83 84
+
+   :Type: :zeek:type:`record`
+
+   Dummy state for internal state-keeping test cases.
+
+
diff --git a/doc/scripts/policy/frameworks/management/index.rst b/doc/scripts/policy/frameworks/management/index.rst
new file mode 100644
index 0000000000..f62d498477
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/index.rst
@@ -0,0 +1,148 @@
+:orphan:
+
+Package: policy/frameworks/management
+=====================================
+
+
+:doc:`/scripts/policy/frameworks/management/agent/__load__.zeek`
+
+   The entry point for the Management framework's cluster agent. It runs
+   bootstrap logic for launching an agent process via Zeek's Supervisor.
+
+:doc:`/scripts/policy/frameworks/management/agent/api.zeek`
+
+   The event API of cluster agents. Most endpoints consist of event pairs,
+   where the agent answers a request event with a corresponding response
+   event. Such event pairs share the same name prefix and end in "_request" and
+   "_response", respectively.
+
+:doc:`/scripts/policy/frameworks/management/types.zeek`
+
+   This module holds the basic types needed for the Management framework. These
+   are used by both cluster agent and controller, and several have corresponding
+   implementations in zeek-client.
+
+:doc:`/scripts/policy/frameworks/management/agent/boot.zeek`
+
+   The cluster agent boot logic runs in Zeek's supervisor and instructs it to
+   launch a Management agent process. The agent's main logic resides in main.zeek,
+   similarly to other frameworks. The new process will execute that script.
+   
+   If the current process is not the Zeek supervisor, this does nothing.
+
+:doc:`/scripts/policy/frameworks/management/agent/config.zeek`
+
+   Configuration settings for a cluster agent.
+
+:doc:`/scripts/policy/frameworks/management/__load__.zeek`
+
+   This loads Management framework functionality needed by both the controller
+   and agents. Note that there's no notion of loading "the Management
+   framework" -- one always loads "management/controller" or
+   "management/agent". This __load__ script exists only to simplify loading all
+   common functionality.
+
+:doc:`/scripts/policy/frameworks/management/config.zeek`
+
+   Management framework configuration settings common to agent and controller.
+   This does not include config settings that exist in both agent and
+   controller but that they set differently, since setting defaults here would
+   be awkward or pointless (since both node types would overwrite them
+   anyway). For role-specific settings, see management/controller/config.zeek
+   and management/agent/config.zeek.
+
+:doc:`/scripts/policy/frameworks/management/log.zeek`
+
+   This module implements logging abilities for controller and agent. It uses
+   Zeek's logging framework and works only for nodes managed by the
+   supervisor. In this setting Zeek's logging framework operates locally, i.e.,
+   this does not involve logger nodes.
+
+:doc:`/scripts/policy/frameworks/management/persistence.zeek`
+
+   Common adjustments for any kind of Zeek node when we run the Management
+   framework.
+
+:doc:`/scripts/policy/frameworks/management/request.zeek`
+
+   This module implements a request state abstraction in the Management
+   framework that both controller and agent use to connect request events to
+   subsequent response ones, and to be able to time out such requests.
+
+:doc:`/scripts/policy/frameworks/management/util.zeek`
+
+   Utility functions for the Management framework, available to agent
+   and controller.
+
+:doc:`/scripts/policy/frameworks/management/controller/config.zeek`
+
+   Configuration settings for the cluster controller.
+
+:doc:`/scripts/policy/frameworks/management/controller/__load__.zeek`
+
+   The entry point for the Management framework's cluster controller. It runs
+   bootstrap logic for launching a controller process via Zeek's Supervisor.
+
+:doc:`/scripts/policy/frameworks/management/controller/api.zeek`
+
+   The event API of cluster controllers. Most endpoints consist of event pairs,
+   where the controller answers the client's request event with a corresponding
+   response event. Such event pairs share the same name prefix and end in
+   "_request" and "_response", respectively.
+
+:doc:`/scripts/policy/frameworks/management/controller/boot.zeek`
+
+   The cluster controller's boot logic runs in Zeek's supervisor and instructs
+   it to launch the Management controller process. The controller's main logic
+   resides in main.zeek, similarly to other frameworks. The new process will
+   execute that script.
+   
+   If the current process is not the Zeek supervisor, this does nothing.
+
+:doc:`/scripts/policy/frameworks/management/node/api.zeek`
+
+   The Management event API of cluster nodes. The API consists of request/
+   response event pairs, like elsewhere in the Management, Supervisor, and
+   Control frameworks.
+
+:doc:`/scripts/policy/frameworks/management/node/config.zeek`
+
+   Configuration settings for nodes controlled by the Management framework.
+
+:doc:`/scripts/policy/frameworks/management/supervisor/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/management/supervisor/main.zeek`
+
+   This module provides functionality the Management framework places directly
+   in the Supervisor.
+
+:doc:`/scripts/policy/frameworks/management/supervisor/api.zeek`
+
+
+:doc:`/scripts/policy/frameworks/management/supervisor/config.zeek`
+
+   Configuration settings for the Management framework's supervisor extension.
+
+:doc:`/scripts/policy/frameworks/management/agent/main.zeek`
+
+   This is the main "runtime" of a cluster agent. Zeek does not load this
+   directly; rather, the agent's bootstrapping module (in ./boot.zeek)
+   specifies it as the script to run in the node newly created via Zeek's
+   supervisor.
+
+:doc:`/scripts/policy/frameworks/management/controller/main.zeek`
+
+   This is the main "runtime" of the Management framework's controller. Zeek
+   does not load this directly; rather, the controller's bootstrapping module
+   (in ./boot.zeek) specifies it as the script to run in the node newly created
+   by the supervisor.
+
+:doc:`/scripts/policy/frameworks/management/node/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/management/node/main.zeek`
+
+   This module provides Management framework functionality present in every
+   cluster node, to allowing Management agents to interact with the nodes.
+
diff --git a/doc/scripts/policy/frameworks/management/log.zeek.rst b/doc/scripts/policy/frameworks/management/log.zeek.rst
new file mode 100644
index 0000000000..9cecb3f960
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/log.zeek.rst
@@ -0,0 +1,157 @@
+:tocdepth: 3
+
+policy/frameworks/management/log.zeek
+=====================================
+.. zeek:namespace:: Management::Log
+
+This module implements logging abilities for controller and agent. It uses
+Zeek's logging framework and works only for nodes managed by the
+supervisor. In this setting Zeek's logging framework operates locally, i.e.,
+this does not involve logger nodes.
+
+:Namespace: Management::Log
+:Imports: :doc:`policy/frameworks/management/config.zeek </scripts/policy/frameworks/management/config.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+========================================================================= =========================================================================
+:zeek:type:`Management::Log::Info`: :zeek:type:`record` :zeek:attr:`&log` The record type containing the column fields of the agent/controller log.
+:zeek:type:`Management::Log::Level`: :zeek:type:`enum`                    The controller/agent log supports four different log levels.
+========================================================================= =========================================================================
+
+Redefinitions
+#############
+======================================= ======================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` The cluster logging stream identifier.
+                                        
+                                        * :zeek:enum:`Management::Log::LOG`
+======================================= ======================================
+
+Hooks
+#####
+==================================================================== =============================================
+:zeek:id:`Management::Log::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+==================================================================== =============================================
+
+Functions
+#########
+========================================================== ===================================
+:zeek:id:`Management::Log::debug`: :zeek:type:`function`   A debug-level log message writer.
+:zeek:id:`Management::Log::error`: :zeek:type:`function`   An error-level log message writer.
+:zeek:id:`Management::Log::info`: :zeek:type:`function`    An info-level log message writer.
+:zeek:id:`Management::Log::warning`: :zeek:type:`function` A warning-level log message writer.
+========================================================== ===================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Management::Log::Info
+   :source-code: policy/frameworks/management/log.zeek 26 37
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The time at which a cluster message was generated.
+
+
+   .. zeek:field:: node :zeek:type:`string` :zeek:attr:`&log`
+
+      The name of the node that is creating the log record.
+
+
+   .. zeek:field:: level :zeek:type:`string` :zeek:attr:`&log`
+
+      Log level of this message, converted from the above Level enum
+
+
+   .. zeek:field:: role :zeek:type:`string` :zeek:attr:`&log`
+
+      The role of the node, translated from Management::Role.
+
+
+   .. zeek:field:: message :zeek:type:`string` :zeek:attr:`&log`
+
+      A message indicating information about cluster controller operation.
+
+   :Attributes: :zeek:attr:`&log`
+
+   The record type containing the column fields of the agent/controller log.
+
+.. zeek:type:: Management::Log::Level
+   :source-code: policy/frameworks/management/log.zeek 18 24
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Management::Log::DEBUG Management::Log::Level
+
+      .. zeek:enum:: Management::Log::INFO Management::Log::Level
+
+      .. zeek:enum:: Management::Log::WARNING Management::Log::Level
+
+      .. zeek:enum:: Management::Log::ERROR Management::Log::Level
+
+   The controller/agent log supports four different log levels.
+
+Hooks
+#####
+.. zeek:id:: Management::Log::log_policy
+   :source-code: policy/frameworks/management/log.zeek 15 15
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+Functions
+#########
+.. zeek:id:: Management::Log::debug
+   :source-code: policy/frameworks/management/log.zeek 85 93
+
+   :Type: :zeek:type:`function` (message: :zeek:type:`string`) : :zeek:type:`void`
+
+   A debug-level log message writer.
+   
+
+   :param message: the message to log.
+   
+
+.. zeek:id:: Management::Log::error
+   :source-code: policy/frameworks/management/log.zeek 115 123
+
+   :Type: :zeek:type:`function` (message: :zeek:type:`string`) : :zeek:type:`void`
+
+   An error-level log message writer. (This only logs a message, it does not
+   terminate Zeek or have other runtime effects.)
+   
+
+   :param message: the message to log.
+   
+
+.. zeek:id:: Management::Log::info
+   :source-code: policy/frameworks/management/log.zeek 95 103
+
+   :Type: :zeek:type:`function` (message: :zeek:type:`string`) : :zeek:type:`void`
+
+   An info-level log message writer.
+   
+
+   :param message: the message to log.
+   
+
+.. zeek:id:: Management::Log::warning
+   :source-code: policy/frameworks/management/log.zeek 105 113
+
+   :Type: :zeek:type:`function` (message: :zeek:type:`string`) : :zeek:type:`void`
+
+   A warning-level log message writer.
+   
+
+   :param message: the message to log.
+   
+
+
diff --git a/doc/scripts/policy/frameworks/management/node/__load__.zeek.rst b/doc/scripts/policy/frameworks/management/node/__load__.zeek.rst
new file mode 100644
index 0000000000..bad5dffc40
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/node/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/management/node/__load__.zeek
+===============================================
+
+
+:Imports: :doc:`policy/frameworks/management/node/main.zeek </scripts/policy/frameworks/management/node/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/node/api.zeek.rst b/doc/scripts/policy/frameworks/management/node/api.zeek.rst
new file mode 100644
index 0000000000..36a189d9ef
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/node/api.zeek.rst
@@ -0,0 +1,85 @@
+:tocdepth: 3
+
+policy/frameworks/management/node/api.zeek
+==========================================
+.. zeek:namespace:: Management::Node::API
+
+The Management event API of cluster nodes. The API consists of request/
+response event pairs, like elsewhere in the Management, Supervisor, and
+Control frameworks.
+
+:Namespace: Management::Node::API
+:Imports: :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`
+
+Summary
+~~~~~~~
+Events
+######
+============================================================================ =====================================================================
+:zeek:id:`Management::Node::API::node_dispatch_request`: :zeek:type:`event`  Management agents send this event to every Zeek cluster node to run a
+                                                                             "dispatch" -- a particular, pre-implemented action.
+:zeek:id:`Management::Node::API::node_dispatch_response`: :zeek:type:`event` Response to a node_dispatch_request event.
+:zeek:id:`Management::Node::API::notify_node_hello`: :zeek:type:`event`      The cluster nodes send this event upon peering as a "check-in" to
+                                                                             the agent, to indicate the node is now available to communicate
+                                                                             with.
+============================================================================ =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: Management::Node::API::node_dispatch_request
+   :source-code: policy/frameworks/management/node/main.zeek 58 97
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, action: :zeek:type:`vector` of :zeek:type:`string`, nodes: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`)
+
+   Management agents send this event to every Zeek cluster node to run a
+   "dispatch" -- a particular, pre-implemented action. This is the agent-node
+   complement to :zeek:see:`Management::Agent::API::node_dispatch_request`.
+   
+
+   :param reqid: a request identifier string, echoed in the response event.
+   
+
+   :param action: the requested dispatch command, with any arguments.
+   
+
+   :param nodes: the cluster node names this dispatch targets. An empty set,
+       supplied by default, means it applies to all nodes. Since nodes
+       receive all dispatch requests, they can use any node names provided
+       here to filter themselves out of responding.
+
+.. zeek:id:: Management::Node::API::node_dispatch_response
+   :source-code: policy/frameworks/management/agent/main.zeek 690 759
+
+   :Type: :zeek:type:`event` (reqid: :zeek:type:`string`, result: :zeek:type:`Management::Result`)
+
+   Response to a node_dispatch_request event. The nodes send this back
+   to the agent. This is the agent-node equivalent of
+   :zeek:see:`Management::Agent::API::node_dispatch_response`.
+   
+
+   :param reqid: the request identifier used in the request event.
+   
+
+   :param result: a :zeek:see:`Management::Result` record covering one Zeek
+       cluster node managed by the agent. Upon success, the data field
+       contains a value appropriate for the requested dispatch.
+
+.. zeek:id:: Management::Node::API::notify_node_hello
+   :source-code: policy/frameworks/management/agent/main.zeek 1010 1033
+
+   :Type: :zeek:type:`event` (node: :zeek:type:`string`)
+
+   The cluster nodes send this event upon peering as a "check-in" to
+   the agent, to indicate the node is now available to communicate
+   with. It is an agent-level equivalent of :zeek:see:`Broker::peer_added`,
+   and similar to :zeek:see:`Management::Agent::API::notify_agent_hello`
+   for agents.
+   
+
+   :param node: the name of the node, as given in :zeek:see:`Cluster::node`.
+   
+
+
diff --git a/doc/scripts/policy/frameworks/management/node/config.zeek.rst b/doc/scripts/policy/frameworks/management/node/config.zeek.rst
new file mode 100644
index 0000000000..14ee5c1e89
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/node/config.zeek.rst
@@ -0,0 +1,61 @@
+:tocdepth: 3
+
+policy/frameworks/management/node/config.zeek
+=============================================
+.. zeek:namespace:: Management::Node
+
+Configuration settings for nodes controlled by the Management framework.
+
+:Namespace: Management::Node
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================= ======================================
+:zeek:id:`Management::Node::node_topic`: :zeek:type:`string` :zeek:attr:`&redef`  The nodes' Broker topic.
+:zeek:id:`Management::Node::stderr_file`: :zeek:type:`string` :zeek:attr:`&redef` Cluster node stderr log configuration.
+:zeek:id:`Management::Node::stdout_file`: :zeek:type:`string` :zeek:attr:`&redef` Cluster node stdout log configuration.
+================================================================================= ======================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Management::Node::node_topic
+   :source-code: policy/frameworks/management/node/config.zeek 8 8
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/management/node"``
+
+   The nodes' Broker topic. Cluster nodes automatically subscribe
+   to it, to receive request events from the Management framework.
+
+.. zeek:id:: Management::Node::stderr_file
+   :source-code: policy/frameworks/management/node/config.zeek 21 21
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"stderr"``
+
+   Cluster node stderr log configuration. Like
+   :zeek:see:`Management::Node::stdout_file`, but for the stderr stream.
+
+.. zeek:id:: Management::Node::stdout_file
+   :source-code: policy/frameworks/management/node/config.zeek 17 17
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"stdout"``
+
+   Cluster node stdout log configuration. If the string is non-empty,
+   Zeek will produce a free-form log (i.e., not one governed by Zeek's
+   logging framework) in the node's working directory. If left empty, no
+   such log results.
+   
+   Note that cluster nodes also establish a "proper" management log via
+   the :zeek:see:`Management::Log` module.
+
+
diff --git a/doc/scripts/policy/frameworks/management/node/index.rst b/doc/scripts/policy/frameworks/management/node/index.rst
new file mode 100644
index 0000000000..1d166e69ad
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/node/index.rst
@@ -0,0 +1,24 @@
+:orphan:
+
+Package: policy/frameworks/management/node
+==========================================
+
+
+:doc:`/scripts/policy/frameworks/management/node/api.zeek`
+
+   The Management event API of cluster nodes. The API consists of request/
+   response event pairs, like elsewhere in the Management, Supervisor, and
+   Control frameworks.
+
+:doc:`/scripts/policy/frameworks/management/node/config.zeek`
+
+   Configuration settings for nodes controlled by the Management framework.
+
+:doc:`/scripts/policy/frameworks/management/node/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/management/node/main.zeek`
+
+   This module provides Management framework functionality present in every
+   cluster node, to allowing Management agents to interact with the nodes.
+
diff --git a/doc/scripts/policy/frameworks/management/node/main.zeek.rst b/doc/scripts/policy/frameworks/management/node/main.zeek.rst
new file mode 100644
index 0000000000..62dd65dd17
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/node/main.zeek.rst
@@ -0,0 +1,24 @@
+:tocdepth: 3
+
+policy/frameworks/management/node/main.zeek
+===========================================
+.. zeek:namespace:: Management::Node
+
+This module provides Management framework functionality present in every
+cluster node, to allowing Management agents to interact with the nodes.
+
+:Namespace: Management::Node
+:Imports: :doc:`base/frameworks/broker/store.zeek </scripts/base/frameworks/broker/store.zeek>`, :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/logging/writers/ascii.zeek </scripts/base/frameworks/logging/writers/ascii.zeek>`, :doc:`base/misc/installation.zeek </scripts/base/misc/installation.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`, :doc:`policy/frameworks/management </scripts/policy/frameworks/management/index>`, :doc:`policy/frameworks/management/agent/config.zeek </scripts/policy/frameworks/management/agent/config.zeek>`, :doc:`policy/frameworks/management/node/api.zeek </scripts/policy/frameworks/management/node/api.zeek>`, :doc:`policy/frameworks/management/node/config.zeek </scripts/policy/frameworks/management/node/config.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================================================== =
+:zeek:id:`Management::role`: :zeek:type:`Management::Role` :zeek:attr:`&redef` 
+============================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/persistence.zeek.rst b/doc/scripts/policy/frameworks/management/persistence.zeek.rst
new file mode 100644
index 0000000000..f0c440c620
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/persistence.zeek.rst
@@ -0,0 +1,22 @@
+:tocdepth: 3
+
+policy/frameworks/management/persistence.zeek
+=============================================
+
+Common adjustments for any kind of Zeek node when we run the Management
+framework.
+
+:Imports: :doc:`base/misc/installation.zeek </scripts/base/misc/installation.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`, :doc:`policy/frameworks/management/config.zeek </scripts/policy/frameworks/management/config.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================================================= =
+:zeek:id:`Log::default_rotation_dir`: :zeek:type:`string` :zeek:attr:`&redef` 
+============================================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/request.zeek.rst b/doc/scripts/policy/frameworks/management/request.zeek.rst
new file mode 100644
index 0000000000..b6db804367
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/request.zeek.rst
@@ -0,0 +1,295 @@
+:tocdepth: 3
+
+policy/frameworks/management/request.zeek
+=========================================
+.. zeek:namespace:: Management::Request
+
+This module implements a request state abstraction in the Management
+framework that both controller and agent use to connect request events to
+subsequent response ones, and to be able to time out such requests.
+
+:Namespace: Management::Request
+:Imports: :doc:`policy/frameworks/management/config.zeek </scripts/policy/frameworks/management/config.zeek>`, :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=========================================================================================== =======================================
+:zeek:id:`Management::Request::timeout_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The timeout interval for request state.
+=========================================================================================== =======================================
+
+State Variables
+###############
+=================================================================================== ==========================================================
+:zeek:id:`Management::Request::null_req`: :zeek:type:`Management::Request::Request` A token request that serves as a null/nonexistent request.
+=================================================================================== ==========================================================
+
+Types
+#####
+============================================================== ====================================================================
+:zeek:type:`Management::Request::Request`: :zeek:type:`record` Request records track state associated with a request/response event
+                                                               pair.
+============================================================== ====================================================================
+
+Redefinitions
+#############
+============================================================== ===========================================================================================================================
+:zeek:type:`Management::Request::Request`: :zeek:type:`record` 
+                                                               
+                                                               :New Fields: :zeek:type:`Management::Request::Request`
+                                                               
+                                                                 finish: :zeek:type:`function` (req: :zeek:type:`Management::Request::Request`) : :zeek:type:`void` :zeek:attr:`&optional`
+                                                                   A callback to invoke when this request is finished via
+                                                                   :zeek:see:`Management::Request::finish`.
+============================================================== ===========================================================================================================================
+
+Events
+######
+=================================================================== ======================================================================
+:zeek:id:`Management::Request::request_expired`: :zeek:type:`event` This event fires when a request times out (as per the
+                                                                    Management::Request::timeout_interval) before it has been finished via
+                                                                    Management::Request::finish().
+=================================================================== ======================================================================
+
+Functions
+#########
+================================================================ ========================================================================
+:zeek:id:`Management::Request::create`: :zeek:type:`function`    This function establishes request state.
+:zeek:id:`Management::Request::finish`: :zeek:type:`function`    This function marks a request as complete and causes Zeek to release
+                                                                 its internal state.
+:zeek:id:`Management::Request::is_null`: :zeek:type:`function`   This function is a helper predicate to indicate whether a given
+                                                                 request is null.
+:zeek:id:`Management::Request::lookup`: :zeek:type:`function`    This function looks up the request for a given request ID and returns
+                                                                 it.
+:zeek:id:`Management::Request::to_string`: :zeek:type:`function` For troubleshooting, this function renders a request record to a string.
+================================================================ ========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Management::Request::timeout_interval
+   :source-code: policy/frameworks/management/request.zeek 52 52
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 secs``
+   :Redefinition: from :doc:`/scripts/policy/frameworks/management/agent/main.zeek`
+
+      ``=``::
+
+         5.0 secs
+
+
+   The timeout interval for request state. Such state (see the
+   :zeek:see:`Management::Request` module) ties together request and
+   response event pairs. A timeout causes cleanup of request state if
+   regular request/response processing hasn't already done so. It
+   applies both to request state kept in the controller and the agent,
+   though the two use different timeout values: agent-side requests time
+   out more quickly. This allows agents to send more meaningful error
+   messages, while the controller's timeouts serve as a last resort to
+   ensure response to the client.
+
+State Variables
+###############
+.. zeek:id:: Management::Request::null_req
+   :source-code: policy/frameworks/management/request.zeek 55 55
+
+   :Type: :zeek:type:`Management::Request::Request`
+   :Default:
+
+      ::
+
+         {
+            id=""
+            parent_id=<uninitialized>
+            results=[]
+            finished=T
+            finish=<uninitialized>
+            supervisor_state_agent=<uninitialized>
+            deploy_state_agent=<uninitialized>
+            node_dispatch_state_agent=<uninitialized>
+            restart_state_agent=<uninitialized>
+            deploy_state=<uninitialized>
+            get_nodes_state=<uninitialized>
+            node_dispatch_state=<uninitialized>
+            restart_state=<uninitialized>
+            test_state=<uninitialized>
+         }
+
+
+   A token request that serves as a null/nonexistent request.
+
+Types
+#####
+.. zeek:type:: Management::Request::Request
+   :source-code: policy/frameworks/management/request.zeek 17 33
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`string`
+
+      Each request has a hopefully unique ID provided by the requester.
+
+
+   .. zeek:field:: parent_id :zeek:type:`string` :zeek:attr:`&optional`
+
+      For requests that result based upon another request (such as when
+      the controller sends requests to agents based on a request it
+      received by the client), this specifies that original, "parent"
+      request.
+
+
+   .. zeek:field:: results :zeek:type:`Management::ResultVec` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+
+      The results vector builds up the list of results we eventually
+      send to the requestor when we have processed the request.
+
+
+   .. zeek:field:: finished :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+
+      An internal flag to track whether a request is complete.
+
+
+   .. zeek:field:: finish :zeek:type:`function` (<recursion>) : :zeek:type:`void` :zeek:attr:`&optional`
+
+      A callback to invoke when this request is finished via
+      :zeek:see:`Management::Request::finish`.
+
+
+   .. zeek:field:: supervisor_state_agent :zeek:type:`Management::Agent::Runtime::SupervisorState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/agent/main.zeek` is loaded)
+
+
+   .. zeek:field:: deploy_state_agent :zeek:type:`Management::Agent::Runtime::DeployState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/agent/main.zeek` is loaded)
+
+
+   .. zeek:field:: node_dispatch_state_agent :zeek:type:`Management::Agent::Runtime::NodeDispatchState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/agent/main.zeek` is loaded)
+
+
+   .. zeek:field:: restart_state_agent :zeek:type:`Management::Agent::Runtime::RestartState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/agent/main.zeek` is loaded)
+
+
+   .. zeek:field:: deploy_state :zeek:type:`Management::Controller::Runtime::DeployState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/controller/main.zeek` is loaded)
+
+
+   .. zeek:field:: get_nodes_state :zeek:type:`Management::Controller::Runtime::GetNodesState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/controller/main.zeek` is loaded)
+
+
+   .. zeek:field:: node_dispatch_state :zeek:type:`Management::Controller::Runtime::NodeDispatchState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/controller/main.zeek` is loaded)
+
+
+   .. zeek:field:: restart_state :zeek:type:`Management::Controller::Runtime::RestartState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/controller/main.zeek` is loaded)
+
+
+   .. zeek:field:: test_state :zeek:type:`Management::Controller::Runtime::TestState` :zeek:attr:`&optional`
+
+      (present if :doc:`/scripts/policy/frameworks/management/controller/main.zeek` is loaded)
+
+
+   Request records track state associated with a request/response event
+   pair. Calls to
+   :zeek:see:`Management::Request::create` establish such state
+   when an entity sends off a request event, while
+   :zeek:see:`Management::Request::finish` clears the state when
+   a corresponding response event comes in, or the state times out.
+
+Events
+######
+.. zeek:id:: Management::Request::request_expired
+   :source-code: policy/frameworks/management/request.zeek 84 84
+
+   :Type: :zeek:type:`event` (req: :zeek:type:`Management::Request::Request`)
+
+   This event fires when a request times out (as per the
+   Management::Request::timeout_interval) before it has been finished via
+   Management::Request::finish().
+   
+
+   :param req: the request state that is expiring.
+   
+
+Functions
+#########
+.. zeek:id:: Management::Request::create
+   :source-code: policy/frameworks/management/request.zeek 119 124
+
+   :Type: :zeek:type:`function` (reqid: :zeek:type:`string` :zeek:attr:`&default` = ``9Ye7pQPhuMe`` :zeek:attr:`&optional`) : :zeek:type:`Management::Request::Request`
+
+   This function establishes request state.
+   
+
+   :param reqid: the identifier to use for the request.
+   
+
+.. zeek:id:: Management::Request::finish
+   :source-code: policy/frameworks/management/request.zeek 134 148
+
+   :Type: :zeek:type:`function` (reqid: :zeek:type:`string`) : :zeek:type:`bool`
+
+   This function marks a request as complete and causes Zeek to release
+   its internal state. When the request does not exist, this does
+   nothing.
+   
+
+   :param reqid: the ID of the request state to release.
+   
+
+.. zeek:id:: Management::Request::is_null
+   :source-code: policy/frameworks/management/request.zeek 150 156
+
+   :Type: :zeek:type:`function` (request: :zeek:type:`Management::Request::Request`) : :zeek:type:`bool`
+
+   This function is a helper predicate to indicate whether a given
+   request is null.
+   
+
+   :param request: a Request record to check.
+   
+
+   :returns: T if the given request matches the null_req instance, F otherwise.
+   
+
+.. zeek:id:: Management::Request::lookup
+   :source-code: policy/frameworks/management/request.zeek 126 132
+
+   :Type: :zeek:type:`function` (reqid: :zeek:type:`string`) : :zeek:type:`Management::Request::Request`
+
+   This function looks up the request for a given request ID and returns
+   it. When no such request exists, returns Management::Request::null_req.
+   
+
+   :param reqid: the ID of the request state to retrieve.
+   
+
+.. zeek:id:: Management::Request::to_string
+   :source-code: policy/frameworks/management/request.zeek 158 168
+
+   :Type: :zeek:type:`function` (request: :zeek:type:`Management::Request::Request`) : :zeek:type:`string`
+
+   For troubleshooting, this function renders a request record to a string.
+   
+
+   :param request: the request to render.
+   
+
+
diff --git a/doc/scripts/policy/frameworks/management/supervisor/__load__.zeek.rst b/doc/scripts/policy/frameworks/management/supervisor/__load__.zeek.rst
new file mode 100644
index 0000000000..fc4bccad43
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/supervisor/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/management/supervisor/__load__.zeek
+=====================================================
+
+
+:Imports: :doc:`policy/frameworks/management/supervisor/main.zeek </scripts/policy/frameworks/management/supervisor/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/supervisor/api.zeek.rst b/doc/scripts/policy/frameworks/management/supervisor/api.zeek.rst
new file mode 100644
index 0000000000..f694459e6c
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/supervisor/api.zeek.rst
@@ -0,0 +1,44 @@
+:tocdepth: 3
+
+policy/frameworks/management/supervisor/api.zeek
+================================================
+.. zeek:namespace:: Management::Supervisor::API
+
+
+:Namespace: Management::Supervisor::API
+:Imports: :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`
+
+Summary
+~~~~~~~
+Events
+######
+============================================================================ =====================================================================
+:zeek:id:`Management::Supervisor::API::notify_node_exit`: :zeek:type:`event` The Supervisor generates this event whenever it has received a status
+                                                                             update from the stem, indicating that a node exited.
+============================================================================ =====================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Events
+######
+.. zeek:id:: Management::Supervisor::API::notify_node_exit
+   :source-code: policy/frameworks/management/agent/main.zeek 263 269
+
+   :Type: :zeek:type:`event` (node: :zeek:type:`string`, outputs: :zeek:type:`Management::NodeOutputs`)
+
+   The Supervisor generates this event whenever it has received a status
+   update from the stem, indicating that a node exited.
+   
+
+   :param node: the name of a node previously created via
+       :zeek:see:`Supervisor::create`.
+   
+
+   :param outputs: stdout/stderr context for the node. The contained strings
+       span up to the 100 most recent lines in the corresponding
+       stream. See :zeek:see:`Management::Supervisor::output_max_lines`
+       to adjust the line limit.
+   
+
+
diff --git a/doc/scripts/policy/frameworks/management/supervisor/config.zeek.rst b/doc/scripts/policy/frameworks/management/supervisor/config.zeek.rst
new file mode 100644
index 0000000000..c841484192
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/supervisor/config.zeek.rst
@@ -0,0 +1,75 @@
+:tocdepth: 3
+
+policy/frameworks/management/supervisor/config.zeek
+===================================================
+.. zeek:namespace:: Management::Supervisor
+
+Configuration settings for the Management framework's supervisor extension.
+
+:Namespace: Management::Supervisor
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=========================================================================================== =================================================================
+:zeek:id:`Management::Supervisor::output_max_lines`: :zeek:type:`count` :zeek:attr:`&redef` The maximum number of stdout/stderr output lines to convey in
+                                                                                            :zeek:see:`Management::Supervisor::API::notify_node_exit` events.
+:zeek:id:`Management::Supervisor::print_stderr`: :zeek:type:`bool` :zeek:attr:`&redef`      Whether to print the stderr sent up to the Supervisor by created
+                                                                                            nodes to the terminal.
+:zeek:id:`Management::Supervisor::print_stdout`: :zeek:type:`bool` :zeek:attr:`&redef`      Whether to print the stdout sent up to the Supervisor by created
+                                                                                            nodes to the terminal.
+:zeek:id:`Management::Supervisor::topic_prefix`: :zeek:type:`string` :zeek:attr:`&redef`    The Broker topic for Management framework communication with the
+                                                                                            Supervisor.
+=========================================================================================== =================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Management::Supervisor::output_max_lines
+   :source-code: policy/frameworks/management/supervisor/config.zeek 24 24
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   The maximum number of stdout/stderr output lines to convey in
+   :zeek:see:`Management::Supervisor::API::notify_node_exit` events.
+
+.. zeek:id:: Management::Supervisor::print_stderr
+   :source-code: policy/frameworks/management/supervisor/config.zeek 20 20
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether to print the stderr sent up to the Supervisor by created
+   nodes to the terminal. By default, this is disabled since this output
+   already ends up in a node-specific stderr file, per
+   :zeek:see:`Management::Node::stderr_file`.
+
+.. zeek:id:: Management::Supervisor::print_stdout
+   :source-code: policy/frameworks/management/supervisor/config.zeek 14 14
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Whether to print the stdout sent up to the Supervisor by created
+   nodes to the terminal. By default, this is disabled since this output
+   already ends up in a node-specific stdout file, per
+   :zeek:see:`Management::Node::stdout_file`.
+
+.. zeek:id:: Management::Supervisor::topic_prefix
+   :source-code: policy/frameworks/management/supervisor/config.zeek 8 8
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/management/supervisor"``
+
+   The Broker topic for Management framework communication with the
+   Supervisor. The agent subscribes to this.
+
+
diff --git a/doc/scripts/policy/frameworks/management/supervisor/index.rst b/doc/scripts/policy/frameworks/management/supervisor/index.rst
new file mode 100644
index 0000000000..e2a8dea78d
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/supervisor/index.rst
@@ -0,0 +1,21 @@
+:orphan:
+
+Package: policy/frameworks/management/supervisor
+================================================
+
+
+:doc:`/scripts/policy/frameworks/management/supervisor/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/management/supervisor/main.zeek`
+
+   This module provides functionality the Management framework places directly
+   in the Supervisor.
+
+:doc:`/scripts/policy/frameworks/management/supervisor/api.zeek`
+
+
+:doc:`/scripts/policy/frameworks/management/supervisor/config.zeek`
+
+   Configuration settings for the Management framework's supervisor extension.
+
diff --git a/doc/scripts/policy/frameworks/management/supervisor/main.zeek.rst b/doc/scripts/policy/frameworks/management/supervisor/main.zeek.rst
new file mode 100644
index 0000000000..7d4acd8707
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/supervisor/main.zeek.rst
@@ -0,0 +1,18 @@
+:tocdepth: 3
+
+policy/frameworks/management/supervisor/main.zeek
+=================================================
+.. zeek:namespace:: Management::Supervisor
+
+This module provides functionality the Management framework places directly
+in the Supervisor.
+
+:Namespace: Management::Supervisor
+:Imports: :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`, :doc:`base/utils/queue.zeek </scripts/base/utils/queue.zeek>`, :doc:`policy/frameworks/management/node/config.zeek </scripts/policy/frameworks/management/node/config.zeek>`, :doc:`policy/frameworks/management/supervisor/api.zeek </scripts/policy/frameworks/management/supervisor/api.zeek>`, :doc:`policy/frameworks/management/supervisor/config.zeek </scripts/policy/frameworks/management/supervisor/config.zeek>`, :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/management/types.zeek.rst b/doc/scripts/policy/frameworks/management/types.zeek.rst
new file mode 100644
index 0000000000..225448b673
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/types.zeek.rst
@@ -0,0 +1,386 @@
+:tocdepth: 3
+
+policy/frameworks/management/types.zeek
+=======================================
+.. zeek:namespace:: Management
+
+This module holds the basic types needed for the Management framework. These
+are used by both cluster agent and controller, and several have corresponding
+implementations in zeek-client.
+
+:Namespace: Management
+
+Summary
+~~~~~~~
+Types
+#####
+=========================================================== =====================================================================
+:zeek:type:`Management::Configuration`: :zeek:type:`record` Data structure capturing a cluster's complete configuration.
+:zeek:type:`Management::Instance`: :zeek:type:`record`      Configuration describing a Zeek instance running a Cluster
+                                                            Agent.
+:zeek:type:`Management::InstanceVec`: :zeek:type:`vector`   
+:zeek:type:`Management::Node`: :zeek:type:`record`          Configuration describing a Cluster Node process.
+:zeek:type:`Management::NodeOutputs`: :zeek:type:`record`   In :zeek:see:`Management::Controller::API::deploy_response` events,
+                                                            each :zeek:see:`Management::Result` indicates the outcome of a
+                                                            launched cluster node.
+:zeek:type:`Management::NodeStatus`: :zeek:type:`record`    The status of a Supervisor-managed node, as reported to the client in
+                                                            a get_nodes_request/get_nodes_response transaction.
+:zeek:type:`Management::NodeStatusVec`: :zeek:type:`vector` 
+:zeek:type:`Management::Option`: :zeek:type:`record`        A Zeek-side option with value.
+:zeek:type:`Management::Result`: :zeek:type:`record`        Return value for request-response API event pairs.
+:zeek:type:`Management::ResultVec`: :zeek:type:`vector`     
+:zeek:type:`Management::Role`: :zeek:type:`enum`            Management infrastructure node type.
+:zeek:type:`Management::State`: :zeek:type:`enum`           State that a Cluster Node can be in.
+=========================================================== =====================================================================
+
+Functions
+#########
+================================================================== =========================================================
+:zeek:id:`Management::result_to_string`: :zeek:type:`function`     Given a :zeek:see:`Management::Result` record,
+                                                                   this function returns a string summarizing it.
+:zeek:id:`Management::result_vec_to_string`: :zeek:type:`function` Given a vector of :zeek:see:`Management::Result` records,
+                                                                   this function returns a string summarizing them.
+================================================================== =========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Management::Configuration
+   :source-code: policy/frameworks/management/types.zeek 67 74
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: id :zeek:type:`string` :zeek:attr:`&default` = ``fD0qxAnfwOe`` :zeek:attr:`&optional`
+
+      Unique identifier for a particular configuration
+
+
+   .. zeek:field:: instances :zeek:type:`set` [:zeek:type:`Management::Instance`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      The instances in the cluster.
+
+
+   .. zeek:field:: nodes :zeek:type:`set` [:zeek:type:`Management::Node`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      The set of nodes in the cluster, as distributed over the instances.
+
+
+   Data structure capturing a cluster's complete configuration.
+
+.. zeek:type:: Management::Instance
+   :source-code: policy/frameworks/management/types.zeek 27 34
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Unique, human-readable instance name
+
+
+   .. zeek:field:: host :zeek:type:`addr`
+
+      IP address of system
+
+
+   .. zeek:field:: listen_port :zeek:type:`port` :zeek:attr:`&optional`
+
+      Agent listening port. Not needed if agents connect to controller.
+
+
+   Configuration describing a Zeek instance running a Cluster
+   Agent. Normally, there'll be one instance per cluster
+   system: a single physical system.
+
+.. zeek:type:: Management::InstanceVec
+   :source-code: policy/frameworks/management/types.zeek 36 36
+
+   :Type: :zeek:type:`vector` of :zeek:type:`Management::Instance`
+
+
+.. zeek:type:: Management::Node
+   :source-code: policy/frameworks/management/types.zeek 52 64
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Cluster-unique, human-readable node name
+
+
+   .. zeek:field:: instance :zeek:type:`string`
+
+      Name of instance where node is to run
+
+
+   .. zeek:field:: role :zeek:type:`Supervisor::ClusterRole`
+
+      Role of the node.
+
+
+   .. zeek:field:: state :zeek:type:`Management::State`
+
+      Desired, or current, run state.
+
+
+   .. zeek:field:: p :zeek:type:`port` :zeek:attr:`&optional`
+
+      Port on which this node will listen
+
+
+   .. zeek:field:: scripts :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
+
+      Additional Zeek scripts for node
+
+
+   .. zeek:field:: options :zeek:type:`set` [:zeek:type:`Management::Option`] :zeek:attr:`&optional`
+
+      Zeek options for node
+
+
+   .. zeek:field:: interface :zeek:type:`string` :zeek:attr:`&optional`
+
+      Interface to sniff
+
+
+   .. zeek:field:: cpu_affinity :zeek:type:`int` :zeek:attr:`&optional`
+
+      CPU/core number to pin to
+
+
+   .. zeek:field:: env :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+
+      Custom environment vars
+
+
+   .. zeek:field:: metrics_port :zeek:type:`port` :zeek:attr:`&optional`
+
+      Metrics exposure port, for Prometheus
+
+
+   Configuration describing a Cluster Node process.
+
+.. zeek:type:: Management::NodeOutputs
+   :source-code: policy/frameworks/management/types.zeek 122 125
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: stdout :zeek:type:`string`
+
+      The stdout stream of a Zeek process
+
+
+   .. zeek:field:: stderr :zeek:type:`string`
+
+      The stderr stream of a Zeek process
+
+
+   In :zeek:see:`Management::Controller::API::deploy_response` events,
+   each :zeek:see:`Management::Result` indicates the outcome of a
+   launched cluster node. If a node does not launch properly (meaning
+   it doesn't check in with the agent on the machine it's running on),
+   the result will indicate failure, and its data field will be an
+   instance of this record, capturing the stdout and stderr output of
+   the failing node.
+
+.. zeek:type:: Management::NodeStatus
+   :source-code: policy/frameworks/management/types.zeek 78 94
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: node :zeek:type:`string`
+
+      Cluster-unique, human-readable node name
+
+
+   .. zeek:field:: state :zeek:type:`Management::State`
+
+      Current run state of the node.
+
+
+   .. zeek:field:: mgmt_role :zeek:type:`Management::Role` :zeek:attr:`&default` = ``Management::NONE`` :zeek:attr:`&optional`
+
+      Role the node plays in cluster management.
+
+
+   .. zeek:field:: cluster_role :zeek:type:`Supervisor::ClusterRole` :zeek:attr:`&default` = ``Supervisor::NONE`` :zeek:attr:`&optional`
+
+      Role the node plays in the Zeek cluster.
+
+
+   .. zeek:field:: pid :zeek:type:`int` :zeek:attr:`&optional`
+
+      Process ID of the node. This is optional because the Supervisor may not have
+      a PID when a node is still bootstrapping.
+
+
+   .. zeek:field:: p :zeek:type:`port` :zeek:attr:`&optional`
+
+      The node's Broker peering listening port, if any.
+
+
+   .. zeek:field:: metrics_port :zeek:type:`port` :zeek:attr:`&optional`
+
+      The node's metrics port for Prometheus, if any.
+
+
+   The status of a Supervisor-managed node, as reported to the client in
+   a get_nodes_request/get_nodes_response transaction.
+
+.. zeek:type:: Management::NodeStatusVec
+   :source-code: policy/frameworks/management/types.zeek 96 96
+
+   :Type: :zeek:type:`vector` of :zeek:type:`Management::NodeStatus`
+
+
+.. zeek:type:: Management::Option
+   :source-code: policy/frameworks/management/types.zeek 19 22
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+      Name of option
+
+
+   .. zeek:field:: value :zeek:type:`string`
+
+      Value of option
+
+
+   A Zeek-side option with value.
+
+.. zeek:type:: Management::Result
+   :source-code: policy/frameworks/management/types.zeek 104 111
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: reqid :zeek:type:`string`
+
+      Request ID of operation this result refers to
+
+
+   .. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
+
+      True if successful
+
+
+   .. zeek:field:: instance :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name of associated instance (for context)
+
+
+   .. zeek:field:: data :zeek:type:`any` :zeek:attr:`&optional`
+
+      Addl data returned for successful operation
+
+
+   .. zeek:field:: error :zeek:type:`string` :zeek:attr:`&optional`
+
+      Descriptive error on failure
+
+
+   .. zeek:field:: node :zeek:type:`string` :zeek:attr:`&optional`
+
+      Name of associated node (for context)
+
+
+   Return value for request-response API event pairs. Some responses
+   contain one, others multiple of these. The request ID allows clients
+   to string requests and responses together. Agents and the controller
+   fill in the instance and node fields whenever there's sufficient
+   context to define them. Any result produced by an agent will carry an
+   instance value, for example.
+
+.. zeek:type:: Management::ResultVec
+   :source-code: policy/frameworks/management/types.zeek 113 113
+
+   :Type: :zeek:type:`vector` of :zeek:type:`Management::Result`
+
+
+.. zeek:type:: Management::Role
+   :source-code: policy/frameworks/management/types.zeek 11 17
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Management::NONE Management::Role
+
+         No active role in cluster management
+
+      .. zeek:enum:: Management::AGENT Management::Role
+
+         A cluster management agent.
+
+      .. zeek:enum:: Management::CONTROLLER Management::Role
+
+         The cluster's controller.
+
+      .. zeek:enum:: Management::NODE Management::Role
+
+         A managed cluster node (worker, manager, etc).
+
+   Management infrastructure node type. This intentionally does not
+   include the managed cluster node types (worker, logger, etc) -- those
+   continue to be managed by the cluster framework.
+
+.. zeek:type:: Management::State
+   :source-code: policy/frameworks/management/types.zeek 42 50
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Management::PENDING Management::State
+
+         Not yet running
+
+      .. zeek:enum:: Management::RUNNING Management::State
+
+         Running and operating normally
+
+      .. zeek:enum:: Management::STOPPED Management::State
+
+         Explicitly stopped
+
+      .. zeek:enum:: Management::FAILED Management::State
+
+         Failed to start; and permanently halted
+
+      .. zeek:enum:: Management::CRASHED Management::State
+
+         Crashed, will be restarted,
+
+      .. zeek:enum:: Management::UNKNOWN Management::State
+
+         State not known currently (e.g., because of lost connectivity)
+
+   State that a Cluster Node can be in. State changes trigger an
+   API notification (see notify_change()). The Pending state corresponds
+   to the Supervisor not yet reporting a PID for a node when it has not
+   yet fully launched.
+
+Functions
+#########
+.. zeek:id:: Management::result_to_string
+   :source-code: policy/frameworks/management/types.zeek 136 160
+
+   :Type: :zeek:type:`function` (res: :zeek:type:`Management::Result`) : :zeek:type:`string`
+
+   Given a :zeek:see:`Management::Result` record,
+   this function returns a string summarizing it.
+
+.. zeek:id:: Management::result_vec_to_string
+   :source-code: policy/frameworks/management/types.zeek 162 170
+
+   :Type: :zeek:type:`function` (res: :zeek:type:`Management::ResultVec`) : :zeek:type:`string`
+
+   Given a vector of :zeek:see:`Management::Result` records,
+   this function returns a string summarizing them.
+
+
diff --git a/doc/scripts/policy/frameworks/management/util.zeek.rst b/doc/scripts/policy/frameworks/management/util.zeek.rst
new file mode 100644
index 0000000000..db7686a4bc
--- /dev/null
+++ b/doc/scripts/policy/frameworks/management/util.zeek.rst
@@ -0,0 +1,38 @@
+:tocdepth: 3
+
+policy/frameworks/management/util.zeek
+======================================
+.. zeek:namespace:: Management::Util
+
+Utility functions for the Management framework, available to agent
+and controller.
+
+:Namespace: Management::Util
+
+Summary
+~~~~~~~
+Functions
+#########
+================================================================= ============================================================
+:zeek:id:`Management::Util::set_to_vector`: :zeek:type:`function` Renders a set of strings to an alphabetically sorted vector.
+================================================================= ============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Functions
+#########
+.. zeek:id:: Management::Util::set_to_vector
+   :source-code: policy/frameworks/management/util.zeek 15 25
+
+   :Type: :zeek:type:`function` (ss: :zeek:type:`set` [:zeek:type:`string`]) : :zeek:type:`vector` of :zeek:type:`string`
+
+   Renders a set of strings to an alphabetically sorted vector.
+   
+
+   :param ss: the string set to convert.
+   
+
+   :returns: the vector of all strings in ss.
+
+
diff --git a/doc/scripts/policy/frameworks/netcontrol/catch-and-release.zeek.rst b/doc/scripts/policy/frameworks/netcontrol/catch-and-release.zeek.rst
new file mode 100644
index 0000000000..aa64a02ea9
--- /dev/null
+++ b/doc/scripts/policy/frameworks/netcontrol/catch-and-release.zeek.rst
@@ -0,0 +1,412 @@
+:tocdepth: 3
+
+policy/frameworks/netcontrol/catch-and-release.zeek
+===================================================
+.. zeek:namespace:: NetControl
+
+Implementation of catch-and-release functionality for NetControl.
+
+:Namespace: NetControl
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================================= ====================================================================================
+:zeek:id:`NetControl::catch_release_warn_blocked_ip_encountered`: :zeek:type:`bool` :zeek:attr:`&redef` If true, catch and release warns if packets of an IP address are still seen after it
+                                                                                                        should have been blocked.
+======================================================================================================= ====================================================================================
+
+Redefinable Options
+###################
+======================================================================================= =====================================================================================
+:zeek:id:`NetControl::catch_release_intervals`: :zeek:type:`vector` :zeek:attr:`&redef` Time intervals for which subsequent drops of the same IP take
+                                                                                        effect.
+:zeek:id:`NetControl::watch_connections`: :zeek:type:`bool` :zeek:attr:`&redef`         If true, catch_release_seen is called on the connection originator in new_connection,
+                                                                                        connection_established, partial_connection, connection_attempt, connection_rejected,
+                                                                                        connection_reset and connection_pending
+======================================================================================= =====================================================================================
+
+Types
+#####
+=============================================================== =========================================================================
+:zeek:type:`NetControl::BlockInfo`: :zeek:type:`record`         This record is used for storing information about current blocks that are
+                                                                part of catch and release.
+:zeek:type:`NetControl::CatchReleaseActions`: :zeek:type:`enum` The enum that contains the different kinds of messages that are logged by
+                                                                catch and release.
+:zeek:type:`NetControl::CatchReleaseInfo`: :zeek:type:`record`  The record type that is used for representing and logging
+=============================================================== =========================================================================
+
+Redefinitions
+#############
+======================================= ========================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`NetControl::CATCH_RELEASE`
+======================================= ========================================
+
+Events
+######
+======================================================================= ===================================================================================
+:zeek:id:`NetControl::catch_release_add`: :zeek:type:`event`            
+:zeek:id:`NetControl::catch_release_block_delete`: :zeek:type:`event`   
+:zeek:id:`NetControl::catch_release_block_new`: :zeek:type:`event`      
+:zeek:id:`NetControl::catch_release_delete`: :zeek:type:`event`         
+:zeek:id:`NetControl::catch_release_encountered`: :zeek:type:`event`    
+:zeek:id:`NetControl::catch_release_forgotten`: :zeek:type:`event`      Event is raised when catch and release cases management of an IP address because no
+                                                                        activity was seen within the watch_until period.
+:zeek:id:`NetControl::log_netcontrol_catch_release`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`NetControl::CatchReleaseInfo`
+                                                                        record as it is sent on to the logging framework.
+======================================================================= ===================================================================================
+
+Hooks
+#####
+============================================================================= =
+:zeek:id:`NetControl::log_policy_catch_release`: :zeek:type:`Log::PolicyHook` 
+============================================================================= =
+
+Functions
+#########
+=========================================================================== =======================================================================================================
+:zeek:id:`NetControl::catch_release_seen`: :zeek:type:`function`            This function can be called to notify the catch and release script that activity by
+                                                                            an IP address was seen.
+:zeek:id:`NetControl::drop_address_catch_release`: :zeek:type:`function`    Stops all packets involving an IP address from being forwarded.
+:zeek:id:`NetControl::get_catch_release_info`: :zeek:type:`function`        Get the :zeek:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
+:zeek:id:`NetControl::unblock_address_catch_release`: :zeek:type:`function` Removes an address from being watched with catch and release.
+=========================================================================== =======================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: NetControl::catch_release_warn_blocked_ip_encountered
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 148 148
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   If true, catch and release warns if packets of an IP address are still seen after it
+   should have been blocked.
+
+Redefinable Options
+###################
+.. zeek:id:: NetControl::catch_release_intervals
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 152 152
+
+   :Type: :zeek:type:`vector` of :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         [10.0 mins, 1.0 hr, 1.0 day, 7.0 days]
+
+
+   Time intervals for which subsequent drops of the same IP take
+   effect.
+
+.. zeek:id:: NetControl::watch_connections
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 144 144
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, catch_release_seen is called on the connection originator in new_connection,
+   connection_established, partial_connection, connection_attempt, connection_rejected,
+   connection_reset and connection_pending
+
+Types
+#####
+.. zeek:type:: NetControl::BlockInfo
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 16 29
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: block_until :zeek:type:`time` :zeek:attr:`&optional`
+
+      Absolute time indicating until when a block is inserted using NetControl.
+
+
+   .. zeek:field:: watch_until :zeek:type:`time`
+
+      Absolute time indicating until when an IP address is watched to reblock it.
+
+
+   .. zeek:field:: num_reblocked :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+
+      Number of times an IP address was reblocked.
+
+
+   .. zeek:field:: current_interval :zeek:type:`count`
+
+      Number indicating at which catch and release interval we currently are.
+
+
+   .. zeek:field:: current_block_id :zeek:type:`string`
+
+      ID of the inserted block, if any.
+
+
+   .. zeek:field:: location :zeek:type:`string` :zeek:attr:`&optional`
+
+      User specified string.
+
+
+   This record is used for storing information about current blocks that are
+   part of catch and release.
+
+.. zeek:type:: NetControl::CatchReleaseActions
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 33 51
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: NetControl::INFO NetControl::CatchReleaseActions
+
+         Log lines marked with info are purely informational; no action was taken.
+
+      .. zeek:enum:: NetControl::ADDED NetControl::CatchReleaseActions
+
+         A rule for the specified IP address already existed in NetControl (outside
+         of catch-and-release). Catch and release did not add a new rule, but is now
+         watching the IP address and will add a new rule after the current rule expires.
+
+      .. zeek:enum:: NetControl::DROP_REQUESTED NetControl::CatchReleaseActions
+
+         A drop was requested by catch and release.
+
+      .. zeek:enum:: NetControl::DROPPED NetControl::CatchReleaseActions
+
+         An address was successfully blocked by catch and release.
+
+      .. zeek:enum:: NetControl::UNBLOCK NetControl::CatchReleaseActions
+
+         An address was unblocked after the timeout expired.
+
+      .. zeek:enum:: NetControl::FORGOTTEN NetControl::CatchReleaseActions
+
+         An address was forgotten because it did not reappear within the `watch_until` interval.
+
+      .. zeek:enum:: NetControl::SEEN_AGAIN NetControl::CatchReleaseActions
+
+         A watched IP address was seen again; catch and release will re-block it.
+
+   The enum that contains the different kinds of messages that are logged by
+   catch and release.
+
+.. zeek:type:: NetControl::CatchReleaseInfo
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 53 78
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The absolute time indicating when the action for this log-line occurred.
+
+
+   .. zeek:field:: rule_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The rule id that this log line refers to.
+
+
+   .. zeek:field:: ip :zeek:type:`addr` :zeek:attr:`&log`
+
+      The IP address that this line refers to.
+
+
+   .. zeek:field:: action :zeek:type:`NetControl::CatchReleaseActions` :zeek:attr:`&log`
+
+      The action that was taken in this log-line.
+
+
+   .. zeek:field:: block_interval :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The current block_interval (for how long the address is blocked).
+
+
+   .. zeek:field:: watch_interval :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The current watch_interval (for how long the address will be watched and re-block if it reappears).
+
+
+   .. zeek:field:: blocked_until :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The absolute time until which the address is blocked.
+
+
+   .. zeek:field:: watched_until :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The absolute time until which the address will be monitored.
+
+
+   .. zeek:field:: num_blocked :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of times that this address was blocked in the current cycle.
+
+
+   .. zeek:field:: location :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      The user specified location string.
+
+
+   .. zeek:field:: message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Additional informational string by the catch and release framework about this log-line.
+
+
+   .. zeek:field:: plugin :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Plugin triggering the log entry.
+
+
+   The record type that is used for representing and logging
+
+Events
+######
+.. zeek:id:: NetControl::catch_release_add
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 161 161
+
+   :Type: :zeek:type:`event` (a: :zeek:type:`addr`, location: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::catch_release_block_delete
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 160 160
+
+   :Type: :zeek:type:`event` (a: :zeek:type:`addr`)
+
+
+.. zeek:id:: NetControl::catch_release_block_new
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 159 159
+
+   :Type: :zeek:type:`event` (a: :zeek:type:`addr`, b: :zeek:type:`NetControl::BlockInfo`)
+
+
+.. zeek:id:: NetControl::catch_release_delete
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 162 162
+
+   :Type: :zeek:type:`event` (a: :zeek:type:`addr`, reason: :zeek:type:`string`)
+
+
+.. zeek:id:: NetControl::catch_release_encountered
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 163 163
+
+   :Type: :zeek:type:`event` (a: :zeek:type:`addr`)
+
+
+.. zeek:id:: NetControl::catch_release_forgotten
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 139 139
+
+   :Type: :zeek:type:`event` (a: :zeek:type:`addr`, bi: :zeek:type:`NetControl::BlockInfo`)
+
+   Event is raised when catch and release cases management of an IP address because no
+   activity was seen within the watch_until period.
+   
+
+   :param a: The address that is no longer being managed.
+   
+
+   :param bi: The :zeek:see:`NetControl::BlockInfo` record containing information about the block.
+
+.. zeek:id:: NetControl::log_netcontrol_catch_release
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 156 156
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`NetControl::CatchReleaseInfo`)
+
+   Event that can be handled to access the :zeek:type:`NetControl::CatchReleaseInfo`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: NetControl::log_policy_catch_release
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 12 12
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+Functions
+#########
+.. zeek:id:: NetControl::catch_release_seen
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 447 511
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`void`
+
+   This function can be called to notify the catch and release script that activity by
+   an IP address was seen. If the respective IP address is currently monitored by catch and
+   release and not blocked, the block will be reinstated. See the documentation of watch_new_connection
+   which events the catch and release functionality usually monitors for activity.
+   
+
+   :param a: The address that was seen and should be re-dropped if it is being watched.
+
+.. zeek:id:: NetControl::drop_address_catch_release
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 353 419
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`NetControl::BlockInfo`
+
+   Stops all packets involving an IP address from being forwarded. This function
+   uses catch-and-release functionality, where the IP address is only dropped for
+   a short amount of time that is incremented steadily when the IP is encountered
+   again.
+   
+   In cluster mode, this function works on workers as well as the manager. On managers,
+   the returned :zeek:see:`NetControl::BlockInfo` record will not contain the block ID,
+   which will be assigned on the manager.
+   
+
+   :param a: The address to be dropped.
+   
+
+   :param t: How long to drop it, with 0 being indefinitely.
+   
+
+   :param location: An optional string describing where the drop was triggered.
+   
+
+   :returns: The :zeek:see:`NetControl::BlockInfo` record containing information about
+            the inserted block.
+
+.. zeek:id:: NetControl::get_catch_release_info
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 345 351
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`NetControl::BlockInfo`
+
+   Get the :zeek:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
+   If the address is unknown to catch and release, the watch_until time will be set to 0.
+   
+   In cluster mode, this function works on the manager and workers. On workers, the data will
+   lag slightly behind the manager; if you add a block, it will not be instantly available via
+   this function.
+   
+
+   :param a: The address to get information about.
+   
+
+   :returns: The :zeek:see:`NetControl::BlockInfo` record containing information about
+            the inserted block.
+
+.. zeek:id:: NetControl::unblock_address_catch_release
+   :source-code: policy/frameworks/netcontrol/catch-and-release.zeek 422 445
+
+   :Type: :zeek:type:`function` (a: :zeek:type:`addr`, reason: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
+
+   Removes an address from being watched with catch and release. Returns true if the
+   address was found and removed; returns false if it was unknown to catch and release.
+   
+   If the address is currently blocked, and the block was inserted by catch and release,
+   the block is removed.
+   
+
+   :param a: The address to be unblocked.
+   
+
+   :param reason: A reason for the unblock.
+   
+
+   :returns: True if the address was unblocked.
+
+
diff --git a/doc/scripts/policy/frameworks/notice/__load__.zeek.rst b/doc/scripts/policy/frameworks/notice/__load__.zeek.rst
new file mode 100644
index 0000000000..a28757e819
--- /dev/null
+++ b/doc/scripts/policy/frameworks/notice/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/notice/__load__.zeek
+======================================
+
+
+:Imports: :doc:`policy/frameworks/notice/extend-email/hostnames.zeek </scripts/policy/frameworks/notice/extend-email/hostnames.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/notice/actions/drop.zeek.rst b/doc/scripts/policy/frameworks/notice/actions/drop.zeek.rst
new file mode 100644
index 0000000000..70586e66d9
--- /dev/null
+++ b/doc/scripts/policy/frameworks/notice/actions/drop.zeek.rst
@@ -0,0 +1,30 @@
+:tocdepth: 3
+
+policy/frameworks/notice/actions/drop.zeek
+==========================================
+.. zeek:namespace:: Notice
+
+This script extends the built in notice code to implement the IP address
+dropping functionality.
+
+:Namespace: Notice
+:Imports: :doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`, :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`, :doc:`policy/frameworks/netcontrol/catch-and-release.zeek </scripts/policy/frameworks/netcontrol/catch-and-release.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== ===================================================================================================
+:zeek:type:`Notice::Info`: :zeek:type:`record` 
+                                               
+                                               :New Fields: :zeek:type:`Notice::Info`
+                                               
+                                                 dropped: :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                   Indicate if the $src IP address was dropped and denied
+                                                   network access.
+============================================== ===================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/notice/community-id.zeek.rst b/doc/scripts/policy/frameworks/notice/community-id.zeek.rst
new file mode 100644
index 0000000000..1f58057ed3
--- /dev/null
+++ b/doc/scripts/policy/frameworks/notice/community-id.zeek.rst
@@ -0,0 +1,42 @@
+:tocdepth: 3
+
+policy/frameworks/notice/community-id.zeek
+==========================================
+.. zeek:namespace:: CommunityID::Notice
+
+
+:Namespace: CommunityID::Notice
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`policy/protocols/conn/community-id-logging.zeek </scripts/policy/protocols/conn/community-id-logging.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================== =
+:zeek:id:`CommunityID::Notice::enabled`: :zeek:type:`bool` :zeek:attr:`&redef` 
+============================================================================== =
+
+Redefinitions
+#############
+============================================== ============================================================================
+:zeek:type:`Notice::Info`: :zeek:type:`record` 
+                                               
+                                               :New Fields: :zeek:type:`Notice::Info`
+                                               
+                                                 community_id: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+============================================== ============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: CommunityID::Notice::enabled
+   :source-code: policy/frameworks/notice/community-id.zeek 14 14
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+
+
diff --git a/doc/scripts/policy/frameworks/notice/extend-email/hostnames.zeek.rst b/doc/scripts/policy/frameworks/notice/extend-email/hostnames.zeek.rst
new file mode 100644
index 0000000000..7b3bf577d5
--- /dev/null
+++ b/doc/scripts/policy/frameworks/notice/extend-email/hostnames.zeek.rst
@@ -0,0 +1,20 @@
+:tocdepth: 3
+
+policy/frameworks/notice/extend-email/hostnames.zeek
+====================================================
+.. zeek:namespace:: Notice
+
+Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action
+by appending to the email the hostnames associated with
+:zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a
+DNS lookup.
+
+:Namespace: Notice
+:Imports: :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/notice/index.rst b/doc/scripts/policy/frameworks/notice/index.rst
new file mode 100644
index 0000000000..0ebf50a35e
--- /dev/null
+++ b/doc/scripts/policy/frameworks/notice/index.rst
@@ -0,0 +1,24 @@
+:orphan:
+
+Package: policy/frameworks/notice
+=================================
+
+
+:doc:`/scripts/policy/frameworks/notice/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/notice/extend-email/hostnames.zeek`
+
+   Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action
+   by appending to the email the hostnames associated with
+   :zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a
+   DNS lookup.
+
+:doc:`/scripts/policy/frameworks/notice/actions/drop.zeek`
+
+   This script extends the built in notice code to implement the IP address
+   dropping functionality.
+
+:doc:`/scripts/policy/frameworks/notice/community-id.zeek`
+
+
diff --git a/doc/scripts/policy/frameworks/packet-filter/shunt.zeek.rst b/doc/scripts/policy/frameworks/packet-filter/shunt.zeek.rst
new file mode 100644
index 0000000000..0bb2b65bef
--- /dev/null
+++ b/doc/scripts/policy/frameworks/packet-filter/shunt.zeek.rst
@@ -0,0 +1,115 @@
+:tocdepth: 3
+
+policy/frameworks/packet-filter/shunt.zeek
+==========================================
+.. zeek:namespace:: PacketFilter
+
+
+:Namespace: PacketFilter
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/packet-filter </scripts/base/frameworks/packet-filter/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=============================================================================== =======================================================================
+:zeek:id:`PacketFilter::max_bpf_shunts`: :zeek:type:`count` :zeek:attr:`&redef` The maximum number of BPF based shunts that Zeek is allowed to perform.
+=============================================================================== =======================================================================
+
+Redefinitions
+#############
+============================================ ============================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`PacketFilter::Cannot_BPF_Shunt_Conn`:
+                                               Limitations in BPF make shunting some connections with BPF
+                                               impossible.
+                                             
+                                             * :zeek:enum:`PacketFilter::No_More_Conn_Shunts_Available`:
+                                               Indicative that :zeek:id:`PacketFilter::max_bpf_shunts`
+                                               connections are already being shunted with BPF filters and
+                                               no more are allowed.
+============================================ ============================================================
+
+Functions
+#########
+========================================================================== ============================================================================
+:zeek:id:`PacketFilter::current_shunted_conns`: :zeek:type:`function`      Retrieve the currently shunted connections.
+:zeek:id:`PacketFilter::current_shunted_host_pairs`: :zeek:type:`function` Retrieve the currently shunted host pairs.
+:zeek:id:`PacketFilter::force_unshunt_host_pair`: :zeek:type:`function`    Performs the same function as the :zeek:id:`PacketFilter::unshunt_host_pair`
+                                                                           function, but it forces an immediate filter update.
+:zeek:id:`PacketFilter::shunt_conn`: :zeek:type:`function`                 Call this function to use BPF to shunt a connection (to prevent the
+                                                                           data packets from reaching Zeek).
+:zeek:id:`PacketFilter::shunt_host_pair`: :zeek:type:`function`            This function will use a BPF expression to shunt traffic between
+                                                                           the two hosts given in the ``conn_id`` so that the traffic is never
+                                                                           exposed to Zeek's traffic processing.
+:zeek:id:`PacketFilter::unshunt_host_pair`: :zeek:type:`function`          Remove shunting for a host pair given as a ``conn_id``.
+========================================================================== ============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: PacketFilter::max_bpf_shunts
+   :source-code: policy/frameworks/packet-filter/shunt.zeek 8 8
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``100``
+
+   The maximum number of BPF based shunts that Zeek is allowed to perform.
+
+Functions
+#########
+.. zeek:id:: PacketFilter::current_shunted_conns
+   :source-code: policy/frameworks/packet-filter/shunt.zeek 86 89
+
+   :Type: :zeek:type:`function` () : :zeek:type:`set` [:zeek:type:`conn_id`]
+
+   Retrieve the currently shunted connections.
+
+.. zeek:id:: PacketFilter::current_shunted_host_pairs
+   :source-code: policy/frameworks/packet-filter/shunt.zeek 91 94
+
+   :Type: :zeek:type:`function` () : :zeek:type:`set` [:zeek:type:`conn_id`]
+
+   Retrieve the currently shunted host pairs.
+
+.. zeek:id:: PacketFilter::force_unshunt_host_pair
+   :source-code: policy/frameworks/packet-filter/shunt.zeek 133 142
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+   Performs the same function as the :zeek:id:`PacketFilter::unshunt_host_pair`
+   function, but it forces an immediate filter update.
+
+.. zeek:id:: PacketFilter::shunt_conn
+   :source-code: policy/frameworks/packet-filter/shunt.zeek 144 162
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+   Call this function to use BPF to shunt a connection (to prevent the
+   data packets from reaching Zeek). For TCP connections, control
+   packets are still allowed through so that Zeek can continue logging
+   the connection and it can stop shunting once the connection ends.
+
+.. zeek:id:: PacketFilter::shunt_host_pair
+   :source-code: policy/frameworks/packet-filter/shunt.zeek 108 118
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+   This function will use a BPF expression to shunt traffic between
+   the two hosts given in the ``conn_id`` so that the traffic is never
+   exposed to Zeek's traffic processing.
+
+.. zeek:id:: PacketFilter::unshunt_host_pair
+   :source-code: policy/frameworks/packet-filter/shunt.zeek 120 131
+
+   :Type: :zeek:type:`function` (id: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+   Remove shunting for a host pair given as a ``conn_id``.  The filter
+   is not immediately removed.  It waits for the occasional filter
+   update done by the ``PacketFilter`` framework.
+
+
diff --git a/doc/scripts/policy/frameworks/signatures/iso-9660.zeek.rst b/doc/scripts/policy/frameworks/signatures/iso-9660.zeek.rst
new file mode 100644
index 0000000000..2084c86703
--- /dev/null
+++ b/doc/scripts/policy/frameworks/signatures/iso-9660.zeek.rst
@@ -0,0 +1,21 @@
+:tocdepth: 3
+
+policy/frameworks/signatures/iso-9660.zeek
+==========================================
+
+Load signature for ISO 9660 disk image and increase
+default_file_bof_buffer_size to make it functional.
+
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=============================================================================== =
+:zeek:id:`default_file_bof_buffer_size`: :zeek:type:`count` :zeek:attr:`&redef` 
+=============================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/software/version-changes.zeek.rst b/doc/scripts/policy/frameworks/software/version-changes.zeek.rst
new file mode 100644
index 0000000000..0687e9586f
--- /dev/null
+++ b/doc/scripts/policy/frameworks/software/version-changes.zeek.rst
@@ -0,0 +1,49 @@
+:tocdepth: 3
+
+policy/frameworks/software/version-changes.zeek
+===============================================
+.. zeek:namespace:: Software
+
+Provides the possibility to define software names that are interesting to
+watch for changes.  A notice is generated if software versions change on a
+host.
+
+:Namespace: Software
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+====================================================================================== ====================================================================
+:zeek:id:`Software::interesting_version_changes`: :zeek:type:`set` :zeek:attr:`&redef` Some software is more interesting when the version changes and this
+                                                                                       is a set of all software that should raise a notice when a different
+                                                                                       version is seen on a host.
+====================================================================================== ====================================================================
+
+Redefinitions
+#############
+============================================ ======================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`Software::Software_Version_Change`:
+                                               For certain software, a version changing may matter.
+============================================ ======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Software::interesting_version_changes
+   :source-code: policy/frameworks/software/version-changes.zeek 22 22
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Some software is more interesting when the version changes and this
+   is a set of all software that should raise a notice when a different
+   version is seen on a host.
+
+
diff --git a/doc/scripts/policy/frameworks/software/vulnerable.zeek.rst b/doc/scripts/policy/frameworks/software/vulnerable.zeek.rst
new file mode 100644
index 0000000000..80f04ba5d0
--- /dev/null
+++ b/doc/scripts/policy/frameworks/software/vulnerable.zeek.rst
@@ -0,0 +1,111 @@
+:tocdepth: 3
+
+policy/frameworks/software/vulnerable.zeek
+==========================================
+.. zeek:namespace:: Software
+
+Provides a variable to define vulnerable versions of software and if
+a version of that software is as old or older than the defined version a
+notice will be generated.
+
+:Namespace: Software
+:Imports: :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=================================================================================================== =============================================================
+:zeek:id:`Software::vulnerable_versions_update_endpoint`: :zeek:type:`string` :zeek:attr:`&redef`   The DNS zone where runtime vulnerable software updates will
+                                                                                                    be loaded from.
+:zeek:id:`Software::vulnerable_versions_update_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The interval at which vulnerable versions should grab updates
+                                                                                                    over DNS.
+=================================================================================================== =============================================================
+
+Redefinable Options
+###################
+================================================================================ ===============================================================
+:zeek:id:`Software::vulnerable_versions`: :zeek:type:`table` :zeek:attr:`&redef` This is a table of software versions indexed by the name of the
+                                                                                 software and a set of version ranges that are declared to be
+                                                                                 vulnerable for that software.
+================================================================================ ===============================================================
+
+Types
+#####
+================================================================== =
+:zeek:type:`Software::VulnerableVersionRange`: :zeek:type:`record` 
+================================================================== =
+
+Redefinitions
+#############
+============================================ ===============================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`Software::Vulnerable_Version`:
+                                               Indicates that a vulnerable version of software was detected.
+============================================ ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Software::vulnerable_versions_update_endpoint
+   :source-code: policy/frameworks/software/vulnerable.zeek 32 32
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The DNS zone where runtime vulnerable software updates will
+   be loaded from.
+
+.. zeek:id:: Software::vulnerable_versions_update_interval
+   :source-code: policy/frameworks/software/vulnerable.zeek 36 36
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 hr``
+
+   The interval at which vulnerable versions should grab updates
+   over DNS.
+
+Redefinable Options
+###################
+.. zeek:id:: Software::vulnerable_versions
+   :source-code: policy/frameworks/software/vulnerable.zeek 41 41
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`set` [:zeek:type:`Software::VulnerableVersionRange`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   This is a table of software versions indexed by the name of the
+   software and a set of version ranges that are declared to be
+   vulnerable for that software.
+
+Types
+#####
+.. zeek:type:: Software::VulnerableVersionRange
+   :source-code: policy/frameworks/software/vulnerable.zeek 17 28
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: min :zeek:type:`Software::Version` :zeek:attr:`&optional`
+
+      The minimal version of a vulnerable version range.  This
+      field can be undefined if all previous versions of a piece
+      of software are vulnerable.
+
+
+   .. zeek:field:: max :zeek:type:`Software::Version`
+
+      The maximum vulnerable version.  This field is deliberately
+      not optional because a maximum vulnerable version must
+      always be defined.  This assumption may become incorrect
+      if all future versions of some software are to be considered
+      vulnerable. :)
+
+
+
+
diff --git a/doc/scripts/policy/frameworks/software/windows-version-detection.zeek.rst b/doc/scripts/policy/frameworks/software/windows-version-detection.zeek.rst
new file mode 100644
index 0000000000..cc2c005ea4
--- /dev/null
+++ b/doc/scripts/policy/frameworks/software/windows-version-detection.zeek.rst
@@ -0,0 +1,98 @@
+:tocdepth: 3
+
+policy/frameworks/software/windows-version-detection.zeek
+=========================================================
+.. zeek:namespace:: OS
+
+Windows systems access a Microsoft Certificate Revocation List (CRL) periodically. The
+user agent for these requests reveals which version of Crypt32.dll installed on the system,
+which can uniquely identify the version of Windows that's running.
+
+This script will log the version of Windows that was identified to the Software framework.
+
+:Namespace: OS
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+========================================================================= =
+:zeek:id:`OS::crypto_api_mapping`: :zeek:type:`table` :zeek:attr:`&redef` 
+========================================================================= =
+
+Types
+#####
+============================================================ =
+:zeek:type:`Software::name_and_version`: :zeek:type:`record` 
+============================================================ =
+
+Redefinitions
+#############
+============================================== ==================================================
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`OS::WINDOWS`:
+                                                 Identifier for Windows operating system versions
+============================================== ==================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: OS::crypto_api_mapping
+   :source-code: policy/frameworks/software/windows-version-detection.zeek 23 23
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Software::name_and_version`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            ["Microsoft-CryptoAPI/5.131.3790.1830"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=1830, addl="XP x64 or Server 2003 SP1"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3249"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3249, addl="XP SP3 RC Beta"]],
+            ["Microsoft-CryptoAPI/5.131.2600.5508"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=5508, addl="XP SP3 RC2 Update 2"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3180"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3180, addl="XP SP3 Beta 1"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3264"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3264, addl="XP SP3 RC1"]],
+            ["Microsoft-CryptoAPI/6.2"] = [name="Windows", version=[major=6, minor=2, minor2=<uninitialized>, minor3=<uninitialized>, addl="8 or Server 2012"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3282"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3282, addl="XP SP3 RC1 Update"]],
+            ["Microsoft-CryptoAPI/5.131.3790.5235"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=5235, addl="XP x64 or Server 2003 with MS13-095"]],
+            ["Microsoft-CryptoAPI/6.4"] = [name="Windows", version=[major=6, minor=4, minor2=<uninitialized>, minor3=<uninitialized>, addl="10 Technical Preview"]],
+            ["Microsoft-CryptoAPI/5.131.2600.0"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=0, addl="XP SP0"]],
+            ["Microsoft-CryptoAPI/5.131.2600.5512"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=5512, addl="XP SP3"]],
+            ["Microsoft-CryptoAPI/5.131.2195.6661"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6661, addl="2000 SP4"]],
+            ["Microsoft-CryptoAPI/5.131.2195.6926"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6926, addl="2000 with Hotfix 98830"]],
+            ["Microsoft-CryptoAPI/6.0"] = [name="Windows", version=[major=6, minor=0, minor2=<uninitialized>, minor3=<uninitialized>, addl="Vista or Server 2008"]],
+            ["Microsoft-CryptoAPI/5.131.3790.0"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=0, addl="XP x64 or Server 2003 SP0"]],
+            ["Microsoft-CryptoAPI/6.3"] = [name="Windows", version=[major=6, minor=3, minor2=<uninitialized>, minor3=<uninitialized>, addl="8.1 or Server 2012 R2"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3205"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3205, addl="XP SP3 Beta 2"]],
+            ["Microsoft-CryptoAPI/5.131.2600.1106"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=1106, addl="XP SP1"]],
+            ["Microsoft-CryptoAPI/5.131.2600.2180"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=2180, addl="XP SP2"]],
+            ["Microsoft-CryptoAPI/5.131.2195.6824"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6824, addl="2000 with MS04-11"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3300"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3300, addl="XP SP3 RC2"]],
+            ["Microsoft-CryptoAPI/6.1"] = [name="Windows", version=[major=6, minor=1, minor2=<uninitialized>, minor3=<uninitialized>, addl="7 or Server 2008 R2"]],
+            ["Microsoft-CryptoAPI/10.0"] = [name="Windows", version=[major=10, minor=0, minor2=<uninitialized>, minor3=<uninitialized>, addl=<uninitialized>]],
+            ["Microsoft-CryptoAPI/5.131.2600.3311"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3311, addl="XP SP3 RC2 Update"]],
+            ["Microsoft-CryptoAPI/5.131.3790.3959"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=3959, addl="XP x64 or Server 2003 SP2"]]
+         }
+
+
+
+Types
+#####
+.. zeek:type:: Software::name_and_version
+   :source-code: policy/frameworks/software/windows-version-detection.zeek 18 21
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+
+   .. zeek:field:: version :zeek:type:`Software::Version`
+
+
+
+
diff --git a/doc/scripts/policy/frameworks/spicy/resource-usage.zeek.rst b/doc/scripts/policy/frameworks/spicy/resource-usage.zeek.rst
new file mode 100644
index 0000000000..2effcfcc9e
--- /dev/null
+++ b/doc/scripts/policy/frameworks/spicy/resource-usage.zeek.rst
@@ -0,0 +1,16 @@
+:tocdepth: 3
+
+policy/frameworks/spicy/resource-usage.zeek
+===========================================
+.. zeek:namespace:: Spicy
+
+Logs Spicy-related resource usage continuously for debugging purposes.
+
+:Namespace: Spicy
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/storage/backend/redis/__load__.zeek.rst b/doc/scripts/policy/frameworks/storage/backend/redis/__load__.zeek.rst
new file mode 100644
index 0000000000..5e03cd56b4
--- /dev/null
+++ b/doc/scripts/policy/frameworks/storage/backend/redis/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/storage/backend/redis/__load__.zeek
+=====================================================
+
+
+:Imports: :doc:`policy/frameworks/storage/backend/redis/main.zeek </scripts/policy/frameworks/storage/backend/redis/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/storage/backend/redis/index.rst b/doc/scripts/policy/frameworks/storage/backend/redis/index.rst
new file mode 100644
index 0000000000..4c9dae756e
--- /dev/null
+++ b/doc/scripts/policy/frameworks/storage/backend/redis/index.rst
@@ -0,0 +1,13 @@
+:orphan:
+
+Package: policy/frameworks/storage/backend/redis
+================================================
+
+
+:doc:`/scripts/policy/frameworks/storage/backend/redis/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/storage/backend/redis/main.zeek`
+
+   Redis storage backend support
+
diff --git a/doc/scripts/policy/frameworks/storage/backend/redis/main.zeek.rst b/doc/scripts/policy/frameworks/storage/backend/redis/main.zeek.rst
new file mode 100644
index 0000000000..68e61738c0
--- /dev/null
+++ b/doc/scripts/policy/frameworks/storage/backend/redis/main.zeek.rst
@@ -0,0 +1,108 @@
+:tocdepth: 3
+
+policy/frameworks/storage/backend/redis/main.zeek
+=================================================
+.. zeek:namespace:: Storage::Backend::Redis
+
+Redis storage backend support
+
+:Namespace: Storage::Backend::Redis
+:Imports: :doc:`base/frameworks/storage/main.zeek </scripts/base/frameworks/storage/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================================== ==============================================
+:zeek:id:`Storage::Backend::Redis::default_connect_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`   Default value for connection attempt timeouts.
+:zeek:id:`Storage::Backend::Redis::default_operation_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` Default value for operation timeouts.
+======================================================================================================== ==============================================
+
+Types
+#####
+================================================================== ==============================================
+:zeek:type:`Storage::Backend::Redis::Options`: :zeek:type:`record` Options record for the built-in Redis backend.
+================================================================== ==============================================
+
+Redefinitions
+#############
+========================================================= =============================================================================
+:zeek:type:`Storage::BackendOptions`: :zeek:type:`record` 
+                                                          
+                                                          :New Fields: :zeek:type:`Storage::BackendOptions`
+                                                          
+                                                            redis: :zeek:type:`Storage::Backend::Redis::Options` :zeek:attr:`&optional`
+========================================================= =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Storage::Backend::Redis::default_connect_timeout
+   :source-code: policy/frameworks/storage/backend/redis/main.zeek 10 10
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   Default value for connection attempt timeouts. This can be overridden
+   per-connection with the ``connect_timeout`` backend option.
+
+.. zeek:id:: Storage::Backend::Redis::default_operation_timeout
+   :source-code: policy/frameworks/storage/backend/redis/main.zeek 14 14
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 secs``
+
+   Default value for operation timeouts. This can be overridden per-connection
+   with the ``operation_timeout`` backend option.
+
+Types
+#####
+.. zeek:type:: Storage::Backend::Redis::Options
+   :source-code: policy/frameworks/storage/backend/redis/main.zeek 17 49
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: server_host :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: server_port :zeek:type:`port` :zeek:attr:`&default` = ``6379/tcp`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: server_unix_socket :zeek:type:`string` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: key_prefix :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+
+
+   .. zeek:field:: connect_timeout :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Storage::Backend::Redis::default_connect_timeout` :zeek:attr:`&optional`
+
+      Timeout for connection attempts to the backend. Connection attempts
+      that exceed this time will return
+      :zeek:see:`Storage::CONNECTION_FAILED`.
+
+
+   .. zeek:field:: operation_timeout :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Storage::Backend::Redis::default_operation_timeout` :zeek:attr:`&optional`
+
+      Timeout for operation requests sent to the backend. Operations that
+      exceed this time will return :zeek:see:`Storage::TIMEOUT`.
+
+
+   .. zeek:field:: username :zeek:type:`string` :zeek:attr:`&optional`
+
+      A username to use for authentication the server is protected by an ACL.
+
+
+   .. zeek:field:: password :zeek:type:`string` :zeek:attr:`&optional`
+
+      A username to use for authentication the server is protected by an ACL
+      or by a simple password.
+
+
+   Options record for the built-in Redis backend.
+
+
diff --git a/doc/scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek.rst b/doc/scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek.rst
new file mode 100644
index 0000000000..5c8e1c9060
--- /dev/null
+++ b/doc/scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/frameworks/storage/backend/sqlite/__load__.zeek
+======================================================
+
+
+:Imports: :doc:`policy/frameworks/storage/backend/sqlite/main.zeek </scripts/policy/frameworks/storage/backend/sqlite/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/frameworks/storage/backend/sqlite/index.rst b/doc/scripts/policy/frameworks/storage/backend/sqlite/index.rst
new file mode 100644
index 0000000000..c31713643f
--- /dev/null
+++ b/doc/scripts/policy/frameworks/storage/backend/sqlite/index.rst
@@ -0,0 +1,13 @@
+:orphan:
+
+Package: policy/frameworks/storage/backend/sqlite
+=================================================
+
+
+:doc:`/scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek`
+
+
+:doc:`/scripts/policy/frameworks/storage/backend/sqlite/main.zeek`
+
+   SQLite storage backend support
+
diff --git a/doc/scripts/policy/frameworks/storage/backend/sqlite/main.zeek.rst b/doc/scripts/policy/frameworks/storage/backend/sqlite/main.zeek.rst
new file mode 100644
index 0000000000..5b458a7f03
--- /dev/null
+++ b/doc/scripts/policy/frameworks/storage/backend/sqlite/main.zeek.rst
@@ -0,0 +1,91 @@
+:tocdepth: 3
+
+policy/frameworks/storage/backend/sqlite/main.zeek
+==================================================
+.. zeek:namespace:: Storage::Backend::SQLite
+
+SQLite storage backend support
+
+:Namespace: Storage::Backend::SQLite
+:Imports: :doc:`base/frameworks/storage/main.zeek </scripts/base/frameworks/storage/main.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+=================================================================== ===============================================
+:zeek:type:`Storage::Backend::SQLite::Options`: :zeek:type:`record` Options record for the built-in SQLite backend.
+=================================================================== ===============================================
+
+Redefinitions
+#############
+========================================================= ===============================================================================
+:zeek:type:`Storage::BackendOptions`: :zeek:type:`record` 
+                                                          
+                                                          :New Fields: :zeek:type:`Storage::BackendOptions`
+                                                          
+                                                            sqlite: :zeek:type:`Storage::Backend::SQLite::Options` :zeek:attr:`&optional`
+========================================================= ===============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Storage::Backend::SQLite::Options
+   :source-code: policy/frameworks/storage/backend/sqlite/main.zeek 9 50
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: database_path :zeek:type:`string`
+
+      Path to the database file on disk. Setting this to ":memory:" will tell
+      SQLite to use an in-memory database. Relative paths will be opened
+      relative to the directory where Zeek was started from. Zeek will not
+      create intermediate directories if they do not already exist. See
+      https://www.sqlite.org/c3ref/open.html for more rules on paths that can
+      be passed here.
+
+
+   .. zeek:field:: table_name :zeek:type:`string`
+
+      Name of the table used for storing data. It is possible to use the same
+      database file for two separate tables, as long as the this value is
+      different between the two.
+
+
+   .. zeek:field:: busy_timeout :zeek:type:`interval` :zeek:attr:`&default` = ``5.0 secs`` :zeek:attr:`&optional`
+
+      The timeout for the connection to the database. This is set
+      per-connection. It is equivalent to setting a ``busy_timeout`` pragma
+      value, but that value will be ignored in favor of this field.
+
+
+   .. zeek:field:: pragma_commands :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&ordered` :zeek:attr:`&default` = *...* :zeek:attr:`&optional`
+
+      Key/value table for passing pragma commands when opening the database.
+      These must be pairs that can be passed to the ``pragma`` command in
+      sqlite. The ``integrity_check`` pragma is run automatically and does
+      not need to be included here. For pragmas without a second argument,
+      set the value to an empty string. Setting the ``busy_timeout`` pragma
+      here will be ignored.
+
+
+   .. zeek:field:: pragma_timeout :zeek:type:`interval` :zeek:attr:`&default` = ``500.0 msecs`` :zeek:attr:`&optional`
+
+      The total amount of time that an SQLite backend will spend attempting
+      to run an individual pragma command before giving up and returning an
+      initialization error. Setting this to zero will result in the backend
+      attempting forever until success.
+
+
+   .. zeek:field:: pragma_wait_on_busy :zeek:type:`interval` :zeek:attr:`&default` = ``5.0 msecs`` :zeek:attr:`&optional`
+
+      The amount of time that at SQLite backend will wait between failures
+      to run an individual pragma command.
+
+
+   Options record for the built-in SQLite backend.
+
+
diff --git a/doc/scripts/policy/frameworks/telemetry/log.zeek.rst b/doc/scripts/policy/frameworks/telemetry/log.zeek.rst
new file mode 100644
index 0000000000..2682e4ecc7
--- /dev/null
+++ b/doc/scripts/policy/frameworks/telemetry/log.zeek.rst
@@ -0,0 +1,225 @@
+:tocdepth: 3
+
+policy/frameworks/telemetry/log.zeek
+====================================
+.. zeek:namespace:: Telemetry
+
+Implementation of a :file:`telemetry.log` and :file:`telemetry_histogram.log`
+file using metrics accessible via the Telemetry module.
+
+:Namespace: Telemetry
+:Imports: :doc:`base/frameworks/telemetry </scripts/base/frameworks/telemetry/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================= ===============================================================
+:zeek:id:`Telemetry::log_interval`: :zeek:type:`interval` :zeek:attr:`&redef` How often metrics are reported.
+:zeek:id:`Telemetry::log_prefixes`: :zeek:type:`set` :zeek:attr:`&redef`      Only metrics with prefixes in this set will be included in the
+                                                                              :file:`telemetry.log` and :file:`telemetry_histogram.log` files
+                                                                              by default.
+============================================================================= ===============================================================
+
+Types
+#####
+========================================================== =======================================================
+:zeek:type:`Telemetry::HistogramInfo`: :zeek:type:`record` Record type used for logging histogram metrics.
+:zeek:type:`Telemetry::Info`: :zeek:type:`record`          Record type used for logging counter and gauge metrics.
+========================================================== =======================================================
+
+Redefinitions
+#############
+======================================= =======================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`Telemetry::LOG`
+                                        
+                                        * :zeek:enum:`Telemetry::LOG_HISTOGRAM`
+======================================= =======================================
+
+Events
+######
+================================================================= =========================================================
+:zeek:id:`Telemetry::log_telemetry`: :zeek:type:`event`           Event triggered for every record in the stream.
+:zeek:id:`Telemetry::log_telemetry_histogram`: :zeek:type:`event` Event triggered for every record in the histogram stream.
+================================================================= =========================================================
+
+Hooks
+#####
+======================================================================== =======================================================
+:zeek:id:`Telemetry::log_policy`: :zeek:type:`Log::PolicyHook`           A default logging policy hook for the stream.
+:zeek:id:`Telemetry::log_policy_histogram`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the histogram stream.
+======================================================================== =======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Telemetry::log_interval
+   :source-code: policy/frameworks/telemetry/log.zeek 12 12
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min``
+
+   How often metrics are reported.
+
+.. zeek:id:: Telemetry::log_prefixes
+   :source-code: policy/frameworks/telemetry/log.zeek 23 23
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "process",
+            "zeek"
+         }
+
+
+   Only metrics with prefixes in this set will be included in the
+   :file:`telemetry.log` and :file:`telemetry_histogram.log` files
+   by default. Setting this option to an empty set includes all
+   prefixes.
+   
+   For more fine-grained customization, setting this option to an
+   empty set and implementing the :zeek:see:`Telemetry::log_policy`
+   and :zeek:see:`Telemetry::log_policy_histogram` hooks to filter
+   individual records is recommended.
+
+Types
+#####
+.. zeek:type:: Telemetry::HistogramInfo
+   :source-code: policy/frameworks/telemetry/log.zeek 51 78
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp of reporting.
+
+
+   .. zeek:field:: peer :zeek:type:`string` :zeek:attr:`&log`
+
+      Peer that generated this log.
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log`
+
+      The name of the metric.
+
+
+   .. zeek:field:: labels :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log`
+
+      The names of the individual labels.
+
+
+   .. zeek:field:: label_values :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log`
+
+      The values of the labels as listed in ``labels``.
+
+
+   .. zeek:field:: bounds :zeek:type:`vector` of :zeek:type:`double` :zeek:attr:`&log`
+
+      The bounds of the individual buckets
+
+
+   .. zeek:field:: values :zeek:type:`vector` of :zeek:type:`double` :zeek:attr:`&log`
+
+      The number of observations within each individual bucket.
+
+
+   .. zeek:field:: sum :zeek:type:`double` :zeek:attr:`&log`
+
+      The sum over all observations
+
+
+   .. zeek:field:: observations :zeek:type:`double` :zeek:attr:`&log`
+
+      The total number of observations.
+
+
+   Record type used for logging histogram metrics.
+
+.. zeek:type:: Telemetry::Info
+   :source-code: policy/frameworks/telemetry/log.zeek 26 48
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp of reporting.
+
+
+   .. zeek:field:: peer :zeek:type:`string` :zeek:attr:`&log`
+
+      Peer that generated this log.
+
+
+   .. zeek:field:: metric_type :zeek:type:`string` :zeek:attr:`&log`
+
+      Contains the value "counter" or "gauge" depending on
+      the underlying metric type.
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log`
+
+      The name of the metric.
+
+
+   .. zeek:field:: labels :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log`
+
+      The names of the individual labels.
+
+
+   .. zeek:field:: label_values :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log`
+
+      The values of the labels as listed in ``labels``.
+
+
+   .. zeek:field:: value :zeek:type:`double` :zeek:attr:`&log`
+
+      The value of this metric.
+
+
+   Record type used for logging counter and gauge metrics.
+
+Events
+######
+.. zeek:id:: Telemetry::log_telemetry
+   :source-code: policy/frameworks/telemetry/log.zeek 87 87
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Telemetry::Info`)
+
+   Event triggered for every record in the stream.
+
+.. zeek:id:: Telemetry::log_telemetry_histogram
+   :source-code: policy/frameworks/telemetry/log.zeek 90 90
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Telemetry::HistogramInfo`)
+
+   Event triggered for every record in the histogram stream.
+
+Hooks
+#####
+.. zeek:id:: Telemetry::log_policy
+   :source-code: policy/frameworks/telemetry/log.zeek 81 81
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+.. zeek:id:: Telemetry::log_policy_histogram
+   :source-code: policy/frameworks/telemetry/log.zeek 84 84
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the histogram stream.
+
+
diff --git a/doc/scripts/policy/integration/collective-intel/__load__.zeek.rst b/doc/scripts/policy/integration/collective-intel/__load__.zeek.rst
new file mode 100644
index 0000000000..0a79665486
--- /dev/null
+++ b/doc/scripts/policy/integration/collective-intel/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/integration/collective-intel/__load__.zeek
+=================================================
+
+
+:Imports: :doc:`policy/integration/collective-intel/main.zeek </scripts/policy/integration/collective-intel/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/integration/collective-intel/index.rst b/doc/scripts/policy/integration/collective-intel/index.rst
new file mode 100644
index 0000000000..9c76137919
--- /dev/null
+++ b/doc/scripts/policy/integration/collective-intel/index.rst
@@ -0,0 +1,16 @@
+:orphan:
+
+Package: policy/integration/collective-intel
+============================================
+
+The scripts in this module are for deeper integration with the
+Collective Intelligence Framework (CIF) since Zeek's Intel framework
+doesn't natively behave the same as CIF nor does it store and maintain
+the same data in all cases.
+
+:doc:`/scripts/policy/integration/collective-intel/__load__.zeek`
+
+
+:doc:`/scripts/policy/integration/collective-intel/main.zeek`
+
+
diff --git a/doc/scripts/policy/integration/collective-intel/main.zeek.rst b/doc/scripts/policy/integration/collective-intel/main.zeek.rst
new file mode 100644
index 0000000000..601f378536
--- /dev/null
+++ b/doc/scripts/policy/integration/collective-intel/main.zeek.rst
@@ -0,0 +1,93 @@
+:tocdepth: 3
+
+policy/integration/collective-intel/main.zeek
+=============================================
+.. zeek:namespace:: Intel
+
+
+:Namespace: Intel
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================ ========================================================
+:zeek:type:`Intel::CIF`: :zeek:type:`record` CIF record used for consistent formatting of CIF values.
+============================================ ========================================================
+
+Redefinitions
+#############
+================================================= ====================================================================================
+:zeek:type:`Intel::Info`: :zeek:type:`record`     
+                                                  
+                                                  :New Fields: :zeek:type:`Intel::Info`
+                                                  
+                                                    cif: :zeek:type:`Intel::CIF` :zeek:attr:`&log` :zeek:attr:`&optional`
+:zeek:type:`Intel::MetaData`: :zeek:type:`record` This file adds mapping between the Collective Intelligence Framework (CIF) and Zeek.
+                                                  
+                                                  :New Fields: :zeek:type:`Intel::MetaData`
+                                                  
+                                                    cif_tags: :zeek:type:`string` :zeek:attr:`&optional`
+                                                      Maps to the 'tags' fields in CIF
+                                                  
+                                                    cif_confidence: :zeek:type:`double` :zeek:attr:`&optional`
+                                                      Maps to the 'confidence' field in CIF
+                                                  
+                                                    cif_source: :zeek:type:`string` :zeek:attr:`&optional`
+                                                      Maps to the 'source' field in CIF
+                                                  
+                                                    cif_description: :zeek:type:`string` :zeek:attr:`&optional`
+                                                      Maps to the 'description' field in CIF
+                                                  
+                                                    cif_firstseen: :zeek:type:`string` :zeek:attr:`&optional`
+                                                      Maps to the 'firstseen' field in CIF
+                                                  
+                                                    cif_lastseen: :zeek:type:`string` :zeek:attr:`&optional`
+                                                      Maps to the 'lastseen' field in CIF
+================================================= ====================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: Intel::CIF
+   :source-code: policy/integration/collective-intel/main.zeek 24 37
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: tags :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      CIF tags observations, examples for tags are ``botnet`` or ``exploit``.
+
+
+   .. zeek:field:: confidence :zeek:type:`double` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      In CIF Confidence details the degree of certainty of a given observation.
+
+
+   .. zeek:field:: source :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Source given in CIF.
+
+
+   .. zeek:field:: description :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      description given in CIF.
+
+
+   .. zeek:field:: firstseen :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      First time the source observed the behavior.
+
+
+   .. zeek:field:: lastseen :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      Last time the source observed the behavior.
+
+
+   CIF record used for consistent formatting of CIF values.
+
+
diff --git a/doc/scripts/policy/misc/capture-loss.zeek.rst b/doc/scripts/policy/misc/capture-loss.zeek.rst
new file mode 100644
index 0000000000..55c009c217
--- /dev/null
+++ b/doc/scripts/policy/misc/capture-loss.zeek.rst
@@ -0,0 +1,161 @@
+:tocdepth: 3
+
+policy/misc/capture-loss.zeek
+=============================
+.. zeek:namespace:: CaptureLoss
+
+This script logs evidence regarding the degree to which the packet
+capture process suffers from measurement loss.
+The loss could be due to overload on the host or NIC performing
+the packet capture or it could even be beyond the host.  If you are
+capturing from a switch with a SPAN port, it's very possible that
+the switch itself could be overloaded and dropping packets.
+Reported loss is computed in terms of the number of "gap events" (ACKs
+for a sequence number that's above a gap).
+
+:Namespace: CaptureLoss
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+========================================================================================= =================================================================
+:zeek:id:`CaptureLoss::initial_watch_interval`: :zeek:type:`interval` :zeek:attr:`&redef` For faster feedback on cluster health, the first capture loss
+                                                                                          report is generated this many minutes after startup.
+:zeek:id:`CaptureLoss::minimum_acks`: :zeek:type:`count` :zeek:attr:`&redef`              The minimum number of ACKs expected for a single peer in a
+                                                                                          watch interval.
+:zeek:id:`CaptureLoss::too_much_loss`: :zeek:type:`double` :zeek:attr:`&redef`            The percentage of missed data that is considered "too much"
+                                                                                          when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be
+                                                                                          generated.
+:zeek:id:`CaptureLoss::watch_interval`: :zeek:type:`interval` :zeek:attr:`&redef`         The interval at which capture loss reports are created in a
+                                                                                          running cluster (that is, after the first report).
+========================================================================================= =================================================================
+
+Types
+#####
+=================================================== =
+:zeek:type:`CaptureLoss::Info`: :zeek:type:`record` 
+=================================================== =
+
+Redefinitions
+#############
+============================================ =============================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      
+                                             
+                                             * :zeek:enum:`CaptureLoss::LOG`
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`CaptureLoss::Too_Little_Traffic`:
+                                               Report if the traffic seen by a peer within a given watch
+                                               interval is less than :zeek:id:`CaptureLoss::minimum_acks`.
+                                             
+                                             * :zeek:enum:`CaptureLoss::Too_Much_Loss`:
+                                               Report if the detected capture loss exceeds the percentage
+                                               threshold defined in :zeek:id:`CaptureLoss::too_much_loss`.
+============================================ =============================================================
+
+Hooks
+#####
+================================================================ =
+:zeek:id:`CaptureLoss::log_policy`: :zeek:type:`Log::PolicyHook` 
+================================================================ =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: CaptureLoss::initial_watch_interval
+   :source-code: policy/misc/capture-loss.zeek 51 51
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 min``
+
+   For faster feedback on cluster health, the first capture loss
+   report is generated this many minutes after startup.
+
+.. zeek:id:: CaptureLoss::minimum_acks
+   :source-code: policy/misc/capture-loss.zeek 62 62
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1``
+
+   The minimum number of ACKs expected for a single peer in a
+   watch interval. If the number seen is less than this,
+   :zeek:enum:`CaptureLoss::Too_Little_Traffic` is raised.
+
+.. zeek:id:: CaptureLoss::too_much_loss
+   :source-code: policy/misc/capture-loss.zeek 57 57
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0.1``
+
+   The percentage of missed data that is considered "too much"
+   when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be
+   generated. The value is expressed as a double between 0 and 1 with 1
+   being 100%.
+
+.. zeek:id:: CaptureLoss::watch_interval
+   :source-code: policy/misc/capture-loss.zeek 47 47
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 mins``
+
+   The interval at which capture loss reports are created in a
+   running cluster (that is, after the first report).
+
+Types
+#####
+.. zeek:type:: CaptureLoss::Info
+   :source-code: policy/misc/capture-loss.zeek 28 43
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the measurement occurred.
+
+
+   .. zeek:field:: ts_delta :zeek:type:`interval` :zeek:attr:`&log`
+
+      The time delay between this measurement and the last.
+
+
+   .. zeek:field:: peer :zeek:type:`string` :zeek:attr:`&log`
+
+      In the event that there are multiple Zeek instances logging
+      to the same host, this distinguishes each peer with its
+      individual name.
+
+
+   .. zeek:field:: gaps :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of missed ACKs from the previous measurement interval.
+
+
+   .. zeek:field:: acks :zeek:type:`count` :zeek:attr:`&log`
+
+      Total number of ACKs seen in the previous measurement interval.
+
+
+   .. zeek:field:: percent_lost :zeek:type:`double` :zeek:attr:`&log`
+
+      Percentage of ACKs seen where the data being ACKed wasn't seen.
+
+
+
+Hooks
+#####
+.. zeek:id:: CaptureLoss::log_policy
+   :source-code: policy/misc/capture-loss.zeek 17 17
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/misc/detect-traceroute/__load__.zeek.rst b/doc/scripts/policy/misc/detect-traceroute/__load__.zeek.rst
new file mode 100644
index 0000000000..f27efcfcdc
--- /dev/null
+++ b/doc/scripts/policy/misc/detect-traceroute/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+policy/misc/detect-traceroute/__load__.zeek
+===========================================
+
+
+:Imports: :doc:`policy/misc/detect-traceroute/main.zeek </scripts/policy/misc/detect-traceroute/main.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/misc/detect-traceroute/index.rst b/doc/scripts/policy/misc/detect-traceroute/index.rst
new file mode 100644
index 0000000000..1f56b0cf15
--- /dev/null
+++ b/doc/scripts/policy/misc/detect-traceroute/index.rst
@@ -0,0 +1,17 @@
+:orphan:
+
+Package: policy/misc/detect-traceroute
+======================================
+
+Detect hosts that are running traceroute.
+
+:doc:`/scripts/policy/misc/detect-traceroute/__load__.zeek`
+
+
+:doc:`/scripts/policy/misc/detect-traceroute/main.zeek`
+
+   This script detects a large number of ICMP Time Exceeded messages heading
+   toward hosts that have sent low TTL packets. It generates a notice when the
+   number of ICMP Time Exceeded messages for a source-destination pair exceeds
+   a threshold.
+
diff --git a/doc/scripts/policy/misc/detect-traceroute/main.zeek.rst b/doc/scripts/policy/misc/detect-traceroute/main.zeek.rst
new file mode 100644
index 0000000000..5b8e4d6344
--- /dev/null
+++ b/doc/scripts/policy/misc/detect-traceroute/main.zeek.rst
@@ -0,0 +1,147 @@
+:tocdepth: 3
+
+policy/misc/detect-traceroute/main.zeek
+=======================================
+.. zeek:namespace:: Traceroute
+
+This script detects a large number of ICMP Time Exceeded messages heading
+toward hosts that have sent low TTL packets. It generates a notice when the
+number of ICMP Time Exceeded messages for a source-destination pair exceeds
+a threshold.
+
+:Namespace: Traceroute
+:Imports: :doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================================= ===================================================================
+:zeek:id:`Traceroute::icmp_time_exceeded_interval`: :zeek:type:`interval` :zeek:attr:`&redef` Interval at which to watch for the
+                                                                                              :zeek:id:`Traceroute::icmp_time_exceeded_threshold` variable to be
+                                                                                              crossed.
+:zeek:id:`Traceroute::icmp_time_exceeded_threshold`: :zeek:type:`double` :zeek:attr:`&redef`  Defines the threshold for ICMP Time Exceeded messages for a src-dst
+                                                                                              pair.
+:zeek:id:`Traceroute::require_low_ttl_packets`: :zeek:type:`bool` :zeek:attr:`&redef`         By default this script requires that any host detected running
+                                                                                              traceroutes first send low TTL packets (TTL < 10) to the traceroute
+                                                                                              destination host.
+============================================================================================= ===================================================================
+
+Types
+#####
+================================================== ======================================
+:zeek:type:`Traceroute::Info`: :zeek:type:`record` The log record for the traceroute log.
+================================================== ======================================
+
+Redefinitions
+#############
+============================================================================ =====================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                                      
+                                                                             
+                                                                             * :zeek:enum:`Traceroute::LOG`
+:zeek:type:`Notice::Type`: :zeek:type:`enum`                                 
+                                                                             
+                                                                             * :zeek:enum:`Traceroute::Detected`:
+                                                                               Indicates that a host was seen running traceroutes.
+:zeek:id:`Signatures::ignored_ids`: :zeek:type:`pattern` :zeek:attr:`&redef` 
+============================================================================ =====================================================
+
+Events
+######
+========================================================= =
+:zeek:id:`Traceroute::log_traceroute`: :zeek:type:`event` 
+========================================================= =
+
+Hooks
+#####
+=============================================================== =
+:zeek:id:`Traceroute::log_policy`: :zeek:type:`Log::PolicyHook` 
+=============================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: Traceroute::icmp_time_exceeded_interval
+   :source-code: policy/misc/detect-traceroute/main.zeek 41 41
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``3.0 mins``
+
+   Interval at which to watch for the
+   :zeek:id:`Traceroute::icmp_time_exceeded_threshold` variable to be
+   crossed.  At the end of each interval the counter is reset.
+
+.. zeek:id:: Traceroute::icmp_time_exceeded_threshold
+   :source-code: policy/misc/detect-traceroute/main.zeek 36 36
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``3.0``
+
+   Defines the threshold for ICMP Time Exceeded messages for a src-dst
+   pair.  This threshold only comes into play after a host is found to
+   be sending low TTL packets.
+
+.. zeek:id:: Traceroute::require_low_ttl_packets
+   :source-code: policy/misc/detect-traceroute/main.zeek 31 31
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   By default this script requires that any host detected running
+   traceroutes first send low TTL packets (TTL < 10) to the traceroute
+   destination host.  Changing this setting to F will relax the
+   detection a bit by solely relying on ICMP time-exceeded messages to
+   detect traceroute.
+
+Types
+#####
+.. zeek:type:: Traceroute::Info
+   :source-code: policy/misc/detect-traceroute/main.zeek 44 53
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp
+
+
+   .. zeek:field:: src :zeek:type:`addr` :zeek:attr:`&log`
+
+      Address initiating the traceroute.
+
+
+   .. zeek:field:: dst :zeek:type:`addr` :zeek:attr:`&log`
+
+      Destination address of the traceroute.
+
+
+   .. zeek:field:: proto :zeek:type:`string` :zeek:attr:`&log`
+
+      Protocol used for the traceroute.
+
+
+   The log record for the traceroute log.
+
+Events
+######
+.. zeek:id:: Traceroute::log_traceroute
+   :source-code: policy/misc/detect-traceroute/main.zeek 55 55
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Traceroute::Info`)
+
+
+Hooks
+#####
+.. zeek:id:: Traceroute::log_policy
+   :source-code: policy/misc/detect-traceroute/main.zeek 17 17
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/misc/dump-events.zeek.rst b/doc/scripts/policy/misc/dump-events.zeek.rst
new file mode 100644
index 0000000000..73c9a523c9
--- /dev/null
+++ b/doc/scripts/policy/misc/dump-events.zeek.rst
@@ -0,0 +1,70 @@
+:tocdepth: 3
+
+policy/misc/dump-events.zeek
+============================
+.. zeek:namespace:: DumpEvents
+
+This script dumps the events that Zeek raises out to standard output in a
+readable form. This is for debugging only and allows to understand events and
+their parameters as Zeek processes input. Note that it will show only events
+for which a handler is defined.
+
+:Namespace: DumpEvents
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+========================================================================== ===========================================================
+:zeek:id:`DumpEvents::include`: :zeek:type:`pattern` :zeek:attr:`&redef`   Only include events matching the given pattern into output.
+:zeek:id:`DumpEvents::include_args`: :zeek:type:`bool` :zeek:attr:`&redef` If true, include event arguments in output.
+========================================================================== ===========================================================
+
+Redefinable Options
+###################
+============================================================================= ================================================================
+:zeek:id:`DumpEvents::dump_all_events`: :zeek:type:`bool` :zeek:attr:`&redef` By default, only events that are handled in a script are dumped.
+============================================================================= ================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: DumpEvents::include
+   :source-code: policy/misc/dump-events.zeek 18 18
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?(.*)$?/
+
+
+   Only include events matching the given pattern into output. By default, the
+   pattern matches all events.
+
+.. zeek:id:: DumpEvents::include_args
+   :source-code: policy/misc/dump-events.zeek 10 10
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   If true, include event arguments in output.
+
+Redefinable Options
+###################
+.. zeek:id:: DumpEvents::dump_all_events
+   :source-code: policy/misc/dump-events.zeek 14 14
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   By default, only events that are handled in a script are dumped. Setting this option to true
+   will cause unhandled events to be dumped too.
+
+
diff --git a/doc/scripts/policy/misc/loaded-scripts.zeek.rst b/doc/scripts/policy/misc/loaded-scripts.zeek.rst
new file mode 100644
index 0000000000..a63f3b4d75
--- /dev/null
+++ b/doc/scripts/policy/misc/loaded-scripts.zeek.rst
@@ -0,0 +1,61 @@
+:tocdepth: 3
+
+policy/misc/loaded-scripts.zeek
+===============================
+.. zeek:namespace:: LoadedScripts
+
+Log the loaded scripts.
+
+:Namespace: LoadedScripts
+:Imports: :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+===================================================== =
+:zeek:type:`LoadedScripts::Info`: :zeek:type:`record` 
+===================================================== =
+
+Redefinitions
+#############
+======================================= =================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`LoadedScripts::LOG`
+======================================= =================================
+
+Hooks
+#####
+================================================================== =
+:zeek:id:`LoadedScripts::log_policy`: :zeek:type:`Log::PolicyHook` 
+================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: LoadedScripts::Info
+   :source-code: policy/misc/loaded-scripts.zeek 11 16
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log`
+
+      Name of the script loaded potentially with spaces included
+      before the file name to indicate load depth.  The convention
+      is two spaces per level of depth.
+
+
+
+Hooks
+#####
+.. zeek:id:: LoadedScripts::log_policy
+   :source-code: policy/misc/loaded-scripts.zeek 9 9
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/misc/profiling.zeek.rst b/doc/scripts/policy/misc/profiling.zeek.rst
new file mode 100644
index 0000000000..973ad4d185
--- /dev/null
+++ b/doc/scripts/policy/misc/profiling.zeek.rst
@@ -0,0 +1,25 @@
+:tocdepth: 3
+
+policy/misc/profiling.zeek
+==========================
+.. zeek:namespace:: Profiling
+
+Turns on profiling of Zeek resource consumption.
+
+:Namespace: Profiling
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=============================================================================== =================================================
+:zeek:id:`expensive_profiling_multiple`: :zeek:type:`count` :zeek:attr:`&redef` Set the expensive profiling interval (multiple of
+                                                                                :zeek:id:`profiling_interval`).
+:zeek:id:`profiling_file`: :zeek:type:`file` :zeek:attr:`&redef`                Set the profiling output file.
+:zeek:id:`profiling_interval`: :zeek:type:`interval` :zeek:attr:`&redef`        Set the cheap profiling interval.
+=============================================================================== =================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/misc/stats.zeek.rst b/doc/scripts/policy/misc/stats.zeek.rst
new file mode 100644
index 0000000000..4555dc32e9
--- /dev/null
+++ b/doc/scripts/policy/misc/stats.zeek.rst
@@ -0,0 +1,227 @@
+:tocdepth: 3
+
+policy/misc/stats.zeek
+======================
+.. zeek:namespace:: Stats
+
+Log memory/packet/lag statistics.
+
+:Namespace: Stats
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/telemetry </scripts/base/frameworks/telemetry/index>`, :doc:`base/utils/time.zeek </scripts/base/utils/time.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================ =============================
+:zeek:id:`Stats::report_interval`: :zeek:type:`interval` :zeek:attr:`&redef` How often stats are reported.
+============================================================================ =============================
+
+Types
+#####
+============================================= =
+:zeek:type:`Stats::Info`: :zeek:type:`record` 
+============================================= =
+
+Redefinitions
+#############
+======================================= =========================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`Stats::LOG`
+======================================= =========================
+
+Events
+######
+=============================================== ===============================================================
+:zeek:id:`Stats::log_stats`: :zeek:type:`event` Event to catch stats as they are written to the logging stream.
+=============================================== ===============================================================
+
+Hooks
+#####
+========================================================== =
+:zeek:id:`Stats::log_policy`: :zeek:type:`Log::PolicyHook` 
+========================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Stats::report_interval
+   :source-code: policy/misc/stats.zeek 15 15
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 mins``
+
+   How often stats are reported.
+
+Types
+#####
+.. zeek:type:: Stats::Info
+   :source-code: policy/misc/stats.zeek 17 86
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for the measurement.
+
+
+   .. zeek:field:: peer :zeek:type:`string` :zeek:attr:`&log`
+
+      Peer that generated this log.  Mostly for clusters.
+
+
+   .. zeek:field:: mem :zeek:type:`count` :zeek:attr:`&log`
+
+      Amount of memory currently in use in MB.
+
+
+   .. zeek:field:: pkts_proc :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of packets processed since the last stats interval.
+
+
+   .. zeek:field:: bytes_recv :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of bytes received since the last stats interval if
+      reading live traffic.
+
+
+   .. zeek:field:: pkts_dropped :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of packets dropped since the last stats interval if
+      reading live traffic.
+
+
+   .. zeek:field:: pkts_link :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of packets seen on the link since the last stats
+      interval if reading live traffic.
+
+
+   .. zeek:field:: pkt_lag :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Lag between the wall clock and packet timestamps if reading
+      live traffic.
+
+
+   .. zeek:field:: pkts_filtered :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Number of packets filtered from the link since the last
+      stats interval if reading live traffic.
+
+
+   .. zeek:field:: events_proc :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of events processed since the last stats interval.
+
+
+   .. zeek:field:: events_queued :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of events that have been queued since the last stats
+      interval.
+
+
+   .. zeek:field:: active_tcp_conns :zeek:type:`count` :zeek:attr:`&log`
+
+      TCP connections currently in memory.
+
+
+   .. zeek:field:: active_udp_conns :zeek:type:`count` :zeek:attr:`&log`
+
+      UDP connections currently in memory.
+
+
+   .. zeek:field:: active_icmp_conns :zeek:type:`count` :zeek:attr:`&log`
+
+      ICMP connections currently in memory.
+
+
+   .. zeek:field:: tcp_conns :zeek:type:`count` :zeek:attr:`&log`
+
+      TCP connections seen since last stats interval.
+
+
+   .. zeek:field:: udp_conns :zeek:type:`count` :zeek:attr:`&log`
+
+      UDP connections seen since last stats interval.
+
+
+   .. zeek:field:: icmp_conns :zeek:type:`count` :zeek:attr:`&log`
+
+      ICMP connections seen since last stats interval.
+
+
+   .. zeek:field:: timers :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of timers scheduled since last stats interval.
+
+
+   .. zeek:field:: active_timers :zeek:type:`count` :zeek:attr:`&log`
+
+      Current number of scheduled timers.
+
+
+   .. zeek:field:: files :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of files seen since last stats interval.
+
+
+   .. zeek:field:: active_files :zeek:type:`count` :zeek:attr:`&log`
+
+      Current number of files actively being seen.
+
+
+   .. zeek:field:: dns_requests :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of DNS requests seen since last stats interval.
+
+
+   .. zeek:field:: active_dns_requests :zeek:type:`count` :zeek:attr:`&log`
+
+      Current number of DNS requests awaiting a reply.
+
+
+   .. zeek:field:: reassem_tcp_size :zeek:type:`count` :zeek:attr:`&log`
+
+      Current size of TCP data in reassembly.
+
+
+   .. zeek:field:: reassem_file_size :zeek:type:`count` :zeek:attr:`&log`
+
+      Current size of File data in reassembly.
+
+
+   .. zeek:field:: reassem_frag_size :zeek:type:`count` :zeek:attr:`&log`
+
+      Current size of packet fragment data in reassembly.
+
+
+   .. zeek:field:: reassem_unknown_size :zeek:type:`count` :zeek:attr:`&log`
+
+      Current size of unknown data in reassembly (this is only PIA buffer right now).
+
+
+
+Events
+######
+.. zeek:id:: Stats::log_stats
+   :source-code: policy/misc/stats.zeek 89 89
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Stats::Info`)
+
+   Event to catch stats as they are written to the logging stream.
+
+Hooks
+#####
+.. zeek:id:: Stats::log_policy
+   :source-code: policy/misc/stats.zeek 12 12
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/misc/trim-trace-file.zeek.rst b/doc/scripts/policy/misc/trim-trace-file.zeek.rst
new file mode 100644
index 0000000000..d19faf38a1
--- /dev/null
+++ b/doc/scripts/policy/misc/trim-trace-file.zeek.rst
@@ -0,0 +1,57 @@
+:tocdepth: 3
+
+policy/misc/trim-trace-file.zeek
+================================
+.. zeek:namespace:: TrimTraceFile
+
+Deletes the ``-w`` tracefile at regular intervals and starts a new file
+from scratch.
+
+:Namespace: TrimTraceFile
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================== ================================================================
+:zeek:id:`TrimTraceFile::trim_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The interval between times that the output tracefile is rotated.
+================================================================================== ================================================================
+
+Events
+######
+================================================ ===================================================================
+:zeek:id:`TrimTraceFile::go`: :zeek:type:`event` This event can be generated externally to this script if on-demand
+                                                 tracefile rotation is required with the caveat that the script
+                                                 doesn't currently attempt to get back on schedule automatically and
+                                                 the next trim likely won't happen on the
+                                                 :zeek:id:`TrimTraceFile::trim_interval`.
+================================================ ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: TrimTraceFile::trim_interval
+   :source-code: policy/misc/trim-trace-file.zeek 8 8
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 mins``
+
+   The interval between times that the output tracefile is rotated.
+
+Events
+######
+.. zeek:id:: TrimTraceFile::go
+   :source-code: policy/misc/trim-trace-file.zeek 18 31
+
+   :Type: :zeek:type:`event` (first_trim: :zeek:type:`bool`)
+
+   This event can be generated externally to this script if on-demand
+   tracefile rotation is required with the caveat that the script
+   doesn't currently attempt to get back on schedule automatically and
+   the next trim likely won't happen on the
+   :zeek:id:`TrimTraceFile::trim_interval`.
+
+
diff --git a/doc/scripts/policy/misc/unknown-protocols.zeek.rst b/doc/scripts/policy/misc/unknown-protocols.zeek.rst
new file mode 100644
index 0000000000..49ddfb2cf6
--- /dev/null
+++ b/doc/scripts/policy/misc/unknown-protocols.zeek.rst
@@ -0,0 +1,92 @@
+:tocdepth: 3
+
+policy/misc/unknown-protocols.zeek
+==================================
+.. zeek:namespace:: UnknownProtocol
+
+This script logs information about packet protocols that Zeek doesn't
+know how to process. Mostly these come from packet analysis plugins when
+they attempt to forward to the next analyzer, but they also can originate
+from non-packet analyzers.
+
+:Namespace: UnknownProtocol
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Types
+#####
+======================================================= =
+:zeek:type:`UnknownProtocol::Info`: :zeek:type:`record` 
+======================================================= =
+
+Redefinitions
+#############
+======================================= ===================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`UnknownProtocol::LOG`
+======================================= ===================================
+
+Hooks
+#####
+==================================================================== =
+:zeek:id:`UnknownProtocol::log_policy`: :zeek:type:`Log::PolicyHook` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: UnknownProtocol::Info
+   :source-code: policy/misc/unknown-protocols.zeek 15 38
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for when the measurement occurred.
+
+
+   .. zeek:field:: analyzer :zeek:type:`string` :zeek:attr:`&log`
+
+      The string name of the analyzer attempting to forward the protocol.
+
+
+   .. zeek:field:: protocol_id :zeek:type:`string` :zeek:attr:`&log`
+
+      The identifier of the protocol being forwarded in hex notation.
+
+
+   .. zeek:field:: protocol_id_num :zeek:type:`count`
+
+      The identifier of the protocol being forwarded as count.
+      Note: The count value is not logged by default. It is provided for
+      easy access in log policy hooks.
+
+
+   .. zeek:field:: first_bytes :zeek:type:`string` :zeek:attr:`&log`
+
+      A certain number of bytes at the start of the unknown protocol's
+      header.
+
+
+   .. zeek:field:: analyzer_history :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log`
+
+      The chain of packet analyzers that processed the packet up to this
+      point. This includes the history of encapsulating packets in case
+      of tunneling.
+
+
+
+Hooks
+#####
+.. zeek:id:: UnknownProtocol::log_policy
+   :source-code: policy/misc/unknown-protocols.zeek 13 13
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/misc/weird-stats.zeek.rst b/doc/scripts/policy/misc/weird-stats.zeek.rst
new file mode 100644
index 0000000000..d744fb10a3
--- /dev/null
+++ b/doc/scripts/policy/misc/weird-stats.zeek.rst
@@ -0,0 +1,101 @@
+:tocdepth: 3
+
+policy/misc/weird-stats.zeek
+============================
+.. zeek:namespace:: SumStats
+.. zeek:namespace:: WeirdStats
+
+Log weird statistics.
+
+:Namespaces: SumStats, WeirdStats
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+===================================================================================== =============================
+:zeek:id:`WeirdStats::weird_stat_interval`: :zeek:type:`interval` :zeek:attr:`&redef` How often stats are reported.
+===================================================================================== =============================
+
+Types
+#####
+================================================== =
+:zeek:type:`WeirdStats::Info`: :zeek:type:`record` 
+================================================== =
+
+Redefinitions
+#############
+======================================= ==============================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`WeirdStats::LOG`
+======================================= ==============================
+
+Events
+######
+========================================================== =
+:zeek:id:`WeirdStats::log_weird_stats`: :zeek:type:`event` 
+========================================================== =
+
+Hooks
+#####
+=============================================================== =
+:zeek:id:`WeirdStats::log_policy`: :zeek:type:`Log::PolicyHook` 
+=============================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: WeirdStats::weird_stat_interval
+   :source-code: policy/misc/weird-stats.zeek 14 14
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 mins``
+
+   How often stats are reported.
+
+Types
+#####
+.. zeek:type:: WeirdStats::Info
+   :source-code: policy/misc/weird-stats.zeek 16 23
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for the measurement.
+
+
+   .. zeek:field:: name :zeek:type:`string` :zeek:attr:`&log`
+
+      Name of the weird.
+
+
+   .. zeek:field:: num_seen :zeek:type:`count` :zeek:attr:`&log`
+
+      Number of times weird was seen since the last stats interval.
+
+
+
+Events
+######
+.. zeek:id:: WeirdStats::log_weird_stats
+   :source-code: policy/misc/weird-stats.zeek 25 25
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`WeirdStats::Info`)
+
+
+Hooks
+#####
+.. zeek:id:: WeirdStats::log_policy
+   :source-code: policy/misc/weird-stats.zeek 11 11
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/protocols/conn/community-id-logging.zeek.rst b/doc/scripts/policy/protocols/conn/community-id-logging.zeek.rst
new file mode 100644
index 0000000000..0638c6e2eb
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/community-id-logging.zeek.rst
@@ -0,0 +1,52 @@
+:tocdepth: 3
+
+policy/protocols/conn/community-id-logging.zeek
+===============================================
+.. zeek:namespace:: CommunityID
+
+Adds community hash IDs to conn.log.
+
+:Namespace: CommunityID
+:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================== =
+:zeek:id:`CommunityID::do_base64`: :zeek:type:`bool` :zeek:attr:`&redef` 
+:zeek:id:`CommunityID::seed`: :zeek:type:`count` :zeek:attr:`&redef`     
+======================================================================== =
+
+Redefinitions
+#############
+============================================ ============================================================================
+:zeek:type:`Conn::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`Conn::Info`
+                                             
+                                               community_id: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+============================================ ============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: CommunityID::do_base64
+   :source-code: policy/protocols/conn/community-id-logging.zeek 12 12
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+
+.. zeek:id:: CommunityID::seed
+   :source-code: policy/protocols/conn/community-id-logging.zeek 8 8
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+
+
diff --git a/doc/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek.rst b/doc/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek.rst
new file mode 100644
index 0000000000..f912dbd0da
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek.rst
@@ -0,0 +1,22 @@
+:tocdepth: 3
+
+policy/protocols/conn/disable-unknown-ip-proto-support.zeek
+===========================================================
+
+This script filters the ip_proto field out of the conn.log and disables
+logging of connections with unknown IP protocols.
+
+:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ =
+:zeek:type:`Conn::Info`: :zeek:type:`record` 
+============================================ =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/conn/failed-service-logging.zeek.rst b/doc/scripts/policy/protocols/conn/failed-service-logging.zeek.rst
new file mode 100644
index 0000000000..334e71f067
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/failed-service-logging.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+policy/protocols/conn/failed-service-logging.zeek
+=================================================
+.. zeek:namespace:: Conn
+
+This script adds the new column ``failed_service`` to the connection log.
+The column contains the list of protocols in a connection that raised protocol
+violations causing the analyzer to be removed. Protocols are listed in order
+that they were removed.
+
+:Namespace: Conn
+:Imports: :doc:`base/frameworks/analyzer/dpd.zeek </scripts/base/frameworks/analyzer/dpd.zeek>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ =======================================================================================================================
+:zeek:type:`Conn::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`Conn::Info`
+                                             
+                                               failed_service: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional` :zeek:attr:`&ordered`
+                                                 List of analyzers in a connection that raised violations
+                                                 causing their removal.
+============================================ =======================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/conn/ip-proto-name-logging.zeek.rst b/doc/scripts/policy/protocols/conn/ip-proto-name-logging.zeek.rst
new file mode 100644
index 0000000000..780ec19dce
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/ip-proto-name-logging.zeek.rst
@@ -0,0 +1,30 @@
+:tocdepth: 3
+
+policy/protocols/conn/ip-proto-name-logging.zeek
+================================================
+.. zeek:namespace:: Conn
+
+This script adds a string version of the ip_proto field. It's not recommended
+to load this policy and the ip_proto removal policy at the same time, as
+conn.log will end up with useless information in the log from this field.
+
+:Namespace: Conn
+:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ =============================================================================
+:zeek:type:`Conn::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`Conn::Info`
+                                             
+                                               ip_proto_name: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 A string version of the ip_proto field
+============================================ =============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/conn/known-hosts.zeek.rst b/doc/scripts/policy/protocols/conn/known-hosts.zeek.rst
new file mode 100644
index 0000000000..27204dab49
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/known-hosts.zeek.rst
@@ -0,0 +1,214 @@
+:tocdepth: 3
+
+policy/protocols/conn/known-hosts.zeek
+======================================
+.. zeek:namespace:: Known
+
+This script logs hosts that Zeek determines have performed complete TCP
+handshakes and logs the address once per day (by default).  The log that
+is output provides an easy way to determine a count of the IP addresses in
+use on a network per day.
+
+:Namespace: Known
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=============================================================================== =======================================================
+:zeek:id:`Known::host_store_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The timeout interval to use for operations against
+                                                                                :zeek:see:`Known::host_store`.
+:zeek:id:`Known::host_tracking`: :zeek:type:`Host` :zeek:attr:`&redef`          The hosts whose existence should be logged and tracked.
+=============================================================================== =======================================================
+
+Redefinable Options
+###################
+============================================================================== ====================================================================
+:zeek:id:`Known::host_store_expiry`: :zeek:type:`interval` :zeek:attr:`&redef` The expiry interval of new entries in :zeek:see:`Known::host_store`.
+:zeek:id:`Known::host_store_name`: :zeek:type:`string` :zeek:attr:`&redef`     The Broker topic name to use for :zeek:see:`Known::host_store`.
+:zeek:id:`Known::use_host_store`: :zeek:type:`bool` :zeek:attr:`&redef`        Toggles between different implementations of this script.
+============================================================================== ====================================================================
+
+State Variables
+###############
+======================================================================================================= ================================================================
+:zeek:id:`Known::host_store`: :zeek:type:`Cluster::StoreInfo`                                           Holds the set of all known hosts.
+:zeek:id:`Known::hosts`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef` The set of all known addresses to store for preventing duplicate
+                                                                                                        logging of addresses.
+======================================================================================================= ================================================================
+
+Types
+#####
+================================================== ========================================================================
+:zeek:type:`Known::HostsInfo`: :zeek:type:`record` The record type which contains the column fields of the known-hosts log.
+================================================== ========================================================================
+
+Redefinitions
+#############
+======================================= ==========================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` The known-hosts logging stream identifier.
+                                        
+                                        * :zeek:enum:`Known::HOSTS_LOG`
+======================================= ==========================================
+
+Events
+######
+===================================================== ========================================================================
+:zeek:id:`Known::log_known_hosts`: :zeek:type:`event` An event that can be handled to access the :zeek:type:`Known::HostsInfo`
+                                                      record as it is sent on to the logging framework.
+===================================================== ========================================================================
+
+Hooks
+#####
+================================================================ =============================================
+:zeek:id:`Known::log_policy_hosts`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+================================================================ =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Known::host_store_timeout
+   :source-code: policy/protocols/conn/known-hosts.zeek 50 50
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 secs``
+
+   The timeout interval to use for operations against
+   :zeek:see:`Known::host_store`.
+
+.. zeek:id:: Known::host_tracking
+   :source-code: policy/protocols/conn/known-hosts.zeek 35 35
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LOCAL_HOSTS``
+   :Redefinition: from :doc:`/scripts/policy/tuning/track-all-assets.zeek`
+
+      ``=``::
+
+         ALL_HOSTS
+
+
+   The hosts whose existence should be logged and tracked.
+   See :zeek:type:`Host` for possible choices.
+
+Redefinable Options
+###################
+.. zeek:id:: Known::host_store_expiry
+   :source-code: policy/protocols/conn/known-hosts.zeek 46 46
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 day``
+
+   The expiry interval of new entries in :zeek:see:`Known::host_store`.
+   This also changes the interval at which hosts get logged.
+
+.. zeek:id:: Known::host_store_name
+   :source-code: policy/protocols/conn/known-hosts.zeek 42 42
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/known/hosts"``
+
+   The Broker topic name to use for :zeek:see:`Known::host_store`.
+
+.. zeek:id:: Known::use_host_store
+   :source-code: policy/protocols/conn/known-hosts.zeek 31 31
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Toggles between different implementations of this script.
+   When true, use a Broker data store, else use a regular Zeek set
+   with keys uniformly distributed over proxy nodes in cluster
+   operation.
+
+State Variables
+###############
+.. zeek:id:: Known::host_store
+   :source-code: policy/protocols/conn/known-hosts.zeek 39 39
+
+   :Type: :zeek:type:`Cluster::StoreInfo`
+   :Default:
+
+      ::
+
+         {
+            name=<uninitialized>
+            store=<uninitialized>
+            master_node=""
+            master=F
+            backend=Broker::MEMORY
+            options=[sqlite=[path="", synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]]
+            clone_resync_interval=10.0 secs
+            clone_stale_interval=5.0 mins
+            clone_mutation_buffer_interval=2.0 mins
+         }
+
+
+   Holds the set of all known hosts.  Keys in the store are addresses
+   and their associated value will always be the "true" boolean.
+
+.. zeek:id:: Known::hosts
+   :source-code: policy/protocols/conn/known-hosts.zeek 60 60
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`]
+   :Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   The set of all known addresses to store for preventing duplicate
+   logging of addresses.  It can also be used from other scripts to
+   inspect if an address has been seen in use.
+   Maintain the list of known hosts for 24 hours so that the existence
+   of each individual address is logged each day.
+   
+   In cluster operation, this set is distributed uniformly across
+   proxy nodes.
+
+Types
+#####
+.. zeek:type:: Known::HostsInfo
+   :source-code: policy/protocols/conn/known-hosts.zeek 19 25
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The timestamp at which the host was detected.
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
+
+      The address that was detected originating or responding to a
+      TCP connection.
+
+
+   The record type which contains the column fields of the known-hosts log.
+
+Events
+######
+.. zeek:id:: Known::log_known_hosts
+   :source-code: policy/protocols/conn/known-hosts.zeek 64 64
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Known::HostsInfo`)
+
+   An event that can be handled to access the :zeek:type:`Known::HostsInfo`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Known::log_policy_hosts
+   :source-code: policy/protocols/conn/known-hosts.zeek 16 16
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/policy/protocols/conn/known-services.zeek.rst b/doc/scripts/policy/protocols/conn/known-services.zeek.rst
new file mode 100644
index 0000000000..1863281714
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/known-services.zeek.rst
@@ -0,0 +1,349 @@
+:tocdepth: 3
+
+policy/protocols/conn/known-services.zeek
+=========================================
+.. zeek:namespace:: Known
+
+This script logs and tracks active services.  For this script, an active
+service is defined as an IP address and port of a server for which
+a TCP handshake (SYN+ACK) is observed, assumed to have been done in the
+past (started seeing packets mid-connection, but the server is actively
+sending data), or sent at least one UDP packet.
+If a protocol name is found/known for service, that will be logged,
+but services whose names can't be determined are also still logged.
+
+:Namespace: Known
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/storage/async.zeek </scripts/base/frameworks/storage/async.zeek>`, :doc:`base/frameworks/storage/sync.zeek </scripts/base/frameworks/storage/sync.zeek>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`, :doc:`policy/frameworks/storage/backend/sqlite </scripts/policy/frameworks/storage/backend/sqlite/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+====================================================================================== ========================================================================
+:zeek:id:`Known::service_store_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`     The timeout interval to use for operations against
+                                                                                       :zeek:see:`Known::service_broker_store` and
+                                                                                       :zeek:see:`Known::service_store_backend`.
+:zeek:id:`Known::service_tracking`: :zeek:type:`Host` :zeek:attr:`&redef`              The hosts whose services should be tracked and logged.
+:zeek:id:`Known::service_udp_requires_response`: :zeek:type:`bool` :zeek:attr:`&redef` Require UDP server to respond before considering it an "active service".
+====================================================================================== ========================================================================
+
+Redefinable Options
+###################
+========================================================================================================= =============================================================================
+:zeek:id:`Known::service_store_backend_options`: :zeek:type:`Storage::BackendOptions` :zeek:attr:`&redef` The options for the service store.
+:zeek:id:`Known::service_store_backend_type`: :zeek:type:`Storage::Backend` :zeek:attr:`&redef`           The type of storage backend to open.
+:zeek:id:`Known::service_store_expiry`: :zeek:type:`interval` :zeek:attr:`&redef`                         The expiry interval of new entries in :zeek:see:`Known::service_broker_store`
+                                                                                                          and :zeek:see:`Known::service_store_backend`.
+:zeek:id:`Known::service_store_name`: :zeek:type:`string` :zeek:attr:`&redef`                             The Broker topic name to use for :zeek:see:`Known::service_broker_store`.
+:zeek:id:`Known::service_store_prefix`: :zeek:type:`string` :zeek:attr:`&redef`                           The name to use for :zeek:see:`Known::service_store_backend`.
+:zeek:id:`Known::use_service_store`: :zeek:type:`bool` :zeek:attr:`&redef`                                Toggles between different implementations of this script.
+:zeek:id:`Known::use_storage_framework`: :zeek:type:`bool` :zeek:attr:`&redef`                            Switches to the version of this script that uses the storage
+                                                                                                          framework instead of Broker stores.
+========================================================================================================= =============================================================================
+
+State Variables
+###############
+======================================================================================== ========================================================================
+:zeek:id:`Known::service_broker_store`: :zeek:type:`Cluster::StoreInfo`                  Storage configuration for Broker stores
+                                                                                         Holds the set of all known services.
+:zeek:id:`Known::service_store_backend`: :zeek:type:`opaque`                             Storage configuration for storage framework stores
+                                                                                         This requires setting a configuration in local.zeek that sets the
+                                                                                         Known::use_storage_framework boolean to T, and optionally sets different
+                                                                                         values in the Known::service_store_backend_options record.
+:zeek:id:`Known::services`: :zeek:type:`table` :zeek:attr:`&create_expire` = ``1.0 day`` Tracks the set of daily-detected services for preventing the logging
+                                                                                         of duplicates, but can also be inspected by other scripts for
+                                                                                         different purposes.
+======================================================================================== ========================================================================
+
+Types
+#####
+============================================================ ======================================================================
+:zeek:type:`Known::AddrPortServTriplet`: :zeek:type:`record` 
+:zeek:type:`Known::ServicesInfo`: :zeek:type:`record`        The record type which contains the column fields of the known-services
+                                                             log.
+============================================================ ======================================================================
+
+Redefinitions
+#############
+============================================ =============================================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`      The known-services logging stream identifier.
+                                             
+                                             * :zeek:enum:`Known::SERVICES_LOG`
+:zeek:type:`connection`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`connection`
+                                             
+                                               known_services_done: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+============================================ =============================================================================================
+
+Events
+######
+======================================================== ========================================================================
+:zeek:id:`Known::log_known_services`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`Known::ServicesInfo`
+                                                         record as it is sent on to the logging framework.
+======================================================== ========================================================================
+
+Hooks
+#####
+=================================================================== =============================================
+:zeek:id:`Known::log_policy_services`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
+=================================================================== =============================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Known::service_store_timeout
+   :source-code: policy/protocols/conn/known-services.zeek 104 104
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 secs``
+
+   The timeout interval to use for operations against
+   :zeek:see:`Known::service_broker_store` and
+   :zeek:see:`Known::service_store_backend`.
+
+.. zeek:id:: Known::service_tracking
+   :source-code: policy/protocols/conn/known-services.zeek 56 56
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LOCAL_HOSTS``
+   :Redefinition: from :doc:`/scripts/policy/tuning/track-all-assets.zeek`
+
+      ``=``::
+
+         ALL_HOSTS
+
+
+   The hosts whose services should be tracked and logged.
+   See :zeek:type:`Host` for possible choices.
+
+.. zeek:id:: Known::service_udp_requires_response
+   :source-code: policy/protocols/conn/known-services.zeek 52 52
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Require UDP server to respond before considering it an "active service".
+
+Redefinable Options
+###################
+.. zeek:id:: Known::service_store_backend_options
+   :source-code: policy/protocols/conn/known-services.zeek 93 93
+
+   :Type: :zeek:type:`Storage::BackendOptions`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            serializer=Storage::STORAGE_SERIALIZER_JSON
+            forced_sync=F
+            redis=<uninitialized>
+            sqlite=[database_path=":memory:", table_name="zeek/known/services", busy_timeout=5.0 secs, pragma_commands={
+               ["integrity_check"] = "",
+               ["journal_mode"] = "WAL",
+               ["synchronous"] = "normal",
+               ["temp_store"] = "memory"
+            }, pragma_timeout=500.0 msecs, pragma_wait_on_busy=5.0 msecs]
+         }
+
+
+   The options for the service store. This should be redef'd in local.zeek to set
+   connection information for the backend. The options default to a memory store.
+
+.. zeek:id:: Known::service_store_backend_type
+   :source-code: policy/protocols/conn/known-services.zeek 89 89
+
+   :Type: :zeek:type:`Storage::Backend`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``Storage::STORAGE_BACKEND_SQLITE``
+
+   The type of storage backend to open.
+
+.. zeek:id:: Known::service_store_expiry
+   :source-code: policy/protocols/conn/known-services.zeek 99 99
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 day``
+
+   The expiry interval of new entries in :zeek:see:`Known::service_broker_store`
+   and :zeek:see:`Known::service_store_backend`.  This also changes the interval
+   at which services get logged.
+
+.. zeek:id:: Known::service_store_name
+   :source-code: policy/protocols/conn/known-services.zeek 72 72
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/known/services"``
+
+   The Broker topic name to use for :zeek:see:`Known::service_broker_store`.
+
+.. zeek:id:: Known::service_store_prefix
+   :source-code: policy/protocols/conn/known-services.zeek 86 86
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeekknownservices"``
+
+   The name to use for :zeek:see:`Known::service_store_backend`. This will be used
+   by the backends to differentiate tables/keys. This should be alphanumeric so
+   that it can be used as the table name for the storage framework.
+
+.. zeek:id:: Known::use_service_store
+   :source-code: policy/protocols/conn/known-services.zeek 44 44
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Toggles between different implementations of this script.
+   When true, use a Broker data store, else use a regular Zeek set
+   with keys uniformly distributed over proxy nodes in cluster
+   operation.
+
+.. zeek:id:: Known::use_storage_framework
+   :source-code: policy/protocols/conn/known-services.zeek 49 49
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Switches to the version of this script that uses the storage
+   framework instead of Broker stores. This will default to ``T``
+   in v8.1.
+
+State Variables
+###############
+.. zeek:id:: Known::service_broker_store
+   :source-code: policy/protocols/conn/known-services.zeek 69 69
+
+   :Type: :zeek:type:`Cluster::StoreInfo`
+   :Default:
+
+      ::
+
+         {
+            name=<uninitialized>
+            store=<uninitialized>
+            master_node=""
+            master=F
+            backend=Broker::MEMORY
+            options=[sqlite=[path="", synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]]
+            clone_resync_interval=10.0 secs
+            clone_stale_interval=5.0 mins
+            clone_mutation_buffer_interval=2.0 mins
+         }
+
+
+   Storage configuration for Broker stores
+   Holds the set of all known services.  Keys in the store are
+   :zeek:type:`Known::AddrPortServTriplet` and their associated value is
+   always the boolean value of "true".
+
+.. zeek:id:: Known::service_store_backend
+   :source-code: policy/protocols/conn/known-services.zeek 81 81
+
+   :Type: :zeek:type:`opaque` of Storage::BackendHandle
+
+   Storage configuration for storage framework stores
+   This requires setting a configuration in local.zeek that sets the
+   Known::use_storage_framework boolean to T, and optionally sets different
+   values in the Known::service_store_backend_options record.
+   Backend to use for storing known services data using the storage framework.
+
+.. zeek:id:: Known::services
+   :source-code: policy/protocols/conn/known-services.zeek 114 114
+
+   :Type: :zeek:type:`table` [:zeek:type:`addr`, :zeek:type:`port`] of :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&create_expire` = ``1.0 day``
+   :Default: ``{}``
+
+   Tracks the set of daily-detected services for preventing the logging
+   of duplicates, but can also be inspected by other scripts for
+   different purposes.
+   
+   In cluster operation, this table is uniformly distributed across
+   proxy nodes.
+   
+   This table is automatically populated and shouldn't be directly modified.
+
+Types
+#####
+.. zeek:type:: Known::AddrPortServTriplet
+   :source-code: policy/protocols/conn/known-services.zeek 58 62
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: host :zeek:type:`addr`
+
+
+   .. zeek:field:: p :zeek:type:`port`
+
+
+   .. zeek:field:: serv :zeek:type:`string`
+
+
+
+.. zeek:type:: Known::ServicesInfo
+   :source-code: policy/protocols/conn/known-services.zeek 27 38
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The time at which the service was detected.
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
+
+      The host address on which the service is running.
+
+
+   .. zeek:field:: port_num :zeek:type:`port` :zeek:attr:`&log`
+
+      The port number on which the service is running.
+
+
+   .. zeek:field:: port_proto :zeek:type:`transport_proto` :zeek:attr:`&log`
+
+      The transport-layer protocol which the service uses.
+
+
+   .. zeek:field:: service :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log`
+
+      A set of protocols that match the service's connection payloads.
+
+
+   The record type which contains the column fields of the known-services
+   log.
+
+Events
+######
+.. zeek:id:: Known::log_known_services
+   :source-code: policy/protocols/conn/known-services.zeek 118 118
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Known::ServicesInfo`)
+
+   Event that can be handled to access the :zeek:type:`Known::ServicesInfo`
+   record as it is sent on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Known::log_policy_services
+   :source-code: policy/protocols/conn/known-services.zeek 23 23
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+   A default logging policy hook for the stream.
+
+
diff --git a/doc/scripts/policy/protocols/conn/mac-logging.zeek.rst b/doc/scripts/policy/protocols/conn/mac-logging.zeek.rst
new file mode 100644
index 0000000000..10feff434b
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/mac-logging.zeek.rst
@@ -0,0 +1,31 @@
+:tocdepth: 3
+
+policy/protocols/conn/mac-logging.zeek
+======================================
+.. zeek:namespace:: Conn
+
+This script adds link-layer address (MAC) information to the connection logs
+
+:Namespace: Conn
+:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ============================================================================
+:zeek:type:`Conn::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`Conn::Info`
+                                             
+                                               orig_l2_addr: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 Link-layer address of the originator, if available.
+                                             
+                                               resp_l2_addr: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 Link-layer address of the responder, if available.
+============================================ ============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek.rst b/doc/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek.rst
new file mode 100644
index 0000000000..2cbec5ca67
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek.rst
@@ -0,0 +1,28 @@
+:tocdepth: 3
+
+policy/protocols/conn/pppoe-session-id-logging.zeek
+===================================================
+.. zeek:namespace:: Conn
+
+This script adds PPPoE session ID information to the connection log.
+
+:Namespace: Conn
+:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ===============================================================================
+:zeek:type:`Conn::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`Conn::Info`
+                                             
+                                               pppoe_session_id: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 The PPPoE session id, if applicable for this connection.
+============================================ ===============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/conn/speculative-service.zeek.rst b/doc/scripts/policy/protocols/conn/speculative-service.zeek.rst
new file mode 100644
index 0000000000..070ef4c37b
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/speculative-service.zeek.rst
@@ -0,0 +1,37 @@
+:tocdepth: 3
+
+policy/protocols/conn/speculative-service.zeek
+==============================================
+.. zeek:namespace:: Conn
+
+This script adds information about matched DPD signatures to the connection
+log.
+
+:Namespace: Conn
+:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+========================================================================== =====================================================================================================================
+:zeek:type:`Conn::Info`: :zeek:type:`record`                               
+                                                                           
+                                                                           :New Fields: :zeek:type:`Conn::Info`
+                                                                           
+                                                                             speculative_service: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                               Protocol that was determined by a matching signature after the beginning
+                                                                               of a connection.
+:zeek:type:`connection`: :zeek:type:`record`                               
+                                                                           
+                                                                           :New Fields: :zeek:type:`connection`
+                                                                           
+                                                                             speculative_service: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+:zeek:id:`dpd_late_match_stop`: :zeek:type:`bool` :zeek:attr:`&redef`      
+:zeek:id:`dpd_match_only_beginning`: :zeek:type:`bool` :zeek:attr:`&redef` 
+========================================================================== =====================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/conn/vlan-logging.zeek.rst b/doc/scripts/policy/protocols/conn/vlan-logging.zeek.rst
new file mode 100644
index 0000000000..18b0fe9367
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/vlan-logging.zeek.rst
@@ -0,0 +1,31 @@
+:tocdepth: 3
+
+policy/protocols/conn/vlan-logging.zeek
+=======================================
+.. zeek:namespace:: Conn
+
+This script adds VLAN information to the connection log.
+
+:Namespace: Conn
+:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ =======================================================================
+:zeek:type:`Conn::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`Conn::Info`
+                                             
+                                               vlan: :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 The outer VLAN for this connection, if applicable.
+                                             
+                                               inner_vlan: :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 The inner VLAN for this connection, if applicable.
+============================================ =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/conn/weirds.zeek.rst b/doc/scripts/policy/protocols/conn/weirds.zeek.rst
new file mode 100644
index 0000000000..8b16956358
--- /dev/null
+++ b/doc/scripts/policy/protocols/conn/weirds.zeek.rst
@@ -0,0 +1,33 @@
+:tocdepth: 3
+
+policy/protocols/conn/weirds.zeek
+=================================
+.. zeek:namespace:: Conn
+
+This script handles core generated connection related "weird" events to
+push weird information about connections into the weird framework.
+For live operational deployments, this can frequently cause load issues
+due to large numbers of these events and quite possibly shouldn't be
+loaded.
+
+:Namespace: Conn
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ===================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`Conn::Content_Gap`:
+                                               Data has sequence hole; perhaps due to filtering.
+                                             
+                                             * :zeek:enum:`Conn::Retransmission_Inconsistency`:
+                                               Possible evasion; usually just chud.
+============================================ ===================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/dhcp/msg-orig.zeek.rst b/doc/scripts/policy/protocols/dhcp/msg-orig.zeek.rst
new file mode 100644
index 0000000000..e863fe20e9
--- /dev/null
+++ b/doc/scripts/policy/protocols/dhcp/msg-orig.zeek.rst
@@ -0,0 +1,32 @@
+:tocdepth: 3
+
+policy/protocols/dhcp/msg-orig.zeek
+===================================
+.. zeek:namespace:: DHCP
+
+Add a field that logs the order of hosts sending messages
+using the same DHCP transaction ID.  This information is
+occasionally needed on some networks to fully explain the
+DHCP sequence.
+
+:Namespace: DHCP
+:Imports: :doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ============================================================================================================================
+:zeek:type:`DHCP::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`DHCP::Info`
+                                             
+                                               msg_orig: :zeek:type:`vector` of :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+                                                 The address that originated each message from the
+                                                 `msg_types` field.
+============================================ ============================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/dhcp/software.zeek.rst b/doc/scripts/policy/protocols/dhcp/software.zeek.rst
new file mode 100644
index 0000000000..d70788016e
--- /dev/null
+++ b/doc/scripts/policy/protocols/dhcp/software.zeek.rst
@@ -0,0 +1,38 @@
+:tocdepth: 3
+
+policy/protocols/dhcp/software.zeek
+===================================
+.. zeek:namespace:: DHCP
+
+Software identification and extraction for DHCP traffic.
+
+:Namespace: DHCP
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== ===============================================================================
+:zeek:type:`DHCP::Info`: :zeek:type:`record`   
+                                               
+                                               :New Fields: :zeek:type:`DHCP::Info`
+                                               
+                                                 client_software: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                   Software reported by the client in the `vendor_class` option.
+                                               
+                                                 server_software: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                   Software reported by the server in the `vendor_class` option.
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`DHCP::CLIENT`:
+                                                 Identifier for web browsers in the software framework.
+                                               
+                                               * :zeek:enum:`DHCP::SERVER`:
+                                                 Identifier for web servers in the software framework.
+============================================== ===============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/dhcp/sub-opts.zeek.rst b/doc/scripts/policy/protocols/dhcp/sub-opts.zeek.rst
new file mode 100644
index 0000000000..3ab210c2b9
--- /dev/null
+++ b/doc/scripts/policy/protocols/dhcp/sub-opts.zeek.rst
@@ -0,0 +1,38 @@
+:tocdepth: 3
+
+policy/protocols/dhcp/sub-opts.zeek
+===================================
+.. zeek:namespace:: DHCP
+
+
+:Namespace: DHCP
+:Imports: :doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ===============================================================================
+:zeek:type:`DHCP::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`DHCP::Info`
+                                             
+                                               circuit_id: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 Added by DHCP relay agents which terminate switched or
+                                                 permanent circuits.
+                                             
+                                               agent_remote_id: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 A globally unique identifier added by relay agents to identify
+                                                 the remote host end of the circuit.
+                                             
+                                               subscriber_id: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 The subscriber ID is a value independent of the physical
+                                                 network configuration so that a customer's DHCP configuration
+                                                 can be given to them correctly no matter where they are
+                                                 physically connected.
+============================================ ===============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/dns/auth-addl.zeek.rst b/doc/scripts/policy/protocols/dns/auth-addl.zeek.rst
new file mode 100644
index 0000000000..6ba3807332
--- /dev/null
+++ b/doc/scripts/policy/protocols/dns/auth-addl.zeek.rst
@@ -0,0 +1,36 @@
+:tocdepth: 3
+
+policy/protocols/dns/auth-addl.zeek
+===================================
+.. zeek:namespace:: DNS
+
+This script adds authoritative and additional responses for the current
+query to the DNS log.  It can cause severe overhead due to the need
+for all authoritative and additional responses to have events generated.
+This script is not recommended for use on heavily loaded links.
+
+:Namespace: DNS
+:Imports: :doc:`base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=================================================================== =======================================================================================
+:zeek:type:`DNS::Info`: :zeek:type:`record`                         
+                                                                    
+                                                                    :New Fields: :zeek:type:`DNS::Info`
+                                                                    
+                                                                      auth: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                        Authoritative responses for the query.
+                                                                    
+                                                                      addl: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                        Additional responses for the query.
+:zeek:id:`dns_skip_all_addl`: :zeek:type:`bool` :zeek:attr:`&redef` 
+:zeek:id:`dns_skip_all_auth`: :zeek:type:`bool` :zeek:attr:`&redef` 
+=================================================================== =======================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/dns/detect-external-names.zeek.rst b/doc/scripts/policy/protocols/dns/detect-external-names.zeek.rst
new file mode 100644
index 0000000000..74950af98c
--- /dev/null
+++ b/doc/scripts/policy/protocols/dns/detect-external-names.zeek.rst
@@ -0,0 +1,55 @@
+:tocdepth: 3
+
+policy/protocols/dns/detect-external-names.zeek
+===============================================
+.. zeek:namespace:: DNS
+
+This script detects names which are not within zones considered to be
+local but resolving to addresses considered local.
+The :zeek:id:`Site::local_zones` variable **must** be set appropriately for
+this detection.
+
+:Namespace: DNS
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=============================================================================== =====================================
+:zeek:id:`DNS::skip_resp_host_port_pairs`: :zeek:type:`set` :zeek:attr:`&redef` Default is to ignore mDNS broadcasts.
+=============================================================================== =====================================
+
+Redefinitions
+#############
+============================================ ===========================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`DNS::External_Name`:
+                                               Raised when a non-local name is found to be pointing at a
+                                               local host.
+============================================ ===========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: DNS::skip_resp_host_port_pairs
+   :source-code: policy/protocols/dns/detect-external-names.zeek 20 20
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`port`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            [224.0.0.251, 5353/udp] ,
+            [ff02::fb, 5353/udp] 
+         }
+
+
+   Default is to ignore mDNS broadcasts.
+
+
diff --git a/doc/scripts/policy/protocols/dns/log-original-query-case.zeek.rst b/doc/scripts/policy/protocols/dns/log-original-query-case.zeek.rst
new file mode 100644
index 0000000000..3cba82ec85
--- /dev/null
+++ b/doc/scripts/policy/protocols/dns/log-original-query-case.zeek.rst
@@ -0,0 +1,29 @@
+:tocdepth: 3
+
+policy/protocols/dns/log-original-query-case.zeek
+=================================================
+.. zeek:namespace:: DNS
+
+This script adds the query with its original letter casing
+to the DNS log.
+
+:Namespace: DNS
+:Imports: :doc:`base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=========================================== ==============================================================================
+:zeek:type:`DNS::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`DNS::Info`
+                                            
+                                              original_query: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Query with original letter casing
+=========================================== ==============================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ftp/detect-bruteforcing.zeek.rst b/doc/scripts/policy/protocols/ftp/detect-bruteforcing.zeek.rst
new file mode 100644
index 0000000000..0448bcc81f
--- /dev/null
+++ b/doc/scripts/policy/protocols/ftp/detect-bruteforcing.zeek.rst
@@ -0,0 +1,59 @@
+:tocdepth: 3
+
+policy/protocols/ftp/detect-bruteforcing.zeek
+=============================================
+.. zeek:namespace:: FTP
+
+FTP brute-forcing detector, triggering when too many rejected usernames or
+failed passwords have occurred from a single address.
+
+:Namespace: FTP
+:Imports: :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`, :doc:`base/utils/time.zeek </scripts/base/utils/time.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+========================================================================================== ==================================================================
+:zeek:id:`FTP::bruteforce_measurement_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The time period in which the threshold needs to be crossed before
+                                                                                           being reset.
+:zeek:id:`FTP::bruteforce_threshold`: :zeek:type:`double` :zeek:attr:`&redef`              How many rejected usernames or passwords are required before being
+                                                                                           considered to be bruteforcing.
+========================================================================================== ==================================================================
+
+Redefinitions
+#############
+============================================ ==============================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`FTP::Bruteforcing`:
+                                               Indicates a host bruteforcing FTP logins by watching for too
+                                               many rejected usernames or failed passwords.
+============================================ ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: FTP::bruteforce_measurement_interval
+   :source-code: policy/protocols/ftp/detect-bruteforcing.zeek 24 24
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 mins``
+
+   The time period in which the threshold needs to be crossed before
+   being reset.
+
+.. zeek:id:: FTP::bruteforce_threshold
+   :source-code: policy/protocols/ftp/detect-bruteforcing.zeek 20 20
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``20.0``
+
+   How many rejected usernames or passwords are required before being
+   considered to be bruteforcing.
+
+
diff --git a/doc/scripts/policy/protocols/ftp/detect.zeek.rst b/doc/scripts/policy/protocols/ftp/detect.zeek.rst
new file mode 100644
index 0000000000..085f2355d9
--- /dev/null
+++ b/doc/scripts/policy/protocols/ftp/detect.zeek.rst
@@ -0,0 +1,27 @@
+:tocdepth: 3
+
+policy/protocols/ftp/detect.zeek
+================================
+.. zeek:namespace:: FTP
+
+Detect various potentially bad FTP activities.
+
+:Namespace: FTP
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ =======================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`FTP::Site_Exec_Success`:
+                                               Indicates that a successful response to a "SITE EXEC"
+                                               command/arg pair was seen.
+============================================ =======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ftp/software.zeek.rst b/doc/scripts/policy/protocols/ftp/software.zeek.rst
new file mode 100644
index 0000000000..fc05f24b39
--- /dev/null
+++ b/doc/scripts/policy/protocols/ftp/software.zeek.rst
@@ -0,0 +1,29 @@
+:tocdepth: 3
+
+policy/protocols/ftp/software.zeek
+==================================
+.. zeek:namespace:: FTP
+
+Software detection with the FTP protocol.
+
+:Namespace: FTP
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== =======================================================
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`FTP::CLIENT`:
+                                                 Identifier for FTP clients in the software framework.
+                                               
+                                               * :zeek:enum:`FTP::SERVER`:
+                                                 Not currently implemented.
+============================================== =======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/http/detect-sql-injection.zeek.rst b/doc/scripts/policy/protocols/http/detect-sql-injection.zeek.rst
new file mode 100644
index 0000000000..8e07c998bc
--- /dev/null
+++ b/doc/scripts/policy/protocols/http/detect-sql-injection.zeek.rst
@@ -0,0 +1,111 @@
+:tocdepth: 3
+
+policy/protocols/http/detect-sql-injection.zeek
+===============================================
+.. zeek:namespace:: HTTP
+
+SQL injection attack detection in HTTP.
+
+The script annotates the notices it generates with an associated $uid
+connection identifier; always provides an attacker IP address in the
+$src field; and always provides a victim IP address in the $dst field.
+
+:Namespace: HTTP
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+================================================================================== ================================================================
+:zeek:id:`HTTP::match_sql_injection_uri`: :zeek:type:`pattern` :zeek:attr:`&redef` Regular expression is used to match URI based SQL injections.
+:zeek:id:`HTTP::sqli_requests_interval`: :zeek:type:`interval` :zeek:attr:`&redef` Interval at which to watch for the
+                                                                                   :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
+:zeek:id:`HTTP::sqli_requests_threshold`: :zeek:type:`double` :zeek:attr:`&redef`  Defines the threshold that determines if an SQL injection attack
+                                                                                   is ongoing based on the number of requests that appear to be SQL
+                                                                                   injection attacks.
+================================================================================== ================================================================
+
+Redefinitions
+#############
+======================================================= ==============================================================
+:zeek:type:`HTTP::Tags`: :zeek:type:`enum`              
+                                                        
+                                                        * :zeek:enum:`HTTP::URI_SQLI`:
+                                                          Indicator of a URI based SQL injection attack.
+:zeek:type:`Notice::Type`: :zeek:type:`enum`            
+                                                        
+                                                        * :zeek:enum:`HTTP::SQL_Injection_Attacker`:
+                                                          Indicates that a host performing SQL injection attacks was
+                                                          detected.
+                                                        
+                                                        * :zeek:enum:`HTTP::SQL_Injection_Victim`:
+                                                          Indicates that a host was seen to have SQL injection attacks
+                                                          against it.
+:zeek:type:`SumStats::Observation`: :zeek:type:`record` 
+                                                        
+                                                        :New Fields: :zeek:type:`SumStats::Observation`
+                                                        
+                                                          uid: :zeek:type:`string` :zeek:attr:`&optional`
+======================================================= ==============================================================
+
+Hooks
+#####
+=============================================== =======================================================================
+:zeek:id:`HTTP::sqli_policy`: :zeek:type:`hook` A hook that can be used to prevent specific requests from being counted
+                                                as an injection attempt.
+=============================================== =======================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: HTTP::match_sql_injection_uri
+   :source-code: policy/protocols/http/detect-sql-injection.zeek 41 41
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?(((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?(having|union|exec|select|delete|drop|declare|create|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+)$?))|((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+(x?or|n?and)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+'?(([^a-zA-Z&]+)?=|exists))$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?convert|cast))$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*(x?or|n?and|having|union|exec|select|delete|drop|declare|create|regexp|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,})$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?(char|ascii|substring|truncate|version|length)\()$?)))$?)|(^?(\/\*![[:digit:]]{5}.*?\*\/)$?))$?/
+
+
+   Regular expression is used to match URI based SQL injections.
+
+.. zeek:id:: HTTP::sqli_requests_interval
+   :source-code: policy/protocols/http/detect-sql-injection.zeek 38 38
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 mins``
+
+   Interval at which to watch for the
+   :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
+   At the end of each interval the counter is reset.
+
+.. zeek:id:: HTTP::sqli_requests_threshold
+   :source-code: policy/protocols/http/detect-sql-injection.zeek 33 33
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``50.0``
+
+   Defines the threshold that determines if an SQL injection attack
+   is ongoing based on the number of requests that appear to be SQL
+   injection attacks.
+
+Hooks
+#####
+.. zeek:id:: HTTP::sqli_policy
+   :source-code: policy/protocols/http/detect-sql-injection.zeek 52 52
+
+   :Type: :zeek:type:`hook` (c: :zeek:type:`connection`, method: :zeek:type:`string`, unescaped_URI: :zeek:type:`string`) : :zeek:type:`bool`
+
+   A hook that can be used to prevent specific requests from being counted
+   as an injection attempt.  Use a 'break' statement to exit the hook
+   early and ignore the request.
+
+
diff --git a/doc/scripts/policy/protocols/http/detect-webapps.zeek.rst b/doc/scripts/policy/protocols/http/detect-webapps.zeek.rst
new file mode 100644
index 0000000000..c0dafdf63f
--- /dev/null
+++ b/doc/scripts/policy/protocols/http/detect-webapps.zeek.rst
@@ -0,0 +1,33 @@
+:tocdepth: 3
+
+policy/protocols/http/detect-webapps.zeek
+=========================================
+.. zeek:namespace:: HTTP
+
+Detect and log web applications through the software framework.
+
+:Namespace: HTTP
+:Imports: :doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================================================ ===================================================================
+:zeek:id:`Signatures::ignored_ids`: :zeek:type:`pattern` :zeek:attr:`&redef` 
+:zeek:type:`Software::Info`: :zeek:type:`record`                             
+                                                                             
+                                                                             :New Fields: :zeek:type:`Software::Info`
+                                                                             
+                                                                               url: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                                                 Most root URL where the software was discovered.
+:zeek:type:`Software::Type`: :zeek:type:`enum`                               
+                                                                             
+                                                                             * :zeek:enum:`HTTP::WEB_APPLICATION`:
+                                                                               Identifier for web applications in the software framework.
+============================================================================ ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/http/header-names.zeek.rst b/doc/scripts/policy/protocols/http/header-names.zeek.rst
new file mode 100644
index 0000000000..046f584765
--- /dev/null
+++ b/doc/scripts/policy/protocols/http/header-names.zeek.rst
@@ -0,0 +1,60 @@
+:tocdepth: 3
+
+policy/protocols/http/header-names.zeek
+=======================================
+.. zeek:namespace:: HTTP
+
+Extract and include the header names used for each request in the HTTP
+logging stream.  The headers in the logging stream will be stored in the
+same order which they were seen on the wire.
+
+:Namespace: HTTP
+:Imports: :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=============================================================================== =====================================================================
+:zeek:id:`HTTP::log_client_header_names`: :zeek:type:`bool` :zeek:attr:`&redef` A boolean value to determine if client header names are to be logged.
+:zeek:id:`HTTP::log_server_header_names`: :zeek:type:`bool` :zeek:attr:`&redef` A boolean value to determine if server header names are to be logged.
+=============================================================================== =====================================================================
+
+Redefinitions
+#############
+============================================ ==========================================================================================================
+:zeek:type:`HTTP::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`HTTP::Info`
+                                             
+                                               client_header_names: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 The vector of HTTP header names sent by the client.
+                                             
+                                               server_header_names: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 The vector of HTTP header names sent by the server.
+============================================ ==========================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: HTTP::log_client_header_names
+   :source-code: policy/protocols/http/header-names.zeek 21 21
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   A boolean value to determine if client header names are to be logged.
+
+.. zeek:id:: HTTP::log_server_header_names
+   :source-code: policy/protocols/http/header-names.zeek 24 24
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   A boolean value to determine if server header names are to be logged.
+
+
diff --git a/doc/scripts/policy/protocols/http/software-browser-plugins.zeek.rst b/doc/scripts/policy/protocols/http/software-browser-plugins.zeek.rst
new file mode 100644
index 0000000000..250595bb4b
--- /dev/null
+++ b/doc/scripts/policy/protocols/http/software-browser-plugins.zeek.rst
@@ -0,0 +1,36 @@
+:tocdepth: 3
+
+policy/protocols/http/software-browser-plugins.zeek
+===================================================
+.. zeek:namespace:: HTTP
+
+Detect browser plugins as they leak through requests to Omniture
+advertising servers.
+
+:Namespace: HTTP
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== ==================================================================================
+:zeek:type:`HTTP::Info`: :zeek:type:`record`   
+                                               
+                                               :New Fields: :zeek:type:`HTTP::Info`
+                                               
+                                                 omniture: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                   Indicates if the server is an omniture advertising server.
+                                               
+                                                 flash_version: :zeek:type:`string` :zeek:attr:`&optional`
+                                                   The unparsed Flash version, if detected.
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`HTTP::BROWSER_PLUGIN`:
+                                                 Identifier for browser plugins in the software framework.
+============================================== ==================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/http/software.zeek.rst b/doc/scripts/policy/protocols/http/software.zeek.rst
new file mode 100644
index 0000000000..4f20f0f422
--- /dev/null
+++ b/doc/scripts/policy/protocols/http/software.zeek.rst
@@ -0,0 +1,54 @@
+:tocdepth: 3
+
+policy/protocols/http/software.zeek
+===================================
+.. zeek:namespace:: HTTP
+
+Software identification and extraction for HTTP traffic.
+
+:Namespace: HTTP
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================== ===============================================================
+:zeek:id:`HTTP::ignored_user_agents`: :zeek:type:`pattern` :zeek:attr:`&redef` The pattern of HTTP User-Agents which you would like to ignore.
+============================================================================== ===============================================================
+
+Redefinitions
+#############
+============================================== ========================================================
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`HTTP::APPSERVER`:
+                                                 Identifier for app servers in the software framework.
+                                               
+                                               * :zeek:enum:`HTTP::BROWSER`:
+                                                 Identifier for web browsers in the software framework.
+                                               
+                                               * :zeek:enum:`HTTP::SERVER`:
+                                                 Identifier for web servers in the software framework.
+============================================== ========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: HTTP::ignored_user_agents
+   :source-code: policy/protocols/http/software.zeek 18 18
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?(NO_DEFAULT)$?/
+
+
+   The pattern of HTTP User-Agents which you would like to ignore.
+
+
diff --git a/doc/scripts/policy/protocols/http/var-extraction-cookies.zeek.rst b/doc/scripts/policy/protocols/http/var-extraction-cookies.zeek.rst
new file mode 100644
index 0000000000..7924e2efe4
--- /dev/null
+++ b/doc/scripts/policy/protocols/http/var-extraction-cookies.zeek.rst
@@ -0,0 +1,28 @@
+:tocdepth: 3
+
+policy/protocols/http/var-extraction-cookies.zeek
+=================================================
+.. zeek:namespace:: HTTP
+
+Extracts and logs variable names from cookies sent by clients.
+
+:Namespace: HTTP
+:Imports: :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ==================================================================================================
+:zeek:type:`HTTP::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`HTTP::Info`
+                                             
+                                               cookie_vars: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                 Variable names extracted from all cookies.
+============================================ ==================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/http/var-extraction-uri.zeek.rst b/doc/scripts/policy/protocols/http/var-extraction-uri.zeek.rst
new file mode 100644
index 0000000000..a5c27fb4ef
--- /dev/null
+++ b/doc/scripts/policy/protocols/http/var-extraction-uri.zeek.rst
@@ -0,0 +1,29 @@
+:tocdepth: 3
+
+policy/protocols/http/var-extraction-uri.zeek
+=============================================
+.. zeek:namespace:: HTTP
+
+Extracts and logs variables from the requested URI in the default HTTP
+logging stream.
+
+:Namespace: HTTP
+:Imports: :doc:`base/protocols/http </scripts/base/protocols/http/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ===============================================================================================
+:zeek:type:`HTTP::Info`: :zeek:type:`record` 
+                                             
+                                             :New Fields: :zeek:type:`HTTP::Info`
+                                             
+                                               uri_vars: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                 Variable names from the URI.
+============================================ ===============================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/krb/ticket-logging.zeek.rst b/doc/scripts/policy/protocols/krb/ticket-logging.zeek.rst
new file mode 100644
index 0000000000..4d94ae8628
--- /dev/null
+++ b/doc/scripts/policy/protocols/krb/ticket-logging.zeek.rst
@@ -0,0 +1,31 @@
+:tocdepth: 3
+
+policy/protocols/krb/ticket-logging.zeek
+========================================
+.. zeek:namespace:: KRB
+
+Add Kerberos ticket hashes to the krb.log
+
+:Namespace: KRB
+:Imports: :doc:`base/protocols/krb </scripts/base/protocols/krb/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=========================================== ===========================================================================
+:zeek:type:`KRB::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`KRB::Info`
+                                            
+                                              auth_ticket: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Hash of ticket used to authorize request/transaction
+                                            
+                                              new_ticket: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Hash of ticket returned by the KDC
+=========================================== ===========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/modbus/known-masters-slaves.zeek.rst b/doc/scripts/policy/protocols/modbus/known-masters-slaves.zeek.rst
new file mode 100644
index 0000000000..ccf32f5c57
--- /dev/null
+++ b/doc/scripts/policy/protocols/modbus/known-masters-slaves.zeek.rst
@@ -0,0 +1,118 @@
+:tocdepth: 3
+
+policy/protocols/modbus/known-masters-slaves.zeek
+=================================================
+.. zeek:namespace:: Known
+
+Script for tracking known Modbus masters and slaves.
+
+.. todo:: This script needs a lot of work.  What might be more interesting
+         is to track master/slave relationships based on commands sent and
+         successful (non-exception) responses.
+
+:Namespace: Known
+:Imports: :doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
+
+Summary
+~~~~~~~
+State Variables
+###############
+============================================================================================================== ===============================
+:zeek:id:`Known::modbus_nodes`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef` The Modbus nodes being tracked.
+============================================================================================================== ===============================
+
+Types
+#####
+======================================================= =
+:zeek:type:`Known::ModbusDeviceType`: :zeek:type:`enum` 
+:zeek:type:`Known::ModbusInfo`: :zeek:type:`record`     
+======================================================= =
+
+Redefinitions
+#############
+======================================= ================================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`Known::MODBUS_LOG`
+======================================= ================================
+
+Events
+######
+====================================================== =====================================================================
+:zeek:id:`Known::log_known_modbus`: :zeek:type:`event` Event that can be handled to access the loggable record as it is sent
+                                                       on to the logging framework.
+====================================================== =====================================================================
+
+Hooks
+#####
+================================================================= =
+:zeek:id:`Known::log_policy_modbus`: :zeek:type:`Log::PolicyHook` 
+================================================================= =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+State Variables
+###############
+.. zeek:id:: Known::modbus_nodes
+   :source-code: policy/protocols/modbus/known-masters-slaves.zeek 31 31
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`Known::ModbusDeviceType`]
+   :Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   The Modbus nodes being tracked.
+
+Types
+#####
+.. zeek:type:: Known::ModbusDeviceType
+   :source-code: policy/protocols/modbus/known-masters-slaves.zeek 16 20
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: Known::MODBUS_MASTER Known::ModbusDeviceType
+
+      .. zeek:enum:: Known::MODBUS_SLAVE Known::ModbusDeviceType
+
+
+.. zeek:type:: Known::ModbusInfo
+   :source-code: policy/protocols/modbus/known-masters-slaves.zeek 21 28
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The time the device was discovered.
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
+
+      The IP address of the host.
+
+
+   .. zeek:field:: device_type :zeek:type:`Known::ModbusDeviceType` :zeek:attr:`&log`
+
+      The type of device being tracked.
+
+
+
+Events
+######
+.. zeek:id:: Known::log_known_modbus
+   :source-code: policy/protocols/modbus/known-masters-slaves.zeek 35 35
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Known::ModbusInfo`)
+
+   Event that can be handled to access the loggable record as it is sent
+   on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Known::log_policy_modbus
+   :source-code: policy/protocols/modbus/known-masters-slaves.zeek 14 14
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/protocols/modbus/track-memmap.zeek.rst b/doc/scripts/policy/protocols/modbus/track-memmap.zeek.rst
new file mode 100644
index 0000000000..8ce3b0a3bf
--- /dev/null
+++ b/doc/scripts/policy/protocols/modbus/track-memmap.zeek.rst
@@ -0,0 +1,170 @@
+:tocdepth: 3
+
+policy/protocols/modbus/track-memmap.zeek
+=========================================
+.. zeek:namespace:: Modbus
+
+This script tracks the memory map of holding (read/write) registers and logs
+changes as they are discovered.
+
+.. todo:: Not all register read and write functions are supported yet.
+
+:Namespace: Modbus
+:Imports: :doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+====================================================================== ==================================================
+:zeek:id:`Modbus::track_memmap`: :zeek:type:`Host` :zeek:attr:`&redef` The hosts that should have memory mapping enabled.
+====================================================================== ==================================================
+
+State Variables
+###############
+======================================================= =======================================================
+:zeek:id:`Modbus::device_registers`: :zeek:type:`table` The memory map of slaves is tracked with this variable.
+======================================================= =======================================================
+
+Types
+#####
+======================================================= =====================================================================
+:zeek:type:`Modbus::MemmapInfo`: :zeek:type:`record`    
+:zeek:type:`Modbus::RegisterValue`: :zeek:type:`record` 
+:zeek:type:`Modbus::Registers`: :zeek:type:`table`      Indexed on the device register value and yielding the register value.
+======================================================= =====================================================================
+
+Redefinitions
+#############
+============================================== ========================================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`        
+                                               
+                                               * :zeek:enum:`Modbus::REGISTER_CHANGE_LOG`
+:zeek:type:`Modbus::Info`: :zeek:type:`record` 
+                                               
+                                               :New Fields: :zeek:type:`Modbus::Info`
+                                               
+                                                 track_address: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+============================================== ========================================================================================
+
+Events
+######
+======================================================= =====================================================================
+:zeek:id:`Modbus::changed_register`: :zeek:type:`event` This event is generated every time a register is seen to be different
+                                                        than it was previously seen to be.
+======================================================= =====================================================================
+
+Hooks
+#####
+=========================================================================== =
+:zeek:id:`Modbus::log_policy_register_change`: :zeek:type:`Log::PolicyHook` 
+=========================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Modbus::track_memmap
+   :source-code: policy/protocols/modbus/track-memmap.zeek 17 17
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``ALL_HOSTS``
+
+   The hosts that should have memory mapping enabled.
+
+State Variables
+###############
+.. zeek:id:: Modbus::device_registers
+   :source-code: policy/protocols/modbus/track-memmap.zeek 46 46
+
+   :Type: :zeek:type:`table` [:zeek:type:`addr`] of :zeek:type:`Modbus::Registers`
+   :Default: ``{}``
+
+   The memory map of slaves is tracked with this variable.
+
+Types
+#####
+.. zeek:type:: Modbus::MemmapInfo
+   :source-code: policy/protocols/modbus/track-memmap.zeek 19 35
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      Timestamp for the detected register change.
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+      Unique ID for the connection.
+
+
+   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
+
+      Connection ID.
+
+
+   .. zeek:field:: register :zeek:type:`count` :zeek:attr:`&log`
+
+      The device memory offset.
+
+
+   .. zeek:field:: old_val :zeek:type:`count` :zeek:attr:`&log`
+
+      The old value stored in the register.
+
+
+   .. zeek:field:: new_val :zeek:type:`count` :zeek:attr:`&log`
+
+      The new value stored in the register.
+
+
+   .. zeek:field:: delta :zeek:type:`interval` :zeek:attr:`&log`
+
+      The time delta between when the *old_val* and *new_val* were
+      seen.
+
+
+
+.. zeek:type:: Modbus::RegisterValue
+   :source-code: policy/protocols/modbus/track-memmap.zeek 37 40
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: last_set :zeek:type:`time`
+
+
+   .. zeek:field:: value :zeek:type:`count`
+
+
+
+.. zeek:type:: Modbus::Registers
+   :source-code: policy/protocols/modbus/track-memmap.zeek 43 43
+
+   :Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`Modbus::RegisterValue`
+
+   Indexed on the device register value and yielding the register value.
+
+Events
+######
+.. zeek:id:: Modbus::changed_register
+   :source-code: policy/protocols/modbus/track-memmap.zeek 103 108
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, register: :zeek:type:`count`, old_val: :zeek:type:`count`, new_val: :zeek:type:`count`, delta: :zeek:type:`interval`)
+
+   This event is generated every time a register is seen to be different
+   than it was previously seen to be.
+
+Hooks
+#####
+.. zeek:id:: Modbus::log_policy_register_change
+   :source-code: policy/protocols/modbus/track-memmap.zeek 14 14
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/protocols/mysql/software.zeek.rst b/doc/scripts/policy/protocols/mysql/software.zeek.rst
new file mode 100644
index 0000000000..56f7a4e08b
--- /dev/null
+++ b/doc/scripts/policy/protocols/mysql/software.zeek.rst
@@ -0,0 +1,26 @@
+:tocdepth: 3
+
+policy/protocols/mysql/software.zeek
+====================================
+.. zeek:namespace:: MySQL
+
+Software identification and extraction for MySQL traffic.
+
+:Namespace: MySQL
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== =========================================================
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`MySQL::SERVER`:
+                                                 Identifier for MySQL servers in the software framework.
+============================================== =========================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/rdp/indicate_ssl.zeek.rst b/doc/scripts/policy/protocols/rdp/indicate_ssl.zeek.rst
new file mode 100644
index 0000000000..fa1364539e
--- /dev/null
+++ b/doc/scripts/policy/protocols/rdp/indicate_ssl.zeek.rst
@@ -0,0 +1,29 @@
+:tocdepth: 3
+
+policy/protocols/rdp/indicate_ssl.zeek
+======================================
+.. zeek:namespace:: RDP
+
+If an RDP session is "upgraded" to SSL, this will be indicated
+with this script in a new field added to the RDP log.
+
+:Namespace: RDP
+:Imports: :doc:`base/protocols/rdp </scripts/base/protocols/rdp/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=========================================== ===============================================================================================
+:zeek:type:`RDP::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`RDP::Info`
+                                            
+                                              ssl: :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                Flag the connection if it was seen over SSL.
+=========================================== ===============================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/smb/log-cmds.zeek.rst b/doc/scripts/policy/protocols/smb/log-cmds.zeek.rst
new file mode 100644
index 0000000000..a713ff5648
--- /dev/null
+++ b/doc/scripts/policy/protocols/smb/log-cmds.zeek.rst
@@ -0,0 +1,64 @@
+:tocdepth: 3
+
+policy/protocols/smb/log-cmds.zeek
+==================================
+.. zeek:namespace:: SMB
+
+Load this script to generate an SMB command log, smb_cmd.log.
+This is primarily useful for debugging.
+
+:Namespace: SMB
+:Imports: :doc:`base/protocols/smb </scripts/base/protocols/smb/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+============================================================================== ====================================================
+:zeek:id:`SMB::ignored_command_statuses`: :zeek:type:`set` :zeek:attr:`&redef` The server response statuses which are *not* logged.
+============================================================================== ====================================================
+
+Redefinitions
+#############
+======================================= ===========================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`SMB::CMD_LOG`
+======================================= ===========================
+
+Hooks
+#####
+======================================================== =
+:zeek:id:`SMB::log_policy`: :zeek:type:`Log::PolicyHook` 
+======================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SMB::ignored_command_statuses
+   :source-code: policy/protocols/smb/log-cmds.zeek 16 16
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "MORE_PROCESSING_REQUIRED"
+         }
+
+
+   The server response statuses which are *not* logged.
+
+Hooks
+#####
+.. zeek:id:: SMB::log_policy
+   :source-code: policy/protocols/smb/log-cmds.zeek 13 13
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/protocols/smtp/blocklists.zeek.rst b/doc/scripts/policy/protocols/smtp/blocklists.zeek.rst
new file mode 100644
index 0000000000..5f7a83b84d
--- /dev/null
+++ b/doc/scripts/policy/protocols/smtp/blocklists.zeek.rst
@@ -0,0 +1,50 @@
+:tocdepth: 3
+
+policy/protocols/smtp/blocklists.zeek
+=====================================
+.. zeek:namespace:: SMTP
+
+Watch for various SPAM blocklist URLs in SMTP error messages.
+
+:Namespace: SMTP
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=================================================================================== =
+:zeek:id:`SMTP::blocklist_error_messages`: :zeek:type:`pattern` :zeek:attr:`&redef` 
+=================================================================================== =
+
+Redefinitions
+#############
+============================================ ===================================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SMTP::Blocklist_Blocked_Host`:
+                                               The originator's address is seen in the block list error message.
+                                             
+                                             * :zeek:enum:`SMTP::Blocklist_Error_Message`:
+                                               An SMTP server sent a reply mentioning an SMTP block list.
+============================================ ===================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SMTP::blocklist_error_messages
+   :source-code: policy/protocols/smtp/blocklists.zeek 20 20
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?(spamhaus\.org\/)$?)|(^?(sophos\.com\/security\/)$?))$?)|(^?(spamcop\.net\/bl)$?))$?)|(^?(cbl\.abuseat\.org\/)$?))$?)|(^?(sorbs\.net\/)$?))$?)|(^?(bsn\.borderware\.com\/)$?))$?)|(^?(mail-abuse\.com\/)$?))$?)|(^?(b\.barracudacentral\.com\/)$?))$?)|(^?(psbl\.surriel\.com\/)$?))$?)|(^?(antispam\.imp\.ch\/)$?))$?)|(^?(dyndns\.com\/.*spam)$?))$?)|(^?(rbl\.knology\.net\/)$?))$?)|(^?(intercept\.datapacket\.net\/)$?))$?)|(^?(uceprotect\.net\/)$?))$?)|(^?(hostkarma\.junkemailfilter\.com\/)$?))$?/
+
+
+
+
diff --git a/doc/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek.rst b/doc/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek.rst
new file mode 100644
index 0000000000..fc2d75c588
--- /dev/null
+++ b/doc/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek.rst
@@ -0,0 +1,53 @@
+:tocdepth: 3
+
+policy/protocols/smtp/detect-suspicious-orig.zeek
+=================================================
+.. zeek:namespace:: SMTP
+
+
+:Namespace: SMTP
+:Imports: :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`, :doc:`base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================= ===================================================================
+:zeek:id:`SMTP::suspicious_origination_countries`: :zeek:type:`set` :zeek:attr:`&redef` Places where it's suspicious for mail to originate from represented
+                                                                                        as all-capital, two character country codes (e.g., US).
+:zeek:id:`SMTP::suspicious_origination_networks`: :zeek:type:`set` :zeek:attr:`&redef`  
+======================================================================================= ===================================================================
+
+Redefinitions
+#############
+============================================ ===========================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SMTP::Suspicious_Origination`
+============================================ ===========================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SMTP::suspicious_origination_countries
+   :source-code: policy/protocols/smtp/detect-suspicious-orig.zeek 14 14
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Places where it's suspicious for mail to originate from represented
+   as all-capital, two character country codes (e.g., US).  It requires
+   Zeek to be built with GeoIP support.
+
+.. zeek:id:: SMTP::suspicious_origination_networks
+   :source-code: policy/protocols/smtp/detect-suspicious-orig.zeek 15 15
+
+   :Type: :zeek:type:`set` [:zeek:type:`subnet`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+
+
diff --git a/doc/scripts/policy/protocols/smtp/entities-excerpt.zeek.rst b/doc/scripts/policy/protocols/smtp/entities-excerpt.zeek.rst
new file mode 100644
index 0000000000..7292f3042a
--- /dev/null
+++ b/doc/scripts/policy/protocols/smtp/entities-excerpt.zeek.rst
@@ -0,0 +1,49 @@
+:tocdepth: 3
+
+policy/protocols/smtp/entities-excerpt.zeek
+===========================================
+.. zeek:namespace:: SMTP
+
+This script is for optionally adding a body excerpt to the SMTP
+entities log.
+
+:Namespace: SMTP
+:Imports: :doc:`base/protocols/smtp/entities.zeek </scripts/base/protocols/smtp/entities.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=================================================================================== ===================================================================
+:zeek:id:`SMTP::default_entity_excerpt_len`: :zeek:type:`count` :zeek:attr:`&redef` This is the default value for how much of the entity body should be
+                                                                                    included for all MIME entities.
+=================================================================================== ===================================================================
+
+Redefinitions
+#############
+============================================== ======================================================================================================
+:zeek:type:`SMTP::Entity`: :zeek:type:`record` 
+                                               
+                                               :New Fields: :zeek:type:`SMTP::Entity`
+                                               
+                                                 excerpt: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
+                                                   The entity body excerpt.
+============================================== ======================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SMTP::default_entity_excerpt_len
+   :source-code: policy/protocols/smtp/entities-excerpt.zeek 17 17
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``0``
+
+   This is the default value for how much of the entity body should be
+   included for all MIME entities.  The lesser of this value and
+   :zeek:see:`default_file_bof_buffer_size` will be used.
+
+
diff --git a/doc/scripts/policy/protocols/smtp/software.zeek.rst b/doc/scripts/policy/protocols/smtp/software.zeek.rst
new file mode 100644
index 0000000000..55c306a639
--- /dev/null
+++ b/doc/scripts/policy/protocols/smtp/software.zeek.rst
@@ -0,0 +1,86 @@
+:tocdepth: 3
+
+policy/protocols/smtp/software.zeek
+===================================
+.. zeek:namespace:: SMTP
+
+This script feeds software detected through email into the software
+framework.  Mail clients and webmail interfaces are the only thing
+currently detected.
+
+TODO:
+
+* Find some heuristic to determine if email was sent through
+  a MS Exchange webmail interface as opposed to a desktop client.
+
+:Namespace: SMTP
+:Imports: :doc:`base/frameworks/software/main.zeek </scripts/base/frameworks/software/main.zeek>`, :doc:`base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================= ===================================================================
+:zeek:id:`SMTP::detect_clients_in_messages_from`: :zeek:type:`Host` :zeek:attr:`&redef` Assuming that local mail servers are more trustworthy with the
+                                                                                        headers they insert into message envelopes, this default makes Zeek
+                                                                                        not attempt to detect software in inbound message bodies.
+:zeek:id:`SMTP::webmail_user_agents`: :zeek:type:`pattern` :zeek:attr:`&redef`          A regular expression to match USER-AGENT-like headers to find if a
+                                                                                        message was sent with a webmail interface.
+======================================================================================= ===================================================================
+
+Redefinitions
+#############
+============================================== ======================================================================================================
+:zeek:type:`SMTP::Info`: :zeek:type:`record`   
+                                               
+                                               :New Fields: :zeek:type:`SMTP::Info`
+                                               
+                                                 is_webmail: :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                   Boolean indicator of if the message was sent through a
+                                                   webmail interface.
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`SMTP::MAIL_CLIENT`
+                                               
+                                               * :zeek:enum:`SMTP::MAIL_SERVER`
+                                               
+                                               * :zeek:enum:`SMTP::WEBMAIL_SERVER`
+============================================== ======================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SMTP::detect_clients_in_messages_from
+   :source-code: policy/protocols/smtp/software.zeek 36 36
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LOCAL_HOSTS``
+
+   Assuming that local mail servers are more trustworthy with the
+   headers they insert into message envelopes, this default makes Zeek
+   not attempt to detect software in inbound message bodies.  If mail
+   coming in from external addresses gives incorrect data in
+   the Received headers, it could populate your SOFTWARE logging stream
+   with incorrect data.  If you would like to detect mail clients for
+   incoming messages (network traffic originating from a non-local
+   address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
+
+.. zeek:id:: SMTP::webmail_user_agents
+   :source-code: policy/protocols/smtp/software.zeek 40 40
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?((^?(^iPlanet Messenger)$?)|(^?(^Sun Java\(tm\) System Messenger Express)$?))$?)|(^?(\(IMP\))$?))$?)|(^?(^SquirrelMail)$?))$?)|(^?(^NeoMail)$?))$?)|(^?(ZimbraWebClient)$?))$?/
+
+
+   A regular expression to match USER-AGENT-like headers to find if a
+   message was sent with a webmail interface.
+
+
diff --git a/doc/scripts/policy/protocols/ssh/detect-bruteforcing.zeek.rst b/doc/scripts/policy/protocols/ssh/detect-bruteforcing.zeek.rst
new file mode 100644
index 0000000000..ebd77e56d5
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssh/detect-bruteforcing.zeek.rst
@@ -0,0 +1,82 @@
+:tocdepth: 3
+
+policy/protocols/ssh/detect-bruteforcing.zeek
+=============================================
+.. zeek:namespace:: SSH
+
+Detect hosts which are doing password guessing attacks and/or password
+bruteforcing over SSH.
+
+:Namespace: SSH
+:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+=============================================================================== =====================================================================
+:zeek:id:`SSH::guessing_timeout`: :zeek:type:`interval` :zeek:attr:`&redef`     The amount of time to remember presumed non-successful logins to
+                                                                                build a model of a password guesser.
+:zeek:id:`SSH::ignore_guessers`: :zeek:type:`table` :zeek:attr:`&redef`         This value can be used to exclude hosts or entire networks from being
+                                                                                tracked as potential "guessers".
+:zeek:id:`SSH::password_guesses_limit`: :zeek:type:`double` :zeek:attr:`&redef` The number of failed SSH connections before a host is designated as
+                                                                                guessing passwords.
+=============================================================================== =====================================================================
+
+Redefinitions
+#############
+============================================ ============================================================
+:zeek:type:`Intel::Where`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SSH::SUCCESSFUL_LOGIN`:
+                                               An indicator of the login for the intel framework.
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SSH::Login_By_Password_Guesser`:
+                                               Indicates that a host previously identified as a "password
+                                               guesser" has now had a successful login
+                                               attempt.
+                                             
+                                             * :zeek:enum:`SSH::Password_Guessing`:
+                                               Indicates that a host has been identified as crossing the
+                                               :zeek:id:`SSH::password_guesses_limit` threshold with
+                                               failed logins.
+============================================ ============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: SSH::guessing_timeout
+   :source-code: policy/protocols/ssh/detect-bruteforcing.zeek 34 34
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``30.0 mins``
+
+   The amount of time to remember presumed non-successful logins to
+   build a model of a password guesser.
+
+.. zeek:id:: SSH::ignore_guessers
+   :source-code: policy/protocols/ssh/detect-bruteforcing.zeek 39 39
+
+   :Type: :zeek:type:`table` [:zeek:type:`subnet`] of :zeek:type:`subnet`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   This value can be used to exclude hosts or entire networks from being
+   tracked as potential "guessers". The index represents
+   client subnets and the yield value represents server subnets.
+
+.. zeek:id:: SSH::password_guesses_limit
+   :source-code: policy/protocols/ssh/detect-bruteforcing.zeek 30 30
+
+   :Type: :zeek:type:`double`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``30.0``
+
+   The number of failed SSH connections before a host is designated as
+   guessing passwords.
+
+
diff --git a/doc/scripts/policy/protocols/ssh/geo-data.zeek.rst b/doc/scripts/policy/protocols/ssh/geo-data.zeek.rst
new file mode 100644
index 0000000000..f33e029fa7
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssh/geo-data.zeek.rst
@@ -0,0 +1,61 @@
+:tocdepth: 3
+
+policy/protocols/ssh/geo-data.zeek
+==================================
+.. zeek:namespace:: SSH
+
+Geodata based detections for SSH analysis.
+
+:Namespace: SSH
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================= ==================================================================
+:zeek:id:`SSH::watched_countries`: :zeek:type:`set` :zeek:attr:`&redef` The set of countries for which you'd like to generate notices upon
+                                                                        successful login.
+======================================================================= ==================================================================
+
+Redefinitions
+#############
+============================================ =====================================================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SSH::Watched_Country_Login`:
+                                               If an SSH login is seen to or from a "watched" country based
+                                               on the :zeek:id:`SSH::watched_countries` variable then this
+                                               notice will be generated.
+:zeek:type:`SSH::Info`: :zeek:type:`record`  
+                                             
+                                             :New Fields: :zeek:type:`SSH::Info`
+                                             
+                                               remote_location: :zeek:type:`geo_location` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 Add geographic data related to the "remote" host of the
+                                                 connection.
+============================================ =====================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SSH::watched_countries
+   :source-code: policy/protocols/ssh/geo-data.zeek 24 24
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            "RO"
+         }
+
+
+   The set of countries for which you'd like to generate notices upon
+   successful login.
+
+
diff --git a/doc/scripts/policy/protocols/ssh/interesting-hostnames.zeek.rst b/doc/scripts/policy/protocols/ssh/interesting-hostnames.zeek.rst
new file mode 100644
index 0000000000..884e45d768
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssh/interesting-hostnames.zeek.rst
@@ -0,0 +1,54 @@
+:tocdepth: 3
+
+policy/protocols/ssh/interesting-hostnames.zeek
+===============================================
+.. zeek:namespace:: SSH
+
+This script will generate a notice if an apparent SSH login originates
+or heads to a host with a reverse hostname that looks suspicious.  By
+default, the regular expression to match "interesting" hostnames includes
+names that are typically used for infrastructure hosts like nameservers,
+mail servers, web servers and ftp servers.
+
+:Namespace: SSH
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=============================================================================== ===============================================================
+:zeek:id:`SSH::interesting_hostnames`: :zeek:type:`pattern` :zeek:attr:`&redef` Strange/bad host names to see successful SSH logins from or to.
+=============================================================================== ===============================================================
+
+Redefinitions
+#############
+============================================ ===============================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SSH::Interesting_Hostname_Login`:
+                                               Generated if a login originates or responds with a host where
+                                               the reverse hostname lookup resolves to a name matched by the
+                                               :zeek:id:`SSH::interesting_hostnames` regular expression.
+============================================ ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SSH::interesting_hostnames
+   :source-code: policy/protocols/ssh/interesting-hostnames.zeek 20 20
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?((^?((^?((^?((^?((^?((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))$?)|(^?(^mail[0-9]*\.)$?))$?)|(^?(^pop[0-9]*\.)$?))$?)|(^?(^imap[0-9]*\.)$?))$?)|(^?(^www[0-9]*\.)$?))$?)|(^?(^ftp[0-9]*\.)$?))$?/
+
+
+   Strange/bad host names to see successful SSH logins from or to.
+
+
diff --git a/doc/scripts/policy/protocols/ssh/software.zeek.rst b/doc/scripts/policy/protocols/ssh/software.zeek.rst
new file mode 100644
index 0000000000..27ca5ae8b8
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssh/software.zeek.rst
@@ -0,0 +1,30 @@
+:tocdepth: 3
+
+policy/protocols/ssh/software.zeek
+==================================
+.. zeek:namespace:: SSH
+
+Extracts SSH client and server information from SSH
+connections and forwards it to the software framework.
+
+:Namespace: SSH
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================== =======================================================
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`SSH::CLIENT`:
+                                                 Identifier for SSH servers in the software framework.
+                                               
+                                               * :zeek:enum:`SSH::SERVER`:
+                                                 Identifier for SSH clients in the software framework.
+============================================== =======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ssl/certificate-request-info.zeek.rst b/doc/scripts/policy/protocols/ssl/certificate-request-info.zeek.rst
new file mode 100644
index 0000000000..c91c06900e
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/certificate-request-info.zeek.rst
@@ -0,0 +1,29 @@
+:tocdepth: 3
+
+policy/protocols/ssl/certificate-request-info.zeek
+==================================================
+.. zeek:namespace:: SSL
+
+When the server requests a client certificate, it optionally may specify a list of CAs that
+it accepts. If the server does this, this script adds this list to ssl.log.
+
+:Namespace: SSL
+:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=========================================== ===============================================================================================================================
+:zeek:type:`SSL::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`SSL::Info`
+                                            
+                                              requested_client_certificate_authorities: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+                                                List of client certificate CAs accepted by the server
+=========================================== ===============================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ssl/decryption.zeek.rst b/doc/scripts/policy/protocols/ssl/decryption.zeek.rst
new file mode 100644
index 0000000000..1f41f50584
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/decryption.zeek.rst
@@ -0,0 +1,98 @@
+:tocdepth: 3
+
+policy/protocols/ssl/decryption.zeek
+====================================
+.. zeek:namespace:: SSL
+
+This script allows for the decryption of certain TLS 1.2 connections, if the user is in possession
+of the private key material for the session. Key material can either be provided via a file (useful
+for processing trace files) or via sending events via Broker (for live decoding).
+
+Please note that this feature is experimental and can change without guarantees to our typical
+deprecation timeline. Please also note that currently only TLS 1.2 connections that use the
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite are supported.
+
+:Namespace: SSL
+:Imports: :doc:`base/frameworks/input </scripts/base/frameworks/input/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+============================================================================ =====================================================================================================
+:zeek:id:`SSL::keylog_file`: :zeek:type:`string` :zeek:attr:`&redef`         This can be set to a file that contains the session secrets for decryption, when parsing a pcap file.
+:zeek:id:`SSL::secret_expiration`: :zeek:type:`interval` :zeek:attr:`&redef` Secrets expire after this time of not being used.
+============================================================================ =====================================================================================================
+
+Redefinitions
+#############
+======================================================================================= ===========================================================
+:zeek:type:`SSL::Info`: :zeek:type:`record`                                             
+                                                                                        
+                                                                                        :New Fields: :zeek:type:`SSL::Info`
+                                                                                        
+                                                                                          client_random: :zeek:type:`string` :zeek:attr:`&optional`
+:zeek:id:`SSL::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef` 
+======================================================================================= ===========================================================
+
+Events
+######
+============================================== ==============================================================================================
+:zeek:id:`SSL::add_keys`: :zeek:type:`event`   This event can be triggered, e.g., via Broker to add known keys to the TLS key database.
+:zeek:id:`SSL::add_secret`: :zeek:type:`event` This event can be triggered, e.g., via Broker to add known secrets to the TLS secret database.
+============================================== ==============================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: SSL::keylog_file
+   :source-code: policy/protocols/ssl/decryption.zeek 24 24
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   This can be set to a file that contains the session secrets for decryption, when parsing a pcap file.
+   Please note that, when using this feature, you probably want to pause processing of data till this
+   file has been read.
+
+.. zeek:id:: SSL::secret_expiration
+   :source-code: policy/protocols/ssl/decryption.zeek 27 27
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``5.0 mins``
+
+   Secrets expire after this time of not being used.
+
+Events
+######
+.. zeek:id:: SSL::add_keys
+   :source-code: policy/protocols/ssl/decryption.zeek 82 85
+
+   :Type: :zeek:type:`event` (client_random: :zeek:type:`string`, keys: :zeek:type:`string`)
+
+   This event can be triggered, e.g., via Broker to add known keys to the TLS key database.
+   
+
+   :param client_random: client random for which the key is set
+   
+
+   :param keys: key material
+
+.. zeek:id:: SSL::add_secret
+   :source-code: policy/protocols/ssl/decryption.zeek 87 90
+
+   :Type: :zeek:type:`event` (client_random: :zeek:type:`string`, secrets: :zeek:type:`string`)
+
+   This event can be triggered, e.g., via Broker to add known secrets to the TLS secret database.
+   
+
+   :param client_random: client random for which the secret is set
+   
+
+   :param secrets: derived TLS secrets material
+
+
diff --git a/doc/scripts/policy/protocols/ssl/expiring-certs.zeek.rst b/doc/scripts/policy/protocols/ssl/expiring-certs.zeek.rst
new file mode 100644
index 0000000000..8642d87098
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/expiring-certs.zeek.rst
@@ -0,0 +1,71 @@
+:tocdepth: 3
+
+policy/protocols/ssl/expiring-certs.zeek
+========================================
+.. zeek:namespace:: SSL
+
+Generate notices when X.509 certificates over SSL/TLS are expired or
+going to expire soon based on the date and time values stored within the
+certificate.
+
+:Namespace: SSL
+:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+======================================================================================= ======================================================================
+:zeek:id:`SSL::notify_certs_expiration`: :zeek:type:`Host` :zeek:attr:`&redef`          The category of hosts you would like to be notified about which have
+                                                                                        certificates that are going to be expiring soon.
+:zeek:id:`SSL::notify_when_cert_expiring_in`: :zeek:type:`interval` :zeek:attr:`&redef` The time before a certificate is going to expire that you would like
+                                                                                        to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices.
+======================================================================================= ======================================================================
+
+Redefinitions
+#############
+============================================ ==============================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SSL::Certificate_Expired`:
+                                               Indicates that a certificate's NotValidAfter date has lapsed
+                                               and the certificate is now invalid.
+                                             
+                                             * :zeek:enum:`SSL::Certificate_Expires_Soon`:
+                                               Indicates that a certificate is going to expire within
+                                               :zeek:id:`SSL::notify_when_cert_expiring_in`.
+                                             
+                                             * :zeek:enum:`SSL::Certificate_Not_Valid_Yet`:
+                                               Indicates that a certificate's NotValidBefore date is future
+                                               dated.
+============================================ ==============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SSL::notify_certs_expiration
+   :source-code: policy/protocols/ssl/expiring-certs.zeek 30 30
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LOCAL_HOSTS``
+
+   The category of hosts you would like to be notified about which have
+   certificates that are going to be expiring soon.  By default, these
+   notices will be suppressed by the notice framework for 1 day after
+   a particular certificate has had a notice generated.
+   Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+
+.. zeek:id:: SSL::notify_when_cert_expiring_in
+   :source-code: policy/protocols/ssl/expiring-certs.zeek 34 34
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``30.0 days``
+
+   The time before a certificate is going to expire that you would like
+   to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices.
+
+
diff --git a/doc/scripts/policy/protocols/ssl/heartbleed.zeek.rst b/doc/scripts/policy/protocols/ssl/heartbleed.zeek.rst
new file mode 100644
index 0000000000..e99104d035
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/heartbleed.zeek.rst
@@ -0,0 +1,53 @@
+:tocdepth: 3
+
+policy/protocols/ssl/heartbleed.zeek
+====================================
+.. zeek:namespace:: Heartbleed
+
+Detect the TLS heartbleed attack. See http://heartbleed.com for more.
+
+:Namespace: Heartbleed
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+======================================================================================= ================================================================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum`                                            
+                                                                                        
+                                                                                        * :zeek:enum:`Heartbleed::SSL_Heartbeat_Attack`:
+                                                                                          Indicates that a host performed a heartbleed attack or scan.
+                                                                                        
+                                                                                        * :zeek:enum:`Heartbleed::SSL_Heartbeat_Attack_Success`:
+                                                                                          Indicates that a host performing a heartbleed attack was probably successful.
+                                                                                        
+                                                                                        * :zeek:enum:`Heartbleed::SSL_Heartbeat_Many_Requests`:
+                                                                                          Indicates we saw many heartbeat requests without a reply.
+                                                                                        
+                                                                                        * :zeek:enum:`Heartbleed::SSL_Heartbeat_Odd_Length`:
+                                                                                          Indicates we saw heartbeat requests with odd length.
+:zeek:type:`SSL::Info`: :zeek:type:`record`                                             
+                                                                                        
+                                                                                        :New Fields: :zeek:type:`SSL::Info`
+                                                                                        
+                                                                                          last_originator_heartbeat_request_size: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                                        
+                                                                                          last_responder_heartbeat_request_size: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                                        
+                                                                                          originator_heartbeats: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                                                        
+                                                                                          responder_heartbeats: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                                                        
+                                                                                          heartbleed_detected: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
+                                                                                        
+                                                                                          enc_appdata_packages: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+                                                                                        
+                                                                                          enc_appdata_bytes: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
+:zeek:id:`SSL::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef` 
+======================================================================================= ================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ssl/known-certs.zeek.rst b/doc/scripts/policy/protocols/ssl/known-certs.zeek.rst
new file mode 100644
index 0000000000..3af50df2ae
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/known-certs.zeek.rst
@@ -0,0 +1,244 @@
+:tocdepth: 3
+
+policy/protocols/ssl/known-certs.zeek
+=====================================
+.. zeek:namespace:: Known
+
+Log information about certificates while attempting to avoid duplicate
+logging.
+
+:Namespace: Known
+:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=============================================================================== ====================================================================
+:zeek:id:`Known::cert_store_expiry`: :zeek:type:`interval` :zeek:attr:`&redef`  The expiry interval of new entries in :zeek:see:`Known::cert_store`.
+:zeek:id:`Known::cert_store_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The timeout interval to use for operations against
+                                                                                :zeek:see:`Known::cert_store`.
+:zeek:id:`Known::cert_tracking`: :zeek:type:`Host` :zeek:attr:`&redef`          The certificates whose existence should be logged and tracked.
+=============================================================================== ====================================================================
+
+Redefinable Options
+###################
+========================================================================== ===============================================================
+:zeek:id:`Known::cert_store_name`: :zeek:type:`string` :zeek:attr:`&redef` The Broker topic name to use for :zeek:see:`Known::cert_store`.
+:zeek:id:`Known::use_cert_store`: :zeek:type:`bool` :zeek:attr:`&redef`    Toggles between different implementations of this script.
+========================================================================== ===============================================================
+
+State Variables
+###############
+======================================================================================================= ===================================================================
+:zeek:id:`Known::cert_store`: :zeek:type:`Cluster::StoreInfo`                                           Holds the set of all known certificates.
+:zeek:id:`Known::certs`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef` The set of all known certificates to store for preventing duplicate
+                                                                                                        logging.
+======================================================================================================= ===================================================================
+
+Types
+#####
+========================================================= =
+:zeek:type:`Known::AddrCertHashPair`: :zeek:type:`record` 
+:zeek:type:`Known::CertsInfo`: :zeek:type:`record`        
+========================================================= =
+
+Redefinitions
+#############
+======================================= ===============================
+:zeek:type:`Log::ID`: :zeek:type:`enum` 
+                                        
+                                        * :zeek:enum:`Known::CERTS_LOG`
+======================================= ===============================
+
+Events
+######
+===================================================== =====================================================================
+:zeek:id:`Known::log_known_certs`: :zeek:type:`event` Event that can be handled to access the loggable record as it is sent
+                                                      on to the logging framework.
+===================================================== =====================================================================
+
+Hooks
+#####
+================================================================ =
+:zeek:id:`Known::log_policy_certs`: :zeek:type:`Log::PolicyHook` 
+================================================================ =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Known::cert_store_expiry
+   :source-code: policy/protocols/ssl/known-certs.zeek 57 57
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 day``
+
+   The expiry interval of new entries in :zeek:see:`Known::cert_store`.
+   This also changes the interval at which certs get logged.
+
+.. zeek:id:: Known::cert_store_timeout
+   :source-code: policy/protocols/ssl/known-certs.zeek 61 61
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``15.0 secs``
+
+   The timeout interval to use for operations against
+   :zeek:see:`Known::cert_store`.
+
+.. zeek:id:: Known::cert_tracking
+   :source-code: policy/protocols/ssl/known-certs.zeek 34 34
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LOCAL_HOSTS``
+   :Redefinition: from :doc:`/scripts/policy/tuning/track-all-assets.zeek`
+
+      ``=``::
+
+         ALL_HOSTS
+
+
+   The certificates whose existence should be logged and tracked.
+   Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
+
+Redefinable Options
+###################
+.. zeek:id:: Known::cert_store_name
+   :source-code: policy/protocols/ssl/known-certs.zeek 53 53
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``"zeek/known/certs"``
+
+   The Broker topic name to use for :zeek:see:`Known::cert_store`.
+
+.. zeek:id:: Known::use_cert_store
+   :source-code: policy/protocols/ssl/known-certs.zeek 40 40
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+
+   Toggles between different implementations of this script.
+   When true, use a Broker data store, else use a regular Zeek set
+   with keys uniformly distributed over proxy nodes in cluster
+   operation.
+
+State Variables
+###############
+.. zeek:id:: Known::cert_store
+   :source-code: policy/protocols/ssl/known-certs.zeek 50 50
+
+   :Type: :zeek:type:`Cluster::StoreInfo`
+   :Default:
+
+      ::
+
+         {
+            name=<uninitialized>
+            store=<uninitialized>
+            master_node=""
+            master=F
+            backend=Broker::MEMORY
+            options=[sqlite=[path="", synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]]
+            clone_resync_interval=10.0 secs
+            clone_stale_interval=5.0 mins
+            clone_mutation_buffer_interval=2.0 mins
+         }
+
+
+   Holds the set of all known certificates.  Keys in the store are of
+   type :zeek:type:`Known::AddrCertHashPair` and their associated value is
+   always the boolean value of "true".
+
+.. zeek:id:: Known::certs
+   :source-code: policy/protocols/ssl/known-certs.zeek 70 70
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`string`]
+   :Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   The set of all known certificates to store for preventing duplicate
+   logging. It can also be used from other scripts to
+   inspect if a certificate has been seen in use. The string value
+   in the set is for storing the DER formatted certificate' SHA1 hash.
+   
+   In cluster operation, this set is uniformly distributed across
+   proxy nodes.
+
+Types
+#####
+.. zeek:type:: Known::AddrCertHashPair
+   :source-code: policy/protocols/ssl/known-certs.zeek 42 45
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: host :zeek:type:`addr`
+
+
+   .. zeek:field:: hash :zeek:type:`string`
+
+
+
+.. zeek:type:: Known::CertsInfo
+   :source-code: policy/protocols/ssl/known-certs.zeek 16 30
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+      The timestamp when the certificate was detected.
+
+
+   .. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
+
+      The address that offered the certificate.
+
+
+   .. zeek:field:: port_num :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      If the certificate was handed out by a server, this is the
+      port that the server was listening on.
+
+
+   .. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Certificate subject.
+
+
+   .. zeek:field:: issuer_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Certificate issuer subject.
+
+
+   .. zeek:field:: serial :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+      Serial number for the certificate.
+
+
+
+Events
+######
+.. zeek:id:: Known::log_known_certs
+   :source-code: policy/protocols/ssl/known-certs.zeek 74 74
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Known::CertsInfo`)
+
+   Event that can be handled to access the loggable record as it is sent
+   on to the logging framework.
+
+Hooks
+#####
+.. zeek:id:: Known::log_policy_certs
+   :source-code: policy/protocols/ssl/known-certs.zeek 14 14
+
+   :Type: :zeek:type:`Log::PolicyHook`
+
+
+
diff --git a/doc/scripts/policy/protocols/ssl/log-certs-base64.zeek.rst b/doc/scripts/policy/protocols/ssl/log-certs-base64.zeek.rst
new file mode 100644
index 0000000000..235487e12a
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/log-certs-base64.zeek.rst
@@ -0,0 +1,29 @@
+:tocdepth: 3
+
+policy/protocols/ssl/log-certs-base64.zeek
+==========================================
+
+This script is used to extract certificates seen on the wire to Zeek log files.
+The certificates are base64-encoded and written to ssl.log, to the newly added cert
+field.
+
+:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+======================================================================================= ==========================================================================
+:zeek:type:`X509::Info`: :zeek:type:`record`                                            
+                                                                                        
+                                                                                        :New Fields: :zeek:type:`X509::Info`
+                                                                                        
+                                                                                          cert: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                                            Base64 encoded X.509 certificate.
+:zeek:id:`X509::default_max_field_string_bytes`: :zeek:type:`count` :zeek:attr:`&redef` Certificates can be large and we don't want to risk truncating the output.
+======================================================================================= ==========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ssl/log-hostcerts-only.zeek.rst b/doc/scripts/policy/protocols/ssl/log-hostcerts-only.zeek.rst
new file mode 100644
index 0000000000..1259ca198c
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/log-hostcerts-only.zeek.rst
@@ -0,0 +1,18 @@
+:tocdepth: 3
+
+policy/protocols/ssl/log-hostcerts-only.zeek
+============================================
+.. zeek:namespace:: X509
+
+When this script is loaded, only the host certificates (client and server)
+will be logged to x509.log. Logging of all other certificates will be suppressed.
+
+:Namespace: X509
+:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ssl/ssl-log-ext.zeek.rst b/doc/scripts/policy/protocols/ssl/ssl-log-ext.zeek.rst
new file mode 100644
index 0000000000..7a7159fa7c
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/ssl-log-ext.zeek.rst
@@ -0,0 +1,85 @@
+:tocdepth: 3
+
+policy/protocols/ssl/ssl-log-ext.zeek
+=====================================
+.. zeek:namespace:: SSL
+
+This file adds a lot of additional information to the SSL log
+It is not loaded by default since the information significantly expands
+the log and is probably not interesting for a majority of people.
+
+:Namespace: SSL
+:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+=========================================== ===============================================================================================================
+:zeek:type:`SSL::Info`: :zeek:type:`record` 
+                                            
+                                            :New Fields: :zeek:type:`SSL::Info`
+                                            
+                                              server_version: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Numeric version of the server in the server hello
+                                            
+                                              client_version: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Numeric version of the client in the client hello
+                                            
+                                              client_ciphers: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Ciphers that were offered by the client for the connection
+                                            
+                                              ssl_client_exts: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                SSL Client extensions
+                                            
+                                              ssl_server_exts: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                SSL server extensions
+                                            
+                                              ticket_lifetime_hint: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Suggested ticket lifetime sent in the session ticket handshake
+                                                by the server.
+                                            
+                                              dh_param_size: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                The diffie helman parameter size, when using DH.
+                                            
+                                              point_formats: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                supported elliptic curve point formats
+                                            
+                                              client_curves: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                The curves supported by the client.
+                                            
+                                              orig_alpn: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Application layer protocol negotiation extension sent by the client.
+                                            
+                                              client_supported_versions: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                TLS 1.3 supported versions
+                                            
+                                              server_supported_version: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                TLS 1.3 supported versions
+                                            
+                                              psk_key_exchange_modes: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                TLS 1.3 Pre-shared key exchange modes
+                                            
+                                              client_key_share_groups: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Key share groups from client hello
+                                            
+                                              server_key_share_group: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Selected key share group from server hello
+                                            
+                                              client_comp_methods: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Client supported compression methods
+                                            
+                                              comp_method: :zeek:type:`count` :zeek:attr:`&optional`
+                                                Server chosen compression method
+                                            
+                                              sigalgs: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Client supported signature algorithms
+                                            
+                                              hashalgs: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                Client supported hash algorithms
+=========================================== ===============================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ssl/validate-certs.zeek.rst b/doc/scripts/policy/protocols/ssl/validate-certs.zeek.rst
new file mode 100644
index 0000000000..15eeee1d0f
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/validate-certs.zeek.rst
@@ -0,0 +1,127 @@
+:tocdepth: 3
+
+policy/protocols/ssl/validate-certs.zeek
+========================================
+.. zeek:namespace:: SSL
+
+Perform full certificate chain validation for SSL certificates.
+
+:Namespace: SSL
+:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+State Variables
+###############
+========================================================================================================================= ==================================================================
+:zeek:id:`SSL::recently_validated_certs`: :zeek:type:`table` :zeek:attr:`&read_expire` = ``5.0 mins`` :zeek:attr:`&redef` Result values for recently validated chains along with the
+                                                                                                                          validation status are kept in this table to avoid constant
+                                                                                                                          validation every time the same certificate chain is seen.
+:zeek:id:`SSL::ssl_cache_intermediate_ca`: :zeek:type:`bool` :zeek:attr:`&redef`                                          Use intermediate CA certificate caching when trying to validate
+                                                                                                                          certificates.
+:zeek:id:`SSL::ssl_store_valid_chain`: :zeek:type:`bool` :zeek:attr:`&redef`                                              Store the valid chain in c$ssl$valid_chain if validation succeeds.
+========================================================================================================================= ==================================================================
+
+Redefinitions
+#############
+============================================ ========================================================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SSL::Invalid_Server_Cert`:
+                                               This notice indicates that the result of validating the
+                                               certificate along with its full certificate chain was
+                                               invalid.
+:zeek:type:`SSL::Info`: :zeek:type:`record`  
+                                             
+                                             :New Fields: :zeek:type:`SSL::Info`
+                                             
+                                               validation_status: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 Result of certificate validation for this connection.
+                                             
+                                               validation_code: :zeek:type:`int` :zeek:attr:`&optional`
+                                                 Result of certificate validation for this connection, given
+                                                 as OpenSSL validation code.
+                                             
+                                               valid_chain: :zeek:type:`vector` of :zeek:type:`opaque` of x509 :zeek:attr:`&optional`
+                                                 Ordered chain of validated certificate, if validation succeeded.
+============================================ ========================================================================================
+
+Events
+######
+==================================================== ===============================================================
+:zeek:id:`SSL::intermediate_add`: :zeek:type:`event` Event from a manager to workers when encountering a new, valid
+                                                     intermediate.
+:zeek:id:`SSL::new_intermediate`: :zeek:type:`event` Event from workers to the manager when a new intermediate chain
+                                                     is to be added.
+==================================================== ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+State Variables
+###############
+.. zeek:id:: SSL::recently_validated_certs
+   :source-code: policy/protocols/ssl/validate-certs.zeek 33 33
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`X509::Result`
+   :Attributes: :zeek:attr:`&read_expire` = ``5.0 mins`` :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Result values for recently validated chains along with the
+   validation status are kept in this table to avoid constant
+   validation every time the same certificate chain is seen.
+
+.. zeek:id:: SSL::ssl_cache_intermediate_ca
+   :source-code: policy/protocols/ssl/validate-certs.zeek 46 46
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Use intermediate CA certificate caching when trying to validate
+   certificates. When this is enabled, Zeek keeps track of all valid
+   intermediate CA certificates that it has seen in the past. When
+   encountering a host certificate that cannot be validated because
+   of missing intermediate CA certificate, the cached list is used
+   to try to validate the cert. This is similar to how Firefox is
+   doing certificate validation.
+   
+   Disabling this will usually greatly increase the number of validation warnings
+   that you encounter. Only disable if you want to find misconfigured servers.
+
+.. zeek:id:: SSL::ssl_store_valid_chain
+   :source-code: policy/protocols/ssl/validate-certs.zeek 51 51
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``F``
+   :Redefinition: from :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek`
+
+      ``=``::
+
+         T
+
+
+   Store the valid chain in c$ssl$valid_chain if validation succeeds.
+   This has a potentially high memory impact, depending on the local environment
+   and is thus disabled by default.
+
+Events
+######
+.. zeek:id:: SSL::intermediate_add
+   :source-code: policy/protocols/ssl/validate-certs.zeek 72 75
+
+   :Type: :zeek:type:`event` (key: :zeek:type:`string`, value: :zeek:type:`vector` of :zeek:type:`opaque` of x509)
+
+   Event from a manager to workers when encountering a new, valid
+   intermediate.
+
+.. zeek:id:: SSL::new_intermediate
+   :source-code: policy/protocols/ssl/validate-certs.zeek 77 84
+
+   :Type: :zeek:type:`event` (key: :zeek:type:`string`, value: :zeek:type:`vector` of :zeek:type:`opaque` of x509)
+
+   Event from workers to the manager when a new intermediate chain
+   is to be added.
+
+
diff --git a/doc/scripts/policy/protocols/ssl/validate-ocsp.zeek.rst b/doc/scripts/policy/protocols/ssl/validate-ocsp.zeek.rst
new file mode 100644
index 0000000000..8ca1e0d296
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/validate-ocsp.zeek.rst
@@ -0,0 +1,36 @@
+:tocdepth: 3
+
+policy/protocols/ssl/validate-ocsp.zeek
+=======================================
+.. zeek:namespace:: SSL
+
+Perform validation of stapled OCSP responses.
+
+:Namespace: SSL
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+============================================ ===========================================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SSL::Invalid_Ocsp_Response`:
+                                               This indicates that the OCSP response was not deemed
+                                               to be valid.
+:zeek:type:`SSL::Info`: :zeek:type:`record`  
+                                             
+                                             :New Fields: :zeek:type:`SSL::Info`
+                                             
+                                               ocsp_status: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                 Result of ocsp validation for this connection.
+                                             
+                                               ocsp_response: :zeek:type:`string` :zeek:attr:`&optional`
+                                                 ocsp response as string.
+============================================ ===========================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/protocols/ssl/validate-sct.zeek.rst b/doc/scripts/policy/protocols/ssl/validate-sct.zeek.rst
new file mode 100644
index 0000000000..f18a9d7b1e
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/validate-sct.zeek.rst
@@ -0,0 +1,129 @@
+:tocdepth: 3
+
+policy/protocols/ssl/validate-sct.zeek
+======================================
+.. zeek:namespace:: SSL
+
+Perform validation of Signed Certificate Timestamps, as used
+for Certificate Transparency. See RFC6962 for more details.
+
+:Namespace: SSL
+:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`policy/protocols/ssl/validate-certs.zeek </scripts/policy/protocols/ssl/validate-certs.zeek>`
+
+Summary
+~~~~~~~
+Types
+#####
+============================================== ================================================================
+:zeek:type:`SSL::SctInfo`: :zeek:type:`record` This record is used to store information about the SCTs that are
+                                               encountered in a SSL connection.
+:zeek:type:`SSL::SctSource`: :zeek:type:`enum` List of the different sources for Signed Certificate Timestamp
+============================================== ================================================================
+
+Redefinitions
+#############
+============================================================================ ===================================================================================================================
+:zeek:type:`SSL::Info`: :zeek:type:`record`                                  
+                                                                             
+                                                                             :New Fields: :zeek:type:`SSL::Info`
+                                                                             
+                                                                               valid_scts: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                                 Number of valid SCTs that were encountered in the connection.
+                                                                             
+                                                                               invalid_scts: :zeek:type:`count` :zeek:attr:`&optional`
+                                                                                 Number of SCTs that could not be validated that were encountered in the connection.
+                                                                             
+                                                                               valid_ct_logs: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                                 Number of different Logs for which valid SCTs were encountered in the connection.
+                                                                             
+                                                                               valid_ct_operators: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+                                                                                 Number of different Log operators of which valid SCTs were encountered in the connection.
+                                                                             
+                                                                               valid_ct_operators_list: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
+                                                                                 List of operators for which valid SCTs were encountered in the connection.
+                                                                             
+                                                                               ct_proofs: :zeek:type:`vector` of :zeek:type:`SSL::SctInfo` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
+                                                                                 Information about all SCTs that were encountered in the connection.
+:zeek:id:`SSL::ssl_store_valid_chain`: :zeek:type:`bool` :zeek:attr:`&redef` 
+============================================================================ ===================================================================================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Types
+#####
+.. zeek:type:: SSL::SctInfo
+   :source-code: policy/protocols/ssl/validate-sct.zeek 30 50
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: version :zeek:type:`count`
+
+      The version of the encountered SCT (should always be 0 for v1).
+
+
+   .. zeek:field:: logid :zeek:type:`string`
+
+      The ID of the log issuing this SCT.
+
+
+   .. zeek:field:: timestamp :zeek:type:`count`
+
+      The timestamp at which this SCT was issued measured since the
+      epoch (January 1, 1970, 00:00), ignoring leap seconds, in
+      milliseconds. Not converted to a Zeek timestamp because we need
+      the exact value for validation.
+
+
+   .. zeek:field:: sig_alg :zeek:type:`count`
+
+      The signature algorithm used for this sct.
+
+
+   .. zeek:field:: hash_alg :zeek:type:`count`
+
+      The hash algorithm used for this sct.
+
+
+   .. zeek:field:: signature :zeek:type:`string`
+
+      The signature of this SCT.
+
+
+   .. zeek:field:: source :zeek:type:`SSL::SctSource`
+
+      Source of this SCT.
+
+
+   .. zeek:field:: valid :zeek:type:`bool` :zeek:attr:`&optional`
+
+      Validation result of this SCT.
+
+
+   This record is used to store information about the SCTs that are
+   encountered in a SSL connection.
+
+.. zeek:type:: SSL::SctSource
+   :source-code: policy/protocols/ssl/validate-sct.zeek 16 27
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: SSL::SCT_X509_EXT SSL::SctSource
+
+         Signed Certificate Timestamp was encountered in the extension of
+         an X.509 certificate.
+
+      .. zeek:enum:: SSL::SCT_TLS_EXT SSL::SctSource
+
+         Signed Certificate Timestamp was encountered in an TLS session
+         extension.
+
+      .. zeek:enum:: SSL::SCT_OCSP_EXT SSL::SctSource
+
+         Signed Certificate Timestamp was encountered in the extension of
+         an stapled OCSP reply.
+
+   List of the different sources for Signed Certificate Timestamp
+
+
diff --git a/doc/scripts/policy/protocols/ssl/weak-keys.zeek.rst b/doc/scripts/policy/protocols/ssl/weak-keys.zeek.rst
new file mode 100644
index 0000000000..35002f9c52
--- /dev/null
+++ b/doc/scripts/policy/protocols/ssl/weak-keys.zeek.rst
@@ -0,0 +1,109 @@
+:tocdepth: 3
+
+policy/protocols/ssl/weak-keys.zeek
+===================================
+.. zeek:namespace:: SSL
+
+Generate notices when SSL/TLS connections use certificates, DH parameters,
+or cipher suites that are deemed to be insecure.
+
+:Namespace: SSL
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=========================================================================================== ==============================================================================
+:zeek:id:`SSL::notify_dh_length_shorter_cert_length`: :zeek:type:`bool` :zeek:attr:`&redef` Warn if the DH key length is smaller than the certificate key length.
+:zeek:id:`SSL::notify_minimal_key_length`: :zeek:type:`count` :zeek:attr:`&redef`           The minimal key length in bits that is considered to be safe.
+:zeek:id:`SSL::notify_weak_keys`: :zeek:type:`Host` :zeek:attr:`&redef`                     The category of hosts you would like to be notified about which are using weak
+                                                                                            keys/ciphers/protocol_versions.
+:zeek:id:`SSL::tls_minimum_version`: :zeek:type:`count` :zeek:attr:`&redef`                 Warn if a server negotiates a SSL session with a protocol version smaller than
+                                                                                            the specified version.
+:zeek:id:`SSL::unsafe_ciphers_regex`: :zeek:type:`pattern` :zeek:attr:`&redef`              Warn if a server negotiates an unsafe cipher suite.
+=========================================================================================== ==============================================================================
+
+Redefinitions
+#############
+============================================ ===============================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`SSL::Old_Version`:
+                                               Indicates that a server is using a potentially unsafe version
+                                             
+                                             * :zeek:enum:`SSL::Weak_Cipher`:
+                                               Indicates that a server is using a potentially unsafe cipher
+                                             
+                                             * :zeek:enum:`SSL::Weak_Key`:
+                                               Indicates that a server is using a potentially unsafe key.
+============================================ ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: SSL::notify_dh_length_shorter_cert_length
+   :source-code: policy/protocols/ssl/weak-keys.zeek 34 34
+
+   :Type: :zeek:type:`bool`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``T``
+
+   Warn if the DH key length is smaller than the certificate key length. This is
+   potentially unsafe because it gives a wrong impression of safety due to the
+   certificate key length. However, it is very common and cannot be avoided in some
+   settings (e.g. with old java clients).
+
+.. zeek:id:: SSL::notify_minimal_key_length
+   :source-code: policy/protocols/ssl/weak-keys.zeek 28 28
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``2048``
+
+   The minimal key length in bits that is considered to be safe. Any shorter
+   (non-EC) key lengths will trigger a notice.
+
+.. zeek:id:: SSL::notify_weak_keys
+   :source-code: policy/protocols/ssl/weak-keys.zeek 24 24
+
+   :Type: :zeek:type:`Host`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``LOCAL_HOSTS``
+
+   The category of hosts you would like to be notified about which are using weak
+   keys/ciphers/protocol_versions.  By default, these notices will be suppressed
+   by the notice framework for 1 day after a particular host has had a notice
+   generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+
+.. zeek:id:: SSL::tls_minimum_version
+   :source-code: policy/protocols/ssl/weak-keys.zeek 41 41
+
+   :Type: :zeek:type:`count`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``769``
+
+   Warn if a server negotiates a SSL session with a protocol version smaller than
+   the specified version. By default, the minimal version is TLSv10 because SSLv2
+   and v3 have serious security issued.
+   See https://tools.ietf.org/html/draft-thomson-sslv3-diediedie-00
+   To disable, set to SSLv20
+
+.. zeek:id:: SSL::unsafe_ciphers_regex
+   :source-code: policy/protocols/ssl/weak-keys.zeek 45 45
+
+   :Type: :zeek:type:`pattern`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         /^?((_EXPORT_)|(_RC4_))$?/
+
+
+   Warn if a server negotiates an unsafe cipher suite. By default, we only warn when
+   encountering old export cipher suites, or RC4 (see RFC7465).
+
+
diff --git a/doc/scripts/policy/tuning/json-logs.zeek.rst b/doc/scripts/policy/tuning/json-logs.zeek.rst
new file mode 100644
index 0000000000..a14309a41c
--- /dev/null
+++ b/doc/scripts/policy/tuning/json-logs.zeek.rst
@@ -0,0 +1,21 @@
+:tocdepth: 3
+
+policy/tuning/json-logs.zeek
+============================
+
+Loading this script will cause all logs to be written
+out as JSON by default.
+
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+==================================================================== =
+:zeek:id:`LogAscii::use_json`: :zeek:type:`bool` :zeek:attr:`&redef` 
+==================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/policy/tuning/track-all-assets.zeek.rst b/doc/scripts/policy/tuning/track-all-assets.zeek.rst
new file mode 100644
index 0000000000..6a3a031a48
--- /dev/null
+++ b/doc/scripts/policy/tuning/track-all-assets.zeek.rst
@@ -0,0 +1,23 @@
+:tocdepth: 3
+
+policy/tuning/track-all-assets.zeek
+===================================
+
+
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`policy/protocols/conn/known-hosts.zeek </scripts/policy/protocols/conn/known-hosts.zeek>`, :doc:`policy/protocols/conn/known-services.zeek </scripts/policy/protocols/conn/known-services.zeek>`, :doc:`policy/protocols/ssl/known-certs.zeek </scripts/policy/protocols/ssl/known-certs.zeek>`
+
+Summary
+~~~~~~~
+Redefinitions
+#############
+========================================================================== =
+:zeek:id:`Known::cert_tracking`: :zeek:type:`Host` :zeek:attr:`&redef`     
+:zeek:id:`Known::host_tracking`: :zeek:type:`Host` :zeek:attr:`&redef`     
+:zeek:id:`Known::service_tracking`: :zeek:type:`Host` :zeek:attr:`&redef`  
+:zeek:id:`Software::asset_tracking`: :zeek:type:`Host` :zeek:attr:`&redef` 
+========================================================================== =
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/test-all-policy.zeek.rst b/doc/scripts/test-all-policy.zeek.rst
new file mode 100644
index 0000000000..37e541c3d4
--- /dev/null
+++ b/doc/scripts/test-all-policy.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+test-all-policy.zeek
+====================
+
+
+:Imports: :doc:`policy/files/x509/disable-certificate-events-known-certs.zeek </scripts/policy/files/x509/disable-certificate-events-known-certs.zeek>`, :doc:`policy/frameworks/analyzer/debug-logging.zeek </scripts/policy/frameworks/analyzer/debug-logging.zeek>`, :doc:`policy/frameworks/analyzer/detect-protocols.zeek </scripts/policy/frameworks/analyzer/detect-protocols.zeek>`, :doc:`policy/frameworks/analyzer/packet-segment-logging.zeek </scripts/policy/frameworks/analyzer/packet-segment-logging.zeek>`, :doc:`policy/frameworks/cluster/backend/zeromq/__load__.zeek </scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek>`, :doc:`policy/frameworks/cluster/backend/zeromq/main.zeek </scripts/policy/frameworks/cluster/backend/zeromq/main.zeek>`, :doc:`policy/frameworks/cluster/experimental.zeek </scripts/policy/frameworks/cluster/experimental.zeek>`, :doc:`policy/frameworks/files/detect-MHR.zeek </scripts/policy/frameworks/files/detect-MHR.zeek>`, :doc:`policy/frameworks/files/entropy-test-all-files.zeek </scripts/policy/frameworks/files/entropy-test-all-files.zeek>`, :doc:`policy/frameworks/files/hash-all-files.zeek </scripts/policy/frameworks/files/hash-all-files.zeek>`, :doc:`policy/frameworks/intel/do_expire.zeek </scripts/policy/frameworks/intel/do_expire.zeek>`, :doc:`policy/frameworks/intel/do_notice.zeek </scripts/policy/frameworks/intel/do_notice.zeek>`, :doc:`policy/frameworks/intel/removal.zeek </scripts/policy/frameworks/intel/removal.zeek>`, :doc:`policy/frameworks/intel/seen/__load__.zeek </scripts/policy/frameworks/intel/seen/__load__.zeek>`, :doc:`policy/frameworks/intel/seen/conn-established.zeek </scripts/policy/frameworks/intel/seen/conn-established.zeek>`, :doc:`policy/frameworks/intel/seen/dns.zeek </scripts/policy/frameworks/intel/seen/dns.zeek>`, :doc:`policy/frameworks/intel/seen/file-hashes.zeek </scripts/policy/frameworks/intel/seen/file-hashes.zeek>`, :doc:`policy/frameworks/intel/seen/file-names.zeek </scripts/policy/frameworks/intel/seen/file-names.zeek>`, :doc:`policy/frameworks/intel/seen/http-headers.zeek </scripts/policy/frameworks/intel/seen/http-headers.zeek>`, :doc:`policy/frameworks/intel/seen/http-url.zeek </scripts/policy/frameworks/intel/seen/http-url.zeek>`, :doc:`policy/frameworks/intel/seen/manage-event-groups.zeek </scripts/policy/frameworks/intel/seen/manage-event-groups.zeek>`, :doc:`policy/frameworks/intel/seen/pubkey-hashes.zeek </scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek>`, :doc:`policy/frameworks/intel/seen/smb-filenames.zeek </scripts/policy/frameworks/intel/seen/smb-filenames.zeek>`, :doc:`policy/frameworks/intel/seen/smtp-url-extraction.zeek </scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek>`, :doc:`policy/frameworks/intel/seen/smtp.zeek </scripts/policy/frameworks/intel/seen/smtp.zeek>`, :doc:`policy/frameworks/intel/seen/ssl.zeek </scripts/policy/frameworks/intel/seen/ssl.zeek>`, :doc:`policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>`, :doc:`policy/frameworks/intel/seen/x509.zeek </scripts/policy/frameworks/intel/seen/x509.zeek>`, :doc:`policy/frameworks/intel/whitelist.zeek </scripts/policy/frameworks/intel/whitelist.zeek>`, :doc:`policy/frameworks/management/__load__.zeek </scripts/policy/frameworks/management/__load__.zeek>`, :doc:`policy/frameworks/management/agent/__load__.zeek </scripts/policy/frameworks/management/agent/__load__.zeek>`, :doc:`policy/frameworks/management/agent/api.zeek </scripts/policy/frameworks/management/agent/api.zeek>`, :doc:`policy/frameworks/management/agent/boot.zeek </scripts/policy/frameworks/management/agent/boot.zeek>`, :doc:`policy/frameworks/management/agent/config.zeek </scripts/policy/frameworks/management/agent/config.zeek>`, :doc:`policy/frameworks/management/config.zeek </scripts/policy/frameworks/management/config.zeek>`, :doc:`policy/frameworks/management/controller/__load__.zeek </scripts/policy/frameworks/management/controller/__load__.zeek>`, :doc:`policy/frameworks/management/controller/api.zeek </scripts/policy/frameworks/management/controller/api.zeek>`, :doc:`policy/frameworks/management/controller/boot.zeek </scripts/policy/frameworks/management/controller/boot.zeek>`, :doc:`policy/frameworks/management/controller/config.zeek </scripts/policy/frameworks/management/controller/config.zeek>`, :doc:`policy/frameworks/management/log.zeek </scripts/policy/frameworks/management/log.zeek>`, :doc:`policy/frameworks/management/node/api.zeek </scripts/policy/frameworks/management/node/api.zeek>`, :doc:`policy/frameworks/management/node/config.zeek </scripts/policy/frameworks/management/node/config.zeek>`, :doc:`policy/frameworks/management/persistence.zeek </scripts/policy/frameworks/management/persistence.zeek>`, :doc:`policy/frameworks/management/request.zeek </scripts/policy/frameworks/management/request.zeek>`, :doc:`policy/frameworks/management/supervisor/__load__.zeek </scripts/policy/frameworks/management/supervisor/__load__.zeek>`, :doc:`policy/frameworks/management/supervisor/api.zeek </scripts/policy/frameworks/management/supervisor/api.zeek>`, :doc:`policy/frameworks/management/supervisor/config.zeek </scripts/policy/frameworks/management/supervisor/config.zeek>`, :doc:`policy/frameworks/management/supervisor/main.zeek </scripts/policy/frameworks/management/supervisor/main.zeek>`, :doc:`policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>`, :doc:`policy/frameworks/management/util.zeek </scripts/policy/frameworks/management/util.zeek>`, :doc:`policy/frameworks/netcontrol/catch-and-release.zeek </scripts/policy/frameworks/netcontrol/catch-and-release.zeek>`, :doc:`policy/frameworks/notice/__load__.zeek </scripts/policy/frameworks/notice/__load__.zeek>`, :doc:`policy/frameworks/notice/actions/drop.zeek </scripts/policy/frameworks/notice/actions/drop.zeek>`, :doc:`policy/frameworks/notice/community-id.zeek </scripts/policy/frameworks/notice/community-id.zeek>`, :doc:`policy/frameworks/notice/extend-email/hostnames.zeek </scripts/policy/frameworks/notice/extend-email/hostnames.zeek>`, :doc:`policy/frameworks/packet-filter/shunt.zeek </scripts/policy/frameworks/packet-filter/shunt.zeek>`, :doc:`policy/frameworks/software/version-changes.zeek </scripts/policy/frameworks/software/version-changes.zeek>`, :doc:`policy/frameworks/software/vulnerable.zeek </scripts/policy/frameworks/software/vulnerable.zeek>`, :doc:`policy/frameworks/software/windows-version-detection.zeek </scripts/policy/frameworks/software/windows-version-detection.zeek>`, :doc:`policy/frameworks/storage/backend/redis/__load__.zeek </scripts/policy/frameworks/storage/backend/redis/__load__.zeek>`, :doc:`policy/frameworks/storage/backend/redis/main.zeek </scripts/policy/frameworks/storage/backend/redis/main.zeek>`, :doc:`policy/frameworks/storage/backend/sqlite/__load__.zeek </scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek>`, :doc:`policy/frameworks/storage/backend/sqlite/main.zeek </scripts/policy/frameworks/storage/backend/sqlite/main.zeek>`, :doc:`policy/frameworks/telemetry/log.zeek </scripts/policy/frameworks/telemetry/log.zeek>`, :doc:`policy/integration/collective-intel/__load__.zeek </scripts/policy/integration/collective-intel/__load__.zeek>`, :doc:`policy/integration/collective-intel/main.zeek </scripts/policy/integration/collective-intel/main.zeek>`, :doc:`policy/misc/capture-loss.zeek </scripts/policy/misc/capture-loss.zeek>`, :doc:`policy/misc/detect-traceroute/__load__.zeek </scripts/policy/misc/detect-traceroute/__load__.zeek>`, :doc:`policy/misc/detect-traceroute/main.zeek </scripts/policy/misc/detect-traceroute/main.zeek>`, :doc:`policy/misc/loaded-scripts.zeek </scripts/policy/misc/loaded-scripts.zeek>`, :doc:`policy/misc/profiling.zeek </scripts/policy/misc/profiling.zeek>`, :doc:`policy/misc/stats.zeek </scripts/policy/misc/stats.zeek>`, :doc:`policy/misc/trim-trace-file.zeek </scripts/policy/misc/trim-trace-file.zeek>`, :doc:`policy/misc/unknown-protocols.zeek </scripts/policy/misc/unknown-protocols.zeek>`, :doc:`policy/misc/weird-stats.zeek </scripts/policy/misc/weird-stats.zeek>`, :doc:`policy/protocols/conn/community-id-logging.zeek </scripts/policy/protocols/conn/community-id-logging.zeek>`, :doc:`policy/protocols/conn/disable-unknown-ip-proto-support.zeek </scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek>`, :doc:`policy/protocols/conn/failed-service-logging.zeek </scripts/policy/protocols/conn/failed-service-logging.zeek>`, :doc:`policy/protocols/conn/ip-proto-name-logging.zeek </scripts/policy/protocols/conn/ip-proto-name-logging.zeek>`, :doc:`policy/protocols/conn/known-hosts.zeek </scripts/policy/protocols/conn/known-hosts.zeek>`, :doc:`policy/protocols/conn/known-services.zeek </scripts/policy/protocols/conn/known-services.zeek>`, :doc:`policy/protocols/conn/mac-logging.zeek </scripts/policy/protocols/conn/mac-logging.zeek>`, :doc:`policy/protocols/conn/pppoe-session-id-logging.zeek </scripts/policy/protocols/conn/pppoe-session-id-logging.zeek>`, :doc:`policy/protocols/conn/vlan-logging.zeek </scripts/policy/protocols/conn/vlan-logging.zeek>`, :doc:`policy/protocols/conn/weirds.zeek </scripts/policy/protocols/conn/weirds.zeek>`, :doc:`policy/protocols/dhcp/msg-orig.zeek </scripts/policy/protocols/dhcp/msg-orig.zeek>`, :doc:`policy/protocols/dhcp/software.zeek </scripts/policy/protocols/dhcp/software.zeek>`, :doc:`policy/protocols/dhcp/sub-opts.zeek </scripts/policy/protocols/dhcp/sub-opts.zeek>`, :doc:`policy/protocols/dns/auth-addl.zeek </scripts/policy/protocols/dns/auth-addl.zeek>`, :doc:`policy/protocols/dns/detect-external-names.zeek </scripts/policy/protocols/dns/detect-external-names.zeek>`, :doc:`policy/protocols/dns/log-original-query-case.zeek </scripts/policy/protocols/dns/log-original-query-case.zeek>`, :doc:`policy/protocols/ftp/detect-bruteforcing.zeek </scripts/policy/protocols/ftp/detect-bruteforcing.zeek>`, :doc:`policy/protocols/ftp/detect.zeek </scripts/policy/protocols/ftp/detect.zeek>`, :doc:`policy/protocols/ftp/software.zeek </scripts/policy/protocols/ftp/software.zeek>`, :doc:`policy/protocols/http/detect-sql-injection.zeek </scripts/policy/protocols/http/detect-sql-injection.zeek>`, :doc:`policy/protocols/http/detect-webapps.zeek </scripts/policy/protocols/http/detect-webapps.zeek>`, :doc:`policy/protocols/http/header-names.zeek </scripts/policy/protocols/http/header-names.zeek>`, :doc:`policy/protocols/http/software-browser-plugins.zeek </scripts/policy/protocols/http/software-browser-plugins.zeek>`, :doc:`policy/protocols/http/software.zeek </scripts/policy/protocols/http/software.zeek>`, :doc:`policy/protocols/http/var-extraction-cookies.zeek </scripts/policy/protocols/http/var-extraction-cookies.zeek>`, :doc:`policy/protocols/http/var-extraction-uri.zeek </scripts/policy/protocols/http/var-extraction-uri.zeek>`, :doc:`policy/protocols/krb/ticket-logging.zeek </scripts/policy/protocols/krb/ticket-logging.zeek>`, :doc:`policy/protocols/modbus/known-masters-slaves.zeek </scripts/policy/protocols/modbus/known-masters-slaves.zeek>`, :doc:`policy/protocols/modbus/track-memmap.zeek </scripts/policy/protocols/modbus/track-memmap.zeek>`, :doc:`policy/protocols/mysql/software.zeek </scripts/policy/protocols/mysql/software.zeek>`, :doc:`policy/protocols/rdp/indicate_ssl.zeek </scripts/policy/protocols/rdp/indicate_ssl.zeek>`, :doc:`policy/protocols/smb/log-cmds.zeek </scripts/policy/protocols/smb/log-cmds.zeek>`, :doc:`policy/protocols/smtp/blocklists.zeek </scripts/policy/protocols/smtp/blocklists.zeek>`, :doc:`policy/protocols/smtp/detect-suspicious-orig.zeek </scripts/policy/protocols/smtp/detect-suspicious-orig.zeek>`, :doc:`policy/protocols/smtp/entities-excerpt.zeek </scripts/policy/protocols/smtp/entities-excerpt.zeek>`, :doc:`policy/protocols/smtp/software.zeek </scripts/policy/protocols/smtp/software.zeek>`, :doc:`policy/protocols/ssh/detect-bruteforcing.zeek </scripts/policy/protocols/ssh/detect-bruteforcing.zeek>`, :doc:`policy/protocols/ssh/geo-data.zeek </scripts/policy/protocols/ssh/geo-data.zeek>`, :doc:`policy/protocols/ssh/interesting-hostnames.zeek </scripts/policy/protocols/ssh/interesting-hostnames.zeek>`, :doc:`policy/protocols/ssh/software.zeek </scripts/policy/protocols/ssh/software.zeek>`, :doc:`policy/protocols/ssl/certificate-request-info.zeek </scripts/policy/protocols/ssl/certificate-request-info.zeek>`, :doc:`policy/protocols/ssl/decryption.zeek </scripts/policy/protocols/ssl/decryption.zeek>`, :doc:`policy/protocols/ssl/expiring-certs.zeek </scripts/policy/protocols/ssl/expiring-certs.zeek>`, :doc:`policy/protocols/ssl/heartbleed.zeek </scripts/policy/protocols/ssl/heartbleed.zeek>`, :doc:`policy/protocols/ssl/known-certs.zeek </scripts/policy/protocols/ssl/known-certs.zeek>`, :doc:`policy/protocols/ssl/log-certs-base64.zeek </scripts/policy/protocols/ssl/log-certs-base64.zeek>`, :doc:`policy/protocols/ssl/log-hostcerts-only.zeek </scripts/policy/protocols/ssl/log-hostcerts-only.zeek>`, :doc:`policy/protocols/ssl/ssl-log-ext.zeek </scripts/policy/protocols/ssl/ssl-log-ext.zeek>`, :doc:`policy/protocols/ssl/validate-certs.zeek </scripts/policy/protocols/ssl/validate-certs.zeek>`, :doc:`policy/protocols/ssl/validate-ocsp.zeek </scripts/policy/protocols/ssl/validate-ocsp.zeek>`, :doc:`policy/protocols/ssl/validate-sct.zeek </scripts/policy/protocols/ssl/validate-sct.zeek>`, :doc:`policy/protocols/ssl/weak-keys.zeek </scripts/policy/protocols/ssl/weak-keys.zeek>`, :doc:`policy/tuning/json-logs.zeek </scripts/policy/tuning/json-logs.zeek>`, :doc:`policy/tuning/track-all-assets.zeek </scripts/policy/tuning/track-all-assets.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/zeekygen/__load__.zeek.rst b/doc/scripts/zeekygen/__load__.zeek.rst
new file mode 100644
index 0000000000..01b74322f5
--- /dev/null
+++ b/doc/scripts/zeekygen/__load__.zeek.rst
@@ -0,0 +1,14 @@
+:tocdepth: 3
+
+zeekygen/__load__.zeek
+======================
+
+
+:Imports: :doc:`policy/frameworks/cluster/backend/zeromq/connect.zeek </scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek>`, :doc:`policy/frameworks/cluster/nodes-experimental/manager.zeek </scripts/policy/frameworks/cluster/nodes-experimental/manager.zeek>`, :doc:`policy/frameworks/conn_key/vlan_fivetuple.zeek </scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek>`, :doc:`policy/frameworks/control/controllee.zeek </scripts/policy/frameworks/control/controllee.zeek>`, :doc:`policy/frameworks/control/controller.zeek </scripts/policy/frameworks/control/controller.zeek>`, :doc:`policy/frameworks/files/extract-all-files.zeek </scripts/policy/frameworks/files/extract-all-files.zeek>`, :doc:`policy/frameworks/management/agent/main.zeek </scripts/policy/frameworks/management/agent/main.zeek>`, :doc:`policy/frameworks/management/controller/main.zeek </scripts/policy/frameworks/management/controller/main.zeek>`, :doc:`policy/frameworks/management/node/__load__.zeek </scripts/policy/frameworks/management/node/__load__.zeek>`, :doc:`policy/frameworks/management/node/main.zeek </scripts/policy/frameworks/management/node/main.zeek>`, :doc:`policy/frameworks/signatures/iso-9660.zeek </scripts/policy/frameworks/signatures/iso-9660.zeek>`, :doc:`policy/frameworks/spicy/resource-usage.zeek </scripts/policy/frameworks/spicy/resource-usage.zeek>`, :doc:`policy/misc/dump-events.zeek </scripts/policy/misc/dump-events.zeek>`, :doc:`policy/protocols/conn/speculative-service.zeek </scripts/policy/protocols/conn/speculative-service.zeek>`, :doc:`policy/protocols/ssl/decryption.zeek </scripts/policy/protocols/ssl/decryption.zeek>`, :doc:`test-all-policy.zeek </scripts/test-all-policy.zeek>`, :doc:`zeekygen/example.zeek </scripts/zeekygen/example.zeek>`
+
+Summary
+~~~~~~~
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+
diff --git a/doc/scripts/zeekygen/example.zeek.rst b/doc/scripts/zeekygen/example.zeek.rst
new file mode 100644
index 0000000000..f7b40c8748
--- /dev/null
+++ b/doc/scripts/zeekygen/example.zeek.rst
@@ -0,0 +1,306 @@
+:tocdepth: 3
+
+zeekygen/example.zeek
+=====================
+.. zeek:namespace:: ZeekygenExample
+
+This is an example script that demonstrates Zeekygen-style
+documentation.  It generally will make most sense when viewing
+the script's raw source code and comparing to the HTML-rendered
+version.
+
+Comments in the from ``##!`` are meant to summarize the script's
+purpose.  They are transferred directly into the generated
+`reStructuredText <http://docutils.sourceforge.net/rst.html>`_
+(reST) document associated with the script.
+
+.. tip:: You can embed directives and roles within ``##``-stylized comments.
+
+There's also a custom role to reference any identifier node in
+the Zeek Sphinx domain that's good for "see alsos", e.g.
+
+See also: :zeek:see:`ZeekygenExample::a_var`,
+:zeek:see:`ZeekygenExample::ONE`, :zeek:see:`SSH::Info`
+
+And a custom directive does the equivalent references:
+
+.. zeek:see:: ZeekygenExample::a_var ZeekygenExample::ONE SSH::Info
+
+:Namespace: ZeekygenExample
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`, :doc:`policy/frameworks/software/vulnerable.zeek </scripts/policy/frameworks/software/vulnerable.zeek>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+======================================================================================= =======================================================
+:zeek:id:`ZeekygenExample::an_option`: :zeek:type:`set` :zeek:attr:`&redef`             Add documentation for "an_option" here.
+:zeek:id:`ZeekygenExample::option_with_init`: :zeek:type:`interval` :zeek:attr:`&redef` Default initialization will be generated automatically.
+======================================================================================= =======================================================
+
+State Variables
+###############
+========================================================================== ========================================================================
+:zeek:id:`ZeekygenExample::a_var`: :zeek:type:`bool`                       Put some documentation for "a_var" here.
+:zeek:id:`ZeekygenExample::summary_test`: :zeek:type:`string`              The first sentence for a particular identifier's summary text ends here.
+:zeek:id:`ZeekygenExample::var_without_explicit_type`: :zeek:type:`string` Types are inferred, that information is self-documenting.
+========================================================================== ========================================================================
+
+Types
+#####
+==================================================================================== ===========================================================
+:zeek:type:`ZeekygenExample::ComplexRecord`: :zeek:type:`record` :zeek:attr:`&redef` General documentation for a type "ComplexRecord" goes here.
+:zeek:type:`ZeekygenExample::Info`: :zeek:type:`record`                              An example record to be used with a logging stream.
+:zeek:type:`ZeekygenExample::SimpleEnum`: :zeek:type:`enum`                          Documentation for the "SimpleEnum" type goes here.
+:zeek:type:`ZeekygenExample::SimpleRecord`: :zeek:type:`record`                      General documentation for a type "SimpleRecord" goes here.
+==================================================================================== ===========================================================
+
+Redefinitions
+#############
+=============================================================== =====================================================================
+:zeek:type:`Log::ID`: :zeek:type:`enum`                         
+                                                                
+                                                                * :zeek:enum:`ZeekygenExample::LOG`
+:zeek:type:`Notice::Type`: :zeek:type:`enum`                    
+                                                                
+                                                                * :zeek:enum:`ZeekygenExample::Zeekygen_Four`:
+                                                                  Omitting comments is fine, and so is mixing ``##`` and ``##<``, but
+                                                                  it's probably best to use only one style consistently.
+                                                                
+                                                                * :zeek:enum:`ZeekygenExample::Zeekygen_One`:
+                                                                  Any number of this type of comment
+                                                                  will document "Zeekygen_One".
+                                                                
+                                                                * :zeek:enum:`ZeekygenExample::Zeekygen_Three`
+                                                                
+                                                                * :zeek:enum:`ZeekygenExample::Zeekygen_Two`:
+                                                                  Any number of this type of comment
+                                                                  will document "ZEEKYGEN_TWO".
+:zeek:type:`ZeekygenExample::SimpleEnum`: :zeek:type:`enum`     Document the "SimpleEnum" redef here with any special info regarding
+                                                                the *redef* itself.
+                                                                
+                                                                * :zeek:enum:`ZeekygenExample::FIVE`:
+                                                                  Also "FIVE".
+                                                                
+                                                                * :zeek:enum:`ZeekygenExample::FOUR`:
+                                                                  And some documentation for "FOUR".
+:zeek:type:`ZeekygenExample::SimpleRecord`: :zeek:type:`record` Document the record extension *redef* itself here.
+                                                                
+                                                                :New Fields: :zeek:type:`ZeekygenExample::SimpleRecord`
+                                                                
+                                                                  field_ext: :zeek:type:`string` :zeek:attr:`&optional`
+                                                                    Document the extending field like this.
+=============================================================== =====================================================================
+
+Events
+######
+======================================================== ==========================
+:zeek:id:`ZeekygenExample::an_event`: :zeek:type:`event` Summarize "an_event" here.
+======================================================== ==========================
+
+Functions
+#########
+============================================================= =======================================
+:zeek:id:`ZeekygenExample::a_function`: :zeek:type:`function` Summarize purpose of "a_function" here.
+============================================================= =======================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: ZeekygenExample::an_option
+   :source-code: zeekygen/example.zeek 132 132
+
+   :Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`addr`, :zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Add documentation for "an_option" here.
+   The type/attribute information is all generated automatically.
+
+.. zeek:id:: ZeekygenExample::option_with_init
+   :source-code: zeekygen/example.zeek 135 135
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``10.0 msecs``
+
+   Default initialization will be generated automatically.
+   More docs can be added here.
+
+State Variables
+###############
+.. zeek:id:: ZeekygenExample::a_var
+   :source-code: zeekygen/example.zeek 140 140
+
+   :Type: :zeek:type:`bool`
+
+   Put some documentation for "a_var" here.  Any global/non-const that
+   isn't a function/event/hook is classified as a "state variable"
+   in the generated docs.
+
+.. zeek:id:: ZeekygenExample::summary_test
+   :source-code: zeekygen/example.zeek 148 148
+
+   :Type: :zeek:type:`string`
+
+   The first sentence for a particular identifier's summary text ends here.
+   And this second sentence doesn't show in the short description provided
+   by the table of all identifiers declared by this script.
+
+.. zeek:id:: ZeekygenExample::var_without_explicit_type
+   :source-code: zeekygen/example.zeek 143 143
+
+   :Type: :zeek:type:`string`
+   :Default: ``"this works"``
+
+   Types are inferred, that information is self-documenting.
+
+Types
+#####
+.. zeek:type:: ZeekygenExample::ComplexRecord
+   :source-code: zeekygen/example.zeek 110 117
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: field1 :zeek:type:`count`
+
+      Counts something.
+
+
+   .. zeek:field:: field2 :zeek:type:`bool`
+
+      Toggles something.
+
+
+   .. zeek:field:: field3 :zeek:type:`ZeekygenExample::SimpleRecord`
+
+      Zeekygen automatically tracks types
+      and cross-references are automatically
+      inserted into generated docs.
+
+
+   .. zeek:field:: msg :zeek:type:`string` :zeek:attr:`&default` = ``"blah"`` :zeek:attr:`&optional`
+
+      Attributes are self-documenting.
+
+   :Attributes: :zeek:attr:`&redef`
+
+   General documentation for a type "ComplexRecord" goes here.
+
+.. zeek:type:: ZeekygenExample::Info
+   :source-code: zeekygen/example.zeek 124 128
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
+
+
+   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
+
+
+   .. zeek:field:: status :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
+
+
+   An example record to be used with a logging stream.
+   Nothing special about it.  If another script redefs this type
+   to add fields, the generated documentation will show all original
+   fields plus the extensions and the scripts which contributed to it
+   (provided they are also @load'ed).
+
+.. zeek:type:: ZeekygenExample::SimpleEnum
+   :source-code: zeekygen/example.zeek 78 85
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: ZeekygenExample::ONE ZeekygenExample::SimpleEnum
+
+         Documentation for particular enum values is added like this.
+         And can also span multiple lines.
+
+      .. zeek:enum:: ZeekygenExample::TWO ZeekygenExample::SimpleEnum
+
+         Or this style is valid to document the preceding enum value.
+
+      .. zeek:enum:: ZeekygenExample::THREE ZeekygenExample::SimpleEnum
+
+      .. zeek:enum:: ZeekygenExample::FOUR ZeekygenExample::SimpleEnum
+
+         And some documentation for "FOUR".
+
+      .. zeek:enum:: ZeekygenExample::FIVE ZeekygenExample::SimpleEnum
+
+         Also "FIVE".
+
+   Documentation for the "SimpleEnum" type goes here.
+   It can span multiple lines.
+
+.. zeek:type:: ZeekygenExample::SimpleRecord
+   :source-code: zeekygen/example.zeek 97 101
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: field1 :zeek:type:`count`
+
+      Counts something.
+
+
+   .. zeek:field:: field2 :zeek:type:`bool`
+
+      Toggles something.
+
+
+   .. zeek:field:: field_ext :zeek:type:`string` :zeek:attr:`&optional`
+
+      Document the extending field like this.
+      Or here, like this.
+
+
+   General documentation for a type "SimpleRecord" goes here.
+   The way fields can be documented is similar to what's already seen
+   for enums.
+
+Events
+######
+.. zeek:id:: ZeekygenExample::an_event
+   :source-code: zeekygen/example.zeek 171 171
+
+   :Type: :zeek:type:`event` (name: :zeek:type:`string`)
+
+   Summarize "an_event" here.
+   Give more details about "an_event" here.
+   
+   ZeekygenExample::a_function should not be confused as a parameter
+   in the generated docs, but it also doesn't generate a cross-reference
+   link.  Use the see role instead: :zeek:see:`ZeekygenExample::a_function`.
+   
+
+   :param name: Describe the argument here.
+
+Functions
+#########
+.. zeek:id:: ZeekygenExample::a_function
+   :source-code: zeekygen/example.zeek 161 161
+
+   :Type: :zeek:type:`function` (tag: :zeek:type:`string`, msg: :zeek:type:`string`) : :zeek:type:`string`
+
+   Summarize purpose of "a_function" here.
+   Give more details about "a_function" here.
+   Separating the documentation of the params/return values with
+   empty comments is optional, but improves readability of script.
+   
+
+   :param tag: Function arguments can be described
+        like this.
+   
+
+   :param msg: Another param.
+   
+
+   :returns: Describe the return type here.
+
+
diff --git a/doc/scripts/zeekygen/index.rst b/doc/scripts/zeekygen/index.rst
new file mode 100644
index 0000000000..0b1b0ecdbf
--- /dev/null
+++ b/doc/scripts/zeekygen/index.rst
@@ -0,0 +1,37 @@
+:orphan:
+
+Package: zeekygen
+=================
+
+This package is loaded during the process which automatically generates
+reference documentation for all Zeek scripts (i.e. "Zeekygen").  Its only
+purpose is to provide an easy way to load all known Zeek scripts plus any
+extra scripts needed or used by the documentation process.
+
+:doc:`/scripts/zeekygen/__load__.zeek`
+
+
+:doc:`/scripts/zeekygen/example.zeek`
+
+   This is an example script that demonstrates Zeekygen-style
+   documentation.  It generally will make most sense when viewing
+   the script's raw source code and comparing to the HTML-rendered
+   version.
+   
+   Comments in the from ``##!`` are meant to summarize the script's
+   purpose.  They are transferred directly into the generated
+   `reStructuredText <http://docutils.sourceforge.net/rst.html>`_
+   (reST) document associated with the script.
+   
+   .. tip:: You can embed directives and roles within ``##``-stylized comments.
+   
+   There's also a custom role to reference any identifier node in
+   the Zeek Sphinx domain that's good for "see alsos", e.g.
+   
+   See also: :zeek:see:`ZeekygenExample::a_var`,
+   :zeek:see:`ZeekygenExample::ONE`, :zeek:see:`SSH::Info`
+   
+   And a custom directive does the equivalent references:
+   
+   .. zeek:see:: ZeekygenExample::a_var ZeekygenExample::ONE SSH::Info
+
diff --git a/doc/traces/20171220_smb_at_schedule.pcap b/doc/traces/20171220_smb_at_schedule.pcap
new file mode 100644
index 0000000000..014c3dc298
Binary files /dev/null and b/doc/traces/20171220_smb_at_schedule.pcap differ
diff --git a/doc/traces/README b/doc/traces/README
new file mode 100644
index 0000000000..1ec67eab16
--- /dev/null
+++ b/doc/traces/README
@@ -0,0 +1,27 @@
+Traces used in the examples of the docs.
+
+* tm1t.pcap
+
+  ?
+
+* 20171220_smb_at_schedule.pcap
+
+  References:
+
+  https://redmine.openinfosecfoundation.org/issues/3109
+  https://github.com/tianyulab/Hunting_lateral_movement/blob/master/20171220_smb_at_schedule.pcap
+
+  SHA1:
+
+  b5c5329536c7add1267cbbc50ac1436387c0b773
+
+* get.trace
+
+  That's the zeek/testing/btest/Traces/http/get.trace one.
+
+* quickstart.pcap
+
+  From curl commands:
+
+  curl -X GET http://zeek.org
+  curl -X WEIRD http://zeek.org
diff --git a/doc/traces/get.trace b/doc/traces/get.trace
new file mode 100644
index 0000000000..f098e04ae6
Binary files /dev/null and b/doc/traces/get.trace differ
diff --git a/doc/traces/quickstart.pcap b/doc/traces/quickstart.pcap
new file mode 100644
index 0000000000..f25acfb0fc
Binary files /dev/null and b/doc/traces/quickstart.pcap differ
diff --git a/doc/troubleshooting.rst b/doc/troubleshooting.rst
new file mode 100644
index 0000000000..482187178d
--- /dev/null
+++ b/doc/troubleshooting.rst
@@ -0,0 +1,403 @@
+.. _troubleshooting:
+
+===============
+Troubleshooting
+===============
+
+This page lists approaches and mentions logs and metrics available
+to understand and debug Zeek's performance.
+
+There may be assumptions about Linux deployments regarding kernel features
+and tooling available.
+
+Memory Leaks and State Growth
+=============================
+
+When memory of any Zeek process continuously grows in production or testing
+settings, there might be a memory leak in Zeek's C++ core or it might be
+scripting state growth. Examples of the latter are a global table that is
+populated but elements aren't expired or removed. Containers attached to
+connections may also cause unbounded state growth when these connections
+are long-lived.
+
+For such issues, using jemalloc's memory profiling can be invaluable. A good
+introduction to this topic is `Justin Azoff's profiling presentation`_ (`slides`_).
+
+
+Jemalloc Memory Profiling
+-------------------------
+
+For memory profiling with `jemalloc`_ you need jemalloc compiled with
+profiling enabled. Some Linux distributions provide a libjemalloc package that
+is configured this way. For example, Debian on the amd64 architecture
+has it enabled while Fedora 38 does not. You're advised to verify the
+``config.prof`` line in the jemalloc stats output as shown below.
+
+.. note::
+
+   If your distribution does not provide a suitable libjemalloc package,
+   building jemalloc from source configured with the required options
+   is reasonably easy.
+
+   .. code-block:: console
+
+      $ git clone git@github.com:jemalloc/jemalloc.git
+      $ cd jemalloc
+      $ git checkout 5.2.1  # or newer releases
+      $ ./autogen.sh && ./configure --enable-prof
+
+      # Optionally, use LD_PRELOAD
+      $ export LD_PRELOAD=$(pwd)/lib/libjemalloc.so
+      # ...or install the custom libjemalloc build.
+      $ sudo make install
+
+You can either build Zeek from source and pass the ``--enable-jemalloc`` flag
+(possibly with ``--with-jemalloc=/usr/local/`` for a custom build) to always
+use the jemalloc allocator (recommended), or set ``LD_PRELOAD`` as shown above.
+Using ``LD_PRELOAD`` can be convenient if you're not
+in a position to rebuild Zeek or you're consuming upstream binary packages that
+did not use ``--enable-jemalloc``, or you want to use a custom ad-hoc/patched
+jemalloc build.
+
+To verify jemalloc profiling is functional, run the following command and
+check that ``config.prof`` reports ``true``.
+
+.. code-block:: console
+
+   $ MALLOC_CONF="stats_print:true" zeek -e 'event zeek_init() {}' 2>&1  | grep 'config.prof'
+   config.prof: true
+   config.prof_libgcc: true
+   config.prof_libunwind: false
+   ...
+
+
+If there is no output or ``config.prof`` says ``false``, verify your Zeek
+and libjemalloc setup.
+
+.. note::
+
+   Neither ``LD_PRELOAD`` nor ``MALLOC_CONF`` work with a setuid or setcap
+   ``zeek`` binary and you might need to run as root or another privileged
+   user instead.
+
+At this point you can run Zeek with a ``MALLOC_CONF`` setting that will dump
+memory profiles roughly every 256MB of allocation activity (controlled by the
+``lg_prof_interval`` setting - 2**28 = 256 MB).
+
+.. code-block:: console
+
+   $ MALLOC_CONF="prof:true,prof_prefix:jeprof.out,prof_final:true,lg_prof_interval:28" zeek -C -i eth0
+
+The files dumped by jemalloc will have a naming pattern of ``jeprof.out.<pid>...``
+and can be postprocessed with the ``jeprof`` utility.
+
+.. code-block:: console
+
+   $ jeprof $(which zeek)  jeprof.out.*
+   Welcome to jeprof!  For help, type 'help'.
+   (jeprof) top
+   Total: 1773.2 MB
+      381.8  21.5%  21.5%    381.8  21.5% __gnu_cxx::new_allocator::allocate
+      232.6  13.1%  34.6%    232.6  13.1% std::__cxx11::basic_string::_M_construct
+      147.5   8.3%  43.0%    265.0  14.9% zeek::make_intrusive
+      144.0   8.1%  51.1%    144.0   8.1% monitoring_thread_loop
+      135.0   7.6%  58.7%    135.0   7.6% zeek::util::safe_realloc
+      117.0   6.6%  65.3%    802.6  45.3% yyparse
+       63.0   3.6%  68.9%    108.0   6.1% zeeklex
+       54.0   3.0%  71.9%     54.0   3.0% zeek::Obj::SetLocationInfo
+       49.0   2.8%  74.7%     49.0   2.8% alloc_aligned_chunks
+       45.0   2.5%  77.2%     45.0   2.5% zeek::detail::EquivClass::EquivClass
+
+
+It can be more insightful to generate a graph as SVG or GIF from the ``.heap`` files
+as these make the call chain more visible directly (click image to enlarge).
+
+.. code-block:: console
+
+   $ jeprof $(which zeek) --svg jeprof.out.3075061.* > out.svg
+
+.. image:: /images/troubleshooting/http-fake-state-growth.gif
+   :alt: State growth in a ``std::vector<std::string>``
+   :scale: 10%
+
+In above image, ``basic_string _M_construct`` called from ``HTTP_Analyzer DeliverStream``
+is standing out as well as ``new_allocator allocate`` called from ``std::vector _M_realloc_insert``.
+This memory growth was provoked by patching the HTTP analyzer such that all input
+data passed to ``DeliverStream()`` was also copied into a single statically allocated
+``std::vector<std::string>`` and never freed again.
+
+ZeekControl Integration
+~~~~~~~~~~~~~~~~~~~~~~~
+
+When working in a ZeekControl based environment, the `zeek-jemalloc`_ plugin
+can help with setting up the required environment variables. The ``.heap``
+files will be located in a worker's individual spool directory and can be
+processed with the ``jeprof`` utility as shown above.
+
+.. _zeek-jemalloc: https://github.com/JustinAzoff/zeek-jemalloc-profiling/tree/master
+.. _justin azoff's profiling presentation: https://www.youtube.com/watch?v=gWSXbqxnJfs
+.. _slides: https://old.zeek.org/zeekweek2019/slides/justin-azoff-profiling.pdf
+.. _jemalloc: https://jemalloc.net/
+
+
+CPU Profiling
+=============
+
+When a Zeek worker is using close to all of a single CPU as seen via ``zeekctl top``
+or ``top -p <pid>``, this usually means it is either receiving too many packets
+and is simply overloaded, or there's a performance problem. Particularly at
+low packet rates or with pathological packet streams it is worth debugging
+
+Perf and Flame Graphs
+---------------------
+
+It can be valuable to leverage the `perf`_ tool on Linux and generate
+`Flame Graphs`_ from the recorded data.
+
+.. note::
+
+   For best results it's recommended to build Zeek and third-party libraries
+   used by Zeek with frame pointers enabled setting the ``-fno-omit-frame-pointer``
+   compile flag.
+
+   .. code-block:: console
+
+      $ CXXFLAGS="-fno-omit-frame-pointer" CFLAGS="-fno-omit-frame-pointer" ./configure --build-type=RelWithDebugInfo ...
+
+   Using ``-fno-omit-frame-pointer`` may have a performance impact. Therefore,
+   Linux distributions may or may not use it by default to compile libraries.
+   You're advised to test performance differences in your environment and whether
+   having frame pointers available for troubleshooting in production is more
+   important than any performance gains.
+
+   On Ubuntu you may explore using the ``libc6-prof`` for a glibc library
+   compiled with frame pointers enabled. On Fedora 38 on the other hand
+   most packages should be compiled with
+   `frame pointers enabled by default <https://fedoraproject.org/wiki/Changes/fno-omit-frame-pointer>`_.
+
+Assuming the PID of a Zeek worker is 3639255, a perf profile with call graph
+information can be collected as follows:
+
+.. code-block:: console
+
+   $ perf record -g -p 3639255
+   ^C[ perf record: Woken up 8 times to write data ]
+   [ perf record: Captured and wrote 2.893 MB perf.data (13865 samples) ]
+
+The resulting ``perf.data`` file can be visualized and post-processed
+via ``perf report``, ``perf script``, etc.
+
+When Zeek workers are pinned to CPUs, it can also be useful to record all
+activity on that CPU via ``perf record -g -C <cpu>`` instead.
+
+To produce a flame graph ``perf.data``, run the following command pipeline,
+assuming a git checkout of the `FlameGraph`_ repository at an appropriate
+location.
+
+.. code-block:: console
+
+   $ perf script | /path/to/FlameGraph/stackcollapse-perf.pl | /path/to/FlameGraph/flamegraph.pl  > out.svg
+
+The resulting flame graph may look as follows:
+
+.. image:: /images/troubleshooting/flamegraph.png
+   :alt: Example flame graph.
+   :scale: 25%
+
+Visualizing flame graphs this way removes the time dimension. `FlameScope`_ is
+a project allowing exploration of different time ranges within the recorded data
+which can be valuable if you observe Zeek processes freezing or hanging.
+
+.. _perf: https://perf.wiki.kernel.org/index.php/Main_Page
+.. _Flame Graphs: https://www.brendangregg.com/flamegraphs.html
+.. _FlameGraph: https://github.com/brendangregg/FlameGraph
+.. _FlameScope: https://github.com/Netflix/flamescope
+.. _Fedora -fno-omit-framepointers: https://fedoraproject.org/wiki/Changes/fno-omit-frame-pointer
+
+
+Metrics and Stats
+=================
+
+Telemetry Framework and Prometheus
+----------------------------------
+
+Starting with Zeek 5.1, the script-level as well as C++ API of the :ref:`framework-telemetry`
+is being leveraged more extensively to expose metrics about Zeek's operational behavior.
+Generally we recommend consuming these metrics through the Prometheus endpoint
+exposed on ``http://manager-ip:9911/metrics`` by default.
+
+Currently, basic version information, network and process metrics, log records per
+log stream and log writers, data about event invocations as well as Broker
+subsystem metrics are exposed.
+
+Below is an example of using ``curl`` to list some of the metrics. In a production
+setup, usually a `Prometheus Server`_ is configured to scrape above endpoint
+which then stores metrics data for later visualization.
+
+.. code-block:: console
+
+   $ curl -s localhost:9911/metrics | grep -E '^(zeek_version|zeek_log|zeek_event|zeek_net|process_|zeek_active_sessions|zeek_total_sessions)'
+   zeek_version_info{beta="false",commit="622",debug="false",endpoint="",major="6",minor="0",patch="0",version_number="60000",version_string="6.0.0-dev.622"} 1.000000 1684826824560
+   zeek_event_handler_invocations_total{endpoint="",name="zeek_init"} 1 1684826824560
+   ...
+   zeek_event_handler_invocations_total{endpoint="",name="dns_message"} 4 1684826824560
+   zeek_event_handler_invocations_total{endpoint="",name="dns_request"} 2 1684826824560
+   zeek_event_handler_invocations_total{endpoint="",name="dns_end"} 4 1684826824560
+   zeek_event_handler_invocations_total{endpoint="",name="connection_state_remove"} 547 1684826824560
+   ...
+   zeek_event_handler_invocations_total{endpoint="",name="file_hash"} 1628 1684826824560
+   zeek_event_handler_invocations_total{endpoint="",name="file_state_remove"} 814 1684826824560
+   zeek_net_dropped_packets_total{endpoint=""} 0.000000 1684826824560
+   zeek_net_link_packets_total{endpoint=""} 19664.000000 1684826824560
+   zeek_net_received_bytes_total{endpoint=""} 1699891.000000 1684826824560
+   zeek_net_received_packets_total{endpoint=""} 9832.000000 1684826824560
+   ...
+   zeek_log_writer_writes_total{endpoint="",filter_name="default",module="DNS",path="dns",stream="DNS::LOG",writer="Log::WRITER_ASCII"} 2 1684826824560
+   zeek_log_writer_writes_total{endpoint="",filter_name="default",module="HTTP",path="http",stream="HTTP::LOG",writer="Log::WRITER_ASCII"} 819 1684826824560
+   zeek_log_writer_writes_total{endpoint="",filter_name="default",module="Conn",path="conn",stream="Conn::LOG",writer="Log::WRITER_ASCII"} 547 1684826824560
+   zeek_log_writer_writes_total{endpoint="",filter_name="default",module="Files",path="files",stream="Files::LOG",writer="Log::WRITER_ASCII"} 814 1684826824560
+   ...
+   zeek_log_stream_writes_total{endpoint="",module="DNS",stream="DNS::LOG"} 2 1684826824560
+   zeek_log_stream_writes_total{endpoint="",module="HTTP",stream="HTTP::LOG"} 819 1684826824560
+   zeek_log_stream_writes_total{endpoint="",module="Conn",stream="Conn::LOG"} 547 1684826824560
+   zeek_log_stream_writes_total{endpoint="",module="Files",stream="Files::LOG"} 814 1684826824560
+   zeek_active_sessions{endpoint="",protocol="tcp"} 0 1684829159305
+   ...
+   zeek_total_sessions_total{endpoint="",protocol="tcp"} 45101 1684829159305
+   zeek_total_sessions_total{endpoint="",protocol="udp"} 39849 1684829159305
+   zeek_total_sessions_total{endpoint="",protocol="icmp"} 320 1684829159305
+   process_open_fds{endpoint=""} 62 1684826824560
+   process_cpu_seconds_total{endpoint=""} 1.950000 1684826824560
+   process_virtual_memory_bytes{endpoint=""} 1917345792 1684826824560
+   process_resident_memory_bytes{endpoint=""} 268935168 1684826824560
+
+
+If you prefer to consume metrics via logs, the :file:`telemetry.log`
+(:zeek:see:`Telemetry::Info`) may work. Its
+format is a bit unusual, however. See the :ref:`framework-telemetry`'s
+documentation for more details about the log and how to add further metrics
+from your own Zeek scripts.
+
+.. _Prometheus server: https://prometheus.io/
+
+
+:file:`stats.log`
+-----------------
+
+The :file:`stats.log` is enabled when loading the :doc:`/scripts/policy/misc/stats.zeek` script.
+This is the default with the stock :file:`local.zeek` included with Zeek. This
+log provides stats about Zeek's operational behavior in a structured log format.
+
+See the :zeek:see:`Stats::Info` record documentation for a description of
+the individual fields.
+
+The default reporting interval is 5 minutes. It can make sense to reduce
+this interval for testing or during troubleshooting via
+``redef Stats::report_interval=30sec``. Stats collection may have a
+non-negligible impact on performance and running, for example,
+every second may be detrimental.
+
+For historic reasons, this log contains delta values for ``pkts_proc``,
+``bytes_recv``, ``events_proc``, ``tcp_conns``, etc. This can make it
+difficult to use the values as-is in metrics systems that expect counter
+metrics to continuously grow and compute rates or delta values on the fly.
+
+.. note::
+
+   If you're creating your own custom metrics or stats-like log, consider
+   using absolute values for counter metrics. Relative values can
+   always be derived from two absolute values. The inverse is not true.
+   Popular metrics systems usually assume absolute counter values, too.
+
+Following an example of a :file:`stats.log` entry:
+
+.. code-block:: console
+
+   $ zeek -C -i eth0 local Stats::report_interval=30sec LogAscii::use_json=T
+   $ jq < stats.log
+   ...
+   {
+       "ts": 1684828680.616951,
+       "peer": "zeek",
+       "mem": 344,
+       "pkts_proc": 300000,
+       "bytes_recv": 78092228,
+       "pkts_dropped": 0,
+       "pkts_link": 299609,
+       "pkt_lag": 0.003422975540161133,
+       "events_proc": 448422,
+       "events_queued": 448422,
+       "active_tcp_conns": 2279,
+       "active_udp_conns": 2809,
+       "active_icmp_conns": 96,
+       "tcp_conns": 6747,
+       "udp_conns": 5954,
+       "icmp_conns": 48,
+       "timers": 67510,
+       "active_timers": 35086,
+       "files": 8165,
+       "active_files": 0,
+       "dns_requests": 218,
+       "active_dns_requests": 2,
+       "reassem_tcp_size": 7816,
+       "reassem_file_size": 0,
+       "reassem_frag_size": 0,
+       "reassem_unknown_size": 0
+   }
+
+:file:`prof.log`
+----------------
+
+The :file:`prof.log` provides aggregated information about Zeek's runtime status
+in a fairly non-structured text format.
+Likely future metrics will be added through the Telemetry framework mentioned
+above, but as of now it does contain information about queue sizes within
+the threading subsystem and other details that are not yet exposed otherwise.
+
+To enable :file:`prof.log`, load the :doc:`/scripts/policy/misc/profiling.zeek` script
+in :file:`local.zeek` or start Zeek with ``misc/profiling`` on the command-line:
+
+.. code-block:: console
+
+   $ zeek -C -i eth0 misc/profiling
+
+The following provides an example of :file:`prof.log` content:
+
+.. code-block:: console
+
+   $ cat prof.log
+   1684828232.344252 Comm: peers=0 stores=1 pending_queries=0 events_in=0 events_out=0 logs_in=0 logs_out=0 ids_in=0 ids_out=0 1684828262.344351 ------------------------
+   1684828262.344351 Memory: total=406480K total_adj=149536K malloced: 0K
+   1684828262.344351 Run-time: user+sys=53.2 user=44.6 sys=8.6 real=631.1
+   1684828262.344351 Conns: total=84712 current=6759/6759
+   1684828262.344351 Conns: tcp=3847/3860 udp=2815/2883 icmp=97/98
+   1684828262.344351 TCP-States:        Inact.  Syn.    SA      Part.   Est.    Fin.    Rst.
+   1684828262.344351 TCP-States:Inact.                                                          
+   1684828262.344351 TCP-States:Syn.    76                                              36      
+   1684828262.344351 TCP-States:SA                                                              
+   1684828262.344351 TCP-States:Part.                                                           
+   1684828262.344351 TCP-States:Est.                                    652     2214    36      
+   1684828262.344351 TCP-States:Fin.                                            753             
+   1684828262.344351 TCP-States:Rst.                                    16      64              
+   1684828262.344351 Connections expired due to inactivity: 2426
+   1684828262.344351 Timers: current=47708 max=47896 lag=0.00s
+   1684828262.344351 DNS_Mgr: requests=1596 successful=1596 failed=0 pending=0 cached_hosts=0 cached_addrs=1207
+   1684828262.344351 Triggers: total=4900 pending=0
+   1684828262.344351         ConnectionDeleteTimer = 905
+   1684828262.344351         ConnectionInactivityTimer = 6759
+   1684828262.344351         DNSExpireTimer = 1840
+   1684828262.344351         FileAnalysisInactivityTimer = 32836
+   1684828262.344351         ScheduleTimer = 11
+   1684828262.344351         TableValTimer = 34
+   1684828262.344351         TCPConnectionAttemptTimer = 166
+   1684828262.344351         TCPConnectionExpireTimer = 5156
+   1684828262.344351         ThreadHeartbeat = 1
+   1684828262.344351 Threads: current=21
+   1684828262.344351   dns/Log::WRITER_ASCII     in=586 out=258 pending=0/0 (#queue r/w: in=586/586 out=258/258)
+   1684828262.344351   known_hosts/Log::WRITER_ASCII in=475 out=258 pending=0/0 (#queue r/w: in=475/475 out=258/258)
+   1684828262.344351   software/Log::WRITER_ASCII in=478 out=258 pending=0/0 (#queue r/w: in=478/478 out=258/258)
+   ...
+   1684828262.344351   files/Log::WRITER_ASCII   in=483 out=258 pending=0/0 (#queue r/w: in=483/483 out=258/258)
+   1684828262.344351   http/Log::WRITER_ASCII    in=483 out=258 pending=0/0 (#queue r/w: in=483/483 out=258/258)
+   1684828262.344351   weird/Log::WRITER_ASCII   in=260 out=257 pending=0/0 (#queue r/w: in=260/260 out=257/257)
+   1684828262.344351   conn/Log::WRITER_ASCII    in=486 out=257 pending=0/0 (#queue r/w: in=486/486 out=257/257)